Академический Документы
Профессиональный Документы
Культура Документы
V200R008C00
Issue 07
Date 2017-11-30
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://e.huawei.com
Intended Audience
This document describes how to configure the components for Ethernet switching services.
This document provides procedures and examples to illustrate the methods and application
scenarios for the Ethernet switching configurations.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Symbol Description
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Security Conventions
l Password setting
Declaration
This manual is only a reference for you to configure your devices. The contents in the manual,
such as web pages, command line syntax, and command outputs, are based on the device
conditions in the lab. The manual provides instructions for general scenarios, but do not cover
all usage scenarios of all product models. The contents in the manual may be different from
your actual device situations due to the differences in software versions, models, and
configuration files. The manual will not list every possible difference. You should configure
your devices according to actual situations.
The specifications provided in this manual are tested in lab environment (for example, the
tested device has been installed with a certain type of boards or only one protocol is run on
the device). Results may differ from the listed specifications when you attempt to obtain the
maximum values with multiple functions enabled on the device.
Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Contents
4.9.8 Example for Configuring VLANIF Interfaces to Implement Intra-VLAN Communication.................................. 265
4.9.9 Example for Configuring VLANIF Interfaces to Implement Communication of Hosts on Different Network
Segments in the Same VLAN...........................................................................................................................................269
4.9.10 Example for Configuring a Traffic Policy to Implement Inter-VLAN Layer 3 Isolation..................................... 272
4.9.11 Example for Configuring an mVLAN to Implement Remote Management......................................................... 278
4.9.12 Example for Configuring Transparent Transmission of Protocol Packets in a VLAN......................................... 281
4.10 Common Misconfigurations..................................................................................................................................... 283
4.10.1 A VLANIF Interface Fails to Be Created..............................................................................................................283
4.10.2 A VLANIF Interface Goes Down......................................................................................................................... 284
4.10.3 Users in a VLAN Cannot Communicate............................................................................................................... 285
4.10.4 IP Addresses of the Connected Interfaces Between Switches Cannot Be Pinged.................................................288
4.11 FAQ...........................................................................................................................................................................289
4.11.1 How Do I Create VLANs in a Batch?................................................................................................................... 289
4.11.2 How Do I Add Interfaces to a VLAN in a Batch?.................................................................................................289
4.11.3 How Do I Restore the Default VLAN Configuration of an Interface?..................................................................290
4.11.4 How Do I Change the Link Type of an Interface?.................................................................................................290
4.11.5 How Do I Rapidly Query the Link Types and Default VLANs of All Interfaces?............................................... 292
4.11.6 How Do I Delete a Single VLAN or VLANs in a Batch?.....................................................................................293
4.11.7 Can Multiple Network Segments Be Configured in a VLAN?............................................................................. 294
4.11.8 How Is the Inter-VLAN Communication Fault Rectified?....................................................................................294
4.11.9 Do VLANs Need to Be Assigned on the Intermediate Device That Transparently Transmits Packets?.............. 296
4.11.10 Why Are MAC-VLAN Entries Invalid?..............................................................................................................296
4.11.11 Can the Switch Collect Statistics on Only Traffic Destined for the VLANIF Interface Enabled with Traffic
Statistics?.......................................................................................................................................................................... 297
4.12 References................................................................................................................................................................ 297
10 QinQ Configuration................................................................................................................456
10.1 Introduction to QinQ................................................................................................................................................ 457
10.2 Principles.................................................................................................................................................................. 457
10.2.1 QinQ Fundamentals............................................................................................................................................... 458
10.2.2 Basic QinQ............................................................................................................................................................ 460
10.2.3 Selective QinQ.......................................................................................................................................................461
10.2.4 TPID...................................................................................................................................................................... 463
10.2.5 QinQ Mapping....................................................................................................................................................... 464
10.3 Applications..............................................................................................................................................................466
10.3.1 Public User Services on a Metro Ethernet Network..............................................................................................467
10.3.2 Enterprise Network Connection Through Private Lines....................................................................................... 468
10.4 Configuration Task Summary...................................................................................................................................469
10.5 Configuration Notes................................................................................................................................................. 469
10.6 Configuring QinQ.....................................................................................................................................................471
10.6.1 Configuring Basic QinQ........................................................................................................................................ 471
10.6.2 Configuring Selective QinQ.................................................................................................................................. 472
10.6.2.1 Configuring VLAN ID-based Selective QinQ................................................................................................... 472
10.6.2.2 Configuring MQC-based Selective QinQ...........................................................................................................474
10.6.2.3 Configuring 802.1p Priority-based Selective QinQ........................................................................................... 482
10.6.3 Configuring the TPID Value in an Outer VLAN Tag............................................................................................483
10.6.4 Configuring the Device to Add Double VLAN Tags to Untagged Packets.......................................................... 484
10.6.5 Configuring QinQ Mapping.................................................................................................................................. 485
10.6.5.1 Configuring 1-to-1 QinQ Mapping.....................................................................................................................486
10.6.5.2 Configuring 2-to-1 QinQ Mapping.....................................................................................................................487
10.7 Maintaining QinQ.....................................................................................................................................................487
10.7.1 Displaying VLAN Translation Resource Usage....................................................................................................487
10.8 Configuration Examples........................................................................................................................................... 488
10.8.1 Example for Configuring Basic QinQ................................................................................................................... 488
10.8.2 Example for Configuring Selective QinQ............................................................................................................. 492
10.8.3 Example for Configuring Selective QinQ and VLAN Mapping........................................................................... 495
10.8.4 Example for Configuring Traffic Selective QinQ and Traffic Policy................................................................... 497
10.8.5 Example for Configuring Flow-based Selective QinQ..........................................................................................500
10.8.6 Example for Connecting a Single-Tag VLAN Mapping Sub-Interface to a VLL Network..................................504
10.8.7 Example for Connecting a Double-Tag VLAN Mapping Sub-Interface to a VLL Network................................ 513
10.8.8 Example for Connecting a VLAN Stacking Sub-interface to a VLL Network.....................................................523
10.8.9 Example for Connecting a Single-tag VLAN Mapping Sub-interface to a VPLS Network................................. 533
10.8.10 Example for Connecting a Double-tag VLAN Mapping Sub-interface to a VPLS Network............................. 543
10.8.11 Example for Connecting a VLAN Stacking Sub-interface to a VPLS Network................................................. 554
13 VCMP Configuration..............................................................................................................625
13.1 Introduction to VCMP.............................................................................................................................................. 626
13.2 Principles.................................................................................................................................................................. 626
13.2.1 VCMP Concepts.................................................................................................................................................... 626
13.2.2 Implementation...................................................................................................................................................... 628
13.3 Applicable Scenario..................................................................................................................................................634
13.4 Configuration Notes................................................................................................................................................. 635
13.5 Default Configuration...............................................................................................................................................637
13.6 Configuring VCMP.................................................................................................................................................. 637
13.7 Maintaining VCMP.................................................................................................................................................. 640
13.7.1 Displaying VCMP Running Information.............................................................................................................. 640
13.7.2 Clearing VCMP Running Information.................................................................................................................. 641
13.8 Configuration Examples........................................................................................................................................... 641
13.8.1 Example for Configuring VCMP to Implement Centralized VLAN Management...............................................641
14.10.5 What Precautions Should Be Taken When Configuring the Formats of Sent and Received BPDUs on an STP
Interface?.......................................................................................................................................................................... 707
14.10.6 How Do I Configure a User-Side Interface on an STP Switch?..........................................................................707
14.10.7 How Do I Prevent Terminals' Failures to Ping the Gateway or Slow Speeds for Obtaining IP Addresses When
They Connect to an STP Network?.................................................................................................................................. 707
14.10.8 Can the Switch Work with Non-Huawei Devices Running STP or RSTP?........................................................ 708
14.10.9 What Is the Function of Automatic Edge-port Detecting?.................................................................................. 708
14.11 References...............................................................................................................................................................708
15 MSTP Configuration...............................................................................................................710
15.1 Introduction to MSTP............................................................................................................................................... 711
15.2 MSTP Principles.......................................................................................................................................................712
15.2.1 MSTP Background................................................................................................................................................ 712
15.2.2 Basic MSTP Concepts........................................................................................................................................... 713
15.2.3 MST BPDUs..........................................................................................................................................................721
15.2.4 MSTP Topology Calculation................................................................................................................................. 725
15.2.5 MSTP Fast Convergence....................................................................................................................................... 727
15.2.6 MSTP Multi-Process............................................................................................................................................. 728
15.3 Application Environment......................................................................................................................................... 735
15.4 Configuration Task Summary...................................................................................................................................737
15.5 Configuration Notes................................................................................................................................................. 738
15.6 Default Configuration...............................................................................................................................................740
15.7 Configuring MSTP................................................................................................................................................... 740
15.7.1 Configuring Basic MSTP Functions......................................................................................................................740
15.7.1.1 Configuring the MSTP Mode............................................................................................................................. 741
15.7.1.2 Configuring and Activating an MST Region..................................................................................................... 741
15.7.1.3 (Optional) Configuring the Root Bridge and Secondary Root Bridge............................................................... 743
15.7.1.4 (Optional) Configuring a Priority for a Switching Device in an MSTI..............................................................744
15.7.1.5 (Optional) Configuring a Path Cost of a Port in an MSTI..................................................................................745
15.7.1.6 (Optional) Configuring a Port Priority in an MSTI............................................................................................ 745
15.7.1.7 Enabling MSTP.................................................................................................................................................. 746
15.7.1.8 Checking the Configuration................................................................................................................................747
15.7.2 Configuring MSTP Multi-Process.........................................................................................................................747
15.7.2.1 Creating an MSTP Process................................................................................................................................. 748
15.7.2.2 Adding a Port to an MSTP Process.................................................................................................................... 748
15.7.2.3 (Optional) Configuring the Root Bridge and Secondary Root Bridge............................................................... 750
15.7.2.4 (Optional) Configuring a Priority for a Switching Device in an MSTI..............................................................751
15.7.2.5 (Optional) Configuring a Path Cost of a Port in an MSTI..................................................................................752
15.7.2.6 (Optional) Configuring a Port Priority in an MSTI............................................................................................ 753
15.7.2.7 Configuring TC Notification in MSTP Multi-process....................................................................................... 753
15.7.2.8 Enabling MSTP.................................................................................................................................................. 754
15.7.2.9 Checking the Configuration................................................................................................................................755
15.7.3 Configuring MSTP Parameters on an Interface.................................................................................................... 755
15.7.3.1 Setting the MSTP Network Diameter.................................................................................................................755
17 SEP Configuration...................................................................................................................861
17.1 Introduction to SEP.................................................................................................................................................. 862
17.2 Principles.................................................................................................................................................................. 862
17.2.1 Principles of SEP................................................................................................................................................... 863
17.2.2 Basic Concepts of SEP.......................................................................................................................................... 865
17.2.3 SEP Implementation Mechanisms.........................................................................................................................869
17.3 Applications..............................................................................................................................................................883
17.3.1 Open-Ring Networking......................................................................................................................................... 883
17.3.2 Closed-Ring Networking....................................................................................................................................... 884
18.2.4 Implementation of a Single RRPP Ring (When the Ring is Faulty)..................................................................... 978
18.2.5 Implementation of a Single RRPP Ring (When the Fault is Recovered).............................................................. 980
18.2.6 Implementation of Multiple Rings........................................................................................................................ 983
18.2.7 RRPP Multi-Instance............................................................................................................................................. 992
18.3 Application Scenarios...............................................................................................................................................994
18.3.1 Application of a Single Ring................................................................................................................................. 994
18.3.2 Application of Tangent RRPP Rings..................................................................................................................... 995
18.3.3 Application of Intersecting RRPP Rings............................................................................................................... 996
18.3.4 Application of the RRPP and STP Network..........................................................................................................997
18.3.5 Application of Intersecting RRPP Rings of Multi-Instance in MAN....................................................................998
18.3.6 Application of Tangent RRPP Rings of Multi-Instance in MAN..........................................................................999
18.3.7 Application of Multiple Instances Single-homed to an RRPP Aggregation Ring.............................................. 1000
18.3.8 Application of the RRPP Multi-instance Ring and SmartLink Network............................................................ 1001
18.3.9 Application of RRPP Snooping........................................................................................................................... 1002
18.4 Configuration Task Summary.................................................................................................................................1005
18.5 Configuration Notes............................................................................................................................................... 1006
18.6 Default Configuration.............................................................................................................................................1007
18.7 Configuring RRPP.................................................................................................................................................. 1008
18.7.1 Configuring RRPP............................................................................................................................................... 1008
18.7.1.1 Configuring Interfaces on an RRPP Ring.........................................................................................................1008
18.7.1.2 Creating an RRPP Domain and the Control VLAN......................................................................................... 1009
18.7.1.3 Creating an Instance......................................................................................................................................... 1010
18.7.1.4 Configuring a Protected VLAN........................................................................................................................1011
18.7.1.5 (Optional) Setting the RRPP Working Mode................................................................................................... 1012
18.7.1.6 Creating and Enabling an RRPP Ring.............................................................................................................. 1013
18.7.1.7 Enabling RRPP................................................................................................................................................. 1014
18.7.1.8 (Optional) Creating a Ring Group.................................................................................................................... 1014
18.7.1.9 (Optional) Setting the Values of the Hello Timer and Fail Timer in an RRPP Domain...................................1015
18.7.1.10 (Optional) Setting the Value of the Link-Up Timer........................................................................................1016
18.7.1.11 Checking the Configuration............................................................................................................................1016
18.7.2 Configuring RRPP Snooping...............................................................................................................................1017
18.7.2.1 Enabling RRPP Snooping.................................................................................................................................1017
18.7.2.2 (Optional) Configuring the VSI Associated with RRPP Snooping.................................................................. 1018
18.7.2.3 Checking the Configuration..............................................................................................................................1019
18.8 Maintaining RRPP.................................................................................................................................................. 1019
18.8.1 Clearing RRPP Statistics..................................................................................................................................... 1019
18.9 Configuration Examples......................................................................................................................................... 1019
18.9.1 Example for Configuring a Single RRPP Ring with a Single Instance...............................................................1020
18.9.2 Example for Configuring Intersecting RRPP Rings with a Single Instance (RRPP Defined by the National
Standard of China)..........................................................................................................................................................1024
18.9.3 Example for Configuring Intersecting RRPP Rings with a Single Instance (RRPP Defined by Huawei)..........1034
18.9.4 Example for Configuring Tangent RRPP Rings..................................................................................................1045
18.9.5 Example for Configuring a Single RRPP Ring with Multiple Instances............................................................ 1053
18.9.6 Example for Configuring Intersecting RRPP Rings with Multiple Instances (RRPP Defined by the National
Standard of China)..........................................................................................................................................................1061
18.9.7 Example for Configuring Intersecting RRPP Rings with Multiple Instances (RRPP Defined by Huawei)....... 1077
18.9.8 Example for Configuring Tangent RRPP Rings with Multiple Instances........................................................... 1093
18.10 Common Configuration Errors............................................................................................................................. 1103
18.10.1 A Loop Occurs After the RRPP Configuration is Complete............................................................................. 1103
18.10.2 After the Primary Port of a Transit Node on an RRPP Ring Network Becomes Down and Then Recovers, the
Transit Node and Other Transit Nodes Cannot Register With the Master Node............................................................1104
18.11 FAQ.......................................................................................................................................................................1104
18.11.1 What Should Be Noted When Configuring RRPP? ..........................................................................................1105
18.11.2 Can RRPP and VRRP Be Used Together on a Switch?.....................................................................................1105
18.11.3 Can Data Packets Be Blocked in the Control VLAN of RRPP?....................................................................... 1105
18.12 References.............................................................................................................................................................1105
19.7.2.8 (Optional) Configuring Association Between ERPS and Ethernet CFM......................................................... 1146
19.7.2.9 Checking the Configuration..............................................................................................................................1146
19.8 Maintaining ERPS.................................................................................................................................................. 1147
19.8.1 Clearing ERPS Statistics......................................................................................................................................1147
19.9 Configuration Examples......................................................................................................................................... 1147
19.9.1 Example for Configuring ERPS Multi-instance.................................................................................................. 1147
19.9.2 Example for Configuring Intersecting ERPS Rings............................................................................................ 1156
19.10 Common Configuration Errors............................................................................................................................. 1164
19.10.1 Traffic Forwarding Fails in an ERPS Ring........................................................................................................1164
19.11 References.............................................................................................................................................................1164
Ethernet is a simple, cost-effective, and easy-to-implement LAN technology and widely used.
NOTE
To distinguish Ethernet frames of the two types, Ethernet frames defined in RFC 894 are called
Ethernet_II frames and Ethernet frames defined in RFC 1042 IEEE 802.3 are called frames in this
document.
History
In 1972, when Robert Metcalfe (father of Ethernet) was hired by Xerox, his first job was to
connect computers in Xerox's Palo Alto Research Center (PARC) to the Advanced Research
Projects Agency Network (ARPANET), progenitor of the Internet. In 1972 also, Robert
Metcalfe designed a network to connect computers in the PARC. That network was based on
the Aloha system (a radio network system) and connected many computers in the PARC, so
Metcalfe originally named the network Alto Aloha network. The Alto Aloha network started
operating in May 1973, and Metcalfe then gave it an official name Ethernet, which is the
prototype of Ethernet. The network operated at a rate of 2.94 Mbit/s and used thick coaxial
cable as transmission medium. In June 1976, Metcalfe and his assistant David Boggs
published a paper Ethernet Distributed Packet Switching for Local Computer Networks. At
the end of 1977, Metcalfe and his three co-workers were gained a patent on "Multipoint data
communication system with collision detection." Since then, Ethernet was known to the
public.
As Ethernet technology develops rapidly, Ethernet has become the most widely used LAN
technology and replaced most of other LAN standards, such as token ring, fiber distributed
data interface (FDDI), and attached resource computer network (ARCNET). After rapid
development of 100M Ethernet in the 20th century, gigabit Ethernet and even 10G Ethernet
are now expanding their applications as promoted by international standardization
organizations and industry-leading enterprises.
Purpose
Ethernet is a universal communication protocol standard used for local area networks (LANs).
This standard defines the cable type and signal processing method used for LANs.
Ethernet networks are broadcast networks established based on the Carrier Sense Multiple
Access with Collision Detection (CSMA/CD) mechanism. Collisions restrict Ethernet
performance. Early Ethernet devices such as hubs work at the physical layer, and cannot
As a simple, cost-effective, and easy-to-implement LAN technology, Ethernet has become the
mainstream in the industry. Gigabit Ethernet and even 10G Ethernet make Ethernet the most
promising network technology.
Ethernet uses passive medium and transmits data in broadcast mode. It defines protocols used
on the physical layer and data link layer, interfaces between the two layers, and interfaces
between the data link layer and upper layers.
Physical Layer
The physical layer determines basic physical attributes of Ethernet, including data coding,
time scale, and electrical frequency.
The physical layer is the lowest layer in the Open Systems Interconnection (OSI) reference
model and is closest to the physical medium (communication channel) that transmits data.
Data is transmitted on the physical layer in binary bits (0 or 1). Transmission of bits depends
on transmission devices and physical media, but the physical layer does not refer to a specific
physical device or a physical media. Actually, the physical layer is located above a physical
medium and provides the data link layer with physical connections to transmit original bit
streams.
The physical layer and data link layer depend on each other. Therefore, different working
modes of the physical layer must be supported by corresponding data link layer modes. This
hinders Ethernet design and application.
Some organizations and vendors propose to divide the data link layer into two sub-layers: the
Media Access Control (MAC) sub-layer and the Logical Link Control (LLC) sub-layer. Then
different physical layers correspond to different MAC sub-layers, and the LLC sub-layer
becomes totally independent, as shown in Figure 1-1.
Network
layer
LLC layer
Data link
layer
MAC layer
Physical
layer
The following sections describe concepts involved in the physical layer and data link layer.
l 10BASE-2
l 10BASE-5
l 10BASE-T
l 10BASE-F
l 100BASE-T4
l 100BASE-TX
l 100BASE-FX
l 1000BASE-SX
l 1000BASE-LX
l 1000BASE-TX
l 10GBASE-T
l 10GBASE-LR
l 10GBASE-SR
In the preceding standards, 10, 100, 1000 and 10G stand for transmission rates, and BASE
represents baseband.
NOTE
Coaxial cables have a fatal defect: Devices are connected in series and therefore a single-point
failure can cause the breakdown of the entire network. As the physical standards of coaxial cables,
10BASE-2 and 10BASE-5 have fallen into disuse.
l 100M Ethernet cable standards
100M Ethernet is also called Fast Ethernet (FE). Compared with 10M Ethernet, 100M
Ethernet has a faster transmission rate at the physical layer, but they have no difference
at the data link layer.
Table 1-2 lists the 100M Ethernet cable standards.
Both 10Base-T and 100Base-TX apply to Category 5 twisted pair cables. They have
different transmission rates. The 10Base-T transmits data at 10 Mbit/s, whereas the
100Base-TX transmits data at 100 Mbit/s.
The 100Base-T4 is rarely used now.
l Gigabit Ethernet cable standards
Gigabit Ethernet is developed on the basis of the Ethernet standard defined in IEEE
802.3. Based on the Ethernet protocol, Gigabit Ethernet increases the transmission rate to
10 times the FE transmission rate, reaching 1 Gbit/s. Table 1-3 lists the Gigabit Ethernet
cable standards.
Gigabit Ethernet technology can upgrade the existing Fast Ethernet from 100 Mbit/s to
1000 Mbit/s.
The physical layer of Gigabit Ethernet uses 8B10B coding. In traditional Ethernet
technology, the data link layer delivers 8-bit data sets to its physical layer. After
processing the data sets, the physical layer sends them to the data link layer. The data
sets are still 8 bits after processing.
The situation is different on the Gigabit Ethernet of optical fibers. The physical layer
maps the 8-bit data sets transmitted from the data link layer to 10-bit data sets and then
sends them out.
l 10G Ethernet cable standards
10G Ethernet is currently defined in supplementary standard IEEE 802.3ae, which will
be combined with IEEE 802.3 later. Table 1-4 lists the 10G Ethernet cable standards.
1.2.3 CSMA/CD
l Definition of CSMA/CD
Ethernet was originally designed to connect computers and other digital devices on a
shared physical line. The computers and digital devices can access the shared line only in
half-duplex mode. Therefore, a mechanism of collision detection and avoidance is
required to prevent multiple devices from contending for the line. This mechanism is
called the carrier Sense Multiple Access with Collision Detection (CSMA/CD).
The concept of CSMA/CD is described as follows:
– Carrier sense (CS)
Before transmitting data, a station checks whether the line is idle to reduce chances
of collision.
Due to the limitation of the CSMA/CD algorithm, an Ethernet frame must be longer than or
equal to a specified length. On the Ethernet, the minimum frame length is 64 bytes, which is
determined jointly by the maximum transmission distance and the collision detection
mechanism.
The use of minimum frame length can prevent the following situation: station A finishes
sending the last bit, but the first bit does not arrive at station B, which is far from station A.
Station B considers that the line is idle and begins to send data, leading to a collision.
The upper layer protocol must ensure that the Data field of a packet contains at least 46 bytes,
so that the total length of the Data field, the 14-byte Ethernet frame header, and the 4-byte
check code at the frame tail can reach the minimum frame length, as shown in Figure 1-2. If
the Data field is less than 46 bytes, the upper layer must pad the field to 46 bytes.
The physical layer of Ethernet can work in either half-duplex or full-duplex mode.
l Half-duplex mode
The half-duplex mode has the following features:
– Data only be sent or received at any time.
– The CSMA/CD mechanism is used.
– The maximum transmission distance is limited.
Hubs work in half-duplex mode.
l Full-duplex mode
After Layer 2 switches replace hubs, the shared Ethernet changes to the switched
Ethernet, and the half-duplex mode is replaced by the full-duplex mode. As a result, the
transmission rate increases greatly, and the maximum throughput doubles the
transmission rate.
The full-duplex mode solves the problem of collisions and eliminates the need for the
CSMA/CD mechanism.
The full-duplex mode has the following features:
– Data can be sent and received at the same time.
– The maximum throughput doubles the transmission rate.
– This mode does not have the limitation on the transmission distance.
All network cards, Layer 2 devices (except hubs), and Layer 3 devices produced support
the full-duplex mode.
The following hardware components are required to realize the full-duplex mode:
– Full-duplex network cards and chips
– Physical media with separate data transmission and receiving channels
– Point-to-point connection
l Purpose of auto-negotiation
The earlier Ethernet adopts the 10 Mbit/s half-duplex mode; therefore, mechanisms such
as CSMA/CD are required to guarantee system stability. With development of
technologies, the full-duplex mode and 100M Ethernet emerge, which greatly improve
the Ethernet performance. How to achieve the compatibility between the earlier and new
Ethernet networks becomes a new problem.
The auto-negotiation technology is introduced to solve this problem. In auto-negotiation,
the devices on two ends of a link can choose the same operation parameters by
exchanging information. The main parameters to be negotiated are mode (half-duplex or
full-duplex), speed, and flow control. After the negotiation succeeds, the devices on two
ends operate in the negotiated mode and rate.
The auto-negotiation of duplex mode and speed is defined in the following standards:
– 100M Ethernet standard: IEEE 802.3u
In IEEE 802.3u, auto-negotiation is defined as an optional function.
16ms
1ms
Similar to an Ethernet network that uses twisted pair cables, an Ethernet network that
uses optical modules and optical fibers also implements auto-negotiation by sending
code streams. These code streams are called Configuration (C) code streams. Different
from electrical interfaces, optical interfaces do not negotiate traffic transmission rates
and they work in duplex mode. Optical interfaces only negotiate flow control parameters.
If auto-negotiation succeeds, the Ethernet card activates the link. Then, data can be
transmitted on the link. If auto-negotiation fails, the link is unavailable.
If one end does not support auto-negotiation, the other end that supports auto-negotiation
adopts the default operating mode, which is generally 10 Mbit/s half-duplex.
Auto-negotiation is implemented based on the chip design at the physical layer. As
defined in IEEE 802.3, auto-negotiation is implemented in any of the following cases:
– A faulty link recovers.
– A device is power recycled.
– Either of two connected devices resets.
– A renegotiation request packet is received.
In other cases, two connected devices do not always send auto-negotiation code streams.
Auto-negotiation does not use special packets or bring additional protocol costs.
l Auto-negotiation rules for interfaces
Two connected interfaces can communicate with each other only when they are working
in the same working mode.
– If both interfaces work in the same non-auto-negotiation mode, the interfaces can
communicate.
Collision Domain
On a legacy Ethernet network using thick coaxial cables as a transmission medium, multiple
nodes on a shared medium share the bandwidth on the link and compete for the right to use
the link. A network collision occurs when more than one node attempts to send a packet on
this link at the same time. The carrier sense multiple access with collision detection
(CSMA/CD) mechanism is used to solve the problem of collisions. Once a collision occurs on
a link, the CSMA/CD mechanism prevents data transmission on this link within a specified
time. Collisions are inevitable on an Ethernet network, and the probability that collision
occurs increases when more nodes are deployed on a shared medium. All nodes on a shared
medium constitute a collision domain. All the nodes in a collision domain compete for
bandwidth. Packets sent from a node, including unicast, multicast, and broadcast packets, can
reach all the other nodes in the collision domain.
Broadcast Domain
Packets are broadcast in a collision domain, which results in a low bandwidth efficiency and
degrades packet processing performance of network devices. Therefore, broadcasting of
packets must be restricted. For example, the ARP protocol sends broadcast packets to obtain
MAC addresses mapping specified IP addresses. The all 1s MAC address FFFF-FFFF-FFFF
is the broadcast MAC address. All nodes must process data frames with this MAC address as
the destination MAC address. A broadcast domain is a group of nodes, among which
broadcast packet from one node can reach all the other nodes. A network bridge forwards
unicast packets according to its MAC address table and forwards broadcast packets to all its
ports. Therefore, nodes connected to all ports of a bridge belong to a broadcast domain, but
each port belongs to a different collision domain.
The two types of MAC sub-layers are integrated in a network interface card. After the
network interface card is initialized, auto-negotiation is performed to choose an
operation mode, and then a MAC sub-layer is chosen according to the operation mode.
l Identifies stations at the data link layer.
The MAC sub-layer reserves a unique MAC address for each station.
The MAC sub-layer uses a MAC address to uniquely identify a station.
MAC addresses are managed by Institute of Electrical and Electronics Engineers (IEEE)
and allocated in blocks. An organization, generally a device manufacturer, obtains a
unique address block from IEEE. The address block is called an Organizationally Unique
Identifier (OUI). Using the OUI, the organization can allocate MAC addresses to
16777216 devices.
A MAC address has 48 bits, which are generally expressed in 12-digit dotted
hexadecimal notation. For example, the 48-bit MAC address
000000001110000011111100001110011000000000110100 is represented by
00e0:fc39:8034.
The first 6 digits in dotted hexadecimal notation stand for the OUI, and the last 6 digits
are allocated by the vendor. For example, in 00e0:fc39:8034, 00e0:fc is the OUI
allocated by IEEE to Huawei, and 39:8034 is the address number allocated by Huawei.
The second bit of a MAC address indicates whether the address is globally unique or
locally unique. Ethernet uses globally unique MAC addresses.
MAC addresses are divided into the following types:
– Physical MAC address
A physical MAC address is burned into hardware (such as a network interface card)
and uniquely identifies a terminal on the Ethernet.
– Broadcast MAC address
A broadcast MAC address indicates all the terminals on a network.
The 48 bits of a broadcast MAC address are all 1s, such as ffff.ffff.ffff.
– Multicast MAC address
A multicast MAC address indicates a group of terminals on a network.
The eighth bit of a multicast MAC address is 1, such as
000000011011101100111010101110101011111010101000.
l Transmits data over the data link layer. After receiving data from the LLC sub-layer, the
MAC sub-layer adds the MAC address and control information to the data, and then
transmits the data to the physical link. In the process, the MAC sub-layer provides other
functions such as the check function.
Data is transmitted at the data link layer as follows:
a. The upper layer delivers data to the MAC sub-layer.
b. The MAC sub-layer stores the data in the buffer.
c. The MAC sub-layer adds the destination MAC address and source MAC address to
the data, calculates the length of the data frame, and forms an Ethernet frame.
d. The Ethernet frame is sent to the peer according to the destination MAC address.
e. The peer compares the destination MAC address with entries in the MAC address
table.
n If a matching entry is found, the frame is accepted.
n If no matching entry is found, the frame is discarded.
SMAC It indicates the source MAC address. SMAC specifies the station
that sends the frame.
Type The 2-byte Type field identifies the upper layer protocol of the Data
field. The receiver can know the meaning of the Data field
according to the Type field.
Ethernet allows multiple protocols to coexist on a LAN. The
hexadecimal values in the Type field of an Ethernet_II frame stand
for different protocols.
l Frames with the Type field value 0800 are IP frames.
l Frames with the Type field value 0806 are Address Resolution
Protocol (ARP) frames.
l Frame with the Type field value 8035 are Reverse Address
Resolution Protocol (RARP) frames.
l Frames with the Type field value 8137 are Internetwork Packet
Exchange (IPx) and Sequenced Packet Exchange (SPx) frames.
Data The minimum length of the Data field is 46 bytes, which ensures
that the frame is at least 64 bytes in length. The 46-byte Data field is
required even if only 1-byte information needs to be transmitted.
If the payload of the Data field is less than 46 bytes, the Data field
must be padded to 46 bytes.
The maximum length of the Data field is 1500 bytes.
Field Description
As shown in Figure 1-5, the format of an IEEE 802.3 frame is similar to that of an
Ethernet_II frame except that the Type field is changed to the Length field in an IEEE
802.3 frame, and the LLC field and the Sub-Network Access Protocol (SNAP) field
occupy 8 bytes of the Data field.
Length The Length field specifies the number of bytes in the Data field.
SNAP The SNAP field consists of the Org Code field and the Type field.
Three bytes in the Org Code field are all 0s. The Type field
functions the same as the Type field in Ethernet_II frames.
NOTE
For description about other fields, see the description of Ethernet_II frames.
Based on the values of DSAP and SSAP, IEEE 802.3 frames can be divided into the
following types:
– If DSAP and SSAP are both 0xff, the IEEE 802.3 frame changes to a Netware-
Ethernet frame that carries NetWare data.
– If DSAP and SSAP are both 0xaa, the IEEE 802.3 frame changes to an
Ethernet_SNAP frame.
Ethernet_SNAP frames can be encapsulated with data of multiple protocols. The
SNAP can be considered as an extension of the Ethernet protocol. SNAP allows
vendors to define their own Ethernet transmission protocols.
The Ethernet_SNAP standard is defined by IEEE 802.1 to guarantee
interoperability between IEEE 802.3 LANs and Ethernet networks.
– Other values of DSAP and SSAP indicate IEEE 802.3 frames.
In an IEEE 802.3 frame, the LLC sub-layer defines useful features in addition to traditional
services of the data link layer. All these features are provided by the sub-fields of DSAP,
SSAP, and Control.
The following lists three types of point-to-point services:
l Connectionless service
Currently, the Ethernet implements this service.
l Connection-oriented service
A connection is set up before data is transmitted. The reliability of data is guaranteed
during the transmission.
l Connectionless data transmission with acknowledgement
A connection is not required before data transmission. The acknowledgement
mechanism is used to improve the reliability.
The following is an example that describes the applications of SSAP and DSAP. Assume that
terminals A and B use connection-oriented services. Data is transmitted in the following
process:
1. A sends a frame to B to require the establishment of a connection with B.
2. If B has enough resources, it returns an acknowledgement message that contains a
Service Access Point (SAP). The SAP identifies the connection required by A.
3. After receiving the acknowledgement message, A knows that B has set up a local
connection with A. After creating a SAP, A sends a message containing the SAP to B.
The connection is set up.
4. The LLC sub-layer of A encapsulates the data into a frame. The DSAP field is filled in
with the SAP sent by B; the SSAP field is filled in with the SAP created by A. Then the
LLC sub-layer sends the frame to the MAC sub-layer of A.
5. The MAC sub-layer of A adds the MAC address and the Length field into the frame, and
then sends the frame to the data link layer.
6. After the frame is received at the MAC sub-layer of B, the frame is transmitted to the
LLC sub-layer. The LLC sub-layer figures out the connection to which the frame belongs
according to the DSAP field.
7. After checking and acknowledging the frame based on the connection type, the LLC sub-
layer of B transmits the frame to the upper layer.
8. After the frame reaches its destination, A instructs B to release the connection by
sending a frame. At this time, the communications end.
receiving an Ethernet frame, the device searches for the destination MAC address of the frame
in the MAC table to determine through which port to forward this frame.
1. When the Layer 2 device receives an Ethernet frame, it records the source MAC address
and the inbound port of the frame in the MAC address table to guide Layer 2 forwarding.
If the same MAC address entry exists in the MAC address table, the device resets the
aging time of the entry. An aging mechanism is used to maintain entries in the MAC
address table. Entries that are not updated within the aging time are deleted from the
MAC address table.
2. The device looks up the MAC address table based on the destination MAC address of the
Ethernet frame. If no matching entry is found, the device forwards the frame to all its
ports except the port from which the frame is received. If the destination MAC address
of the frame is a broadcast address, the device forwards the frame to all its ports except
the port from which the frame is received. If a matching entry is found in the MAC
address table, the device forwards the frame to the port specified in the entry.
According to the preceding forwarding process, a Layer 2 device maintains a MAC address
table and forwards Ethernet frames based on destination MAC addresses. This forwarding
mechanism fully uses network bandwidth and improves network performance. Figure 1-6
shows an example of Layer 2 switching
PC A Port 2
Port 1
Port 3
PC C
MAC C MAC A Type Data MA
CC
MA
CA
Typ
e D
a ta
Although Layer 2 devices can isolate collision domains, they cannot isolate broadcast
domains. As described in the Layer 2 forwarding process, broadcast packets and packets that
do not match nay entry in the MAC address table are forwarded to all ports (except the port
from which the frame is received). Packet broadcasting consumes much bandwidth on
network links and brings security issues. Routers can isolate broadcast domains, but high
costs and low forwarding performance of routers limit the application of routers in Layer 2
forwarding. The virtual local area network (VLAN) technology is introduced to solve this
problem in Layer 2 switching.
intra-LAN traffic accounted for most of network traffic and little traffic was transmitted
between LANs. A few routers were enough to handle traffic transmission between LANs.
As data communication networks expand and more services emerge on the networks,
increasing traffic needs to be transmitted between networks. Routers cannot adapt to this
development trend because of their high costs, low forwarding performance, and small port
quantities. New devices capable of high-speed Layer 3 forwarding are required. Layer 3
switches are such devices.
Routers use CPUs to complete Layer 3 forwarding, whereas Layer 3 switches use hardware to
complete Layer 3 forwarding. Hardware forwarding has a much higher performance than
software forwarding (CPU based forwarding). Switches cannot replace routers in all scenarios
because routers provide rich interface types, good service class control, and powerful routing
capabilities that Layer 3 switches cannot provide.
Figure 1-7 shows the MAC addresses, IP addresses, and gateway addresses of the hosts,
MAC address of the Layer 3 switch, and IP addresses of Layer 3 interfaces configured in
VLANs on the Layer 3 switch. The process of a ping from PC A to PC B is as follows (the
Layer 3 switch has not created any MAC address entry):
1. PC A finds that the destination IP address 10.2.1.2 (PC B) is on a different network
segment than its own IP address. Therefore, PC A sends an ARP request to request for
the MAC address mapping the gateway address 10.1.1.1.
2. L3 Switch receives the ARP request from PC A and finds that 10.1.1.1 is the IP address
of its own Layer 3 interface. L3 switch then sends an ARP reply to PC A. The ARP reply
carries the MAC address of its Layer 3 interface (MAC Switch). In addition, L3 switch
adds the mapping between the IP address and MAC address of PC A (10.1.1.2 and MAC
A) to its ARP table. The IP address and MAC address of PC A are carried in the ARP
request sent from PC A.
3. After PC A receives the ARP reply from the gateway (L3 Switch), it sends an ICMP
request packet. In the ICMP request packet, the destination MAC address (DMAC) is
MAC Switch; the source MAC address (SMAC) is MAC A; the source IP address (SIP)
is 10.1.1.2; the destination IP address (DIP) is 10.2.1.2.
4. When L3 Switch receives the ICMP request packet, it updates the matching MAC
address entry according to the source MAC address and VLAN ID of the packet. Then
L3 Switch looks up the MAC address table according to the destination MAC address
and VLAN ID of the packet and finds the entry with the MAC address of its Layer 3
interface, the packet needs to be forwarded at Layer 3. Then L3 Switch looks up Layer 3
forwarding entries of the switching chip to guide Layer 3 forwarding.
5. The switching chip loops up Layer 3 forwarding entries according to the destination IP
address of the packet. The entry lookup fails because no entry has been created. The
switching chip then sends the packet to the CPU for software processing.
6. The CPU looks up the software routing table according to the destination IP address of
the packet and finds a directly connected network segment, network segment of PC B.
Then the CPU looks up its ARP table, and the lookup still fails. Therefore, L3 Switch
sends an ARP request to all ports in VLAN 3 (network segment of PC B), to request the
MAC address mapping IP address 10.2.1.2.
7. After PC B receives the ARP request from L3 Switch, it checks the ARP request and
finds that 10.2.1.2 is its own IP address. PC B then sends an ARP reply carrying its
MAC address (MAC B). Meanwhile, PC B records the mapping between the IP address
and MAC address of L3 Switch (10.2.1.1 and MAC Switch) in its ARP table.
8. When L3 Switch receives the ARP reply from PC B, it records the mapping between the
IP address and MAC address of PC B (10.2.1.2 and MAC B) in its ARP table. L3 Switch
changes the destination MAC address in the ICMP request packet sent from PC A to
MAC B and changes the source MAC address to its own MAC address (MAC Switch),
and then sends the ICMP request to PC B. The Layer 3 forwarding entry containing the
IP address and MAC address of PC B, outbound VLAN ID, and outbound port is also
added to the Layer 3 forwarding of the switching chip. Subsequent packets sent from PC
A to PC B are directly forwarded according to this hardware entry.
9. When PC B receives the ICMP request packet from L3 Switch, it sends an ICMP reply
packet to PC A. The forwarding process for the ICMP reply packet is similar to that for
the ICMP request packet except that the ICMP reply packet is directly forwarded to PC
A by the switching chip according to the hardware entry. The reason is that L3 Switch
has obtained the mapping between the IP address and MAC address of PC A and added
matching Layer 3 forwarding entry to the L3 forwarding table of the switching chip.
10. Subsequent packets exchanged between PC A and PC B are forwarded following the
same process: MAC address table lookup, Layer 3 forwarding table lookup, and
hardware forwarding by the switching chip.
In a summary, a Layer 3 switch provides high-speed Layer 3 switching through one routing
process (forwarding the first packet to the CPU and creating a hardware Layer 3 forwarding
entry) and multiple switching processes (hardware forwarding of subsequent packets).
Network
Aggregation/Core Layer
Access Layer ……
Terminal ……
Ethernet technology can connect various terminals to a network to allow employees to surf on
the Internet, make IP calls, access shared resources on servers, and print files using remote
printers over the network. The IT administrators of the enterprise can manage the network in a
centralized manner.
1.5 References
The following table lists the references for this document.
This chapter describes how to configure the Media Access Control (MAC) address table on
your switch. A MAC address table is a Layer 2 forwarding table that stores MAC addresses
learned from other devices. Your switch maintains a MAC address table for Layer 2 data
forwarding. Each workstation and server has a unique MAC address. When the switch
exchanges data with connected workstations and servers, the switch records their MAC
addresses, access interfaces, and VLAN IDs to facilitate unicast forwarding.
2.1 Introduction to the MAC Address
2.2 Principles
2.3 Application
2.4 Configuration Task Summary
2.5 Configuration Notes
2.6 Default Configuration
2.7 Configuring a MAC Address Table
A MAC address uniquely identifies a device. A network device maintains a MAC address
table for Layer 2 data forwarding.
2.8 Maintaining the MAC Address Table
2.9 Configuration Examples
2.10 Common Misconfigurations
2.11 FAQs
2.12 Reference
2.2 Principles
2.2.1 Definition and Classification of MAC Address Entries
Definition of a MAC Address Table
A MAC address table records MAC addresses that have been learned by the switch, interfaces
on which MAC addresses are learned, and VLANs that the interfaces belong to. Before
forwarding a packet, the switch looks up the destination MAC address of the packet in the
MAC address table. If a MAC address entry matches the destination MAC address, the switch
forwards the packet from the outbound interface recorded in the MAC address entry. If no
matching MAC address entry exists, the switch broadcasts the packet to all interfaces in the
corresponding VLAN, except the interface that received the packet.
Dynamic MAC address l Dynamic MAC address l You can check whether
entry entries are obtained by data is forwarded
learning the source MAC between two connected
addresses of packets devices by checking the
received by an interface, dynamic MAC address
and can be aged. entries.
l Dynamic MAC address l You can obtain the
entries are lost after a number of users
system restart, LPU hot communicating on an
swap, or LPU reset. interface by checking
the number of specified
dynamic MAC address
entries.
Static MAC address entry l Static MAC address When static MAC address
entries are manually entries are configured,
configured and delivered authorized users can use
to each LPU. Static MAC network resources and
address entries never age. other users are prevented
l The static MAC address from using the bound MAC
entries saved in the addresses to initiate attacks.
system are not lost after a
system restart, LPU hot
swap, or LPU reset.
l After an interface is
statically bound to a
MAC address, other
interfaces discard packets
from that source MAC
address.
l Each static MAC address
entry can have only one
outbound interface.
l Statically binding an
interface to a MAC
address does not affect the
learning of dynamic MAC
address entries on the
interface.
0011-0022-0034 10 GE3/0/1
0011-0022-0034 20 GE2/0/4
0011-0022-0035 30 Eth-Trunk 20
Functions
The MAC address table is used for unicast forwarding of packets. In Figure 2-1, when
packets sent from PC1 to PC3 reach the switch, the switch searches its MAC address table for
an entry matching the destination MAC address and VLAN ID of the packet. In this example,
it finds that MAC3 and VLAN 10 correspond to the outbound interface Port3. The switch
then forwards packets to PC3 through Port3.
PC1 Swtich
Port2
Port1
PC3
Port3
MAC3 MAC1 VLAN10 Type Data MAC
3 MAC
1 VLAN
10 T
y pe
Data
PortA
Data frame
HostA SwitchA
In Figure 2-2, HostA sends a data frame to SwitchA. When receiving the data frame,
SwitchA obtains the MAC address of HostA and the VLAN ID from the frame.
l If the MAC address entry does not exist in the MAC address table, SwitchA adds an
entry with the MAC address, PortA, and VLAN ID to the MAC address table.
l If the MAC address entry exists in the MAC address table, SwitchA resets the aging
timer of the MAC address entry.
NOTE
l If PortA is a member interface of Eth-TrunkA, the outbound interface in the MAC address entry is
Eth-TrunkA.
l If the default VLAN is not changed, the VLAN ID of all MAC address entries will be VLAN 1.
l The switch will not learn the BPDU MAC addresses (addresses in the 0180-c200-xxxx format).
The switch will only learn and update MAC address entries when receiving data frames.
When the switch is equipped with multiple LPUs, MAC address entries learned by each LPU
are synchronized to other LPUs to prevent unnecessary broadcast packets and improve the
packet forwarding efficiency.
1 2 3 4
0 T T T T
t1 t2 t3 Time
t2: The hit flag of the entry t3: The entry with MAC
with MAC address 00e0-fc00- address 00e0-fc00-0001
0001 and VLAN ID 1 is set to and VLAN ID 1 is deleted
0, but the entry is not deleted. because its hit flag is 0.
In Figure 2-3, the aging time of MAC address entries is set to T. At t1, packets with source
MAC address 00e0-fc00-0001 and VLAN ID 1 arrive at an interface, which has joined VLAN
1. If no entry with MAC address 0e0-fc00-0001 and VLAN 1 exists in the MAC address
table, an entry is created with the hit flag of 1.
At each T, the switch checks all of its dynamic MAC address entries.
1. At t2, the switch finds that the hit flag of the MAC address entry is 1 and sets it to 0. The
MAC address entry is not deleted at this time.
2. If no packet with source MAC address 00e0-fc00-0001 and VLAN 1 enters the device
between t2 and t3, the hit flag of the matching MAC address entry remains 0.
3. At t3, the switch finds that the hit flag of the matching MAC address entry is 0. The
switch then deletes the MAC address entry because the aging time of the MAC address
entry has expired.
A dynamic MAC address entry can be stored on the switch for a period of T to 2T.
You can set the aging (T) time of MAC address entries to control the life cycle of dynamic
MAC address entries in a MAC address table.
NOTE
l By default, the switch does not age the MAC address entries that match the destination MAC
addresses of packets. Use the mac-address destination hit aging enable command to configure the
switch to age MAC address entries regardless of whether any packets destined for that MAC address
are received.
l When the interface frequently alternates between Up and Down, MAC address entries may be not
aged within two aging periods. If this occurs, you are advised to check the link quality or run the
port link-flap protection enable command to configure link flapping protection.
Disabling MAC After MAC address learning is l In most cases, attack packets
address learning disabled on a VLAN or an enter the switch through the
on a VLAN or an interface, the switch does not same interface. Therefore,
interface learn new dynamic MAC address both methods are effective in
entries on that VLAN or preventing these attack
interface. The learned dynamic packets from using up MAC
MAC address entries will age out address entry resources on the
when the aging time expires. switch.
They can also be manually l Limiting the number of MAC
deleted using commands. address entries that can be
learned from a VLAN or an
interface can also be used to
limit the number of access
users.
Network
Port1
MAC:11-22-33 SwitchA
NOTE
MAC address flapping detection allows a switch to detect changes in traffic transmission paths based on
learned MAC addresses, but the switch does not know the entire network topology. It is recommended
that this function be used on the interface connected to a user network where loops may occur.
If an authorized device associated with the correct entry is powered off, the MAC address entry of
another device can be learned. This will prevent the original entry to being learned when it is powered
back on.
In Figure 2-6, Port1 of the switch is connected to a server. To prevent unauthorized users
from connecting to the switch using the server's MAC address, you can set a high MAC
address learning priority for Port1.
Switch
MAC address-triggered ARP entry update enables a device to update the outbound interface
in an ARP entry immediately after the outbound interface in the corresponding MAC address
entry changes. In Figure 2-8, MAC address-triggered ARP entry update is enabled. At T2,
after the outbound interface in the MAC address entry is changed to GE1/0/2, the outbound
interface in the ARP entry is immediately changed to GE1/0/2. This prevents communication
interruptions encountered in the previous example.
NOTE
The MAC address-triggered ARP entry update function is often used on networks where devices in a
Virtual Router Redundancy Protocol (VRRP) group connect to servers (for more information, see 2.3.3
Configuring MAC Address-Triggered ARP Entry Update to Improve VRRP Switchover
Performance), or Layer 3 traffic switching scenarios where STP and Smart Link are used.
2.3 Application
Switch
MAC address l Checks all interfaces and The switch can only report alarms
flapping detection VLANs on a switch. after detecting a loop but cannot
l Is easy to configure as it eliminate the loop.
requires only one command.
This function is enabled by
default.
SwitchA SwitchB
(VRRP Master) (VRRP Backup)
Port1 Port1
Port1 Port2
Before After
Switch
switchover switchover
HostA
In Figure 2-11, a server is connected to a VRRP group. Generally, a server selects only one
network interface to send packets, only selecting another if there is a network or traffic
transmission failure.
l SwitchA functions as the master device, and the server uses Port2 to send packets.
SwitchA learns the ARP entry and MAC address entry matching the server on Port2, and
SwitchB learns the server MAC address on Port1.
l When the server detects that Port2 is faulty, the server sends packets through Port1.
SwitchA then learns the server MAC address on Port1. If the server does not send an
ARP Request packet to SwitchA, SwitchA maintains the ARP entry on Port2. In this
case, packets sent from SwitchA to the server are still forwarded through Port2 until the
ARP entry is aged out.
To solve the problem, configure MAC address-triggered ARP entry update on the switches.
This function enables a switch to update the corresponding ARP entry when the outbound
interface in a MAC address entry changes.
Port2 Port2
Port1 Port1
Port1 Port2
Server
Bind static MAC Configure static MAC address entries 2.7.1.1 Configuring a
addresses and to bind MAC addresses and interfaces, Static MAC Address
interfaces improving security of authorized users. Entry
Flexibly control aging For stable networks, set a long aging 2.7.1.3 Setting the
of dynamic MAC time or set the aging time as 0 to not Aging Time of
address entries age dynamic MAC address entries. For Dynamic MAC
other scenarios, set a short aging time. Address Entries
Control MAC address Certain network attacks aim to exhaust 2.7.1.4 Disabling MAC
learning MAC address entries. To protect Address Learning
against this kind of attack, disable 2.7.1.5 Configuring the
MAC address learning or limit the MAC Address
number of MAC address entries that Limiting Function
can be learned.
Monitor the MAC You can configure various alarm 2.7.1.6 Enabling MAC
address table functions about MAC addresses to Address Alarm
monitor the usage of MAC address Functions
entries.
l Alarm threshold for MAC address
usage: When the MAC address
usage exceeds the upper threshold,
the switch generates an alarm.
When the MAC address usage falls
below the lower threshold, the
switch reports a clear message.
l MAC address learning or aging
alarm: When a MAC address entry
is learned or aged out, the switch
generates an alarm.
l MAC address hash conflict alarm:
If the switch cannot learn MAC
address entries even when its MAC
address table is not full, the switch
generates an alarm.
Detect MAC address MAC address flapping occurs when a 2.7.3 Configuring
flapping MAC address is learned by two MAC Address
interfaces in the same VLAN and the Flapping Detection
MAC address entry learned later
overrides the earlier one.
MAC address flapping detection
enables a switch to check whether any
MAC address flaps exist between
interfaces and determine whether a
loop exists. When MAC address
flapping occurs, the switch sends an
alarm to the NMS. The network
maintenance personnel can locate the
loop based on the alarm information
and historical records for MAC address
flapping. This greatly simplifies
network maintenance. If the network
connected to the switch does not
support loop prevention protocols,
configure the switch to shut down the
interfaces where MAC address
flapping occurs to reduce the impact of
MAC address flapping on the network.
Discard packets with A faulty host or device may send 2.7.4 Configuring the
an all-0 source or packets with an all-0 source or Switch to Discard
destination MAC destination MAC address to a switch. Packets with an All-0
address Configure the switch to discard such MAC Address
packets and send an alarm to the NMS
to help the network administrator
locate the faulty host or device.
Discard packets in After a DHCP user goes offline, the 2.7.5 Configuring the
which destination MAC address entry of the user ages Switch to Discard
MAC addresses do out. If there are packets destined for Packets That Do Not
not match the MAC this user, the system cannot find the Match Any MAC
address table MAC address entry. The system then Address Entry
broadcasts the packets to all interfaces
in the VLAN. In this case, all users
receive the packets, which brings
security risks. After the switch is
configured to discard packets that do
not match any MAC address entry, the
switch discards such packets. This
function mitigates the burden on the
switch and enhances security.
License Support
The MAC address table is a basic feature of a switch and is not under license control.
Version Support
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
Context
A switch cannot distinguish packets from authorized and unauthorized users when it learns
source MAC addresses of packets to maintain the MAC address table. Therefore, if an
unauthorized user uses the MAC address of an attacker as the source MAC address of attack
packets and connects to another interface of the switch, the switch will learn an incorrect
MAC address entry. As a result, packets destined for the authorized user are forwarded to the
unauthorized user. To improve security, you can create static MAC address entries to bind
MAC addresses of authorized users to specified interfaces. This prevents unauthorized users
from intercepting data of authorized users.
Static MAC address entries have the following characteristics:
l A static MAC address entry will not be aged out. After being created, a static MAC
address entry will not be lost after a system restart, and can only be deleted manually.
l The VLAN bound to a static MAC address entry must already exist and be assigned to
the interface bound to the entry.
l The MAC address in a static MAC address entry must be a unicast MAC address, and
cannot be a multicast or broadcast MAC address.
l A static MAC address entry takes precedence over a dynamic MAC address entry. The
system discards packets with flapping static MAC addresses.
Procedure
Step 1 Run:
system-view
NOTE
For details on how to configure a static MAC address entry for a VSI, see mac-address static vlanif and
mac-address static vsi.
----End
Context
To protect a device or network against MAC address attacks from hackers, configure MAC
addresses of untrusted users as blackhole MAC addresses. The device then directly discards
received packets where the source or destination MAC addresses match the blackhole MAC
address entries.
Procedure
Step 1 Run:
system-view
----End
Context
Setting the aging time for dynamic MAC address entries helps control the number of learned
MAC address entries. The aging time needs to be set properly for dynamic MAC address
entries so that the switch can delete unneeded MAC address entries. On network topologies
that change frequently, a shorter aging time makes the switch more sensitive to these network
changes. On more stable network topologies, a longer aging time can be used.
Procedure
Step 1 Run:
system-view
NOTE
When the aging time is 0, MAC address entries are fixed. To clear the fixed MAC address entries, set
the aging time to a non-0 value. The system then automatically deletes the MAC address entries after
twice the aging time.
----End
Background
The MAC address learning function is enabled by default on the switch. When receiving a
data frame, the switch records the source MAC address of the data frame and the interface
that receives the data frame in a MAC address entry. When receiving data frames destined for
this MAC address, the switch forwards the data frames through the outbound interface
according to the MAC address entry. The MAC address learning function reduces broadcast
packets on a network. After MAC address learning is disabled on an interface, the switch does
not learn source MAC addresses of data frames received by the interface. Dynamic MAC
address entries learned on the interface are not immediately deleted, but will be removed after
they are aged out or are manually deleted.
Procedure
l Disable MAC address learning on an interface.
a. Run:
system-view
When MAC address learning is disabled in a VLAN and an interface in the VLAN and the
discard action is configured for the interface, the interface does not discard packets from this
VLAN. For example, MAC address learning is disabled in VLAN 2 but enabled in VLAN 3; Port1
has MAC address learning disabled and performs the discard action; Port1 has been added to
VLAN 2 and VLAN 3. In this scenario, Port1 discards packets from VLAN 3 but forwards packets
from VLAN 2.
l Disable MAC address learning for a specified flow.
A traffic classifier is created and the traffic classifier view is displayed, or the
existing traffic classifier view is displayed.
and is the logical operator between the rules in the traffic classifier, which
means that:
○ If the traffic classifier contains ACL rules, packets match the traffic
classifier only when they match one ACL rule and all the non-ACL rules.
○ If the traffic classifier does not contain any ACL rules, packets match the
traffic classifier only when they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier as long
as they match one of rules in the classifier.
By default, the relationship between rules in a traffic classifier is OR.
iii. Configure matching rules according to the following table.
NOTE
The if-match ip-precedence and if-match tcp commands are only valid for IPv4
packets.
The X1E series cards do not support traffic classifiers with advanced ACLs containing
the ttl-expired field or user-defined ACLs.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name }, the
X1E card does not support nest top-most vlan-id vlan-id, remark 8021p [ 8021p-
value | inner-8021p ], remark cvlan-id cvlan-id, or remark vlan-id vlan-id.
iv. Run:
quit
Exit from the traffic classifier view.
A traffic policy is created and the traffic policy view is displayed, or the view
of an existing traffic policy is displayed.
If no matching order is specified when you create a traffic policy, the default
matching order is config.
After a traffic policy is applied, you cannot use the traffic policy command to
modify the matching order of traffic classifiers in the traffic policy. To modify
the matching order, delete the traffic policy, create a traffic policy, and specify
the matching order.
When creating a traffic policy, you can specify the matching order of matching
rules in the traffic policy. The matching order can be either automatic order or
configuration order:
○ If automatic order is used, traffic classifiers are matched based on the
priorities of their types. Traffic classifiers based on Layer 2 and Layer 3
information, Layer 2 information, and Layer 3 information are matched in
descending order of priority. The traffic classifier with the highest priority
is matched first. If data traffic matches multiple traffic classifiers, and the
traffic behaviors conflict with each other, the traffic behavior
corresponding to the highest priority rule takes effect.
○ If configuration order is used, traffic classifiers are matched based on
their priorities. The traffic classifier with the highest priority is matched
first. A smaller priority value indicates a higher priority of a traffic
classifier. If precedence-value is not specified, the system allocates a
priority to the traffic classifier. The allocated priority value is [(max-
precedence + 5) / 5] x 5, where max-precedence specifies the maximum
priority of a traffic classifier. For details about the priority of a traffic
classifier, refer to the traffic classifier command.
iii. Run:
2) Run:
traffic-policy policy-name global { inbound | outbound } [ slot
slot-id ]
Context
The MAC address limiting function controls the number of access users to protect MAC
addresses from hackers. When hackers send a large number of forged packets with different
source MAC addresses to the switch, the MAC address table of the switch will be filled with
useless MAC address entries. As a result, the switch cannot learn source MAC addresses of
valid packets.
You can limit the number of MAC address entries learned on the switch. When the number of
learned MAC address entries reaches the limit, the switch does not learn new MAC address
entries. You can also configure an action to take when the number of MAC address entries
reaches the limit. This prevents exhaustion of MAC address entries and improves network
security.
Procedure
l Limit the number of MAC address entries learned on an interface.
a. Run:
system-view
c. Run:
mac-limit maximum max-num
The maximum number of MAC address entries that can be learned on the interface
is set.
By default, the number of MAC address entries learned on an interface is not
limited.
d. Run:
mac-limit action { discard | forward }
The action to take when the number of learned MAC address entries reaches the
limit is configured.
By default, the switch discards packets with new MAC addresses when the number
of learned MAC address entries reaches the limit.
e. Run:
mac-limit alarm { disable | enable }
The switch is configured to or not to generate an alarm when the number of learned
MAC address entries reaches the limit.
By default, the switch generates an alarm when the number of learned MAC
address entries reaches the limit.
l Limit the number of MAC address entries learned in a VLAN.
a. Run:
system-view
The maximum number of MAC address entries learned in the VLAN is set.
By default, the number of MAC address entries learned in a VLAN is not limited.
d. Run:
mac-limit action { discard | forward }
The action to take when the number of learned MAC address entries reaches the
limit is configured.
By default, the switch discards packets with new MAC addresses when the number
of learned MAC address entries reaches the limit.
SA boards of S series and F series cards do not support the discard action.
e. Run:
mac-limit alarm { disable | enable }
The switch is configured to or not to generate an alarm when the number of learned
MAC address entries reaches the limit.
By default, the switch generates an alarm when the number of learned MAC
address entries reaches the limit.
The maximum number of MAC address entries learned in the VSI is set.
By default, the number of MAC address entries learned in a VSI is not limited.
d. Run:
mac-limit action { discard | forward }
The action to take when the number of learned MAC address entries reaches the
limit is configured.
By default, the switch discards packets with new MAC addresses when the number
of learned MAC address entries reaches the limit.
The switch is configured to or not to generate an alarm when the number of learned
MAC address entries reaches the limit.
By default, the switch sends an alarm when the number of learned MAC address
entries reaches the limit.
l Limit the number of MAC address entries learned in a slot.
a. Run:
system-view
By default, the number of MAC address entries learned in a slot is not limited.
c. Run:
mac-limit slot slot-id action { discard | forward }
The action to take when the number of learned MAC address entries reaches the
limit is configured.
By default, the switch discards packets with new MAC addresses when the number
of learned MAC address entries reaches the limit.
d. Run:
mac-limit slot slot-id alarm { disable | enable }
The switch is configured to or not to generate an alarm when the number of learned
MAC address entries reaches the limit.
By default, the switch sends an alarm when the number of learned MAC address
entries reaches the limit.
----End
Context
When alarm functions are enabled, the switch sends an alarm when the MAC address usage
exceeds the threshold, a MAC address changes, or a MAC address hash conflict occurs. The
alarms enable you to know the running status of the MAC address table in real time.
MAC address entry resources are key resources for the switch. Monitoring the use of the
MAC address table is important for ensuring normal system operations. The switch provides
three alarm functions for MAC address entries.
MAC address An alarm is generated when the MAC address usage is higher than
usage out of the 80%, and a clear alarm is generated when the MAC address usage is
specified range lower than 70%.
A threshold-exceeding alarm indicates that the MAC address usage
is too high. You are advised to redistribute traffic or expand your
network.
The clear alarm will only be generated if a threshold-exceeding
alarm has already been generated.
MAC address An alarm is generated when a MAC address entry is learned or aged.
learning or aging The switch does not send an alarm when a MAC address entry is
learned or aged in a VSI.
MAC address hash To improve the MAC address forwarding performance, the MAC
conflict address table of the switch is saved using a hash chain. When
multiple MAC addresses map the same key value in accordance with
the hash algorithm, some MAC addresses may not be learned. This
is called a MAC address hash conflict.
When this occurs, MAC address entries cannot be learned even
though the MAC address table is not full.
A MAC address hash conflict does not affect traffic forwarding. The
switch broadcasts traffic destined for the conflicting MAC addresses,
occupying bandwidth and system resources. You can replace the
device or network adapter of a terminal to prevent MAC address
hash conflicts.
NOTE
The SA boards of S series do not support the alarm function.
Procedure
l Enable the alarm function for MAC address usage out of the specified range.
a. Run:
system-view
The upper and lower alarm thresholds for the MAC address usage are set.
By default, the upper and lower alarm thresholds for the MAC address usage are 80%
and 70% respectively. An alarm is generated when the MAC address usage is higher than
80%, and a clear alarm is generated when the MAC address usage is lower than 70%.
l Enable the alarm function for MAC address learning or aging.
a. Run:
system-view
The interval at which the switch checks MAC address learning or aging is set.
By default, the switch checks MAC address learning or aging at intervals of 10s.
c. Run:
interface interface-type interface-number
The alarm function for MAC address learning and aging is enabled on the interface.
By default, the alarm function for MAC address learning or aging is disabled.
The number of MAC address hash conflict alarms reported per interval is set.
By default, 10 MAC address hash conflict alarms are reported per interval.
d. (Optional) Run:
mac-address trap hash-conflict interval interval-time
The interval at which MAC address hash conflict alarms are reported is set.
By default, MAC address hash conflict alarms are reported at intervals of 60s.
Context
A device usually uses a hash algorithm to learn MAC address entries to improve MAC
address forwarding performance. When multiple MAC addresses map the same key value, a
MAC address hash conflict may occur. This means that the device may fail to learn many
MAC addresses and can only broadcast packets destined for these MAC addresses, leading to
heavy increase in broadcast traffic. In this case, use an appropriate hash algorithm to mitigate
the hash conflict.
A proper MAC hash algorithm can reduce MAC address hash conflicts. You are not advised
to change the default hash algorithm unless you have special requirements.
NOTE
l MAC addresses on an interface card are stored using the following modes:
l Hash bucket
The interface card that uses the hash bucket performs hash calculation for VLAN IDs and
MAC addresses in MAC address entries to be stored and obtains hash bucket indexes. The
MAC addresses with the same hash bucket index are stored in the same hash bucket. If a hash
bucket with the maximum storage space cannot accommodate learned MAC addresses of the
hash bucket, a hash conflict occurs and MAC addresses cannot be stored. The maximum
number of MAC addresses learned by the interface card through the hash bucket may be not
reached.
l TCAM chip
The interface card that uses the TCAM mode stores all learned MAC addresses in the TCAM
chip in sequence. As long as the number of learned MAC addresses does not reach the
maximum value, MAC addresses can be learned. In TCAM mode, the device must be
equipped with the enhanced interface card that uses the TCAM chip.
SA, EA, and FA cards use the hash bucket and do not provide the TCAM chip, so the maximum
number of MAC addresses learned by the SA, EA, or FA card may be not reached. Other interface
cards excluding SA, EA, and FA cards use the TCAM mode by default.
l X1E series cards do not support this configuration.
l You are not advised to change the default hash algorithm unless you have special requirements.
l An appropriate hash algorithm can reduce hash conflicts, but cannot completely prevent them.
l After the hash algorithm is changed, restart the card to make the configuration take effect.
Procedure
Step 1 Run:
system-view
----End
Context
When the switch transmits heavy traffic, MAC address entries increase accordingly. However,
the switch has a limited space for MAC address entries. If the MAC address table size cannot
meet service requirements, service running efficiency is reduced. LPUs of the switch provide
the extended entry space register. You can configure an extended MAC entry resource mode
to increase the MAC address table size.
Procedure
Step 1 (Optional) Run:
display resource-assign configuration
Step 2 Run:
system-view
Step 3 Run:
assign resource-mode slot slot-id mode enhanced-mac
NOTE
After the extended MAC entry resource mode is configured, you must restart the LPU of the switch to make
the configuration take effect.
----End
Run the display resource-assign configuration command to check the configured and
current extended entry resource modes.
NOTE
SA cards of S series do not support this configuration.
Context
MAC address flapping occurs when a MAC address is learned by two interfaces in the same
VLAN and the MAC address entry learned later overrides the earlier one. To prevent MAC
address flapping, set different MAC address learning priorities for interfaces. When interfaces
learn the same MAC address, the MAC address entry learned by the interface with the highest
priority overrides the MAC address entries learned by the other interfaces.
NOTE
Procedure
1. Run:
system-view
2. Run:
interface interface-type interface-number
2.7.2.2 Preventing MAC Address Flapping Between Interfaces with the Same
Priority
Context
Preventing MAC address flapping between interfaces with the same priority can improve
network security.
If the switch is configured to prevent MAC address flapping between interfaces with the same
priority, the following problem may occur: If the network device (such as a server) connected
to an interface of switch is powered off and the same MAC address is learned on another
interface, the switch cannot learn the correct MAC address on the original interface after the
network device is powered on.
NOTE
Procedure
Step 1 Run:
system-view
The device is configured to prevent MAC address flapping between interfaces with the same
priority.
By default, the device allows MAC address flapping between interfaces with the same
priority.
----End
Context
Global MAC address flapping detection enables the switch to check all MAC addresses to
detect MAC address flapping.
NOTE
l Configuring an action to take for MAC address flapping on an uplink interface may cause
interruptions for important uplink traffic. Therefore, configuring an action is not recommended.
l The switch enabled with MAC address flapping detection can detect loops on a single point, but
cannot obtain the entire network topology. If the network connected to the switch supports loop
prevention protocols, use the loop prevention protocols instead of MAC address flapping detection
to eliminate loops.
l If only a few VLANs on the user network encounter loops, it is recommended that you set the loop
prevention action to quit-vlan.
l If a large number of VLANs on the user network encounter loops, it is recommended that you set the
loop prevention action to error-down to improve system performance. Additionally, the remote
switch can detect the error-down event so that it can quickly switch any traffic to a backup link.
Procedure
Step 1 Run:
system-view
One or more VLANs are excluded from MAC address flapping detection.
By default, the system performs MAC address flapping detection in all VLANs. In special
scenarios, a MAC address flapping event does not need to be handled and you can exclude a
VLAN from MAC address flapping detection. For example, when a switch is connected to a
server with two network adapters in active-active mode, the server's MAC address may be
learned on two interfaces of the switch.
Step 4 (Optional) Run:
mac-address flapping detection vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> |
all } security-level { high | middle | low }
The security level of MAC address flapping detection is configured in one or more specified
VLANs.
By default, the security level of MAC address flapping detection is middle. That is, the
system considers that MAC address flapping occurs when a MAC address flaps 10 times.
Step 5 (Optional) Run:
mac-address flapping aging-time aging-time
An action is specified for on the interface if MAC address flapping occurs on the
interface.
By default, no action is configured. If an interface is connected to a user network that
does not support loop prevention protocols, MAC address flapping may occur when
there is a loop on the user network. Use this command to configure an action to take
when MAC address flapping is detected on the interface. If the action is set to error-
down, the switch shuts down the interface. If the action is set to quit-vlan, the switch
removes the interface from the VLAN where the MAC address flapping occurs. This
action can only shut down one interface per aging interval.
NOTE
– Do not use the quit-vlan action together with dynamic VLAN functions such as GVRP,
HVRP.
– When a MAC address flaps between an interface configured with the error-down action and
an interface configured with the quit-vlan action, the former interface is shut down and the
latter interface is removed from the VLAN. If a loop could be generated between interfaces,
configure the same action for all the interfaces.
3. Run:
mac-address flapping action priority priority
----End
Context
After MAC address flapping detection is configured in a VLAN, the device checks all MAC
addresses in the VLAN to detect MAC address flapping. You can configure the device to
block the flapping MAC address or interface where MAC address flapping occurs, or to report
an alarm.
NOTE
Procedure
Step 1 Run:
system-view
When detecting MAC address flapping in a VLAN, the device can take either of the following
actions:
l Block the interface or MAC address. When block-mac is specified in the command, the
device does not block the interface but blocks traffic from the flapping MAC address.
l Send an alarm to the NMS.
----End
NOTE
Before using the reset loop-detect eth-loop command, run the display loop-detect eth-loop command
to check the blocked interface or MAC address.
Context
A faulty network device may send packets with an all-0 source or destination MAC address to
the switch. You can configure the switch to discard such packets and send an alarm to the
network management system (NMS) to help the network administrator locate the faulty
device.
You can configure the switch to discard packets with an all-0 source or destination MAC
address.
Procedure
Step 1 Run:
system-view
Step 2 Run:
drop illegal-mac enable
By default, the switch does not discard packets with an all-0 MAC address.
The switch is configured to send an alarm to the NMS when receiving packets with an all-0
MAC address.
By default, the switch does not send an alarm when receiving packets with an all-0 MAC
address.
NOTE
The drop illegal-mac alarm command allows the switch to generate only one alarm. You must run the
drop illegal-mac alarm command again if more than one alarm is required.
----End
Context
After a DHCP user goes offline, the MAC address entry of the user ages out. If there are
packets destined for this user, the switch cannot find the MAC address entry and therefore
broadcasts the packets to all interfaces in the VLAN. In this case, all users receive the packets,
which brings security risks. To reduce the load on the switch and enhance security, configure
the switch to discard packets that do not match any MAC address entries.
After the switch is configured to discard packets that do not match any MAC address entries,
such packets are discarded, which reduces the load on the switch and enhances system
security.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
Step 3 Run:
mac-miss action discard
The switch is configured to discard packets that do not match any MAC address entries.
By default, the switch broadcasts the packets that do not match any MAC address entries in a
VLAN.
----End
Context
MAC address-triggered ARP entry update enables the switch to update the corresponding
ARP entry when the outbound interface in a MAC address entry changes.
Each network device uses an IP address to communicate with other devices. On an Ethernet
network, a host, switching device, or routing device sends and receives Ethernet data frames
based on MAC addresses. The ARP protocol maps IP addresses to MAC addresses. When
two devices on different network segments communicate with each other, they need to map IP
addresses to MAC addresses and outbound interfaces according to ARP entries.
Generally, MAC address entries and ARP entries are consistent. In some scenarios, ARP
entries may not be updated immediately after MAC address entries are updated. In Figure
2-12, SwitchA and SwitchB run VRRP to enhance reliability, and the VRRP group functions
as the gateway of the server. VRRP packets are transmitted on the direct link between the two
switches. The server selects one of network interfaces to send packets. When the server
detects a network failure or traffic forwarding failure, it switches traffic to the other interface.
l SwitchA functions as the master device, and the server uses Port2 to send packets.
SwitchA learns the ARP entry and MAC address entry on Port2, and SwitchB learns the
server MAC address on Port1.
l When the server detects that Port2 is faulty, the server sends packets through Port1.
SwitchA then learns the server MAC address on Port1. If the server does not send an
ARP Request packet to SwitchA, SwitchA still maintains the ARP entry on Port2. In this
case, packets sent from SwitchA to the server are still forwarded through Port2 until the
ARP entry is aged out.
To solve the problem, configure MAC address-triggered ARP entry update on SwitchA and
SwitchB. This function enables the switches to update the corresponding ARP entry when the
outbound interface in a MAC address entry changes.
Figure 2-12 Networking for configuring MAC address-triggered ARP entry update upon a
VRRP active/standby switchover
Port2 Port2
Port1 Port1
Port1 Port2
Server
Procedure
Step 1 Run:
system-view
NOTE
l This command takes effect only for dynamic ARP entries. Static ARP entries are not updated when
the corresponding MAC address entries change.
l The MAC address-triggered ARP entry update function does not take effect after ARP entry fixing
is enabled using the arp anti-attack entry-check enable command.
l After the MAC address-triggered ARP entry update function is enabled, the switch updates an ARP
entry only when the outbound interface in the corresponding MAC address entry changes.
----End
After the port bridge function is enabled on the interface, the interface forwards such a packet
if the destination MAC address of the packet is in the MAC address table.
The port bridge function is used in the following scenarios:
l The switch connects to devices that do not support Layer 2 forwarding. When users
connected to the devices need to communicate, the devices send packets of the users to
the switch for packet forwarding. Because source and destination MAC addresses of the
packets are the same, a port bridge needs to be enabled on the interface so that the
interface can forward such packets.
l The switch is used as an access device in a data center and is connected to servers. Each
server is configured with multiple virtual machines. The virtual machines need to
transmit data to each other. If servers perform data switching for virtual machines, the
data switching speed and server performance are reduced. To improve the data
transmission rate and server performance, enable a port bridge on the interfaces
connected to the servers so that the switch forwards data packets between the virtual
machines.
NOTE
This configuration is not supported on the ES1D2G48SBC0 and ES1D2G48TBC0 boards of S7700 and
the EH1D2G48TBC0 and EH1D2G48SBC0 boards of S9700.
Procedure
Step 1 Run:
system-view
----End
Context
The re-marking function enables the switch to change the specified fields of packets
according to traffic classification rules. After the re-marking action is configured, the switch
still processes outgoing packets based on the original priority but the downstream device
processes the packets based on the re-marked priority. You can also configure an action to re-
mark the destination MAC address of packets in a traffic behavior so that the downstream
device can identify packets and provide differentiated services.
NOTE
Procedure
1. Configure a traffic classifier.
a. Run:
system-view
A traffic classifier is created and the traffic classifier view is displayed, or the
existing traffic classifier view is displayed.
and is the logical operator between the rules in the traffic classifier, which means
that:
n If the traffic classifier contains ACL rules, packets match the traffic classifier
only when they match one ACL rule and all the non-ACL rules.
n If the traffic classifier does not contain any ACL rules, packets match the
traffic classifier only when they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier as long as
they match one of rules in the classifier.
By default, the relationship between rules in a traffic classifier is OR.
c. Configure matching rules according to the following table.
NOTE
The if-match ip-precedence and if-match tcp commands are only valid for IPv4 packets.
The X1E series cards do not support traffic classifiers with advanced ACLs containing the
ttl-expired field or user-defined ACLs.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name }, the X1E card
does not support nest top-most vlan-id vlan-id, remark 8021p [ 8021p-value |
inner-8021p ], remark cvlan-id cvlan-id, or remark vlan-id vlan-id.
d. Run:
quit
quit
A traffic policy is created and the traffic policy view is displayed, or the view of an
existing traffic policy is displayed. If you do not specify a matching order for traffic
classifiers in the traffic policy, the default matching order config is used.
After a traffic policy is applied, you cannot use the traffic policy command to
change the matching order of traffic classifiers in the traffic policy. To change the
matching order, delete the traffic policy and create a new traffic policy with the
required matching order.
When creating a traffic policy, you can specify the matching order of traffic
classifiers in the traffic policy. The traffic classifiers can be matched in automatic
order (auto) or configuration order (config):
n If the matching order is auto, traffic classifiers are matched in descending
order of priorities pre-defined in the system: traffic classifiers based on Layer
2 and Layer 3 information, traffic classifiers based on Layer 2 information, and
finally traffic classifiers based on Layer 3 information. If a data flow matches
multiple traffic classifiers that are associated with conflicting traffic behavior,
the traffic behavior associated with the traffic classifier of the highest priority
takes effect.
n If the matching order is config, traffic classifiers are matched in descending
order of priorities either manually or dynamically allocated to them. This is
determined by the precedence value; a traffic classifier with a smaller
precedence value has a higher priority and is matched earlier. If you do not
specify precedence-value when creating a traffic classifier, the system
allocates a precedence value to the traffic classifier. The allocated value is
[(max-precedence + 5)/5] x 5, where max-precedence is the greatest value
among existing traffic classifiers.
NOTE
If more than 128 rate limiting ACL rules are configured in the system, traffic policies must
be applied to the interface view, VLAN view, and system view in sequence. To update an
ACL rule, delete all the associated traffic policies from the interface, VLAN, and system.
Then, reconfigure the traffic policies and reapply them to the interface, VLAN, and system.
b. Run:
classifier classifier-name behavior behavior-name
Display MAC address entries learned in a display mac-address dynamic vlan vlan-id
VLAN.
Display statistics on MAC address entries. l Display the total statistics: display mac-
address total-number
l Display the statistics of various types of
MAC address entries: display mac-
address summary
Purpose Command
Purpose Command
Purpose Command
Display alarms about MAC address Run the display trapbuffer command to
flapping. check whether the following alarms exist:
l OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12
l OID 1.3.6.1.4.1.2011.5.25.160.3.7
l OID 1.3.6.1.4.1.2011.5.25.160.3.8
Networking Requirements
In Figure 2-13, the user PC with MAC address 0002-0002-0002 connects to the GE1/0/1 of
the Switch, and the server with MAC address 0004-0004-0004 connects to GE1/0/2 of the
Switch. The user PC and server communicate in VLAN 2.
l To prevent unauthorized users from using the user PC's MAC address to initiate attacks,
configure a static MAC address entry for the user PC on the Switch.
l To prevent unauthorized users from using the server's MAC address to intercept
information sent to other users, configure a static MAC address entry for the server on
the Switch.
NOTE
This example applies to scenarios with a small number of users. When there are many users, use
dynamic MAC address entries. For details, see Example for Configuring Port Security.
Figure 2-13 Example network for configuring static MAC address entries
Network
Switch
GE1/0/1 GE1/0/2
VLAN 2
PC:2-2-2 Server:4-4-4
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLAN 2 and add the interfaces connected to the PC and server for Layer 2
forwarding.
2. Configure static MAC address entries to prevent attacks from unauthorized users.
Procedure
Step 1 Create static MAC address entries.
# Create VLAN 2 and add GigabitEthernet1/0/1 and GigabitEthernet1/0/2 to VLAN 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 2
[Switch-vlan2] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
# Run the display mac-address static vlan 2 command in any view to check whether the
static MAC address entries are successfully added to the MAC address table.
[Switch] display mac-address static vlan 2
-------------------------------------------------------------------------------
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
0002-0002-0002 2/- GE1/0/1 static
0004-0004-0004 2/- GE1/0/2 static
-------------------------------------------------------------------------------
Total items displayed = 2
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 2
#
mac-address static 0002-0002-0002 GigabitEthernet1/0/1 vlan 2
mac-address static 0004-0004-0004 GigabitEthernet1/0/2 vlan 2
#
return
Networking Requirements
In Figure 2-14, the Switch receives packets from an unauthorized PC that has the MAC
address of 0005-0005-0005 and belongs to VLAN 3. This MAC address entry can be
configured as a blackhole MAC address entry so that the Switch filters out packets from the
unauthorized PC.
Figure 2-14 Example network for configuring a blackhole MAC address entry
Switch
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN for Layer 2 forwarding.
2. Configure a blackhole MAC address entry to filter out packets from the unauthorized
PC.
Procedure
Step 1 Configure a blackhole MAC address entry.
# Create VLAN 3.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 3
[Switch-vlan3] quit
-------------------------------------------------------------------------------
Total items displayed = 1
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 3
#
mac-address blackhole 0005-0005-0005 vlan 3
#
return
Networking Requirements
In Figure 2-15, user network 1 and user network 2 connect to the Switch through the LSW,
and the LSW connects to the Switch through GE1/0/1. User network 1 and user network 2
belong to VLAN 10 and VLAN 20 respectively. On the Switch, MAC address limiting can be
configured on GE1/0/1 to control the number of access users.
Figure 2-15 Example network for configuring MAC address limiting on an interface
Network
Switch
GE1/0/1
LSW
User User
network 1 network 2
VLAN 10 VLAN 20
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add the downlink interface to the VLANs to implement Layer 2
forwarding.
2. Configure MAC address limiting on the interface to control the number of access users.
Procedure
Step 1 Configure MAC address limiting.
# Create VLAN 10 and VLAN 20, and add GigabitEthernet1/0/1 to VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 10 20
# Run the display mac-limit command in any view to check whether the MAC address
limiting rule is successfully configured.
<Switch> display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 20
mac-limit maximum 100
#
return
Networking Requirements
In Figure 2-16, user network 1 is connected to GE1/0/1 of the Switch through LSW1, and
user network 2 is connected to GE1/0/2 of the Switch through LSW2. GE1/0/1 and GE1/0/2
belong to VLAN 2. To control the number of access users, configure MAC address limiting in
VLAN 2.
Network
Switch
GE1/0/1 GE1/0/2
LSW LSW
User User
network 1 VLAN 2 network 2
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure MAC address limiting.
# Configure the following MAC address limiting rule in VLAN 2: In the following
configuration, a maximum of 100 MAC addresses can be learned. When the number of
learned MAC address entries reaches the limit, the Switch forwards packets with new source
MAC address entries and sends an alarm, but does not add the MAC address entries to the
MAC address table.
[Switch] vlan 2
[Switch-vlan2] mac-limit maximum 100 action forward alarm enable
[Switch-vlan2] return
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
vlan 2
mac-limit maximum 100 action forward
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
return
Networking Requirements
In Figure 2-17, the enterprise establishes a backbone network. MAC address limiting needs to
be configured in VSIs on the PEs for access control of CEs, ensuring the backbone network
security.
GE1/0/0 GE1/0/0
VLANIF10 VLANIF40
10.1.1.1/24 10.1.1.2/24
CE1 CE2
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Create VLANs on the CE, PE, and P devices, add interfaces to respective VLANs, and assign
IP addresses to VLAN interfaces.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan 10
[CE1-vlan10] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 255.255.255.0
[CE1-Vlanif10] quit
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan 40
[CE2-vlan40] quit
[CE2] interface vlanif 40
[CE2-Vlanif40] ip address 10.1.1.2 255.255.255.0
[CE2-Vlanif40] quit
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 40
[CE2-GigabitEthernet1/0/0] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 10 20
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 4.4.4.4 255.255.255.0
[PE1-Vlanif20] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet2/0/0] quit
# Configure the P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface vlanif 20
[P-Vlanif20] ip address 4.4.4.2 255.255.255.0
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 5.5.5.5 255.255.255.0
[P-Vlanif30] quit
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type trunk
[P-GigabitEthernet1/0/0] port trunk allow-pass vlan 20
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type trunk
[P-GigabitEthernet2/0/0] port trunk allow-pass vlan 30
[P-GigabitEthernet2/0/0] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30 40
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 5.5.5.2 255.255.255.0
[PE2-Vlanif30] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type trunk
[PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 40
[PE2-GigabitEthernet2/0/0] quit
# Configure the P.
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 5.5.5.2 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, run the display ip routing-table command on PE1, P,
and PE2. The command output shows that PE1, P, and PE2 have learned routes from each
other. The display on PE1 is used as an example.
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
# Configure the P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
After the configuration is complete, run the display mpls ldp session command on PE1, P,
and PE2. You can see that a peer relationship is set up between PE1 and P, and between P and
PE2. The peer relationship is in Operational state. Run the display mpls lsp command to
check the LSP status. The display on PE1 is used as an example.
[PE1] display mpls ldp session
# Configure PE1.
[PE1] mpls ldp remote-peer 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] remote-ip 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 or
PE2. You can see that the peer relationship between PE1 and PE2 is in Operational state. That
is, the peer relationship is set up.
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer 1.1.1.1
[PE2-vsi-a2-ldp] quit
[PE2-vsi-a2] quit
# Configure PE2.
[PE2] interface vlanif 40
[PE2-Vlanif40] l2 binding vsi a2
[PE2-Vlanif40] quit
***VSI Name : a2
Administrator VSI : no
Isolate Spoken : disable
VSI Index : 0
PW Signaling : ldp
Member Discovery Style : static
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
P2P VSI : disable
Create Time : 0 days, 0 hours, 5 minutes, 1 seconds
VSI State : up
VSI ID : 2
*Peer Router ID : 3.3.3.3
Negotiation-vc-id : 2
primary or secondary : primary
ignore-standby-state : no
VC Label : 4098
Peer Type : dynamic
Session : up
Tunnel ID : 0x1
Broadcast Tunnel ID : 0x1
**PW Information:
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
vlan batch 30 40
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 5.5.5.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
l2 binding vsi a2
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 40
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 5.5.5.0 0.0.0.255
#
return
Server
MAC:11-22-33
GE1/0/1 VLAN 10
Switch
GE1/0/2 PC4
MAC:11-22-33
LSW
VLAN10
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.
# Run the display current-configuration command in any view to check whether the MAC
address learning priority is set correctly.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
mac-learning priority 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
Networking Requirements
As shown in Figure 2-19, a loop occurs on a user network because two LSWs are incorrectly
connected using a network cable. This loop causes MAC address flapping on the Switch.
To detect loops in a timely manner, configure MAC address flapping detection on the Switch.
This function enables the Switch to detect loops by checking whether a MAC address flaps
between interfaces. To remove loops on the network, configure an action against MAC
address flapping on the interfaces.
Network
Switch
GE1/0/1 GE1/0/2
LSW1 LSW2
Incorrect connection
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Enable MAC address flapping detection.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] mac-address flapping detection
Step 3 Configure the action against MAC address flapping as error-down on the GE1/0/1 and
GE1/0/2.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] mac-address flapping action error-down
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] mac-address flapping action error-down
[Switch-GigabitEthernet1/0/2] quit
Step 4 Enable error-down interfaces to go Up automatically and set the automatic recovery time. In
the following configuration, it is set to 500s.
[Switch] error-down auto-recovery cause mac-address-flapping interval 500
When the MAC address learned on the GE moves to GE1/0/2, GE1/0/2 is shut down
automatically. You can run the display mac-address flapping record command to view
MAC address flapping records.
-------------------------------------------------------------------------------
Total items on slot 1: 1
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
error-down auto-recovery cause mac-address-flapping interval 500
#
mac-address flapping aging-time 500
#
interface GigabitEthernet1/0/1
mac-address flapping action error-down
#
interface GigabitEthernet1/0/2
mac-address flapping action error-down
#
return
Fault Symptom
MAC address entries cannot be learned on an interface, causing Layer 2 forwarding failures.
Procedure
Step 1 Check the configuration on the device.
Whether the Run the display vlan vlan- Run the vlan vlan-id command in the
VLAN that the id command in any view. If system view to create the VLAN.
interface belongs the system displays the
to has been message "Error: The
created VLAN does not exist", the
VLAN has not been created.
Whether the Run the display vlan vlan- Run one of the following commands in
interface id command in any view to the interface view to add the interface
transparently check whether the interface to the VLAN.
transmits packets name exists. If not, the l Run the port trunk allow-pass
from the VLAN interface does not vlan command if the interface is a
transparently transmit trunk interface.
packets from the VLAN.
l Run the port hybrid tagged vlan
or port hybrid untagged vlan
command if the interface is a
hybrid interface.
l Run the port default vlan
command if the interface is an
access interface.
Whether MAC Run the display this | Run the undo mac-address learning
address learning is include learning command disable command in the interface view
disabled on the in the interface view and or VLAN view to enable MAC address
interface or in the VLAN view to check learning.
VLAN whether the mac-address
learning disable
configuration exists. If so,
MAC address learning is
disabled on the interface or
in the VLAN.
Whether MAC Run the display this | l Run the mac-limit command in the
address limiting is include mac-limit interface view or VLAN view to
configured on the command in the interface increase the maximum number of
interface and in view and VLAN view to learned MAC address entries.
the VLAN check whether MAC l Run the undo mac-limit command
address limiting is in the interface view or VLAN
configured. If so, the view to remove the MAC address
maximum number of limit.
learned MAC address
entries is set.
Whether port Run the display this | l Run the undo port-security
security is include port-security enable command in the interface
configured on the command in the interface view to disable port security.
interface view to check whether port l Run the port-security max-mac-
security is configured. num command in the interface
view to increase the maximum
number of secure dynamic MAC
address entries on the interface.
The interface connects to another network Run the display mac-address command
device. on the connected device to view MAC
address entries. Use the displayed MAC
address entries to locate the interface
connected to the malicious host. If the
located interface is connected to another
network device, repeat this step until you
find the malicious host.
Scenario Solution
----End
2.11 FAQs
Versions earlier than Run the loop-detect eth-loop Run the undo loop-detect eth-
V200R001 support alarm-only in the VLAN view. loop alarm-only in the VLAN
only MAC address view.
flapping detection in
a VLAN.
V200R001 and later Run the mac-address flapping Run the undo mac-address
versions support detection in the system view. flapping detection in the
global MAC address system view.
flapping detection in
all VLANs. By
default, global MAC
address flapping
detection is enabled.
If the alarm is reported multiple times, find the first and second interfaces where the MAC
address is learned. Shut down the second interface to locate the loop. Then adjust the
networking to remove the loop.
Check whether MAC address flapping occurs to rapidly determine a loop on a network.
Generally, a loop occurs if a MAC address flapping alarm is generated consecutively.
Versions earlier than Run the loop-detect eth-loop Run the undo loop-detect eth-
V200R001 support alarm-only in the VLAN view. loop alarm-only in the VLAN
only MAC address view.
flapping detection in
a VLAN.
V200R001 and later Run the mac-address flapping Run the undo mac-address
versions support detection in the system view. flapping detection in the
global MAC address system view.
flapping detection in
all VLANs. By
default, global MAC
address flapping
detection is enabled.
Check whether MAC address flapping occurs according to the following table.
Version Command
2.12 Reference
The following table lists the references of this document.
This chapter describes how to configure link aggregation. Link aggregation bundles multiple
Ethernet links into a logical link to increase bandwidth, improve reliability, as well as load
balance traffic.
Definition
Ethernet link aggregation, also called Eth-Trunk, bundles multiple physical links to form a
logical link to increase link bandwidth. The bundled links implement redundancy, increasing
reliability.
Purpose
As the network scale expands, users have increasingly high requirements on the bandwidth
and reliability of the Ethernet backbone network. Originally, to increase the bandwidth, users
used high-speed cards or devices with high-speed interface cards to replace old interface cards
or devices. This solution, however, is costly and inflexible.
Link aggregation increases bandwidth by bundling a group of physical interfaces into a single
logical interface, without the need to upgrade hardware. In addition, link aggregation provides
link backup mechanisms, greatly improving link reliability.
Link aggregation has the following advantages:
l Increased bandwidth
The bandwidth of the link aggregation interface is the sum of bandwidth of member
interfaces.
l Higher reliability
When an active link fails, traffic on this active link is switched to another active link,
improving reliability of the link aggregation interface.
l Load balancing
In a link aggregation group (LAG), traffic is load balanced among active links of
member interfaces.
3.2 Principles
3.2.1 Concepts
In Figure 3-1, DeviceA and DeviceB are connected through three Ethernet physical links.
These three Ethernet physical links are bundled into an Eth-Trunk link, increasing bandwidth
and reliability.
The upper threshold for the number of active interfaces does not apply to the manual load
balancing mode.
l Lower threshold for the number of active interfaces
When the number of active interfaces falls below the lower threshold, the Eth-Trunk
goes Down. This ensures that an active Eth-Trunk has the minimum required bandwidth.
For example, if the Eth-Trunk is required to provide a minimum bandwidth of 2 Gbit/s
and each member link's bandwidth is 1 Gbit/s, the minimum number of Up member links
must be set to 2 or larger.
l Link aggregation mode
There are two link aggregation modes: manual and Link Aggregation Control Protocol
(LACP). Table 3-1 compares the two modes.
Data forwarding Generally, all links are Generally, only some links
active links. If one active are active links. If an
link fails, traffic is load active link fails, the
balanced among the system selects a link
remaining active links. among inactive links to
replace it. This ensures
that the total number of
links performing data
forwarding remains
unchanged.
Fault detection This mode can only detect This mode can detect
member link member link
disconnections, but cannot disconnections and other
detect other faults such as faults such as link layer
link layer faults and faults and incorrect link
incorrect link connections. connections.
NOTE
For more information, see 3.2.2 Link Aggregation in Manual Mode and 3.2.3 Link Aggregation in
LACP Mode.
l Link aggregation modes supported by the device
– Intra-card: Member interfaces of an Eth-Trunk are located on the same card.
DeviceA DeviceB
D%
E%
Eth-Trunk
D%+E%=100%
Eth-Trunk
DeviceC
Concepts
l LACP system priority
LACP system priorities are set on devices at both ends of an Eth-Trunk. In LACP mode,
active member interfaces selected by both devices must be consistent with each other;
otherwise, an LAG cannot be established. To ensure consistency between active member
interfaces at both ends, set a higher priority for one device. The remote device will select
active member interfaces based on the priority. A smaller LACP system priority value
indicates a higher LACP system priority.
l LACP interface priority
Interface LACP priorities are used to prioritize interfaces of an Eth-Trunk. Interfaces
with higher priorities are selected as active interfaces. A smaller LACP interface priority
value indicates a higher LACP interface priority.
l M:N backup of member interfaces
In LACP mode, LACP is used to negotiate parameters to determine active links in an
LAG. This is also called the M:N mode, where M is the number of active links and N is
the number of backup links. This mode guarantees high reliability and allows traffic to
be load balanced among the active links.
In Figure 3-4, M+N links with the same attributes (in the same LAG) are set up between
two devices. When data is transmitted over the aggregated link, traffic is only load
balanced between the active links; no data is transmitted over the backup links.
Therefore, the actual bandwidth of the aggregated link is the sum of the active links'
bandwidth, and the maximum bandwidth of the aggregated link is the total bandwidth
between the active and backup links.
If one of active links fails, LACP selects a link from the backup links to replace the
faulty link. The actual bandwidth remains the same, but the maximum bandwidth of the
aggregated link is reduced accordingly.
Eth-Trunk
Eth-Trunk 1 Eth-Trunk 1
Active link
Backup link
M:N backup is mainly applied to ensure a consistent bandwidth between two devices. If
no available backup link is found and the number of active links is smaller than the lower
threshold for the number of active interfaces, the system shuts down the LAG.
NOTE
The device with the higher system priority becomes the Actor. If the two devices have the same system
priority, the device with a smaller MAC address functions as the Actor.
LACPDU
l LACP preemption
When LACP preemption is enabled, interfaces with higher priorities in an LAG will
always be the active interfaces as long as they are available.
In Figure 3-8, Port 1 and Port 2 are active interfaces because their LACP priorities are
higher, and Port 3 is used as the backup interface.
Active link
Backup link
Background
A data flow is a group of data packets with one or more identical attributes. The attributes
include the source MAC address, destination MAC address, source IP address, destination IP
address, source TCP/UDP port number, and destination TCP/UDP port number.
Forwarding Principle
In Figure 3-9, an Eth-Trunk is deployed in the data link layer between the LLC and MAC
sub-layers.
LLC
Data link Eth-Trunk
layer
MAC
Physical layer PHY
The Eth-Trunk module maintains a forwarding table that consists of the following entries:
l HASH-KEY value
The HASH-KEY value is calculated through the hash algorithm based on the MAC
address or IP address in a data packet.
l Interface number
Eth-Trunk forwarding entries are related to the number of member interfaces in an Eth-
Trunk. Different HASH-KEY values map to different outbound interfaces.
For example, an Eth-Trunk supports a maximum of eight member interfaces. If physical
interfaces 1, 2, 3, and 4 are bundled into an Eth-Trunk, the Eth-Trunk forwarding table
contains four entries, as shown in Figure 3-10. In the Eth-Trunk forwarding table, the
HASH-KEY values are 0, 1, 2, 3, 4, 5, 6, and 7, and the corresponding interface numbers
are 1, 2, 3, 4, 1, 2, 3, and 4.
HASH-KEY 0 1 2 3 4 5 6 7
PORT 1 2 3 4 1 2 3 4
The Eth-Trunk module forwards a packet according to the Eth-Trunk forwarding table:
1. The Eth-Trunk module receives a packet from the MAC sub-layer, and then extracts its
source MAC address/IP address or destination MAC address/IP address.
2. The Eth-Trunk module calculates the HASH-KEY value using the hash algorithm.
3. Using the HASH-KEY value, the Eth-Trunk module searches the Eth-Trunk forwarding
table for the interface number, and then sends the packet from the corresponding
interface.
DeviceA DeviceA
Eth-Trunk Eth-Trunk
CSS CSS
l This function is only valid for known unicast packets, and does not work with unknown unicast
packets, broadcast packets, and multicast packets.
l Before configuring an Eth-Trunk to preferentially forward local traffic, ensure that member
interfaces of the local Eth-Trunk have sufficient bandwidth to forward local traffic; otherwise, traffic
may be discarded.
3.2.6 E-Trunk
Enhanced Trunk (E-Trunk) is an extension of LACP. It controls and implements link
aggregation among multiple devices. E-Trunk implements device-level link reliability, instead
of the card-level link reliability implemented by LACP.
E-Trunk is mainly applied to a scenario where a CE is dual-homed to a VPLS, VLL, or PWE3
network. Without E-Trunk, a CE can connect to only one PE by using an Eth-Trunk link. If
the Eth-Trunk or PE fails, the CE cannot communicate with the PE. By using E-Trunk, the CE
can be dual-homed to PEs to protect PEs and links between the CE and PEs, enabling device-
level protection.
Eth-Trunk20
E-Trunk1
CE
Eth-Trunk10 PE2
Basic Concepts
l LACP system priority
LACP system priorities are used to differentiate priorities of devices at both ends of an
Eth-Trunk link. A smaller value indicates a higher LACP system priority.
l System ID
In LACP, the system ID is used to determine the priorities of the two devices at both
ends of an Eth-Trunk link if their LACP priorities are the same. A smaller system ID
indicates a higher priority. By default, the system ID is the MAC address of an Eth-
Trunk.
To enable a CE to consider the PEs as a single device, you must configure the same
system LACP priority and system ID for the PEs at both ends of an E-Trunk link.
l E-Trunk priority
The E-Trunk priority determines the master/backup status of two devices in an LAG. A
device with a higher E-Trunk priority becomes the master device, and the other one
becomes the backup device. A smaller E-Trunk priority value indicates a higher E-Trunk
priority.
l E-Trunk ID
An E-Trunk ID is an integer that identifies an E-Trunk.
l Working mode
The working mode depends on the working mode of the Eth-Trunk added to the E-
Trunk. The Eth-Trunk can work in one of the following modes:
– Automatic
– Forced master
– Forced backup
l Timeout interval
The master and backup devices in an E-Trunk periodically send hello packets to each
other. If the backup device does not receive any hello packets within the timeout interval,
it becomes the master device.
In normal situations:
n PE1 functions as the master and Eth-Trunk 10 of PE1 enters the master state
with a link status of Up.
n PE2 functions as the backup and Eth-Trunk 10 of PE2 enters the backup state
with a link status of Down.
If the link between the CE and PE1 fails, the following occurs:
i. PE1 sends an E-Trunk packet containing information about faulty Eth-Trunk
10 of PE1 to PE2.
ii. After receiving the E-Trunk packet, PE2 finds that Eth-Trunk 10 on PE1 is
faulty. Eth-Trunk 10 on PE2 becomes the master. Through LACP negotiation,
Eth-Trunk 10 on PE2 becomes Up.
The Eth-Trunk status on PE2 becomes Up, and traffic from the CE is
forwarded through PE2, preventing traffic interruption.
If PE1 fails, the following occurs:
i. If the PEs are configured with BFD, PE2 detects that the BFD session status
becomes Down and then switches to be the master, and Eth-Trunk 10 on PE2
enters the master state.
ii. If the PEs are not configured with BFD, PE2 will not receive any E-Trunk
packets from PE1 before the timeout, causing PE2 to take over as the master.
Eth-Trunk 10 on PE2 will also function as the master.
Through LACP negotiation, Eth-Trunk 10 on PE2 becomes Up. The traffic of
the CE is forwarded through PE2. This protects traffic destined for the remote
CE.
l Sending and receiving of E-Trunk packets
E-Trunk packets carrying the source IP address and port number configured on the local
device are sent through UDP. E-Trunk packets are sent in the following situations:
– The packet sending timer times out.
– The configurations change. For example, the E-Trunk priority, packet sending
interval, timeout interval multiplier, or the source/destination IP address of the E-
Trunk changes, or member Eth-Trunks are added or deleted.
– A member Eth-Trunk fails or recovers.
E-Trunk packets need to carry their timeout interval. The remote device uses this interval
as the timeout interval of the local device.
l BFD
BFD enables a device to quickly detect a fault on the remote device based on the timeout
interval of received packets. The IP address of the remote device needs to be specified on
the local device, and a BFD session needs to be established to detect the reachability of
the route to the remote device. Then the E-Trunk can detect any fault detected by BFD.
l Switchback mechanism
If the Eth-Trunk on the local device in master state goes Down or the local device fails,
the remote device becomes the master and the member Eth-Trunk becomes Up.
When the local device recovers, the local Eth-Trunk enters the LACP negotiation state.
After LACP informs the local E-Trunk that the negotiation capability is Up, the local
device starts the switchback delay timer. After the switchback delay timer expires, the
local Eth-Trunk becomes the master and goes Up after LACP negotiation.
E-Trunk Constraints
Using Figure 3-12 as an example, to improve reliability links between the CE and PEs and
guarantee that traffic is properly switched between these links, pay attention to the following
points:
l The configurations at both ends of the E-Trunk link must be consistent. The Eth-Trunks
linked directly to the PEs and the CE must be configured with the same working rate and
duplex mode so that both Eth-Trunks have the same key and join the same E-Trunk.
After the Eth-Trunks are added to the E-Trunk, both PEs must contain the LACP system
priorities and IDs. The interfaces connecting the CE to PE1 and PE2 must be added to
the same Eth-Trunk. The Eth-Trunk on the CE can have a different ID from that of the
PEs. For example, the CE is configured with Eth-Trunk 1, and both PEs are configured
with Eth-Trunk 10.
l To ensure Layer 3 connectivity, the IP address of the local PE must be the same as the
local address of the remote PE and the IP address of the remote PE must be the same as
the remote address of the local PE. Therefore, it is recommended that the addresses of
the PEs are configured as loopback interface addresses.
l The E-Trunk must be bound to a BFD session.
l The two PEs must be configured with the same security key.
3.3 Applications
Core
Network
PE-AGG
Eth-Trunk 1
UPE
…… ……
VoIP DATA
IPTV
If devices at both ends of the Eth-Trunk support LACP, LACP mode is recommended;
otherwise, you must use manual mode.
QoS can be implemented on an Eth-Trunk as a common interface. This allows for traffic
shaping, congestion management, and congestion avoidance on outgoing traffic at both ends
(UPE and PE-AGG) of Eth-Trunk 1, ensuring that high-priority packets are sent promptly.
Figure 3-14 Switches connected across a transmission device through link aggregation
Transmission
device
Transmission
device
Transmission Transmission
device device
Access Access
site 1 site 3
Transmission
device
Access
site 2
Different models of network adapters use different link aggregation configurations. See the corresponding
network adapter operation guide for more information.
Network
Eth-Trunk 1
Network
CSS
VLAN 2 VLAN 3
PE1
Eth-Trunk10
Eth-Trunk20
E-Trunk1 Internet
CE1
Eth-Trunk10 PE2
Loopback1
Switches Directly Connected Through Link Perform either of these two operations:
Aggregation l 3.7.1 Configuring Link Aggregation in
Manual Mode
l 3.7.2 Configuring Link Aggregation in
LACP Mode
Scenario Task
License Support
Ethernet link aggregation is a basic feature of a switch and is not under license control.
Version Support
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
Switches Connected Across a Transmission l The switches at both ends must use link
Device Through Link Aggregation aggregation in LACP mode.
l The transmission device between
switches must be configured to
transparently transmit LACPDUs.
Switches Are Connected Through Inter-card Interfaces on different cards of a switch can
Link Aggregation join the same Eth-Trunk, that is, inter-card
Eth-Trunk. Interfaces on cards without Eth-
Trunk specification extension can constitute
an inter-card Eth-Trunk. Before interfaces
on a card with Eth-Trunk specification
extension and interfaces on another card
constitute an inter-card Eth-Trunk, use the
eth-trunk load-balance hash-mode
command to configure the hash mode for
the card with Eth-Trunk specification
extension.
l When interfaces on different cards with
Eth-Trunk specification extension form
an Eth-Trunk, ensure that the cards use
the same hash mode.
l When interfaces on the card with Eth-
Trunk specification extension form an
Eth-Trunk with interfaces on the card
without Eth-Trunk specification
extension, configure the normal hash
mode on the card with Eth-Trunk
specification extension.
In earlier versions of V200R010C00, only X
series cards among cards with Eth-Trunk
specification extension support the hash
mode configuration. The hash mode on
other cards with Eth-Trunk specification
extension has a fixed value of advance. In
V200R010C00 and later versions, interfaces
on only X series cards among cards with
Eth-Trunk specification extension can form
Eth-Trunks with interfaces on cards without
Eth-Trunk specification extension.
Interfaces on other cards with Eth-Trunk
specification extension cannot form Eth-
Trunks with interfaces on cards without Eth-
Trunk specification extension.
In V200R010C00 and later versions, cards
with Eth-Trunk specification extension
support the hash mode configuration. When
the hash mode on a card with Eth-Trunk
specification extension is set to normal,
interfaces on the card with Eth-Trunk
specification extension can form an Eth-
Trunk with interfaces on the card without
Eth-Trunk specification extension.
3.7.1.1 (Optional) Setting the Maximum Number of LAGs and the Maximum
Number of Member Interfaces in Each LAG
Context
A switch supports a fixed maximum number of LAGs and a fixed maximum number of
member interfaces in each LAG. When a chassis switch is only equipped with the following
cards, you can run the assign trunk command to set the maximum number of LAGs and the
maximum number of member interfaces in each LAG. This implements flexible networking
and meets requirements of various services:
l The FC-series, SC-series, the EE card of the E series, and X1E-series cards that using
advanced hash mode on the S7700.
l The EH1D2X48SEC0, FC-series, SC-series, the EE card of the E series, and X1E-series
cards that using advanced hash mode on the S9700.
Cards are classified into low-specification cards and high-specification cards depending on
the support for Eth-Trunk specification extension. The card that supports Eth-Trunk
specification extension is called high-specification card, and the card that does not support
Eth-Trunk specification extension is called low-specification card. The X1E card using the
advanced hash mode can be considered as a high-specification card, and the X1E card using
the normal hash mode can be considered as a low-specification card. The X1E card using the
normal hash mode does not support Eth-Trunk specification extension. For details about the
hash mode, see eth-trunk load-balance hash-mode.
Procedure
Step 1 Run:
system-view
The maximum number of LAGs and the maximum number of member interfaces in each
LAG are set.
By default, the device supports a maximum of 128 LAGs and 8 member interfaces in each
LAG. member-number can be 2, 4, 8, 16, or 32, and member-number multiplied by group-
number cannot exceed 2048.
l When this command is used to change Eth-Trunk specifications on a switch of
V200R003, V200R005, or V200R006, you need to restart the switch to make the
configuration take effect.
l When this command is used to change Eth-Trunk specifications on a switch of
V200R007 or later, you need to save the configuration restart the switch to make the
configuration take effect.
l When this command is used to change Eth-Trunk specifications, there is no buildrun
information on the switch. You can run the display trunk configuration command to
check the configuration.
l When the switch is configured with all high-specification cards, this command takes
effect. When a low-specification card is installed on this switch, the index of the Eth-
Trunk cannot be larger than 127. If the index of the Eth-Trunk is larger than 127, the
low-specification card fails to be registered and the switch generates the alarm
L2IFPPI_1.3.6.1.4.1.2011.5.25.219.2.2.13_hwBoardPowerOff.
NOTE
You can run the display reset-reason command to check the registration failure cause. The system
displays the message "This LPU only supports the trunks with index 127 or smaller than 127." If
the low-specification card must be used, you must delete the Eth-Trunk with the index larger than
127.
The index is the internal number that the switch allocates to each Eth-Trunk, and is different from
the Eth-Trunk ID. If the configured number of Eth-Trunks supported by the switch is larger than
128 and many Eth-Trunks are created on the switch, the index larger than 127 may be occupied.
The low-specification card can only use the index of 127 or smaller, the system checks the index
and limits its registration. If the non-registered low-specification card is reserved, this card cannot
be registered even if the switch restarts.
l If incoming traffic enters the Eth-Trunk on the low-specification card (excluding X1E
series cards), outgoing traffic goes out of the Eth-Trunk on the high-specification card,
and the Eth-Trunk on the high-specification card has more than eight member interfaces,
traffic may be unevenly load balanced on the Eth-Trunk of the high-specification card
and known unicast traffic can be only sent out from the eight Eth-Trunk member
interfaces.
l On the switch used as the WLAN AC, when the X1E card is deployed at the user side
and connects to downstream APs through an inter-card Eth-Trunk, if the the X1E card is
used at the network side, the number of used Eth-Trunks cannot reach the value specified
by this command and the minimum of used Eth-Trunks may be half of the value
specified by this command.
l If you use this command to modify Eth-Trunk specifications, the existing Eth-Trunk
configuration will be invalid or lost. Exercise caution when you run this command.
– When the configured Eth-Trunk specifications are reduced and the Eth-Trunks that
exceed the specifications are configured, the configuration of excess Eth-Trunks is
invalid.
– When the configured value of group-number is larger than 128 or the configured
value of member-number is larger than 16, the switch can only use the enhanced
mode to load balance known unicast packets. The common mode is invalid for the
known unicast packets.
l The assign trunk command fails to be executed on the device enabled with SVF.
----End
Context
Each LAG corresponds to an Eth-Trunk. Before configuring link aggregation, create an Eth-
Trunk.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface eth-trunk trunk-id
If the device is equipped with cards specified in the assign trunk command, you can run the
assign trunk command to set the maximum number of LAGs and the maximum number of
member interfaces in each LAG and run the display trunk configuration command to view
the configuration.
If the specified Eth-Trunk already exists, this command directly displays the Eth-Trunk
interface view.
----End
Context
Link aggregation can work in manual load balancing mode and LACP mode.
In manual load balancing mode, you must manually create an Eth-Trunk and add member
interfaces to the Eth-Trunk. All active links forward data and evenly load balance traffic. The
manual load balancing mode is used when the peer device does not support LACP.
If an Eth-Trunk interface has member interfaces, you can switch the Eth-Trunk interface's
working mode between manual mode and LACP mode. However, if the Eth-Trunk interface is
added to an E-Trunk, you cannot change its working mode.
To delete existing member interfaces, run the undo eth-trunk command in the interface view
or the undo trunkport interface-type interface-number command in the Eth-Trunk interface
view.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface eth-trunk trunk-id
Step 3 Run:
mode manual load-balance
Before configuring an Eth-Trunk, ensure that both ends use the same Eth-Trunk mode. If the
local end works in manual load balancing mode, the remote end must use the manual mode.
NOTE
When configuring an Eth-Trunk on the EH1D2S24CEA0 card of the S9700, do not configure the Eth-
Trunk to work in manual mode.
----End
Context
Before adding member interfaces to an Eth-Trunk, see 3.5 Configuration Notes for
information about configuration notes.
You can add member interfaces to an Eth-Trunk in the Eth-Trunk interface view or member
interface view.
Interfaces on different cards of the switch can join the same Eth-Trunk. A hash mode of the
XlE card needs to be configured when interfaces on the X1E card form an Eth-Trunk with
interfaces on another card:
l Ensure that cards use the same hash mode. If interfaces on the X1E card form an Eth-
Trunk with interfaces on another card, the hash mode on the X1E card cannot be
changed. To change the hash mode, first remove interfaces on the X1E card from the
Eth-Trunk.
l When interfaces on the X1E card form an Eth-Trunk with interfaces on another high-
specification card except the X1E card, use advanced hash mode.
l When interfaces on the X1E card form an Eth-Trunk with interfaces on another low-
specification card, use normal hash mode.
NOTE
On the X1E card, if the index of the Eth-Trunk is larger than 127 or the Eth-Trunk has more than eight
member interfaces (see display trunk index-map), the hash mode cannot be changed to normal.
High-specification cards are as follows:
l The FC-series, SC-series, the EE card of the E series, and X1E-series cards that using advanced
hash mode on the S7700.
l The EH1D2X48SEC0, FC-series, SC-series, the EE card of the E series, and X1E-series cards that
using advanced hash mode on the S9700.
Figure 3-19 Recommended deployment mode (when the member interfaces of multiple Eth-
Trunks are deployed on different cards)
0 2 4 ...
Slot 1 ...
1 3 5 ...
0 2 4 ...
Slot 2 ...
1 3 5 ...
Figure 3-20 Deployment mode that is not recommended (when the member interfaces of
multiple Eth-Trunks are deployed on different cards)
0 2 4 ...
Slot 1 ...
1 3 5 ...
Eth-Trunk1
0 2 4 ...
... Eth-Trunk3
Slot 2
1 3 5 ...
Eth-Trunk2
0 2 4 ...
Slot 3 ...
1 3 5 ...
Procedure
l Add member interfaces to an Eth-Trunk in the Eth-Trunk interface view.
a. Run:
system-view
A hash mode of the X1E card is configured so that interfaces on the X1E card can
form an Eth-Trunk with interfaces on another card.
c. Run:
interface eth-trunk trunk-id
NOTE
When you add member interfaces to an Eth-Trunk in a batch, if one interface cannot be
added to the Eth-Trunk, any subsequent interfaces in the batch will also not be added to the
Eth-Trunk.
l Add member interfaces to an Eth-Trunk in the member interface view.
a. Run:
system-view
b. (Optional) Run:
eth-trunk load-balance hash-mode { advanced | normal } slot slot-id
A hash mode of the X1E card is configured so that interfaces on the X1E card can
form an Eth-Trunk with interfaces on another card.
c. Run:
interface interface-type interface-number
3.7.1.5 (Optional) Setting the Lower Threshold for the Number of Active
Interfaces
Context
The lower threshold for the number of active interfaces affects the status and bandwidth of an
Eth-Trunk. To ensure that the Eth-Trunk functions properly and is resistant to member link
status changes, set the lower threshold for the number of active interfaces appropriately.
When the number of active interfaces falls below the lower threshold, the Eth-Trunk goes
Down. This ensures that an active Eth-Trunk has the minimum required bandwidth.
The upper threshold for the number of active interfaces does not apply to the manual mode.
Procedure
Step 1 Run:
system-view
----End
Context
An Eth-Trunk uses flow-based load balancing. Flow-based load balancing ensures that frames
of the same data flow are forwarded on the same physical link. Different data flows are
forwarded on different physical links to balance the network load.
You can configure a common load balancing mode in which IP addresses or MAC addresses
of packets are used to load balance packets; you can also configure an enhanced load
balancing mode for Layer 2 packets, IP packets, and MPLS packets.
Load balancing is valid only for outgoing traffic; therefore, the load balancing modes for the
interfaces at both ends of the link can be different without affecting each other.
When more than 128 Eth-Trunks or 16 member interfaces are configured using the assign
trunk { trunk-group group-number | trunk-member member-number }* command, only the
enhanced mode can be used for load balancing. If the enhanced mode is not used, problems
such as packet loss and uneven load balancing may occur.
NOTE
SA series cards do not support the enhanced load balancing mode. SA series cards still use the common
load balancing mode even if enhanced load balancing is configured.
Procedure
l Configure a common load balancing mode.
a. Run:
system-view
A load balancing profile is created and its view is displayed. Only one load
balancing profile can be created.
c. Run the following commands as required. You can configure load balancing modes
for Layer 2 packets, IPv4 packets, IPv6 packets, and MPLS packets respectively.
n Run:
l2 field [ dmac | l2-protocol | smac | sport | vlan ] *
In an S9706, S9712, S7706, or S7712 CSS, the CSS links use the profile configured by
the load-balance-profile command to load balance traffic. If no profile for enhanced
load balancing is created, the CSS links use the default enhanced load balancing mode.
If traffic is not evenly distributed on the CSS links, some links may be congested and
packets may be dropped. To prevent this problem, it is recommended that you choose
multiple keywords in the mpls field, l2 field, ipv4 field, and ipv6 field commands
when configuring load balancing modes for various packets.
d. Run:
quit
----End
Procedure
l Run the display eth-trunk [ trunk-id [ interface interface-type interface-number |
verbose ] ] command to check the Eth-Trunk configuration.
l Run the display trunkmembership eth-trunk trunk-id command to check information
about Eth-Trunk member interfaces.
l Run the display eth-trunk [ trunk-id ] load-balance command to check the load
balancing mode of the Eth-Trunk.
l Run the display load-balance-profile [ profile-name ] command to check the load
balancing profile of the Eth-Trunk.
l Run the display trunk configuration command to check the maximum number of
LAGs and the maximum number of member interfaces in each LAG.
----End
3.7.2.1 (Optional) Setting the Maximum Number of LAGs and the Maximum
Number of Member Interfaces in Each LAG
Context
A switch supports a fixed maximum number of LAGs and a fixed maximum number of
member interfaces in each LAG. When a chassis switch is only equipped with the following
cards, you can run the assign trunk command to set the maximum number of LAGs and the
maximum number of member interfaces in each LAG. This implements flexible networking
and meets requirements of various services:
l The FC-series, SC-series, the EE card of the E series, and X1E-series cards that using
advanced hash mode on the S7700.
l The EH1D2X48SEC0, FC-series, SC-series, the EE card of the E series, and X1E-series
cards that using advanced hash mode on the S9700.
Cards are classified into low-specification cards and high-specification cards depending on
the support for Eth-Trunk specification extension. The card that supports Eth-Trunk
specification extension is called high-specification card, and the card that does not support
Eth-Trunk specification extension is called low-specification card. The X1E card using the
advanced hash mode can be considered as a high-specification card, and the X1E card using
the normal hash mode can be considered as a low-specification card. The X1E card using the
normal hash mode does not support Eth-Trunk specification extension. For details about the
hash mode, see eth-trunk load-balance hash-mode.
Procedure
Step 1 Run:
system-view
Step 2 Run:
assign trunk { trunk-group group-number | trunk-member member-number }*
The maximum number of LAGs and the maximum number of member interfaces in each
LAG are set.
By default, the device supports a maximum of 128 LAGs and 8 member interfaces in each
LAG. member-number can be 2, 4, 8, 16, or 32, and member-number multiplied by group-
number cannot exceed 2048.
NOTE
You can run the display reset-reason command to check the registration failure cause. The system
displays the message "This LPU only supports the trunks with index 127 or smaller than 127." If
the low-specification card must be used, you must delete the Eth-Trunk with the index larger than
127.
The index is the internal number that the switch allocates to each Eth-Trunk, and is different from
the Eth-Trunk ID. If the configured number of Eth-Trunks supported by the switch is larger than
128 and many Eth-Trunks are created on the switch, the index larger than 127 may be occupied.
The low-specification card can only use the index of 127 or smaller, the system checks the index
and limits its registration. If the non-registered low-specification card is reserved, this card cannot
be registered even if the switch restarts.
l If incoming traffic enters the Eth-Trunk on the low-specification card (excluding X1E
series cards), outgoing traffic goes out of the Eth-Trunk on the high-specification card,
and the Eth-Trunk on the high-specification card has more than eight member interfaces,
traffic may be unevenly load balanced on the Eth-Trunk of the high-specification card
and known unicast traffic can be only sent out from the eight Eth-Trunk member
interfaces.
l On the switch used as the WLAN AC, when the X1E card is deployed at the user side
and connects to downstream APs through an inter-card Eth-Trunk, if the the X1E card is
used at the network side, the number of used Eth-Trunks cannot reach the value specified
by this command and the minimum of used Eth-Trunks may be half of the value
specified by this command.
l If you use this command to modify Eth-Trunk specifications, the existing Eth-Trunk
configuration will be invalid or lost. Exercise caution when you run this command.
– When the configured Eth-Trunk specifications are reduced and the Eth-Trunks that
exceed the specifications are configured, the configuration of excess Eth-Trunks is
invalid.
– When the configured value of group-number is larger than 128 or the configured
value of member-number is larger than 16, the switch can only use the enhanced
mode to load balance known unicast packets. The common mode is invalid for the
known unicast packets.
l The assign trunk command fails to be executed on the device enabled with SVF.
----End
Context
Each LAG corresponds to an Eth-Trunk. Before configuring link aggregation, create an Eth-
Trunk.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface eth-trunk trunk-id
If the device is equipped with cards specified in the assign trunk command, you can run the
assign trunk command to set the maximum number of LAGs and the maximum number of
member interfaces in each LAG and run the display trunk configuration command to view
the configuration.
If the specified Eth-Trunk already exists, this command directly displays the Eth-Trunk
interface view.
----End
Context
Link aggregation can work in manual mode or LACP mode.
In LACP mode, you must manually create an Eth-Trunk and add member interfaces to the
Eth-Trunk. LACP then determines active interfaces through negotiation.
If an Eth-Trunk interface has member interfaces, you can switch the Eth-Trunk interface's
working mode between manual mode and LACP mode. However, if the Eth-Trunk interface is
added to an E-Trunk, you cannot change its working mode.
To delete existing member interfaces, run the undo eth-trunk command in the interface view
or the undo trunkport interface-type interface-number command in the Eth-Trunk interface
view.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface eth-trunk trunk-id
Step 3 Run:
mode lacp
Before configuring an Eth-Trunk, ensure that both ends use the same Eth-Trunk mode. If the
local end works in LACP mode, the remote end must use the LACP mode.
----End
Context
Before adding member interfaces to an Eth-Trunk, see 3.5 Configuration Notes for
information about configuration notes.
You can add member interfaces to an Eth-Trunk in the Eth-Trunk interface view or member
interface view.
Interfaces on different cards of the switch can join the same Eth-Trunk. A hash mode of the
XlE card needs to be configured when interfaces on the X1E card form an Eth-Trunk with
interfaces on another card:
l Ensure that cards use the same hash mode. If interfaces on the X1E card form an Eth-
Trunk with interfaces on another card, the hash mode on the X1E card cannot be
changed. To change the hash mode, first remove interfaces on the X1E card from the
Eth-Trunk.
l When interfaces on the X1E card form an Eth-Trunk with interfaces on another high-
specification card except the X1E card, use advanced hash mode.
l When interfaces on the X1E card form an Eth-Trunk with interfaces on another low-
specification card, use normal hash mode.
NOTE
On the X1E card, if the index of the Eth-Trunk is larger than 127 or the Eth-Trunk has more than eight
member interfaces (see display trunk index-map), the hash mode cannot be changed to normal.
High-specification cards are as follows:
l The FC-series, SC-series, the EE card of the E series, and X1E-series cards that using advanced
hash mode on the S7700.
l The EH1D2X48SEC0, FC-series, SC-series, the EE card of the E series, and X1E-series cards that
using advanced hash mode on the S9700.
Figure 3-21 Recommended deployment mode (when the member interfaces of multiple Eth-
Trunks are deployed on different cards)
0 2 4 ...
Slot 1 ...
1 3 5 ...
0 2 4 ...
Slot 2 ...
1 3 5 ...
Figure 3-22 Deployment mode that is not recommended (when the member interfaces of
multiple Eth-Trunks are deployed on different cards)
0 2 4 ...
Slot 1 ...
1 3 5 ...
Eth-Trunk1
0 2 4 ...
... Eth-Trunk3
Slot 2
1 3 5 ...
Eth-Trunk2
0 2 4 ...
Slot 3 ...
1 3 5 ...
Procedure
l Add member interfaces to an Eth-Trunk in the Eth-Trunk interface view.
a. Run:
system-view
A hash mode of the X1E card is configured so that interfaces on the X1E card can
form an Eth-Trunk with interfaces on another card.
c. Run:
interface eth-trunk trunk-id
NOTE
When you add member interfaces to an Eth-Trunk in a batch, if one interface cannot be
added to the Eth-Trunk, any subsequent interfaces in the batch will also not be added to the
Eth-Trunk.
l Add member interfaces to an Eth-Trunk in the member interface view.
a. Run:
system-view
b. (Optional) Run:
eth-trunk load-balance hash-mode { advanced | normal } slot slot-id
A hash mode of the X1E card is configured so that interfaces on the X1E card can
form an Eth-Trunk with interfaces on another card.
c. Run:
interface interface-type interface-number
3.7.2.5 (Optional) Setting the Upper and Lower Thresholds for the Number of
Active Interfaces
Context
The number of Up member links affects the status and bandwidth of an Eth-Trunk. To ensure
that the Eth-Trunk functions properly and is resistant to member link status changes, set the
following thresholds for the number of active interfaces:
l Lower threshold: When the number of active interfaces falls below this threshold, the
Eth-Trunk goes Down. This ensures that an active Eth-Trunk has the minimum required
bandwidth.
l Upper threshold: Used for improving network reliability with stable bandwidth. When
the number of active interfaces reaches this threshold, you can add new member
interfaces to the Eth-Trunk, but excess member interfaces only go Up to back up active
interfaces that go Down.
Procedure
Step 1 Run:
system-view
Step 3 Run:
least active-linknumber link-number
----End
Context
An Eth-Trunk uses flow-based load balancing. Flow-based load balancing ensures that frames
of the same data flow are forwarded on the same physical link. Different data flows are
forwarded on different physical links to balance the network load.
You can configure a common load balancing mode in which IP addresses or MAC addresses
of packets are used to load balance packets; you can also configure an enhanced load
balancing mode for Layer 2 packets, IP packets, and MPLS packets.
Load balancing is valid only for outgoing traffic; therefore, the load balancing modes for the
interfaces at both ends of the link can be different without affecting each other.
When more than 128 Eth-Trunks or 16 member interfaces are configured using the assign
trunk { trunk-group group-number | trunk-member member-number }* command, only the
enhanced mode can be used for load balancing. If the enhanced mode is not used, problems
such as packet loss and uneven load balancing may occur.
NOTE
SA series cards do not support the enhanced load balancing mode. SA series cards still use the common
load balancing mode even if enhanced load balancing is configured.
Procedure
l Configure a common load balancing mode.
a. Run:
system-view
A load balancing profile is created and its view is displayed. Only one load
balancing profile can be created.
c. Run the following commands as required. You can configure load balancing modes
for Layer 2 packets, IPv4 packets, IPv6 packets, and MPLS packets respectively.
n Run:
l2 field [ dmac | l2-protocol | smac | sport | vlan ] *
In an S9706, S9712, S7706, or S7712 CSS, the CSS links use the profile configured by
the load-balance-profile command to load balance traffic. If no profile for enhanced
load balancing is created, the CSS links use the default enhanced load balancing mode.
If traffic is not evenly distributed on the CSS links, some links may be congested and
packets may be dropped. To prevent this problem, it is recommended that you choose
multiple keywords in the mpls field, l2 field, ipv4 field, and ipv6 field commands
when configuring load balancing modes for various packets.
d. Run:
quit
----End
Context
LACP system priority differentiates priorities of devices at both ends. In LACP mode, active
interfaces selected by devices at both ends must be consistent; otherwise, the LAG cannot be
set up. To keep active interfaces consistent at both ends, you can set the priority of one device
to be higher than the other device. The device with a lower priority will select active
interfaces based on those selected by the device with a higher priority.
Procedure
Step 1 Run:
system-view
Step 2 Run:
lacp priority priority
A smaller priority value indicates a higher LACP priority. By default, the LACP priority is
32768.
The device with a smaller priority value functions as the Actor. If both devices have the same
priority, the device with a smaller MAC address functions as the Actor.
----End
Context
In LACP mode, LACP interface priorities are set to prioritize interfaces of the same device.
Interfaces with higher priorities are selected as active interfaces.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
lacp priority priority
By default, the LACP interface priority is 32768. A smaller priority value indicates a higher
LACP priority.
By default, the system selects active interfaces based on interface priorities. However, low-
speed member interfaces with high priorities may be selected as active interfaces. To select
high-speed member interfaces as active interfaces, run the lacp selected { priority | speed }
command to configure the system to select active interfaces based on the interface rate.
----End
Context
The LACP preemption function ensures that the interface with the highest LACP priority
always functions as an active interface. For example, the interface with the highest priority
becomes inactive due to a fault. If LACP preemption is enabled, the interface becomes active
again after it recovers; if LACP preemption is disabled, the interface cannot become active
interface after it recovers.
The LACP preemption delay is the period after which an inactive interface switches to active.
The LACP preemption delay prevents unstable data transmission on an Eth-Trunk link due to
frequent link status changes.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface eth-trunk trunk-id
Step 3 Run:
lacp preempt enable
Step 4 Run:
lacp preempt delay delay-time
By default, the LACP preemption delay is 30 seconds. If both devices of an Eth-Trunk use
different preemption delays, the longer preemption delay is used.
----End
Context
If the Eth-Trunk on the local device cannot detect a self-loop or fault that occurred on a
member interface in the LAG on the remote device, data on the local device will still be load
balanced among the active interfaces. As a result, data traffic on the faulty link is discarded.
After the timeout interval at which LACPDUs are received is set, if a local member interface
does not receive any LACPDUs within the configured timeout interval, the local member
interface becomes Down.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface eth-trunk trunk-id
Step 3 Run:
lacp timeout { fast [ user-defined user-defined ] | slow }
l After you run the lacp timeout command, the local end notifies the remote end of the
timeout interval by sending LACPDUs. When fast is specified, the interval for sending
LACPDUs is 1 second. When slow is specified, the interval for sending LACPDUs is 30
seconds.
l The timeout interval for receiving LACPDUs is three times the interval for sending
LACPDUs. When fast is specified, the timeout interval for receiving LACPDUs is 3
seconds. When slow is specified, the timeout interval for receiving LACPDUs is 90
seconds.
l You can use different timeout intervals at both ends. However, to facilitate maintenance,
you are advised to use the same timeout interval at both ends.
l Each member interface in an Eth-Trunk processes a maximum of 20 LACPDUs every
second; a card on a switch processes a maximum of 50 LACPDUs every second. Extra
LACPDUs are discarded.
----End
Procedure
l Run the display eth-trunk [ trunk-id [ interface interface-type interface-number |
verbose ] ] command to check the Eth-Trunk configuration.
l Run the display trunkmembership eth-trunk trunk-id command to check information
about Eth-Trunk member interfaces.
l Run the display eth-trunk [ trunk-id ] load-balance command to check the load
balancing mode of the Eth-Trunk.
l Run the display load-balance-profile [ profile-name ] command to check the load
balancing profile of the Eth-Trunk.
l Run the display trunk configuration command to check the maximum number of
LAGs and the maximum number of member interfaces in each LAG.
----End
Context
You can configure an Eth-Trunk to preferentially forward local traffic (or not) according to
the following guidelines:
l If active interfaces in the local Eth-Trunk have sufficient bandwidth to forward traffic on
the local device, configure the Eth-Trunk to preferentially forward local traffic. This
improves traffic forwarding efficiency and increases bandwidth use efficiency between
devices in the CSS.
l If active interfaces in the local Eth-Trunk do not have sufficient bandwidth to forward
traffic on the local device, do not configure the Eth-Trunk to preferentially forward local
traffic. A portion of the traffic on the local device is then forwarded through member
interfaces of an Eth-Trunk on another device, preventing packet loss.
NOTE
Pre-configuration Tasks
Before configuring an Eth-Trunk to preferentially forward local traffic, complete the
following tasks:
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface eth-trunk trunk-id
Step 3 Run:
local-preference enable
NOTE
This function is only valid for known unicast packets, and does not work with unknown unicast packets,
broadcast packets, and multicast packets.
----End
Context
If Layer 2 switching devices belong to different VLANs, and hosts in the VLANs need to
communicate with each other, you need to create sub-interfaces on the Eth-Trunk connecting
a Layer 3 device to a Layer 2 switching device, bind a VLAN to each sub-interface, and
configure an IP address for each sub-interface.
After the configuration is complete, hosts in the VLANs can use these sub-interfaces to
communicate with each other. Eth-Trunk sub-interfaces can be configured to terminate Dot1q
and QinQ VLAN tags.
After Layer 2 Eth-Trunk sub-interfaces are configured, the Eth-Trunk provides Layer 2
functions and the sub-interfaces provide Layer 3 functions.
VPLS/MPLS/IP
PE1 PE2
Eth-Trunk
Sub-interface
Eth-Trunk
CE1 CE2
S1 S2 S3 S4
VLAN VLAN
Procedure
Step 1 Run:
system-view
NOTE
Only E series, X1E series, F series, and SC series cards on the S7700&S9700 support Eth-Trunk sub-
interfaces. For details about the cards, see the Hardware Description
Eth-Trunk sub-interfaces can only be configured on the Layer 3 interface, hybrid interface, and trunk
interface.
Step 5 Run:
ip address ip-address { mask | mask-length } [ sub ]
----End
Context
In an E-Trunk, the two PEs must be configured with the same LACP system ID and priority
so that the CE considers the two PEs as one device.
Procedure
Step 1 Run:
system-view
Step 2 Run:
lacp e-trunk system-id mac-address
By default, the MAC address of an Ethernet interface on the MPU is used as the LACP
system ID.
The master and backup devices in an E-Trunk must use the same LACP system ID.
Step 3 Run:
lacp e-trunk priority priority
The master and backup devices in an E-Trunk must use the same LACP priority.
----End
Context
The E-Trunk priority determines whether an E-Trunk member device is the master or backup
device.
Procedure
Step 1 Run:
system-view
Step 2 Run:
e-trunk e-trunk-id
An E-Trunk is created and the E-Trunk view is displayed or the view of an existing E-Trunk
view is directly displayed.
The member devices in an E-Trunk must be configured with the same E-Trunk ID.
Step 3 Run:
priority priority
The E-Trunk priority is used for master/backup negotiation between two devices. The device
with a higher priority is the master. A smaller E-Trunk priority value indicates a higher E-
Trunk priority.
If the two devices have the same priority, the device with a smaller system ID is the master.
----End
Context
E-Trunk packets are sent with the source IP address and protocol port number configured on
the local device. When you change the local or remote IP address on a device, you must
change the corresponding address on the remote device. Otherwise, protocol packets will be
discarded.
Procedure
Step 1 Run:
system-view
----End
Context
When the local device of an E-Trunk cannot promptly detect whether the remote device is
faulty by sending E-Trunk packets, it can instead use the Bidirectional Fast Detection (BFD)
protocol. You need to specify the remote IP address on the local device and create a BFD
session to check the reachability of the route to the remote device. The E-Trunk then can
detect faults reported by the BFD session and the device can handle the faults quickly.
Procedure
Step 1 Run:
system-view
----End
Context
After an E-Trunk is configured, you can add Eth-Trunks to it.
Procedure
Step 1 Run:
system-view
----End
Context
You can configure the working mode for only the Eth-Trunks that have been added to an E-
Trunk. The working mode of an Eth-Trunk can be automatic, forced master, or forced backup.
Procedure
Step 1 Run:
system-view
NOTE
While the E-Trunk is running, changing the hello packet sending interval or timeout interval will cause the E-
Trunk to alternate between the master and the backup. Before changing the hello packet sending interval or
timeout interval, you are advised to configure member Eth-Trunks to work in forced master/backup state.
After the new configuration takes effect, restore the working mode to auto.
----End
Context
You can set a password for encrypting E-Trunk packets transmitted over an E-Trunk link to
improve system security. The two member devices of an E-Trunk must use the same
password.
Procedure
Step 1 Run:
system-view
NOTICE
If simple is specified, the password is saved in plaintext in the configuration file. In this case,
other users can obtain the password by querying the configuration file, which poses a security
risk. You are advised to specify cipher so that the password is saved in ciphertext.
To ensure device security, change the password frequently.
----End
Context
If the backup device in an E-Trunk does not receive any hello packet from the master device
within the timeout interval, the backup device becomes the master. The timeout interval is the
one specified in the hello packets sent by the remote device, not the timeout interval
configured on the local device.
NOTE
While the E-Trunk is running, changing the hello packet sending interval or timeout interval will cause the E-
Trunk to alternate between the master and the backup. Before changing the hello packet sending interval or
timeout interval, you are advised to configure member Eth-Trunks to work in forced master/backup state.
After the new configuration takes effect, restore the working mode to auto.
Procedure
Step 1 Run:
system-view
----End
Context
In a scenario where an E-Trunk works with other services, a member Eth-Trunk may be
restored earlier than other services after the faulty master device recovers. If traffic is
immediately switched back to the master device, service traffic will be interrupted.
Setting the revertive switching delay prevents this problem. After the revertive switching
delay is set, the local Eth-Trunk becomes Up only after the delay expires. Then the local
device becomes the master again.
Procedure
Step 1 Run:
system-view
----End
Context
You can disable revertive switching on an E-Trunk to prevent traffic from being discarded
when a faulty master device recovers and takes over services.
Procedure
Step 1 Run:
system-view
Step 3 Run:
revert disable
----End
Procedure
l Run the display e-trunk e-trunk-id command to check E-Trunk information.
----End
Displaying inbound and 1. Run the system-view command to enter the system view.
outbound interfaces of 2. Run the collect forward-path sip source-ip-address dip
specified flows destination-ip-address [ sport source-port dport
destination-port [ protocol { protocol-number | gre | icmp |
igmp | ip | ipinip | ospf | tcp | udp } ] ] { ingress | egress |
both } [ interval interval-time ] command to configure the
device to collect inbound and outbound interfaces and
traffic information about packets with 5-tuple information.
3. Run the display forward-path command to check
information about collected packets with 5-tuple
information by the collect forward-path command and the
report ID by the display forward-path report report-id.
4. Run the display forward-path report report-id command
to check the inbound and outbound interfaces of packets
with 5-tuple information and statistics.
NOTE
You can run the display forward-path command to view report-
id.
Displaying the Eth-Trunk Run the display eth-trunk [ trunk-id [ interface interface-type
configuration interface-number | verbose ] ] command to check the Eth-
Trunk configuration.
Displaying the Eth-Trunk Run the display interface eth-trunk [ trunk-id ] command.
status
Displaying statistics on Run the display lacp statistics eth-trunk [ trunk-id [ interface
received and sent interface-type interface-number ] ] command.
LACPDUs in LACP
mode
Clearing LACPDU Run the reset lacp statistics eth-trunk [ trunk-id [ interface
statistics interface-type interface-number ] ] command in the user view.
NOTICE
The cleared LACPDU
statistics cannot be
restored.
Networking Requirements
In Figure 3-24, SwitchA and SwitchB connect to devices in VLAN 10 and VLAN 20 through
Ethernet links, and heavy traffic is transmitted between SwitchA and SwitchB.
The customer hopes that SwitchA and SwitchB can provide increased link bandwidth to
enable inter-VLAN communication. They also want redundancy and to ensure quality data
transmission and link reliability.
VLAN10 VLAN10
VLAN20 VLAN20
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk and add member interfaces to the Eth-Trunk to increase link
bandwidth.
2. Create VLANs and add interfaces to the VLANs.
3. Configure a load balancing mode to ensure that traffic is load balanced among Eth-Trunk
member interfaces.
Procedure
Step 1 Create an Eth-Trunk on SwitchA and SwitchB, and add member interfaces to the Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 1/0/1 to 1/0/3
[SwitchA-Eth-Trunk1] quit
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] interface eth-trunk 1
[SwitchB-Eth-Trunk1] trunkport gigabitethernet 1/0/1 to 1/0/3
[SwitchB-Eth-Trunk1] quit
# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass through. The
configuration for SwitchB is the same as that for SwitchA.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] port link-type trunk
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 10 20
[SwitchA-Eth-Trunk1] quit
Step 3 Configure a load balancing mode for Eth-Trunk 1. The configuration for SwitchB is the same
as that for SwitchA.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] load-balance src-dst-mac
[SwitchA-Eth-Trunk1] quit
The preceding command output shows that Eth-Trunk 1 has three member interfaces:
GigabitEthernet1/0/1, GigabitEthernet1/0/2, and GigabitEthernet1/0/3. The member interfaces
are all in Up state. The Operate status of Eth-Trunk 1 is Up.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
load-balance src-dst-mac
#
interface GigabitEthernet1/0/1
eth-trunk 1
#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 20
#
return
Networking Requirements
In Figure 3-25, SwitchA and SwitchB connect to devices in VLAN 10 and VLAN 20 through
Ethernet links, and heavy traffic is transmitted between SwitchA and SwitchB. The customer
hopes that SwitchA and SwitchB can provide increased link bandwidth to enable inter-VLAN
communication. Link aggregation in LACP mode can be configured on SwitchA and SwitchB
to improve the bandwidth and reliability. The requirements are as follows:
Figure 3-25 Networking diagram for configuring link aggregation in LACP mode
VLAN 10 VLAN 10
VLAN 20 VLAN 20
Active link
Backup link
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk and configure the Eth-Trunk to work in LACP mode to implement
link aggregation.
2. Add member interfaces to the Eth-Trunk.
3. Set the LACP system priority and determine which device is the Actor. The Partner
device selects active interfaces based on the interface priorities of the Actor.
4. Set the upper threshold for the number of active interfaces to improve reliability.
5. Set LACP interface priorities and determine active interfaces so that interfaces with
higher priorities are selected as active interfaces.
6. Create VLANs and add interfaces to the VLANs.
Procedure
Step 1 Create Eth-Trunk 1 on SwitchA and configure Eth-Trunk 1 to work in LACP mode. The
configuration for SwitchB is the same as that for SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] mode lacp
[SwitchA-Eth-Trunk1] quit
Step 2 Add member interfaces to Eth-Trunk 1 on SwitchA. The configuration for SwitchB is the
same as that for SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] eth-trunk 1
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] eth-trunk 1
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] eth-trunk 1
[SwitchA-GigabitEthernet1/0/3] quit
Step 3 Set the system priority on SwitchA to 100 so that SwitchA becomes the Actor.
[SwitchA] lacp priority 100
Step 4 On SwitchA, set the upper threshold for the number of active interfaces to 2.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] max active-linknumber 2
[SwitchA-Eth-Trunk1] quit
Step 5 Set the LACP interface priority and determine active links on SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] lacp priority 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] lacp priority 100
[SwitchA-GigabitEthernet1/0/2] quit
# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass through. The
configuration for SwitchB is the same as that for SwitchA.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] port link-type trunk
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 10 20
[SwitchA-Eth-Trunk1] quit
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey
PortState
GigabitEthernet1/0/1 32768 00e0-fca6-7f85 32768 6145
2609 11111100
GigabitEthernet1/0/2 32768 00e0-fca6-7f85 32768 6146
2609 11111100
GigabitEthernet1/0/3 32768 00e0-fca6-7f85 32768 6147
2609 11110000
[SwitchB] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: LACP
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 32768 System ID: 00e0-fca6-7f85
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo
PortKey PortState Weight
GigabitEthernet1/0/1 Selected 1GE 32768 6145 2609
11111100 1
GigabitEthernet1/0/2 Selected 1GE 32768 6146 2609
11111100 1
GigabitEthernet1/0/3 Unselect 1GE 32768 6147 2609
11100000 1
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo
PortKey PortState
GigabitEthernet1/0/1 100 00e0-fca8-0417 100 6145
2865 11111100
GigabitEthernet1/0/2 100 00e0-fca8-0417 100 6146
2865 11111100
GigabitEthernet1/0/3 100 00e0-fca8-0417 32768 6147
2865 11110000
The preceding information shows that the LACP system priority value of SwitchA is 100,
which means it has a higher LACP system priority than SwitchB. Member interfaces
GigabitEthernet1/0/1 and GigabitEthernet1/0/2 are the active interfaces and are in Selected
state. Interface GigabitEthernet1/0/3 is in Unselect state. Two links are active and work in
load balancing mode, and one link is the backup link.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
lacp priority 100
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
mode lacp
max active-linknumber 2
#
interface GigabitEthernet1/0/1
eth-trunk 1
lacp priority 100
#
interface GigabitEthernet1/0/2
eth-trunk 1
lacp priority 100
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 20
#
return
On the network shown in Figure 3-26, Switch3 and Switch4 are connected through CSS
cables to increase the total capacity. The two switches form one logical switch. To improve
reliability, physical interfaces on the two switches are added to an Eth-Trunk. When the
network runs properly, traffic from VLAN 2 is forwarded through GE1/0/1 and GE1/0/2, and
traffic from VLAN 3 is forwarded through GE1/0/1 and GE1/0/2. This increases bandwidth
use efficiency between devices but reduces traffic forwarding efficiency.
To improve traffic forwarding efficiency, traffic from VLAN 2 should be forwarded through
GE1/0/1 and traffic from VLAN 3 should be forwarded through GE1/0/2. To achieve this
goal, configure the Eth-Trunk to preferentially forward local traffic.
Figure 3-26 Preferentially forwarding traffic through the local member interface
Network
PE
GE1/0/1 GE1/0/2
Eth-Trunk 10
GE1/0/2 GE1/0/2
Switch1
Switch2
GE1/0/1 GE1/0/1
VLAN 2 VLAN 3
CSS cable
VLAN 2 data flow
VLAN 3 data flow
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk.
2. Add member interfaces to the Eth-Trunk.
3. Configure the Eth-Trunk to preferentially forward local traffic.
4. Configure the Layer 2 forwarding function.
Procedure
Step 1 Create an Eth-Trunk and configure the Eth-Trunk to allow packets from all VLANs to pass
through.
Step 3 In the CSS view, configure the Eth-Trunk to preferentially forward local traffic.
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] local-preference enable
[CSS-Eth-Trunk10] quit
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 2
[Switch1-vlan2] quit
[Switch1] interface gigabitethernet 1/0/1
[Switch1-GigabitEthernet1/0/1] port link-type trunk
[Switch1-GigabitEthernet1/0/1] port trunk allow-pass vlan 2
[Switch1-GigabitEthernet1/0/1] quit
[Switch1] interface gigabitethernet 1/0/2
[Switch1-GigabitEthernet1/0/2] port link-type trunk
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan 3
[Switch2-vlan3] quit
[Switch2] interface gigabitethernet 1/0/1
[Switch2-GigabitEthernet1/0/1] port link-type trunk
[Switch2-GigabitEthernet1/0/1] port trunk allow-pass vlan 3
[Switch2-GigabitEthernet1/0/1] quit
[Switch2] interface gigabitethernet 1/0/2
[Switch2-GigabitEthernet1/0/2] port link-type trunk
[Switch2-GigabitEthernet1/0/2] port trunk allow-pass vlan 3
[Switch2-GigabitEthernet1/0/2] quit
----End
Configuration Files
l CSS configuration file
#
sysname CSS
#
vlan batch 2 3
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet1/1/0/3
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet2/1/0/3
port link-type trunk
port trunk allow-pass vlan 3
#
interface GigabitEthernet1/1/0/4
eth-trunk 10
#
interface GigabitEthernet2/1/0/4
eth-trunk 10
#
return
l PE configuration file
#
sysname PE
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/2
eth-trunk 10
#
return
Networking Requirements
If no E-Trunk is configured, a CE can be connected to only one PE using an Eth-Trunk link. If
the Eth-Trunk or PE fails, the CE cannot communicate with the PE. After an E-Trunk is
configured, the CE can be dual homed to PEs, improving link reliability between devices.
In Figure 3-27, CE1 is dual homed to PE1 and PE2 using two Eth-Trunks in LACP mode and
connected to a VPLS network.
CE1 communicates with CE2 on the VPLS network through PE1. If PE1 or the Eth-Trunk
link between CE1 and PE1 fails, CE1 cannot communicate with CE2. To prevent service
interruptions, configure an E-Trunk on PE1 and PE2. When communication between CE1 and
PE1 fails, traffic is switched to PE2 so that CE1 can communicate with CE2 through PE2.
When PE1 or the Eth-Trunk link between CE1 and PE1 recovers, traffic is switched back to
PE1.
The E-Trunk implements backup of LAGs between PE1 and PE2 and improves network
reliability.
PE1
Eth-Trunk10
/1
Eth-Trunk20 1 /0 GE
GE /0/2 1 /0
/1 1 /3 Loopback1
1 /0 GE GE
GE /0/2 1/0
1 / 1
GE PE3
E-Trunk1
GE GE1/0/3
CE1 GE1 1 /0
/3 /2
/0 /
4 GE G E1 / 0 CE2
1 /0 / 0/ 3
GE
1 /0 /1 G E1
/2
Eth-Trunk10
PE2
Loopback1
PE1 GigabitEthernet1/0/1 - -
- GigabitEthernet1/0/2 - -
- Loopback1 - 1.1.1.9/32
PE2 GigabitEthernet1/0/1 - -
- GigabitEthernet1/0/2 - -
- Loopback1 - 2.2.2.9/32
- GigabitEthernet1/0/3 GigabitEthernet1/0/3.1 -
- Loopback1 - 3.3.3.9/32
CE1 GigabitEthernet1/0/1 - -
- GigabitEthernet1/0/2 - -
- GigabitEthernet1/0/3 - -
- GigabitEthernet1/0/4 - -
CE2 GigabitEthernet1/0/3 - -
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an E-Trunk as follows:
– Create Eth-Trunks in LACP mode between CE1 and PE1, and between CE1 and
PE2. Add member interfaces to the Eth-Trunks.
– Create an E-Trunk on PE1 and PE2 and add the two Eth-Trunks to the E-Trunk.
– Set the following parameters of the E-Trunk:
n E-Trunk priority
n LACP system ID and LACP priority
n Interval for sending hello packets
n Time multiplier for detecting hello packets
n IP addresses of the local and remote devices
– Bind the E-Trunk to a BFD session.
2. Configure PEs so that CE1 can access the VPLS network.
– Configure a routing protocol on the backbone network to ensure that devices can
communicate with each other.
– Configure basic MPLS functions and the Label Distribution Protocol (LDP).
– Enable MPLS L2VPN on the PEs.
– Configure a virtual service instance (VSI) and specify LDP as the signaling
protocol.
– Create Eth-Trunk sub-interfaces and bind the VSI to the sub-interfaces.
Procedure
Step 1 Configure VLANs and IP addresses on pseudo wire (PW) side interfaces. Configure a routing
protocol on the backbone network to ensure that devices can communicate with each other.
The OSPF protocol is used in this example.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 100
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] port link-type trunk
[PE1-GigabitEthernet1/0/3] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/3] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] ip address 10.1.1.1 24
[PE1-Vlanif100] quit
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 200
[PE2] interface gigabitethernet 1/0/3
[PE2-GigabitEthernet1/0/3] port link-type trunk
[PE2-GigabitEthernet1/0/3] port trunk allow-pass vlan 200
[PE2-GigabitEthernet1/0/3] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] ip address 10.1.2.1 24
[PE2-Vlanif200] quit
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 10.1.2.1 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# Configure PE3.
<HUAWEI> system-view
[HUAWEI] sysname PE3
[PE3] vlan batch 100 200
[PE3] interface gigabitethernet 1/0/1
[PE3-GigabitEthernet1/0/1] port link-type trunk
[PE3-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE3-GigabitEthernet1/0/1] quit
[PE3] interface gigabitethernet 1/0/2
[PE3-GigabitEthernet1/0/2] port link-type trunk
[PE3-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[PE3-GigabitEthernet1/0/2] quit
[PE3] interface vlanif 100
[PE3-Vlanif100] ip address 10.1.1.2 24
[PE3-Vlanif100] quit
[PE3] interface vlanif 200
[PE3-Vlanif200] ip address 10.1.2.2 24
[PE3-Vlanif200] quit
[PE3] interface loopback 1
[PE3-LoopBack1] ip address 3.3.3.9 32
[PE3-LoopBack1] quit
[PE3] ospf 1
[PE3-ospf-1] area 0
[PE3-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE3-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255
After the configuration is complete, PE1, PE2, and PE3 use OSPF to discover IP routes to
Loopback1 of one another, and they can ping each other. Run the display ip routing-table
command on PE1, PE2, and PE3 to verify that the PEs have learned the routes to one another.
NOTE
l Do not add the attachment circuit (AC) side interface and PW side interface of a PE to the same
VLAN. If they are added to the same VLAN, a loop may occur.
l When using OSPF, configure PE1, PE2, and PE3 to advertise 32-bit loopback addresses.
Step 2 Configure Eth-Trunks in LACP mode on CE1, PE1, and PE2, and add member interfaces to
the Eth-Trunks. Configure Layer 2 forwarding on CE1.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface eth-trunk 20
[CE1-Eth-Trunk20] port link-type trunk
[CE1-Eth-Trunk20] port trunk allow-pass vlan 10
[CE1-Eth-Trunk20] mode lacp
[CE1-Eth-Trunk20] trunkport GigabitEthernet 1/0/1 to 1/0/4
[CE1-Eth-Trunk20] quit
# Configure PE1.
[PE1] interface eth-trunk 10
[PE1-Eth-Trunk10] port link-type trunk
[PE1-Eth-Trunk10] mode lacp
[PE1-Eth-Trunk10] trunkport GigabitEthernet 1/0/1 to 1/0/2
[PE1-Eth-Trunk10] quit
# Configure PE2.
[PE2] interface eth-trunk 10
[PE2-Eth-Trunk10] port link-type trunk
[PE2-Eth-Trunk10] mode lacp
[PE2-Eth-Trunk10] trunkport GigabitEthernet 1/0/1 to 1/0/2
[PE2-Eth-Trunk10] quit
Step 3 Create an E-Trunk and set the LACP priority, LACP system ID, E-Trunk priority, local and
remote IP addresses, time multiplier for detecting hello packets, and interval for sending hello
packets.
# Configure PE1.
[PE1] e-trunk 1
[PE1-e-trunk-1] quit
[PE1] lacp e-trunk priority 1
[PE1] lacp e-trunk system-id 00E0-FC00-0000
[PE1] e-trunk 1
[PE1-e-trunk-1] priority 10
[PE1-e-trunk-1] timer hold-on-failure multiplier 3
[PE1-e-trunk-1] timer hello 9
[PE1-e-trunk-1] peer-address 2.2.2.9 source-address 1.1.1.9
[PE1-e-trunk-1] quit
# Configure PE2.
[PE2] e-trunk 1
[PE2-e-trunk-1] quit
[PE2] lacp e-trunk priority 1
# Configure PE2.
[PE2] interface eth-trunk 10
[PE2-Eth-Trunk10] e-trunk 1
[PE2-Eth-Trunk10] quit
The IP addresses of the local and remote devices of a BFD session must be the same as
those of the E-Trunk.
# Configure PE2.
[PE2] bfd
[PE2-bfd] quit
[PE2] bfd hello2 bind peer-ip 1.1.1.9 source-ip 2.2.2.9
[PE2-bfd-session-hello2] discriminator local 2
[PE2-bfd-session-hello2] discriminator remote 1
[PE2-bfd-session-hello2] commit
[PE2-bfd-session-hello2] quit
# Configure PE2.
[PE2] e-trunk 1
[PE2-e-trunk-1] e-trunk track bfd-session session-name hello2
[PE2-e-trunk-1] quit
Step 6 Configure PEs so that CE1 can access the VPLS network.
1. Configure basic MPLS functions and LDP on PE1, PE2, and PE3.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] mpls
[PE2-Vlanif200] mpls ldp
[PE2-Vlanif200] quit
# Configure PE3.
[PE3] mpls lsr-id 3.3.3.9
[PE3] mpls
[PE3-mpls] quit
[PE3] mpls ldp
[PE3-mpls-ldp] quit
[PE3] interface vlanif 100
[PE3-Vlanif100] mpls
[PE3-Vlanif100] mpls ldp
[PE3-Vlanif100] quit
[PE3] interface vlanif 200
[PE3-Vlanif200] mpls
[PE3-Vlanif200] mpls ldp
[PE3-Vlanif200] quit
After the configuration is complete, run the display mpls ldp session command on the
PEs. You can see that the LDP session status is Operational, indicating that LDP sessions
have been set up.
2. Enable MPLS L2VPN on PE1, PE2, and PE3.
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
# Configure PE3.
[PE3] mpls l2vpn
[PE3-l2vpn] quit
3. Create VSI ldp1 on PE1, PE2, and PE3 and specify LDP as the signaling protocol in the
VSI.
# Configure PE1.
[PE1] vsi ldp1 static
[PE1-vsi-ldp1] pwsignal ldp
[PE1-vsi-ldp1-ldp] vsi-id 2
[PE1-vsi-ldp1-ldp] peer 3.3.3.9
[PE1-vsi-ldp1-ldp] quit
[PE1-vsi-ldp1] quit
# Configure PE2.
[PE2] vsi ldp1 static
[PE2-vsi-ldp1] pwsignal ldp
[PE2-vsi-ldp1-ldp] vsi-id 2
[PE2-vsi-ldp1-ldp] peer 3.3.3.9
[PE2-vsi-ldp1-ldp] quit
[PE2-vsi-ldp1] quit
# Configure PE3.
4. Configure an Eth-Trunk sub-interface on PE1 and PE2, and bind the VSI to the Eth-
Trunk sub-interface.
# Configure PE1.
[PE1] interface Eth-Trunk 10.1
[PE1-Eth-Trunk10.1] dot1q termination vid 10
[PE1-Eth-Trunk10.1] l2 binding vsi ldp1
[PE1-Eth-Trunk10.1] quit
# Configure PE2.
[PE2] interface Eth-Trunk 10.1
[PE2-Eth-Trunk10.1] dot1q termination vid 10
[PE2-Eth-Trunk10.1] l2 binding vsi ldp1
[PE2-Eth-Trunk10.1] quit
5. Configure a Dot1q sub-interface on PE3, and bind the VSI to the sub-interface.
# Configure PE3.
[PE3] interface gigabitethernet 1/0/3.1
[PE3-GigabitEthernet1/0/3.1] dot1q termination vid 10
[PE3-GigabitEthernet1/0/3.1] l2 binding vsi ldp1
[PE3-GigabitEthernet1/0/3.1] quit
Description : -
------------------------------------------------------------------------------
--
The Member
information
Type ID LocalPhyState Work-Mode State Causation Remote-
ID
Eth-Trunk 10 Down auto Backup ETRUNK_BACKUP 10
According to the preceding information, the E-Trunk priority value on PE1 is 10 and the
E-Trunk status is Master; the E-Trunk priority value on PE2 is 20 and the E-Trunk status
is Backup. Link backup is achieved.
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Eth-Trunk20
port link-type trunk
port trunk allow-pass vlan 10
mode lacp
#
interface GigabitEthernet1/0/1
eth-trunk 20
#
interface GigabitEthernet1/0/2
eth-trunk 20
#
interface GigabitEthernet1/0/3
eth-trunk 20
#
interface GigabitEthernet1/0/4
eth-trunk 20
#
return
mpls ldp
#
e-trunk 1
priority 10
peer-address 2.2.2.9 source-address 1.1.1.9
timer hello 9
timer hold-on-failure multiplier 3
e-trunk track bfd-session session-name hello1
#
interface Eth-Trunk10
port link-type trunk
mode lacp
e-trunk 1
#
interface Eth-Trunk10.1
dot1q termination vid 10
l2 binding vsi ldp1
#
interface GigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/2
eth-trunk 10
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bfd hello1 bind peer-ip 2.2.2.9 source-ip 1.1.1.9
discriminator local 1
discriminator remote 2
commit
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
l PE2 configuration file
#
sysname PE2
#
vlan batch 200
#
lacp e-trunk system-id 00e0-fc00-0000
lacp e-trunk priority 1
#
bfd
#
mpls lsr-id 2.2.2.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
interface Vlanif200
ip address 10.1.2.1 255.255.255.0
mpls
mpls ldp
#
e-trunk 1
priority 20
peer-address 1.1.1.9 source-address 2.2.2.9
timer hello 9
timer hold-on-failure multiplier 3
e-trunk track bfd-session session-name hello2
#
interface Eth-Trunk10
port link-type trunk
mode lacp
e-trunk 1
#
interface Eth-Trunk10.1
dot1q termination vid 10
l2 binding vsi ldp1
#
interface GigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/2
eth-trunk 10
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 200
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bfd hello2 bind peer-ip 1.1.1.9 source-ip 2.2.2.9
discriminator local 2
discriminator remote 1
commit
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.2.0 0.0.0.255
#
return
l PE3 configuration file
#
sysname PE3
#
vlan batch 100 200
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
peer 2.2.2.9
#
mpls ldp
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif200
ip address 10.1.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/3.1
dot1q termination vid 10
l2 binding vsi ldp1
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
#
return
Fault Description
Traffic is unevenly load balanced among Eth-Trunk member interfaces due to an incorrect
load balancing mode.
Procedure
1. Run the display eth-trunk command to check whether the load balancing mode of the
Eth-Trunk meets your network requirements. For example, source or destination IP
address-based load balancing is not recommended in Layer 2 networking.
2. Run the load-balance command to set an appropriate load balancing mode.
Fault Description
The Eth-Trunk is Down because the lower threshold for the number of active interfaces is
incorrect.
Procedure
1. Run the display eth-trunk trunk-id command to check whether the lower threshold for
the number of active interfaces of an Eth-Trunk is set.
If the number of Eth-Trunk member interfaces in Up state is lower than the lower
threshold, the Eth-Trunk becomes Down.
2. Run the least active-linknumber link-number command in the Eth-Trunk view to
configure the lower threshold to be smaller than the number of Eth-Trunk member
interfaces in Up state.
The local and remote devices can use different lower thresholds for the number of active
interfaces. If the lower thresholds are different, the larger value is used.
3.11 FAQ
When an Eth-Trunk interface in LACP mode goes Up and Down frequently due to unstable
physical links, LACP goes Up and Down accordingly. As a result, services transmitted on the
Eth-Trunk link are affected. After the LACP preemption delay is set, LACP negotiation is not
performed during the delay period. The possibility of LACP flapping is reduced, and services
will not be affected.
You can run the lacp preempt enable command to enable the LACP preemption function on
the current Eth-Trunk interface and run the lacp preempt delay delay-time command to
configure the preemption delay.
3.12 References
The following table lists the reference of this document.
IEEE 802.3AD IEEE Std 802.3ad - 2005 IEEE Standard for Link -
Aggregation operation, Link Aggregation Control, Link
Aggregation Control Protocol, Marker protocol and
configuration capabilities and restrictions.
4 VLAN Configuration
This chapter describes how to configure VLAN technology. VLAN technology provides
broadcast domain isolation, security hardening, flexible networking, and high extensibility.
Definition
Virtual Local Area Network (VLAN) technology divides a physical LAN into multiple
broadcast domains, each of which is called a VLAN. Hosts within a VLAN can communicate
with each other but cannot communicate directly with hosts in other VLANs. Consequently,
broadcast packets are confined to within a single VLAN.
Purpose
Ethernet technology implements data communication over shared media based on Carrier
Sense Multiple Access/Collision Detection (CSMA/CD). When an Ethernet network has a
large number of hosts, collision becomes a serious problem and can lead to broadcast storms.
As a result, network performance deteriorates, or can even result in a complete breakdown.
Using switches to connect LANs can mitigate collisions, but cannot isolate broadcast packets
or improve network quality.
VLAN technology divides a physical LAN into multiple VLANs to isolate broadcast
domains. Hosts within a VLAN can communicate with each other but cannot communicate
directly with hosts in other VLANs. Consequently, broadcast packets are confined to within a
single VLAN.
VLAN 2
VLAN 3
Figure 4-1 shows a typical VLAN networking environment. Two switches are deployed in
different locations (for example, on different floors of a building). Each switch is connected to
two PCs belonging to different VLANs, which likely belong to different entities or
companies.
Benefits
VLAN technology offers the following benefits:
l Limits broadcast domains. Broadcast domains are limited to conserve bandwidth and
improve network efficiency.
l Enhances LAN security. Packets from different VLANs are transmitted separately. Hosts
in a VLAN cannot communicate directly with hosts in another VLAN.
l Improves network robustness. A fault in a VLAN does not affect hosts in other VLANs.
l Allows flexible definition of virtual groups. With VLAN technology, hosts in different
geographical locations can be grouped together, thereby simplifying network
construction and maintenance.
4.2 Principles
A VLAN tag contains four fields. Table 4-1 describes the fields.
TPID 2 Tag Protocol Identifier (TPID), The value 0x8100 indicates an 802.1Q-
bytes indicating the frame type. tagged frame. An 802.1Q-incapable
device discards the 802.1Q frames.
IEEE 802.1Q protocol defines the
value of the field as 0x8100. However,
manufacturers can define their own
TPID values and users can then modify
the value to realize interconnection of
devices from different manufacturers.
PRI 3 bits Priority (PRI), indicating the The value ranges from 0 to 7. A larger
frame priority. value indicates a higher priority. If
congestion occurs, the switch sends
packets with higher priorities first.
CFI 1 bit Canonical Format Indicator The value 0 indicates that the MAC
(CFI), indicating whether a address is encapsulated in canonical
MAC address is encapsulated in format, and the value 1 indicates that
canonical format over different the MAC address is encapsulated in
transmission media. CFI is used non-canonical format. The CFI field
to ensure compatibility between has a fixed value of 0 on Ethernet
Ethernet and token ring networks.
networks.
VID 12 VLAN ID (VID), indicating the VLAN IDs range from 0 to 4095. The
bits VLAN to which a frame values 0 and 4095 are reserved, and
belongs. therefore valid VLAN IDs range from
1 to 4094.
The switch identifies the VLAN that a frame belongs to according to the information
contained in the VID field. Broadcast frames are forwarded only in the local VLAN. That is, a
broadcast domain is confined to within a single VLAN.
All frames processed in a switch carry VLAN tags so as to improve frame processing
efficiency.
All frames processed in a switch carry VLAN tags. On a network, some devices connected to
a switch can only receive and send untagged frames. To enable communication between the
switch and these devices, the switch interfaces must be able to identify the untagged frames
and add or remove VLAN tags from the frames. Hosts in the same VLAN may be connected
to different switches, and more than one VLAN may span multiple switches. To enable
communication between hosts, interfaces between switches must be able to identify and send
VLAN frames.
To accommodate different connections and networking, Huawei defines four interface types
(access, trunk, hybrid, and QinQ) and two link types (access and trunk). Figure 4-3 shows
access, trunk, and hybrid interfaces. 10 QinQ Configuration shows the QinQ interface.
4
2
Trunk
Hub Switch Switch Hub
Access link
Trunk link Untagged frame
Access interface 2 Tagged frame, VID=2
Trunk interface 3 Tagged frame, VID=3
4 Tagged frame, VID=4
Hybrid interface
Link Types
As shown in Figure 4-3, Ethernet links fall into the following types, depending on the number
of allowed VLANs:
l Access link
An access link can transmit data frames of only one VLAN. It connects a switch to a user
terminal, such as a host, server, and simplified Layer 2 switch. Generally, user terminals
do not need to know the VLANs to which they belong and cannot identify tagged
frames; therefore, only untagged frames are transmitted along an access link.
l Trunk link
A trunk link can transmit data frames from multiple VLANs. It connects a switch to
another switch or a router. Frames on a trunk link must be tagged so that other network
devices can correctly identify VLAN information in the frames.
Interface Types
As shown in Figure 4-3, Ethernet interfaces are classified into the following types depending
on the objects connected to them and the way they process frames:
l Access interface
An access interface often connects to a user terminal such as a user host or server that
cannot identify VLAN tags, or is used when VLANs do not need to be differentiated.
Access interfaces can only receive and send untagged frames, and can add only a unique
VLAN tag to untagged frames.
l Trunk interface
A trunk interface often connects to a switch, router, AP, or voice terminal that can
receive and send tagged and untagged frames simultaneously. It allows tagged frames
from multiple VLANs and untagged frames from only one VLAN.
l Hybrid interface
A hybrid interface can connect to not only a user terminal (such as a user host or server)
or network device (such as a hub or simplified Layer 2 switch) that cannot identify tags,
but also a switch, router, voice terminal, or AP that can receive and send tagged and
untagged frames. It allows tagged frames from multiple VLANs. Frames sent out from a
hybrid interface are tagged or untagged according to the VLAN configuration.
Hybrid and trunk interfaces can be interchanged in some scenarios, but hybrid interfaces
must be used in specified scenarios, for example, 2 to 1 VLAN mapping scenario. Before
packets from multiple VLANs provided by a service provider enter a user network, the
outer VLAN tags must be removed. The trunk interface cannot be used here because the
trunk interface allows only untagged packets from the default VLAN of the interface to
pass through. For details about 2 to 1 VLAN mapping, see 11.2 Principles.
l QinQ interface
An 802.1Q-in-802.1Q (QinQ) interface often connects a private network to a public
network. It can add an additional 802.1Q tag to a tagged frame. QinQ supports up to
4094 x 4094 VLANs, thereby extending VLANs over the network. The outer tag is often
called the public tag and identifies the VLAN ID of the public network, whereas the
inner tag is often called the private tag and identifies the VLAN ID of the private
network.
For details about the QinQ interface and QinQ frame format, see 10.2.1 QinQ
Fundamentals.
The default VLAN ID of an interface is called the port default VLAN ID (PVID). Frames
processed in a switch all carry VLAN tags. When the switch receives an untagged frame, it
adds a VLAN tag to the frame according to the default VLAN of the interface that receives
the frame. The PVID is used in the following scenarios:
l When an interface receives an untagged frame, the interface adds a tag with the PVID to
the frame and sends the frame to the switch for processing. When an interface receives a
tagged frame, the switch does not add a tag with the PVID to the frame.
l When an interface sends a frame in which the VLAN ID is the same as the PVID, the
switch removes the tag from the frame before sending it out from the interface.
Each interface has a default VLAN. By default, the default VLAN ID of all interfaces is
VLAN 1. You can change the default VLAN ID as required:
l The default VLAN of an access interface is the VLAN allowed by the access interface.
To change the default VLAN of an access interface, change the allowed VLAN.
l Trunk and hybrid interfaces allow multiple VLANs but have only one default VLAN.
Changing the allowed VLANs will not change the default VLAN.
Ethernet data frames are tagged or untagged based on the interface type and default VLAN.
The following describes how access, trunk, and hybrid interfaces process data frames.
NOTE
A QinQ interface adds an additional tag to a tagged frame. For details, see 10 QinQ Configuration.
Access Interface
Figure 4-4 and Figure 4-5 shows how an access interface adds and removes VLAN tags.
Receive a
frame
No
Carry tag?
Yes
Same No
Discard
VID and PVID?
Yes
Accept it and
add PVID Accept the frame
Further processing
Remove tag
Trunk Interface
Figure 4-6 and Figure 4-7 shows how a trunk interface adds and removes VLAN tags.
Receive a
frame
No
Carry tag?
Yes
No
Is VID
Add the PVID Discard
allowed?
Yes
Further processing
Prepare for
sending a frame
No Same as
PVID?
Yes
Remove tag
Hybrid Interface
Figure 4-8 and Figure 4-9 shows how a hybrid interface adds and removes VLAN tags.
Receive a
frame
No
Carry tag?
Yes
No
Is VID
Add the PVID Discard
allowed?
Yes
Further processing
Prepare for
sending a frame
No Does device
add tag to it?
Yes
Retain tag
Access Accepts an untagged l Accepts the tagged After the PVID tag is
port frame and adds a tag with frame if the frame's stripped, the frame is
the default VLAN ID to VLAN ID matches the transmitted.
the frame. default VLAN ID.
l Discards the tagged
frame if the frame's
VLAN ID differs from
the default VLAN ID.
Hybrid l Adds a tag with the l Accepts a tagged If the frame's VLAN
port default VLAN ID to an frame if the VLAN ID ID is permitted by the
untagged frame and carried in the frame is port, the frame is
accepts the frame if the permitted by the port. transmitted. The port
port permits the default l Discards a tagged can be configured
VLAN ID. frame if the VLAN ID whether to transmit
l Adds a tag with the carried in the frame is frames with tags.
default VLAN ID to an denied by the port.
untagged frame and
discards the frame if
the port denies the
default VLAN ID.
l Access, trunk, and hybrid interfaces add VLAN tags to received untagged frames. Trunk
and hybrid interfaces determine whether to accept untagged frames depending on
whether VLANs specified by the VLAN IDs in the frames are allowed, whereas an
access interface accepts the untagged frames unconditionally.
l Access, trunk, and hybrid interfaces determine whether to accept tagged frames
depending on whether VLANs specified by the VLAN IDs in the frames are allowed (the
VLAN ID allowed by an access interface is the default VLAN ID).
l Interfaces send frames as follows:
– An access interface directly removes VLAN tags from frames before sending the
frames.
– A trunk interface removes VLAN tags from frames only when their VLAN IDs are
the same as the PVID on the interface.
– A hybrid interface determines whether to remove VLAN tags from frames based on
the interface configuration.
Frames sent by an access interface are all untagged. On a trunk interface, only frames of
one VLAN are sent without tags, and frames of other VLANs are sent with tags. On a
hybrid interface, you can specify the VLANs of which frames are sent with or without
tags.
4.2.2 LNP
Definition
Link-type Negotiation Protocol (LNP) dynamically negotiates the link type of an Ethernet
interface. The negotiated link type can be access or trunk.
l When the link type on an Ethernet interface is negotiated as access, the interface joins
VLAN 1 by default.
l When the link type on an Ethernet interface is negotiated as trunk, the interface joins
VLAN 1 to VLAN 4094 by default.
Background
The switch supports the following link types on an Ethernet interface: access, hybrid, trunk,
and Dot1q tunnel. The four link types are applicable to different network positions and are
manually specified. If the network topology changes, link types of Ethernet interfaces also
need to be reconfigured and the configuration is complex. To simplify the configuration, LNP
supports auto-negotiation of the link types on Ethernet interfaces and allows Ethernet
interfaces to join VLANs after the auto-negotiation.
Implementation
When Layer 2 devices on the network shown in Figure 4-10 are successfully connected, the
physical status of interfaces becomes Up. After LNP negotiation is complete, user-side
interfaces on Switch4, Switch5, Switch6, and Switch7 join VLAN 1 as access interfaces, and
interfaces between switches become trunk interfaces and allow all VLANs.
S1
S2 S3
Trunk
S4 S5 S6 S7
Access
An interface that is negotiated as a trunk interface allows all VLANs by default; therefore, a loop
prevention protocol needs to be deployed to prevent loops.
If a loop prevention protocol (for example, STP, RSTP, MSTP, or VBST) is deployed on a Layer 2
network, LNP negotiation can succeed on a blocked interface regardless of the link type.
l LNP negotiation
The link type of a Layer 2 Ethernet interface determines the negotiation result. Table 4-3
describes LNP negotiation results on a Layer 2 interface in Up state.
NOTE
l If the two ends of an Eth-Trunk link have different numbers of member interfaces, the LNP
negotiation may fail.
l If the link type of the Layer 2 Ethernet interface is set to access, hybrid, trunk, or Dot1q
tunnel, LNP negotiation does not take effect on the interface.
l The link type of an interface will be set to access when the negotiation fails.
IP subnet- VLANs are assigned based l When physical Users are Applies to
based on source IP addresses and locations of distributed scenarios
VLAN subnet masks. users change, regularly where there
assignment A network administrator the network and are high
preconfigures mappings administrator multiple requiremen
between IP addresses and does not need users are ts for
VLAN IDs. When to reconfigure on the mobility
receiving an untagged VLANs for the same and
frame, the switch adds the users. network simplified
VLAN tag mapping the IP l This mode segment. manageme
address of the frame to the reduces nt and low
frame. Then the frame is communicatio requiremen
transmitted in the specified n traffic and ts for
VLAN. allows a security.
broadcast For
domain to example,
span multiple this mode
switches. can be used
if a PC
with
multiple IP
addresses
needs to
access
servers on
different
network
segments
or a PC
needs to
join a new
VLAN
automatical
ly after the
PC's IP
address
changes.
Protocol- VLANs are assigned based This mode binds l The Applies to
based on protocol (suite) types service types to network networks
VLAN and encapsulation formats VLANs, adminis using
assignment of frames. facilitating trator multiple
A network administrator management and must protocols.
preconfigures mappings maintenance. preconfi
between protocol types and gure
VLAN IDs. When mappin
receiving an untagged gs
frame, the switch adds the between
VLAN tag mapping the all
protocol type of the frame protocol
to the frame. The frame is types
then transmitted in the and
specified VLAN. VLAN
IDs.
l The
switch
needs to
analyze
protocol
address
formats
and
convert
the
formats,
which
consum
es
excessi
ve
resourc
es.
Therefo
re, this
mode
slows
down
switch
respons
e time.
No
No
No No
Yes
Is
Subnet-based Yes
MAC-VLAN
VLAN assignment
enabled?
enabled?
No No
Yes Protocol-based
VLAN enabled?
No
No
Is default VLAN Discard frame
ID set?
Yes
Allocate VLAN ID to
frame and forward it
at Layer 2
different network segments, the frame needs to be forwarded by the gateway. The source
host obtains the gateway's MAC address, and uses it as the destination MAC address to
send the frame to the gateway.
l Ethernet switching in a switch
The switch determines whether to forward a received frame at Layer 2 or Layer 3 based
on the information in the destination MAC address, VLAN ID, and Layer 3 forwarding
bit.
– If the destination MAC address and VLAN ID of the frame match a MAC address
entry of the switch and the Layer 3 forwarding bit is set, the switch searches for a
Layer 3 forwarding entry based on the destination IP address. If no entry is found,
the switch sends the frame to the CPU. The CPU then searches for a route to
forward the frame at Layer 3.
– If the destination MAC address and VLAN ID of the frame match a MAC address
entry but the Layer 3 forwarding bit is not set, the switch directly forwards the
frame from the outbound interface specified in the matching MAC address entry.
– If the destination MAC address and VLAN ID of the frame do not match any MAC
address entry, the switch broadcasts the frame to all the interfaces allowing the
VLAN specified in the VID to obtain the MAC address of the destination host.
For details about Layer 2 and Layer 3 switching, see 1.3.1 Layer 2 Switching and 1.3.2
Layer 3 Switching.
l Adding and removing VLAN tags during the exchange between devices (for example,
between a switch and a user host, another switch, or another network device)
Frames processed in a switch all carry VLAN tags. The switch needs to add or remove
VLAN tags according to the interface setting to communicate with other network
devices. For details on how VLAN tags are added and removed on different interfaces,
see 4.2.1.4 Adding and Removing VLAN Tags.
After VLANs are assigned, broadcast packets are forwarded at Layer 2 in the same VLAN.
That is, users in the same VLAN can directly communicate at Layer 2. There are two intra-
VLAN communication scenarios depending on whether hosts in the same VLAN connect to
the same or multiple switches.
When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on the switch):
1. Host_1 determines that the destination IP address is on the same network segment as its
IP address, and therefore broadcasts an ARP Request packet to obtain the MAC address
of Host_2. The ARP Request packet carries the all-F destination MAC address and
destination IP address of 10.1.1.3 (Host_2's IP address).
2. When the packet reaches IF_1 on the Switch, the Switch detects that the ARP Request
packet is untagged and adds VLAN 2 (PVID of IF_1) to the packet. The Switch then
adds the binding of the source MAC address, VLAN ID, and interface (1-1-1, 2, IF_1) to
its MAC address table.
3. The Switch does not find a MAC address entry matching the destination MAC address
and VLAN ID of the ARP Request packet, so it broadcasts the ARP Request packet to
all interfaces that allow VLAN 2 (IF_2 in this example).
4. Before sending the ARP Request packet, IF_2 on the Switch removes the tag with
VLAN 2 from the packet.
5. Host_2 receives the ARP Request packet and records the mapping between the MAC
address and IP address of Host_1 in the ARP table. Then Host_2 compares the
destination IP address with its own IP address. If they are the same, Host_2 sends an
ARP Reply packet. The ARP Reply packet carries Host_2's MAC address of 2-2-2 and
Host_1's IP address of 10.1.1.2 as the destination IP address.
6. After receiving the ARP Reply packet, IF_2 on the Switch tags the packet with VLAN 2.
7. The Switch adds the mapping between the source MAC address, VLAN ID, and
interface (2-2-2, 2, IF_2) to its MAC address table, and then searches for an entry in its
MAC address table based on the destination MAC address and VLAN ID (1-1-1, 2). The
entry is found because the mapping has been recorded before (see step 5). The Switch
forwards the ARP Reply packet to IF_1.
8. Before forwarding the ARP Reply packet to IF_1, the Switch removes the tag with
VLAN 2 from the packet.
9. Host_1 receives the ARP Reply packet and records the mapping between the MAC
address and IP address of Host_2 in the ARP table.
Host_1 and Host_2 have learned the MAC address of each other, so they directly fill the
destination MAC address fields of packets with the learned MAC addresses of the packets in
subsequent communication.
In the preceding networking, if hosts in the same VLAN are on different network segments,
they encapsulate the gateway's MAC address into packets. If the Switch is a Layer 2 switch,
hosts cannot communicate. If the Switch is a Layer 3 switch, hosts can communicate through
VLANIF interfaces (with primary and secondary IP addresses configured). The principles are
similar to those in Inter-VLAN Communication Through the Same Switch, and are not
mentioned here.
Host_1 Host_2
MAC: 1-1-1 MAC: 2-2-2
IP: 10.1.1.2 IP: 10.1.1.3
Subnet Mask: 255.255.255.0 Subnet Mask: 255.255.255.0
When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on Switch_1 and Switch_2):
1. The first two steps are similar to steps 1 and 2 in Intra-VLAN Communication
Through the Same Switch. After the two steps are complete, Host_1 broadcasts the
ARP Request packet to IF_2 on Switch_1.
2. IF_2 on Switch_1 transparently transmits the ARP Request packet to IF_2 on Switch_2
without removing the tag of the packet, because the VLAN ID of the packet is different
from the PVID of IF_2 on Switch_1.
3. After receiving the ARP Request packet, IF_2 on Switch_2 determines that VLAN 2 is
an allowed VLAN and accepts the packet.
4. Following the four steps similar to steps 3 to 6 in Intra-VLAN Communication
Through the Same Switch, Switch_2 forwards the ARP Reply packet of Host_2 to
IF_2. IF_2 on Switch_2 transparently transmits the ARP Reply packet to IF_2 on
Switch_1, because IF_2 is a trunk interface and its PVID is different from the VLAN ID
of the packet.
5. After receiving the ARP Reply packet, IF_2 on Switch_1 determines that VLAN 2 is an
allowed VLAN and accepts the packet. Subsequent steps are similar to steps 7 to 9 in
Intra-VLAN Communication Through the Same Switch.
In addition to transmitting frames from multiple VLANs, a trunk link can transparently
transmit frames without adding or removing the tags of the packets.
In the preceding networking, if hosts in the same VLAN are on different network segments
and Switch_1 or Switch_2 is a Layer 2 switch, hosts cannot communicate. If Switch_1 or
Switch_2 is a Layer 3 switch, hosts can communicate through VLANIF interfaces. The
principles are similar to those in Inter-VLAN Communication Through the Same Switch,
and are not mentioned here.
Figure 4-14 Using VLANIF interfaces to implement inter-VLAN communication through the
same switch
VLANIF 2 VLANIF 3
IP: 10.1.1.1/24 IP: 10.2.2.1/24
MAC: 3-3-3 Switch MAC: 4-4-4
IF_1 IF_2
access access
VLAN 2 VLAN 3
Host_1 Host_2
MAC: 1-1-1 MAC: 2-2-2
IP: 10.1.1.2 IP: 10.2.2.2
Gateway address: 10.1.1.1 Gateway address: 10.2.2.1
When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on the switch):
1. Host_1 determines that the destination IP address is on a different network segment from
its own IP address, and therefore sends an ARP Request packet to request the gateway
MAC address. The ARP Request packet carries the destination IP address of 10.1.1.1
(gateway's IP address) and all-F destination MAC address.
2. When the ARP Request packet reaches IF_1 on the Switch, the Switch tags the packet
with VLAN 2 (PVID of IF_1). The Switch then adds the mapping between the source
MAC address, VLAN ID, and interface (1-1-1, 2, IF_1) in its MAC address table.
3. The Switch detects that the packet is an ARP Request packet and the destination IP
address is the IP address of VLANIF 2. The Switch then encapsulates VLANIF 2's MAC
address of 3-3-3 into the ARP Reply packet and removes the tag with VLAN 2 from the
packet before sending it from IF_1. In addition, the Switch adds the binding of the IP
address and MAC address of Host_1 in its ARP table.
4. After receiving the ARP Reply packet from the Switch, Host_1 adds the binding of the
IP address and MAC address of VLANIF 2 on the Switch in its ARP table and sends a
packet to the Switch. The packet carries the destination MAC address of 3-3-3 and
destination IP address of 10.2.2.2 (Host_2's IP address).
5. After the packet reaches IF_1 on the Switch, the Switch tags the packet with VLAN 2.
6. The Switch updates its MAC address table based on the source MAC address, VLAN
ID, and inbound interface of the packet, and compares the destination MAC address of
the packet with the MAC address of VLANIF 2. If they are the same, the Switch
determines that the packet should be forwarded at Layer 3 and searches for a Layer 3
forwarding entry based on the destination IP address. If no entry is found, the Switch
sends the packet to the CPU. The CPU then searches for a routing entry to forward the
packet.
7. The CPU looks up the routing table based on the destination IP address of the packet and
detects that the destination IP address matches a directly connected network segment
(network segment of VLANIF 3). The CPU continues to look up its ARP table but finds
no matching ARP entry. Therefore, the Switch broadcasts an ARP Request packet with
the destination address of 10.2.2.2 to all interfaces in VLAN 3. Before sending the ARP
Request packet from IF_2, the Switch removes the tag with VLAN 2 from the packet.
8. After receiving the ARP Request packet, Host_2 detects that the IP address is its own IP
address and sends an ARP Reply packet with its own. Additionally, Host_2 adds the
mapping between the MAC address and IP address of VLANIF 3 to its ARP table.
9. After IF_2 on the Switch receives the ARP Reply packet, IF_2 tags the packet with
VLAN 3 to the packet and adds the binding of the MAC address and IP address of
Host_2 in its ARP table. Before forwarding the packet from Host_1 to Host_2, the
Switch removes the tag with VLAN 3 from the packet. The Switch also adds the binding
of Host_2's IP address, MAC address, VLAN ID, and outbound interface in its Layer 3
forwarding table.
The packet sent from Host_1 then reaches Host_2. The packet transmission process from
Host_2 to Host_1 is similar. Subsequent packets between Host_1 and Host_2 are first sent to
the gateway (Switch), and the Switch forwards the packets at Layer 3 based on its Layer 3
forwarding table.
Host_1 Host_2
MAC: 1-1-1 MAC: 2-2-2
IP: 10.1.1.2 IP: 10.1.2.2
Gateway address: 10.1.1.1 Gateway address: 10.1.2.1
When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on Switch_1 and Switch_2):
1. The first six steps are similar to steps 1 to 6 in inter-VLAN communication when hosts
connect to the same switch. After the steps are complete, Switch_1 sends the packet to
its CPU and the CPU looks up the routing table.
2. The CPU of Switch_1 searches for the routing table based on the destination IP address
of 10.1.2.2 and finds a static route. In the static route, the destination network segment is
10.1.2.0/24 and the next hop address is 10.1.4.2. The CPU continues to look up its ARP
table but finds no matching ARP entry. Therefore, Switch_1 broadcasts an ARP Request
packet with the destination address of 10.1.4.2 to all interfaces in VLAN 4. IF_2 on
Switch_1 transparently transmits the ARP Request packet to IF_2 on Switch_2 without
removing the tag from the packet.
3. After the ARP Request packet reaches Switch_2, Switch_2 finds that the destination IP
address of the ARP Request packet is the IP address of VLANIF 4. Switch_2 then sends
an ARP Reply packet with the MAC address of VLANIF 4 to Switch_1.
4. IF_2 on Switch_2 transparently transmits the ARP Reply packet to Switch_1. After
Switch_1 receives the ARP Reply packet, it adds the binding of the MAC address and IP
address of VLANIF4 in its ARP table.
5. Before forwarding the packet of Host_1 to Switch_2, Switch_1 changes the destination
MAC address of the packet to the MAC address of VLANIF 4 on Switch_2 and the
source MAC address to the MAC address of VLANIF 4 on itself. In addition, Switch_1
records the forwarding entry (10.1.2.0/24, next hop IP address, VLAN, and outbound
interface) in its Layer 3 forwarding table. Similarly, the packet is transparently
transmitted to IF_2 on Switch_2.
6. After Switch_2 receives packets of Host_1 forwarded by Switch_1, the steps similar to
steps 6 to 9 in inter-VLAN communication when hosts connect to the same switch
are performed. In addition, Switch_2 records the forwarding entry (Host_2's IP address,
MAC address, VLAN, and outbound interface) in its Layer 3 forwarding table.
to communicate with each other. This user isolation method uses a large number of VLANs
and makes configuration more complex, increasing the maintenance workload of the network
administrator.
Huawei provides intra-VLAN Layer 2 isolation technologies including port isolation, MUX
VLAN, and Modular QoS Command-Line Interface (MQC).
Port Isolation
Port isolation can isolate interfaces in a VLAN. You can add interfaces to a port isolation
group to disable Layer 2 packet transmission between the interfaces. Interfaces in different
port isolation groups or out of port isolation groups can exchange packets with other
interfaces. In addition, interfaces can be isolated unidirectionally, providing more secure and
flexible networking.
For details about port isolation, see Configuring Port Isolation in S7700&S9700 Series
Switches Configuration Guide - Interface Management.
MUX VLAN
Multiplex VLAN (MUX VLAN) provides a mechanism to control network resources using
VLANs. It can implement inter-VLAN communication and intra-VLAN isolation.
For example, an enterprise has the following requirements:
l Employees can communicate with each other but customers are isolated.
l Both employees and customers can access enterprise servers.
You can deploy the MUX VLAN to meet the preceding requirements.
For details about the MUX VLAN feature, see 7 MUX VLAN Configuration.
classifiers with the permit or deny behavior in a traffic policy. The switch then permits or
rejects the packets matching the traffic classifiers. This technology implements flexible inter-
VLAN isolation.
The switch supports inter-VLAN Layer 3 isolation based on MQC and simplified ACL-based
traffic policies. For details about MQC and simplified ACL-based traffic policies, see MQC
Configuration and ACL-based Simplified Traffic Policy Configuration in S7700&S9700
Series Switches Configuration Guide - QoS.
4.3 Applications
Internet
L3 switch
L2 switch
To isolate services and ensure service security of different companies, add interfaces
connected to the companies to different VLANs. Each company has a virtual router and each
VLAN is a virtual work group.
Switch_1
Server
VLAN 10
Switch_2 Switch_3
Office Office
area 1 area 2
User_1 User_1
VLAN 10 VLAN 10
To enable employees to access network resources such as servers after they move from one
office area to the other, configure MAC address-based VLAN assignment on Switch_2 and
Switch_3. As long as the MAC address of User_1 remains unchanged, the user belongs to the
same VLAN and can still access the company's network resources after changing the location.
Server of department 2
VLAN 20
Switch_2 Switch_3
Department Department
1 2
To ensure that employees retain the rights to access network resources after changing
locations, configure IP subnet-based VLAN assignment on the company's central switch.
Different network segments of servers are assigned to different VLANs to isolate data flows
of different application services, improving security.
Figure 4-19 Using VLANIF interfaces to implement inter-VLAN communication through the
same Layer 3 switch
Switch
(L3)
VLANIF 2 VLANIF 3
Switch_1
Switch_2
(L2)
(L2)
Department 1 Department 2
PC_1 PC_2
VLAN 2 VLAN 3
Assign VLANs on Switch_1 and Switch_2, configure Switch_1 and Switch_2 to transparently
transmit VLAN packets to the Layer 3 switch, and configure a VLANIF interface for each
VLAN on the Layer 3 switch to allow communication between VLAN 2 and VLAN 3.
Layer 3 network
VLANIF 2 VLANIF 3
L2 Switch L2 Switch
Department 1 Department 2
PC_1 PC_2
VLAN 2 VLAN 3
Assign VLANs on the Layer 2 switches, and configure the Layer 2 switches to transparently
transmit VLAN packets to Layer 3 switches. Configure a VLANIF interface for each user
VLAN and interconnected VLANs on Switch_1 and Switch_2, and configure VLANIF
interfaces for interconnected VLANs on other Layer 3 devices. In addition, configure static
routes or a dynamic routing protocol between Switch_1 and Switch_2 (a dynamic routing
protocol is recommended when devices are connected across more than two Layer 3
switches).
Internet
Router
VLANIF 20
After the central switch (Switch) is configured with VLANIF 10, VLANIF 20, VLANIF 30,
and VLANIF 100 and a route to the router, employees, visitors, and servers can access the
Internet and communicate with each other. To control access rights of visitors, configure a
traffic policy on the central switch and define the following rules:
l ACL rule 1: denies the packets sent from the IP network segment of visitors to the IP
segment of employees.
l ACL rule 2: permits the packets from the IP network segment of visitors to the IP
address of Server_1, and denies the packets from the IP network segment of visitors and
to the IP segment of servers.
l ACL rule 3: denies the packets from the IP network segment of employees to the IP
segment of visitors.
l ACL rule 4: denies the packets from the IP network segment of servers to the IP segment
of visitors.
Apply the traffic policy to the inbound and outbound direction of the switch interface
connected to the visitor area. Visitors can then only access Server_1 and cannot communicate
with employees.
Egress
Core switch
router
Enterprise intranet GE1/0/1 ISP
VLANIF 10 GE1/0/1.1 network
10.1.1.1/24 10.1.1.2/24
To access the ISP network, the core Layer 3 switch and egress router need to interwork at
Layer 3. Most Layer 3 switches do not support routed interfaces or support limited routed
interfaces. Generally, a VLANIF interface is used as a Layer 3 interface to communicate with
the Layer 3 sub-interface of the router, and then static route or a dynamic routing protocol is
configured to implement Layer 3 connectivity between the core switch and egress router.
Assign VLANs
Configure MQC to
implement inter-VLAN
isolation
4.7.1 Assigning VLANs VLANs can isolate the hosts that do not need to
communicate with each other, which improves network
security, reduces broadcast traffic, and mitigates broadcast
storms.
4.7.2 Configuring Inter- After VLANs are assigned, users in different VLANs
VLAN Communication cannot directly communicate with each other. If users in
different VLANs need to communicate, configure VLANIF
interfaces to implement inter-VLAN Layer 3 connectivity.
NOTE
You can also configure a VLAN termination sub-interface or
VLAN Switch to implement inter-VLAN connectivity. For details
about the VLAN termination sub-interface and VLAN switching,
see 8.6.1 Configuring a Dot1q Termination Sub-interface to
Implement Inter-VLAN Communication and 6 VLAN Switch
Configuration.
4.7.3 Configuring a Traffic After VLANs are assigned, users in the same VLAN can
Policy to Implement Intra- directly communicate with each other. If some users in the
VLAN Layer 2 Isolation same VLAN need to be isolated, configure MQC-based
intra-VLAN Layer 2 isolation.
NOTE
Intra-VLAN isolation can also be implemented using port
isolation. For details about port isolation, see Configuring Port
Isolation in S7700&S9700 Series Switches Configuration Guide -
Interface Management.
License Support
VLAN technology is a basic feature of a switch and is not under license control.
Version Support
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
Maximum number of VLANs in the 4096 (VLAN 0 and VLAN 4095 are
system reserved)
Maximum number of VLANIF interfaces S9703 and S7703: 2048; other models:
in the system 4094
l If LNP is used to dynamically negotiate the link type (LNP is enabled by default), it is
recommended that each interface should be added to a maximum of 1000 VLANs and a
maximum of 200 interfaces should be configured on a switch. If 4094 VLANs are
configured globally, it is recommended that a maximum of 50 interfaces should be
enabled with LNP. Otherwise, the alarm about a high CPU usage is generated for a short
time.
l You are advised to plan service and management VLANs so that any broadcast storms in
service VLANs do not affect switch management.
l In practice, specify VLANs from which packets need to be transparently transmitted by a
trunk interface. Do not use the port trunk allow-pass vlan all command if possible.
l In earlier versions of V200R005, before changing the interface type, restore the default
VLAN of the interface.
l In earlier versions of V200R005, before deleting a VLAN where a VLANIF interface
has been configured, run the undo interface vlanif vlan-id command to delete the
VLANIF interface.
l All interfaces join VLAN 1 by default. When unknown unicast, multicast, or broadcast
packets of VLAN 1 exist on the network, broadcast storms may occur. When VLAN 1 is
used, pay attention to the following points:
– You are not advised to use VLAN 1 as the management VLAN or service VLAN.
– Remove the interfaces that do not need to join VLAN 1 from VLAN 1 to prevent
loops. A trunk interface often permits packets from VLAN 1 to pass through. If a
trunk interface rejects packets from VLAN 1, some protocol packets such as
BPDUs transmitted in VLAN 1 may be incorrectly discarded. To prevent such
faults, take measures to prevent potential risks when packets of VLAN 1 are
allowed to pass through.
– If a spanning tree protocol is used and a trunk interface on the switch rejects packets
from VLAN 1, run the stp bpdu vlan command to enable the switch to encapsulate
the specified VLAN ID in outgoing STP BPDUs so that the spanning tree protocol
runs properly.
– You are advised to remove interfaces from VLAN 1 in Eth-Trunk or ring
networking.
– When the switch connects to an access device, to prevent broadcast storms in
VLAN 1, do not configure the uplink interface of the access device to transparently
transmit packets from VLAN 1.
– When an interface is bound to a VLANIF interface for Layer 3 forwarding, remove
the interface from VLAN 1 to prevent Layer 2 loops in VLAN 1.
VLA l VLAN 1 that access interfaces join in untagged mode (port default
N vlan 1)
that l VLANs 1 to 4094 that trunk interfaces join in tagged mode (port
an trunk allow-pass vlan 1 to 4094)
interf
ace
joins
Damping time 0s
Context
Interface-based VLAN assignment is the simplest and most effective method. VLANs are
assigned based on interfaces. After an interface is added to a VLAN, the interface can forward
packets from the VLAN. Interface-based VLAN assignment allows hosts in the same VLAN
to communicate and prevents hosts in different VLANs from communicating, so broadcast
packets are limited in a VLAN.
Ethernet interfaces are classified into access, trunk, and hybrid interfaces according to the
objects connected to the Ethernet interfaces and number of VLANs from which untagged
frames are permitted (see Interface Types):
l Access interface
The switch processes only tagged frames and an access interface connected to devices
only receive and send untagged frames, so the access interface needs to add a VLAN tag
to received frames. That is, you must configure the default VLAN for the access
interface. After the default VLAN is configured, the access interface joins the VLAN.
An access interface needs to process only untagged frames. If a user connects a
switching device to a user-side interface without permission, the user-side interface may
receive tagged frames. You can configure the user-side interface to discard tagged
frames, preventing unauthorized access.
l Trunk interface
When a trunk interface connects to a device such as an AP or a voice terminal that can
receive and send tagged and untagged frames simultaneously, you need to configure the
default VLAN for the trunk interface so that the trunk interface can add the VLAN tag to
untagged frames.
l Hybrid interface
When a hybrid interface connects to an AP, a voice terminal, a hub, a host, or a server
that sends untagged frames to the switch, you need to configure the default VLAN for
the hybrid interface so that the hybrid interface can add the VLAN tag to untagged
frames.
Frames sent by a switch all carry VLAN tags. In some scenarios, VLAN tags need to be
removed from frames sent by a hybrid interface. For example, in VLAN stacking
scenarios, before packets from multiple VLANs on an ISP network enters a user
network, outer VLAN tags need to be removed from the packets. A trunk interface
allows untagged packets from only one VLAN, so the interface must be configured as
hybrid. For details about VLAN stacking, see 10 QinQ Configuration.
By default, the type of an interface is negotiation-auto.
Procedure
l Configuring the default VLAN for an access interface
a. Run:
system-view
A VLAN is created and the VLAN view is displayed, or the view of an existing
VLAN is displayed.
c. Run:
quit
The default VLAN is configured for the interface and the interface is added to the
specified VLAN.
g. (Optional) Run:
port discard tagged-packet
A VLAN is created and the VLAN view is displayed, or the view of an existing
VLAN is displayed.
c. Run:
quit
When the VLAN allowed by an interface is the default VLAN of the interface, packets from the
VLAN are forwarded in untagged mode.
l Configuring the default VLAN for a hybrid interface
a. Run:
system-view
A VLAN is created and the VLAN view is displayed, or the view of an existing
VLAN is displayed.
c. Run:
quit
Configuration Tips
Creating VLANs in a batch
To create multiple VLANs in a batch, run the vlan batch command in the system view.
For example:
l Create 10 contiguous VLANs: VLAN 11 to VLAN 20.
<HUAWEI> system-view
[HUAWEI] vlan batch 11 to 20
l Create 10 incontiguous VLANs in a batch: VLAN 10, VLANs 15 to 19, VLAN 25,
VLANs 28 to VLAN 30.
<HUAWEI> system-view
[HUAWEI] vlan batch 10 15 to 19 25 28 to 30
NOTE
You can create a maximum of 10 incontiguous VLANs or VLAN range at one time. If there are
more than 10 VLANs, run this command multiple times. For example, the vlan batch 10 15 to 19
25 28 to 30 command creates four incontiguous VLAN ranges.
# After a name is configured for a VLAN, you can directly enter the VLAN view using the
name.
[HUAWEI] vlan vlan-name huawei
[HUAWEI-vlan10] quit
Adding interfaces to a VLAN in a batch
To perform the same VLAN configuration for multiple Ethernet interfaces, use the port group,
which can reduce the workload. To add access interfaces to a VLAN in a batch, you can also
run the port interface-type { interface-number1 [ to interface-number2 ] }&<1-10> command
in the VLAN view. For details, see 4.11.2 How Do I Add Interfaces to a VLAN in a
Batch?.
Restoring the default VLAN configuration of an interface
If the VLAN planning of an interface is changed, you need to delete the original VLAN
configuration of the interface. If many incontiguous VLANs are configured on the interface,
you need to delete the original VLAN configuration multiple times. To reduce deletion
operations, restore the default VLAN configuration of the interface. For details, see 4.11.3
How Do I Restore the Default VLAN Configuration of an Interface?.
Changing the interface type
When the interface planning changes or the current interface type is different from the
configured one, the interface type needs to be changed. For details, see 4.11.4 How Do I
Change the Link Type of an Interface?.
Deleting a VLAN
If a VLAN is not in use, you are advised to delete it immediately to save VLAN resources and
reduce packets on a network. For details, see 4.11.6 How Do I Delete a Single VLAN or
VLANs in a Batch?.
Context
The switch supports the following link types on an Ethernet interface: access, hybrid, trunk,
and Dot1q tunnel. The four link types are applicable to different network positions and are
manually specified. If the network topology changes, link types of Ethernet interfaces also
need to be reconfigured and the configuration is complex. To simplify the configuration, LNP
supports auto-negotiation of the link types on Ethernet interfaces and allows Ethernet
interfaces to join VLANs after the auto-negotiation.
When Link-type Negotiation Protocol (LNP) is deployed, the VLAN Central Management
Protocol (VCMP) needs to be deployed so that VLANs can be created and deleted in a
centralized manner and user configurations are simplified. For details about VCMP, see 13
VCMP Configuration.
Procedure
Step 1 Run:
system-view
Step 2 Run:
undo lnp disable
By default, global LNP is enabled. That is, LNP is enabled on all interfaces.
Step 3 Run:
interface interface-type interface-number
The view of the Ethernet interface that needs to be enabled with LNP is displayed.
Step 4 Run:
undo port negotiation disable
NOTE
When performing this step, ensure that the interface is a Layer 2 interface. If the interface is not a Layer
2 interface, run the portswitch command to configure the interface as a Layer 2 interface.
When an LNP-capable device is used with an LNP-incapable device, the LNP-capable device
continuously sends LNP packets, which wastes bandwidth. You can run the port negotiation disable
command in the Layer 2 Ethernet interface view to disable LNP.
To ensure successful negotiation, ensure that LNP is enabled globally and in the interface view.
Step 5 Run:
port link-type { negotiation-desirable | negotiation-auto }
There are limitations on the interface where the LNP mode is set to negotiation-desirable or
negotiation-auto:
l The sub-interface cannot be created.
l The MUX VLAN cannot be enabled.
l The interface cannot be used as the source or destination interface in VLAN Switch.
l The voice VLAN in auto mode cannot be configured on the interface.
When the interface that connects to an AP or voice terminal receives untagged and
tagged frames, configure the default VLAN for the interface so that interface adds
the VLAN tag to untagged frames.
By default, the default VLAN of a trunk interface is VLAN 1.
l When an access interface is negotiated, perform the following operation.
Run:
port default vlan vlan-id
The default VLAN is configured for the access interface and the access interface is
added to a specified VLAN.
By default, the default VLAN of an access interface and the VLAN that an access
interface joins are both VLAN 1.
----End
Context
In MAC address-based VLAN assignment mode, when physical locations of users change,
you do not need to reconfigure VLANs for the users. This improves security and access
flexibility on a network.
The switch that has MAC address-based VLAN assignment enabled processes only untagged
frames, and treats tagged frames in the same manner as interface-based VLAN assignment.
When receiving an untagged frame, an interface matches the source MAC address of the
frame against the MAC-VLAN table.
l If an entry is matched, the interface forwards the frame based on the VLAN ID and
priority in the entry.
l If no entry is found, the interface matches the frame against other matching rules.
The switch supports 1024 MAC-VLAN entries. The total number of MAC-VLAN entries is
the number of configured MAC-VLAN entries multiplied by the number of interfaces where
MAC-VLAN entries are delivered.
The switch supports a maximum of 1024 MAC-VLAN entries and a maximum of 100 MAC-
VLAN entries with the mask. The total number of MAC-VLAN entries is the number of
configured MAC-VLAN entries multiplied by the number of interfaces where MAC-VLAN
entries are delivered.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been
created, the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in a batch, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in a batch, and then
run the vlan vlan-id command to enter the view of a specified VLAN.
NOTE
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
The vlan configuration command completes the VLAN configuration when the VLAN is not created.
Step 3 Run:
mac-vlan mac-address mac-address [ mac-address-mask | mac-address-mask-length ]
[ priority priority ]
NOTE
When the mac-vlan mac-address command with the same MAC address specified is executed multiple
times, MAC-VLAN entries take effect according to the longest match principle on X1E series cards, and
the MAC-VLAN entry with the 48-bit mask has the highest priority. On other cards, MAC-VLAN
entries take effect according to the longest match principle only when the mask has 47 bits or less than
47 bits, and the MAC-VLAN entry with the 48-bit mask has the lowest priority.
l The MAC address is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits,
such as 00e0 and fc01. If you enter less than four digits, 0s are padded before the input
digits. For example, if e0 is entered, 00e0 is displayed. The MAC address cannot be all
Fs, all 0s, or a multicast MAC address.
l If a MAC-VLAN entry with the mask specified (excluding the 48-bit mask or mask with
all Fs), run the undo mac-vlan mac-address command to delete the MAC-VLAN entry
and then run the mac-vlan mac-address command to change the priority.
l priority specifies the 802.1p priority of a MAC address-based VLAN. The value ranges
from 0 to 7. A larger value indicates a higher priority. The default value is 0. After the
802.1p priority of a MAC address-based VLAN is specified, the switch first forwards
high-priority frames in the case of congestion.
Step 4 Run:
quit
The view of the interface that allows the MAC address-based VLAN is displayed.
2. Run:
port link-type hybrid
Step 7 Run:
mac-vlan enable
NOTE
MAC address-based VLAN assignment cannot be used with the MUX VLAN and MAC address
authentication on the same interface.
MAC address-based VLAN assignment is invalid for packets with the VLAN ID of 0 only when the
mask of the MAC VLAN is specified. On the X1E-series cards, MAC address-based VLAN assignment
is invalid for packets with the VLAN ID of 0 regardless of whether the mask of the MAC VLAN is
specified.
----End
Context
Both IP subnet-based and protocol-based VLAN assignment are called network layer-based
VLAN assignment, which reduces manual VLAN configuration workload and allows users to
easily join a VLAN, transfer from one VLAN to another, and exit from a VLAN. IP subnet-
based VLAN assignment applies to scenarios where there are high requirements for mobility
and simplified management and low requirements for security, for example, scenario where a
PC configured with multiple IP addresses need to access servers on different network
segments and scenario where the switch adds PCs to other VLANs when the PCs' IP
addresses change.
The switch that has IP subnet-based VLAN assignment enabled processes only untagged
frames, and treats tagged frames in the same manner as interface-based VLAN assignment.
After receiving untagged frames from an interface, the switch determines the VLANs to
which the frames belong according to source IP addresses or network segments and transmits
the frames in specified VLANs.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been
created, the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in a batch, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in a batch, and then
run the vlan vlan-id command to enter the view of a specified VLAN.
NOTE
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
The vlan configuration command completes the VLAN configuration when the VLAN is not created.
Step 3 Run:
ip-subnet-vlan [ ip-subnet-index ] ip ip-address { mask | mask-length }
[ priority priority ]
Step 4 Run:
quit
NOTE
Step 7 Run:
ip-subnet-vlan enable
NOTE
IP subnet-based VLAN assignment is invalid for packets with the VLAN ID of 0 on the X1E card.
----End
Context
Both IP subnet-based and protocol-based VLAN assignment are called network layer-based
VLAN assignment, which reduces manual VLAN configuration workload and allows users to
easily join a VLAN, transfer from one VLAN to another, and exit from a VLAN. The switch
that has protocol-based VLAN assignment enabled processes only untagged frames, and treats
tagged frames in the same manner as interface-based VLAN assignment.
When receiving an untagged frame from an interface, the switch identifies the protocol profile
of the frame and then determines the VLAN that the frame belongs to.
l If protocol-based VLANs are configured on the interface and the protocol profile of the
frame matches a protocol-based VLAN, the switch adds the VLAN tag to the frame.
l If protocol-based VLANs are configured on the interface and the protocol profile of the
frame matches no protocol-based VLAN, the switch adds the PVID of the interface to
the frame.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been
created, the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in a batch, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in a batch, and then
run the vlan vlan-id command to enter the view of a specified VLAN.
NOTE
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
The vlan configuration command completes the VLAN configuration when the VLAN is not created.
Step 3 Run:
protocol-vlan [ protocol-index ] { at | ipv4 | ipv6 | ipx { ethernetii | llc |
raw | snap } | mode { ethernetii-etype etype-id1 | llc dsap dsap-id ssap ssap-id
| snap-etype etype-id2 } }
The view of the interface that allows the protocol-based VLAN is displayed.
2. Run:
port link-type hybrid
NOTE
Protocol-based VLAN assignment is invalid for packets with the VLAN ID of 0 on the X1E card.
----End
Context
Policy-based VLAN assignment implements plug-and-play of user terminals and provides
secure data isolation for terminal users.
The switch provides policy-based VLAN assignment based on MAC and IP addresses or
based on MAC and IP addresses and interfaces.
The switch that has policy-based VLAN assignment enabled processes only untagged frames,
and treat tagged frames in the same manner as VLANs configured based on ports.
When receiving an untagged frame, the switch determines the VLAN according to the policy
matching both MAC and IP addresses of the frame, and transmits the frame in the VLAN.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been
created, the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in a batch, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in a batch, and then
run the vlan vlan-id command to enter the view of a specified VLAN.
NOTE
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
The vlan configuration command completes the VLAN configuration when the VLAN is not created.
Step 3 Run:
policy-vlan mac-address mac-address ip ip-address [ interface interface-type
interface-number ] [ priority priority ]
Step 4 Run:
quit
The view of the interface that allows the policy-based VLAN is displayed.
2. Run:
port link-type hybrid
NOTE
----End
Procedure
l Run the display vlan command to check information about all VLANs or a specified
VLAN.
l Run the display lnp interface interface-type interface-number command to check the
auto-negotiation status of a specified Layer 2 interface, including the link type
negotiation result and auto-negotiation mode of the interface.
l Run the display lnp summary command to check the summary of auto-negotiation
information on all interfaces of the Layer 2 device, including the LNP-enabled Layer 2
Ethernet interface, link type negotiation mode and result of the interface, and link type
auto-negotiation mode of the interface.
l Run the display mac-vlan command to check the configuration of MAC address-based
VLAN assignment.
l Run the display ip-subnet-vlan vlan { all | vlan-id1 [ to vlan-id2 ] } command to check
the IP subnets associated with VLANs.
l Run the display protocol-vlan vlan { all | vlan-id1 [ to vlan-id2 ] } command to check
the protocols and indexes of the protocols associated with VLANs.
Context
A VLANIF interface is a Layer 3 logical interface and can implement inter-VLAN Layer 3
connectivity. It is simple to configure a VLANIF interface, so the VLANIF interface is the
most commonly used technology. Each VLAN corresponds to a VLANIF interface. After an
IP address is configured for a VLANIF interface, the VLANIF interface is used as the
gateway of the VLAN and forwards packets across network segments at Layer 3 based on IP
addresses.
Generally, a VLANIF interface requires only IP address. In some scenarios, you need to
configure multiple IP addresses for the VLANIF interface. For example, a switch connects to
a physical network through an interface, and hosts on this network belong to multiple network
segments (multiple PCs connect to the network through hubs or simplified Layer 2 switches,
or one PC uses dual network adapters to connect to the network). To enable the switch to
communicate with all hosts on the physical network, configure a primary IP address and
multiple secondary IP address for this interface.
If a VLAN goes Down because all interfaces in the VLAN go Down, the system immediately
reports the VLAN Down event to the corresponding VLANIF interface, instructing the
VLANIF interface to go Down. To avoid network flapping caused by the change of the
VLANIF interface status, enable VLAN damping on the VLANIF interface. After the last
interface in Up state in a VLAN goes Down, the device enabled with VLAN damping starts a
delay timer and informs the corresponding VLANIF interface of the VLAN Down event after
the timer expires. If an interface in the VLAN goes Up during the delay, the VLANIF
interface remains Up.
The Maximum Transmission Unit (MTU) determines the maximum number of bytes each
time a sender can send. If the size of packets exceeds the MTU supported by a receiver or a
transit node, the receiver or transit node fragments the packets or even discards them,
aggravating the network transmission load. To avoid this problem, set the MTU of the
VLANIF interface.
After configuring bandwidth for a VLANIF interface, you can use the NMS to query the
bandwidth. This facilitates traffic monitoring.
NOTE
Pre-configuration Tasks
Before configuring inter-VLAN communication, complete the following tasks:
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface vlanif vlan-id
A VLANIF interface goes Up only when at least one physical interface in the corresponding
VLAN is in Up state.
Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]
Each VLANIF interface can be configured with one primary IP address and multiple
secondary IP addresses. A maximum of 255 secondary IP addresses can be configured.
NOTE
An IP address of a VLANIF interface can be statically configured or dynamically obtained using DHCP.
For details about DHCP, see DHCP Configuration in S7700&S9700 Series Switches Configuration
Guide - IP Services.
The value ranges from 0 to 20, in seconds. By default, the delay is 0 seconds, indicating that
VLAN damping is disabled.
NOTE
l After using the mtu command to change the MTU of an interface, restart the interface to make the
new MTU take effect. To restart the interface, run the shutdown command and then the undo
shutdown command, or run the restart command in the interface view.
l The MTU plus the Layer 2 frame header of a VLANIF interface must be smaller than the maximum
frame length of the remote interface by the jumboframe command; otherwise, some frames may be
discarded.
l If the MTU is too small whereas the packet size is large, the packet may be split into many
fragments. Consequently, the device may discard the packet due to the insufficient QoS queue
length. To prevent this problem, run the qos queue length command to increase the QoS queue
length.
----End
Only the VLANIF interface in Up state can forward packets at Layer 3. When the VLANIF
interface goes Down, rectify the fault according to 4.10.2 A VLANIF Interface Goes Down.
Context
A traffic policy is configured by binding traffic classifiers to traffic behaviors. The
switchdevice classifies packets according to packet information, and associates a traffic
classifier with a traffic behavior to reject the packets matching the traffic classifier,
implementing intra-VLAN isolation.
The switch provides intra-VLAN Layer 2 isolation based on MQC and based on the
simplified ACL-based traffic policy.
Pre-configuration Tasks
Before configuring a traffic policy to implement intra-VLAN Layer 2 isolation, perform the
task of 4.7.1 Assigning VLANs.
Procedure
l Configure MQC to implement intra-VLAN Layer 2 isolation.
For details about how to configure MQC, see Configuring Packet Filtering in
S7700&S9700 Series Switches Configuration Guide - QoS.
l Configure a simplified ACL-based traffic policy to implement intra-VLAN Layer 2
isolation.
For details about how to configure a simplified ACL-based traffic policy, see
Configuring ACL-based Packet Filtering in S7700&S9700 Series Switches
Configuration Guide - QoS.
----End
Context
Inter-VLAN Layer 3 isolation is implemented using a traffic policy. A traffic policy is
configured by binding traffic classifiers to traffic behaviors. The switch classifies packets
according to IP addresses or other information in packets, and associates a traffic classifier
with a traffic behavior to reject the packets matching the traffic classifier, implementing inter-
VLAN Layer 3 isolation.
The switch provides inter-VLAN Layer 3 isolation based on MQC and based on the
simplified ACL-based traffic policy. You can select one of them according to your needs.
Pre-configuration Tasks
Before configuring a traffic policy to implement inter-VLAN Layer 3 isolation, perform the
task of 4.7.2 Configuring Inter-VLAN Communication.
Procedure
l Configure MQC to implement inter-VLAN Layer 3 isolation.
For details about how to configure MQC, see Configuring Packet Filtering in
S7700&S9700 Series Switches Configuration Guide - QoS.
l Configure a simplified ACL-based traffic policy to implement inter-VLAN Layer 3
isolation.
For details about how to configure a simplified ACL-based traffic policy, see
Configuring ACL-based Packet Filtering in S7700&S9700 Series Switches
Configuration Guide - QoS.
----End
Context
To use a remote network management system (NMS) to manage devices in a centralized
manner, configure a management IP address on the switch. You can then log in to the switch
in Telnet mode and manage the switch by using the management IP address. The management
IP address can be configured on a management interface or VLANIF interface. If a user-side
interface is added to the VLAN, users connected to the interface can also log in to the switch.
This brings security risks to the switch.
After a VLAN is configured as an mVLAN, no access interface or Dot1q tunnel interface can
be added to the VLAN. Access and Dot1q tunnel interfaces are often connected to users.
When these interfaces are prevented from joining the mVLAN, users connected to the
interfaces cannot log in to the device, improving device security.
You can only log in to the local device using the management interface, whereas you can log
in to both local and remote devices using a VLANIF interface of an mVLAN. When logging
in to the remote device using the VLANIF interface of an mVLAN, you need to configure
VLANIF interfaces on both local and remote devices and assign IP addresses on the same
network segment to them.
Pre-configuration Tasks
Before configuring an mVLAN, perform the task of 4.7.1 Assigning VLANs.
NOTE
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
----End
Follow-up Procedure
Log in to the switch to implement centralized management through the NMS. Select either of
the following login modes according to your needs:
l To manage local devices, log in to the local switch using Telnet, STelnet, HTTPS. For
details, see Configuring Telnet Login, Configuring STelnet Login, or Web System Login
Configuration in S7700&S9700 Series Switches Configuration Guide – Basic
Configurations.
l To manage remote devices, log in to the local device using Telnet or STelnet and log in
to remote devices using Telnet or STelnet from the local device.see (Optional) Using
Telnet to Log In to Another Device From the Local Device, or (Optional) Using STelnet
to Log In to Another Device From the Local Device in S7700&S9700 Series Switches
Configuration Guide – Basic Configurations.
The login IP address is the IP address of the VLANIF interface of an mVLAN.
Context
When the device used as the gateway or Layer 2 switches is enabled with snooping functions
such as DHCP/IGMP/MLD snooping, the device needs to parse and process protocol packets
such as ARP, DHCP, and IGMP packets. That is, protocol packets received by an interface are
sent to the CPU for processing. The interface sends protocol packets without differentiating
VLANs. If the preceding functions are deployed, protocol packets from all VLANs are sent to
the CPU for processing.
To address this issue, deploy transparent transmission of protocol packets in VLANs where
protocol packets do not need to be processed. This function enables the device to
transparently transmit the protocol packets in the VLANs to other devices, which improves
the forwarding speed and efficiency.
The switch can transparently transmit the following protocol packets: CFM/ARP/BFD/
DHCP/DHCPV6/HTTP/IGMP/MLD/ND/PIM/PIMv6/PPPoE/TACACS.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been
created, the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in a batch, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in a batch, and then
run the vlan vlan-id command to enter the view of a specified VLAN.
NOTE
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
The vlan configuration command completes the VLAN configuration when the VLAN is not created.
Step 3 Run:
protocol-transparent
NOTE
After transparent transmission of protocol packets is configured in a VLAN, the VLAN cannot be
configured as the multicast VLAN or control VLAN.
Before running this command, ensure that IGMP or MLD snooping has been disabled in the VLAN.
Otherwise, the configuration may fail.
----End
Context
You can enable traffic statistics collection in a VLAN and view traffic statistics about the
VLAN to monitor VLAN traffic.
Procedure
l Check VLAN traffic statistics.
a. (Optional) Run the vlan statistics interval command in the system view to set the
interval for VLAN traffic statistics collection.
b. Run the statistic enable command in the VLAN view to enable VLAN traffic
statistics collection.
c. Run the display vlan vlan-id statistics [ slot slot-id ] command in any view to
check traffic statistics about a specified VLAN.
l Check traffic statistics about a VLANIF interface.
a. Run the display interface vlanif [ vlan-id ] command in any view to check traffic
statistics about a VLANIF interface.
----End
Context
Before collecting traffic statistics in a given period of time on an interface, clear existing
statistics on the interface.
NOTICE
The cleared VLAN traffic statistics cannot be restored. Exercise caution when you use the
reset vlan command.
To clear VLAN traffic statistics, run the reset vlan statistics command in the user view.
Procedure
l Run the reset vlan vlan-id statistics [ slot slot-id ] command to clear traffic statistics
about a specified VLAN.
----End
Context
NOTICE
The cleared LNP packet statistics cannot be restored. Exercise caution when you run the reset
lnp statistics command.
Procedure
l Run the reset lnp statistics [ interface interface-type interface-number ] command in
the user view to clear LNP packet statistics.
----End
Context
Similar to IP ping, GMAC ping detects whether a fault occurs on an Ethernet link or monitors
the link quality. GMAC ping efficiently detects and locates Ethernet faults.
GMAC ping is applicable to networks where no MD, MA, or MEP is configured.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ping mac enable
GMAC ping is performed to check connectivity of the link between the local and remote
devices.
A MEP is not required to initiate GMAC ping. The destination node can be not a MEP or
MIP. You can perform GMAC ping without configuring the MD, MA, or MEP on the source
device, intermediate device, and destination device.
The two devices must be configured with IEEE 802.1ag of the same version. If the local
device is configured with IEEE 802.1ag Draft 7 and the remote device is configured with
IEEE Standard 802.1ag-2007, the ping mac command does not take effect. That is, the local
device cannot ping the remote device.
----End
Context
Similar to IP traceroute, GMAC ping detects whether a fault occurs on an Ethernet link or
monitors the link quality. GMAC trace efficiently detects and locates Ethernet faults.
GMAC trace is applicable to the network where no MD, MA, or MEP is configured.
Procedure
Step 1 Configure the devices on both ends of a link and the intermediate device.
Perform the following operations on the devices at both ends of the link to be tested and
intermediate device.
1. Run:
system-view
The device is configured to locate connectivity faults between the local and remote
devices.
A MEP is not required to initiate GMAC trace. The destination node can be not a MEP
or MIP. The destination node can be not a MEP or MIP. That is, GMAC trace can be
implemented without configuring the MD, MA, or MEP on the source device,
intermediate device, and destination device. All the intermediate devices can respond
with an LTR.
The two devices must be configured with IEEE 802.1ag of the same version. If the local
device is configured with IEEE 802.1ag Draft 7 and the remote device is configured with
IEEE Standard 802.1ag-2007, the trace mac command does not take effect. That is, the
connectivity fault cannot be located.
----End
GE1/0/3 GE1/0/3
SwitchA SwitchB
GE1/0/1 GE1/0/2 GE1/0/1 GE1/0/2
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces connecting to user terminals to VLANs to isolate
Layer 2 traffic between users who use different services.
2. Configure the type of link between SwitchA and SwitchB and VLANs to allow users
who use the same service to communicate.
Procedure
Step 1 Create VLAN 2 and VLAN 3 on SwitchA, and add interfaces connected to user terminals to
different VLANs. The configuration of SwitchB is similar to that of SwitchA, and is not
mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access
[SwitchA-GigabitEthernet1/0/1] port default vlan 2
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 3
[SwitchA-GigabitEthernet1/0/2] quit
Step 2 Configure the type of the interface connected to SwitchB on SwitchA and VLANs. The
configuration of SwitchB is similar to that of SwitchA, and is not mentioned here.
Add User1 and User2 to the same IP address segment, for example, 192.168.100.0/24; add
User3 and User4 to the same IP address segment, for example, 192.168.200.0/24.
Only User1's and User2's terminals can ping each other, and only User3's and User4's
terminals can ping each other.
----End
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
Network
Switch3
GE1/0/1 GE1/0/2
Switch1 Switch2
GE1/0/2 GE1/0/2
……
GE1/0/1 GE1/0/3 GE1/0/1 GE1/0/3
……
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable LNP in the system view and interface view to implement auto-negotiation.
Because PCs do not support LNP, so switch interfaces connected to terminals are used as
access interfaces and interfaces between switches are used as trunk interfaces through
negotiation.
2. Create VLANs and add interfaces to VLANs to implement Layer 2 connectivity.
Procedure
Step 1 Enable global LNP
By default, global LNP is enabled. If LNP is disabled, run the undo lnp disable command in
the system view to enable LNP.
Step 2 Create VLANs.
You can create VLANs on each switch, or create VLANs on Switch3 and use the VLAN
Central Management Protocol (VCMP) to synchronize created VLANs to other switches. The
following describes how to create VLANs. If VCMP is used, you need to configure Switch3
as the VCMP server and Switch1 and Switch2 as the VCMP clients. For details, see 13
VCMP Configuration.
# Create VLAN 10 and VLAN 20 on Switch3. The configurations of Switch1 and Switch2 are
similar to the configuration of Switch3, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname Switch3
[Switch3] vlan batch 10 20
Step 3 Enable LNP on interfaces, and add switch interfaces connected to PCs to a VLAN as access
interfaces and interfaces between switches to VLANs as trunk interfaces
NOTE
l If the interface is not a Layer 2 interface, you need to run the portswitch command to set the
interface to work in Layer 2 mode.
l By default, LNP is enabled. If LNP is disabled, run the undo port negotiation disable command to
enable LNP on the interface.
# Configure Switch3.
[Switch3] interface GigabitEthernet 1/0/1
[Switch3-GigabitEthernet1/0/1] port trunk allow-pass only-vlan 10 20
[Switch3-GigabitEthernet1/0/1] quit
[Switch3] interface GigabitEthernet 1/0/2
[Switch3-GigabitEthernet1/0/2] port trunk allow-pass only-vlan 10 20
[Switch3-GigabitEthernet1/0/2] quit
NOTE
The port trunk allow-pass only-vlan 10 20 command configures the interface to allow only VLAN 10
and VLAN 20.
Packets statistics
56 packets received
0 packets dropped
bad version: 0, bad TLV(s): 0, bad port link type: 0,
bad negotiation state: 0, other: 0
58 packets output
0 packets dropped
other: 0
Run the display lnp summary command to view auto-negotiation information on all
interfaces of the Layer 2 device.
[Switch1] display lnp summary
Global LNP : Negotiation enable
-------------------------------------------------------------------------------
C: Configured; N: Negotiated; *: Negotiation disable;
Port link-type(C) link-type(N) InDropped OutDropped FSM
-------------------------------------------------------------------------------
GE1/0/1 desirable access 0 0 access
GE1/0/2 desirable trunk 0 0 trunk
GE1/0/3 desirable access 0 0 access
----End
Configuration Files
l Switch1 configuration file
#
sysname Switch1
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
port default vlan 10
#
interface GigabitEthernet1/0/2
port trunk allow-pass only-vlan 10 20
#
interface GigabitEthernet1/0/3
port default vlan 20
#
return
Networking Requirements
On a company intranet, the network administrator adds the PCs in a department to the same
VLAN. To improve information security, only employees in this department are allowed to
access the intranet.
As shown in Figure 4-26, only PC1, PC2, and PC3 are allowed to access the intranet through
the switch.
You can assign VLANs based on MAC addresses and associate MAC addresses of PCs with
the specified VLAN.
Enterprise
network
GE1/0/1
Switch
GE1/0/2 GE1/0/4
GE1/0/3
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and determine which VLAN the PCs of employees belong to.
2. Add Ethernet interfaces to VLANs so that packets of the VLANs can pass through the
interfaces.
3. Associate MAC addresses of PC1, PC2, and PC3 with the specified VLAN so that the
VLAN of the packets can be determined based on the source MAC address.
Procedure
Step 1 Configure the Switch.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
# Add interfaces to the VLANs. The configuration of GE1/0/3 or GE1/0/4 is similar to that of
GE1/0/2, and is not mentioned here.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid untagged vlan 10
[Switch-GigabitEthernet1/0/2] quit
# Associate MAC addresses of PC1, PC2, and PC3 with VLAN 10.
[Switch] vlan 10
[Switch-vlan10] mac-vlan mac-address 22-22-22
[Switch-vlan10] mac-vlan mac-address 33-33-33
[Switch-vlan10] mac-vlan mac-address 44-44-44
[Switch-vlan10] quit
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
vlan 10
mac-vlan mac-address 0022-0022-0022 priority 0
mac-vlan mac-address 0033-0033-0033 priority 0
mac-vlan mac-address 0044-0044-0044 priority 0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid untagged vlan 10
mac-vlan enable
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid untagged vlan 10
mac-vlan enable
#
interface GigabitEthernet1/0/4
port link-type hybrid
port hybrid untagged vlan 10
mac-vlan enable
#
return
Networking Requirements
On an enterprise network, the network administrator assigns different VLANs to different
departments. PCs of each department connect to the enterprise network through a Layer 2
switch. To improve information security, the enterprise allows only employees in the same
department to communicate with each other.
As shown in Figure 4-27, PC1 and PC2 belong to the same department, and access the
enterprise network and communicate with each other through VLAN 10. PC3 and PC4 belong
to the other department, and access the enterprise network and communicate with each other
through VLAN 20. Employees in the two departments are not allowed to communicate with
each other even if their PCs are moved to the same area.
Enterprise
network
GE1/0/2
Switch1
GE1/0/1
Layer 2
switch
VLAN 10 VLAN 20
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and determine the VLANs to which the PCs belong.
2. Associate PCs' MAC addresses with VLANs so that VLANs are assigned based on
source MAC addresses in packets.
3. Add interfaces to VLANs to implement Layer 2 forwarding.
Procedure
Step 1 Configure Switch1.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan batch 10 20
# Associate MAC addresses of PC1 and PC2 with VLAN 10 and MAC addresses of PC3 and
PC4 with VLAN 20.
[Switch1] vlan 10
[Switch1-vlan10] mac-vlan mac-address 11-11-11
[Switch1-vlan10] mac-vlan mac-address 22-22-22
[Switch1-vlan10] quit
[Switch1] vlan 20
[Switch1-vlan20] mac-vlan mac-address 33-33-33
[Switch1-vlan20] mac-vlan mac-address 44-44-44
[Switch1-vlan20] quit
# Configure GE1/0/1 connected to the Layer 2 switch as a hybrid interface and add it to the
VLANs associated with MAC addresses in untagged mode.
[Switch1] interface gigabitethernet 1/0/1
[Switch1-GigabitEthernet1/0/1] port link-type hybrid
[Switch1-GigabitEthernet1/0/1] port hybrid untagged vlan 10 20
[Switch1-GigabitEthernet1/0/1] quit
----End
Configuration Files
Switch1 configuration file
#
sysname Switch1
#
vlan batch 10 20
#
vlan 10
mac-vlan mac-address 0011-0011-0011 priority 0
mac-vlan mac-address 0022-0022-0022 priority 0
vlan 20
mac-vlan mac-address 0033-0033-0033 priority 0
mac-vlan mac-address 0044-0044-0044 priority 0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 10 20
mac-vlan enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 20
#
return
Router
GE1/0/1
GE1/0/2
Switch
GE1/0/1
Simplified Layer 2
switch
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces to VLANs so that the interfaces allow the IP subnet-
based VLANs.
2. Enable IP subnet-based VLAN assignment and associate IP subnets with VLANs so that
the Switch determines VLANs according to IP addresses or network segments of
packets.
NOTE
You do not need to perform any configuration on a simplified Layer 2 switch. To enable the router to
transmit packets with different VLAN IDs to different servers, perform the following operations:
l Add the router interface connected to the Switch to all service VLANs in tagged mode.
l Add each interface of each service network to a service VLAN and configure a VLANIF interface.
For details, see the router configuration guide.
Procedure
Step 1 Create VLANs.
# Create VLAN 100, VLAN 200, and VLAN 300 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200 300
# On the Switch, configure GE1/0/1 as the hybrid interface, add GE1/0/1 to VLAN 100,
VLAN 200, and VLAN 300 in untagged mode, and enable IP subnet-based VLAN
assignment.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 100 200 300
[Switch-GigabitEthernet1/0/1] ip-subnet-vlan enable
[Switch-GigabitEthernet1/0/1] quit
# On the Switch, configure GE1/0/2 as the trunk interface, add GE1/0/2 to VLAN 100, VLAN
200, and VLAN 300 in tagged mode,
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200 300
[Switch-GigabitEthernet1/0/2] quit
# On the Switch, associate IP subnet 192.168.1.2/24 with VLAN 100 and set the 802.1p
priority of VLAN 100 to 2.
[Switch] vlan 100
[Switch-vlan100] ip-subnet-vlan 1 ip 192.168.1.2 24 priority 2
[Switch-vlan100] quit
# On the Switch, associate IP subnet 192.168.2.2/24 with VLAN 200 and set the 802.1p
priority of VLAN 200 to 3.
[Switch] vlan 200
[Switch-vlan200] ip-subnet-vlan 1 ip 192.168.2.2 24 priority 3
[Switch-vlan200] quit
# On the Switch, associate IP subnet 192.168.3.2/24 with VLAN 300 and set the 802.1p
priority of VLAN 300 to 4.
[Switch] vlan 300
[Switch-vlan300] ip-subnet-vlan 1 ip 192.168.3.2 24 priority 4
[Switch-vlan300] quit
Run the display ip-subnet-vlan vlan all command on the Switch. The following information
is displayed:
[Switch] display ip-subnet-vlan vlan all
----------------------------------------------------------------
Vlan Index IpAddress SubnetMask Priority
----------------------------------------------------------------
100 1 192.168.1.2 255.255.255.0 2
200 1 192.168.2.2 255.255.255.0 3
300 1 192.168.3.2 255.255.255.0 4
----------------------------------------------------------------
ip-subnet-vlan count: 3 total count: 3
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100 200 300
#
vlan 100
ip-subnet-vlan 1 ip 192.168.1.2 255.255.255.0 priority 2
vlan 200
ip-subnet-vlan 1 ip 192.168.2.2 255.255.255.0 priority 3
vlan 300
ip-subnet-vlan 1 ip 192.168.3.2 255.255.255.0 priority 4
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 100 200 300
ip-subnet-vlan enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 200 300
#
return
Voice
Network Internet
RouterA RouterB
GE1/0/2 GE1/0/3
Switch
GE1/0/1
GE1/0/1
Switch1
GE1/0/2 GE1/0/3
IPv4 IPv6
VLAN 10 VLAN 20
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and determine which VLAN each service belongs to.
2. Associate protocols with VLANs so that the VLANs that received packets belong to can
be assigned based on protocols.
3. Add interfaces to VLANs so that packets of the protocol-based VLANs can pass through
the interfaces.
4. Associate interfaces with VLANs.
After the Switch receives a frame of a specified protocol, it assigns the VLAN ID
associated with the protocol to the frame.
Procedure
Step 1 Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan batch 10 20
[Switch1] vlan 10
[Switch1-vlan10] protocol-vlan ipv4
[Switch1-vlan10] quit
# Associate GE1/0/2 with VLAN 10 and set the 802.1p priority of VLAN 10 to 5 on Switch1.
[Switch1] interface gigabitethernet 1/0/2
[Switch1-GigabitEthernet1/0/2] protocol-vlan vlan 10 all priority 5
[Switch1-GigabitEthernet1/0/2] quit
# Associate GE1/0/3 with VLAN 20 and set the 802.1p priority of VLAN 20 to 6 on Switch1.
[Switch1] interface gigabitethernet 1/0/3
[Switch1-GigabitEthernet1/0/3] protocol-vlan vlan 20 all priority 6
[Switch1-GigabitEthernet1/0/3] quit
----End
Configuration Files
l Switch1 configuration file
#
sysname Switch1
#
vlan batch 10 20
#
vlan 10
protocol-vlan 0 ipv4
vlan 20
protocol-vlan 0 ipv6
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid untagged vlan 10
protocol-vlan vlan 10 0 priority 5
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid untagged vlan 20
protocol-vlan vlan 20 0 priority 6
#
return
GE1/0/1 GE1/0/2
VLANIF10 VLANIF20
10.10.10.2/24 10.10.20.2/24
VLAN 10 VLAN 20
User1 User2
10.10.10.3/24 10.10.20.3/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and determine VLANs that users belong to.
2. Add interfaces to VLANs and configure the interfaces to allow the VLANs.
3. Create VLANIF interfaces and configure IP addresses for the VLANIF interfaces to
implement Layer 3 connectivity.
NOTE
To implement inter-VLAN communication, hosts in each VLAN must use the IP address of the
corresponding VLANIF interface as the gateway address.
Procedure
Step 1 Configure the switch.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface Vlanif20
ip address 10.10.20.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return
Switch_1 Switch_2
GE1/0/2 GE1/0/2
OSPF
GE1/0/1 GE1/0/1
GE1/0/1
GE1/0/1
VLAN10 VLAN10
Configuration Roadmap
The configuration roadmap is as follows:
1. Add interfaces to VLANs and configure the interfaces to allow the VLANs.
2. Configure IP addresses for VLANIF interfaces to implement Layer 3 connectivity.
3. Configure basic OSPF functions to implement interworking.
Procedure
Step 1 Configure Switch_1.
On the PC of the Layer 2 network connected to Switch_2, set the default gateway address to
the IP address of VLANIF10, that is, 10.10.20.1/24.
After the configuration is complete, PCs on the two Layer 2 networks are isolated at Layer 2
and interwork at Layer 3.
----End
Configuration Files
l Switch_1 configuration file
#
sysname Switch_1
#
router id 1.1.1.1
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface Vlanif30
ip address 10.10.30.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
ospf 1
area 0.0.0.0
network 10.10.10.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return
Networking Requirements
On the enterprise network shown in Figure 4-32, hosts in the same VLAN belong to network
segments of 10.1.1.1/24 and 10.1.2.1/24. Hosts on the two network segments are required to
access the Internet through the Switch and communicate.
Internet
Router 10.10.10.2/24
VLANIF10
GE1/0/3 Primary IP: 10.1.1.1/24
Secondary IP: 10.1.2.1/24
Switch VLANIF20
10.10.10.1/24
GE1/0/1 GE1/0/2
VLAN10
Host1 Host2
10.1.1.2/24 10.1.2.2/24
Configuration Roadmap
If only one IP address is configured for the VLANIF interface on the Switch, only hosts on
one network segment can access the Internet through the Switch. To enable all hosts on the
LAN can access the Internet through the Switch, configure a secondary IP address for the
VLANIF interface. To enable hosts on the two network segments to communicate, the hosts
on the two network segments need to use the primary and secondary IP addresses of the
VLANIF interface as default gateway addresses.
The configuration roadmap is as follows:
1. Create VLANs and add interfaces to the VLANs.
2. Configure VLANIF interfaces and assign IP addresses to them so that hosts on the two
network segments can communicate.
3. Configure a routing protocol so that hosts can access the Internet through the Switch.
Procedure
Step 1 Create VLANs and add interfaces to the VLANs.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 10
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type trunk
[Switch-GigabitEthernet1/0/3] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/3] quit
NOTE
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
ip address 10.1.2.1 255.255.255.0 sub
#
interface Vlanif20
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.10.10.0 0.0.0.255
#
return
Networking Requirements
As shown in Figure 4-33, to ensure communication security, a company assigns visitors,
employees, and servers to VLAN 10, VLAN 20, and VLAN 30 respectively. The
requirements are as follows:
l Employees, visitors, and servers can access the Internet.
l Visitors can access only the Internet, and cannot communicate with employees in any
other VLANs.
l Employee A can access all resources in the server area, and other employees can access
port 21 (FTP service) of server A.
Internet
Router
VLANIF 100
GE1/0/4 10.1.100.1/24
GE1/0/1 GE1/0/3
Switch_4 GE1/0/2
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces to the VLANs to implement Layer 2 isolation of
visitors, employees, and servers.
2. Configure VLANIF interfaces and assign IP addresses to them to implement Layer 3
connectivity between employees, servers, and visitors.
3. Configure a routing protocol so that visitors, employees, and servers can access the
Internet through the Switch.
4. Configure and apply a traffic policy so that employee A can access all resources in the
server area, other employees can access only port 21 (FTP service) of server A,
employees can access only servers, and visitors can access only the Internet.
Procedure
Step 1 Create VLANs and add interfaces to the VLANs to implement Layer 2 isolation of visitors,
employees, and servers.
# Create VLAN 10 on Switch_1, add GE1/0/1 to VLAN 10 in untagged mode and GE1/0/2 to
VLAN 10 in tagged mode. The configurations of Switch_2 and Switch_3 are similar to the
configuration of Switch_1, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
# Create VLAN 10, VLAN 20, VLAN 30, and VLAN 100 on Switch_4, and add GE1/0/1-
GE1/0/4 to VLAN 10, VLAN 20, VLAN 30, and VLAN 100 in tagged mode.
<HUAWEI> system-view
[HUAWEI] sysname Switch_4
[Switch_4] vlan batch 10 20 30 100
[Switch_4] interface gigabitethernet 1/0/1
[Switch_4-GigabitEthernet1/0/1] port link-type trunk
[Switch_4-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch_4-GigabitEthernet1/0/1] quit
[Switch_4] interface gigabitethernet 1/0/2
[Switch_4-GigabitEthernet1/0/2] port link-type trunk
[Switch_4-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch_4-GigabitEthernet1/0/2] quit
[Switch_4] interface gigabitethernet 1/0/3
[Switch_4-GigabitEthernet1/0/3] port link-type trunk
[Switch_4-GigabitEthernet1/0/3] port trunk allow-pass vlan 30
[Switch_4-GigabitEthernet1/0/3] quit
[Switch_4] interface gigabitethernet 1/0/4
[Switch_4-GigabitEthernet1/0/4] port link-type trunk
[Switch_4-GigabitEthernet1/0/4] port trunk allow-pass vlan 100
[Switch_4-GigabitEthernet1/0/4] quit
Step 2 Configure VLANIF interfaces and assign IP addresses to them to implement Layer 3
connectivity between employees, servers, and visitors.
# On Switch_4, Create VLAN 10, VLAN 20, VLAN 30, and VLAN 100 and assign IP
addresses of 10.1.1.1/24, 10.1.2.1/24, 10.1.3.1/24, and 10.1.100.1/24 to them respectively.
[Switch_4] interface vlanif 10
[Switch_4-Vlanif10] ip address 10.1.1.1 24
[Switch_4-Vlanif10] quit
[Switch_4] interface vlanif 20
[Switch_4-Vlanif20] ip address 10.1.2.1 24
[Switch_4-Vlanif20] quit
[Switch_4] interface vlanif 30
[Switch_4-Vlanif30] ip address 10.1.3.1 24
[Switch_4-Vlanif30] quit
[Switch_4] interface vlanif 100
[Switch_4-Vlanif100] ip address 10.1.100.1 24
[Switch_4-Vlanif100] quit
Step 3 Configure a routing protocol so that visitors, employees, and servers can access the Internet
through the Switch.
# Configure basic OSPF functions on Switch_4 and configure OSPF to advertise network
segments of hosts and the network segment between Switch_4 and the router.
[Switch_4] ospf
[Switch_4-ospf-1] area 0
[Switch_4-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[Switch_4-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[Switch_4-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[Switch_4-ospf-1-area-0.0.0.0] network 10.1.100.0 0.0.0.255
[Switch_4-ospf-1-area-0.0.0.0] quit
[Switch_4-ospf-1] quit
NOTE
Step 4 Configure and apply a traffic policy to control access of employees, visitors, and servers.
1. Configure ACLs to define flows.
# Configure ACL 3000 on Switch_4 to prevent visitors from accessing employees' PCs
and servers.
[Switch_4] acl 3000
[Switch_4-acl-adv-3000] rule deny ip destination 10.1.2.1 0.0.0.255
[Switch_4-acl-adv-3000] rule deny ip destination 10.1.3.1 0.0.0.255
[Switch_4-acl-adv-3000] quit
# Configure ACL 3001 on Switch_4 so that employee A can access all resources in the
server area and other employees can access only port 21 of server A.
[Switch_4] acl 3001
[Switch_4-acl-adv-3001] rule permit tcp destination 10.1.3.2 0 destination-
port eq 21
[Switch_4-acl-adv-3001] rule permit ip source 10.1.2.2 0 destination 10.1.3.1
0.0.0.255
[Switch_4-acl-adv-3001] rule deny ip destination 10.1.3.1 0.0.0.255
[Switch_4-acl-adv-3001] quit
4. Configure traffic policies and associate traffic classifiers with the traffic behavior in the
traffic policies.
# Create traffic policies p_custom, and p_staff on Switch_4, and associate traffic
classifiers c_custom, and c_staff with traffic behavior b1.
[Switch_4] traffic policy p_custom
[Switch_4-trafficpolicy-p_custom] classifier c_custom behavior b1
[Switch_4-trafficpolicy-p_custom] quit
[Switch_4] traffic policy p_staff
[Switch_4-trafficpolicy-p_staff] classifier c_staff behavior b1
[Switch_4-trafficpolicy-p_staff] quit
5. Apply the traffic policies to control access of employees, visitors, and servers.
# On Switch_4, apply traffic policies p_custom, and p_staff in the inbound direction of
VLAN 10, and VLAN 20 respectively.
[Switch_4] vlan 10
[Switch_4-vlan10] traffic-policy p_custom inbound
[Switch_4-vlan10] quit
[Switch_4] vlan 20
[Switch_4-vlan20] traffic-policy p_staff inbound
[Switch_4-vlan20] quit
----End
Configuration Files
l Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
Networking Requirements
As shown in Figure 4-34, users need to securely log in to the Switch for remote management.
There is no idle management interface on the Switch.
10.1.1.1/24 10.10.10.2/24
IP GE1/0/1
network
PC Switch
Configuration Roadmap
A management interface or VLANIF interface of an mVLAN can be used to log in to the
device for remote management. The device has no idle management interface, so the mVLAN
is used. STelnet is used to ensure login security. The configuration roadmap is as follows:
l The user PC needs to be configured with the software for logging in to the SSH server, key pair
generation software, and public key conversion software.
l To ensure device security, change the password periodically.
Procedure
Step 1 Configure an mVLAN and add an interface to the mVLAN.
# Create VLAN 10 on the Switch and specify VLAN 10 as the mVLAN, and add GE1/0/1 to
VLAN 10 in tagged mode.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] management-vlan
[Switch-vlan10] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
Step 2 Configure a VLANIF interface and assign an IP address to the VLANIF interface.
# Create VLANIF 10 on the Switch and configure the IP address of 10.10.10.2/24 for it.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.10.10.2 24
[Switch-Vlanif10] quit
# Create an SSH user named client001 on the Switch and configure password
authentication.
[Switch] aaa
[Switch-aaa] local-user client001 password irreversible-cipher Huawei@123
[Switch-aaa] local-user client001 privilege level 3
[Switch-aaa] local-user client001 service-type ssh
[Switch-aaa] quit
[Switch] ssh user client001 authentication-type password
NOTE
The PC connects to the switch through the intermediate device. The intermediate device needs to
transparently transmit packets from mVLAN 10 and has a route from 10.1.1.1/24 to 10.10.10.2/24.
After the configuration is complete, the user can log in to the Switch from the PC using
password authentication.
# Run the Putty software on the user PC. The dialog box shown in Figure 4-35 is displayed.
Enter 10.10.10.2 (IP address of the Switch) and select SSH.
# Click Open. On the page that is displayed on the Switch, enter the user name and password,
and press Enter.
login as: client001
SSH server: User Authentication
Using keyboard-interactive authentication.
Password:
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
The current login time is 2014-02-25 05:45:41+00:00.
<Switch>
The user can successfully log in to the Switch for remote management.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
vlan 10
management-vlan
#
aaa
local-user client001 password irreversible-cipher %^%#EqZEVTq=/
@T2XM0q0W{Ec[Fs2@&4YII@-=(lbr[K>4Dq76]3#BgqMOAxu^%$%^%#
local-user client001 privilege level 3
local-user client001 service-type ssh
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
#
user-interface vty 0 14
authentication-mode aaa
#
return
Parent Company
Pac
ket
GE1/0/2
s
of V
Switch
LAN
GE1/0/1 GE1/0/3
20
VLAN 10 VLAN 20
SwitchA SwitchB
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs.
2. Enable transparent transmission of protocol packets in a VLAN.
3. Add Ethernet interfaces to VLANs.
Procedure
Step 1 Configure the Switch.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
Step 2 Configure SwitchA and SwitchB. Add upstream interfaces on SwitchA and SwitchB to
VLAN 10 and VLAN 20 in tagged mode, and add downstream interfaces to VLAN 10 and
VLAN 20 in default mode. The configuration details are not mentioned here.
# After the configuration is complete, run the display this command in the view of VLAN 20.
The command output shows that transparent transmission of protocol packets in a VLAN is
enabled.
[Switch] vlan 20
[Switch-vlan20] display this
#
vlan 20
protocol-transparent
#
return
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
vlan 20
protocol-transparent
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 10 20
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 20
#
return
Fault Symptom
When a user attempts to create a VLANIF interface, the system displays an error message. As
a result, the VLANIF interface fails to be created.
Procedure
Step 1 Check the error message during VLANIF interface creation.
Rectify the fault according to the error message. See Table 4-9.
Error: Can not create this The number of created Run the undo interface
interface because the interface VLANIF interfaces on the vlanif vlan-id command
number of this type has reached device has reached the to delete unnecessary
its maximum. limit. VLANIF interfaces, and
Run the display interface then create a specified
brief command to check VLANIF interface.
the number of VLANIF
interfaces, and check
whether the number of
VLANIF interfaces has
reached the limit in Table
4-7.
Step 2 If the fault persists, collect alarms and logs and contact Huawei technical support personnel.
----End
Fault Symptom
A VLANIF interface goes Down.
The VLAN corresponding to the VLANIF Run the vlan vlan-id command to create a
interface is not created. VLAN corresponding to the VLANIF
interface.
The interface is not added to the VLAN. Run the following commands as required.
NOTE l Run the port default vlan vlan-id [ step
l The port trunk pvid vlan vlan-id command step-number [ increased | decreased ] ]
only configures the PVID on a trunk command in the interface view to add an
interface, but does not add a trunk interface access interface to a VLAN.
to a VLAN.
l Run the port trunk allow-pass vlan
l The port hybrid pvid vlan vlan-id command
only configures the PVID on a hybrid { { vlan-id1 [ to vlan-id2 ] }&<1-10> |
interface, but does not add a hybrid interface all } command in the interface view to
to a VLAN. add a trunk interface to a VLAN.
l You can add a hybrid interface to a
VLAN in tagged or untagged mode.
– Run the port hybrid tagged vlan
{ { vlan-id1 [ to vlan-id2 ] }&<1-10>
| all } command to add a hybrid
interface to a VLAN in tagged mode.
– Run the port hybrid untagged vlan
{ { vlan-id1 [ to vlan-id2 ] }&<1-10>
| all } command to add a hybrid
interface to a VLAN in untagged
mode.
The physical status of all interfaces added to Rectify this fault. A VLANIF interface goes
the VLAN is Down. Up as long as one interface in the VLAN is
Up.
The VLANIF interface is shut down. Run the undo shutdown command in the
VLANIF interface view to start the
VLANIF interface.
Fault Symptom
Users in a VLAN cannot communicate.
Procedure
Step 1 Check that the interfaces connected to user terminals are in Up state.
Run the display interface interface-type interface-number command in any view to check the
status of the interfaces.
l If the interface is Down, rectify the interface fault.
l If the interface is Up, go to Step 2.
Step 2 Check whether the IP addresses of user terminals are on the same network segment. If they
are on different network segments, change the IP addresses of the user terminals to be on the
same network segment. If the fault persists, go to Step 3.
Step 3 Check that the MAC address entry is correct.
Run the display mac-address command on the Switch to check whether MAC addresses,
interfaces, and VLANs in the learned MAC address entries are correct. If the learned MAC
address entries are incorrect, run the undo mac-address mac-address vlan vlan-id command
in the system view to delete MAC address entries so that the Switch can learn MAC address
entries again.
After the MAC address table is updated, check the MAC address entries again.
l If the MAC address entries are incorrect, go to Step 4.
l If the MAC address entries are correct, go to Step 5.
Step 4 Check that the VLAN is properly configured.
Check the VLAN configuration according to the following table.
Whether the Run the display vlan vlan-id command in any view to check whether
VLAN has been the VLAN has been created. If not, run the vlan command in the
created system view to create the VLAN.
Whether the Run the display vlan vlan-id command in any view to check whether
interfaces are the VLAN contains the interfaces. If not, add the interfaces to the
added to the VLAN.
VLAN NOTE
If the interfaces are located on different switches, add the interfaces
connecting the switches to the VLAN.
The default type of an interface is Negotiation. You can run the port link-type
command to change the link type of an interface.
l Add an access interface to the VLAN by using either of the
following methods:
– Run the port default vlan command in the interface view.
– Run the port command in the VLAN view.
l Add a trunk interface to the VLAN.
Run the port trunk allow-pass vlan command in the interface
view.
l Add a hybrid interface to the VLAN by using either of the
following methods:
– Run the port hybrid tagged vlan command in the interface
view.
– Run the port hybrid untagged vlan command in the interface
view.
After the preceding operations, if the MAC address entries are correct, go to Step 5.
Step 5 Check whether port isolation is configured.
Run the interface interface-type interface-number command in the system view to enter the
interface view, and then run the display this command to check whether port isolation is
configured on the interface.
l If port isolation is not configured, go to Step 6.
l If port isolation is configured, run the undo port-isolate enable command on the
interface to disable port isolation. If the fault persists, go to Step 6.
Step 6 Check whether correct static Address Resolution Protocol (ARP) entries are configured on the
user terminals. If the static ARP entries are incorrect, modify them. Otherwise, go to Step 7.
Step 7 Collect logs and alarms and contact Huawei technical support personnel.
----End
Fault Symptom
As shown in Figure 4-37, the IP address of VLANIF 10 on Switch_2 cannot be pinged from
Switch_1. Similarly, the IP address of VLANIF 10 on Switch_1 cannot be pinged from
Switch_2.
Procedure
Step 1 Check whether the VLANIF interface is Up.
Run the display interface vlanif vlan-id command on Switch_1 and Switch_2 and check the
current state and Line protocol current state fields.
l If the value of any one of the two fields is DOWN, the VLANIF interface is Down.
Rectify this fault according to 4.10.2 A VLANIF Interface Goes Down.
l If the values of the two fields are UP, the VLANIF interface is Up. Go to Step 2.
Step 2 Check whether the connected Ethernet interfaces between switches join a VLAN.
Run the display vlan vlan-id command on Switch_1 and Switch_2 and check the Ports field.
Check whether the connected Ethernet interfaces exist in the VLAN.
l If the connected Ethernet interfaces do not exist in the VLAN, add the connected
Ethernet interfaces to the VLAN.
l If the connected Ethernet interfaces exist in the VLAN and at least one of them joins the
VLAN in untagged mode (UT displayed before the interface), change the untagged mode
to tagged mode.
l If the connected Ethernet interfaces exist in the VLAN but the interfaces go Down (D
displayed after the interface), rectify the fault according to An Ethernet Interface Is
Physically Down.
l If none of the preceding configurations exists, go to Step 3.
Step 3 Check whether the PVID values on the connected Ethernet interface between switches are the
same.
Run the display port vlan interface-type interface-number command on Switch_1 and
Switch_2 to check the PVID values.
l If the PVID values are different, change them to be the same.
l If the PVID values are the same, go to Step 4.
Step 4 Collect logs and alarms and contact Huawei technical support personnel.
----End
4.11 FAQ
l Create 10 incontiguous VLANs in a batch: VLAN 10, VLANs 15 to 19, VLAN 25,
VLANs 28 to VLAN 30.
<HUAWEI> system-view
[HUAWEI] vlan batch 10 15 to 19 25 28 to 30
NOTE
You can create a maximum of 10 incontiguous VLANs or VLAN range at one time. If there are
more than 10 VLANs, run this command multiple times. For example, the vlan batch 10 15 to 19
25 28 to 30 command creates four incontiguous VLAN ranges.
NOTE
l Hybrid interface
# Add GE1/0/1-GE1/0/5 to VLAN 10 and VLAN 20 in a batch.
<HUAWEI> system-view
[HUAWEI] port-group pg1
The link type of an interface can be access, trunk, hybrid, or Dot1q-tunnel. The methods used
to change the link type of an interface in different versions are different.
l In V200R005 and later versions, run the port link-type { access | trunk | hybrid |
dot1q-tunnel } command and enter y or n as prompted. When the interface uses the
default VLAN configuration, the system does not display any message. The link type of
the interface is changed directly.
– When you enter y and press Enter, the device automatically deletes the non-default
VLAN configuration of the interface and sets the link type of the interface to the
specified one.
– When you enter n and press Enter, the device retains the current link type and
VLAN configuration of the interface.
Change the link type of the interface to hybrid.
<HUAWEI> system-view
[HUAWEI] interface GigabitEthernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type hybrid
Warning: This command will delete VLANs on this port. Continue?[Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment...done.
l In earlier versions of V200R005, an interface joins VLAN 1 by default, and the PVID of
an interface is VLAN 1. You can run the port link-type { access | trunk | hybrid |
dot1q-tunnel } command to change the link type of the interface.
– Change the link type of the interface to access.
<HUAWEI> system-view
[HUAWEI] interface GigabitEthernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] port link-type access
[HUAWEI-GigabitEthernet1/0/1] port default vlan 10
When you change the link type of an interface that does not use the default VLAN
configuration, the system displays the message "Error: Please renew the default
configurations."
You need to restore the default configuration of the interface, and then change the link
type of the interface.
– Restore the default VLAN configuration of an access or Dot1q-tunnel interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo port default vlan
Ethernet3/0/4 hybrid 1 -
Ethernet3/0/5 hybrid 1 -
Ethernet3/0/6 hybrid 1 -
Ethernet3/0/7 hybrid 1 -
Ethernet3/0/8 hybrid 1 -
Ethernet3/0/9 hybrid 1 -
Ethernet3/0/10 hybrid 1 -
Ethernet3/0/11 hybrid 1 -
Ethernet3/0/12 hybrid 1 -
Ethernet3/0/13 hybrid 1 -
Ethernet3/0/14 hybrid 1 -
Ethernet3/0/15 hybrid 1 -
Ethernet3/0/16 hybrid 1 -
Ethernet3/0/17 hybrid 1 -
Ethernet3/0/18 hybrid 1 -
Ethernet3/0/19 hybrid 1 -
Ethernet3/0/20 hybrid 1 -
Ethernet3/0/21 hybrid 1 -
Ethernet3/0/22 hybrid 1 -
Ethernet3/0/23 hybrid 1 -
Ethernet3/0/24 hybrid 1 -
Ethernet3/0/25 hybrid 1 -
Ethernet3/0/26 hybrid 1 -
Ethernet3/0/27 hybrid 1 -
Ethernet3/0/28 hybrid 1 -
Ethernet3/0/29 hybrid 1 -
Ethernet3/0/30 hybrid 1 -
Ethernet3/0/31 hybrid 1 -
Ethernet3/0/32 hybrid 1 -
Ethernet3/0/33 hybrid 1 -
Ethernet3/0/34 hybrid 1 -
Ethernet3/0/35 hybrid 1 -
Ethernet3/0/36 hybrid 1 -
Ethernet3/0/37 hybrid 1 -
Ethernet3/0/38 hybrid 1 -
Ethernet3/0/39 hybrid 1 -
Ethernet3/0/40 hybrid 1 -
Ethernet3/0/41 hybrid 1 -
Ethernet3/0/42 hybrid 1 -
Ethernet3/0/43 hybrid 1 -
Ethernet3/0/44 hybrid 1 -
Ethernet3/0/45 hybrid 1 -
Ethernet3/0/46 hybrid 1 -
Ethernet3/0/47 trunk 1 1
The Link Type field indicates the link type of an interface, the PVID field indicates the
default VLAN, and the Trunk VLAN List field indicates the list of VLANs allowed by a
trunk interface. If the interface does not join any VLAN, the Trunk VLAN List field is
displayed as -. If the link type of an interface is negotiation-desirable or negotiation-auto,
the Trunk VLAN List field is displayed as 1 to 4094.
NOTE
The earlier versions of V200R005, before deleting a VLAN where a VLANIF interface has been
configured, run the undo interface vlanif command to delete the VLANIF interface.
Figure 4-38 Communication for hosts on multiple network segments in the same VLAN
Switch VLANIF 10
Primary IP: 10.1.1.1/24
Secondary IP: 10.1.2.1/24
GE1/0/1 GE1/0/2
VLAN 10
Host1 Host2
10.1.1.2/24 10.1.2.2/24
After the preceding configurations are performed, Host_1 and Host_2 can communicate.
If the value of any one of the two fields is DOWN, the VLANIF interface is Down.
Rectify this fault according to Table 4-11.
Table 4-11 Common causes and solutions to the VLANIF interface Down event
The VLAN corresponding to the Run the vlan vlan-id command to create a
VLANIF interface is not created. VLAN corresponding to the VLANIF
interface.
The interface is not added to the VLAN. Run the following commands as required.
NOTE l Run the port default vlan vlan-id
l The port trunk pvid vlan vlan-id command in the interface view to add
command only configures the PVID on a an access interface to a VLAN.
trunk interface, but does not add a trunk
interface to a VLAN. l Run the port trunk allow-pass vlan
{ { vlan-id1 [ to vlan-id2 ] }&<1-10>
l The port hybrid pvid vlan vlan-id
command only configures the PVID on a | all } command in the interface view
hybrid interface, but does not add a hybrid to add a trunk interface to a VLAN.
interface to a VLAN. l You can add a hybrid interface to a
VLAN in tagged or untagged mode.
Run the port hybrid tagged vlan
{ { vlan-id1 [ to vlan-id2 ] }&<1-10>
| all } command to add a hybrid
interface to a VLAN in tagged mode,
or run the port hybrid untagged vlan
{ { vlan-id1 [ to vlan-id2 ] }&<1-10>
| all } command to add a hybrid
interface to a VLAN in untagged
mode.
The physical status of all interfaces added Rectify this fault. A VLANIF interface
to the VLAN is Down. goes Up as long as one interface in the
VLAN is Up.
The VLANIF interface is shut down. That Run the undo shutdown command in the
is, the value of current state is VLANIF interface view to start the
Administratively DOWN. VLANIF interface.
PC1 PC2
IP : 1 0 .1 .1 .2 IP : 1 0 .1 .2 .2
G a te w a y : 1 0 .1 .1 .1 G a te w a y : 1 0 .1 .2 .1
If routing entries do not exist, run the ip route-static command to configure a static
route.
– Switch1: ip route-static 10.1.2.0 255.255.255.0 10.1.4.2
– Switch2: ip route-static 10.1.1.0 255.255.255.0 10.1.4.1
As shown in Figure 4-40, the switch has been configured to transparently transmit Layer 2
packets. Do VLANs need to be assigned?
l If Switch1 and Switch2 where VLANs are not assigned use default VLAN configuration,
VLANs do not need to be assigned on the switch.
l If VLANs are assigned on Switch1 and Switch2, VLANs need to be assigned on the
switch.
For example, GE1/0/1 interfaces connecting Switch1 and Switch2 to the switch
transparently transmit packets from VLAN 10 and VLAN 20, so GE1/0/2 and GE1/0/3
on the switch need be configured to transparently transmit packets from VLAN 10 and
VLAN 20. Perform the following configurations.
[HUAWEI] vlan batch 10 20
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] port link-type trunk
[HUAWEI-GigabitEthernet1/0/2] port trunk allow-pass vlan 10 20
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] interface gigabitethernet 1/0/3
[HUAWEI-GigabitEthernet1/0/3] port link-type trunk
[HUAWEI-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20
MAC-VLAN entries are only valid for untagged packets. If MAC-VLAN entries are invalid,
check whether incoming packets carry VLAN tags.
4.12 References
The following table lists the references of this document.
This chapter describes how to configure VLAN aggregation. VLAN aggregation implements
communication of hosts on the same network segment in different VLANs. A network can
significantly save IP addresses with VLAN aggregation technology.
Definition
VLAN aggregation, also called super-VLAN, partitions a broadcast domain into multiple
VLANs (sub-VLANs) on a physical network and aggregates the sub-VLANs into a single
logical VLAN (super-VLAN). The sub-VLANs use the same IP subnet and default gateway
address, so the number of IP addresses used is reduced.
Purpose
VLAN technology is widely applied to packet switching networks because it is capable of
flexibly controlling broadcast domains and is easy to deploy. Usually, a Layer 3 switch uses a
Layer 3 logical interface in each VLAN to allow hosts in different broadcast domains to
communicate. This wastes IP addresses. On a subnet corresponding to a VLAN, the subnet
ID, directed broadcast address, and subnet default gateway address cannot be used as IP
addresses of hosts in the VLAN. In addition, the number of hosts on a subnet may be less than
the number of IP addresses available in the subnet. These remaining IP addresses are
essentially wasted because they cannot be used by other VLANs.
As shown in Figure 5-1, VLAN 2 requires 10 host addresses. The subnet 10.1.1.0/28 with a
28-bit mask is assigned to VLAN 2, where 10.1.1.0 is the subnet ID, 10.1.1.15 is the directed
broadcast address, and 10.1.1.1 is the default gateway address. Hosts cannot use these three
addresses, but the other 13 addresses ranging from 10.1.1.2 to 10.1.1.14 are available to them.
At least three IP addresses are wasted for VLAN 2, and at least nine IP addresses are wasted
for three VLANs. Although VLAN 2 requires only 10 IP addresses, the remaining 3 IP
addresses cannot be used by other VLANs and are wasted. If more VLANs are added, more
IP addresses will be wasted.
VLANIF 3: 10.1.1.17
VLAN aggregation is used to solve the preceding problem. VLAN aggregation maps each
sub-VLAN to a broadcast domain, associates a super-VLAN with multiple sub-VLANs, and
assigns only one IP subnet to the super-VLAN. This ensures that all sub-VLANs share the IP
address of the associated super-VLAN as the gateway IP address, effectively implementing
Layer 3 connectivity.
Sub-VLANs share one gateway address so that the number of subnet IDs, subnet default
gateway addresses, and directed broadcast IP addresses used is reduced. The switch assigns IP
addresses to hosts in sub-VLANs according to the actual number of hosts, ensuring that each
sub-VLAN is used as an independent broadcast domain to implement isolation. Therefore,
VLAN aggregation conserves IP addresses and implements flexible addressing.
5.2 Principles
VLAN aggregation defines the super-VLAN and sub-VLAN. A sub-VLAN, as an
independent broadcast domain, contains only physical interfaces; a super-VLAN contains no
physical interface, and is used for creating a Layer 3 VLANIF interface. By mapping a super-
VLAN to sub-VLANs, VLAN aggregation associates the Layer 3 VLANIF interface with
physical interfaces so that all sub-VLANs share one gateway to communicate with an external
network. In addition, proxy ARP is used to implement Layer 3 connectivity between sub-
VLANs. This technology isolates broadcast domains and conserves IP addresses.
Implementation
The super-VLAN and sub-VLAN are different from common VLANs that contain a Layer 3
logical interface and multiple physical interfaces:
l Sub-VLAN: contains only physical interfaces, and is used to isolate broadcast domains.
A sub-VLAN cannot be used for creating a Layer 3 VLANIF interface. Hosts in each
sub-VLAN use the VLANIF interface of the associated super-VLAN to communicate
with external devices at Layer 3.
l Super-VLAN: is only used for creating a Layer 3 VLANIF interface and contains no
physical interface. It corresponds to the subnet gateway. Unlike a VLANIF interface that
is Up as long as a physical interface in a common VLAN is Up, a VLANIF interface in a
super-VLAN is Up as long as a physical interface in any associated sub-VLAN is Up.
A super-VLAN can contain one or more sub-VLANs. A sub-VLAN does not occupy an
independent subnet. IP addresses of hosts in any sub-VLAN of a super-VLAN belong to the
subnet corresponding to the sub-VLAN.
That is, sub-VLANs share the same gateway. VLAN aggregation reduces subnet IDs, subnet
default gateway addresses, and directed broadcast IP addresses, allows different broadcast
domains to use the same subnet address, implements flexible addressing, and conserves IP
addresses.
The network topology used in 5.1 Introduction to VLAN Aggregation is used as an
example. Configure VLAN 10 as the super-VLAN, assign the subnet address 10.1.1.0/24 to
VLAN 10, and configure VLAN 2, VLAN 3, and VLAN 4 as sub-VLANs of super-VLAN
10, as shown in Figure 5-2.
NOTE
For details about proxy ARP, see Proxy ARP in S7700&S9700 Series Switches Configuration Guide - IP
Services.
The networking in Figure 5-2 is used as an example. Assuming that Host_1 in sub-VLAN 2
needs to communicate with Host_2 in sub-VLAN 3, enable proxy ARP on the VLANIF
interface of super-VLAN 10, as shown in Figure 5-3.
Figure 5-3 Using proxy ARP to implement Layer 3 communication between sub-VLANs
Super-VLAN 10
L3 switch VLANIF10: 10.1.1.1/24
Proxy ARP
As shown in Figure 5-4, user hosts and servers are on different network segments, sub-
VLANs 2 to 4 and VLAN 10 are configured on Switch_1, and VLAN 10 and VLAN 20 are
configured on Switch_2.
Figure 5-4 Layer 3 communication between hosts in sub-VLANs and on an external network
Switch_2 VLANIF 20
10.1.2.1/24
VLANIF 10
10.1.10.2/24
Server
10.1.2.2/24
VLANIF 10
10.1.10.1/24
Super-VLAN 4
Switch_1 VLANIF 4
10.1.1.1/24
Host_1 Host_2
Sub-VLAN 2 Sub-VLAN 3
10.1.1.2/24 10.1.1.12/24
When Host_1 in sub-VLAN 2 wants to communicate with the server connected to Switch_2,
the packet forwarding process is as follows (assume that a route to 10.1.2.0/24 has been
configured on Switch_1, a route to 10.1.1.0/24 has been configured on Switch_2, and no
Layer 3 forwarding entry exists on the two switches):
1. Host_1 compares the server's IP address (10.1.2.2) with its network segment 10.1.1.0/24
and finds that they are on different network segments. Host_1 then sends an ARP
Request packet to its gateway to request the gateway's MAC address. The ARP Request
packet carries an all-F destination MAC address and destination IP address 10.1.1.1.
2. After receiving the ARP Request packet, Switch_1 searches the mapping between the
super-VLAN and sub-VLANs. Switch_1 then sends an ARP Reply packet with the MAC
address of VLANIF 4 (corresponding to super-VLAN 4) from an interface of sub-VLAN
2 to Host_1.
3. After learning the gateway's MAC address, Host_1 sends a packet with the destination
MAC address as the MAC address of VLANIF 4 (corresponding to super-VLAN 4) and
destination IP address of 10.1.2.2.
4. After receiving the packet from Host_1, Switch_1 determines that the packet should be
forwarded at Layer 3 according to the mapping between the super-VLAN and sub-
VLANs and destination MAC address. Switch_1 searcher its Layer 3 forwarding table
for a matching entry, but no entry is found. Switch_1 sends the packet to the CPU, and
the CPU searches its routing table and obtains the next hop address of 10.1.10.2 and the
outbound interface of VLANIF 10. Switch_1 determines the outbound interface
according to the ARP entry and MAC address entry, and sends the packet to Switch_2.
5. Switch_2 sends the packet to server according to the Layer 3 forwarding process.
After receiving the packet from Host_1, the server sends a response packet with the
destination IP address of 10.1.1.2 and destination MAC address as the MAC address of
VLANIF 20 on the Switch_2. The process is as follows:
1. The response packet reaches Switch_1 according to the Layer 3 forwarding process.
When the response packet reaches Switch_1, the destination MAC address is changed to
the MAC address of VLANIF 10 on Switch_1.
2. After receiving the packet, Switch_1 determines that the packet should be forwarded at
Layer 3 according to the destination MAC address. Switch_1 searcher its Layer 3
forwarding table for a matching entry, but no entry is found. Switch_1 sends the packet
to the CPU, and the CPU searches its routing table and obtains the next hop address of
10.1.1.2 and the outbound interface of VLANIF 4. Switch_1 searches the mapping
between the super-VLAN and sub-VLANs and determines that the packet should be sent
to Host_1 from an interface in sub-VLAN 2 according to the ARP entry and MAC
address entry.
3. The response packet reaches Host_1.
Figure 5-5 Layer 2 communication between hosts in sub-VLANs and on an external network
Internet
Switch_2
Trunk IF_1
Allowed VLAN=2,3 IF_3
Super-VLAN 4
Switch_1 VLANIF 4
10.1.1.1/24
IF_1 IF_2
Host_1 Host_2
Sub-VLAN 2 Sub-VLAN 3
10.1.1.2/24 10.1.1.12/24
The tag with VLAN 2 is added to packets sent from Host_1 to Switch_1. Although sub-
VLAN 2 belongs to super-VLAN 4, Switch_1 does not change the tag with VLAN 2 to the
tag with VLAN 4 in packets. That is, packets sent from IF_3 of Switch_1 still carry VLAN 2.
Switch_1 itself does not send packets from VLAN 4. When another device sends packets
from VLAN 4 to Switch_1, Switch_1 discards the packets because there is no physical
interface corresponding to super-VLAN 4 on Switch_1. Actually, IF_3 on Switch_1 does not
allow packets from super-VLAN 4. For other devices, only sub-VLAN 2 and sub-VLAN 3
are valid, and all packets are exchanged in the VLANs.
The communication between Switch_1 configured with VLAN aggregation and other devices
is similar to normal Layer 2 communication without using the super-VLAN, and is not
described here.
Internet
Switch
Proxy ARP
Super-VLAN 2 Super-VLAN 3
VLAN aggregation can be deployed to meet the preceding requirements. Deploy super-
VLAN 2 and super-VLAN 3 on the switch, and add sub-VLAN 21 and sub-VLAN 22 to
super-VLAN 2 and sub-VLAN 31 and sub-VLAN 32 to super-VLAN 3. After IP addresses
are assigned to super-VLAN 2 and super-VLAN 3 on the switch, users in department 1 and
department 2 can access the Internet using the IP address of super-VLAN 2, and users in
department 3 and department 4 can access the Internet using the IP address of super-VLAN 3.
VLAN aggregation implements Internet access for each department and conserves IP
addresses.
Configure proxy ARP in super-VLAN 2 and super-VLAN 3 on the switch to implement
communication between department 1 and department 2, and between department 3 and
department 4.
License Support
VLAN aggregation, also called super-VLAN, is a basic feature of a switch and is not under
license control.
Version Support
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
Context
In VLAN aggregation, physical interfaces can be added to a sub-VLAN but no VLANIF
interface can be created for the sub-VLAN. All the interfaces in a sub-VLAN use the same IP
address of the VLANIF interface corresponding to a super-VLAN. VLAN aggregation
reduces subnet IDs, subnet default gateway addresses, and directed broadcast IP addresses,
allows the switch to assign IP addresses to hosts in sub-VLANs according to the actual
number of hosts, ensures that each sub-VLAN is used as independent broadcast domain to
implement isolation, saves IP addresses, and implements flexible addressing.
Procedure
Step 1 Run:
system-view
NOTE
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
The vlan configuration command completes the VLAN configuration when the VLAN is not created.
Step 3 Run:
interface interface-type interface-number
----End
Context
A super-VLAN consists of several sub-VLANs. No physical interface can be added to a
super-VLAN, but a VLANIF interface can be configured for the super-VLAN and an IP
address can be assigned to the VLANIF interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
Step 3 Run:
aggregate-vlan
A super-VLAN is created.
Step 4 Run:
access-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
Before adding sub-VLANs to a super-VLAN, ensure that these sub-VLANs are not
configured with VLANIF interfaces.
If too many sub-VLANs are added to the super-VLAN, the ARP broadcast storm degrades the
system performance and affects the ARP learning. The number of sub-VLANs that are added
to a super-VLAN cannot exceed 50.
----End
Context
The IP address of the VLANIF interface corresponding to a super-VLAN must contain the
subnets that users in sub-VLANs belong to. All the sub-VLANs use the IP address of the
VLANIF interface corresponding to the super-VLAN, thereby saving IP addresses.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface vlanif vlan-id
A VLANIF interface is created for a super-VLAN, and the view of the VLANIF interface is
displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }
----End
Context
VLAN aggregation allows sub-VLANs to use the same subnet address, but prevents PCs in
different sub-VLANs from communicating with each other at the network layer.
PCs in common VLANs can communicate with each other at the network layer using
different gateway addresses. VLAN aggregation enables PCs in a super-VLAN to use the
same subnet address and gateway address. Because PCs in different sub-VLANs belong to
one subnet, they communicate with each other only at Layer 2 but not Layer 3. These PCs are
isolated from each other at Layer 2. Consequently, PCs in different sub-VLANs cannot
communicate with each other.
Proxy ARP is required to enable PCs in a sub-VLAN to communicate with PCs in another
sub-VLAN or PCs on other networks. After a super-VLAN and its VLANIF interface are
created, proxy ARP must be enabled to allow the super-VLAN to forward or process ARP
Request and Reply packets. Proxy ARP allows PCs in sub-VLANs to communicate with each
other at the network layer.
NOTE
After proxy ARP is enabled on the VLANIF interface corresponding to a super-VLAN, hosts in all sub-
VLANs of the super-VLAN can communicate. If hosts in some sub-VLANs of the super-VLAN need to
communicate, see 5.8.1 How Do I Implement Communication Between Some Sub-VLANs in a
Super-VLAN.
VLAN aggregation simplifies configurations for the network where many VLANs are
configured and PCs in different VLANs need to communicate with each other.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface vlanif vlan-id
Step 3 Run:
arp-proxy inter-sub-vlan-proxy enable
----End
Internet
Router
GE1/0/1
VLAN 10
SwitchB Super-VLAN 4
GE1/0/5
GE1/0/5
SwitchA
GE1/0/1 GE1/0/4
GE1/0/2 GE1/0/3
VLAN 2 VLAN 3
Configuration Roadmap
Configure VLAN aggregation on SwitchB to add VLANs of different departments to a super-
VLAN so that PCs in different departments can access the Internet using the super-VLAN.
Deploy proxy ARP in the super-VLAN so that PCs in different departments can
communicate. The configuration roadmap is as follows:
1. Configure VLANs and interfaces on SwitchA and SwitchB, add PCs of different
departments to different VLANs, and configure interfaces to transparently transmit
packets from VLANs to SwitchB.
2. Configure a super-VLAN, a VLANIF interface, and a static route on SwitchB so that
PCs in different departments can access the Internet.
3. Configure proxy ARP in the super-VLAN on SwitchB so that PCs in different
departments can communicate at Layer 3.
Procedure
Step 1 Configure VLANs and interfaces on SwitchA and SwitchB, add PCs of different departments
to different VLANs, and configure interfaces to transparently transmit packets from VLANs
to SwitchB.
1. Configure SwitchA.
# Configure GE1/0/1 as an access interface. The configurations of GE1/0/2, GE1/0/3,
and GE1/0/4 are similar to the configuration of GE1/0/1, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access
[SwitchA-GigabitEthernet1/0/1] quit
2. Configure SwitchB.
# Create VLAN 2, VLAN 3, VLAN 4, and VLAN 10 and configure the interface of
SwitchB connected to SwitchA to transparently transmit packets from VLAN 2 and
VLAN 3 to SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 2 3 4 10
[SwitchB] interface gigabitethernet 1/0/5
[SwitchB-GigabitEthernet1/0/5] port link-type trunk
[SwitchB-GigabitEthernet1/0/5] port trunk allow-pass vlan 2 3
[SwitchB-GigabitEthernet1/0/5] quit
# Create and configure VLANIF 4 so that PCs in different departments can access the Internet
using super-VLAN 4.
[SwitchB] interface vlanif 4
[SwitchB-Vlanif4] ip address 10.1.1.1 255.255.255.0
[SwitchB-Vlanif4] quit
# Create and configure VLANIF 10 and specify the IP address of VLANIF 10 as the IP
address for connecting SwitchB and the router (egress gateway).
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.10.1.1 255.255.255.0
[SwitchB-Vlanif10] quit
# Configure a static route to the router on SwitchB so that PCs can access the Internet.
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2
NOTE
Configure the router interface connected to SwitchB and assign the IP address of 10.10.1.2 to the router
interface. See the router configuration manual.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
5.8 FAQ
5.8.1 How Do I Implement Communication Between Some Sub-
VLANs in a Super-VLAN
When VLAN aggregation is configured, hosts in a super-VLAN use IP addresses on the same
network segment and share the same gateway address. Hosts in different sub-VLANs belong
to the same subnet, so the switch forwards packets between the hosts by searching for ARP
entries but not through the gateway. Proxy ARP allows the switch to establish ARP entries for
all sub-VLANs for interworking.
To implement interworking between some sub-VLANs, configure static ARP entries to bind
destination MAC addresses to the gateway IP address on hosts in the sub-VLANs.
For example, when host A with the gateway IP address of 192.168.1.1/24 wants to access host
B with the MAC address of 00-aa-00-62-c6-09, perform the following operations:
1. Choose Start > Run, enter cmd, and press Enter.
2. Enter arp -s 192.168.1.1 00-aa-00-62-c6-09.
After the preceding configuration is complete, host A can access host B. If host B needs to
access host A, configure a static ARP entry to bind host A's MAC address to the gateway IP
address on host B.
The VLAN Switch function allows communication between user hosts in different VLANs
and between user hosts in the same VLAN that reside in different network segments. With the
VLAN Switch function, a device only searches a VLAN Switch table, but does not need to
search its MAC address table when forwarding data. Therefore, this function improves device
forwarding efficiency and security, and prevents MAC address attacks as well as broadcast
storms.
Stack-vlan
Similar to the VLAN stacking function, the stack-vlan function is a Layer 2 feature that adds
an outer VLAN tag to each frame, and decides which outer VLAN tags to be added to frames
depending on information in the original VLAN tags carried in the frames. Table 6-1 lists the
comparison between VLAN stacking and stack-vlan. For details about VLAN stacking, see
10.2.3 Selective QinQ.
Switch-vlan
Similar to the VLAN mapping function, the switch-vlan function implements inter-VLAN
communication. Table 6-2 lists the comparison between VLAN mapping and switch-vlan. For
details about VLAN mapping, see 11.2 Principles.
Port2 Port3
SwitchA
VLAN 2 VLAN 3
PC1 PC2
through Port3, and to change VLAN 3 in packets received by Port3 to VLAN 2 and send them
through Port2. In this manner, switch-vlan implements communication between VLAN 2 and
VLAN 3.
NOTE
If SwitchA is a Layer 3 switch, you can also use a VLANIF interface to implement inter-VLAN
communication. If SwitchA is a Layer 2 switch, you can only use switch-vlan to implement inter-VLAN
communication.
License Support
The VLAN switch function is a basic feature of a switch and is not under license control.
Version Support
Table 6-3 Products and versions supporting the VLAN switch function
Product Product Software Version
Model
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan-switch vlan-switch-name interface interface-type1 interface-number1 vlan
vlan-id1 [ inner-vlan vlan-id2 [ to vlan-id3 ] ] interface interface-type2
interface-number2 [ switch-vlan vlan-id4 ]
NOTE
----End
Context
VLAN Switch is a forwarding method that forwards data according to the information in
VLAN tags of received frames. This method requires a pre-configured static forwarding path
along switching nodes on the network. When receiving VLAN-tagged frames matching
VLAN Switch entries, a switching node forwards the frames to the interfaces manually
specified in the VLAN Switch table. VLAN Switch improves device forwarding efficiency
and security, and prevents MAC address attacks as well as broadcast storms.
Similar to the VLAN stacking function, the stack-vlan function adds outer VLAN tags to
frames to implement communication within a VLAN across different ISP networks.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan-switch vlan-switch-name interface interface-type interface-number vlan vlan-
id1 [ to vlan-id2 ] interface interface-type interface-number [ stack-vlan vlan-
id3 ]
NOTE
----End
Procedure
l Run the display vlan-switch [ vlan-switch-name | interface interface-type interface-
number ] command to check the VLAN Switch configuration, including the VLAN
Switch entry name, source interface, source VLAN, destination interface, destination
VLAN, operation type, and VLAN Switch status.
----End
Context
If VLAN resources are insufficient when you configure VLAN Switch, run the display vlan-
translation resource command to view the total number of VLAN resources in the inbound
or outbound direction, and numbers of used and available VLAN resources. Refer to the
command output to determine the location of faults or congestion.
Procedure
l Run the display vlan-translation resource [ slot slot-number ] command to check
VLAN resources on a card.
----End
GE1/0/1 GE1/0/2
Configuration Roadmap
The configuration roadmap is as follows:
1. Add the uplink and downlink interfaces of SwitchA and SwitchB to the VLANs.
2. Configure the VLAN Switch function on the Switch.
NOTE
Ensure that VLAN 10 and VLAN 20 have not been created on the Switch , and GE1/0/1 and GE1/0/2
have not been added to VLAN 10 and VLAN 20 respectively. Otherwise, the VLAN Switch function
cannot be configured.
Procedure
Step 1 Create VLAN 10 on SwitchA, add GE1/0/1 to VLAN 10 in tagged mode, and add GE1/0/2
and GE1/0/3 to VLAN 10 in access mode. Configuration of SwitchB is the same as that of
SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid tagged vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
----End
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 10
#
return
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 20
#
return
This chapter describes how to configure the Multiplex VLAN (MUX VLAN). The MUX
VLAN allows communication between some users, and prohibits communication between
other users.
7.1 Introduction to MUX VLAN
7.2 Configuration Notes
7.3 Default Configuration
7.4 Configuring the MUX VLAN
The MUX VLAN can implement inter-VLAN communication and intra-VLAN isolation.
7.5 Configuration Examples
For example, both enterprise employees and customers can access the servers on an enterprise
network. The enterprise allows employees to communicate with each other but prevents
customers from communicating with each other.
To allow all users to access the enterprise servers, inter-VLAN communication must be
configured. If there are a large number of users in an enterprise, VLANs need to be assigned
to the users that the enterprise wishes to restrict communication. This wastes VLAN IDs and
adds significant workload to network configuration and maintenance.
Basic Concepts
A MUX VLAN consists of principal VLANs and subordinate VLANs; subordinate VLANs
are classified into separate VLANs and group VLANs. See Table 7-1 for a description of
these roles.
Enterprise Enterprise
employee customer
On an aggregation device, you can create a VLANIF interface for the principal VLAN. The IP
address of the VLANIF interface can be used as the gateway address for servers or user hosts.
As shown in Figure 7-2, MUX VLAN is configured on the aggregation device Switch1 to
implement user isolation or interworking.
Internet
Switch2
Switch1 Server
VLAN2
(Principal VLAN)
License Support
The MUX VLAN is a basic feature of a switch and is not under license control.
Version Support
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
Item Specification
l When the interface is enabled with MUX VLAN and configured with the PVID using the
port trunk pvid vlan command, do not configure the PVID as the ID of the principal
VLAN or subordinate VLAN of the MUX VLAN. For example, VLAN 10 is the
principal VLAN, VLAN 11 is a subordinate group VLAN, and VLAN 12 is a
subordinate separate VLAN. After the port mux vlan enable 10 command is used on
the interface to enable MUX VLAN, do not run the port trunk pvid vlan command to
set the PVID to VLAN 11 or VLAN 12.
Context
Interfaces in a principal VLAN can communicate with other interfaces in the same MUX
VLAN.
Procedure
Step 1 Run:
system-view
A VLAN is created and the VLAN view is displayed. If the VLAN already exists, the VLAN
view is displayed.
The VLAN ID ranges from 1 to 4094. To create VLANs in a batch, run the vlan batch { vlan-
id1 [ to vlan-id2 ] } &<1-10> command. Then run the vlan vlan-id command to enter the
view of a specified VLAN.
NOTE
If a device is configured with multiple VLANs, configure names for the VLANs to facilitate VLAN
management.
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
Step 3 Run:
mux-vlan
The VLAN ID assigned to a principal VLAN cannot be used to configure VLAN mapping,
VLAN stacking, super-VLAN, or sub-VLAN.
----End
Context
A VLAN associated with a group interface is called a group VLAN. Group interfaces in a
group VLAN can communicate with each other.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
Step 3 Run:
subordinate group { vlan-id1 [ to vlan-id2 ] } &<1-10>
The VLAN ID assigned to a group VLAN cannot be used to configure VLANIF interface, ,
VLAN mapping, VLAN stacking, super-VLAN, or sub-VLAN.
----End
Context
A VLAN associated with separate interfaces is called a separate VLAN. Interfaces in a
separate VLAN cannot communicate with each other.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
----End
Context
After the MUX VLAN function is enabled on an interface, the principal VLAN and
subordinate VLAN can communicate with each other; interfaces in a group VLAN can
communicate with each other; interfaces in a separate VLAN cannot communicate with each
other.
Pre-configuration Tasks
Before enable MUX VLAN function, complete the following task:
l The port has been added to a principal or subordinate VLAN as an access, hybrid, or
trunk interface.
l The port can allows multiple common VLANs, but can join only one MUX VLAN.
Procedure
Step 1 Run:
system-view
After the MUX VLAN function is enabled on an interface, VLAN mapping or VLAN
stacking cannot be configured on the interface.
You can create a VLANIF interface for a principal VLAN, but cannot create a VLANIF
interface for a subordinate group VLAN or separate VLAN.If a VLANIF interface is created
for a principal VLAN, you cannot run the port mux-vlan enable vlan vlan-id command on
an interface of the SA boards of S series to enable the MUX VLAN function including the
principle and subordinate VLANs.
The port mux-vlan enable command is not supported on a negotiation-auto or negotiation-
desirable port.
NOTE
l Disabling MAC address learning or limiting the number of learned MAC addresses on an interface
will compromise the performance of the MUX VLAN function.
l MUX VLAN and port security cannot be configured on the same interface.
l MUX VLAN and MAC address authentication cannot be configured on the same interface.
l MUX VLAN and 802.1x authentication cannot be configured on the same interface.
l If a DHCP server is configured in the subordinate VLAN and DHCP clients are configured in the
principal VLAN, the DHCP clients may fail to obtain IP addresses. Therefore, when the DHCP
snooping function is configured, configure the DHCP server in the principal VLAN.
----End
VLAN2
(Principal VLAN)
GE1/0/2 GE1/0/5
GE1/0/3 GE1/0/4
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a principal VLAN.
2. Configure a group VLAN.
3. Configure a separate VLAN.
4. Add interfaces to the VLANs and enable the MUX VLAN function.
Procedure
Step 1 Configure the MUX VLAN.
# Create VLAN 2, VLAN 3, and VLAN 4.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 3 4
# Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 2
[Switch-GigabitEthernet1/0/1] port mux-vlan enable vlan 2
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 3
[Switch-GigabitEthernet1/0/2] port mux-vlan enable vlan 3
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
The server, HostB, HostC, HostD, and HostE are on the same subnet.
The server can communicate with HostB, HostC, HostD, and HostE at Layer 2.
HostB and HostC cannot communicate with HostD and HostE at Layer 2.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
port mux-vlan enable vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 3
port mux-vlan enable vlan 3
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 3
port mux-vlan enable vlan 3
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 4
port mux-vlan enable vlan 4
#
interface GigabitEthernet1/0/5
port link-type access
port default vlan 4
port mux-vlan enable vlan 4
#
return
Internet
Switch2
Switch1 GE1/0/2 Server
(Principal VLAN)
4/
1/0
1/0
GE
/5
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a principal VLAN and a VLANIF interface. The IP address of the VLANIF
interface is used as the gateway IP address of user hosts and server.
Procedure
Step 1 Configure the MUX VLAN.
# Create VLAN 2, VLAN 3, and VLAN 4, and VLANIF 2 on Switch1. The IP address of
VLANIF 2 is used as the gateway IP address for user hosts and server.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan batch 2 3 4
[Switch1] interface vlanif 2
[Switch1-Vlanif2] ip address 192.168.100.100 24
[Switch1-Vlanif2] quit
# Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.
[Switch1] interface gigabitethernet 1/0/2
[Switch1-GigabitEthernet1/0/2] port link-type trunk
[Switch1-GigabitEthernet1/0/2] port trunk allow-pass vlan 2
[Switch1-GigabitEthernet1/0/2] port mux-vlan enable vlan 2
[Switch1-GigabitEthernet1/0/2] quit
[Switch1] interface gigabitethernet 1/0/3
[Switch1-GigabitEthernet1/0/3] port link-type trunk
[Switch1-GigabitEthernet1/0/3] port trunk allow-pass vlan 3
[Switch1-GigabitEthernet1/0/3] port mux-vlan enable vlan 3
[Switch1-GigabitEthernet1/0/3] quit
[Switch1] interface gigabitethernet 1/0/4
[Switch1-GigabitEthernet1/0/4] port link-type trunk
[Switch1-GigabitEthernet1/0/4] port trunk allow-pass vlan 3
[Switch1-GigabitEthernet1/0/4] port mux-vlan enable vlan 3
[Switch1-GigabitEthernet1/0/4] quit
[Switch1] interface gigabitethernet 1/0/5
[Switch1-GigabitEthernet1/0/5] port link-type trunk
[Switch1-GigabitEthernet1/0/5] port trunk allow-pass vlan 4
[Switch1-GigabitEthernet1/0/5] port mux-vlan enable vlan 4
[Switch1-GigabitEthernet1/0/5] quit
[Switch1] interface gigabitethernet 1/0/6
[Switch1-GigabitEthernet1/0/6] port link-type trunk
[Switch1-GigabitEthernet1/0/6] port trunk allow-pass vlan 4
[Switch1-GigabitEthernet1/0/6] port mux-vlan enable vlan 4
[Switch1-GigabitEthernet1/0/6] quit
Step 2 Add interfaces of access switches to VLANs. The configuration details are not mentioned
here.
Step 3 Verify the configuration.
The server can communicate with HostB, HostC, HostD, and HostE at Layer 2.
HostB can communicate with HostC at Layer 2.
HostD cannot communicate with HostE at Layer 2.
HostB and HostC cannot communicate with HostD and HostE at Layer 2.
----End
Configuration Files
Switch1 configuration file
#
sysname Switch1
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
interface Vlanif2
ip address 192.168.100.100 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2
port mux-vlan enable vlan 2
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 3
port mux-vlan enable vlan 3
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 3
port mux-vlan enable vlan 3
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 4
port mux-vlan enable vlan 4
#
interface GigabitEthernet1/0/6
port link-type trunk
port trunk allow-pass vlan 4
port mux-vlan enable vlan 4
#
return
This chapter describes how to configure VLAN termination. The VLAN termination function
includes two sub-functions: Dot1q termination and QinQ termination. Dot1q termination
allows for inter-VLAN communication. Dot1q termination and QinQ termination can be used
together to implement LAN and WAN interconnection.
A device with VLAN termination enabled processes incoming and outgoing packets as
follows:
l Removes single or double VLAN tags from the packets received on interfaces, and then
selects an appropriate action such as forwarding the packets over Layer 3.
l Adds VLAN tags to the packets that will be sent out through interfaces.
Classification
Depending on the selected method for VLAN tagged packets processing, VLAN termination
has the following sub-functions:
l Dot1q termination: removes the outer VLAN tag from any received single-tagged or
double-tagged packets, and adds a VLAN tag to packets to be sent by an interface.
l QinQ termination: removes double VLAN tags from any received double-tagged
packets, and adds double VLAN tags to packets to be sent by an interface.
NOTE
Dot1q and QinQ VLAN tag termination sub-interfaces do not support transparent transmission of
packets that do not contain a VLAN tag and will discard received packets without a VLAN tag.
Purpose
After VLANs are assigned on a network, hosts in the same VLAN can communicate with
each other over Layer 2 but cannot communicate with different VLANs. You can use
VLANIF interfaces on a Layer 3 switch to implement inter-VLAN Layer 3 connectivity, but
this encounters the following problem. As shown in Figure 8-1, when a Layer 3 switch uses
only one Layer 3 Ethernet interface to connect to users or a network, this interface needs to
transmit packets from multiple VLANs. A VLANIF interface cannot provide this function. o
solve this, you can virtualize a Layer 3 Ethernet interface into multiple logical sub-interfaces
with the Layer 3 Ethernet interface as the main interface.
However, a Layer 3 Ethernet sub-interface treats received VLAN packets as invalid packets
and discards them; therefore, VLAN termination needs to be configured on the Layer 3
Ethernet sub-interface so that the sub-interface can remove VLAN tags from packets.
Port1.1 Port1.2
VLAN trunk
Layer 2 switch
Port1.1 Port1.2
VLAN trunk
SwitchB
PE1 PE2
ISP
Port1.1 PWE3/VLL/VPLS
Port1.1
CE1 CE2
Branch 1 Branch 2
Single-tagged packet
Dot1q termination and PWE3/VLL/VPLS are configured on sub-interfaces of PE1 and PE2.
When Branch 1 sends packets to Branch 2, the process is as follows:
1. 1. PE1 checks the outer VLAN tag of data packets sent from CE1. If the VLAN tag is the
same as that specified in the Dot1q termination configuration on Port1.1, PE1
encapsulates the packets with double MPLS labels and forwards the packets to the
carrier's PWE3/VLL/VPLS network. VLAN tags are transparent to the carrier's
PWE3/VLL/VPLS network.
2. When receiving the packets, PE2 removes the double MPLS labels from the packets, and
forwards the packets to CE2 according to the Dot1q termination configuration on
Port1.1.
3. CE2 forwards packets to user hosts.
The process is reversed when Branch 2 sends packets to Branch 1.
VPN1 VPN1
Branch 1 Branch 2
CE1 CE3
Port1.1 PE1 PE2
ISP Port1.1
Port1.2 MPLS L3VPN Port1.2
CE2 CE4
Branch 1 Branch 2
VPN2 VPN2
Dot1q termination and L3VPN are configured on sub-interfaces of PE1 and PE2. When a host
in branch 1 of VPN 1 sends packets to a host in branch 2 of VPN 1, the process is as follows:
1. Depending on the Dot1q termination configuration on Port1.1, PE1 removes the outer
VLAN tag of the packets sent from CE1.
2. PE1 binds the outer VLAN tag to VPN1, and forwards the packets to the L3VPN.
3. After the packets reach PE2, PE2 determines that the packets are destined for CE3 based
on the VPN instance.
4. PE2 adds an outer VLAN tag to the packets according to the Dot1q termination
configuration on Port1.1, and then forwards the packets to CE3.
5. CE3 forwards the packets to the destination user host.
The process is reversed when a host in branch 2 of VPN 1 sends packets to branch 1 of VPN
1.
PE1 PE2
ISP
Port1.1 PWE3/VLL/VPLS
Port1.1
CE1 CE2
Branch 1 Branch 2
Double-tagged packet
QinQ termination and PWE3/VLL/VPLS are configured on sub-interfaces of PE1 and PE2.
When Branch 1 sends packets to Branch 2, the process is as follows:
1. PE1 checks the inner and outer VLAN tags of data packets sent from CE1. If these
VLAN tags are the same as those specified in the QinQ termination configuration on
Port1.1, PE1 encapsulates the packets with double MPLS labels and forwards the packets
to the carrier's PWE3/VLL/VPLS network. VLAN tags are transparent to the carrier's
PWE3/VLL/VPLS network.
2. When receiving the packets, PE2 removes double MPLS labels from the packets, and
forwards the packets to CE2 according to the QinQ termination configuration on Port1.1.
3. CE2 forwards packets to user hosts.
The process is reversed when Branch 2 sends packets to Branch 1.
VPN1 VPN1
Branch 1 Branch 2
CE1 CE3
Port1.1 PE1 PE2
ISP Port1.1
Port1.2 MPLS L3VPN Port1.2
CE2 CE4
Branch 1 Branch 2
VPN2 VPN2
QinQ termination and L3VPN are configured on sub-interfaces of PE1 and PE2. When a host
in Branch 1 of VPN 1 sends packets to a host in Branch 2 of VPN 1, the process is as follows:
1. Depending on the Dot1q termination configuration on Port1.1, PE1 removes the inner
and outer VLAN tags of the packets sent from CE1.
2. PE1 binds the inner and outer VLAN tags to VPN1, and forwards the packets to the
L3VPN.
3. After the packets reach PE2, PE2 determines that the packets are destined for CE3 based
on the VPN instance.
4. PE2 adds inner and outer VLAN tags to the packets according to the QinQ termination
configuration on Port1.1, and then forwards the packets to CE3.
5. CE3 forwards the packets to the destination user host.
The process is reversed when a host in branch 2 of VPN 1 sends packets to branch 1 of VPN
1.
8.6.2 A carrier's network provides the L2VPN service for users. PEs
Configuring a function as user access devices and connect to CEs through sub-
Dot1q interfaces to access user networks. The data packets that CEs send to
Termination PEs carry a single VLAN tag. User networks are required to interwork
Sub-interface with each other.
and Connecting
It to an L2VPN
8.6.3 A carrier's network provides the L2VPN service for users. PEs
Configuring a function as user access devices and connect to CEs through sub-
Dot1q interfaces to access user networks. The data packets that CEs send to
Termination PEs carry a single VLAN tag. User networks are required to interwork
Sub-interface with each other.
and Connecting
It to an L3VPN
8.6.4 A carrier's network provides the L2VPN service for users. PEs
Configuring a function as user access devices and connect to CEs through sub-
QinQ interfaces to access user networks. The data packets that CEs send to
Termination PEs carry double VLAN tags. User networks are required to interwork
Sub-interface with each other.
and Connecting
It to an L2VPN
8.6.5 A carrier's network provides the L2VPN service for users. PEs
Configuring a function as user access devices and connect to CEs through sub-
QinQ interfaces to access user networks. The data packets that CEs send to
Termination PEs carry double VLAN tags. User networks are required to interwork
Sub-interface with each other.
and Connecting
It to an L3VPN
License Support
VLAN termination, that is, QinQ and Dot1q on a subinterface, is often used on an MPLS
network, so the device must be enabled with MPLS. MPLS requires a license. By default,
MPLS of a newly purchased device is disabled. To use MPLS, apply for and purchase the
license from the equipment supplier. VLAN termination itself can be used without a license.
Software Version
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
Context
When a Layer 3 switch connects to users on different network segments across different
VLANs, configure Dot1q termination and IP addresses for the sub-interfaces to implement
Layer 3 connectivity.
NOTE
l To implement inter-VLAN communication, hosts in each VLAN must use the IP address of the
corresponding sub-interface as the default gateway address.
l When VLAN IDs terminated by a subinterface are used for Layer 3 forwarding, only the first VLAN
takes effect even if multiple inner VLAN IDs are specified.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
port link-type { hybrid | trunk }
Step 4 Run:
quit
Step 5 Run:
interface interface-type interface-number.subinterface-number
NOTE
When VLAN IDs terminated by a sub-interface are used for Layer 3 forwarding, it is recommended that
128 VLANs be in all VLAN ranges.
Step 8 Run:
arp broadcast enable
----End
Pre-configuration Tasks
Before configuring a Dot1q termination sub-interface and connecting it to an L2VPN,
complete the following tasks:
l Ensure that devices are connected correctly.
l Configure VLANs to which CEs belong and basic Layer 2 forwarding so that each
packet sent from CEs to PEs carries one VLAN tag.
l Ensure that the device is not a VCMP client.
Context
When a VPN network connects to an ISP network through a sub-interface, the sub-interface
needs to terminate VLAN tags. A QinQ termination sub-interface can remove double VLAN
tags carried by packets sent from CEs to PEs.
Procedure
Step 1 On the PE device, run:
system-view
----End
Context
After a Dot1q termination sub-interface is configured, you need to configure the virtual
private network (VPN) service on the sub-interface so that users at both ends of the L2VPN
can communicate with each other.
L2VPN includes Virtual leased line (VLL), Pseudo-Wire Emulation Edge to Edge (PWE3),
and Virtual Private LAN Service (VPLS).
l VLL technology emulates leased lines on an IP network to provide inexpensive,
asymmetrical digital data network (DDN) service. As a point-to-point (P2P) L2VPN
technology, VLL can support almost all link layer protocols.
For details about L2VPN, see "VLL Configuration, "PWE3 Configuration", and "VPLS
Configuration" in S7700&S9700 Series Switches Configuration Guide - VPN.
NOTE
A Dot1q termination sub-interface can be bound to a VLL that provides homogeneous or heterogeneous
transport in the following modes:
l Local Kompella connection
l Remote Kompella connection
l Local Martini connection
l Remote Martini connection
A Dot1q termination sub-interface supports the following VPLS connections:
l Martini VPLS
l Kompella VPLS
Procedure
l Run the display dot1q information termination [ interface interface-type interface-
number [.subinterface-number ] ] command to check dot1q termination sub-interface
information.
l Run the display vsi [ name vsi-name ] [ verbose ] command to check VSI information.
l Run the display mpls static-l2vc command to check static VC information.
l Run the display mpls l2vc command on the PE to check Martini VLL information on
the local PE.
l Run the display mpls l2vc remote-info command on the PE to check Martini VLL
information on the remote PE.
l Run the display vll ccc [ ccc-name | type { local | remote } ] command to check CCC
connection information.
----End
Pre-configuration Tasks
Before configuring a Dot1q termination sub-interface and connecting it to an L3VPN,
complete the following tasks:
Context
When a VPN network connects to an ISP network through a sub-interface, the sub-interface
needs to terminate VLAN tags. A QinQ termination sub-interface can remove double VLAN
tags carried by packets sent from CEs to PEs.
Procedure
Step 1 On the PE device, run:
system-view
----End
Procedure
l Run the display dot1q information termination [ interface interface-type interface-
number [.subinterface-number ] ] command to check dot1q termination sub-interface
information.
l Run the display ip vpn-instance [ verbose ] [ vpn-instance-name ] command to check
VPN instance information.
----End
Pre-configuration Tasks
Before configuring a QinQ termination sub-interface and connecting it to an L2VPN,
complete the following tasks:
l Ensure that devices are connected correctly.
l Configure VLANs to which CEs belong and basic Layer 2 forwarding so that packets
sent from CEs to PEs carry double VLAN tags.
l Ensure that the device is not a VCMP client.
Configuration Process
Context
When a VPN network connects to an ISP network through a sub-interface, the sub-interface
needs to terminate VLAN tags. A QinQ termination sub-interface can remove double VLAN
tags carried by packets sent from CEs to PEs.
Procedure
Step 1 Run:
system-view
----End
Context
L2VPN includes Virtual leased line (VLL), Pseudo-Wire Emulation Edge to Edge (PWE3),
and Virtual Private LAN Service (VPLS).
l VLL technology emulates leased lines on an IP network to provide inexpensive,
asymmetrical digital data network (DDN) service. As a point-to-point (P2P) L2VPN
technology, VLL can support almost all link layer protocols.
l PWE3 is an implementation mode of VLL and an extension of the Martini protocol.
PWE3 reduces signaling costs and defines multi-segment PWs (MS-PWs), making
networking modes more flexible.
l VPLS technology implements multipoint-to-multipoint VPN networking. Using VPLS
technology, an ISP can provide Ethernet-based multipoint-to-multipoint services for
users through an MPLS backbone network.
For details about L2VPN, see "VLL Configuration, "PWE3 Configuration", and "VPLS
Configuration" in S7700&S9700 Series Switches Configuration Guide - VPN.
NOTE
A QinQ termination sub-interface can be bound to a VLL that provides homogeneous or heterogeneous
transport in the following modes:
l Local CCC connection
l Remote CCC connection
l Remote SVC connection
l Local Kompella connection
l Remote Kompella connection
l Remote Martini connection
A QinQ termination sub-interface supports the following VPLS connections:
l Martini VPLS
l Kompella VPLS
Procedure
l Run the display qinq information termination [ interface interface-type interface-
number [.subinterface-number ] ] command to check QinQ termination sub-interface
information.
l Run the display vsi [ name vsi-name ] [ verbose ] command to check VSI information.
l Run the display vll ccc [ ccc-name | type { local | remote } ] command to check CCC
connection information.
l Run the display mpls static-l2vc command to check static VC information.
l Run the display mpls l2vc command on the PE to check Martini VLL information on
the local PE.
l Run the display mpls l2vc remote-info command on the PE to check Martini VLL
information on the remote PE.
----End
Pre-configuration Tasks
Before configuring a QinQ termination sub-interface and connecting it to an L3VPN,
complete the following tasks:
l Ensure that devices are connected correctly.
l Configure VLANs to which CEs belong and basic Layer 2 forwarding so that packets
sent from CEs to PEs carry double VLAN tags.
l Ensure that the device is not a VCMP client.
Configuration Process
Context
When a VPN network connects to an ISP network through a sub-interface, the sub-interface
needs to terminate VLAN tags. A QinQ termination sub-interface can remove double VLAN
tags carried by packets sent from CEs to PEs.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
----End
Procedure
l Run the display qinq information termination [ interface interface-type interface-
number [.subinterface-number ] ] command to check QinQ termination sub-interface
information.
l Run the display ip vpn-instance [ verbose ] [ vpn-instance-name ] command to check
VPN instance information.
----End
In the networking example shown in Figure 8-7, both department 1 and department 2 located
in different VLANs and network segments need to use the Internet access service, and users
in department 1 and department 2 need to communicate with each other.
Figure 8-7 Networking for configuring Dot1q termination sub-interfaces to implement inter-
VLAN communication
Switch
GE1/0/1.1 GE1/0/2.1
10.10.10.1/24 10.10.20.1/24
GE1/0/2 GE1/0/2
SwitchA SwitchB
GE1/0/1 GE1/0/1
Department 1 Department 2
PC1 PC2
10.10.10.2/24 10.10.20.2/24
VLAN 10 VLAN 20
Configuration Roadmap
The configuration roadmap is as follows.
1. Configure the ID of the VLAN to which each interface belongs.
2. Configure Dot1q termination sub-interfaces.
3. Assign IP addresses to the sub-interfaces.
NOTE
Procedure
Step 1 Add the uplink interface of SwitchA to VLAN 10 in tagged mode and the user-side interface
to VLAN 10 in untagged mode, and add the uplink interface of SwitchB to VLAN 20 in
tagged mode and the user-side interface to VLAN 20 in untagged mode.Configure VLANs on
interfaces of SwitchA and SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access
[SwitchA-GigabitEthernet1/0/1] port default vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/2] quit
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 20
[SwitchB] interface gigabitethernet1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type access
[SwitchB-GigabitEthernet1/0/1] port default vlan 20
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[SwitchB-GigabitEthernet1/0/2] quit
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vcmp role silent
#
interface GigabitEthernet1/0/1
port link-type hybrid
#
interface GigabitEthernet1/0/1.1
Figure 8-8 Networking for configuring Dot1q termination sub-interfaces to implement inter-
VLAN communication across a network
SwitchA SwitchB
GE1/0/2 GE1/0/1
OSPF
GE1/0/1.1 GE1/0/2.1
VLAN 10 VLAN 20
PC A PC B
10.10.10.2/24 10.10.20.2/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure VLANs that interfaces belong to.
2. Assign IP addresses to VLANIF interfaces.
3. Set the encapsulation mode of sub-interfaces.
4. Configure VLANs allowed by sub-interfaces.
5. Assign IP addresses to the sub-interfaces.
6. Configure basic OSPF functions.
NOTE
Procedure
Step 1 Configure SwitchA.
# Create a VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 30
# Create a VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 30
On the PCs residing on the Layer 2 network connected to SwitchA, set the default gateway
address to 10.10.10.1/24, which is the IP address of GE1/0/1.1. The switch connected to
SwitchA allows VLAN 10.
On the PCs residing on the Layer 2 network connected to SwitchB, set the default gateway
address to 10.10.20.1/24, which is the IP address of GE1/0/2.1. The switch connected to
SwitchA allows VLAN 20.
After the configuration is complete, PCs on the two Layer 2 networks are isolated at Layer 2
and interwork at Layer 3.
----End
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
router id 1.1.1.1
#
vcmp role silent
#
vlan batch 30
#
interface Vlanif30
ip address 10.10.30.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
#
interface GigabitEthernet1/0/1.1
dot1q termination vid 10
ip address 10.10.10.1 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
ospf 1
area 0.0.0.0
network 10.10.10.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return
interface GigabitEthernet1/0/2
port link-type hybrid
#
interface GigabitEthernet1/0/2.1
dot1q termination vid 20
ip address 10.10.20.1 255.255.255.0
arp broadcast enable
#
ospf 1
area 0.0.0.0
network 10.10.20.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return
Networking Requirements
In the networking example shown in Figure 8-9, CE1 and CE2 are connected to PE1 and
PE2, respectively, through VLANs.
A Martini VLL is created between CE1 and CE2 so that users residing on the networks
connected to CE1 and CE2 can communicate with each other.
Figure 8-9 Networking diagram for connecting Dot1q sub-interfaces to a VLL network
GE 2/0/0 GE 1/0/0
PE 1 PE 2
GE 2/0/0 GE1/0/0
GE1/0/0 GE 2/0/0
P
GE1/0/0 GE 1/0/0
Martini
CE 1 CE 2
- Loopback1 - 1.1.1.1/32
- GigabitEthernet2/0/0 GigabitEthernet2/0/0.1 -
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32
Configuration Roadmap
1. Configure a routing protocol on PE and P of the backbone network to implement
interworking, and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP to transmit data.
3. Enable MPLS L2VPN and create VC connections on PEs.
4. Configure Dot1q sub-interfaces on PE interfaces connected to CEs to implement VLL
access.
NOTE
Procedure
Step 1 Configure the VLANs to which interfaces of CEs, PEs, and P belong and assign IP addresses
to VLANIF interfaces according to Figure 8-9.
# Configure CE1 to ensure that each packet that CE1 sends to PE1 carries a single VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.10.10.1 24
[CE1-Vlanif10] quit
# Configure CE2 to ensure that each packet that CE2 sends to PE2 carries a single VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.10.10.2 24
[CE2-Vlanif10] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type hybrid
[PE1-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[PE1-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 10.1.1.1 24
[PE1-Vlanif20] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type hybrid
[P-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[P-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 10.1.1.2 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 10.2.2.2 24
[P-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[PE2-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 10.2.2.1 24
[PE2-Vlanif30] quit
Step 2 Configure an IGP, for example, OSPF, on the MPLS backbone network.
Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the LSR IDs.
# Configure PE1.
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 10.2.2.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 10.2.2.1 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command to verify that the OSPF neighbor
relationship status is Full. Run the display ip routing-table command to verify that the PEs
learn the route to the Loopback1 interface of each other. The following is the display on PE1:
[PE1] display ospf peer
Step 3 Configure basic MPLS functions and LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 to
view the LDP session setup. An LDP session is set up between PE1 and PE2 as shown in the
following display:
[PE1] display mpls ldp session
Check L2VPN connections on PEs. You can see that an L2VC connection has been set up and
is in Up state.
AdminPw interface : --
AdminPw link state : --
Diffserv Mode : uniform
Service Class : --
Color : --
DomainId : --
Domain Name : --
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
mpls l2vc 3.3.3.3 101
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
l P configuration file
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
l PE2 configuration file
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
dot1q termination vid 10
mpls l2vc 1.1.1.1 101
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
Networking Requirements
In the example network shown in Figure 8-10, CE1 and CE2 are connected to PE1 and PE2,
respectively, through VLANs.
Selective QinQ needs to be configured on the interfaces connected to CEs so that the Switch
adds the VLAN tags specified by the carrier to the packets sent from CEs.
A Switch connected to multiple CEs can add the same VLAN tag to the packets from those
CEs, thereby saving VLAN IDs on the public network.
Figure 8-10 Networking diagram for connecting QinQ termination sub-interfaces to a VLL
network
GE2/0/0 GE1/0/0
PE1 PE2
GE2/0/0 GE1/0/0
GE1/0/0 P GE2/0/0
GE2/0/0 GE2/0/0
Switch1 Switch2
GE1/0/0 GE1/0/0
GE1/0/0 GE1/0/0
CE1 CE2
- Loopback1 - 1.1.1.1/32
- GigabitEthernet2/0/0 GigabitEthernet2/0/0.1 -
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32
Configuration Roadmap
1. Configure a routing protocol on PE and P of the backbone network to implement
interworking, and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP to transmit data.
3. Enable MPLS L2VPN and create VC connections on PEs.
4. Configure QinQ sub-interfaces on PE interfaces connected to the switches to implement
VLL access.
5. Configure selective QinQ on the switch interfaces connected to CEs.
NOTE
Procedure
Step 1 Configure the VLANs to which interfaces of CEs, PEs, and P belong and assign IP addresses
to VLANIF interfaces according to Figure 8-10.
# Configure CE1 to ensure that each packet sent from CE1 to Switch1 carries a single VLAN
tag.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.10.10.1 24
[CE1-Vlanif10] quit
# Configure CE2 to ensure that each packet sent from CE2 to Switch2 carries a single VLAN
tag.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.10.10.2 24
[CE2-Vlanif10] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type hybrid
[PE1-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[PE1-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 10.1.1.1 24
[PE1-Vlanif20] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type hybrid
[P-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[P-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 10.1.1.2 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 10.2.2.2 24
[P-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[PE2-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 10.2.2.1 24
[PE2-Vlanif30] quit
Step 2 Configure selective QinQ on interfaces of each Switch and specify the VLANs allowed by the
interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 100
[Switch1-vlan100] quit
[Switch1] interface gigabitethernet2/0/0
[Switch1-GigabitEthernet2/0/0] port link-type hybrid
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch1-GigabitEthernet2/0/0] quit
[Switch1] interface gigabitethernet1/0/0
[Switch1-GigabitEthernet1/0/0] port link-type hybrid
[Switch1-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100
[Switch1-GigabitEthernet1/0/0] quit
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
Step 3 Configure an IGP, for example, OSPF, on the MPLS backbone network.
Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the LSR IDs.
# Configure PE1.
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 10.2.2.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 10.2.2.1 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command to verify that the OSPF neighbor
relationship status is Full. Run the display ip routing-table command to verify that the PEs
learn the route to the Loopback1 interface of each other. The following is the display on PE1:
[PE1] display ospf peer
Step 4 Enable basic MPLS functions and MPLS LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
# Configure PE1.
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 to
view the LDP session setup. You can see an LDP session has been set up between PE1 and
PE2.
The following is the display on PE1:
[PE1] display mpls ldp session
VC state : up
Label state : 0
Token state : 0
VC ID : 101
VC type : VLAN
destination : 3.3.3.3
local group ID : 0 remote group ID : 0
local VC label : 23552 remote VC label : 23552
local AC OAM State : up
local PSN OAM State : up
local forwarding state : forwarding
local status code : 0x0
remote AC OAM state : up
remote PSN OAM state : up
remote forwarding state: forwarding
remote status code : 0x0
ignore standby state : no
BFD for PW : unavailable
VCCV State : up
manual fault : not set
active state : active
forwarding entry : exist
link state : up
local VC MTU : 1500 remote VC MTU : 1500
local VCCV : alert ttl lsp-ping bfd
remote VCCV : alert ttl lsp-ping bfd
local control word : disable remote control word : disable
tunnel policy name : --
PW template name : --
primary or secondary : primary
load balance type : flow
Access-port : false
Switchover Flag : false
VC tunnel/token info : 1 tunnels/tokens
NO.0 TNL type : lsp , TNL ID : 0x10031
Backup TNL type : lsp , TNL ID : 0x0
create time : 1 days, 22 hours, 15 minutes, 9 seconds
up time : 0 days, 22 hours, 54 minutes, 57 seconds
last change time : 0 days, 22 hours, 54 minutes, 57 seconds
VC last up time : 2010/10/09 19:26:37
VC total up time : 1 days, 20 hours, 42 minutes, 30 seconds
CKey : 8
NKey : 3
PW redundancy mode : --
AdminPw interface : --
AdminPw link state : --
Diffserv Mode : uniform
Service Class : --
Color : --
DomainId : --
Domain Name : --
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
interface GigabitEthernet1/0/0.1
qinq termination pe-vid 100 ce-vid 10
mpls l2vc 3.3.3.3 101
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
l P configuration file
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
l PE2 configuration file
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 100 ce-vid 10
mpls l2vc 1.1.1.1 101
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
l Switch2 configuration file
#
sysname Switch2
#
vlan batch 100
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid untagged vlan 100
port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 100
#
return
l CE2 configuration file
#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
Figure 8-11 Networking diagram for connecting Dot1q termination sub-interfaces to a VPLS
network
Loopback1 Loopback1 Loopback1
1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE 1/0/0 GE 2/0/0
PE 1 PE 2
GE 2/0/0 GE1/0/0
GE1/0/0 P GE 2/0/0
GE1/0/0 GE 1/0/0
CE 1 CE 2
- Loopback1 - 1.1.1.1/32
- GigabitEthernet2/0/0 GigabitEthernet2/0/0.1 -
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32
Configuration Roadmap
1. Configure a routing protocol on the backbone network to implement interworking
between devices.
2. Configure Dot1q sub-interfaces on PE interfaces connected to CEs so that the Dot1q
sub-interfaces can connect to the VPLS network.
3. Set up a remote LDP session between PEs.
4. Establish tunnels between PEs to transmit service data.
5. Enable MPLS L2VPN on PEs.
6. Create VSIs on PEs and specify the signaling protocol as LDP.
NOTE
Procedure
Step 1 Configure the VLAN to which each interface belongs and assign IP addresses to VLANIF
interfaces according to Figure 8-11.
NOTE
l The AC-side and PW-side physical interfaces of a PE cannot be added to the same VLAN;
otherwise, a loop may occur.
l Ensure that each packet sent from a CE to a PE carries a VLAN tag.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.1.1.2 24
[CE2-Vlanif10] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type hybrid
[PE1-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[PE1-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 20
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 20
[P-GigabitEthernet1/0/0] port hybrid tagged vlan 20
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type hybrid
[P-GigabitEthernet2/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet2/0/0] port hybrid tagged vlan 30
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 4.4.4.5 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 5.5.5.4 24
[P-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[PE2-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 5.5.5.5 24
[PE2-Vlanif30] quit
Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the LSR IDs.
# Configure PE1.
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 4.4.4.4 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 4.4.4.5 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 5.5.5.4 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, run the display ip routing-table command on PE1, P,
and PE2. You can view the routes that PE1, P, and PE2 have learned from each other. The
following is the display on PE1:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
After the configuration is complete, run the display mpls ldp session command on PE1, P,
and PE2. You can see that the peer relationships are set up between PE1 and P, and between P
and PE2. The status of the peer relationship is Operational. Run the display mpls ldp
command to view the MPLS LDP configuration. The following is the display on PE1:
[PE1] display mpls ldp session
# Configure PE1.
[PE1] mpls ldp remote-peer 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] remote-ip 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 or
PE2. You can see that the status of the peer relationship between PE1 and PE2 is
Operational.
[PE1] display mpls ldp session
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer 1.1.1.1
[PE2-vsi-a2-ldp] quit
[PE2-vsi-a2] quit
# Configure PE2.
[PE2] vcmp role silent
[PE2] interface gigabitethernet2/0/0
[PE2-GigabitEthernet2/0/0] port link-type hybrid
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface gigabitethernet2/0/0.1
[PE2-GigabitEthernet2/0/0.1] dot1q termination vid 10
[PE2-GigabitEthernet2/0/0.1] l2 binding vsi a2
[PE2-GigabitEthernet2/0/0.1] quit
***VSI Name : a2
Administrator VSI : no
Isolate Spoken : disable
VSI Index : 0
PW Signaling : ldp
Member Discovery Style : static
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
P2P VSI : disable
Create Time : 0 days, 0 hours, 5 minutes, 1 seconds
VSI State : up
VSI ID : 2
*Peer Router ID : 3.3.3.3
Negotiation-vc-id : 2
primary or secondary : primary
ignore-standby-state : no
VC Label : 23552
Peer Type : dynamic
Session : up
Tunnel ID : 0x22
Broadcast Tunnel ID : 0x22
Broad BackupTunnel ID : 0x0
CKey : 2
NKey : 1
Stp Enable : 0
PwIndex : 0
Control Word : disable
**PW Information:
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
l CE2 configuration file
#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
l PE1 configuration file
#
sysname PE1
#
router id 1.1.1.1
#
vcmp role
silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.3
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.3
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 4.4.4.4 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
l2 binding vsi a2
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 20
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 5.5.5.5 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
dot1q termination vid 10
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 5.5.5.0 0.0.0.255
#
return
Figure 8-12 Networking diagram for connecting QinQ termination sub-interfaces to a VPLS
network
GE2/0/0 GE2/0/0
PE1 PE2
GE1/0/0 GE1/0/0
GE1/0/0 P GE2/0/0
GE2/0/0 GE2/0/0
Switch1 Switch2
GE1/0/0 GE1/0/0
GE1/0/0 GE1/0/0
CE1 CE2
- Loopback1 - 1.1.1.1/32
- GigabitEthernet2/0/0 GigabitEthernet2/0/0.1 -
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32
Configuration Roadmap
1. Configure a routing protocol on the backbone network to implement interworking
between devices.
2. Configure selective QinQ on Switch interfaces connected to CEs.
3. Set up a remote LDP session between PEs.
4. Establish tunnels between PEs to transmit service data.
5. Enable MPLS L2VPN on PEs.
6. Create VSIs on PEs and specify the signaling protocol as LDP.
Procedure
Step 1 Configure the VLAN to which each interface belongs according to Figure 8-12, and assign IP
addresses to VLANIF interfaces.
NOTE
l The AC-side and PW-side physical interfaces of a PE cannot be added to the same VLAN;
otherwise, a loop may occur.
l Ensure that each packet sent from a CE to the Switch carries a single VLAN tag.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.1.1.2 24
[CE2-Vlanif10] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type hybrid
[PE1-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[PE1-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 4.4.4.4 24
[PE1-Vlanif20] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 20
[P-GigabitEthernet1/0/0] port hybrid tagged vlan 20
[P-GigabitEthernet1/0/0] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[PE2-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 5.5.5.5 24
[PE2-Vlanif30] quit
Step 2 Configure selective QinQ on interfaces of the Switch and specify the VLANs allowed by the
interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 100
[Switch1-vlan100] quit
[Switch1] interface gigabitethernet2/0/0
[Switch1-GigabitEthernet2/0/0] port link-type hybrid
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch1-GigabitEthernet2/0/0] quit
[Switch1] interface gigabitethernet1/0/0
[Switch1-GigabitEthernet1/0/0] port link-type hybrid
[Switch1-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100
[Switch1-GigabitEthernet1/0/0] quit
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan 100
[Switch2-vlan100] quit
[Switch2] interface gigabitethernet2/0/0
[Switch2-GigabitEthernet2/0/0] port link-type hybrid
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch2-GigabitEthernet2/0/0] quit
[Switch2] interface gigabitethernet1/0/0
[Switch2-GigabitEthernet1/0/0] port link-type hybrid
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100
[Switch2-GigabitEthernet1/0/0] quit
# Configure P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 4.4.4.5 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 5.5.5.4 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, run the display ip routing-table command on PE1, P,
and PE2. You can view the routes that PE1, P, and PE2 have learned from each other. The
following is the display on PE1:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
After the configuration is complete, run the display mpls ldp session command on PE1, P,
and PE2. You can see that the peer relationships are set up between PE1 and P, and between P
and PE2. The status of the peer relationship is Operational. Run the display mpls ldp
command to view the MPLS LDP configuration. The following is the display on PE1:
[PE1] display mpls ldp session
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 or
PE2. You can see that the status of the peer relationship between PE1 and PE2 is Operational.
[PE1] display mpls ldp session
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer 1.1.1.1
[PE2-vsi-a2-ldp] quit
[PE2-vsi-a2] quit
# Configure PE2.
[PE2] vcmp role silent
[PE2] interface gigabitethernet2/0/0
[PE2-GigabitEthernet2/0/0] port link-type hybrid
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface gigabitethernet2/0/0.1
[PE2-GigabitEthernet2/0/0.1] qinq termination pe-vid 100 ce-vid 10
[PE2-GigabitEthernet2/0/0.1] l2 binding vsi a2
[PE2-GigabitEthernet2/0/0.1] quit
***VSI Name : a2
Administrator VSI : no
Isolate Spoken : disable
VSI Index : 0
PW Signaling : ldp
Member Discovery Style : static
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
P2P VSI : disable
Create Time : 0 days, 0 hours, 5 minutes, 1 seconds
VSI State : up
VSI ID : 2
*Peer Router ID : 3.3.3.3
Negotiation-vc-id : 2
primary or secondary : primary
ignore-standby-state : no
VC Label : 23552
Peer Type : dynamic
Session : up
Tunnel ID : 0x22
Broadcast Tunnel ID : 0x22
Broad BackupTunnel ID : 0x0
CKey : 2
NKey : 1
Stp Enable : 0
PwIndex : 0
Control Word : disable
**PW Information:
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid untagged vlan 100
port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 100
#
return
l PE1 configuration file
#
sysname PE1
#
router id 1.1.1.1
#
vcmp role
silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.3
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.3
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 4.4.4.4 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
qinq termination pe-vid 100 ce-vid 10
l2 binding vsi a2
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 4.4.4.0 0.0.0.255
#
return
l P configuration file
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 4.4.4.5 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 5.5.5.4 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 4.4.4.0 0.0.0.255
network 5.5.5.0 0.0.0.255
#
return
l PE2 configuration file
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 5.5.5.5 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
CE1 CE3
GE1/0/0 GE1/0/0
Loopback1
2.2.2.2/32
GE1/0/0 GE1/0/0
PE1 PE2
Loopback1 GE1/0/0 GE2/0/0 Loopback1
1.1.1.1/32 GE3/0/0 GE3/0/0 3.3.3.3/32
GE2/0/0 P GE2/0/0
MPLS backbone
AS: 100
GE1/0/0 GE1/0/0
CE2 CE4
VPN-B VPN-B
AS: 65420 AS: 65440
Configuration Roadmap
1. Configure VPN instances on PEs connected to CEs on the backbone network, bind
interfaces connected to CEs to VPN instances, and assign IP addresses to interfaces
connected to CEs.
Procedure
Step 1 Configure an IGP, for example, OSPF, on the MPLS backbone network so that PEs and the P
can communicate with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] vlan batch 30
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port link-type hybrid
[PE1-GigabitEthernet3/0/0] port hybrid pvid vlan 30
[PE1-GigabitEthernet3/0/0] port hybrid untagged vlan 30
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 7.7.7.7 24
[PE1-Vlanif30] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 7.7.7.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] vlan batch 30 60
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet1/0/0] port hybrid untagged vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type hybrid
[P-GigabitEthernet2/0/0] port hybrid pvid vlan 60
[P-GigabitEthernet2/0/0] port hybrid untagged vlan 60
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 7.7.7.8 24
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] ip address 6.6.6.6 24
[P-Vlanif60] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 7.7.7.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 6.6.6.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] vlan batch 60
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] port link-type hybrid
[PE2-GigabitEthernet3/0/0] port hybrid pvid vlan 60
[PE2-GigabitEthernet3/0/0] port hybrid untagged vlan 60
[PE2-GigabitEthernet3/0/0] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] ip address 6.6.6.7 24
[PE2-Vlanif60] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 6.6.6.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command. You can see that the OSPF neighbor
relationship status is Full. Run the display ip routing-table command. You can see that the
PEs learn each others routes to the Loopback1 interface.
The following is the display on PE1:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Step 2 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] mpls
[P-Vlanif60] mpls ldp
[P-Vlanif60] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] mpls
[PE2-Vlanif60] mpls ldp
[PE2-Vlanif60] quit
After the configuration is complete, LDP sessions can be set up between PE1 and the P, and
between the P and PE2. Run the display mpls ldp session command. You can see that the
Status field is Operational. Run the display mpls ldp lsp command to view the MPLS LDP
configuration.
The following is the display on PE1:
[PE1] display mpls ldp session
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] vcmp role silent
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 1/0/0.1
[PE2-GigabitEthernet1/0/0.1] dot1q termination vid 10
[PE2-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE2-GigabitEthernet1/0/0.1] ip address 10.3.1.2 24
After the configuration is complete, run the display ip vpn-instance verbose command on
PEs to view the configurations of VPN instances. Each PE can successfully ping its connected
CE.
NOTE
If multiple interfaces of a PE are bound to the same VPN instance, run the ping -vpn-instance vpn-
instance-name -a source-ip-address dest-ip-address command with -a source-ip-address specified to
ping the CE connected to the remote PE. Otherwise, the ping operation may fail.
Step 4 Set up EBGP peer relationships between PEs and CEs and configure CEs to import VPN
routes.
# Configure CE1. The configurations of CE2, CE3, and CE4 are the same as the configuration
of CE1, and are not mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
# Configure PE1. The configuration of PE2 is the same as the configuration of PE1, and is not
mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit
After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command
on PEs. You can see that BGP peer relationships between PEs and CEs have been established
and are in the Established state.
The following is the peer relationship between PE1 and CE1:
[PE1] display bgp vpnv4 vpn-instance vpna peer
# Configure PE2.
After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer
command on PEs. You can see that the BGP peer relationships have been established between
the PEs.
[PE1] display bgp peer
Gigabitethernet2/0/0.1
10.2.1.2/32 Direct 0 0 D 127.0.0.1
Gigabitethernet2/0/0.1
10.4.1.0/24 IBGP 255 0 RD 3.3.3.3 Vlanif30
CEs in the same VPN can successfully ping each other but CEs in different VPNs cannot.
For example, CE1 can successfully ping CE3 at 10.3.1.1 but cannot ping CE4 at 10.4.1.1.
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.4.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
----End
Configuration Files
l PE1 configuration file
#
sysname PE1
#
router id 1.1.1.1
#
vcmp role
silent
#
vlan batch 30
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif30
ip address 7.7.7.7 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
dot1q termination vid 20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet3/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.1 as-number 65410
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.2.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 7.7.7.0 0.0.0.255
#
return
l P configuration file
#
sysname P
#
router id 2.2.2.2
#
vlan batch 30 60
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif30
ip address 7.7.7.8 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 6.6.6.6 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 6.6.6.0 0.0.0.255
network 7.7.7.0 0.0.0.255
#
return
l PE2 configuration file
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 60
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif60
ip address 6.6.6.7 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
dot1q termination vid 20
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet3/0/0
port link-type hybrid
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.3.1.1 as-number 65430
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.4.1.1 as-number 65440
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 6.6.6.0 0.0.0.255
#
return
l CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 10
port hybrid tagged vlan 10
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
l CE2 configuration file
#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
l CE3 configuration file
#
sysname CE3
#
vlan batch 10
#
interface Vlanif10
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 10
port hybrid tagged vlan 10
#
bgp 65430
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.3.1.2 enable
#
return
l CE4 configuration file
#
sysname CE4
#
vlan batch 20
#
interface Vlanif20
ip address 10.4.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
bgp 65440
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.4.1.2 enable
#
return
Networking Requirements
In the network example shown in Figure 8-14, CE1 and CE3 belong to VPN-A, and CE2 and
CE4 belong to VPN-B. The VPN targets of VPN-A and VPN-B are 111:1 and 222:2
respectively. Users in different VPNs cannot communicate with each other.
Selective QinQ needs to be configured on the interfaces connected to CEs so that the Switch
adds the VLAN tags specified by the carrier to the packets sent from CEs.
When the Switch is connected to multiple CEs, the Switch can add the same VLAN tag to the
packets from different CEs, thereby saving VLAN IDs on the public network.
AS:
VPN-A AS: 65430 VPN-A
65410
CE1 CE3
GE1/0/0 GE1/0/0 GE1/0/0
GE1/0/0
GE1/0/0 GE1/0/0
GE1/0/0 GE1/0/0
CE2 CE4
VPN-B VPN-B
AS: 65420 AS: 65440
Configuration Roadmap
1. Configure VPN instances on PEs connected to CEs on the backbone network, bind
interfaces connected to CEs to VPN instances, and assign IP addresses to interfaces
connected to CEs.
2. Configure OSPF on PEs to implement interworking between PEs.
3. Configure basic MPLS functions and MPLS LDP, and set up MPLS LSPs.
4. Configure the Multi-protocol Extensions for Interior Border Gateway Protocol (MP-
IBGP) on PEs to exchange VPN routing information.
5. Configure EBGP on CEs and PEs to exchange VPN routing information.
6. Configure QinQ termination sub-interfaces on PE interfaces connected to the Switch, so
that the QinQ termination sub-interfaces can connect to the L3VPN.
7. Configure selective QinQ on Switch interfaces connected to CEs.
NOTE
Procedure
Step 1 Configure selective QinQ on interfaces of the Switch and specify the VLANs allowed by the
interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 100
[Switch1-vlan100] quit
[Switch1] interface GigabitEthernet 2/0/0
[Switch1-GigabitEthernet2/0/0] port link-type hybrid
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch1-GigabitEthernet2/0/0] quit
[Switch1] interface GigabitEthernet 1/0/0
[Switch1-GigabitEthernet1/0/0] port link-type hybrid
[Switch1-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100
[Switch1-GigabitEthernet1/0/0] quit
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan 200
[Switch2-vlan200] quit
[Switch2] interface GigabitEthernet 2/0/0
# Configure Switch3.
<HUAWEI> system-view
[HUAWEI] sysname Switch3
[Switch3] vlan 100
[Switch3-vlan100] quit
[Switch3] interface GigabitEthernet 2/0/0
[Switch3-GigabitEthernet2/0/0] port link-type hybrid
[Switch3-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch3-GigabitEthernet2/0/0] quit
[Switch3] interface GigabitEthernet 1/0/0
[Switch3-GigabitEthernet1/0/0] port link-type hybrid
[Switch3-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch3-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100
[Switch3-GigabitEthernet1/0/0] quit
# Configure Switch4.
<HUAWEI> system-view
[HUAWEI] sysname Switch4
[Switch4] vlan 200
[Switch4-vlan200] quit
[Switch4] interface GigabitEthernet 2/0/0
[Switch4-GigabitEthernet2/0/0] port link-type hybrid
[Switch4-GigabitEthernet2/0/0] port hybrid tagged vlan 200
[Switch4-GigabitEthernet2/0/0] quit
[Switch4] interface GigabitEthernet 1/0/0
[Switch4-GigabitEthernet1/0/0] port link-type hybrid
[Switch4-GigabitEthernet1/0/0] port hybrid untagged vlan 200
[Switch4-GigabitEthernet1/0/0] port vlan-stacking vlan 20 stack-vlan 200
[Switch4-GigabitEthernet1/0/0] quit
Step 2 Configure an IGP, for example, OSPF, on the MPLS backbone network so that PEs and the P
can communicate with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] vlan batch 30
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port link-type hybrid
[PE1-GigabitEthernet3/0/0] port hybrid pvid vlan 30
[PE1-GigabitEthernet3/0/0] port hybrid untagged vlan 30
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 7.7.7.7 24
[PE1-Vlanif30] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 7.7.7.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] vlan batch 30 60
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet1/0/0] port hybrid untagged vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type hybrid
[P-GigabitEthernet2/0/0] port hybrid pvid vlan 60
[P-GigabitEthernet2/0/0] port hybrid untagged vlan 60
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 7.7.7.8 24
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] ip address 6.6.6.6 24
[P-Vlanif60] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 7.7.7.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 6.6.6.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] vlan batch 60
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] port link-type hybrid
[PE2-GigabitEthernet3/0/0] port hybrid pvid vlan 60
[PE2-GigabitEthernet3/0/0] port hybrid untagged vlan 60
[PE2-GigabitEthernet3/0/0] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] ip address 6.6.6.7 24
[PE2-Vlanif60] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 6.6.6.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command. You can see that the OSPF neighbor
relationship status is Full. Run the display ip routing-table command. You can see that the
PEs learn each others routes to the Loopback1 interface.
The following is the display on PE1:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Step 3 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] mpls
[P-Vlanif60] mpls ldp
[P-Vlanif60] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] mpls
[PE2-Vlanif60] mpls ldp
[PE2-Vlanif60] quit
After the configuration is complete, LDP sessions can be set up between PE1 and the P, and
between the P and PE2. Run the display mpls ldp session command. You can see that the
Status field is Operational. Run the display mpls ldp lsp command to view the MPLS LDP
configuration.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] vcmp role silent
[PE1] interface GigabitEthernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type hybrid
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface GigabitEthernet 1/0/0.1
[PE1-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10
[PE1-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE1-GigabitEthernet1/0/0.1] ip address 10.1.1.2 24
[PE1-GigabitEthernet1/0/0.1] arp broadcast enable
[PE1-GigabitEthernet1/0/0.1] quit
[PE1] interface GigabitEthernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type hybrid
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface GigabitEthernet 2/0/0.1
[PE1-GigabitEthernet2/0/0.1] qinq termination pe-vid 200 ce-vid 20
[PE1-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] vcmp role silent
[PE2] interface GigabitEthernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface GigabitEthernet 1/0/0.1
[PE2-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10
[PE2-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE2-GigabitEthernet1/0/0.1] ip address 10.3.1.2 24
[PE2-GigabitEthernet1/0/0.1] arp broadcast enable
[PE2-GigabitEthernet1/0/0.1] quit
[PE2] interface GigabitEthernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type hybrid
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface GigabitEthernet 2/0/0.1
[PE2-GigabitEthernet2/0/0.1] qinq termination pe-vid 200 ce-vid 20
[PE2-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb
[PE2-GigabitEthernet2/0/0.1] ip address 10.4.1.2 24
[PE2-GigabitEthernet2/0/0.1] arp broadcast enable
[PE2-GigabitEthernet2/0/0.1] quit
After the configuration is complete, run the display ip vpn-instance verbose command on
PEs to check the VPN instance configuration. Each PE can successfully ping its connected
CE.
NOTE
If multiple interfaces of a PE are bound to the same VPN instance, run the ping -vpn-instance vpn-
instance-name -a source-ip-address dest-ip-address command with -a source-ip-address specified to
ping the CE connected to the remote PE. Otherwise, the ping operation may fail.
Interfaces : Gigabitethernet1/0/0.1
Address family ipv4
Create date : 2013-08-28 21:01:00+00:00
Up time : 0 days, 22 hours, 24 minutes and 53 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label Policy : label per instance
Per-Instance Label : 4098
Log Interval : 5
Step 5 Set up EBGP peer relationships between PEs and CEs and configure CEs to import VPN
routes.
# Configure CE1. The configurations of CE2, CE3, and CE4 are the same as the configuration
of CE1, and are not mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
# Configure PE1. The configuration of PE2 is the same as the configuration of PE1, and is not
mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit
After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command
on PEs. You can see that BGP peer relationships between PEs and CEs have been established
and are in the Established state.
The following is the peer relationship between PE1 and CE1:
[PE1] display bgp vpnv4 vpn-instance vpna peer
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.3 as-number 100
[PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.1 as-number 100
[PE2-bgp] peer 1.1.1.1 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer
command on PEs. You can see that the BGP peer relationships have been established between
the PEs.
[PE1] display bgp peer
Run the display ip routing-table vpn-instance command on a PE. You can view the routes to
the remote CE.
The following is the display on PE1:
[PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 3 Routes : 3
CEs in the same VPN can successfully ping each other but CEs in different VPNs cannot.
For example, CE1 can successfully ping CE3 at 10.3.1.1 but cannot ping CE4 at 10.4.1.1.
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.4.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
----End
Configuration Files
l PE1 configuration file
#
sysname PE1
#
router id 1.1.1.1
#
vcmp role
silent
#
vlan batch 30
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif30
ip address 7.7.7.7 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
qinq termination pe-vid 100 ce-vid 10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 200 ce-vid 20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet3/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
import-route direct
#
ipv4-family vpn-instance vpnb
peer 10.2.1.1 as-number 65420
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 7.7.7.0 0.0.0.255
#
return
l P configuration file
#
sysname P
#
router id 2.2.2.2
#
vlan batch 30 60
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif30
ip address 7.7.7.8 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 6.6.6.6 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 7.7.7.0 0.0.0.255
network 6.6.6.0 0.0.0.255
#
return
l PE2 configuration file
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 60
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif60
ip address 6.6.6.7 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
qinq termination pe-vid 100 ce-vid 10
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 200 ce-vid 20
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet3/0/0
port link-type hybrid
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpna
peer 10.3.1.1 as-number 65430
import-route direct
#
ipv4-family vpn-instance vpnb
peer 10.4.1.1 as-number 65440
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
import-route direct
peer 10.3.1.2 enable
#
return
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid untagged vlan 100
port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 100
#
return
This chapter describes how to configure voice VLAN. A voice VLAN changes the priority of
voice data packets to improve voice data transmission quality.
Purpose
Data, voice, and video services are often transmitted simultaneously over a network. Packet
loss and delay seriously affect the voice communication quality. Voice services, in particular,
require a higher forwarding priority than data or video services. When bandwidth is limited,
voice data must have transmission preference over other types of data. This can be done by
configuring a voice VLAN on the switch to transmit voice data and setting QoS parameters in
the voice VLAN so that voice data is given preference when congestion occurs.
Related Content
Videos
Huawei Switches Voice VLAN Feature Introduction
Network
PC IP Phone Switch
Network
IP Phone Switch
Some IP phones (for example, Cisco 7960) send tagged voice packets and some IP phones
(for example, Huawei MC850) send untagged voice packets. The following sections describe
how the MAC address-based voice VLAN and VLAN ID-based voice VLAN transmit tagged
and untagged voice packets.
9.3 Principles
A switch configured with voice VLAN can:
l Identify voice data.
l Increase the priority of voice data.
l Forward the voice data based on the increased priority.
The switch can identify voice data flows based on MAC addresses and VLAN IDs regardless
of whether the packets carry VLAN tags. However, OUIs must be configured in order for the
switch to differentiate untagged voice packets from data packets. If the voice packets are
tagged, configuring VLAN ID-based voice VLAN simplifies configuration when many IP
phones connect to the switch.
Network
PC IP Phone Switch
LLDP is one of multiple methods in which an IP phone can obtain voice VLAN information
from a switch.
Network
PC IP Phone Switch
① Send an LLDPDU
② Encapsulate the voice VLAN ④ High-priority voice packet
ID in the LLDPDU
③ Send the tagged voice
packet to the switch
Figure 9-4 shows a PC and an IP phone connecting to a switch. The IP phone obtains voice
VLAN information from the switch through LLDP as follows:
When receiving untagged packets, the switch still sends them in the VLAN specified by the
PVID. When congestion occurs, the switch preferentially sends voice packets.
Switch Switch1
Internet
IP Phone A
IP Phone C
IP Phone B
PC A PC C
Configure a voice VLAN according to the type of voice packets sent by IP phones:
l Configure MAC address-based voice VLAN if voice packets are untagged.
l Configure VLAN ID-based voice VLAN if IP phones are able to obtain voice VLAN
information on the switch.
License Support
The voice VLAN is a basic feature of a switch and is not under license control.
Version Support
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
– For X series cards, the priority configured using the remark (user group view)
command takes effect.
– For the non-X series cards, the priority configured using the voice-vlan remark
command takes effect.
Context
To implement the voice VLAN function, configure the VLAN used to forward voice packets
on the switch as a voice VLAN and enable the voice VLAN. You are advised to configure
different VLANs for voice and data services to facilitate management.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
voice-vlan vlan-id enable [ include-untagged ]
A voice VLAN is configured and the voice VLAN function is enabled on the interface.
By default, the voice VLAN function is disabled on an interface. To allow IP phones to send
untagged packets, specify include-untagged.
NOTE
----End
Context
The switch can identify voice data flows according to the source MAC address of the received
data packets. The switch considers data packets with the source MAC address matching the
Organizationally Unique Identifier (OUI) as voice data flows.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
voice-vlan remark-mode mac-address
----End
Context
An OUI is the first 24 bits of a 48-bit MAC address assigned to each vendor by the Institute
of Electrical and Electronics Engineers (IEEE). Voice packets sent by IP phones can be
identified by the MAC address ranges requested by IP phone vendors.
In voice VLAN, the OUI is user-defined and not necessarily 24 bits long. The OUI is the
result of the AND operation between the MAC address and mask in the voice-vlan mac-
address command.
Procedure
Step 1 Run:
system-view
Step 2 Run:
voice-vlan mac-address mac-address mask oui-mask [ description text ]
l The MAC address cannot be all 0s, multicast address, or broadcast address.
l The system supports a maximum of 100 OUIs. When the system is configured with 100
OUIs, subsequent configurations will not take effect.
l When you run the undo voice-vlan mac-address mac-address command to delete an
OUI, set mac-address to the result of the logical AND operation between the OUI and
the OUI mask that you set.
----End
Context
Based on MAC addresses, an interface can be added to a voice VLAN in auto or manual
mode. You can configure a mode in which an interface is added to a voice VLAN according
to data flows on the interface.
l Auto
The system adds the interface connected to a voice device to the voice VLAN if the
source MAC address of packets sent from the voice device matches the OUI.
l Manual
In manual mode, the interface connected to a voice device must be added to the voice
VLAN manually after the voice VLAN function is enabled on the interface. Otherwise,
the voice VLAN does not take effect on the interface.
Procedure
Step 1 Run:
system-view
NOTE
l The automatic mode of the voice VLAN is not supported on the X1E-series boards.
l In auto mode, access, negotiation-auto, or negotiation-desirable interfaces cannot be added to a voice
VLAN. To add the interface to the voice VLAN, run the port link-type command to change the link
type of the interface to trunk or hybrid.
l The automatic mode takes effect only when the voice-vlan remark-mode mac-address command is
configured to increase the priority of voice packets based on MAC addresses and the voice-vlan
enable command without include-untagged specified is configured to enable voice VLAN on the
interface and add voice VLAN IDs to only tagged packets.
Step 5 Add an interface to a voice VLAN in manual mode according to 4.7.1.1 Configuring
Interface-based VLAN Assignment (Statically Configured Interface Type).
----End
Context
Based on the data filtering mechanism, a voice VLAN works in either secure or normal mode.
Table 9-2 describes the voice VLAN working modes.
Secu The inbound interface If the source MAC The secure mode takes
re enabled with the voice address does not match effect only when the
VLAN function allows the OUI, the interface voice-vlan remark-mode
only the voice packets in does not change the mac-address command is
which the source MAC priority of voice packets configured to increase the
address matches the OUI and prevents the voice priority of voice packets
address of the voice packets from being based on MAC addresses.
VLAN, and discards non- forwarded in the voice
voice packets from the VLAN.
voice VLAN and If the source MAC
forwards packets from address matches the OUI,
other VLANs. the interface changes the
priority of voice packets
and allows the voice
packets to be forwarded
in the voice VLAN.
Nor The inbound interface If the source MAC Transmitting voice and
mal enabled with the voice address does not match service data at the same
VLAN function transmits the OUI, the interface time in a voice VLAN is
both voice packets and does not change the not recommended. If a
non-voice packets. In priority of voice packets voice VLAN must
normal mode, the and allows the voice transmit both voice and
interface is vulnerable to packets to be forwarded service data, ensure that
attacks from malicious in the voice VLAN. the voice VLAN works in
data traffic. If the source MAC normal mode.
address matches the OUI,
the interface changes the
priority of voice packets
and allows the voice
packets to be forwarded
in the voice VLAN.
Procedure
l Configuring the secure mode
a. Run:
system-view
c. Run:
voice-vlan security enable
----End
9.7.1.6 (Optional) Configuring the 802.1p Priority and DSCP Priority for a Voice
VLAN
Context
By default, the 802.1p priority and DSCP priority for a voice VLAN are 6 and 46
respectively. You can dynamically configure 802.1p priority and DSCP priority to plan
priorities for different voice services.
l The 802.1p priority is indicated by the value in the 3-bit PRI field in each 802.1Q VLAN
frame. This field determines the transmission priority for data packets when a switching
device is congested.
l The DSCP value is indicated by the 6 bits in the Type of Service (ToS) field in the IPv4
packet header. DSCP, as the signaling for DiffServ, is used for QoS guarantee on IP
networks. The traffic controller on the network gateway takes actions merely based on
the information carried by the 6 bits.
Procedure
Step 1 Run:
system-view
Step 2 Run:
voice-vlan remark { 8021p 8021p-value | dscp dscp-value } *
The 802.1p priority and DSCP priority are configured for a voice VLAN.
By default, the 802.1p priority and DSCP priority for a voice VLAN are 6 and 46
respectively.
NOTE
When the outbound interface is located on the ES0D0G24SA00 or ES0D0G24CA00 of the S7700, the
802.1p priority cannot be changed.
----End
Procedure
l Run the display voice-vlan [ vlan-id ] status command to check information about a
voice VLAN, including the status, working mode, 802.1p priority and DSCP priority of
the voice VLAN, and interface enabled with voice VLAN.
l Run the display voice-vlan oui command to check the organizationally unique identifier
(OUI), OUI mask, and OUI description of the voice VLAN.
----End
Context
To implement the voice VLAN function, configure the VLAN used to forward voice packets
on the switch as a voice VLAN and enable the voice VLAN. You are advised to configure
different VLANs for voice and data services to facilitate management.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
voice-vlan vlan-id enable [ include-untagged ]
A voice VLAN is configured and the voice VLAN function is enabled on the interface.
By default, the voice VLAN function is disabled on an interface. When IP phones send
untagged packets, specify include-untagged and configure an OUI for the voice VLAN.
NOTE
----End
Context
If the VLAN ID in packets received by a switch interface is the same as the voice VLAN ID,
the switch considers the packets as voice packets and increases the packet priority.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
voice-vlan remark-mode vlan
----End
Context
When a VLAN ID-based voice VLAN is used, the interface connected to a voice device must
be added to the voice VLAN manually so that the voice VLAN can take effect.
Procedure
Step 1 Add an interface to a voice VLAN in manual mode according to 4.7.1.1 Configuring
Interface-based VLAN Assignment (Statically Configured Interface Type).
----End
Context
Generally, IP phones that can send tagged voice packets can obtain voice VLAN information
from the switch using a protocol such as LLDP (LLDP is used as an example). LLDP needs to
be enabled. When the switch receives an LLDPDU from an IP phone, the switch encapsulates
voice VLAN information in the LLDPDU and sends it to the IP phone. The IP phone then
sends tagged voice packets.
The switch can encapsulate voice VLAN information into LLDPDUs and send them to
connected IP phones. However, IP phones of some vendors send Cisco Discovery Protocol
(CDP) packets. You can run the voice-vlan legacy enable command to enable CDP-
compatible function so that the switch encapsulates voice VLAN information in CDP packets
and sends them to connected IP phones.
Procedure
l Configuring the switch to advertise voice VLAN information to an IP phone through
LLDP
a. Run:
system-view
----End
9.7.2.5 (Optional) Configuring the 802.1p Priority and DSCP Priority for a Voice
VLAN
Context
By default, the 802.1p priority and DSCP priority for a voice VLAN are 6 and 46
respectively. You can dynamically configure 802.1p priority and DSCP priority to plan
priorities for different voice services.
l The 802.1p priority is indicated by the value in the 3-bit PRI field in each 802.1Q VLAN
frame. This field determines the transmission priority for data packets when a switching
device is congested.
l The DSCP value is indicated by the 6 bits in the Type of Service (ToS) field in the IPv4
packet header. DSCP, as the signaling for DiffServ, is used for QoS guarantee on IP
networks. The traffic controller on the network gateway takes actions merely based on
the information carried by the 6 bits.
Procedure
Step 1 Run:
system-view
Step 2 Run:
voice-vlan remark { 8021p 8021p-value | dscp dscp-value } *
The 802.1p priority and DSCP priority are configured for a voice VLAN.
By default, the 802.1p priority and DSCP priority for a voice VLAN are 6 and 46
respectively.
NOTE
When the outbound interface is located on the ES0D0G24SA00 or ES0D0G24CA00 of the S7700, the
802.1p priority cannot be changed.
----End
Procedure
l Run the display voice-vlan [ vlan-id ] status command to check information about a
voice VLAN, including the status, 802.1p priority and DSCP priority of the voice
VLAN, and interface enabled with voice VLAN.
----End
Networking Requirements
As shown in Figure 9-6, the switch connects to IP phones and a PC. The switch uses VLAN 2
to transmit voice packets and VLAN 3 to transmit data packets. PC A connects to IP phone A
and they connect to the switch, and IP phone B separately connects to the switch. IP phones
send untagged voice packets. Users require high quality of the VoIP service; therefore, voice
data flows must be transmitted with a high priority to ensure the call quality.
Switch Switch1
Internet
GE1/0/1 GE1/0/2
IP Phone A GE1/0/1
MAC:0003-6B00-0001
Mask:ffff-ff00-0000
IP Phone C
IP Phone B
MAC:0003-6B00-0002
Mask:ffff-ff00-0000
PC A
PC C
286E-D400-0001
Configuration Roadmap
Because voice and data packets received by the switch are untagged, you need to configure
OUIs to differentiate voice and data traffic. The configuration roadmap is as follows:
1. Create VLANs on the switch and add interfaces to VLANs to implement Layer 2
connectivity.
2. Configure an OUI so that the switch adds a VLAN tag to voice packets in which the
source MAC address matches the OUI.
3. Configure VLAN 2 as the voice VLAN and configure the interface to allow voice
packets to pass through.
Procedure
Step 1 Configure VLANs and interfaces on the Switch.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 3
Step 3 # Enable the voice VLAN function on GE1/0/1. The configuration of GE1/0/2 is similar to the
configuration of GE1/0/1, and is not mentioned here.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] voice-vlan 2 enable include-untagged
[Switch-GigabitEthernet1/0/1] voice-vlan remark-mode mac-address
[Switch-GigabitEthernet1/0/1] quit
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
voice-vlan mac-address 0003-6b00-0000 mask ffff-ff00-0000
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type hybrid
Networking Requirements
As shown in Figure 9-7, the switch connects to IP phones and a PC. The switch uses VLAN 2
to transmit voice packets and VLAN 3 to transmit data packets. PC A connects to IP phone A
and they connect to the switch, and IP phone B separately connects to the switch. IP phones
can obtain voice VLAN information through LLDP and send tagged voice packets. Users
require high quality of the VoIP service; therefore, voice data flows must be transmitted with
a high priority to ensure the call quality. In addition, the administrator manages many IP
phones and requires simplified configurations.
Switch Switch1
Internet
GE1/0/1 GE1/0/2
GE1/0/1
IP Phone A
IP Phone C
IP Phone B
PC A PC C
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on the switch and add interfaces to VLANs to implement Layer 2
connectivity.
2. Enable LLDP so that IP phones cna obtain voice VLAN information through LLDP.
3. Configure VLAN 2 as the voice VLAN and configure the interface to allow voice
packets to pass through. Configure a VLAN ID-based voice VLAN, which relieves you
from configuring OUIs.
Procedure
Step 1 Configure VLANs and interfaces on the Switch.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 3
Step 3 # Enable the voice VLAN function on GE1/0/1. The configuration of GE1/0/2 is similar to the
configuration of GE1/0/1, and is not mentioned here.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] voice-vlan 2 enable
[Switch-GigabitEthernet1/0/1] voice-vlan remark-mode vlan
[Switch-GigabitEthernet1/0/1] quit
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2 to 3
#
lldp enable
#
interface GigabitEthernet1/0/1
port link-type hybrid
voice-vlan 2 enable
port hybrid pvid vlan 3
port hybrid tagged vlan 2
port hybrid untagged vlan 3
#
interface GigabitEthernet1/0/2
port link-type hybrid
voice-vlan 2 enable
port hybrid tagged vlan 2
#
return
10 QinQ Configuration
Definition
QinQ expands VLAN space by adding an additional 802.1Q tag to 802.1Q tagged packets. It
allows services in a private VLAN to be transparently transmitted over a public network. A
packet transmitted on the backbone network carries two 802.1Q tags: a public VLAN tag and
a private VLAN tag.
Purpose
Ethernet is widely used on ISP networks, but 802.1Q VLANs are unable to identify and
isolate large numbers of users on metro Ethernet networks because the 12-bit VLAN tag field
defined in IEEE 802.1Q only identifies a maximum of 4096 VLANs. QinQ was developed to
expand VLAN space beyond 4096 VLANs so that a larger number of users can be identified
on a metro Ethernet network.
QinQ was originally developed to expand VLAN space by adding an additional 802.1Q tag to
an 802.1Q-tagged packet. In this way, the number of VLANs can increase to 4094 x 4094.
In addition to expanding VLAN space, QinQ is applied in other scenarios with the
development of metro Ethernet networks and carriers' requirements on refined service
operation. The outer and inner VLAN tags can be used to differentiate packets based on users
and services. For example, the inner tag represents a user, while the outer tag represents a
service. Moreover, QinQ is used as a simple and practical VPN technology because inner tags
of QinQ packets are transparently transmitted over a public network. It extends core MPLS
VPN services to metro Ethernet networks to establish an end-to-end VPN.
Since QinQ technology is easy to use, it has been widely applied in Internet Service Provider
(ISP) networks. For example, QinQ is combined with multiple services in metro Ethernet
solutions. Selective QinQ (VLAN stacking) makes QinQ more popular among ISPs. As the
metro Ethernet develops, equipment vendors have developed their own metro Ethernet
solutions, in which the simple and flexible QinQ technology plays an important role.
Benefits
QinQ offers the following benefits:
l Extends the VLAN space to isolate and identify more users.
l Facilitates service deployment by allowing the inner and outer tags to represent different
information. For example, the inner tag identifies a user and the outer tag identifies a
service.
l Allows ISPs to implement refined service operation by providing diversified
encapsulation and termination modes.
10.2 Principles
VLAN 4 VLAN 3
Pubilc
PE1 PE2
network
VLAN 3 VLAN 4
Customer Customer
network A network B
CE1 CE2
VLAN 1~10 VLAN 1~20
In Figure 10-1, customer network A is divided into private VLANs 1 to 10, and customer
network B is divided into private VLANs 1 to 20. The carrier allocates public VLANs 3 and 4
to customer networks A and B respectively. When tagged packets from networks A and B
arrive at the carrier network, the packets are tagged outer VLANs 3 and 4. Therefore, the
packets from different customer networks are separated on the carrier network, even though
the customer networks use overlapping VLAN ranges. When the packets reach the PE on the
other side of the carrier network, the PE removes public VLAN tags from the packets and
forwards the packets to the CE of the appropriate customer network.
NOTE
Because a QinQ packet has 4 more bytes than an 802.1Q packet, the maximum frame length allowed by
each interface on the carrier network should be at least 1504 bytes. The default frame length allowed by
interfaces of a switch is larger than 1504 bytes, so you do not need to adjust it. For details on how to
configure the frame length allowed by an interface, see Setting the Jumbo Frame Length Allowed on an
Interface.
QinQ Implementation
QinQ can be implemented in either of the following ways:
1. Basic QinQ
Basic QinQ is implemented based on interfaces. After basic QinQ is configured on an
interface, the device adds the default VLAN tag of this interface to all packets regardless
of whether the packets carry VLAN tags.
– If a single-tagged packet is received, the packet becomes a double-tagged packet.
– If an untagged packet is received, the packet is tagged with the default VLAN ID of
the local interface.
2. Selective QinQ
Selective QinQ is implemented based on interfaces and VLAN IDs. That is, an interface
can forward packets based on a single VLAN tag or double VLAN tags. In addition, the
device processes packets received on an interface as follows based on their VLAN IDs:
– Adds different outer VLAN tags to packets carrying different inner VLAN IDs.
– Marks outer 802.1p fields and adds different outer VLAN tags to packets according
to the 802.1p fields in inner VLAN tags.
In addition to separating carrier and customer networks, selective QinQ provides
extensive service features and allows flexible networking.
QinQ Encapsulation
QinQ encapsulation changes a single-tagged packet into a double-tagged packet, and is
usually performed on underlayer provider edge (UPE) interfaces connected to customer
networks.
When service data is transparently transmitted over an MPLS/IP core network using
PWE3/VLL/VPLS, a network-end provider edge (NPE) sub-interface adds an outer
VLAN tag to a packet based on the inner VLAN tag. Then the packet is transmitted on
the VLL/PWE3/VPLS network using the outer VLAN tag. Packets from multiple private
VLANs can be transparently transmitted through a sub-interface, which is called a QinQ
stacking sub-interface.
QinQ encapsulation on a sub-interface is also a form of flow-based QinQ encapsulation.
The QinQ stacking sub-interface must be used with the L2VPN service (PWE3/VLL/
VPLS), and cannot support Layer 3 forwarding.
Basic QinQ can be configured to expand VLAN space when multiple VLANs are required.
In Figure 10-3, Department 1 has two offices and Department 2 has three offices. These
offices are connected to PE1 and PE2, respectively. Department 1 and Department 2 can plan
their own VLANs as required.
…… Port3 ……
PE1 Port4
VLAN1000 VLAN4094 VLAN500 VLAN2500
Port1 Port2
Port3
…… ……
……
Table 10-1 describes the outer VLAN tag plan for Department 1 and Department 2.
Department 1 2 to 500 10
QinQ tunneling is configured on PE1 and PE2 in the following way to implement
communication within each department and isolate the two departments:
l Configure PE1 to add the outer VLAN 10 to packets received on Port1 and Port2 and
outer VLAN 20 to packets received on Port3.
l Configure PE2 to add the outer VLAN 20 to packets received on Port1 and Port2.
l Configure Port4 on PE1 and Port3 on PE2 to allow packets of VLAN 20 to pass.
Department 2 Department 2
PE2
Port1 Port2
…… Port3 ……
PE1 Port3
……
……
……
VLAN100 VLAN500
Department 1
VLAN2 VLAN500 VLAN1000 VLAN2000
Department 1 Department 2
Selective QinQ is configured on PE1 and PE2 in the following way to implement
communication within each department and isolate the two departments.
l Configure outer VLAN tags for packets received on interfaces of PE1 and PE2 according
to Table 10-2.
l Configure Port3 on PE1 and Port3 on PE2 to allow packets of VLAN 20 to pass.
10.2.4 TPID
The Tag Protocol Identifier (TPID) specifies the protocol type of a VLAN tag. The TPID
value defined in IEEE 802.1Q is 0x8100.
Figure 10-5 shows the Ethernet packet format defined in IEEE 802.1Q. An IEEE 802.1Q tag,
containing the TPID, lies between the Source Address field and the Length/Type field. A
device checks the TPID value in a received packet to determine whether the VLAN tag is an
S-VLAN tag or C-VLAN tag. The device compares the configured TPID value with the TPID
value in the packet. For example, if a frame carries the VLAN tag with TPID 0x8100 but the
TPID configured for a customer network on a device is 0x8200, the device considers the
frame untagged.
Carrier's systems may use different TPID values in outer VLAN tags. When a Huawei device
needs to interoperate with such a carrier system, set the TPID value to the value used by the
carrier so that QinQ packets sent from the Huawei device can be transmitted across the carrier
network. To prevent errors in packet forwarding and processing, do not set the TPID to any of
values listed in Table 10-3.
ARP 0x0806
RARP 0x8035
IP 0x0800
IPv6 0x86DD
PPPoE 0x8863/0x8864
MPLS 0x8847/0x8848
IPX/SPX 0x8137
LACP 0x8809
802.1x 0x888E
HGMP 0x88A7
Reserved 0xFFFD/0xFFFE/0xFFFF
ISP
IP 50 IP 50
VLAN Tag:50
Device2 Device3
GE1/0/2 GE1/0/2
GE1/0/1.1
QinQ Mapping GE1/0/1.1
IP 20 IP 40
Device1 Device4
PC1 PC2
172.16.0.1/24 172.16.0.7/24
In Figure 10-6, 2-to-1 QinQ mapping is configured on GE1/0/1.1 interfaces of Device2 and
Device3. Frames sent from PC1 to PC2 are processed as follows:
1. PC1 sends an untagged frame to Device1. After receiving the frame, Device1 adds
VLAN tag 20 to the frame.
2. Device1 forwards the frame with VLAN tag 20 to Device2. Device2 replaces VLAN tag
20 with S-VLAN tag 50 on sub-interface GE1/0/1.1.
3. Device2 sends the frame with S-VLAN tag 50 through GE1/0/2.
4. The frame is transparently transmitted on the ISP network.
5. When the frame arrives at GE1/0/1.1 of Device3, Device3 replaces VLAN tag 50 with
VLAN tag 40.
Frames sent from PC2 to PC1 are processed in a similar way.
QinQ mapping allows PC1 to communicate with PC2.
1-to-1 The interface maps the tag l QinQ mapping is performed on sub-
in a received single-tagged interfaces and used for VPLS access.
packet to a specified tag. l VLAN mapping is performed on main
interfaces and applies to Layer 2 networks
where packets are forwarded based on
VLANs.
10.3 Applications
Core Network
NPE
UPE
VLAN101 VLAN101
VLAN301 VLAN301
VLAN501 VLAN501
PVC101
PVC301
PVC501
In Figure 10-7, the digital subscriber line access multiplexers (DSLAMs) support multiple
permanent virtual channels (PVCs) so that a same user can use multiple services, such as
High-Speed Internet (HSI), Internet Protocol Television (IPTV), and voice over IP (VoIP).
The carrier assigns different PVCs and VLAN ranges to HSI, IPTV, and VoIP services, as
described in Table 10-5.
A user accesses the VoIP service. When a VoIP packet reaches a DSLAM through a specified
PVC, the DSLAM marks the packet with a VLAN in the VLAN range mapped to the PVC,
such as 301. When the VoIP packet reaches the UPE, the UPE tags the packets with an outer
VLAN ID mapping the VoIP VLAN ID range, such as 2000. The inner VLAN ID represents
user information and the outer VLAN ID represents service information and the location of
the DSLAM (packets from different DSLAMs are tagged with different outer VLAN IDs).
When the packet reaches the NPE indicated by the outer VLAN tag, the VLAN tag is
terminated on the QinQ termination sub-interface. According to the core network
configuration, the packet is forwarded on the IP network or enters the corresponding VPN.
HSI and IPTV services are processed in the same manner, except that VLAN tags of HSI
services are terminated on a broadband remote access server (BRAS).
The NPE can perform HQoS scheduling based on double tags and generate a DHCP binding
table to avoid network attacks. In addition, the NPE can implement DHCP authentication
based on double tags or other information. You can also configure VRRP on QinQ
termination sub-interfaces to ensure service reliability.
ME MPLS/IP ME
UPE UPE
NPE NPE
VLAN100 VLAN100
VLAN100
VLAN200 VLAN200
VLAN200
VLAN300 VLAN300
VLAN300
The carrier uses VPLS technology on the MPLS/IP core network and QinQ technology on the
metro Ethernet network. Each site is assigned three VLANs 100, 200 and 300, which
represent Finance, Marketing, and Others departments respectively. The UPEs at two ends tag
received packets with outer VLAN 1000 (different outer VLAN tags are allowed on two
ends), and the same VSI is configured on the NPEs. This configuration ensures that only users
of the same VLAN in different sites can communicate with each other.
Set the TPID value in an This configuration allows a 10.6.3 Configuring the
outer VLAN tag Huawei device to TPID Value in an Outer
communicate with a non- VLAN Tag
Huawei device.
Configure the device to add The device can be 10.6.4 Configuring the
double VLAN tags to configured to add double Device to Add Double
untagged packets VLAN tags to untagged VLAN Tags to Untagged
packets. Packets
License Support
QinQ is a basic feature of a switch and is not under license control.
Version Support
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
l The globally configured traffic-limit command that takes effect for all interfaces in the
inbound direction is invalid for QinQ packets.
l After VLAN stacking is configured on an interface of an SA series card, SEP, ERPS, or
RRPP cannot be configured on this interface.
l If the PW-side interface is a Layer 3 interface switched by the undo portswitch
command, the AC-side interface cannot be a Layer 3 interface or subinterface belonging
to a Layer 3 interface; otherwise, traffic forwarding is abnormal.
Background
To separate private networks from public networks and conserve VLAN resources, configure
double 802.1Q tags on QinQ interfaces of the device. Private VLAN tags are used on private
networks such as enterprise networks, and public VLAN tags are used on external networks
such as ISP networks. QinQ expands VLAN space to 4094x4094 and allows packets on
different private networks with the same VLAN IDs to be transparently transmitted.
Procedure
Step 1 Run:
system-view
Step 6 Run:
port default vlan vlan-id
The VLAN ID of the public VLAN tag, that is, the default VLAN of the interface, is
configured.
By default, VLAN 1 is the default VLAN of all interfaces.
----End
Pre-configuration Tasks
Before configuring selective QinQ, create the outer VLAN.
Context
VLAN ID-based selective QinQ allows an interface to add outer VLAN tags to packets based
on VLAN IDs of the packets.
NOTE
l Selective QinQ must be configured on the hybrid interface. Selective QinQ can only take effect on the
interface in the inbound direction.
l When an interface configured with VLAN stacking needs to remove the outer tag from outgoing frames,
the interface must join the VLAN specified by stack-vlan in untagged mode. If the outer VLAN does not
need to be removed, the interface must join the VLAN specified by stack-vlan in tagged mode.
Procedure
Step 1 Run:
system-view
Step 4 Run:
port hybrid untagged vlan vlan-id
NOTE
VLAN Switch stack-vlan can also add outer VLAN tags based on inner VLAN tags. For details, see 6
VLAN Switch Configuration.
Step 6 Run:
quit
The outer VLAN ID (stack-vlan) added to the original tagged packet is set.
----End
Configuration Tips
Deleting QinQ configuration
Use either of the following methods to delete the selective QinQ configuration on an
interface:
l Run the undo port vlan-stacking vlan vlan-id1 [ to vlan-id2 ] [ stack-vlan vlan-id3 ]
command in the interface view to delete a selective QinQ entry on the interface.
l Run the undo port vlan-stacking all command in the interface view to delete all the
selective QinQ entries on the interface.
Background
A traffic policy is configured by associating traffic classifiers with traffic behaviors. You can
specify a VLAN ID or other information in a traffic classifier and associate the traffic
classifier with a traffic behavior to implement selective QinQ. Then the device adds the
specified outer VLAN tag to packets matching the traffic classifier.
Traffic policy-based selective QinQ enables the device to provide differentiated services
based on service types.
Procedure
1. Configure a traffic classifier.
a. Run:
system-view
A traffic classifier is created and the traffic classifier view is displayed, or the
existing traffic classifier view is displayed.
and is the logical operator between the rules in the traffic classifier, which means
that:
n If the traffic classifier contains ACL rules, packets match the traffic classifier
only when they match one ACL rule and all the non-ACL rules.
n If the traffic classifier does not contain any ACL rules, packets match the
traffic classifier only when they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier as long as
they match one of rules in the classifier.
By default, the relationship between rules in a traffic classifier is OR.
c. Configure matching rules according to the following table.
NOTE
The if-match ip-precedence and if-match tcp commands are only valid for IPv4 packets.
The X1E series cards do not support traffic classifiers with advanced ACLs containing the
ttl-expired field or user-defined ACLs.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name }, the X1E card
does not support nest top-most vlan-id vlan-id, remark 8021p [ 8021p-value |
inner-8021p ], remark cvlan-id cvlan-id, or remark vlan-id vlan-id.
d. Run:
quit
A traffic policy is created and the traffic policy view is displayed, or the view of an
existing traffic policy is displayed.
If no matching order is specified when you create a traffic policy, the default
matching order is config.
After a traffic policy is applied, you cannot use the traffic policy command to
modify the matching order of traffic classifiers in the traffic policy. To modify the
matching order, delete the traffic policy, create a traffic policy, and specify the
matching order.
When creating a traffic policy, you can specify the matching order of matching rules
in the traffic policy. The matching order can be either automatic order or
configuration order:
n If automatic order is used, traffic classifiers are matched based on the priorities
of their types. Traffic classifiers based on Layer 2 and Layer 3 information,
Layer 2 information, and Layer 3 information are matched in descending order
of priority. The traffic classifier with the highest priority is matched first. If
data traffic matches multiple traffic classifiers, and the traffic behaviors
conflict with each other, the traffic behavior corresponding to the highest
priority rule takes effect.
n If configuration order is used, traffic classifiers are matched based on their
priorities. The traffic classifier with the highest priority is matched first. A
smaller priority value indicates a higher priority of a traffic classifier. If
precedence-value is not specified, the system allocates a priority to the traffic
classifier. The allocated priority value is [(max-precedence + 5) / 5] x 5, where
max-precedence specifies the maximum priority of a traffic classifier. For
details about the priority of a traffic classifier, refer to the traffic classifier
command.
c. Run:
classifier classifier-name behavior behavior-name
Context
802.1p priority-based selective QinQ allows an interface to add an outer VLAN tag based on
802.1p priorities and VLAN IDs of incoming packets. This ensures communication of high-
priority users.
Procedure
Step 1 Configure 802.1p priority-based selective QinQ on an inbound interface.
1. Run:
system-view
– VLAN stacking based on 802.1p priorities takes effect only for incoming packets.
– VLAN stacking based on 802.1p priorities can only be enabled on a trunk or hybrid interface.
3. Run:
8021p-outbound service-class color map 8021p-value
The device is configured to map the internal priority of outgoing packets to the 802.1p
priority in the DiffServ domain.
4. Run:
quit
The interface is bound to the DiffServ domain, and the mapping in the DiffServ domain
is applied to the interface.
----End
Context
Devices from different vendors or in different network plans may use different TPID values in
VLAN tags of VLAN packets. To adapt to an existing network plan, the switch supports TPID
value configuration. You can set the TPID value on the switch to be the same as the TPID
value in the network plan to ensure compatibility with the current network.
NOTE
l To implement interoperability with a non-Huawei device, ensure that the protocol type in the outer
VLAN tag added by the switch can be identified by the non-Huawei device.
l The qinq protocol command identifies incoming packets, and adds or changes the TPID value of
outgoing packets.
l The protocol ID configured on an interface by the qinq protocol command must be different from
other commonly used protocol IDs; otherwise, the interface cannot distinguish packets of these
protocols. For example, protocol-id cannot be set to 0x0806, which is the ARP protocol ID.
l A maximum of four VLAN TPIDs can be configured on one card, and the TPID configured on an
interface of an X1E series card takes effect on all interfaces of the card.
Procedure
Step 1 Run:
system-view
----End
Context
Generally, two devices are required to add double tags to packets. Configuring one device to
add double VLAN tags to untagged packets can simplify configuration. In addition, a Layer 2
interface can add double tags to untagged packets to differentiate services or users.
NOTE
This configuration is not supported on the ES0D0G24SA00 and ES0D0G24CA00 boards on the S7700.
Procedure
Step 1 Run:
system-view
vlan vlan-id
Step 3 Run:
quit
Step 4 Run:
interface interface-type interface-number
Step 5 Run:
port link-type hybrid
Step 6 Run:
port hybrid untagged vlan vlan-id
Step 7 Run:
port vlan-stacking untagged stack-vlan vlan-id1 stack-inner-vlan vlan-id2
NOTE
To enable an interface to add double VLAN tags to an untagged packet, you must set the link type of the
interface to hybrid, and add the interface to the outer VLAN in untagged mode.
If the PVID of an interface is not VLAN 1, restore the PVID to VLAN 1 before running the port vlan-
stacking untagged command.
The port vlan-stacking untagged command actually configures interface-based VLAN assignment.
Different VLAN assignment modes are in the following order of priority: policy-based VLAN
assignment > voice VLAN include-untagged > MAC address-based VLAN assignment > IP subnet-
based VLAN assignment > protocol-based VLAN assignment > interface-based VLAN assignment.
----End
Pre-configuration Tasks
Before configuring QinQ mapping, complete the following tasks:
l Connect the device correctly.
l Configure the VLANs that users belong to so that user packets carry one or double
VLAN tags.
l Ensure that the device is not a VCMP client.
NOTE
The mapped VLAN IDs specified in QinQ mapping configuration must be different from the control
VLAN IDs for ring protocols such as SEP, RRPP, and ERPS. Otherwise, an error message will be
displayed, indicating that the configuration fails.
Context
1-to-1 QinQ mapping allows a sub-interface to map a tag in a received single-tagged packet to
a specified tag.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
port link-type { hybrid | trunk }
Step 4 Run:
quit
Step 5 Run:
interface interface-type interface-number.subinterface-number
Step 6 Run:
qinq mapping vid vlan-id1 [ to vlan-id2 ] map-vlan vid vlan-id3
The original VLAN IDs of single-tagged packets specified in the command must be different
from the outer VLAN IDs specified on all the other sub-interfaces.
NOTE
QinQ mapping cannot be used with stacking, QinQ termination, and Dot1q termination commands on
the same sub-interface.
----End
Context
2-to-1 QinQ mapping allows a sub-interface to map an outer tag in a received double-tagged
packet to a specified tag and retain the inner VLAN tag.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
port link-type { hybrid | trunk }
Step 4 Run:
quit
Step 5 Run:
interface interface-type interface-number.subinterface-number
Step 6 Run:
qinq mapping pe-vid vlan-id1 ce-vid vlan-id2 [ to vlan-id3 ] map-vlan vid vlan-id4
The sub-interface is configured to map the outer tag of double-tagged packets to a specified
tag.
The original outer tag of double-tagged packets specified in the command must be different
from outer tags specified on all the other sub-interfaces.
NOTE
QinQ mapping cannot be used with stacking, QinQ termination, and Dot1q termination commands on
the same sub-interface.
----End
Context
During QinQ configuration (excluding basic QinQ configuration), VLAN translation
resources may be insufficient. You can run command to view the total number of inbound/
outbound VLAN translation resources, the number of used VLAN translation resources, and
the number of remaining VLAN translation resources. The command output helps you locate
faults.
Procedure
Step 1 Run the display vlan-translation resource [ slot slot-number ] command in any view to view
VLAN translation resource usage on a card.
Step 2 Run the display spare-bucket resource [ slot slot-number ] command in any view to view
the usage of backup resources when VLAN translation resources on a card conflict.
NOTE
Only the X1E series cards support this command.
----End
Networking Requirements
In Figure 10-9, there are two enterprises on the network, Enterprise 1 and Enterprise 2. Both
of them have two office locations, which connect to SwitchA and SwitchB of the ISP
network. A non-Huawei device on the ISP network uses the TPID value of 0x9100.
The requirements are as follows:
l Enterprise 1 and Enterprise 2 use independent VLAN plans that do not affect each other.
l Traffic of an enterprise's branches is transparently transmitted on the ISP network. Users
accessing the same service in an enterprise are allowed to communicate, and users
accessing different services are isolated.
You can configure QinQ to meet the preceding requirements. VLAN 100 and VLAN 200
provided by the ISP network can be used to transmit traffic for Enterprise 1 and Enterprise 2
respectively, thereby implementing communication within an enterprise and isolating the two
enterprises. To implement interoperation with the non-Huawei device, set the TPID value in
outer VLAN tags to 0x9100 on the interfaces of the Huawei devices connected to the non-
Huawei device.
ISP
VLAN 100,200
TPID=0x9100
GE1/0/3 GE1/0/3
SwitchA SwitchB
GE1/0/1 GE1/0/2 GE1/0/1 GE1/0/2
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLAN 100 and VLAN 200 on SwitchA and SwitchB. Configure interfaces
connected to the two enterprises as QinQ interfaces and add them to VLAN 100 and
VLAN 200 respectively, so that packets from the two enterprises are tagged with
different outer VLAN tags.
2. Add interfaces of SwitchA and SwitchB connected to the ISP network to VLAN 100 and
VLAN 200 so that packets from the two VLANs are allowed to pass through.
3. On the interfaces of SwitchA and SwitchB connected to the ISP network, set the TPID in
outer VLAN tags to the value used on the non-Huawei device so that SwitchA and
SwitchB can interwork with the non-Huawei device.
4. Create VLANs on Switch1, Switch2, Switch3, and Switch4, and add interfaces to
VLANs to implement Layer 2 connectivity.
Procedure
Step 1 Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 200
Step 3 Configure the interfaces of SwitchA and SwitchB connected to the ISP network.
# Add GE1/0/3 of SwitchA to VLAN 100 and VLAN 200. The configuration of SwitchB is
similar to the configuration of SwitchA, and is not mentioned here.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 100 200
[SwitchA-GigabitEthernet1/0/3] quit
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200
#
interface GigabitEthernet1/0/1
port link-type dot1q-tunnel
port default vlan 100
#
interface GigabitEthernet1/0/2
port link-type dot1q-tunnel
port default vlan 200
#
interface GigabitEthernet1/0/3
qinq protocol 9100
port link-type trunk
port trunk allow-pass vlan 100 200
#
return
vlan batch 10 to 50
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 50
#
return
Networking Requirements
In Figure 10-10, Internet access users (using PCs) and VoIP users (using VoIP terminals)
connect to the ISP network through SwitchA and SwitchB and communicate with each other
through the ISP network.
The enterprise assigns VLAN 100 to PCs and VLAN 300 to VoIP terminals. Packets from
PCs and VoIP terminals need to be transmitted over the ISP network in VLAN 2 and VLAN 3
respectively.
SwitchA SwitchB
GE1/0/2 Carrier GE1/0/2
network
GE1/0/1 GE1/0/1
PC VoIP VoIP PC
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on SwitchA and SwitchB.
2. Configure link types of interfaces on SwitchA and SwitchB and add the interfaces to
VLANs.
3. Configure selective QinQ on interfaces of SwitchA and SwitchB.
Procedure
Step 1 Create VLANs.
# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs in the outer VLAN tags to be
added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3
# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs in the outer VLAN tags to be
added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 2 3
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 2 to 3
port vlan-stacking vlan 100 stack-vlan 2
port vlan-stacking vlan 300 stack-vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
#
return
Networking Requirements
In Figure 10-11, Internet access, IPTV, and VoIP services are provided for users through
home gateways.
l VLANs for the Internet access service of different users: VLAN 1000 to VLAN 1100
l Shared VLAN for the IPTV service: VLAN 1101
l Shared VLAN for the VoIP service: VLAN 1102
l Shared VLAN for home gateways: VLAN 1103
Each community switch is connected to 50 downstream corridor switches, and maps VLAN
IDs in packets of the Internet access service from the corridor switches to VLANs 101-150.
Figure 10-11 Networking diagram for configuring selective QinQ and VLAN mapping
ME60
Internet
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure SwitchA.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 21 to 70 1101 to 1103
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 101 to 150 1000 to 1103
The Internet access service, IPTV service, and VoIP service are available.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 21 to 70 1101 to 1103
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 1101 to 1103
port hybrid untagged vlan 21
port vlan-stacking vlan 101 to 150 stack-vlan 21
#
return
Networking Requirements
In Figure 10-12, low-end switches at the user side connect to the Internet through the Switch.
The IPTV and Internet access services are deployed at the user side. User PCs obtain IP
addresses from ME60-A to connect to the Internet, and the set top boxes (STBs) obtain IP
addresses from ME60-B to provide the IPTV service.
The DSLAMs add different VLAN tags to packets of different services so that the PCs do not
obtain IP addresses from ME60-B.
The carrier assigns VLANs 100-999 to PPPoE packets and assigns VLANs 1000-1999 to
DHCP packets.
The STBs are provided by the carrier. The carrier can obtain MAC addresses of STBs but
cannot obtain MAC addresses of PCs. The MAC address segment of STBs is
00e0-8e00-0000/ffff-ff00-0000.
When a user starts a PC, a DHCP packet is sent to apply for an IP address. The DHCP packet
should be rejected, and the user must obtain an IP address using PPPoE.
Figure 10-12 Networking diagram for configuring selective QinQ and traffic policy
Internet
ME60-A ME60-B
GE3/0/0 GE4/0/0
GE1/0/0 GE2/0/0
Switch
SwitchA SwitchB
…… ……
SwitchC SwitchD SwitchE SwitchF
…… …… …… ……
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on the Switch.
2. Configure GE1/0/0 and GE2/0/0 on the Switch as hybrid interfaces and configure
selective QinQ on the two interfaces.
3. Configure a traffic classifier based on VLAN IDs and MAC addresses, a traffic behavior,
and a traffic policy.
4. Apply the traffic policy in the inbound direction of GE1/0/0 and GE2/0/0 to prevent PCs
from obtaining IP addresses through DHCP packets.
Procedure
Step 1 Configure selective QinQ.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
# Apply the traffic policy in the inbound direction of GE1/0/0 and GE2/0/0.
[Switch] interface gigabitethernet 1/0/0
[Switch-GigabitEthernet1/0/0] traffic-policy PermitMAC inbound
[Switch-GigabitEthernet1/0/0] quit
[Switch] interface gigabitethernet 2/0/0
[Switch-GigabitEthernet2/0/0] traffic-policy PermitMAC inbound
[Switch-GigabitEthernet2/0/0] quit
The IPTV and Internet access services are available. STBs obtain IP addresses from ME60-B,
and PCs obtain IP addresses from ME60-A.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
acl number 4001
rule 1 permit source-mac 00e0-8e00-0000 ffff-ff00-0000
#
traffic classifier STB operator and precedence 5
if-match vlan-id 20
if-match acl 4001
#
traffic behavior PermitMAC
permit
#
traffic policy PermitMAC match-order config
classifier STB behavior PermitMAC
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid untagged vlan 10 20
port vlan-stacking vlan 100 to 999 stack-vlan 10
port vlan-stacking vlan 1000 to 1999 stack-vlan 20
traffic-policy PermitMAC inbound
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid untagged vlan 10 20
port vlan-stacking vlan 100 to 999 stack-vlan 10
port vlan-stacking vlan 1000 to 1999 stack-vlan 20
traffic-policy PermitMAC inbound
#
interface GigabitEthernet3/0/0
port link-type hybrid
port hybrid tagged vlan 10
#
interface GigabitEthernet4/0/0
port link-type hybrid
port hybrid tagged vlan 20
#
return
Networking Requirements
In Figure 10-13, Internet access users (using PCs) and VoIP users (using VoIP terminals)
connect to the ISP network through SwitchA and SwitchB. These users communicate with
each other through the ISP network.
Packets from PCs and VoIP terminals need to be transmitted over the ISP network in VLAN 2
and VLAN 3 respectively.
You can configure a traffic policy to implement selective QinQ on the Switch.
SwitchA SwitchB
GE1/0/2 Carrier GE1/0/2
network
GE1/0/1 GE1/0/1
PC VoIP VoIP PC
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Create VLANs.
# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs in the outer VLAN tags to be
added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3
# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs in the outer VLAN tags to be
added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 2 3
Step 3 Apply the traffic policy to interfaces of SwitchA and SwitchB to implement selective QinQ.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 3
#
traffic classifier name1 operator or precedence 5
if-match vlan-id 100 to 200
traffic classifier name2 operator or precedence 10
if-match vlan-id 300 to 400
#
traffic behavior name1
permit
nest top-most vlan-id 2
traffic behavior name2
permit
nest top-most vlan-id 3
#
traffic policy name1 match-order config
classifier name1 behavior name1
classifier name2 behavior name2
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 2 to 3
traffic-policy name1 inbound
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
NOTE
Figure 10-14 Networking diagram for connecting a single-tag VLAN mapping sub-interface
to a VLL network
Loopback1 Loopback1 Loopback1
1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE 2/0/0 GE 1/0/0
PE 1 PE 2
GE 2/0/0 GE1/0/0
GE1/0/0 P GE 2/0/0
GE1/0/0 GE 1/0/0
Martini
CE 1 CE 2
- Loopback1 - 1.1.1.1/32
- GigabitEthernet2/0/0 GigabitEthernet2/0/0.1 -
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol on PE and P devices of the backbone network to implement
interworking, and enable MPLS.
2. Use the default tunnel policy to create an LSP for data transmission.
3. Enable MPLS L2VPN and create VC connections on PEs.
4. Create a sub-interface on the interface of PE1 connected to CE1, configure VLAN
mapping of a single tag on the sub-interface, and create a VC to connect the sub-
interface to the VLL network.
5. Configure a Dot1q sub-interface on the interface of PE2 connected to CE2, and create a
VC to connect the sub-interface to the VLL network.
Procedure
Step 1 Add interfaces of CEs, PEs, and P to VLANs and configure IP addresses for the VLANIF
interfaces according to Figure 10-14.
# Configure CE1 to ensure that packets sent from CE1 to PE1 carry a VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.10.10.1 24
[CE1-Vlanif10] quit
# Configure CE2 to ensure that packets sent from CE2 to PE2 carry a VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 20
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 20
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface vlanif 20
[CE2-Vlanif20] ip address 10.10.10.2 24
[CE2-Vlanif20] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type hybrid
[PE1-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[PE1-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[PE1-GigabitEthernet2/0/0] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type hybrid
[P-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[P-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 10.1.1.2 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 10.2.2.2 24
[P-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[PE2-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 10.2.2.1 24
[PE2-Vlanif30] quit
Step 2 Configure an IGP on the MPLS backbone network. OSPF is used in this example.
Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the LSR IDs.
# Configure PE1.
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 10.2.2.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 10.2.2.1 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command to verify that the OSPF neighbor
relationship status is Full. Run the display ip routing-table command to verify that the PEs
learn the route to the Loopback1 interface of each other. The following is the display on PE1:
[PE1] display ospf peer
Step 3 Enable basic MPLS functions and MPLS LDP on the MPLS network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
# Configure PE1.
[PE1] mpls ldp remote-peer 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] remote-ip 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 to
view the LDP session setup. You can see that an LDP session has been set up between PE1
and PE2.
On PEs, check the L2VPN connections. You can see that an L2VC connection has been set up
and is in Up state.
AdminPw interface : --
AdminPw link state : --
Diffserv Mode : uniform
Service Class : --
Color : --
DomainId : --
Domain Name : --
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
qinq mapping vid 10 map-vlan vid 20
mpls l2vc 3.3.3.3 101
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
l P configuration file
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
l PE2 configuration file
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
dot1q termination vid 20
mpls l2vc 1.1.1.1 101
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
Networking Requirements
As shown in Figure 10-15, CE1 and CE2 are connected to PE1 and PE2 respectively through
VLANs.
Selective QinQ is required on the switch interfaces connected to CEs to tag packets sent from
CEs with the VLAN IDs specified by the carrier.
When Switch1 and Switch2 add different VLAN tags to packets, configure double-tag VLAN
mapping on PE sub-interfaces and connect the sub-interfaces to the VLL network so that CE1
and CE2 can communicate with each other.
When a Switch is connected to multiple CEs, the Switch can add the same outer VLAN tag to
packets with different VLAN tags from different CEs, thereby saving VLAN IDs on the
public network.
NOTE
Figure 10-15 Networking diagram for connecting a double-tag VLAN mapping sub-interface
to a VLL network
Loopback1 Loopback1 Loopback1
1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE2/0/0 GE1/0/0
PE1 PE2
GE2/0/0 GE1/0/0
GE1/0/0 P GE2/0/0
GE2/0/0 GE2/0/0
Switch1 Switch2
GE1/0/0 GE1/0/0
GE1/0/0 GE1/0/0
CE1 CE2
Switch Interface VLANIF Interface IP address
- Loopback1 - 1.1.1.1/32
- GigabitEthernet2/0/0 GigabitEthernet2/0/0.1 -
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol on PE and P devices of the backbone network to implement
interworking, and enable MPLS.
2. Use the default tunnel policy to create an LSP for data transmission.
3. Enable MPLS L2VPN and create VC connections on PEs.
4. Create a sub-interface on the PE1 interface connected to Switch1, configure double-tag
VLAN mapping, and create a VC to connect the QinQ sub-interface to a VLL network.
5. Create a sub-interface on the PE2 interface connected to Switch2, and create a VC to
connect the QinQ sub-interface to a VLL network.
6. Configure selective QinQ on the switch interfaces connected to CEs.
Procedure
Step 1 Configure the VLANs on the CE, PE, and P devices, add interfaces to the VLANs, and assign
IP addresses to the corresponding VLANIF interfaces according to Figure 10-15.
# Configure CE1 to ensure that each packet sent from CE1 to Switch1 carries a single VLAN
tag.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.10.10.1 24
[CE1-Vlanif10] quit
# Configure CE2 to ensure that each packet sent from CE2 to Switch2 carries a single VLAN
tag.
<HUAWEI> system-view
[HUAWEI] sysname CE2
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type hybrid
[PE1-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[PE1-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 10.1.1.1 24
[PE1-Vlanif20] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type hybrid
[P-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[P-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 10.1.1.2 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 10.2.2.2 24
[P-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[PE2-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 10.2.2.1 24
[PE2-Vlanif30] quit
Step 2 Configure selective QinQ on switch interfaces and specify the VLANs allowed by the
interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 100
[Switch1-vlan100] quit
[Switch1] interface gigabitethernet2/0/0
[Switch1-GigabitEthernet2/0/0] port link-type hybrid
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan 200
[Switch2-vlan200] quit
[Switch2] interface gigabitethernet2/0/0
[Switch2-GigabitEthernet2/0/0] port link-type hybrid
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 200
[Switch2-GigabitEthernet2/0/0] quit
[Switch2] interface gigabitethernet1/0/0
[Switch2-GigabitEthernet1/0/0] port link-type hybrid
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 200
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 200
[Switch2-GigabitEthernet1/0/0] quit
Step 3 Configure an IGP on the MPLS backbone network. OSPF is used in this example.
Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the LSR IDs.
# Configure PE1.
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 10.2.2.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 10.2.2.1 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command to verify that the OSPF neighbor
relationship status is Full. Run the display ip routing-table command to verify that the PEs
learn the route to the Loopback1 interface of each other. The following is the display on PE1:
[PE1] display ospf peer
Step 4 Enable basic MPLS functions and MPLS LDP on the MPLS network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 to
view the LDP session setup. You can see that an LDP session has been set up between PE1
and PE2.
[PE1] display mpls ldp session
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
qinq mapping pe-vid 100 ce-vid 10 map-vlan vid 200
mpls l2vc 3.3.3.3 101
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
l P configuration file
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
l PE2 configuration file
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 200 ce-vid 10
mpls l2vc 1.1.1.1 101
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
l Switch2 configuration file
#
sysname Switch2
#
vlan batch 200
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid untagged vlan 200
port vlan-stacking vlan 10 stack-vlan 200
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 200
#
return
l CE2 configuration file
#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
NOTE
Figure 10-16 Networking diagram for connecting a VLAN stacking sub-interface to a VLL
network
Loopback1 Loopback1 Loopback1
1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE2/0/0 GE1/0/0
PE1 PE2
GE2/0/0 GE1/0/0
GE1/0/0 P GE2/0/0
GE2/0/0 GE2/0/0
Switch1 Switch2
GE1/0/0 GE1/0/0
GE1/0/0 GE1/0/0
CE1 CE2
- Loopback1 - 1.1.1.1/32
- GigabitEthernet2/0/0 GigabitEthernet2/0/0.1 -
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Create VLANs on the CE, PE, and P devices, add interfaces to the VLANs, and assign IP
addresses to VLANIF interfaces according to Figure 10-16.
# Configure CE1 to ensure that each packet sent from CE1 to Switch1 carries a single VLAN
tag.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.10.10.1 24
[CE1-Vlanif10] quit
# Configure CE2 to ensure that each packet sent from CE2 to Switch2 carries a single VLAN
tag.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.10.10.2 24
[CE2-Vlanif10] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type hybrid
[PE1-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[PE1-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 10.1.1.1 24
[PE1-Vlanif20] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type hybrid
[P-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[P-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 10.1.1.2 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 10.2.2.2 24
[P-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[PE2-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 10.2.2.1 24
[PE2-Vlanif30] quit
Step 2 Configure selective QinQ on switch interfaces and specify the VLANs allowed by the
interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 10
[Switch1-vlan10] quit
[Switch1] interface gigabitethernet2/0/0
[Switch1-GigabitEthernet2/0/0] port link-type hybrid
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 10
[Switch1-GigabitEthernet2/0/0] quit
[Switch1] interface gigabitethernet1/0/0
[Switch1-GigabitEthernet1/0/0] port link-type hybrid
[Switch1-GigabitEthernet1/0/0] port hybrid tagged vlan 10
[Switch1-GigabitEthernet1/0/0] quit
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan 100
[Switch2-vlan100] quit
[Switch2] interface gigabitethernet2/0/0
[Switch2-GigabitEthernet2/0/0] port link-type hybrid
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch2-GigabitEthernet2/0/0] quit
[Switch2] interface gigabitethernet1/0/0
[Switch2-GigabitEthernet1/0/0] port link-type hybrid
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100
[Switch2-GigabitEthernet1/0/0] quit
Step 3 Configure an IGP on the MPLS backbone network. OSPF is used in this example.
Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the LSR IDs.
# Configure PE1.
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
# Configure P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 10.2.2.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 10.2.2.1 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command to verify that the OSPF neighbor
relationship status is Full. Run the display ip routing-table command to verify that the PEs
learn the route to the Loopback1 interface of each other. The following is the display on PE1:
[PE1] display ospf peer
Step 4 Enable basic MPLS functions and MPLS LDP on the MPLS network.
# Configure PE1.
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 to
view the LDP session setup. You can see that an LDP session is set up between PE1 and PE2.
[PE1] display mpls ldp session
Access-port : false
Switchover Flag : false
VC tunnel/token info : 1 tunnels/tokens
NO.0 TNL type : lsp , TNL ID : 0x10031
Backup TNL type : lsp , TNL ID : 0x0
create time : 1 days, 22 hours, 15 minutes, 9 seconds
up time : 0 days, 22 hours, 54 minutes, 57 seconds
last change time : 0 days, 22 hours, 54 minutes, 57 seconds
VC last up time : 2010/10/09 19:26:37
VC total up time : 1 days, 20 hours, 42 minutes, 30 seconds
CKey : 8
NKey : 3
PW redundancy mode : --
AdminPw interface : --
AdminPw link state : --
Diffserv Mode : uniform
Service Class : --
Color : --
DomainId : --
Domain Name : --
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 10
#
return
l PE1 configuration file
#
sysname PE1
#
router id 1.1.1.1
#
vcmp role
silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.3
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
qinq stacking vid 10 pe-vid 100
mpls l2vc 3.3.3.3 101
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
l P configuration file
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
l PE2 configuration file
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 100 ce-vid 10
mpls l2vc 1.1.1.1 101
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
NOTE
Figure 10-17 Networking diagram for connecting a single-tag VLAN mapping sub-interface
to a VPLS network
GE 1/0/0 GE 2/0/0
PE 1 PE 2
GE 2/0/0 GE1/0/0
GE1/0/0 GE 2/0/0
P
GE1/0/0 GE 1/0/0
CE 1 CE 2
Switch Interface VLANIF Interface IP Address
- Loopback1 - 1.1.1.1/32
- GigabitEthernet2/0/0 GigabitEthernet2/0/0.1 -
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol on the backbone network to implement interworking
between devices.
2. Set up a remote LDP session between PEs.
3. Establish tunnels between PEs to transmit service data.
4. Enable MPLS L2VPN on PEs.
5. Create a VSI on the PEs and specify LDP as the signaling protocol.
6. Configure single-tag VLAN mapping on the PE1 sub-interface connected to CE1 and
bind the sub-interface the VSI to connect it to the VPLS network.
7. Configure a Dot1q sub-interface on the interface of PE2 connected to CE2 and bind the
sub-interface to the VSI to connect it to the VPLS network.
Procedure
Step 1 Create VLANs on the CE, PE, and P devices, add interfaces to the VLANs, and assign IP
addresses to VLANIF interfaces according to Figure 10-17.
NOTE
l The AC-side and PW-side physical interfaces of a PE cannot be added to the same VLAN;
otherwise, a loop may occur.
l After the configuration is complete, the packets sent from a CE to a PE must carry a VLAN tag.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 20
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 20
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface vlanif 20
[CE2-Vlanif20] ip address 10.1.1.2 24
[CE2-Vlanif20] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type hybrid
[PE1-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[PE1-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 4.4.4.4 24
[PE1-Vlanif20] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 20
[P-GigabitEthernet1/0/0] port hybrid tagged vlan 20
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type hybrid
[P-GigabitEthernet2/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet2/0/0] port hybrid tagged vlan 30
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 4.4.4.5 24
[P-Vlanif20] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[PE2-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 5.5.5.5 24
[PE2-Vlanif30] quit
# Configure P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 4.4.4.5 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 5.5.5.4 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, run the display ip routing-table command on PE1, P,
and PE2. You can view the routes that PE1, P, and PE2 have learned from each other. The
following is the display on PE1:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
After the configuration is complete, run the display mpls ldp session command on PE1, P,
and PE2. You can see that the peer relationships are set up between PE1 and P, and between P
and PE2. The status of the peer relationship is Operational. Run the display mpls ldp
command to view the MPLS LDP configuration. The following is the display on PE1:
[PE1] display mpls ldp session
------------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 0000:15:29 3717/3717
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
# Configure PE1.
[PE1] mpls ldp remote-peer 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] remote-ip 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 or
PE2. You can see that the peer status is Operational, indicating that a peer relationship has
been set up between PE1 and PE2. The display on PE1 is used as an example.
[PE1] display mpls ldp session
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
# Configure PE1.
[PE1] vsi a2 static
[PE1-vsi-a2] pwsignal ldp
[PE1-vsi-a2-ldp] vsi-id 2
[PE1-vsi-a2-ldp] peer 3.3.3.3
[PE1-vsi-a2-ldp] quit
[PE1-vsi-a2] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer 1.1.1.1
[PE2-vsi-a2-ldp] quit
[PE2-vsi-a2] quit
# Configure PE2.
[PE2] vcmp role silent
[PE2] interface gigabitethernet2/0/0
[PE2-GigabitEthernet2/0/0] port link-type hybrid
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface gigabitethernet2/0/0.1
[PE2-GigabitEthernet2/0/0.1] dot1q termination vid 20
[PE2-GigabitEthernet2/0/0.1] l2 binding vsi a2
[PE2-GigabitEthernet2/0/0.1] quit
***VSI Name : a2
Administrator VSI : no
Isolate Spoken : disable
VSI Index : 0
PW Signaling : ldp
Member Discovery Style : static
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
P2P VSI : disable
Create Time : 0 days, 0 hours, 5 minutes, 1 seconds
VSI State : up
VSI ID : 2
*Peer Router ID : 3.3.3.3
Negotiation-vc-id : 2
primary or secondary : primary
ignore-standby-state : no
VC Label : 23552
Peer Type : dynamic
Session : up
Tunnel ID : 0x22
Broadcast Tunnel ID : 0x22
Broad BackupTunnel ID : 0x0
CKey : 2
NKey : 1
Stp Enable : 0
PwIndex : 0
Control Word : disable
**PW Information:
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
return
l PE1 configuration file
#
sysname PE1
#
router id 1.1.1.1
#
vcmp role
silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.3
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.3
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 4.4.4.4 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
qinq mapping vid 10 map-vlan vid 20
l2 binding vsi a2
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 4.4.4.0 0.0.0.255
#
return
l P configuration file
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 4.4.4.5 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 5.5.5.4 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 4.4.4.0 0.0.0.255
network 5.5.5.0 0.0.0.255
#
return
l PE2 configuration file
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 5.5.5.5 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
NOTE
Figure 10-18 Networking diagram for connecting a double-tag VLAN mapping sub-interface
to a VPLS network
GE2/0/0 GE2/0/0
PE1 PE2
GE1/0/0 GE1/0/0
GE1/0/0 P GE2/0/0
GE2/0/0 GE2/0/0
Switch1 Switch2
GE1/0/0 GE1/0/0
GE1/0/0 GE1/0/0
CE1 CE2
- Loopback1 - 1.1.1.1/32
- GigabitEthernet2/0/0 GigabitEthernet2/0/0.1 -
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32
Configuration Roadmap
The configuration roadmap is as follows:
6. Create a VSI on the PEs and specify LDP as the signaling protocol.
7. Configure double-tag VLAN mapping on the sub-interface connected to Switch1 on PE1
and bind the sub-interface to the VSI to connect it to the VPLS network.
8. Configure a QinQ sub-interface on the interface connected to Switch2 on PE2 and bind
the sub-interface to the VSI to connect it to the VPLS network.
Procedure
Step 1 Create VLANs on the devices, add interfaces to the VLANs, and assign IP addresses to
VLANIF interfaces according to Figure 10-18.
NOTE
l The AC-side and PW-side physical interfaces of a PE cannot be added to the same VLAN;
otherwise, a loop may occur.
l Ensure that each packet sent from a CE to the Switch carries a single VLAN tag.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.1.1.2 24
[CE2-Vlanif10] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type hybrid
[PE1-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[PE1-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 4.4.4.4 24
[PE1-Vlanif20] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 20
[P-GigabitEthernet1/0/0] port hybrid tagged vlan 20
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type hybrid
[P-GigabitEthernet2/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet2/0/0] port hybrid tagged vlan 30
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 4.4.4.5 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 5.5.5.4 24
[P-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[PE2-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 5.5.5.5 24
[PE2-Vlanif30] quit
Step 2 Configure selective QinQ on switch interfaces and specify the VLANs allowed by the
interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 100
[Switch1-vlan100] quit
[Switch1] interface gigabitethernet2/0/0
[Switch1-GigabitEthernet2/0/0] port link-type hybrid
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch1-GigabitEthernet2/0/0] quit
[Switch1] interface gigabitethernet1/0/0
[Switch1-GigabitEthernet1/0/0] port link-type hybrid
[Switch1-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100
[Switch1-GigabitEthernet1/0/0] quit
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan 200
[Switch2-vlan200] quit
[Switch2] interface gigabitethernet2/0/0
[Switch2-GigabitEthernet2/0/0] port link-type hybrid
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 200
[Switch2-GigabitEthernet2/0/0] quit
[Switch2] interface gigabitethernet1/0/0
[Switch2-GigabitEthernet1/0/0] port link-type hybrid
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 200
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 200
[Switch2-GigabitEthernet1/0/0] quit
# Configure P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 4.4.4.5 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 5.5.5.4 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, run the display ip routing-table command on PE1, P,
and PE2. You can view the routes that PE1, P, and PE2 have learned from each other. The
following is the display on PE1:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
After the configuration is complete, run the display mpls ldp session command on PE1, P,
and PE2. You can see that the peer relationships are set up between PE1 and P, and between P
and PE2. The status of the peer relationship is Operational. Run the display mpls ldp
command to view the MPLS LDP configuration. The following is the display on PE1:
[PE1] display mpls ldp session
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 or
PE2. You can see that the status of the peer relationship between PE1 and PE2 is
Operational. That is, the peer relationship is set up. The display on PE1 is used as an
example.
[PE1] display mpls ldp session
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer 1.1.1.1
[PE2-vsi-a2-ldp] quit
[PE2-vsi-a2] quit
# Configure PE2.
[PE2] vcmp role silent
[PE2] interface gigabitethernet2/0/0
[PE2-GigabitEthernet2/0/0] port link-type hybrid
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface gigabitethernet2/0/0.1
[PE2-GigabitEthernet2/0/0.1] qinq termination pe-vid 200 ce-vid 10
[PE2-GigabitEthernet2/0/0.1] l2 binding vsi a2
[PE2-GigabitEthernet2/0/0.1] quit
***VSI Name : a2
Administrator VSI : no
Isolate Spoken : disable
VSI Index : 0
PW Signaling : ldp
Member Discovery Style : static
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
P2P VSI : disable
Create Time : 0 days, 0 hours, 5 minutes, 1 seconds
VSI State : up
VSI ID : 2
*Peer Router ID : 3.3.3.3
Negotiation-vc-id : 2
primary or secondary : primary
ignore-standby-state : no
VC Label : 23552
Peer Type : dynamic
Session : up
Tunnel ID : 0x22
Broadcast Tunnel ID : 0x22
Broad BackupTunnel ID : 0x0
CKey : 2
NKey : 1
Stp Enable : 0
PwIndex : 0
Control Word : disable
**PW Information:
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
#
vlan batch 200
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid untagged vlan 200
port vlan-stacking vlan 10 stack-vlan 200
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 200
#
return
l PE1 configuration file
#
sysname PE1
#
router id 1.1.1.1
#
vcmp role
silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.3
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.3
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 4.4.4.4 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
qinq mapping pe-vid 100 ce-vid 10 map-vlan vid 200
l2 binding vsi a2
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 4.4.4.0 0.0.0.255
#
return
l P configuration file
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 4.4.4.5 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 5.5.5.4 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 4.4.4.0 0.0.0.255
network 5.5.5.0 0.0.0.255
#
return
l PE2 configuration file
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 5.5.5.5 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 200 ce-vid 10
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 5.5.5.0 0.0.0.255
#
return
NOTE
Figure 10-19 Networking diagram for connecting a VLAN stacking sub-interface to a VPLS
network
Loopback1 Loopback1 Loopback1
1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE2/0/0 GE2/0/0
PE1 PE2
GE1/0/0 GE1/0/0
GE1/0/0 P GE2/0/0
GE2/0/0 GE2/0/0
Switch1 Switch2
GE1/0/0 GE1/0/0
GE1/0/0 GE1/0/0
CE1 CE2
Switch Interface VLANIF Interface IP Address
- Loopback1 - 1.1.1.1/32
- GigabitEthernet2/0/0 GigabitEthernet2/0/0.1 -
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol on the backbone network to implement interworking.
2. Add the interface of Switch1 connected to CE1 to a specified VLAN.
3. Configure selective QinQ on the interface of Switch2 connected to CE2.
4. Set up a remote LDP session between PEs.
5. Establish tunnels between PEs to transmit service data.
6. Enable MPLS L2VPN on the PEs.
7. Create a VSI on the PEs and specify LDP as the signaling protocol.
8. Configure a VLAN stacking sub-interface on the interface of PE1 connected to Switch1
and bind the sub-interface to the VSI to connect it to the VPLS network.
9. Configure a QinQ sub-interface on the interface of PE2 connected to Switch2 and bind
the sub-interface to the VSI to connect the sub-interface to the VPLS network.
Procedure
Step 1 Create VLANs on the devices, add interfaces to the VLANs, and assign IP addresses to
VLANIF interfaces according to Figure 10-19.
NOTE
l The AC-side and PW-side physical interfaces of a PE cannot be added to the same VLAN;
otherwise, a loop may occur.
l Ensure that each packet sent from a CE to the Switch carries a single VLAN tag.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.1.1.2 24
[CE2-Vlanif10] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type hybrid
[PE1-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[PE1-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 4.4.4.4 24
[PE1-Vlanif20] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 20
[P-GigabitEthernet1/0/0] port hybrid tagged vlan 20
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type hybrid
[P-GigabitEthernet2/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet2/0/0] port hybrid tagged vlan 30
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 4.4.4.5 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 5.5.5.4 24
[P-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[PE2-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 5.5.5.5 24
[PE2-Vlanif30] quit
Step 2 Configure selective QinQ on switch interfaces and specify the VLANs allowed by the
interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 10
[Switch1-vlan10] quit
[Switch1] interface gigabitethernet2/0/0
[Switch1-GigabitEthernet2/0/0] port link-type hybrid
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 10
[Switch1-GigabitEthernet2/0/0] quit
[Switch1] interface gigabitethernet1/0/0
[Switch1-GigabitEthernet1/0/0] port link-type hybrid
[Switch1-GigabitEthernet1/0/0] port hybrid tagged vlan 10
[Switch1-GigabitEthernet1/0/0] quit
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan 100
[Switch2-vlan100] quit
[Switch2] interface gigabitethernet2/0/0
[Switch2-GigabitEthernet2/0/0] port link-type hybrid
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch2-GigabitEthernet2/0/0] quit
[Switch2] interface gigabitethernet1/0/0
[Switch2-GigabitEthernet1/0/0] port link-type hybrid
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100
[Switch2-GigabitEthernet1/0/0] quit
# Configure P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 4.4.4.5 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 5.5.5.4 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, run the display ip routing-table command on PE1, P,
and PE2. You can view the routes that PE1, P, and PE2 have learned from each other. The
following is the display on PE1:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
After the configuration is complete, run the display mpls ldp session command on PE1, P,
and PE2. You can see that the peer relationships are set up between PE1 and P, and between P
and PE2. The status of the peer relationship is Operational. Run the display mpls ldp
command to view the MPLS LDP configuration. The following is the display on PE1:
[PE1] display mpls ldp session
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 or
PE2. You can see that the peer status is Operational, indicating that a peer relationship has
been set up between PE1 and PE2. The display on PE1 is used as an example.
[PE1] display mpls ldp session
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer 1.1.1.1
[PE2-vsi-a2-ldp] quit
[PE2-vsi-a2] quit
# Configure PE2.
[PE2] vcmp role silent
[PE2] interface gigabitethernet2/0/0
[PE2-GigabitEthernet2/0/0] port link-type hybrid
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface gigabitethernet2/0/0.1
[PE2-GigabitEthernet2/0/0.1] qinq termination pe-vid 100 ce-vid 10
[PE2-GigabitEthernet2/0/0.1] l2 binding vsi a2
[PE2-GigabitEthernet2/0/0.1] quit
***VSI Name : a2
Administrator VSI : no
Isolate Spoken : disable
VSI Index : 0
PW Signaling : ldp
Member Discovery Style : static
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
P2P VSI : disable
Create Time : 0 days, 0 hours, 5 minutes, 1 seconds
VSI State : up
VSI ID : 2
*Peer Router ID : 3.3.3.3
Negotiation-vc-id : 2
primary or secondary : primary
ignore-standby-state : no
VC Label : 23552
Peer Type : dynamic
Session : up
Tunnel ID : 0x22
Broadcast Tunnel ID : 0x22
Broad BackupTunnel ID : 0x0
CKey : 2
NKey : 1
Stp Enable : 0
PwIndex : 0
Control Word : disable
**PW Information:
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 4.4.4.5 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 5.5.5.4 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 4.4.4.0 0.0.0.255
network 5.5.5.0 0.0.0.255
#
return
l PE2 configuration file
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role
silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 5.5.5.5 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 100 ce-vid 10
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 5.5.5.0 0.0.0.255
#
return
Procedure
1. Run the display this command in the view of the interface configured with selective
QinQ to check the outer VLAN tag.
2. Run the display vlan summary command in any view to check whether the outer
VLAN has been created.
<HUAWEI> display vlan summary
Static
vlan:
Total 3 static
vlan.
1 9 to
10
Dynamic
vlan:
Total 0 dynamic
vlan.
Reserved vlan:
Total 0 reserved vlan.
– If the command output contains the outer VLAN ID, the outer VLAN has been
created. Continue to check for other common misconfigurations.
– If the command output does not contain the outer VLAN ID, the outer VLAN is not
created. Run the vlan batch command to create a VLAN and check whether QinQ
traffic can be correctly transmitted. If traffic forwarding still fails, continue to check
for other common misconfigurations.
Fault Symptom
After selective QinQ is configured on an interface, traffic forwarding fails.
Procedure
1. Run the display this command in the view of the interface configured with selective
QinQ to check the outer VLAN tag.
2. Run the display vlan vlan-id command in any view to check whether the interface
configured with selective QinQ belongs to the outer VLAN. vlan-id specifies the outer
VLAN ID.
<HUAWEI> display vlan 3
------------------------------------------------------------------------------
--
U: Up; D: Down; TG: Tagged; UT:
Untagged;
MP: Vlan-mapping; ST: Vlan-
stacking;
#: ProtocolTransparent-vlan; *: Management-
vlan;
------------------------------------------------------------------------------
--
VID Type
Ports
------------------------------------------------------------------------------
--
3 common
UT:GE1/0/2(U)
– If the system displays the message "Error:The VLAN does not exist.", the outer
VLAN is not created. Run the vlan batch command to create the outer VLAN and
run the display vlan vlan-id command to check whether the interface belongs to the
VLAN.
– If there is no interface configured with selective QinQ, run the port hybrid
untagged vlan vlan-id command to add the interface to the VLAN in untagged
mode.
– If the command output does not display the interface configured with selective
QinQ but the flag before the interface is not UT, run the port hybrid untagged
vlan vlan-id command to add the interface to the VLAN in untagged mode.
– If the command output displays the interface configured with selective QinQ and
the interface has joined the VLAN in untagged mode, continue to check for other
common misconfigurations.
NOTE
Procedure
Run the display this command on the interface configured with selective QinQ to check
whether VLAN mapping is configured to map the VLAN ID to be transparently transmitted to
itself (for example, port vlan-mapping vlan 20 map-vlan 20).
l If such VLAN mapping is not configured, run the port vlan-mapping vlan vlan-id1
map-vlan vlan-id2 command on the interface to configure it.
l If such VLAN mapping is configured, collect logs and alarms and contact Huawei
technical support personnel.
10.10 FAQ
is configured on an interface of the SA card, VLAN mapping, for example, port vlan-
mapping vlan 20 map-vlan 20, must be configured to map the VLAN tag that needs to be
transparently transmitted to itself.
l If the switch is running V100R003 or an earlier version, one or more inner VLAN IDs in
QinQ cannot be directly deleted. You must delete the current selective QinQ
configuration, and then reconfigure the inner VLAN IDs that do not need to be deleted.
For example, the port vlan-stacking vlan 10 to 20 stack-vlan 100 command is
configured on the switch. To delete inner VLAN 15, perform the following operations:
a. Run the undo port vlan-stacking vlan 10 to 20 stack-vlan 100 command to delete
the current selective QinQ configuration.
b. Run the port vlan-stacking vlan 10 to 14 stack-vlan 100 and port vlan-stacking
vlan 16 to 20 stack-vlan 100 commands to reconfigure the inner VLAN IDs that
do not need to be deleted.
l If the switch is running a version later than V100R003, one or more inner VLAN IDs in
QinQ can be directly deleted.
10.11 References
The following table lists the references for the QinQ feature.
This chapter describes how to configure VLAN mapping. VLAN mapping is configured on
the edge device of the public network so that the VLANs of private networks are isolated
from S-VLANs. This saves S-VLAN resources.
Definition
VLAN mapping technology changes VLAN tags in packets to implement the mapping
between different VLANs.
Purpose
In some scenarios, two Layer 2 user networks in the same VLAN are connected through the
backbone network. To implement Layer 2 connectivity between users and deploy Layer 2
protocols such as MSTP uniformly, the two user networks need to seamlessly interwork with
each other. In this case, the backbone network needs to transmit VLAN packets from the user
networks. Generally, VLAN plan on the backbone network and user network is different, so
the backbone network cannot directly transmit VLAN packets from a user network.
One method is to configure a Layer 2 tunneling technology such as QinQ or VPLS to
encapsulate VLAN packets into packets on the backbone network so that VLAN packets are
transparently transmitted. However, this method increases extra cost because packets are
encapsulated. In addition, Layer 2 tunneling technology may not support transparent
transmission of packets of some protocol packets. The other method is to configure VLAN
mapping. When VLAN packets from a user network enter the backbone network, an edge
device on the backbone network changes the C-VLAN ID to the S-VLAN ID. After the
packets are transmitted to the other side, the edge device changes the S-VLAN ID to the C-
VLAN ID. This method implements seamless interworking between two user networks.
VLAN IDs in two directly connected Layer 2 networks are different because of different
plans. The user needs to manage the two networks as a single Layer 2 network. For example,
Layer 2 connectivity and Layer 2 protocols need to be deployed uniformly. VLAN mapping
can be configured on the switch connecting the two user networks to map VLAN IDs on the
two user networks. This implements Layer 2 connectivity and uniform management.
11.2 Principles
Basic Principles
After receiving a packet, the switch processes it based on tags:
l After receiving a tagged packet, the switch determines whether a single tag, double tags,
or the outer tag is to be replaced based on the VLAN mapping mode. Then the switch
learns the MAC addresses contained in the packet. Based on the source MAC address
and mapped VLAN ID, the switch updates the MAC address entries in the VLAN
mapping table. Based on the destination MAC address and the mapped VLAN ID, the
switch searches for the MAC address entries. If the destination MAC address matches no
entry, the switch broadcasts the packet in the specified VLAN; if the destination MAC
address matches an entry, the switch forwards the packet through the corresponding
outbound interface.
l If the packet has no tag, the switch determines whether to add a VLAN tag to the packet
based on the VLAN creation mode. If the packet cannot be added to a VLAN, the switch
delivers the packet to the CPU or discards it. If the packet can be added to a VLAN, the
switch adds a VLAN tag to it and learns the MAC addresses. Then the switch performs
Layer 2 forwarding based on the destination MAC address.
As shown in Figure 11-1, VLAN mapping between VLAN 2 and VLAN 3 is configured on
PORT 1. Before sending packets from VLAN 2 to VLAN 3, PORT 1 replaces the VLAN tags
with VLAN 3 tags. When receiving packets from VLAN 3 to VLAN 2, PORT 1 replaces the
VLAN tags with VLAN 2 tags. This implements the communication between devices in
VLAN 2 and VLAN 3.
VLAN 2 VLAN 3
2 3
PORT1
3
Switch Switch
A B
2
3
2
172.16.0.1/16 172.16.0.7/16
If devices in two VLANs need to communicate based on VLAN mapping, the IP addresses of
these devices must be on the same network segment. If their IP addresses are on different
network segments, communication between these devices must be implemented using Layer 3
routes, which makes VLAN mapping invalid.
MQC-based VLAN mapping uses a traffic classifier to classify packets based on VLAN IDs,
associates the traffic classifier with a traffic behavior defining VLAN mapping so that the
device can re-mark the VLAN ID in packets matching the traffic classifier. MQC-based
VLAN mapping implements differentiated services.
11.3 Applications
l 1 to 1 VLAN mapping
When receiving a single-tagged packet, the primary interface maps the VLAN tag to a
specified single VLAN tag.
1 to 1 VLAN mapping applies to the network shown in Figure 11-2.
VLAN 2
HSI
VLAN 2->VLAN 212
VLAN 3->VLAN 312
VLAN 3 VLAN 4->VLAN 412
IPTV
Residential
Gateway
VoIP VLAN 4
In the networking diagram shown in Figure 11-2, services (HSI, IPTV, and VoIP) of
each user are transmitted on different VLANs. Same services are transmitted on the same
C-VLAN. To differentiate users, deploy Corridor Switch to allow the same services used
by different users to be transmitted on different VLANs, which implements 1 to 1 VLAN
mapping. 1 to 1 VLAN mapping requires a large number of VLANs to isolate services of
different users; however, the VLAN quantity provided by the network access device at
the aggregation layer is limited. To resolve this problem, configure the VLAN
aggregation function to allow the same services to be transmitted on the same VLAN (N
to 1 VLAN mapping).
l 2 to 1 VLAN mapping
When the primary interface receives a double-tagged packet, the interface maps the outer
VLAN tag in the packet to an S-VLAN tag and transparently transmits the inner VLAN
tag.
2 to 1 VLAN mapping applies to the network shown in Figure 11-3.
Internet
Aggregation Switch
Community
Switch IP 501 2~3
S5
IP 501 4
Corridor IP 201 2 ~3
S3 S4
Switch IP 401 4
Residential
S1 Gateway S2
In the networking diagram shown in Figure 11-3, Residential Gateway, Corridor Switch,
and Community Switch are connected to the aggregation layer on the network. To
differentiate users and services to facilitate network management and charging, configure
the QinQ function for Corridor Switch. To save VLAN resources, configure VLAN
mapping on Community Switch to transmit the same services on the same VLAN.
l 2 to 2 VLAN mapping
2 to 2 VLAN mapping applies to the network shown in Figure 11-4.
Switch2 Switch3
Internet
outside tag:50
inner tag:60
GE1/0/1
GE1/0/1
Switch1 GE1/0/1 GE1/0/1 Switch4
In the networking diagram shown in Figure 11-4, QinQ is used to send double-tagged
packets, which prevents the conflict between C-VLAN IDs and S-VLAN IDs and
differentiates services and users. However, the primary interface will discard the packets
because C-VLAN IDs are different from S-VLAN IDs. To ensure communication
continuity, configure 2 to 2 VLAN mapping on the PE and replace double C-VLAN tags
with double S-VLAN tags.
License Support
VLAN mapping is a basic feature of a switch and is not under license control.
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
Pre-configuration Tasks
l Creating the specified VLAN
l Adding the primary interface to the translated VLAN
Context
When receiving a tagged packet, an interface maps the VLAN ID in the packet to an S-VLAN
ID.
Procedure
Step 1 Run:
system-view
NOTE
l When N:1 VLAN mapping is configured (VLAN IDs can be incontiguous before mapping), the
interface needs to be added to these VLANs in tagged mode, and the VLAN specified by map-vlan
cannot be a VLAN corresponding to a VLANIF interface.
l N:1 VLAN mapping takes effect only when the packets with original VLANs are sent first. N:1
VLAN mapping is not supported on the SA boards of S series, X1E-series, and FA-series boards.
l N:1 VLAN mapping is not supported on the Eth-Trunk interface.
----End
Context
When receiving a tagged packet, an interface maps the VLAN ID in the packet to an S-VLAN
ID.
Procedure
Step 1 Run:
system-view
NOTE
The ES0D0G24SA00 and ES0D0G24CA00 cards of the S7700 do not support VLAN mapping for
double-tagged packets.
----End
Context
When receiving a tagged packet, an interface maps the VLAN ID in the packet to an S-VLAN
ID.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
port link-type { hybrid | trunk }
Step 4 Run:
port vlan-mapping vlan vlan-id1 inner-vlan vlan-id2 map-vlan vlan-id3 map-inner-
vlan vlan-id4 [ remark-8021p 8021p-value ]
NOTE
The ES0D0G24SA00 and ES0D0G24CA00 cards of the S7700 do not support VLAN mapping for
double-tagged packets.
----End
Procedure
l Run the display vlan vlan-id command to check whether the interface is added to the
translated S-VLAN.
l Run the display current-configuration command to check the VLAN mapping
configuration on the interface.
----End
Context
After 802.1p priority-based VLAN mapping is configured on a switch, the switch processes
VLAN tags of packets flexibly based on the 802.1p priority. Communication of users with a
higher priority is ensured.
Procedure
l Configuring VLAN mapping on the inbound interface based on the 802.1p priority
a. Run:
system-view
VLAN mapping based on the 802.1p priority is not supported on the SA boards of S series.
l (Optional) Configuring VLAN mapping on the outbound interface based on the 802.1p
priority
If the DiffServ domain is created on the inbound interface and VLAN mapping is
configured based on the priority, the internal priority may be different from the 802p.1
priority. You are advised to configure VLAN mapping on the outbound interface based
on the 802.1p priority.
a. Run:
system-view
The DiffServ domain is created, and the DiffServ domain view is displayed.
c. Run:
8021p-outbound service-class color map 8021p-value
The internal priority of VLAN packets on the outbound interface in the DiffServ
domain is mapped to the 802.1p priority.
d. Run:
quit
The DiffServ domain is bound on the interface and the mapping in the DiffServ
domain is applied.
By default, an internal priority remains the same after being mapped to an external
priority.
----End
Context
A traffic policy is a QoS policy configured by binding traffic classifiers to traffic behaviors. A
traffic policy is bound to a traffic classifier and traffic behavior to implement VLAN mapping.
The traffic classifier defines rules based on VLAN IDs. VLAN mapping based on the traffic
policy implements differentiated services.
Procedure
1. Configure a traffic classifier.
a. Run:
system-view
A traffic classifier is created and the traffic classifier view is displayed, or the
existing traffic classifier view is displayed.
and is the logical operator between the rules in the traffic classifier, which means
that:
n If the traffic classifier contains ACL rules, packets match the traffic classifier
only when they match one ACL rule and all the non-ACL rules.
n If the traffic classifier does not contain any ACL rules, packets match the
traffic classifier only when they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier as long as
they match one of rules in the classifier.
By default, the relationship between rules in a traffic classifier is OR.
The if-match ip-precedence and if-match tcp commands are only valid for IPv4 packets.
The X1E series cards do not support traffic classifiers with advanced ACLs containing the
ttl-expired field or user-defined ACLs.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name }, the X1E card
does not support nest top-most vlan-id vlan-id, remark 8021p [ 8021p-value |
inner-8021p ], remark cvlan-id cvlan-id, or remark vlan-id vlan-id.
d. Run:
quit
The traffic behavior is configured. The outer VLAN ID of the packet is re-marked.
c. (Optional) Run:
remark cvlan-id vlan-id4
The traffic behavior is configured. The inner VLAN ID of the packet is re-marked.
d. Run:
quit
A traffic policy is created and the traffic policy view is displayed, or the view of an
existing traffic policy is displayed. If you do not specify a matching order for traffic
classifiers in the traffic policy, the default matching order config is used.
After a traffic policy is applied, you cannot use the traffic policy command to
change the matching order of traffic classifiers in the traffic policy. To change the
matching order, delete the traffic policy and create a new traffic policy with the
required matching order.
When creating a traffic policy, you can specify the matching order of traffic
classifiers in the traffic policy. The traffic classifiers can be matched in automatic
order (auto) or configuration order (config):
n If the matching order is auto, traffic classifiers are matched in descending
order of priorities pre-defined in the system: traffic classifiers based on Layer
2 and Layer 3 information, traffic classifiers based on Layer 2 information, and
finally traffic classifiers based on Layer 3 information. If a data flow matches
multiple traffic classifiers that are associated with conflicting traffic behavior,
the traffic behavior associated with the traffic classifier of the highest priority
takes effect.
n If the matching order is config, traffic classifiers are matched in descending
order of priorities either manually or dynamically allocated to them. This is
determined by the precedence value; a traffic classifier with a smaller
precedence value has a higher priority and is matched earlier. If you do not
specify precedence-value when creating a traffic classifier, the system
allocates a precedence value to the traffic classifier. The allocated value is
[(max-precedence + 5)/5] x 5, where max-precedence is the greatest value
among existing traffic classifiers.
NOTE
If more than 128 rate limiting ACL rules are configured in the system, traffic policies must
be applied to the interface view, VLAN view, and system view in sequence. To update an
ACL rule, delete all the associated traffic policies from the interface, VLAN, and system.
Then, reconfigure the traffic policies and reapply them to the interface, VLAN, and system.
b. Run:
classifier classifier-name behavior behavior-name
Context
During VLAN Mapping configuration, VLAN translation resources may be insufficient. You
can run command to view the total number of inbound/outbound VLAN translation resources,
the number of used VLAN translation resources, and the number of remaining VLAN
translation resources. The command output helps you locate faults.
Procedure
Step 1 Run the display vlan-translation resource [ slot slot-number ] command in any view to view
VLAN translation resource usage on a card.
Step 2 Run the display spare-bucket resource [ slot slot-number ] command in any view to view
the usage of backup resources when VLAN translation resources on a card conflict.
NOTE
Only the X1E series cards support this command.
----End
PE1 PE2
GE1/0/1 ISP GE1/0/1
VLAN10
CE1 GE1/0/3 GE1/0/3 CE2
GE1/0/1 GE1/0/2 GE1/0/1 GE1/0/2
Community1 Community2
VLAN6 VLAN5
172.16.0.2/16 172.16.0.6/16
172.16.0.1/16 172.16.0.3/16 172.16.0.5/16 172.16.0.7/16
IP addresses of devices in the VLAN5 and VLAN6 must be in the same network segment.
Configuration Roadmap
The configuration roadmap is as follows:
1. Add the switch port connecting to community 1 to VLAN6 and add the switch port
connecting to community 2 to VLAN5.
2. Configure VLAN mapping on GE1/0/1 of PE1 and PE2 and map C-VLAN IDs to S-
VLAN IDs so that users in different VLANs can communicate with each other.
Procedure
Step 1 Add downlink interfaces on switches to specified VLANs.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan 6
[CE1-vlan6] quit
[CE1] interface gigabitethernet 1/0/1
[CE1-GigabitEthernet1/0/1] port link-type access
[CE1-GigabitEthernet1/0/1] port default vlan 6
[CE1-GigabitEthernet1/0/1] quit
[CE1] interface gigabitethernet 1/0/2
[CE1-GigabitEthernet1/0/2] port link-type access
[CE1-GigabitEthernet1/0/2] port default vlan 6
[CE1-GigabitEthernet1/0/2] quit
[CE1] interface gigabitethernet 1/0/3
[CE1-GigabitEthernet1/0/3] port link-type trunk
[CE1-GigabitEthernet1/0/3] port trunk allow-pass vlan 6
[CE1-GigabitEthernet1/0/3] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan 5
[CE2-vlan5] quit
[CE2] interface gigabitethernet 1/0/1
[CE2-GigabitEthernet1/0/1] port link-type access
[CE2-GigabitEthernet1/0/1] port default vlan 5
[CE2-GigabitEthernet1/0/1] quit
[CE2] interface gigabitethernet 1/0/2
[CE2-GigabitEthernet1/0/2] port link-type access
[CE2-GigabitEthernet1/0/2] port default vlan 5
[CE2-GigabitEthernet1/0/2] quit
[CE2] interface gigabitethernet 1/0/3
[CE2-GigabitEthernet1/0/3] port link-type trunk
[CE2-GigabitEthernet1/0/3] port trunk allow-pass vlan 5
[CE2-GigabitEthernet1/0/3] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan 10
[PE2-vlan10] quit
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] port link-type trunk
[PE2-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[PE2-GigabitEthernet1/0/1] port vlan-mapping vlan 5 map-vlan 10
[PE2-GigabitEthernet1/0/1] quit
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 6
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 6
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 6
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 6
#
return
#
return
Networking Requirements
As shown in Figure 11-6, a large number of switches need to be deployed at the corridor so
that the same service used by different users can be sent on different VLANs. To save VLAN
resources, configure the VLAN aggregation function (N:1) on the switches so that same
services are sent on the same VLAN.
Internet
VLAN10
Switch GE1/0/1
VLAN100~109
SwitchA
…… …… ……
Configuration Roadmap
The configuration roadmap is as follows:
1. Create the original VLAN and the translated VLAN on the Switch and add GE1/0/1 to
the VLANs in the tagged mode.
2. Configure VLAN mapping on GE1/0/1 on the Switch.
Procedure
Step 1 Configure the Switch.
# Create a VLAN.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 100 to 109
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 10 100 to 109
#
interface gigabitethernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 100 to 109
port vlan-mapping vlan 100 to 109 map-vlan 10
#
return
sent to the ISP network successfully. To resolve this problem, ensure that the users of the
Switch5 and Switch6 can communicate with each other.
Switch3
Switch2 ISP
outside tag:50
inner tag:60
GE1/0/1 GE1/0/1
GE1/0/2 GE1/0/2
Switch1 Switch4
GE1/0/1 GE1/0/1
GE1/0/2
GE1/0/2
Switch5 Switch6
GE1/0/1 GE1/0/1
VLAN 10 VLAN 30
VLAN Mapping
Configuration Roadmap
The configuration roadmap is as follows:
1. Add switch ports connecting to users to VLAN 10 and VLAN 30.
2. Configure the QinQ function on Switch1 and Switch4 so that packets sent to the ISP
network are double-tagged.
3. Configure 2 to 2 VLAN mapping on the switch connecting to the ISP network.
Procedure
Step 1 Add downlink interfaces on switches to specified VLANs.
# Configure Switch5.
<HUAWEI> system-view
[HUAWEI] sysname Switch5
[Switch5] vlan 10
[Switch5-vlan10] quit
[Switch5] interface gigabitethernet 1/0/1
[Switch5-GigabitEthernet1/0/1] port link-type access
# Configure Switch6.
<HUAWEI> system-view
[HUAWEI] sysname Switch6
[Switch6] vlan 30
[Switch6-vlan30] quit
[Switch6] interface gigabitethernet 1/0/1
[Switch6-GigabitEthernet1/0/1] port link-type access
[Switch6-GigabitEthernet1/0/1] port default vlan 30
[Switch6-GigabitEthernet1/0/1] quit
[Switch6] interface gigabitethernet 1/0/2
[Switch6-GigabitEthernet1/0/2] port link-type trunk
[Switch6-GigabitEthernet1/0/2] port trunk allow-pass vlan 30
Step 2 Configure the QinQ function on Switch1 and Switch4 so that packets sent to the ISP network
are double-tagged.
# Configure Switch 1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 20
[Switch1-vlan20] quit
[Switch1] interface gigabitethernet 1/0/1
[Switch1-GigabitEthernet1/0/1] port link-type hybrid
[Switch1-GigabitEthernet1/0/1] port hybrid untagged vlan 20
[Switch1-GigabitEthernet1/0/1] port vlan-stacking vlan 10 stack-vlan 20
[Switch1-GigabitEthernet1/0/1] quit
[Switch1] interface gigabitethernet 1/0/2
[Switch1-GigabitEthernet1/0/2] port link-type trunk
[Switch1-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch1-GigabitEthernet1/0/2] quit
# Configure Switch 4.
<HUAWEI> system-view
[HUAWEI] sysname Switch4
[Switch4] vlan 40
[Switch4-vlan40] quit
[Switch4] interface gigabitethernet 1/0/1
[Switch4-GigabitEthernet1/0/1] port link-type hybrid
[Switch4-GigabitEthernet1/0/1] port hybrid untagged vlan 40
[Switch4-GigabitEthernet1/0/1] port vlan-stacking vlan 30 stack-vlan 40
[Switch4-GigabitEthernet1/0/1] quit
[Switch4] interface gigabitethernet 1/0/2
[Switch4-GigabitEthernet1/0/2] port link-type trunk
[Switch4-GigabitEthernet1/0/2] port trunk allow-pass vlan 40
[Switch4-GigabitEthernet1/0/2] quit
Step 3 Configure 2 to 2 VLAN mapping on the switch connecting to the ISP network.
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] interface gigabitethernet 1/0/1
[Switch2-GigabitEthernet1/0/1] port link-type hybrid
[Switch2-GigabitEthernet1/0/1] port hybrid tagged vlan 50
[Switch2-GigabitEthernet1/0/1] port vlan-mapping vlan 20 inner-vlan 10 map-vlan
50 map-inner-vlan 60
# Configure Switch3.
<HUAWEI> system-view
[HUAWEI] sysname Switch3
[Switch3] interface gigabitethernet 1/0/1
[Switch3-GigabitEthernet1/0/1] port link-type hybrid
[Switch3-GigabitEthernet1/0/1] port hybrid tagged vlan 50
[Switch3-GigabitEthernet1/0/1] port vlan-mapping vlan 40 inner-vlan 30 map-vlan
50 map-inner-vlan 60
----End
Configuration Files
l Switch1 configuration file
#
sysname Switch1
#
vlan batch 20
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 20
port vlan-stacking vlan 10 stack-vlan 20
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
return
ISP Network
Outer VLAN 300
Inner VLAN 30
SwitchC SwitchD
GE1/0/1 GE1/0/2
Enterprises A Enterprises B
Outer VLAN 100 Outer VLAN 200
Inner VLAN 10 Inner VLAN 20
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] vlan batch 300
# Configure the traffic classifier, traffic behavior, and traffic policy in the inbound direction of
SwitchA.
[SwitchA] traffic classifier name1 operator and
[SwitchA-classifier-name1] if-match vlan-id 300
[SwitchA-classifier-name1] if-match cvlan-id 30
[SwitchA-classifier-name1] quit
[SwitchA] traffic behavior name1
[SwitchA-behavior-name1] remark vlan-id 100
[SwitchA-behavior-name1] remark cvlan-id 10
[SwitchA-behavior-name1] quit
[SwitchA] traffic policy name1
[SwitchA-trafficpolicy-name1] classifier name1 behavior name1
[SwitchA-trafficpolicy-name1] quit
# Configure the traffic classifier, traffic behavior, and traffic policy in the outbound direction
of SwitchA.
[SwitchA] traffic classifier name2 operator and
[SwitchA-classifier-name2] if-match vlan-id 100
[SwitchA-classifier-name2] if-match cvlan-id 10
[SwitchA-classifier-name2] quit
[SwitchA] traffic behavior name2
[SwitchA-behavior-name2] remark vlan-id 300
[SwitchA-behavior-name2] remark cvlan-id 30
[SwitchA-behavior-name2] quit
[SwitchA] traffic policy name2
[SwitchA-trafficpolicy-name2] classifier name2 behavior name2
[SwitchA-trafficpolicy-name2] quit
# Configure the traffic classifier, traffic behavior, and traffic policy in the inbound direction of
SwitchB.
# Configure the traffic classifier, traffic behavior, and traffic policy in the outbound direction
of SwitchB.
[SwitchB] traffic classifier name2 operator and
[SwitchB-classifier-name2] if-match vlan-id 200
[SwitchB-classifier-name2] if-match cvlan-id 20
[SwitchB-classifier-name2] quit
[SwitchB] traffic behavior name2
[SwitchB-behavior-name2] remark vlan-id 300
[SwitchB-behavior-name2] remark cvlan-id 30
[SwitchB-behavior-name2] quit
[SwitchB] traffic policy name2
[SwitchB-trafficpolicy-name2] classifier name2 behavior name2
[SwitchB-trafficpolicy-name2] quit
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 300
#
traffic classifier name1 operator and precedence 5
if-match vlan-id 300
if-match cvlan-id 30
traffic classifier name2 operator and precedence 10
if-match vlan-id 100
if-match cvlan-id 10
#
traffic behavior name1
permit
remark vlan-id 100
remark cvlan-id 10
traffic behavior name2
permit
Symptom
As shown in Figure 11-9, users in VLAN 6 need to communicate with users in VLAN 5 over
an ISP network. The carrier assigns VLAN 10 as the S-VLAN. Single-tag VLAN mapping is
configured on GE 1/0/1 of SwitchC and SwitchD to map C-VLANs 5 and 6 to S-VLAN 10.
ISP network
VLAN10
SwitchC SwitchD
GE1/0/1 GE1/0/1
SwitchA SwitchB
VLAN6 GE1/0/1 GE1/0/1 VLAN5
GE1/0/2 GE1/0/3 GE1/0/3
GE1/0/2
After VLAN mapping is configured on the interfaces, users in different VLANs cannot
communicate with each other. This fault is commonly caused by one of the following:
l The translated VLAN (map-vlan) has not been created.
l The interfaces configured with VLAN mapping are not added to the translated VLAN.
l The translated VLAN ID configured on SwitchC and SwitchD is different from the S-
VLAN ID assigned by the carrier.
l The interfaces configured with VLAN mapping are faulty.
Procedure
1. In the user view, run the display vlan command to verify that the translated VLAN
(map-vlan) is created.
– If the translated VLAN has not been created, run the vlan command to create it.
– If the translated VLAN is created, go to the next step.
2. In the interface view, run the display this command to verify that the interfaces
configured with VLAN mapping have been added to the translated VLAN in tagged
mode.
NOTE
l VLAN mapping can be configured only on a trunk or hybrid interface, and the hybrid interface
must be added to the translated VLAN in tagged mode.
l If a range of original VLANs is specified by vlan-id1 to vlan-id2 on an interface, the interface must
be added to all the original VLANs in tagged mode, and the translated VLAN cannot have a
VLANIF interface.
l Limiting MAC address learning on an interface may affect N to 1 VLAN mapping on the interface.
– If the interfaces configured with VLAN mapping have not been added to the
translated VLAN in tagged mode, run the port trunk allow-pass vlan or port
hybrid tagged vlan command in the interface view to add the interfaces to the
translated VLAN in tagged mode.
– If the interfaces have been added to the translated VLAN in tagged mode, go to the
next step.
3. In the interface view, run the display this command to verify that the translated VLAN
ID configured on the interface is the same as the S-VLAN ID assigned by the carrier.
– If the translated VLAN ID on an interface is different from the S-VLAN ID
assigned by the carrier, run the undo port vlan-mapping command on the interface
to delete the VLAN mapping configuration, and run the port vlan-mapping vlan
command to set the translated VLAN ID to the S-VLAN ID.
– If the translated VLAN ID is the same as the S-VLAN ID assigned by the carrier,
go to the next step.
4. In the user view, run the display vlan vlan-id command to verify that user-side interfaces
are added to C-VLANs.
– If the user-side interfaces are not in the C-VLANs, run the port trunk allow-pass
vlan, port hybrid tagged vlan, or port default vlan command to add the
interfaces to the C-VLANs.
12 GVRP Configuration
This chapter describes how to configure the Generic VLAN Registration Protocol (GVRP).
Definition
The Generic Attribute Registration Protocol (GARP) provides a mechanism to propagate
attributes so that a protocol entity can register and deregister attributes. By filling different
attributes into GARP packets, GARP supports different upper-layer applications.
The GARP VLAN Registration Protocol (GVRP) is used to register and deregister VLAN
attributes.
GARP identifies applications through destination MAC addresses. IEEE Std 802.1Q assigns
01-80-C2-00-00-21 to the VLAN application (GVRP).
Purpose
To deploy certain VLANs on all devices on a network, the network administrator needs to
manually create these VLANs on each device. As shown in Figure 12-1, three routers are
connected through trunk links. VLAN 2 is configured on Switch A, and VLAN 1 is
configured on Switch B and Switch C. To forward packets of VLAN 2 from Switch A to
Switch C, the network administrator must manually create VLAN 2 on Switch B and Switch
C.
SwitchB
When a network is complicated and the network administrator is unfamiliar with the network
topology or when many VLANs are configured on the network, huge workload is required for
manual configuration. In addition, configuration errors may occur. In this case, you can
configure GVRP on the network to implement automatic registration of VLANs.
Benefits
GVRP is based on GARP and is used to maintain VLAN attributes dynamically on devices.
Through GVRP, VLAN attributes of one device can be propagated throughout the entire
switching network. GVRP enables network devices to dynamically deliver, register, and
propagate VLAN attributes, reducing workload of the network administrator and ensuring
correct configuration.
12.2 Principles
Participant
On a device, each port running a protocol is considered as a participant. On a device running
GVRP, each GVRP-enabled port is considered as a GVRP participant, as shown in Figure
12-2.
GVRP participants
SwitchA SwitchC
SwitchB
GVRP registers and deregisters VLAN attributes through attribute declarations and reclaim
declarations as follows:
l When a port receives a VLAN attribute declaration, it registers the VLAN specified in
the declaration. That is, the port is added to the VLAN.
l When a port receives a VLAN attribute reclaim declaration, it deregisters the VLAN
specified in the declaration. That is, the port is removed from the VLAN.
Reclaim Deregister
SwitchA declaration SwitchB
GARP Messages
GARP participants exchange VLAN information through GARP messages. Major GARP
messages are Join messages, Leave messages, and LeaveAll messages.
l Join message
When a GARP participant expects other devices to register its attributes, it sends Join
messages to other devices. When the GARP participant receives a Join message from
another participant or is configured with attributes statically, it also sends Join messages
to other devices for the devices to register the new attributes.
Join messages are classified into JoinEmpty messages and JoinIn messages. The
difference between the two types of messages is:
– JoinEmpty: declares an unregistered attribute.
– JoinIn: declares a registered attribute.
l Leave message
When a GARP participant expects other devices to deregister its attributes, it sends
Leave messages to other devices. When the GARP participant receives a Leave message
from another participant or some of its attributes are deregistered statically, it also sends
Leave messages to other devices.
Leave messages are classified into LeaveEmpty messages and LeaveIn messages. The
difference between the two types of messages is:
– LeaveEmpty: deregisters an unregistered attribute.
– LeaveIn: deregisters a registered attribute.
l LeaveAll message
When a participant starts, it starts the LeaveAll timer. When the LeaveAll timer expires,
the participant sends LeaveAll messages to other devices.
A participant sends LeaveAll messages to deregister all attributes so that other
participants can re-register attributes of the local participant. LeaveAll messages are used
to periodically delete useless attributes on the network. For example, an attribute of a
participant is deleted but the participant does not send Leave messages to request other
participants to deregister the attribute because of a sudden power failure. Then this
attribute becomes useless.
GARP Timers
The GARP protocol defines four timers:
l Join timer
The Join timer controls sending of Join messages including JoinIn messages and
JoinEmpty messages.
After sending the first Join message, a participant starts the Join timer. If the participant
receives a JoinIn message before the Join timer expires, it does not send the second Join
message. If the participant does not receive any JoinIn message, it sends the second Join
message when the Join timer expires. This ensures that the Join message can be sent to
other participants. Each port maintains an independent Join timer.
l Hold timer
The Hold timer controls sending of Join messages (JoinIn messages and JoinEmpty
messages) and Leave messages (LeaveIn messages and LeaveEmpty messages).
After a participant is configured with an attribute or receives a message, it does not send
the message to other participants before the Hold timer expires. The participant
encapsulates messages received within the hold time into a minimum number of packets,
reducing the packets sent to other participants. If the participant does not use the Hold
timer but forwards a message immediately after receiving one, a large number of packets
are transmitted on the network. This makes the network unstable and wastes data fields
of packets.
Each port maintains an independent Hold timer. The Hold timer value must be equal to
or smaller than half of the Join timer value.
l Leave timer
The Leave timer controls attribute deregistration.
A participant starts the Leave timer after receiving a Leave or LeaveAll message. If the
participant does not receive any Join message of the corresponding attribute before the
Leave timer expires, the participant deregisters the attribute.
A participant sends a Leave message if one of its attributes is deleted, but this attribute
may still exist on other participants. Therefore, the participant receiving the Leave
message cannot deregister the attribute immediately and needs to wait for messages from
other participants.
For example, an attribute has two sources on the network: participant A and participant
B. Other participants register the attribute through GARP. If the attribute is deleted from
participant A, participant A sends a Leave message to other participants. After receiving
the Leave message, participant B sends a Join message to other participants because the
attribute still exists on participant B. After receiving the Join message from participant
B, other participants retain the attribute. Other participants deregister the attribute only if
they do not receive any Join message of the attribute within a period longer than two
times the Join timer value. Therefore, the Leave timer value must be greater than two
times the Join timer value.
Each port maintains an independent Leave timer.
l LeaveAll timer
When a GARP participant starts, it starts the LeaveAll timer. When the LeaveAll timer
expires, the participant sends a LeaveAll message and restarts the LeaveAll timer.
After receiving a LeaveAll message, a participant restarts all GARP timers. The
participant sends another LeaveAll message when its LeaveAll timer expires. This
reduces LeaveAll messages sent in a period of time.
If LeaveAll timers of multiple devices expire at the same time, they send LeaveAll
messages at the same time, which causes unnecessary LeaveAll messages. To solve this
problem, each device uses a random value between the LeaveAll timer value and 1.5
times the LeaveAll timer value as its LeaveAll timer value. When a LeaveAll event
occurs, all attributes on the entire network are deregistered. The LeaveAll event affects
the entire network; therefore, you need to set the LeaveAll timer to a proper value, at
least greater than the Leave timer value.
Registration Modes
A manually configured VLAN is a static VLAN, and a VLAN created through GVRP is a
dynamic VLAN. GVRP provides three registration modes. Static VLANs and dynamic
VLANs are processed differently in each registration mode as follows:
l Normal mode: Dynamic VLANs can be registered on a port, and the port can send
declarations of static VLANs and dynamic VLANs.
l Fixed mode: Dynamic VLANs cannot be registered on a port, and the port can send only
declarations of static VLANs.
l Forbidden mode: Dynamic VLANs cannot be registered on a port. All VLANs except
VLAN 1 are deleted from the port, and the port can send only the declaration of VLAN
1.
GARP packets are encapsulated in the IEEE 802.3 Ethernet format, as shown in Figure 12-4.
1 2 N
1 N
1 2 3 N
Attribute Length Attribute Event Attribute Value Attribute structure
Attribute Event Indicates the event that an The value can be:
attribute describes. l 0: LeaveAll Event
l 1: JoinEmpty Event
l 2: JoinIn Event
l 3: LeaveEmpty Event
l 4: LeaveIn Event
l 5: Empty Event
One-Way Registration
Port 2 Port 3
SwitchB
Static VLAN 2 is created on RouterA. Ports on RouterB and RouterC can join VLAN 2
automatically through one-way registration. The process is as follows:
1. After VLAN 2 is created on RouterA, Port 1 of RouterA starts the Join timer and Hold
timer. When the Hold timer expires, Port 1 sends the first JoinEmpty message to
RouterB. When the Join timer expires, Port 1 restarts the Hold timer. When the Hold
timer expires again, Port 1 sends the second JoinEmpty message.
2. After Port 2 of RouterB receives the first JoinEmpty message, RouterB creates dynamic
VLAN 2 and adds Port 2 to VLAN 2. In addition, RouterB requests Port 3 to start the
Join timer and Hold timer. When the Hold timer expires, Port 3 sends the first JoinEmpty
message to RouterC. When the Join timer expires, Port 3 restarts the Hold timer. When
the Hold timer expires again, Port 3 sends the second JoinEmpty message. After Port 2
receives the second JoinEmpty message, RouterB does not take any action because Port
2 has been added to VLAN 2.
3. After Port 4 of RouterC receives the first JoinEmpty message, RouterC creates dynamic
VLAN 2 and adds Port 4 to VLAN 2. After Port 4 receives the second JoinEmpty
message, RouterC does not take any action because Port 4 has been added to VLAN 2.
4. Every time the LeaveAll timer expires or a LeaveAll message is received, each router
restarts the LeaveAll timer, Join timer, Hold timer, and Leave timer. Then Port 1 repeats
step 1 to send JoinEmpty messages. Port 3 of RouterB sends JoinEmpty messages to
RouterC in the same way.
Two-Way Registration
SwitchB
After one-way registration is complete, Port 1, Port 2, and Port 4 are added to VLAN 2 but
Port 3 is not added to VLAN 2 because only ports receiving a JoinEmpty or JoinIn message
can be added to dynamic VLANs. To transmit traffic of VLAN 2 in both directions, VLAN
registration from RouterC to RouterA is required. The process is as follows:
1. After one-way registration is complete, static VLAN 2 is created on RouterC (the
dynamic VLAN is replaced by the static VLAN). Port 4 of RouterC starts the Join timer
and Hold timer. When the Hold timer expires, Port 4 sends the first JoinIn message
(because it has registered VLAN 2) to RouterB. When the Join timer expires, Port 4
restarts the Hold timer. When the Hold timer expires, Port 4 sends the second JoinIn
message.
2. After Port 3 of RouterB receives the first JoinIn message, RouterB adds Port 3 to VLAN
2 and requests Port 2 to start the Join timer and Hold timer. When the Hold timer expires,
Port 2 sends the first JoinIn message to RouterA. When the Join timer expires, Port 2
restarts the Hold timer. When the Hold timer expires again, Port 2 sends the second
JoinIn message. After Port 3 receives the second JoinIn message, RouterB does not take
any action because Port 3 has been added to VLAN 2.
3. When RouterA receives the JoinIn message, it stops sending JoinEmpty messages to
RouterB. Every time the LeaveAll timer expires or a LeaveAll message is received, each
router restarts the LeaveAll timer, Join timer, Hold timer, and Leave timer. Port 1 of
RouterA sends a JoinIn message to RouterB when the Hold timer expires.
4. RouterB sends a JoinIn message to RouterC.
5. After receiving the JoinIn message, RouterC does not create dynamic VLAN 2 because
static VLAN 2 has been created.
One-Way Deregistration
Static vlan 2
LeaveEmpty Port 4
Port 1
LeaveIn
Port 2 Port 3
SwitchB
When VLAN 2 is not required on the routers, the routers can deregister VLAN 2. The process
is as follows:
1. After static VLAN 2 is manually deleted from RouterA, Port 1 of RouterA starts the
Hold timer. When the Hold timer expires, Port 1 sends a LeaveEmpty message to
RouterB. Port 1 needs to send only one LeaveEmpty message.
2. After Port 2 of RouterB receives the LeaveEmpty message, it starts the Leave timer.
When the Leave timer expires, Port 2 deregisters VLAN 2. Then Port 2 is deleted from
VLAN 2, but VLAN 2 is not deleted from RouterB because Port 3 is still in VLAN 2. At
this time, RouterB requests Port 3 to start the Hold timer and Leave timer. When the
Hold timer expires, Port 3 sends a LeaveIn message to RouterC. Static VLAN 2 is not
deleted from RouterC; therefore, Port 3 can receive the JoinIn message sent from Port 4
after the Leave timer expires. In this case, RouterA and RouterB can still learn dynamic
VLAN 2.
3. After RouterC receives the LeaveIn message, Port 4 is not deleted from VLAN 2
because VLAN 2 is a static VLAN on RouterC.
Two-Way Deregistration
LeaveEmpty Port 4
Port 1 LeaveEmpty
LeaveEmpty LeaveIn
Port 2 Port 3
SwitchB
To delete VLAN 2 from all the routers, two-way deregistration is required. The process is as
follows:
1. After static VLAN 2 is manually deleted from RouterC, Port 4 of RouterC starts the
Hold timer. When the Hold timer expires, Port 4 sends a LeaveEmpty message to
RouterB.
2. After Port 3 of RouterB receives the LeaveEmpty message, it starts the Leave timer.
When the Leave timer expires, Port 3 deregisters VLAN 2. Then Port 3 is deleted from
dynamic VLAN 2, and dynamic VLAN 2 is deleted from RouterB. At this time, RouterB
requests Port 2 to start the Hold timer. When the Hold timer expires, Port 2 sends a
LeaveEmpty message to RouterA.
3. After Port 1 of RouterA receives the LeaveEmpty message, it starts the Leave timer.
When the Leave timer expires, Port 1 deregisters VLAN 2. Then Port 1 is deleted from
dynamic VLAN 2, and dynamic VLAN 2 is deleted from RouterA.
12.3 Applications
GVRP enables routers on a network to dynamically maintain and update VLAN information.
With GVRP, you can adjust the VLAN deployment on the entire network by configuring only
a few devices. You do not need to analyze the topology and manage configurations. As shown
in Figure 12-9, GVRP is enabled on all devices. Devices are interconnected through trunk
ports and each trunk port allows packets of all VLANs to pass. You simply need to configure
static VLANs 100 to 1000 on SwitchA and SwitchC. Then the other devices can learn
VLANs 100 to 1000 through GVRP.
SwitchA SwitchC
License Support
GVRP is a basic feature of a switch and is not under license control.
Version Support
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
Table 12-2 Relationship between GARP timer values and number of dynamic VLANs
that need to be registered
Number of Dynamic VLANs to Be Registered (N)
Timer N <= 500 500 < N <= 1000 < N <= N > 1500
1000 1500
l The blocked port in instance 0 of STP/RSTP/MSTP can block GVRP packets; the
blocked ports of other MSTIs and other ring network protocols such as ERPS, SEP,
RRPP, Smart Link, and VBST cannot block GVRP packets. To ensure that GVRP runs
normally and prevent GVRP loops, do not enable GVRP on the blocked port of a ring
network protocol.
l The blocked ports of LDT and LBDT cannot block GVRP packets. To ensure that GVRP
runs normally and prevent GVRP loops, do not enable GVRP on the blocked port of
LDT and LBDT.
Context
Before enabling GVRP on an interface, you must enable GVRP globally. GVRP can be
enabled only on trunk interfaces. You must perform related configurations to ensure that all
dynamically registered VLANs can pass the trunk interfaces.
NOTE
When the VCMP role is the client or server, GVRP cannot be enabled. In this case, run the vcmp role
command to configure the VCMP role as silent or transparent. If GVRP has been enabled, do not switch the
VCMP role to client or server.
Procedure
Step 1 Run:
system-view
Step 2 Run:
gvrp
Step 3 Run:
interface interface-type interface-number
Step 4 Run:
port link-type trunk
Step 5 Run:
port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }
Step 6 Run:
gvrp
NOTE
VLAN configuration will trigger GVRP messages. If too many VLANs are configured, you are advised
to configure VLANs on devices one by one and configure the timer. Otherwise, dynamic VLANs may
flap.
When many dynamically registered VLANs such as 4094 VLANs are configured, run the car packet-
type gvrp cir cir-value command to increase the CPCAR value. To prevent a high load on the CPU, the
CPCAR cannot be increased infinitely. If the CPCAR values are adjusted improperly, network services
are affected. To adjust the CPCAR values, contact Huawei technical support engineers.
If an interface is changed to another link type, such as access, hybrid, negotiation-desirable, or
negotiation-auto, the GVRP configuration on the interface is automatically deleted.
The blocking port in instance 0 of STP/RSTP/MSTP can block GVRP packets; the blocking ports of
other MSTIs and other ring network protocols such as ERPS, SEP, RRPP, Smart Link, and VBST cannot
block GVRP packets. To ensure that GVRP runs normally and prevent GVRP loops, do not enable
GVRP on the blocking port of a ring network protocol.
----End
Context
A GVRP interface supports three registration modes:
l Normal: In this mode, the GVRP interface can dynamically register and deregister
VLANs, and transmit dynamic VLAN registration information and static VLAN
registration information.
l Fixed: In this mode, the GVRP interface is disabled from dynamically registering and
deregistering VLANs and can transmit only the static VLAN registration information. If
the registration mode is set to fixed for a trunk interface, the interface allows only the
manually configured VLANs to pass even if it is configured to allow all the VLANs to
pass.
l Forbidden: In this mode, the GVRP interface is disabled from dynamically registering
and deregistering VLANs and can transmit only information about VLAN 1. If the
registration mode is set to forbidden for a trunk interface, the interface allows only
VLAN 1 to pass even if it is configured to allow all the VLANs to pass.
Procedure
Step 1 Run:
system-view
NOTE
Before setting the registration mode for an interface, enable GVRP on the interface.
----End
Context
When a GARP participant is enabled, the LeaveAll timer is started. When the LeaveAll timer
expires, the GARP participant sends LeaveAll messages to request other GARP participants
to re-register all its attributes. Then the LeaveAll timer restarts.
Devices on a network may have different settings for the LeaveAll timer. In this case, all the
devices use the smallest LeaveAll timer value on the network. When the LeaveAll timer of a
device expires, the device sends LeaveAll messages to other devices. After other devices
receive the LeaveAll messages, they reset their LeaveAll timers. Therefore, only the LeaveAll
timer with the smallest value takes effect even if devices have different settings for the
LeaveAll timer.
When using the garp timer command to set the GARP timers, pay attention to the following
points:
l The undo garp timer command restores the default values of GARP timers. If the
default value of a timer is out of the valid range, the undo garp timer command does
not take effect.
l The value range of each timer changes with the values of the other timers. If a value you
set for a timer is not in the allowed range, you can change the value of the timer that
determines the value range of this timer.
l To restore the default values of all the GARP timers, restore the Hold timer to the default
value, and then sequentially restore the Join timer, Leave timer, and LeaveAll timer to
the default values.
When many dynamic VLANs need to be registered or the network radius is large, using
default values of timers may cause VLAN flapping and high CPU usage. In this case, increase
values of the timers. The following values are recommended depending on the number of
VLANs.
Table 12-3 Relationship between GARP timer values and number of dynamic VLANs that
need to be registered
Number of Dynamic VLANs to Be Registered (N)
Timer N<=500 500<N<=1000 1000<N<=150 N>1500
0
Procedure
Step 1 Run:
system-view
Step 2 Run:
garp timer leaveall timer-value
The default value of the LeaveAll timer is 1000 centiseconds (10 seconds).
The Leave timer length on an interface is restricted by the global LeaveAll timer length.
When configuring the global LeaveAll timer, ensure that all the interfaces configured with a
GARP Leave timer are working properly.
Step 3 Run:
interface interface-type interface-number
Step 4 Run:
garp timer { hold | join | leave } timer-value
The value of the Hold timer, Join timer, or Leave timer is set.
By default, the value of the Hold timer is 10 centiseconds, the value of the Join timer is 20
centiseconds, and the value of the Leave timer is 60 centiseconds.
----End
Procedure
l Run the display gvrp status command to view the status of global GVRP.
----End
Context
NOTICE
GVRP statistics cannot be restored after being cleared. Confirm your action before using this
command.
Procedure
Step 1 Run the reset garp statistics [ interface { interface-type interface-number [ to interface-type
interface-number ] }&<1-10> ] command in the user view to clear GARP statistics on the
specified interfaces.
----End
Networking Requirements
As shown in Figure 12-10, company A, a branch of company A, and company B are
connected using switches. To implement dynamic VLAN registration, enable GVRP. The
branch of company A can communicate with the headquarters using SwitchA and SwitchB.
Company B can communicate with company A using SwitchB and SwitchC. Interfaces
connected to company A allow only the VLAN to which company B belongs to pass.
Branch of
Company B
company A
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable GVRP to implement dynamic VLAN registration.
2. Configure GVRP on all switches of company A and set the registration mode to normal
for the interfaces to simplify configurations.
3. Configure GVRP on all switches of company A and set the registration mode to fixed for
the interfaces connecting to company A to allow only the VLAN to which company B
belongs to pass.
NOTE
Before enabling GVRP, you must configure the VCMP role as transparent or silent.
Procedure
Step 1 Configure SwitchA.
# Enable GVRP globally.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vcmp role silent
[SwitchA] gvrp
# Set the link type of GE 1/0/1 and GE 1/0/2 to trunk and configure the interfaces to allow all
VLANs to pass through.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan all
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan all
[SwitchA-GigabitEthernet1/0/2] quit
The configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned
here.
Step 2 Configure SwitchB.
# Enable GVRP globally.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vcmp role silent
[SwitchB] gvrp
# Set the link type of GE 1/0/1 and GE 1/0/2 to trunk and configure the interfaces to allow all
VLANs to pass through.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan all
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan all
[SwitchB-GigabitEthernet1/0/2] quit
# Set the link type of GE 1/0/1 and GE 1/0/2 to trunk and configure the interfaces to allow all
VLANs to pass through.
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan all
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-type trunk
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan all
[SwitchC-GigabitEthernet1/0/2] quit
Run the display gvrp statistics command on SwitchA to view GVRP statistics on GVRP
interfaces, including the GVRP state of each interface, number of GVRP registration failures,
source MAC address of the last GVRP PDU, and registration mode of each interface.
[SwitchA] display gvrp statistics
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vcmp role silent
#
gvrp
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
return
#
sysname SwitchB
#
vcmp role silent
#
gvrp
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
return
12.9 FAQ
12.9.1 Why Is the CPU Usage High When VLANs Are Created or
Deleted Through GVRP in Default Configuration?
The switch supports VLAN configuration on devices at both ends. When GVRP is enabled on
the network, it advertises information about dynamic VLANs in two directions. Then the
intermediate devices dynamically create and delete VLANs based on the information.
Dynamic maintenance of VLANs can greatly reduce manual configurations.
The maximum 4 K dynamic VLANs are frequently created and deleted, which triggers larger
amount of packet communication. Receiving packets and delivering dynamic VLANs occupy
large amount of CPU resources.
In actual networking, you need to adjust GVRP timers to the recommended values.
NOTE
The recommended values of the GVRP timers are as follows:
GARP Hold timer: 100 centiseconds (1 second)
GARP Join timer: 600 centiseconds (6 seconds)
GARP Leave timer: 3000 centiseconds (30 seconds)
GARP LeaveAll timer: 12,000 centiseconds (2 minutes)
When more than 100 dynamic VLANs are created, use the preceding recommended values. When the
number of dynamic VLANs increases, lengths of the GARP timers need to be increased.
12.10 References
The following table lists the references of this document.
13 VCMP Configuration
This chapter describes how to configure the VLAN Central Management Protocol (VCMP).
VCMP allows VLAN creation and deletion on a switch to be synchronized to other specified
switches on a Layer 2 network, implementing centralized VLAN management and
maintenance and reducing network maintenance workload.
Definition
The Virtual Local Area Network Central Management Protocol (VCMP), a Layer 2 protocol
in the Open System Interconnection (OSI) model, transmits VLAN information and ensures
consistent VLAN information on the Layer 2 network.
Purpose
In most cases, switches on an enterprise network need to synchronize VLAN information with
each other to ensure that they can correctly forward data. On a small-scale enterprise network,
the network administrator can log in to each switch to configure and maintain VLANs. On a
large-scale enterprise network, a lot of switches are deployed, so a large amount of VLAN
information needs to be configured and maintained. If the network administrator manually
configures and maintains all VLANs, the workload is heavy and VLAN information may be
inconsistent.
NOTE
l VCMP can only help the network administrator synchronize VLAN information but not dynamically
assign VLANs. VCMP is often used with Link-type Negotiation Protocol (LNP) to simplify user
configurations. For details about LNP, see 4.2.2 LNP.
l Generic VLAN Registration Protocol (GVRP) can reduce VLAN configurations and dynamically
assign interfaces to VLANs. GVRP creates dynamic VLANs, but VCMP creates static VLANs.
Benefits to Customers
VCMP configured on a switch of a Layer 2 network brings in the following benefits:
l Implements centralized VLAN management and maintenance, and reduces the network
maintenance workload.
l Implements the plug-and-play function of access switches.
13.2 Principles
VCMP uses a VCMP domain to manage switches and determine attributes of switches in the
VCMP domain based on roles. VCMP defines four roles: server, client, transparent, and
silent. Figure 13-1 shows VCMP domains and roles in the VCMP domains.
Server
VCMP VCMP
domain 1 domain 2
Layer 2
network
Client Client Client
VCMP Domain
As shown in Figure 13-1, a VCMP domain is composed of switches that have the same
VCMP domain name and are connected through trunk or hybrid interfaces. All switches in the
VCMP domain must use the same domain name, and each switch can join only one VCMP
domain. Switches in different VCMP domains cannot synchronize VLAN information.
A VCMP domain specifies the scope for the administrative switch and managed switches.
Switches in a VCMP domain are managed by the administrative switch. There is only one
administrative switch and multiple managed switches in a VCMP domain.
VCMP Roles
VCMP determines attributes of switches based on VCMP roles. Table 13-1 describes VCMP
roles.
NOTE
l VCMP transparent and silent switches do not belong to any VCMP domain.
l If an edge switch in a VCMP domain needs to be managed, configure the edge switch as a VCMP
client. To prevent VCMP packets in the local VCMP domain from being transmitted to other VCMP
domains, disable VCMP on the edge switch interface connected to other VCMP domains.
13.2.2 Implementation
VCMP enables switches of different roles to exchange VCMP packets to implement
centralized VLAN management. VCMP packets can be only transmitted in VLAN 1 on trunk
or hybrid interfaces. To retain the same VLAN information on the VCMP server and clients,
VCMP defines two types of multicast packets: Summary-Advert and Advert-Request. Table
13-2 describes the functions and applicable scenarios of the two types of packets.
Summa The VCMP server sends l The VCMP server VCMP server
ry- Summary-Advert sends a Summary-
Advert packets to other devices Advert packet every
in the local VCMP 5 minutes to ensure
domain to notify them of real-time
the domain name, device synchronization of
ID, configuration VLAN information
revision number, and on the VCMP server
VLAN information. and clients and
prevent VLAN
information loss due
to packet loss.
l The VCMP server
configuration is
changed. For
example, VLANs are
created or deleted,
the VCMP domain
name or device ID is
changed, and the
VCMP server
restarts.
l The VCMP server
receives Advert-
Request packets
from VCMP clients
in the same VCMP
domain.
Summary-Advert packets sent by the VCMP server carry the configuration revision number.
A VCMP client uses it to determine whether VLAN information sent from the VCMP server
is newer than the local VLAN information. If so, the VCMP client synchronizes VLAN
information with the VCMP server.
A configuration revision number is represented by an 8-digit hexadecimal number. The four
left-most bits indicate the change of the VCMP domain or device ID and the four right-most
bits indicate the VLAN change. Upon a VLAN change on the VCMP server, the configuration
revision number is automatically increased. When the VCMP domain name or device ID
changes, the four left-most bits of the configuration revision number are recalculated and the
four right-most bits are reset.
In Figure 13-2:
l SwitchA: VCMP server
l SwitchB: VCMP transparent switch
l SwitchC, SwitchD and SwitchE: VCMP clients
l SwitchF: VCMP silent switch
Figure 13-2 VLAN synchronization when the VCMP server configuration changes
Create VLAN 100.
4. Discard packets.
Silent
VLAN 100 does not
SwitchF need to be created.
Summary-Advert packet
– If the VCMP client receives the packet for the first time, it learns the device ID,
revision number, and VLAN ID in the packet. If the VCMP domain name of the
VCMP client is empty, the VCMP client learns the VCMP domain name in the
packet.
– If it is not the first time the VCMP client receives the packet, the VCMP processes
the packet as follows:
i. The VCMP client performs VCMP authentication for the Summary-Advert
packet according to the configured authentication password, and VCMP
domain name, device ID, and configuration revision number in the Summary-
Advert packet. After the Summary-Advert packet is authenticated, the VCMP
client proceeds to the next step.
ii. If the VCMP domain name and device ID are saved locally, the VCMP client
compares the local ones with those in the Summary-Advert packet. When the
local ones are the same as those in the packet, the VCMP client proceeds to the
next step.
iii. The VCMP client compares the local configuration revision number with that
in the Summary-Advert packet:
○ If the four left-most bits are different, the VCMP client synchronizes
VLAN information with the VCMP server according to the Summary-
Advert packet and learns the VCMP domain name and device ID.
○ If the four left-most bits are the same, the VCMP client checks whether
the local four right-most bits are smaller than or equal to those in the
Summary-Advert packet. If so, the VCMP client only synchronizes
VLAN information with the VCMP server.
iv. The VCMP client forwards the Summary-Advert packet to other devices in the
local VCMP domain.
Here, it is not the first time the VCMP client receives the Summary-Advert packet. The
VCMP client finds that the highest four bits in the local revision number are the same as
those in the Summary-Advert packet but the lowest four bits in the local revision number
are smaller than or equal to those in the Summary-Advert packet. The VCMP client
therefore synchronizes information of the VCMP server according to the Summary-
Advert packet, and creates VLAN 100 locally.
4. SwitchF directly discards the packet.
NOTE
VLAN information synchronization is similar in other scenarios where Summary-Advert packets are
triggered.
l VLAN information synchronization is similar in other scenarios where Summary-Advert packets are
triggered.
l Within 30 minutes after a client synchronizes VLAN information from the server, the client
generates the vlan.dat file to store the current VLAN information. After the client restarts, the client
reads the vlan.dat file to obtain the VLAN information before the restart. The vlan.dat file cannot
be modified, deleted, or overwritten. The file is deleted when the following operations are
performed:
l Run the reset vcmp command to clear VCMP domain information.
l Run the vcmp role { server | silent | transparent } command to change the VCMP role to
non-client.
l Run the startup saved-configuration configuration-file command to configure a new
configuration file whose name is different from the name of the current configuration file.
l Run the reset saved-configuration command to delete the saved configuration file. This
operation will delete all the configuration.
In Figure 13-3:
l SwitchA: VCMP server
l SwitchB: VCMP transparent switch
l SwitchC and SwitchE: VCMP silent switches
l SwitchD: VCMP client
l SwitchF: new VCMP client
Transparent
SwitchB Directly forward VCMP packets.
Determine and
Silent Client Silent
forward VCMP
SwitchC SwitchD SwitchE
packets.
Directly discard Directly discard
VCMP packets. VCMP packets.
Trigger an Advert-
Request packet. Synchronize VLAN
information on the server.
New client
SwitchF
Summary-Advert packet
Advert-Request packet
After SwitchF is configured with VCMP and specified as a VCMP client, SwitchF becomes
the new VCMP client.
NOTE
Advert-Request packets are triggered when a VCMP client restarts or a VCMP interface goes Up.
VLAN information synchronization is similar.
Multi-Server Trap
Only one VCMP server exists in a VCMP domain. To prevent attacks of bogus VCMP
servers, the VCMP server matches the VCMP domain name, device ID, and source MAC
address in the received Summary-Advert packets with local ones. If the VCMP domain name
and device ID match local ones but the source MAC address in the packet is different from
the system MAC address, the VCMP server sends a trap about the multi-server event to the
NMS.
To prevent the VCMP server from being affected by too many traps, the VCMP server sends
traps to the NMS once every 30 minutes.
VCMP Authentication
When an unauthorized switch joins a VCMP domain, VLAN information on the switch may
be synchronized in the VCMP domain, affecting network stability. To prevent unauthorized
switches from joining a VCMP domain and enhance VCMP domain security, configure a
VCMP domain authentication password on the VCMP server and clients.
If the VCMP domain authentication password is configured on the VCMP server or a VCMP
client, the VCMP server or VCMP client uses the password character string (empty character
string is used by default) as the key and performs SHA-256 for the VCMP domain name, and
device ID to obtain a digest. Then the VCMP server encapsulates the digest in a Summary-
Advert packet or the VCMP client encapsulates the digest in an Advert-Request packet. When
each VCMP client in the VCMP domain receives a Summary-Advert packet from the VCMP
server, the VCMP client uses the locally configured password to perform SHA-256 for the
VCMP domain name, device ID, and configuration revision number, and compares the
calculated digest with the digest in the Summary-Advert packet. If the calculated digest
matches the digest in the Summary-Advert packet, the Summary-Advert packet passes
authentication and further VCMP processing is performed. Otherwise, the Summary-Advert
packet is discarded. When the VCMP server receives an Advert-Request packet from a
VCMP client, authentication and processing are similar.
If no domain authentication password is set, VCMP packets pass without authentication.
NOTE
l In a VCMP domain, the VCMP domain authentication password on the VCMP server and clients
must be the same.
l To ensure device security, change the password periodically.
Internet
Router
Core
switch
Department A Department B
Server Server
AGG1 AGG2 VCMP2
VCMP1
NOTE
VCMP packets can be only transmitted on trunk and hybrid interfaces. When deploying VCMP, you
need to deploy LNP to dynamically negotiate the link type, which simplifies use configurations. For
details about LNP, see 4.2.2 LNP.
License Support
VCMP is a basic feature of a switch and is not under license control.
Version Support
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
VLAN switch configuration. For details on how to configure the VLAN switch function,
see 6 VLAN Switch Configuration.
l After a VLAN is deleted on the VCMP server, VCMP clients delete the VLAN but do
not delete configurations in the VLAN. In addition, the vlan vlan-id configuration
command is generated in the configuration file, and the configurations in the deleted
VLAN specified by vlan-id are moved to the VLAN configuration view.
l When the device used as a VCMP client that connects to a VCMP server restarts, the
VLAN configuration before the restart takes effect. To make the saved VLAN
configuration take effect, use one of the following methods to delete the vlan.dat file
and then restart the device:
– Run the vcmp role { server | silent | transparent } command to change the device
role to a non-client.
– Run the startup saved-configuration configuration-file command to configure a
new configuration file. Ensure that the name of the new configuration file is
different from that of the current configuration file.
– Run the reset saved-configuration command to clear the saved configuration file.
This command will clear all the configuration.
NOTE
When the value of Server ID in the display vcmp status command output is not empty, the device
used as a VCMP client has been connected to a VCMP server.
Context
VCMP implements centralized VLAN management and manages network devices based on
VCMP domains (for details, see VCMP Domain). VCMP defines four roles: server, client,
transparent, and silent (for details, see VCMP Roles). Switches added to a VCMP domain as
clients are managed by the VCMP server in the same VCMP domain. After a VLAN is
created or deleted on the VCMP server, VCMP clients automatically synchronize VLAN
information with the server. VCMP reduces the workload on modifying the same VLAN
information on multiple switches and ensures VLAN information consistency.
You are advised to configure VCMP on an enterprise network as follows:
l Configure an aggregation or core switch as the VCMP server. Only one VCMP server
exists in a VCMP domain.
l Configure access switches as VCMP clients.
l Configure switches that do not need to be managed by the VCMP server and are located
between the VCMP server and clients as VCMP transparent switches.
l Configure edge devices connected to other networks as VCMP silent switches to prevent
the connected networks from being affected.
A VCMP client identifies the VCMP server by device ID. The VCMP client obtains the
device ID of the VCMP server from the first received VCMP packet, and synchronizes VLAN
information with only the VCMP server specified by the device ID. The device ID of the
VCMP server learned by a VCMP client remains unchanged unless the role of the VCMP
client changes. The VCMP server can receive and transmit VCMP packets and achieve
centralized management only when being configured with the device ID.
When an unauthorized switch is added to a VCMP domain, VCMP clients in this VCMP
domain may synchronize VLAN information of the unauthorized switch, affecting network
stability. To prevent unauthorized switches from joining a VCMP domain, configure an
authentication password on the VCMP server and clients in the VCMP domain.
Pre-configuration Tasks
Before configuring VCMP, complete the following tasks:
l Connect interfaces and set physical parameters of the interfaces to ensure that the
physical status of the interfaces is Up (for details about the configuration, see Ethernet
Interface Configuration in the S7700&S9700 Series Switches Configuration Guide -
Interface Management).
l Configure the link type of interfaces as trunk and hybrid so that the interfaces can
forward VCMP packets.
NOTE
l VCMP is often used with LNP to dynamically negotiate the link type, which simplifies use
configurations. For detailed LNP configuration, see steps 1 to 6 in 4.7.1.2 Configuring
Interface-based VLAN Assignment (LNP Dynamically Negotiates the Link Type).
l You can run the display lnp summary command to check whether LNP is configured on the
switch and check the link type of the interface. If LNP is not configured on the switch or the
link type of the interface is not trunk or hybrid, run the port link-type { hybrid | trunk }
command to configure the link type of the interface.
Procedure
Step 1 Run:
system-view
NOTE
Step 3 Perform the following operations based on the VCMP role of the switch.
l Perform the following operations on the VCMP server:
a. Run:
vcmp domain domain-name
Step 5 Run:
undo vcmp disable
NOTE
If an edge switch in a VCMP domain needs to be managed, configure the edge switch as a VCMP client.
To prevent VCMP packets in the local VCMP domain from being transmitted to other VCMP domains,
run the vcmp disable command to disable VCMP on the edge switch interface connected to other
VCMP domains.
To protect the switch against attacks of bogus VCMP servers, enable the VCMP trap function.
When receiving VCMP packets from bogus VCMP servers, the switch sends traps about the
multi-server event to the NMS.
----End
l Run the display vcmp status command to check the VCMP configuration, including the
VCMP domain name, VCMP role, device ID, configuration revision number, and VCMP
domain authentication password.
l Run the display vcmp interface brief command to check the VCMP status on Layer 2
Ethernet interfaces.
Context
If faults occur during VCMP running, you can view VCMP packet statistics or VLAN change
trace on the VCMP client to locate faults.
Procedure
l Run the display vcmp counters command in any view to view statistics on VCMP
packets.
l Run the display vcmp track command in any view to view the VLAN change trace on
the VCMP client.
----End
Context
The VCMP domain ID and device ID learned by a VCMP client remain unchanged. The
VCMP client needs to learn VCMP information again when the VCMP server in the local
VCMP domain is changed. Therefore, clear learned VCMP information before the VCMP
client learns VCMP information.
Before viewing the VLAN change trace on the VCMP client in a given period of time, clear
the existing VLAN change trace.
NOTICE
VCMP running information cannot be restored after being cleared. Therefore, exercise
caution when you run these clearing commands.
Procedure
l Run the reset vcmp command in the user view to clear learned VCMP information.
l Run the reset vcmp track command in the user view to clear the existing VLAN change
trace.
----End
Networking Requirements
As shown in Figure 13-5, the enterprise branch network is a Layer 2 network. The AGG is
the aggregation switch, ACC1 to ACC3 are access switches, and ACC1 is connected to
visitors. As the enterprise branch scale increases, the network administrator needs to
configure and maintain too much VLAN information. The workload is heavy and
configuration errors can easily occur. The administrator requires that the VLAN configuration
and maintenance workload be reduced and rights of visitors connected to the branch network
be limited. VLANs on ACC1 are required to be configured and maintained independently.
Internet
Router
GE1/0/1 GE1/0/3
Server
GE1/0/2 AGG
Configuration Roadmap
VCMP can be deployed on the enterprise branch network by configuring the AGG as the
VCMP server, ACC2 and ACC3 as VCMP clients, and ACC1 as a VCMP silent switch. In
this way, the network administrator only needs to modify VLAN information on the AGG.
The AGG sends the modified VLAN information to ACC1, ACC2, and ACC3 on the
enterprise branch network. ACC2 and ACC3 synchronize VLAN information with the AGG,
whereas ACC1 does not. VCMP reduces the workload on modifying the same VLAN
information on multiple switches and allows the independent VLAN configuration on ACC1.
To relieve the network administrator from setting the link type, configure LNP to
automatically negotiate the link type.
1. Configure LNP to automatically negotiate the link type, which simplifies use
configurations.
2. Specify VCMP roles for switches to determine the VCMP management scope,
administrative switch, and managed switches.
3. Set VCMP parameters such as the authentication password and device ID on the VCMP
server and clients to ensure secure communication and identity identification between
the VCMP server and clients.
4. Enable VCMP.
Procedure
Step 1 Configure LNP to automatically negotiate the link type.
By default, LNP is enabled globally and on all interfaces. That is, the link type of the
interfaces will be automatically negotiated through LNP.
You can run the display lnp summary command to check whether LNP is enabled globally
and on an interface (Global LNP and link-type(C) fields) and check the link type of the
interface (link-type(N)).
l If LNP is not enabled globally or on an interface, perform the following operations:
# Enable global LNP. The configurations of ACC1, ACC2, and ACC3 are similar to the
configuration of the AGG, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname AGG
[AGG] undo lnp disable
# Enable LNP on interfaces. The configurations of ACC1, ACC2, and ACC3 are similar
to the configuration of the AGG, and are not mentioned here.
[AGG] interface GigabitEthernet 1/0/1
[AGG-GigabitEthernet1/0/1] undo port negotiation disable
[AGG-GigabitEthernet1/0/1] port link-type negotiation-desirable
[AGG-GigabitEthernet1/0/1] quit
[AGG] interface GigabitEthernet 1/0/2
[AGG-GigabitEthernet1/0/2] undo port negotiation disable
[AGG-GigabitEthernet1/0/2] port link-type negotiation-desirable
[AGG-GigabitEthernet1/0/2] quit
[AGG] interface GigabitEthernet 1/0/3
[AGG-GigabitEthernet1/0/3] undo port negotiation disable
[AGG-GigabitEthernet1/0/3] port link-type negotiation-desirable
[AGG-GigabitEthernet1/0/3] quit
l If LNP is enabled globally and on an interface but the link type of the interface
connecting switches is Access, run the port link-type { trunk | hybrid } command to
specify the link type of the interface so that VCMP can work properly.
# On the AGG, configure the VCMP domain, device ID, and authentication password.
[AGG] vcmp domain vd1
[AGG] vcmp device-id server
[AGG] vcmp authentication sha2-256 password Hello
On the AGG, run the vlan vlan-id command to create VLAN 10, and run the display vlan
summary command on ACC1, ACC2, and ACC3 respectively to view VLAN information.
The command output shows that ACC2 and ACC3 have synchronized VLAN information
with that on the AGG, whereas ACC1 has not.
[AGG] vlan 10
[AGG-vlan10] quit
[AGG] display vlan summary
Static vlan:
Total 2 static vlan.
1 10
Dynamic vlan:
Total 0 dynamic vlan.
Reserved vlan:
Total 0 reserved vlan.
[ACC1] display vlan summary
Static vlan:
Total 1 static vlan.
1
Dynamic vlan:
Total 0 dynamic vlan.
Reserved vlan:
Total 0 reserved vlan.
[ACC2] display vlan summary
Static vlan:
Total 2 static vlan.
1 10
Dynamic vlan:
Reserved vlan:
Total 0 reserved vlan.
[ACC3] display vlan summary
Static vlan:
Total 2 static vlan.
1 10
Dynamic vlan:
Total 0 dynamic vlan.
Reserved vlan:
Total 0 reserved vlan.
----End
Configuration Files
l AGG configuration file
#
sysname AGG
#
vcmp role server
vcmp domain vd1
vcmp device-id server
vcmp authentication sha2-256 password %^%#6dD+>}ffA7*[j2#]0%
%GfN#;I}#.lQ2Yfb2b1y"0%^%#
#
vlan batch 10
#
return
#
return
14 STP/RSTP Configuration
This chapter describes how to configure the Spanning Tree Protocol (STP) and Rapid
Spanning Tree Protocol (RSTP).
Definition
Redundant links are used on an Ethernet switching network to implement link backup and
enhance network reliability. The use of redundant links, however, may produce loops, causing
broadcast storms and making the MAC address table unstable. As a result, network
communication may encounter quality deterioration or even be interrupted. STP solves this
problem.
Devices running STP exchange STP bridge protocol data units (BPDUs) to discover loops on
the network and block some ports. This ensures a loop-free tree network and that the packet
processing capabilities of switches is not impacted.
The STP network convergence speed is slow, so IEEE introduced RSTP (802.1w) in 2001 to
improve the network convergence speed of STP.
Purpose
After a spanning tree protocol is configured on an Ethernet switching network, the protocol
calculates the network topology to implement the following functions:
l Loop prevention: The spanning tree protocol blocks redundant links to prevent potential
loops on the network.
l Link redundancy: If an active link fails and a redundant link exists, the spanning tree
protocol activates the redundant link to ensure network connectivity.
14.2 Principles
14.2.1 Background
STP prevents loops on a local area network (LAN). Switching devices running STP exchange
information with one another to discover loops on the network and then block certain ports to
eliminate loops. As the scale of LANs continues to grow, STP has become an increasingly
important protocol.
Host A
port1 port1
S1 S2
port2 port2
Host B
Data flow
On the network shown in Figure 14-1, the following situations may occur:
l Broadcast storms cause a breakdown of the network.
If a loop exists on the network, broadcast storms may occur. In Figure 14-1, STP is not
enabled on the switching devices. If Host A sends a broadcast request, both S1 and S2
receive the request on port 1 and forward the request through their port 2. Then, S1 and
S2 receive the request forwarded by each other on port 2 and forward the request through
port 1. As this process repeats, resources on the entire network are eventually exhausted,
and the network breaks down.
l MAC address flapping causes unstable MAC address entries.
Even unicast packets can cause MAC address flapping on switching devices.
HostA sends a unicast packet to HostB. If HostB is temporarily removed from the
network at this time, the MAC address entry for HostB will be deleted on S1 and S2.
When the unicast packet sent by HostA to HostB is received by port 1 on S1, no
matching MAC address entry is found, so the unicast packet is forwarded to port 2.
Port 2 on S2 receives the unicast packet from port 2 on S1 and sends it out through port
1. Port 1 on S2 also receives the unicast packet sent by HostA to HostB, and sends it out
through port 2. These transmissions repeat and port 1 and port 2 on S1 and S2
continuously receive unicast packets from HostA. S1 and S2 modify their MAC address
entries each time, causing the MAC address table to flap. As a result, MAC address
entries are unstable.
Root Bridge
As defined in STP, the device that functions as the root of a tree network is called the root
bridge.
There is only one root bridge on the entire STP network. The root bridge is the logical center,
but not necessarily the physical center, of the network. The root bridge changes dynamically
with the network topology.
After network convergence is completed, the root bridge generates and sends configuration
BPDUs to other devices at specific intervals. Other devices process and forward the
configuration BPDUs to communicate the topology changes to downstream devices.
The port priority affects the role of a port in a spanning tree instance. For details, see 14.2.4 STP
Topology Calculation.
l Path cost
The path cost is a port variable used for link selection. STP calculates path costs to select
effective links, block redundant links, and trim the network into a loop-free tree
topology.
On an STP network, a port's path cost to the root bridge is the sum of the path costs of all
ports between the port and the root bridge. This path cost is called the root path cost.
A B
PC=100;RPC=100 PC=99;RPC=199
B A
S3 PC=200;RPC=100 PC=200;RPC=300 S4
l Root bridge
The root bridge is the bridge with the smallest BID as determined by exchanging
configuration BPDUs.
l Root port
The root port on an STP device is the port with the smallest path cost to the root bridge
and is responsible for forwarding data to the root bridge. An STP device has only one
root port, and there is no root port on the root bridge.
l Designated port
Table 14-1 explains the designated bridge and designated port.
In Figure 14-3, AP1 and AP2 are ports of S1; BP1 and BP2 are ports of S2; CP1 and
CP2 are ports of S3.
S1
AP1 AP2
BP1 CP1
S2 S3
BP2 CP2
LAN
After the root bridge, root ports, and designated ports are selected successfully, a tree
topology is set up on the entire network. When the topology is stable, only the root port and
designated ports forward traffic. The other ports are in Blocking state; they only receive STP
BPDUs and do not forward user traffic.
Comparison Principles
During role election, STP devices compare the four fields of a BPDU priority vector {root ID,
root path cost, sender BID, PID}.
Field Description
Root path cost Path cost to the root bridge. It is determined by the
distance between the port sending the configuration
BPDU and the root bridge.
Sender BID BID of the device that sends the configuration BPDU.
After a device on the STP network receives a configuration BPDU, it compares the fields
listed in Table 14-2 with its own values. The four comparison principles are as follows:
l Smallest BID: used to select the root bridge. Devices on an STP network select the
device with the smallest BID based on the root ID field in Table 14-2.
l Smallest root path cost: used to select the root port on a non-root bridge. On the root
bridge, the path cost of each port is 0.
l Smallest sender BID: used to select the root port from ports with the same root path cost.
The port with the smallest BID is selected as the root port in STP calculation. For
example, S2 has a smaller BID than S3 in Figure 14-2. If the BPDUs received on port A
and port B of S4 contain the same root path cost, port B becomes the root port on S4
because the BPDU received on port B has a smaller sender BID.
l Smallest PID: used to determine which port should be blocked when multiple ports have
the same root path cost. The port with the greatest PID is blocked. A scenario where
PIDs are compared is shown in Figure 14-4. The BPDUs received on ports A and B of
S1 both contain the same root path cost and sender BID, but Port A has a smaller PID
than port B. Therefore, port B is blocked to prevent loops.
S1 S2
A B
designated port
blocked port
Port States
Table 14-3 describes the possible states of ports on an STP device.
Forwardi A port in Forwarding state can Only the root port and designated port
ng forward user traffic and process can enter the Forwarding state.
BPDUs.
Learning When a port is in Learning state, the This is a transitional state, which is
device creates MAC address entries designed to prevent temporary loops.
based on user traffic received on the
port but does not forward user traffic
through the port.
Listening All ports are in Listening state before This is a transitional state.
the root bridge, root port, and
designated port are selected.
Blocking A port in Blocking state receives and This is the final state of a blocked
forwards only BPDUs, and does not port.
forward user traffic.
Disabled or
Down
①
⑤
Blocking
②
④ ⑤
Listening
③
④ ⑤
Learning
③
④ ⑤
Forwarding
NOTE
By default, a Huawei network device uses MSTP mode. After a device transitions from MSTP mode to
STP mode, its STP ports support only those states defined in MSTP, which are Forwarding, Learning,
and Discarding. Table 14-4 describes the three port states.
Forwardi A port in Forwarding state can forward user traffic and process BPDUs.
ng
Learning This is a transitional state. When a port is in Learning state, it can send and
receive BPDUs, but does not forward user traffic. The device creates MAC
address entries based on user traffic received on the port but does not forward
user traffic through the port.
The following parameters affect the STP port states and convergence.
l Hello Time
The Hello Time specifies the interval at which an STP device sends configuration BPDU
packets to detect link failures.
When the Hello Time is changed, the new value takes effect only after a new root bridge
is elected. The new root bridge includes the new Hello Time value in BPDUs it sends to
non-root bridges. If the network topology changes, TCN BPDUs are immediately
transmitted regardless of the Hello Time.
l Forward Delay
The Forward Delay timer specifies the length of delay before a port state transition.
When a link fails, STP calculation is triggered and the spanning tree structure changes.
However, new configuration BPDUs cannot be immediately spread over the entire
network. If the new root port and designated port forward data immediately, transient
loops may occur. Therefore, STP defines a port state transition delay mechanism. The
newly selected root port and designated port must wait for two Forward Delay intervals
before transitioning to the Forwarding state. During this period, the new configuration
BPDUs can be transmitted over the network, preventing transient loops.
The default Forward Delay timer value is 15 seconds. This means that the port stays in
Listening state for 15 seconds and then stays in Learning state for another 15 seconds
before transitioning to the Forwarding state. The port is blocked when it is in Listening
or Learning state, effectively preventing transient loops.
l Max Age
The Max Age specifies the aging time of BPDUs. This parameter is configurable on the
root bridge.
The Max Age is spread to the entire network with configuration BPDUs. After a non-
root bridge receives a configuration BPDU, it compares the Message Age value with the
Max Age value in the received configuration BPDU.
– If the Message Age value is smaller than or equal to the Max Age value, the non-
root bridge forwards the configuration BPDU.
– If the Message Age value is greater than the Max Age value, the non-root bridge
discards the configuration BPDU. When this happens, the network size is
considered too large and the non-root bridge disconnects from the root bridge.
If the configuration BPDU is sent from the root bridge, the Message Age value is 0.
Otherwise, the Message Age value is the total time spent to transmit the BPDU from the
root bridge to the local bridge, including the transmission delay. The Message Age value
of a configuration BPDU increases by 1 each time the configuration BPDU passes
through a bridge.
Table 14-5 provides the timer values defined in IEEE 802.1D.
Configuration BPDU
Configuration BPDUs are the most common type of BPDU and are sent to exchange topology
information among STP devices.
Each bridge actively sends configuration BPDUs during initialization. After the network
topology becomes stable, only the root bridge actively sends configuration BPDUs. Other
bridges send configuration BPDUs only after receiving configuration BPDUs from upstream
devices.
A configuration BPDU is at least 35 bytes long and includes parameters such as the BID, root
path cost, and PID. A bridge processes a received configuration BPDU only if either the
sender BID or PID is different from that on the local bridge receive port. If both fields are the
same as those on the receive port, the bridge discards the configuration BPDU. Therefore, the
bridge does not need to process BPDUs with the same information as the local port.
A configuration BPDU is sent in one of the following scenarios:
l After STP is enabled on ports of a device, the designated port on the device sends
configuration BPDUs at Hello timer intervals.
l When the root port on a device receives a configuration BPDU, the device sends a copy
of the configuration BPDU to each of its designated ports.
l When a designated port receives an inferior configuration BPDU, the designated port
immediately sends its own configuration BPDU to the downstream device.
Table 14-6 describes fields in a BPDU.
BPDU Type 1 Indicates the type of a BPDU. The value is one of the
following:
l 0x00: configuration BPDU
l 0x80: TCN BPDU
Root Path Cost 4 Indicates the accumulated path cost from a port to the root
bridge.
Bridge Identifier 8 Indicates the BID of the bridge that sends the BPDU.
Port Identifier 2 Indicates the ID of the port that sends the BPDU.
Message Age 2 Records the time that has elapsed since the original BPDU
was generated on the root bridge.
If the configuration BPDU is sent from the root bridge, the
Message Age value is 0. Otherwise, the Message Age value
is the total time spent to transmit the BPDU from the root
bridge to the local bridge, including the transmission delay.
The Message Age value of a configuration BPDU increases
by 1 each time the configuration BPDU passes through a
bridge.
Forward Delay 2 Indicates the period during which a port stays in Listening
and Learning states.
Figure 14-7 shows the Flags field. Only the leftmost and rightmost bits are used in STP.
Reserved
Bit7 Bit0
TCN BPDU
A TCN BPDU contains only three fields: Protocol Identifier, Version, and Type, as shown in
Table 14-6. The Type field is four bytes long and is fixed at 0x80.
When the network topology changes, TCN BPDUs are transmitted upstream until they reach
the root bridge. A TCN BPDU is sent in either of the following scenarios:
l A port transitions to the Forwarding state.
l A designated port receives a TCN BPDU and sends a copy to the root bridge.
BPDU Exchange
Figure 14-8 shows the initial information exchange process. The four parameters in a pair of
brackets represent the root ID (S1_MAC and S2_MAC are the BIDs of the two devices), root
path cost, sender BID, and PID carried in configuration BPDUs. Configuration BPDUs are
sent at Hello timer intervals.
{S1_MAC,0,S1_MAC,A_PID}
A B
S1 {S2_MAC,0,S2_MAC,B_PID} S2
1 A non-bridge device selects the port that receives the optimal configuration
BPDU as the root port. Table 14-8 describes the process of selecting the optimal
configuration BPDU.
2 The device generates a configuration BPDU for each port and modifies the
following fields based on the configuration BPDU on the root port and path cost
of the root port:
l Replaces the root ID with the root ID in the configuration BPDU on the root
port.
l Replaces the root path cost with the sum of the root path cost in the
configuration BPDU on the root port and the path cost of the root port.
l Replaces the sender BID with the local BID.
l Replaces the PID with the local port ID.
Ste Process
p
3 The device compares the calculated configuration BPDU with the configuration
BPDU received on the port:
l If the calculated configuration BPDU is superior, the port is selected as the
designated port and periodically sends the calculated configuration BPDU.
l If the port's own configuration BPDU is superior, the configuration BPDU
on the port is not updated and the port is blocked. After that, the port only
receives BPDUs, and does not forward data or send BPDUs.
1 Each port compares the received configuration BPDU with its own
configuration BPDU:
l If the received configuration BPDU is inferior, the port discards the received
configuration BPDU and retains its own configuration BPDU.
l If the received configuration BPDU is superior, the port replaces its own
configuration BPDU with the received one.
2 The device compares configuration BPDUs on all the ports and selects the
optimal one.
DeviceA
Priority=0 DeviceA
Root
Bridge
Port A1 Port A2
STP Topology
Calculation
Pa
t=5
th
os
co
c
st=
th
Pa
10
Port B1 Port C1
Path cost=4
Port B2 Port C2
DeviceB DeviceC DeviceC
DeviceB
Priority=1 Priority=2
root port
designated port
blocked port
In Figure 14-9, DeviceA, DeviceB, and DeviceC are deployed on the network, with priorities
0, 1, and 2, respectively. The path costs between DeviceA and DeviceB, DeviceA and
DeviceC, and DeviceB and DeviceC are 5, 10, and 4, respectively.
Devi l Port A1 receives the configuration BPDU {1, l Port A1: {0, 0, 0, Port
ceA 0, 1, Port B1} from Port B1 and finds it A1}
inferior to its own configuration BPDU {0, 0, l Port A2: {0, 0, 0, Port
0, Port A1}, so Port A1 discards the received A2}
configuration BPDU.
l Port A2 receives the configuration BPDU {2,
0, 2, Port C1} from Port C1 and finds it
inferior to its own configuration BPDU {0, 0,
0, Port A2} superior, so Port A2 discards the
received configuration BPDU.
l DeviceA finds that the root bridge and
designated bridge specified in the
configuration BPDUs on its ports are on
itself. Therefore, DeviceA considers itself as
the root bridge and periodically sends
configuration BPDUs from each port without
modifying the BPDUs.
Devi l Port B1 receives the configuration BPDU {0, l Port B1: {0, 0, 0, Port
ceB 0, 0, Port A1} from Port A1 and finds it A1}
superior to its own configuration BPDU {0, l Port B2: {1, 0, 1, Port
0, 0, Port B1}, so Port B1 updates its B2}
configuration BPDU.
l Port B2 receives the configuration BPDU {2,
0, 2, Port C2} from Port C2 and finds it
inferior to its own configuration BPDU {1, 0,
1, Port B2}, so Port B2 discards the received
configuration BPDU.
Devi l Port C1 receives the configuration BPDU {0, l Port C1: {0, 0, 0, Port
ceC 0, 0, Port A2} from Port A2 and finds it A2}
superior to its own configuration BPDU {0, l Port C2: {1, 0, 1, Port
0, 0, Port C1}, so Port C1 updates its B2}
configuration BPDU.
l Port C2 receives the configuration BPDU {1,
0, 1, Port B2} from Port B2 and finds it
superior to its own configuration BPDU {1,
0, 1, Port C2}, so Port C2 updates its
configuration BPDU.
l Port C2 receives the configuration BPDU {0, l Port C1: {0, 0, 0, Port
5, 1, Port B2} from Port B2 and finds it A2}
superior to its own configuration BPDU {0, l Port C2: {0, 5, 1, Port
10, 2, Port C2}, so Port C2 updates its B2}
configuration BPDU.
l Port C1 receives the configuration BPDU {0,
0, 0, Port A2} from Port A2 and finds it the
same as its own configuration BPDU, so Port
C1 discards the received configuration
BPDU.
l The root path cost of Port C1 is 10 (root path l Blocked port (Port C1):
cost 0 in the received configuration BPDU {0, 0, 0, Port A2}
plus the link patch cost 10), and the root path l Root port (Port C2):
cost of Port C2 is 9 (root path cost 5 in the {0, 5, 1, Port B2}
received configuration BPDU plus the link
patch cost 4). DeviceC finds that Port C2 has
a smaller root path cost and therefore
considers the configuration BPDU of Port C2
superior to that of Port C1. DeviceC then
selects Port C2 as the root port and retains its
configuration BPDU.
l DeviceC calculates the configuration BPDU
{0, 9, 2, Port C1} for Port C1 based on the
configuration BPDU and path cost of the root
port, and finds the calculated configuration
BPDU inferior to the original configuration
BPDU {0, 0, 0, Port A2} on Port C2.
DeviceC blocks Port C1 and does not update
its configuration BPDU. Port C1 no longer
forwards data until STP recalculation is
triggered, for example, when the link between
DeviceB and DeviceC is down.
After the topology becomes stable, the root bridge still sends configuration BPDUs at Hello
timer intervals. Each non-root bridge forwards the received configuration BPDUs through its
designated port. When a non-root bridge receives a superior configuration BPDU on a port,
the non-root bridge replaces the configuration BPDU on the port with the received
configuration BPDU.
1. When the status of the interface at point T changes, a downstream device continuously
sends TCN BPDUs to the upstream device.
2. The upstream device processes only the TCN BPDUs received on the designated port
and discards TCN BPDUs received on other ports.
3. The upstream device sets the TCA bit of the Flags field in the configuration BPDUs to 1
and returns the configuration BPDUs to instruct the downstream device to stop sending
TCN BPDUs.
4. The upstream device sends a copy of the TCN BPDUs toward the root bridge.
5. Steps 1, 2, 3 and 4 are repeated until the root bridge receives the TCN BPDUs.
6. The root bridge sets the TC bit of the Flags field in the configuration BPDUs to 1 to
instruct the downstream devices to delete MAC address entries.
NOTE
l TCN BPDUs are used to inform the upstream device and root bridge of topology changes.
l Configuration BPDUs with the TCA bit set to 1 are used by the upstream device to inform the
downstream device that the topology changes are known and instruct the downstream device to stop
sending TCN BPDUs.
l Configuration BPDUs with the TC bit set to 1 are used by the upstream device to inform the
downstream device of topology changes and instruct the downstream device to delete MAC address
entries. This increases network convergence speed.
Disadvantages of STP
STP ensures a loop-free network but has a slow network topology convergence speed, leading
to service quality deterioration. If the network topology changes frequently, the STP network
will frequently lose connection and suffer service interruptions, significantly impacting user
experience.
l STP does not distinguish port states and port roles clearly.
– Ports in Listening, Learning, and Blocking states are the same to users because they
are all prevented from forwarding service traffic.
– From the perspective of port use and configuration, the essential differences
between ports lie in the port roles rather than port states.
Both root and designated ports can be in Listening or Forwarding state, so the ports
cannot be distinguished solely by their states.
l STP determines topology changes after the timer expires, which slows down network
convergence.
l STP requires that the root bridge send configuration BPDUs after the network topology
becomes stable and other devices process and spread the configuration BPDUs to the
entire network. This also slows down topology convergence.
S1
root bridge
B A
S2 S3
A A a
S1
root bridge
B A
S2 S3
A a
B A
b
root port
designated port
Alternate port
Backup port
l RSTP defines additional port roles to simplify the learning and deployment of the
protocol.
Figure 14-11 shows the four port roles defined in RSTP: root port, designated port,
alternate port, and backup port.
The functions of the root port and designated port are the same as those defined in STP.
The alternate port and backup port are defined as follows:
– From the perspective of configuration BPDU transmission:
n An alternate port is blocked after learning a configuration BPDU sent from
another bridge.
n A backup port is blocked after learning a configuration BPDU sent from itself.
– From the perspective of user traffic:
n An alternate port acts as a backup of the root port and provides an alternate
path from the designated bridge to the root bridge.
n A backup port acts as a backup of the designated port and provides a backup
path from the root bridge to the related network segment.
After roles of all RSTP ports are determined, the topology convergence is
completed.
l RSTP redefines port states.
RSTP reduces the number of port states to 3. Depending on whether a port can forward
user traffic and learn MAC addresses, the port will be in one of the following states:
– If the port does not forward user traffic or learn MAC addresses, it is in the
Discarding state.
– If the port does not forward user traffic but learns MAC addresses, it is in the
Learning state.
– If the port forwards user traffic and learns MAC addresses, it is in the Forwarding
state.
Table 14-11 compares the port states defined in STP and RSTP. Port states are not
necessarily related to port roles. Table 14-11 lists possible states for different port roles.
Table 14-11 Comparison between port states defined in STP and RSTP
STP Port State RSTP Port State Port Role
Disabled Discarding -
l RSTP changes the configuration BPDU format and uses the Flags field to describe port
roles.
RSTP retains the basic configuration BPDU format defined in STP with minor changes:
– The value of the Type field is changed from 0 to 2. Devices running STP will
discard configuration BPDUs sent from devices running RSTP.
– The Flags field uses the six bits reserved in STP. This configuration BPDU is called
an RST BPDU. Figure 14-12 shows the Flags field in an RST BPDU.
If a root port fails, the best alternate port becomes the root port and enters the
Forwarding state. This is because the network segment connected to this alternate
port has a designated port connected to the root bridge.
When the port role changes, the network topology changes accordingly. For details,
see 14.2.6 RSTP Technology Details.
– Edge ports
In RSTP, a designated port on the network edge is called an edge port. An edge port
directly connects to a terminal and does not connect to any other switching devices.
An edge port does not participate in RSTP calculation. This port can transition from
Disabled state to Forwarding state immediately. An edge port becomes a common
STP port once it is connected to a switching device and receives a configuration
BPDU. The spanning tree needs to be recalculated, which leads to network
flapping.
l Protection functions
RSTP provides the following functions:
– BPDU protection
On a switching device, ports directly connected to a user terminal such as a PC or
file server are edge ports. Usually, no RST BPDUs are sent to edge ports. If a
switching device receives malicious RST BPDUs on an edge port, the switching
device automatically sets the edge port to a non-edge port and performs STP
calculation. This causes network flapping.
BPDU protection enables a switching device to set the state of an edge port to error-
down if the edge port receives an RST BPDU. In this case, the port remains the
edge port, and the switching device sends a notification to the NMS.
– Root protection
The root bridge on a network may receive superior RST BPDUs due to incorrect
configurations or malicious attacks. When this occurs, the root bridge can no longer
serve as the root bridge and the network topology will incorrectly change. As a
result, traffic may be switched from high-speed links to low-speed links, leading to
network congestion.
If root protection is enabled on a designated port, the port role cannot be changed.
When the designated port receives a superior RST BPDU, the port enters the
Discarding state and does not forward packets. If the port does not receive any
superior RST BPDUs within a specified period (two Forward Delay periods by
default), the port automatically enters the Forwarding state.
NOTE
period, the alternate port CP2 becomes the root port and CP1 becomes the
designated port. As a result, a loop occurs.
If the root port or alternate port does not receive BPDUs from the upstream device
for a specified period, a switch enabled with loop protection sends a notification to
the NMS. The root port enters the Discarding state and becomes the designated
port, whereas the alternate port remains blocked and becomes the designated port.
In this case, loops will not occur. After the link is no longer congested or
unidirectional link failures are rectified, the port receives BPDUs for negotiation
and restores its original role and status.
NOTE
Loop protection takes effect only on the root port and alternate ports.
– TC BPDU attack defense
A switching device deletes its MAC address entries and ARP entries after receiving
TC BPDUs. If an attacker sends a large number of malicious TC BPDUs to the
switching device within a short period, the device will constantly delete MAC
address entries and ARP entries. This increases the load on the switching device
and threatens network stability.
After enabling TC BPDU attack defense on a switching device, you can set the
number of TC BPDUs that the device can process within a specified period. If the
number of TC BPDUs that the switching device receives within a given time period
exceeds the specified threshold, the switching device processes only the specified
number of TC BPDUs. After the time period expires, the switching devices process
all the excess TC BPDUs together. This function prevents the switching device
from frequently deleting MAC entries and ARP entries.
p0 1 Proposal
3 Agreement
p1
S2
p2 E p4
p3
STP can select designated ports quickly; however, to prevent loops, all ports must wait at least
one Forward Delay interval before initiating data forwarding. RSTP blocks non-root ports to
prevent loops and uses the proposal/agreement mechanism to shorten the time that an
upstream port waits before transitioning to the Forwarding state.
NOTE
The proposal/agreement mechanism applies only to P2P full-duplex links between two switching
devices. When proposal/agreement fails, a designated port is elected after two Forward Delay intervals,
same as designated port election in STP mode.
After STP-capable devices are removed, Huawei RSTP-capable devices can be switched back
to the RSTP mode.
14.3 Applications
STP Application
Loops often occur on a complex network, because multiple physical links are often deployed
between two devices to implement link redundancy. Loops may cause broadcast storms and
unstable MAC address entries on network devices.
Network
STP
CE1 CE2
PC1 PC2
Blocked port
In Figure 14-15, STP is deployed on the devices. The devices exchange information to
discover loops on the network and block ports. This ensures a loop-free tree network and that
the packet processing capabilities of switches is not impacted.
Setting STP parameters that STP cannot implement rapid 14.7.2 Setting STP
affect STP convergence convergence. However, you Parameters that Affect
can set STP parameters, STP Convergence
including the network
diameter, timeout interval,
Hello timer interval, Max
Age timer value, and
Forward Delay timer value
to speed up convergence.
Setting RSTP parameters RSTP supports link type and 14.7.3 Setting RSTP
that affect RSTP fast transition configuration Parameters that Affect
convergence on ports to implement rapid RSTP Convergence
convergence.
License Support
STP or RSTP is a basic feature of a switch and is not under license control.
Version Support
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
On a switch enabled with a spanning tree protocol, when a terminal connects to the switch,
spanning tree calculation is performed again. As a result, it takes a long period of time for the
terminal to obtain an IP address. In this case, disable the spanning tree protocol on the switch
port connected to the terminal or configure this switch port as the edge port.
Context
A switching device supports three working modes: STP, RSTP, and MSTP. The default
working mode is MSTP. Use the STP mode on a ring network running only STP, and use the
RSTP mode on a ring network running only RSTP.
Procedure
Step 1 Run:
system-view
----End
14.7.1.2 (Optional) Configuring the Root Bridge and Secondary Root Bridge
Context
The root bridge of a spanning tree is automatically calculated. You can also manually specify
a root bridge or secondary root bridge.
l A spanning tree can have only one root bridge. When two or more devices are specified
as root bridges for a spanning tree, the device with the smallest MAC address is elected
as the root bridge.
l You can specify multiple secondary root bridges for each spanning tree. When the root
bridge fails or is powered off, a secondary root bridge becomes the new root bridge
unless a new root bridge is specified. If there are multiple secondary root bridges, the
one with smallest MAC address becomes the root bridge of the spanning tree.
NOTE
It is recommended that you specify the root bridge and secondary root bridge when configuring STP/
RSTP.
Procedure
l Perform the following operations on the device you want to use as the root bridge.
a. Run:
system-view
Context
An STP/RSTP network can have only one root bridge, which is the logical center of the
spanning tree. The root bridge should be a high-performance switching device deployed at an
upper network layer; however, such a device may not have the highest priority on the
network. Therefore, you need to set a high priority for such a device to ensure that it can be
selected as the root bridge.
Low-performance devices at lower network layers are not suitable for root bridges, so you
need to set low priorities for these devices.
A smaller priority value indicates a higher priority of the switching device. The switching
device with a higher priority is more likely to be elected as the root bridge.
Procedure
Step 1 Run:
system-view
----End
Context
Path cost is the reference value used for link selection on an STP/RSTP network.
The path cost value range is determined by the calculation method. After the calculation
method is determined, it is recommended that you set smaller path cost values for the ports
with higher link rates.
In the Huawei calculation method, the link rate determines the recommended value for the
path cost. Table 14-14 lists the recommended path costs for ports with different link rates.
Table 14-14 Mappings between link rates and path cost values
Link Rate Recommended Recommended Allowable Path
Path Cost Path Cost Range Cost Range
10 Gbit/s 2 2 to 20 1 to 200000
If a network has loops, it is recommended that you set a large path cost for ports with low link
rates so that STP/RSTP blocks these ports.
Procedure
Step 1 Run:
system-view
By default, the IEEE 802.1t standard (dot1t) is used to calculate the path costs.
All switching devices on a network must use the same path cost calculation method.
Step 3 Run:
interface interface-type interface-number
Step 4 Run:
stp cost cost
l When the Huawei calculation method is used, cost ranges from 1 to 200000.
l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.
----End
Context
In spanning tree calculation, priorities of the ports in a ring affect designated port election.
To block a port on a switching device, set a greater priority value than the default priority
value for the port.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
stp port priority priority
----End
Context
NOTICE
Spanning tree calculations begin immediately after STP/RSTP is enabled on a ring network.
Configurations on a switching device, such as the device priority and port priority, affect
spanning tree calculation. Any change to those configurations may cause network flapping.
To ensure rapid, stable spanning tree calculation, perform basic configurations on the
switching device and its ports before enabling STP/RSTP.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp enable
----End
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths for associated VLANs
are changed. Switching devices need to update the ARP entries corresponding to those
VLANs. STP/RSTP convergence mode can be set as fast or normal, which changes how the
switching device processes ARP entries.
Run the stp converge { fast | normal } command in the system view to configure the STP/
RSTP convergence mode.
The default and recommended mode for STP/RSTP convergence is normal. If the fast mode is
used, ARP entries will be frequently deleted, causing high CPU usage and network flapping.
Procedure
l Run the display stp [ interface interface-type interface-number | slot slot-id ] [ brief ]
command to view the spanning tree status and statistics.
----End
Pre-configuration Tasks
Before setting STP parameters that affect STP convergence, configure basic STP functions.
Context
Any two terminals on a switching network are connected through a specific path spanning
multiple devices. The network diameter is the maximum number of devices between any two
terminals. A larger network diameter indicates a larger network scale.
A network diameter that is too large may cause slow network convergence and affect
communication. Run the stp bridge-diameter command to set an appropriate network
diameter based on the network scale to speed up convergence.
It is recommended that all devices be configured with the same network diameter.
Procedure
Step 1 Run:
system-view
NOTE
l RSTP uses a single spanning tree instance on the entire network. As a result, performance
deterioration cannot be prevented when the network scale grows. To help mitigate this, the network
diameter should not be set larger than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the network
diameter. Then, the switching device calculates the optimal Forward Delay timer value, Hello timer
interval, and Max Age timer value based on the configured network diameter.
----End
Context
If a device does not receive any BPDUs from the upstream device within the timeout interval,
the device considers the upstream device to be down and triggers spanning tree recalculation.
Sometimes, a device cannot receive the BPDU from the upstream device within the timeout
interval because the upstream device is busy. In this case, recalculating the spanning tree will
waste network resources. Set a long timeout interval on a stable network to avoid this.
The timeout interval is calculated as follows:
Timeout interval = Hello Time x 3 x Timer Factor
Procedure
Step 1 Run:
system-view
The Timer Factor value is set. This parameter determines the timeout interval during which
the device waits for BPDUs from the upstream device.
By default, the timeout period is 9 times the Hello Time value.
----End
Context
The following timers are used in spanning tree calculation:
l Forward Delay: specifies the delay before a state transition. After the topology of a ring
network changes, it takes some time to spread the new configuration BPDU throughout
the entire network. As a result, the original blocked port may be unblocked before a new
port is blocked. This creates a loop on the network. You can set the Forward Delay timer
to prevent loops. When the topology changes, all ports will be temporarily blocked
during the Forward Delay.
l Hello Time: specifies the interval at which Hello packets are sent. A switching device
sends configuration BPDUs at the specified interval to detect link failures. If the
switching device does not receive any BPDUs within a Hello timer interval, the
switching device triggers spanning tree recalculation.
l Max Age: determines when BPDUs expire. A switching device determines that a
received configuration BPDU times out when the Max Age expires.
Devices on a ring network must use the same values for Forward Delay, Hello Time, and Max
Age.
You are not advised to directly change the preceding three parameters as they are related to
the network scale; therefore, it is recommended that you set the network diameter so that the
spanning tree protocol automatically adjusts these timers. When the default network diameter
is used, the three timers also use their default values.
NOTICE
To prevent frequent network flapping, make sure that the Hello Time, Forward Delay, and
Max Age timer values conform to the following formulas:
l 2 x (Forward Delay - 1 second) >= Max Age
l Max Age >= 2 x (Hello Time + 1 second)
Procedure
Step 1 Run:
system-view
----End
Context
The path costs affect spanning tree calculation. Changes to path costs trigger spanning tree
recalculation. The path cost of an interface is affected by its bandwidth, so changes to the
interface bandwidth also affect spanning tree calculation.
In Figure 14-16, SwitchA and SwitchB are connected through two Eth-Trunk links. Eth-
Trunk 1 has three member interfaces in Up state and Eth-Trunk 2 has two member interfaces
in Up state. Each member link has the same bandwidth, and SwitchA is selected as the root
bridge.
l Eth-Trunk 1 has higher bandwidth than Eth-Trunk 2. After STP calculation, Eth-Trunk 1
on SwitchB is selected as the root port and Eth-Trunk 2 is selected as the alternate port.
l If the maximum number of connections affecting bandwidth of Eth-Trunk 1 is set to 1,
the path cost of Eth-Trunk 1 becomes larger than the path cost of Eth-Trunk 2. Therefore,
the two devices perform spanning tree recalculation. Afterwards, Eth-Trunk 1 on
SwitchB becomes the alternate port and Eth-Trunk 2 becomes the root port.
SwitchA SwitchB
Before Eth-Trunk1
configuration Eth-Trunk2
Root Bridge
SwitchA SwitchB
After Eth-Trunk1
configuration Eth-Trunk2
Root Bridge
Alternate port
Root port
Designated port
The maximum number of connections affects only the path cost of an Eth-Trunk interface
participating in spanning tree calculation, and does not affect the actual bandwidth of the Eth-
Trunk link. The actual bandwidth for an Eth-Trunk link depends on the number of active
member interfaces in the Eth-Trunk.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface eth-trunk trunk-id
Step 3 Run:
max bandwidth-affected-linknumber link-number
----End
Procedure
l Run the display stp [ interface interface-type interface-number | slot slot-id ] [ brief ]
command to view the spanning tree status and statistics.
----End
Pre-configuration Tasks
Before setting RSTP parameters that affect RSTP convergence, configure basic RSTP
functions.
Context
Any two terminals on a switching network are connected through a specific path spanning
multiple devices. The network diameter is the maximum number of devices between any two
terminals. A larger network diameter indicates a larger network scale.
A network diameter that is too large may cause slow network convergence and affect
communication. Run the stp bridge-diameter command to set an appropriate network
diameter based on the network scale to speed up convergence.
It is recommended that all devices be configured with the same network diameter.
Procedure
Step 1 Run:
system-view
NOTE
l RSTP uses a single spanning tree instance on the entire network. As a result, performance
deterioration cannot be prevented when the network scale grows. To help mitigate this, the network
diameter should not be set larger than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the network
diameter. Then, the switching device calculates the optimal Forward Delay timer value, Hello timer
interval, and Max Age timer value based on the configured network diameter.
----End
Context
If a device does not receive any BPDUs from the upstream device within the timeout interval,
the device considers the upstream device to be down and triggers spanning tree recalculation.
Sometimes, a device cannot receive the BPDU from the upstream device within the timeout
interval because the upstream device is busy. In this case, recalculating the spanning tree will
waste network resources. Set a long timeout interval on a stable network to avoid this.
The timeout interval is calculated as follows:
Timeout interval = Hello Time x 3 x Timer Factor
Procedure
Step 1 Run:
system-view
The Timer Factor value is set. This parameter determines the timeout interval during which
the device waits for BPDUs from the upstream device.
By default, the timeout period is 9 times the Hello Time value.
----End
Context
The following timers are used in spanning tree calculation:
l Forward Delay: specifies the delay before a state transition. After the topology of a ring
network changes, it takes some time to spread the new configuration BPDU throughout
the entire network. As a result, the original blocked port may be unblocked before a new
port is blocked. This creates a loop on the network. You can set the Forward Delay timer
to prevent loops. When the topology changes, all ports will be temporarily blocked
during the Forward Delay.
l Hello Time: specifies the interval at which Hello packets are sent. A switching device
sends configuration BPDUs at the specified interval to detect link failures. If the
switching device does not receive any BPDUs within a Hello timer interval, the
switching device triggers spanning tree recalculation.
l Max Age: determines when BPDUs expire. A switching device determines that a
received configuration BPDU times out when the Max Age expires.
Devices on a ring network must use the same values for Forward Delay, Hello Time, and Max
Age.
You are not advised to directly change the preceding three parameters as they are related to
the network scale; therefore, it is recommended that you set the network diameter so that the
spanning tree protocol automatically adjusts these timers. When the default network diameter
is used, the three timers also use their default values.
NOTICE
To prevent frequent network flapping, make sure that the Hello Time, Forward Delay, and
Max Age timer values conform to the following formulas:
l 2 x (Forward Delay - 1 second) >= Max Age
l Max Age >= 2 x (Hello Time + 1 second)
Procedure
Step 1 Run:
system-view
----End
Context
The path costs affect spanning tree calculation. Changes to path costs trigger spanning tree
recalculation. The path cost of an interface is affected by its bandwidth, so changes to the
interface bandwidth also affect spanning tree calculation.
In Figure 14-17, SwitchA and SwitchB are connected through two Eth-Trunk links. Eth-
Trunk 1 has three member interfaces in Up state and Eth-Trunk 2 has two member interfaces
in Up state. Each member link has the same bandwidth, and SwitchA is selected as the root
bridge.
l Eth-Trunk 1 has higher bandwidth than Eth-Trunk 2. After STP calculation, Eth-Trunk 1
on SwitchB is selected as the root port and Eth-Trunk 2 is selected as the alternate port.
l If the maximum number of connections affecting bandwidth of Eth-Trunk 1 is set to 1,
the path cost of Eth-Trunk 1 becomes larger than the path cost of Eth-Trunk 2. Therefore,
the two devices perform spanning tree recalculation. Afterwards, Eth-Trunk 1 on
SwitchB becomes the alternate port and Eth-Trunk 2 becomes the root port.
SwitchA SwitchB
Before Eth-Trunk1
configuration Eth-Trunk2
Root Bridge
SwitchA SwitchB
After Eth-Trunk1
configuration Eth-Trunk2
Root Bridge
Alternate port
Root port
Designated port
The maximum number of connections affects only the path cost of an Eth-Trunk interface
participating in spanning tree calculation, and does not affect the actual bandwidth of the Eth-
Trunk link. The actual bandwidth for an Eth-Trunk link depends on the number of active
member interfaces in the Eth-Trunk.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface eth-trunk trunk-id
Step 3 Run:
max bandwidth-affected-linknumber link-number
----End
Context
P2P links can implement rapid convergence. If the two ports connected by a P2P link are root
or designated ports, they can transition to the Forwarding state quickly by sending Proposal
and Agreement packets. This reduces the forwarding delay.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
stp point-to-point { auto | force-false | force-true }
l If the Ethernet interface works in full-duplex mode, the interface is connected to a P2P
link. In this case, force-true can be specified in the command to implement rapid
network convergence.
l If the Ethernet interface works in half-duplex mode, you can run the stp point-to-point
force-true command to forcibly set the link type to P2P.
----End
Context
If more BPDUs are sent from an interface within a Hello timer interval, more system
resources are consumed. Setting a proper transmission rate (packet-number) on an interface
prevents excess bandwidth usage when network flapping occurs.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
stp transmit-limit packet-number
The maximum transmission rate of BPDUs in a specified period of time is set for the
interface.
By default, an interface sends a maximum of six BPDUs per second. If the same maximum
transmission rate of BPDUs needs to be set for each interface on a device, run the stp
transmit-limit (system view) command.
----End
Context
If an interface on an RSTP-enabled device is connected to an STP-enabled device, the
interface switches to the STP compatible mode.
If the STP-enabled device is powered off or disconnected from the RSTP-enabled device, the
interface cannot automatically switch back to the RSTP mode. Run the stp mcheck command
to switch the interface to the RSTP mode.
You need to manually switch the interface to the RSTP mode in the following situations:
Procedure
l Switching to the RSTP mode in the interface view
a. Run:
system-view
----End
Context
A port that is located at the edge of a network and directly connected to a terminal device is
an edge port.
An edge port does not process configuration BPDUs or participate in RSTP calculation. It can
transition from the Disabled state to the Forwarding state without any delay.
Edge ports can still send BPDUs, but if the BPDUs are sent to another network then network
flapping may occur on that network. To prevent this problem, configure the BPDU filter
function on edge ports so that the edge ports do not process or send BPDUs.
NOTE
If all the ports are configured as both edge ports and BPDU filter ports in the system view, none of ports
on the local device can send BPDUs or negotiate STP states with directly connected ports on peer
devices. Additionally, all ports are in Forwarding state. This may cause loops on the network, leading to
broadcast storms. Exercise caution when deciding to perform this configuration.
After a specified port is configured as both an edge port and a BPDU filter port in the interface view, the
port does not process or send BPDUs and cannot negotiate the STP state with the directly connected port
on the peer device. Exercise caution when deciding to perform this configuration.
Procedure
l Configuring all ports as edge ports and BPDU filter ports
a. Run:
system-view
----End
Procedure
l Run the display stp [ interface interface-type interface-number | slot slot-id ] [ brief ]
command to view the spanning tree status and statistics.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp bpdu-protection
----End
Follow-up Procedure
If you want an edge port to automatically recover from the error-down state, run the error-
down auto-recovery cause bpdu-protection interval interval-value command in the system
view to configure the auto recovery function and set a recovery delay on the port. Then a port
in error-down state can automatically go Up after the recovery delay. Note the following when
setting the recovery delay:
l The auto recovery function is disabled by default and does not have a default value for
the recovery delay. When you enable the auto recovery function, you must set a recovery
delay.
l A smaller interval-value indicates a shorter time before an edge port goes Up, and a
higher frequency of Up/Down state transitions on the port.
l A larger interval-value indicates a longer time before an edge port goes Up, and a longer
service interruption time.
l The auto recovery function takes effect only for the interfaces that transition to the error-
down state after the error-down auto-recovery command is executed.
Context
If an attacker sends a large number of malicious TC BPDUs to a switching device within a
short period, the device will constantly delete MAC address entries and ARP entries. This
wastes resources on the device and threatens network stability.
To suppress TC BPDUs, enable TC protection on a switching device and set the maximum
number of TC BPDUs that the device can process within a given time period. If the number of
TC BPDUs that the switching device receives within a given time period exceeds the
specified threshold, the switching device processes only the specified number of TC BPDUs.
After the specified time period expires, the switching devices process all the excess TC
BPDUs together. This function prevents the switching device from frequently deleting MAC
entries and ARP entries.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp tc-protection interval interval-value
The time period during which the device processes the maximum number of TC BPDUs is
set.
By default, the time period is the same as the Hello timer interval.
Step 3 Run:
stp tc-protection threshold threshold
The maximum number of TC BPDUs the switching device can process within a specified
time period is set.
By default, the device processes only one TC BPDU within a specified time period.
The switch only processes TC BPDUs up to the maximum specified by the stp tc-protection
threshold command within the time period specified by the stp tc-protection interval
command. Other packets are processed after a delay, so spanning tree convergence speed is
slower. For example, if the time period is set to 10 seconds and the maximum of TC BPDUs
is set to 5, the switch processes only the first five TC BPDUs within 10 seconds. Subsequent
TC BPDUs are processed together after a 10 second delay.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
stp root-protection
By default, root protection is disabled on the interface. Root protection takes effect only on
designated ports. Root protection and loop protection cannot be configured on the same
interface.
----End
Context
On an RSTP network, a switching device maintains the states of the root port and blocked
ports based on BPDUs received from an upstream switching device. If the switching device
cannot receive BPDUs from the upstream because of link congestion or unidirectional-link
failure, the switching device selects a new root port. The original root port becomes a
designated port, and the original blocked ports change to the Forwarding state, which may
cause loops on the network. To prevent this problem, configure loop protection.
If the root port or alternate port does not receive BPDUs from the upstream device for a
specified period, a switch enabled with loop protection sends a notification to the NMS. If the
root port is used, the root port enters the Discarding state and becomes the designated port. If
the alternate port is used, the alternate port remains blocked and becomes the designated port.
In this case, loops will not occur. After the link is no longer congested or unidirectional link
failures are rectified, the port receives BPDUs for negotiation and restores its original role and
status.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
stp loop-protection
NOTE
An alternate port is a backup for a root port. If a switching device has an alternate port, configure loop
protection on both the root port and the alternate port.
Root protection and loop protection cannot be configured on the same port.
----End
Procedure
l Run the display stp [ interface interface-type interface-number | slot slot-id ] [ brief ]
command to view the spanning tree status and statistics.
----End
Context
A switching device supports the following Proposal/Agreement modes:
l Enhanced mode: The device determines the root port when it calculates the
synchronization flag bit.
a. An upstream device sends a Proposal message to a downstream device to request a
fast state transition. After receiving the message, the downstream device sets the
port connected to the upstream device as the root port and blocks all non-edge ports.
b. The upstream device sends an Agreement message to the downstream device. After
the downstream device receives the message, the root port transitions to the
Forwarding state.
c. The downstream device responds with an Agreement message. After receiving the
message, the upstream device sets the port connected to the downstream device as
the designated port, and then the designated port transitions to the Forwarding state.
l Common mode: The device ignores the root port when it calculates the synchronization
flag bit.
a. An upstream device sends a Proposal message to a downstream device to request a
fast state transition. After receiving the message, the downstream device sets the
port connected to the upstream device as the root port and blocks all non-edge ports.
Then, the root port transitions to the Forwarding state.
b. The downstream device responds with an Agreement message. After receiving the
message, the upstream device sets the port connected to the downstream device as
the designated port, and then the designated port transitions to the Forwarding state.
Pre-configuration Tasks
Before setting parameters for interoperation between Huawei and non-Huawei devices,
configure basic STP/RSTP functions.
Procedure
Step 1 Run:
system-view
----End
NOTICE
STP/RSTP statistics cannot be restored after being cleared. Exercise caution when deciding to
clear STP/RSTP statistics.
Procedure
l Run the reset stp [ interface interface-type interface-number ] statistics command to
clear spanning-tree statistics.
l Run the reset stp error packet statistics command to clear statistics about error STP
packets.
----End
Context
The statistics about STP/RSTP topology changes can be viewed. If the number of network
topology changes increase, network flapping is occurring on that network.
Procedure
l Run the display stp topology-change command to view statistics about STP/RSTP
topology changes.
l Run the display stp [ interface interface-type interface-number | slot slot-id ] tc-bpdu
statistics command to view statistics about sent and received TC/TCN packets.
l Run the display stp [ interface interface-type interface-number | slot slot-id ] [ brief ]
command to view the spanning tree status and statistics.
----End
Network
GE1/0/3 GE1/0/3
Root
SwitchD GE1/0/1 GE1/0/1
Bridge
STP
GE1/0/3 GE1/0/3
SwitchC SwitchB
GE1/0/1 GE1/0/1
GE1/0/2 GE1/0/2
PC1 PC2
Blocked port
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the STP mode for the switches on the ring network.
2. Configure the primary and secondary root bridges.
3. Set a path cost for the ports to be blocked.
4. Enable STP to eliminate loops. Because ports connected to the PCs do not participate in
STP calculation, configure these ports as both edge ports.
Procedure
Step 1 Configure basic STP functions.
1. Configure the STP mode for the switches on the ring network.
# Configure the STP mode on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp mode stp
# On Switch B, set the path cost calculation method to the Huawei proprietary method.
[SwitchB] stp pathcost-standard legacy
# On SwitchD, set the path cost calculation method to the Huawei proprietary method.
[SwitchD] stp pathcost-standard legacy
NOTE
If edge ports are connected to network devices that have STP enabled and BPDU protection
is enabled, the edge ports will be shut down and their attributes remain unchanged after they
receive BPDUs.
– Enable STP globally.
# Enable STP globally on SwitchA.
After SwitchA is configured as the root bridge, GigabitEthernet 1/0/2 connected to SwitchB
and GigabitEthernet 1/0/1connected to SwitchD are elected as designated ports through
spanning tree calculation.
# Run the display stp interface gigabitethernet 1/0/1 brief command on SwitchB to view
status of GigabitEthernet 1/0/1. The following information is displayed:
[SwitchB] display stp interface gigabitethernet 1/0/1 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING NONE
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
stp mode stp
stp instance 0 root primary
stp pathcost-standard legacy
#
return
#
stp mode stp
stp bpdu-protection
stp pathcost-standard legacy
#
interface GigabitEthernet1/0/2
stp edged-port enable
#
return
Network
GE1/0/3 GE1/0/3
Root
SwitchD GE1/0/1 GE1/0/1
Bridge
RSTP
GE1/0/3 GE1/0/3
SwitchC SwitchB
GE1/0/1 GE1/0/1
GE1/0/2 GE1/0/2
PC1 PC2
Blocked port
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic RSTP functions.
a. Configure the RSTP mode for the switches on the ring network.
b. Configure the primary and secondary root bridges.
c. Set a path cost for the ports to be blocked.
d. Enable RSTP to eliminate loops. Because ports connected to the PCs do not
participate in RSTP calculation, configure these ports as both edge ports.
2. Configure RSTP protection functions. For example, configure root protection on
designated ports of the root bridge.
Procedure
Step 1 Configure basic RSTP functions.
1. Configure the RSTP mode for the switches on the ring network.
# Configure the RSTP mode on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp mode rstp
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] stp mode rstp
# On Switch B, set the path cost calculation method to the Huawei proprietary method.
[SwitchB] stp pathcost-standard legacy
# On SwitchD, set the path cost calculation method to the Huawei proprietary method.
[SwitchD] stp pathcost-standard legacy
NOTE
If edge ports are connected to network devices that have STP enabled and BPDU protection
is enabled, the edge ports will be shut down and their attributes remain unchanged after they
receive BPDUs.
Step 2 Configure RSTP protection functions. For example, configure root protection on designated
ports of the root bridge.
After the preceding configuration is complete and the network becomes stable, perform the
following operations to verify the configuration:
# Run the display stp brief command on SwitchA to view the port roles and states. The
following information is displayed:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 GigabitEthernet1/0/2 DESI FORWARDING ROOT
# Run the display stp interface gigabitethernet 1/0/1 brief command on SwitchB to view
the role and state of GigabitEthernet1/0/1. The following information is displayed:
[SwitchB] display stp interface gigabitethernet 1/0/1 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING NONE
# Run the display stp brief command on SwitchC to view the port roles and states. The
following information is displayed:
[SwitchC] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 ALTE DISCARDING NONE
0 GigabitEthernet1/0/2 DESI FORWARDING BPDU
0 GigabitEthernet1/0/3 ROOT FORWARDING NONE
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
stp mode rstp
stp instance 0 root primary
stp pathcost-standard legacy
#
interface GigabitEthernet1/0/1
stp root-protection
#
interface GigabitEthernet1/0/2
stp root-protection
#
return
14.10 FAQ
14.10.1 How to Prevent Low Convergence for STP Edge Ports that
Connect Terminals?
Terminal devices cannot participate in the STP calculation or respond to STP packets, causing
low convergence. You can prevent low convergence for STP edge switch ports for connecting
user terminals or servers as follows:
l On a port, run the stp edge-port enable command to configure the port as an STP edge
port, and run the stp bpdu-filter default command to enable the BPDU packet filtering
function and prevent the port from sending BPDU packets.
l Run the stp disable command on the port to disable the STP protocol and make the port
remain in forwarding state.
To ensure availability and security, you are advised to configure the port as an STP edge port.
This is because when a loop occurs on a terminal device connected to an edge port, the port
automatically switches to a non-edge port and enables the loop breaking function of STP.
Switches using RSTP and STP can be connected. STP protocols include the STP, RSTP, and
MSTP protocols. These protocols support forward compatibility and connection to a certain
extent. The following table describes the connection effects.
An RSTP device connects to RSTP connects to the STP port, and the mode
an MSTP device. automatically changes to STP to implement convergence
at a slow speed.
An RSTP device connects to The CIST can be connected. That is, instance 0 can be
an MSTP device. connected. The connection ports are inter-AS ports.
An MSTP device connects to MSTP connects to the STP port, and the mode
an STP device. automatically changes to STP to implement convergence
at a slow speed.
NOTE
When a port whose mode switches reconnects to another device, the original mode must be restored by
running the stp mcheck command.
In STP, the default interval for an STP switch to send BPDUs is 2 seconds. Each switch
receives and processes BPDUs for about 1 second each time, and supports a maximum of 20
hops.
In RSTP, packets are aged after three intervals (6 seconds) by default. If a hop takes 1 second
to process a packet, the packet times out after 6 hops. Therefore, the recommended value of
STP network radius is less than 7.
Additionally, there are also other considerations such as bandwidth usage, storm range, and
the maintainability and manageability of the network.
Forwarding state 30 seconds after it changes to the Up state. If an interface alternates between
Up and Down states, the terminal connected to the interface will fail to communicate with the
gateway or the time to obtain an IP address will increase.
To solve this problem, configure interfaces connected to terminals as edge ports or disable
STP on the interfaces.
To ensure availability and security, you are advised to configure the port as an STP edge port.
This is because when a loop occurs on a terminal device connected to an edge port, the port
automatically switches to a non-edge port and enables the loop breaking function of STP.
l If a non-Huawei device runs the standard STP or RSTP protocol, the switch can
interwork with it.
l If a non-Huawei device runs a non-standard STP or RSTP protocol, besides the Cisco
Per VLAN Spanning Tree (PVST) protocol, the switch can transparently transmit the
STP or RSTP packets from the device after the stp disable and bpdu enable commands
are run on the interface.
l If a non-Huawei device is a Cisco device that runs PVST, the Huawei switch running a
version earlier than V200R005 cannot negotiate with the device, but can transparently
transmit the packets from the non-Huawei device. Huawei switches running V200R005
and later versions support the VLAN-based Spanning Tree (VBST) protocol that can
interwork with PVST.
14.11 References
The following table lists the references for STP/RSTP.
15 MSTP Configuration
This chapter how to configure the Multiple Spanning Tree Protocol (MSTP).
Definition
Generally, redundant links are used on an Ethernet switching network to provide link backup
and enhance network reliability. The use of redundant links, however, may produce loops,
causing broadcast storms and rendering the MAC address table unstable. As a result, the
communication quality deteriorates, and the communication service may even be interrupted.
The Spanning Tree Protocol (STP) is introduced to solve this problem.
STP refers to STP defined in IEEE 802.1D, the Rapid Spanning Tree Protocol (RSTP) defined
in IEEE 802.1w, and the Multiple Spanning Tree Protocol (MSTP) defined in IEEE 802.1s.
MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table 15-1
shows the comparison between STP, RSTP, and MSTP.
Purpose
After a spanning tree protocol is configured on an Ethernet switching network, it calculates
the network topology and implements the following functions to remove network loops:
l Loop cut-off: The potential loops on the network are cut off by blocking redundant links.
l Link redundancy: When an active path becomes faulty, a redundant link can be activated
to ensure network connectivity.
S1 S4
VLAN3 VLAN2 VLAN3 VLAN2
HostC HostA
(VLAN3) VLAN3 VLAN2 (VLAN2)
VLAN2 VLAN3
S2 S5
VLAN2 VLAN2
HostB HostD
VLAN3 VLAN3
(VLAN2) (VLAN3)
VLAN3
VLAN2 VLAN3
S3 S6
spanning tree(root bridge:S6)
On the network shown in Figure 15-1, STP or RSTP is enabled. The broken line shows the
spanning tree. S6 is the root switching device. The links between S1 and S4 and between S2
and S5 are blocked. VLAN packets are transmitted by using the corresponding links marked
with "VLAN2" or "VLAN3."
Host A and Host B belong to VLAN 2 but they cannot communicate with each other because
the link between S2 and S5 is blocked and the link between S3 and S6 denies packets from
VLAN 2.
To fix the defect of STP and RSTP, the IEEE released 802.1s in 2002, defining the Multiple
Spanning Tree Protocol (MSTP). MSTP implements fast convergence and provides multiple
paths to load balance VLAN traffic.
MSTP divides a switching network into multiple regions, each of which has multiple
spanning trees that are independent of each other. Each spanning tree is called a Multiple
Spanning Tree Instance (MSTI) and each region is call a Multiple Spanning Tree (MST)
region.
NOTE
S1 S4
VLAN3 VLAN2 VLAN3 VLAN2
HostC HostA
(VLAN3) VLAN3 VLAN2 (VLAN2)
VLAN2
S2 S5
S3 S6
spanning tree(root bridge:S4)
spanning tree(root bridge:S6)
As shown in Figure 15-2, MSTP maps VLANs to MSTIs in the VLAN mapping table. Each
VLAN can be mapped to only one MSTI. This means that traffic of a VLAN can be
transmitted in only one MSTI. An MSTI, however, can correspond to multiple VLANs.
Two spanning trees are calculated:
l MSTI 1 uses S4 as the root switching device to forward packets of VLAN 2.
l MSTI 2 uses S6 as the root switching device to forward packets of VLAN 3.
In this manner, devices within the same VLAN can communicate with each other; packets of
different VLANs are load balanced along different paths.
MSTP Network
MSTI1 MSTI1
MSTI1
MSTI2 MSTI0
MST Region
MST Region
An MST region contains multiple switching devices and network segments between them.
The switching devices of one MST region have the following characteristics:
l MSTP-enabled
l Same region name
l Same VLAN-MSTI mappings
l Same MSTP revision level
A LAN can comprise several MST regions that are directly or indirectly connected. Multiple
switching devices can be grouped into an MST region by using MSTP configuration
commands.
As shown in Figure 15-4, the MST region D0 contains the switching devices S1, S2, S3, and
S4, and has three MSTIs.
AP1
D0 S1
MSTI1
Master Bridge
root switch:S3
MSTI2
root switch:S2
MSTI0 (IST)
S2 S3 root switch:S1
VLAN1 MSTI1
VLAN2,VLAN3 MSTI2
S4 other VLANs MSTI0
Regional Root
Regional roots are classified into Internal Spanning Tree (IST) and MSTI regional roots.
In the region B0, C0, and D0 on the network shown in Figure 15-6, the switching devices
closest to the Common and Internal Spanning Tree (CIST) root are IST regional roots.
An MST region can contain multiple spanning trees, each called an MSTI. An MSTI regional
root is the root of the MSTI. On the network shown in Figure 15-5, each MSTI has its own
regional root.
MST Region
VLAN VLA
N10
10&20&30 &20
VLAN 20&30
30
VLAN VLAN VLAN
10&30 VLAN 10&30
20
VLAN 10
Root
Root
MSTI links
MSTI links blocked by the protocol
MSTIs are independent of each other. an MSTI can correspond to one or more VLANs, but a
VLAN can be mapped to only one MSTI.
Master Bridge
The master bridge is the IST master, which is the switching device closest to the CIST root in
a region, for example, S1 shown in Figure 15-4.
If the CIST root is in an MST region, the CIST root is the master bridge of the region.
CIST Root
A0
CIST Root
D0 Region Root B0
Region Root
C0
Region Root
IST
CST
On the network shown in Figure 15-6, the CIST root is the root bridge of the CIST. The CIST
root is a device in A0.
CST
A Common Spanning Tree (CST) connects all the MST regions on a switching network.
If each MST region is considered a node, the CST is calculated by using STP or RSTP based
on all the nodes.
As shown in Figure 15-6, the MST regions are connected to form a CST.
IST
An IST resides within an MST region.
An IST is a special MSTI with the MSTI ID being 0, called MSTI 0.
An IST is a segment of the CIST in an MST region.
As shown in Figure 15-6, the switching devices in an MST region are connected to form an
IST.
CIST
A CIST, calculated by using STP or RSTP, connects all the switching devices on a switching
network.
As shown in Figure 15-6, the ISTs and the CST form a complete spanning tree, the CIST.
SST
A Single Spanning Tree (SST) is formed in either of the following situations:
l A switching device running STP or RSTP belongs to only one spanning tree.
l An MST region has only one switching device.
Port Role
Based on RSTP, MSTP has two additional port types. MSTP ports can be root ports,
designated ports, alternate ports, backup ports, edge ports, master ports, and regional edge
port.
The functions of root ports, designated ports, alternate ports, and backup ports have been
defined in RSTP. Table 15-2 lists all port roles in MSTP.
NOTE
Port Description
Role
Root port A root port is the non-root bridge port closest to the root bridge. Root bridges
do not have root ports.
Root ports are responsible for sending data to root bridges.
As shown in Figure 15-7, S1 is the root; CP1 is the root port on S3; BP1 is the
root port on S2.
Designate The designated port on a switching device forwards BPDUs to the downstream
d port switching device.
As shown in Figure 15-7, AP2 and AP3 are designated ports on S1; CP2 is a
designated port on S3.
Alternate l From the perspective of sending BPDUs, an alternate port is blocked after a
port BPDU sent by another bridge is received.
l From the perspective of user traffic, an alternate port provides an alternate
path to the root bridge. This path is different than using the root port.
As shown in Figure 15-7, BP2 is an alternate port.
Port Description
Role
Backup l From the perspective of sending BPDUs, a backup port is blocked after a
port BPDU sent by itself is received.
l From the perspective of user traffic, a backup port provides a backup/
redundant path to a segment where a designated port already connects.
As shown in Figure 15-7, CP3 is a backup port.
Master A master port is on the shortest path connecting MST regions to the CIST root.
port BPDUs of an MST region are sent to the CIST root through the master port.
Master ports are special regional edge ports, functioning as root ports on ISTs
or CISTs and master ports in instances.
As shown in Figure 15-8, S1, S2, S3, and S4 form an MST region. AP1 on S1,
being the nearest port in the region to the CIST root, is the master port.
Regional A regional edge port is located at the edge of an MST region and connects to
edge port another MST region or an SST.
During MSTP calculation, the roles of a regional edge port in the MSTI and
the CIST instance are the same. If the regional edge port is the master port in
the CIST instance, it is the master port in all the MSTIs in the region.
As shown in Figure 15-8, AP1, DP1, and DP2 in an MST region are directly
connected to other regions, and therefore they are all regional edge ports of the
MST region.
Edge port An edge port is located at the edge of an MST region and does not connect to
any switching device.
Generally, edge ports are directly connected to terminals.
After MSTP is enabled on a port, edge-port detecting is started automatically.
If the port fails to receive BPDU packets within (2 x Hello Timer + 1) seconds,
the port is set to an edge port. Otherwise, the port is set to a non-edge port.
Figure 15-7 Root port, designated port, alternate port, and backup port
S1
Root
AP2 AP3
CP1 BP1
S3 S2
root port
designated port
Alternate port
Backup port
AP1
Master
S1
S2 S3
S4
Port Description
Status
Forwardi A port in the Forwarding state can send and receive BPDUs as well as forward
ng user traffic.
Learning A port in the Learning state learns MAC addresses from user traffic to
construct a MAC address table.
In the Learning state, the port can send and receive BPDUs, but not forward
user traffic.
There is no necessary link between the port status and the port role. Table 15-4 lists the
relationships between port roles and port status.
Yes: The port supports this status. No: The port does not support this status.
Table 15-5 shows differences between TCN BPDUs, configuration BPDUs defined by STP,
RST BPDUs defined by RSTP, and MST BPDUs defined by MSTP.
The first 36 bytes of an intra-region or inter-region MST BPDU are the same as those of an
RST BPDU.
Fields from the 37th byte of an MST BPDU are MSTP-specific. The field MSTI
Configuration Messages consists of configuration messages of multiple MSTIs.
Table 15-6 lists the major information carried in an MST BPDU.
CIST External 4 Indicates the total path costs from the MST region
Path Cost where the switching device resides to the MST region
where the CIST root switching device resides. This
value is calculated based on link bandwidth.
Hello Time 2 Indicates the Hello timer value. The default value is 2
seconds.
Forward Delay 2 Indicates the forwarding delay timer. The default value
is 15 seconds.
CIST Internal 4 Indicates the total path costs from the local port to the
Root Path Cost IST master. This value is calculated based on link
bandwidth.
The greater the Hello Time value, the more BPDUs sent at a Hello interval. Setting the Hello
Time to a proper value limits the number of BPDUs sent by a port at a Hello interval. This
helps prevent network topology flapping and avoid excessive use of bandwidth resources by
BPDUs.
MSTP Principle
MSTP can divide the entire Layer 2 network into multiple MST regions, and the CST is
generated through calculation. In an MST region, multiple spanning trees are calculated, each
of which is called an MSTI. Among these MSTIs, MSTI 0 is also known as the internal
spanning tree (IST). Like STP, MSTP uses configuration messages to calculate spanning
trees, but the configuration messages are MSTP-specific.
Vectors
Both MSTIs and the CIST are calculated based on vectors, which are carried in MST BPDUs.
Therefore, switching devices exchange MST BPDUs to calculate MSTIs and the CIST.
Root ID Identifies the root switching device for the CIST. The root
identifier consists of the priority value (16 bits) and MAC address
(48 bits).
The priority value is the priority of MSTI 0.
External root path Indicates the path cost from a CIST regional root to the root.
cost (ERPC) ERPCs saved on all switching devices in an MST region are the
same. If the CIST root is in an MST region, ERPCs saved on all
switching devices in the MST region are 0s.
Regional root ID Identifies the MSTI regional root. The regional root ID consists
of the priority value (16 bits) and MAC address (48 bits).
The priority value is the priority of MSTI 0.
Internal root path Indicates the path cost from the local bridge to the regional root.
cost (IRPC) The IRPC saved on a regional edge port is greater than the IRPC
saved on a non-regional edge port.
Designated Identifies the nearest upstream bridge on the path from the local
switching device bridge to the regional root. If the local bridge is the root or the
ID regional root, this ID is the local bridge ID.
Designated port Identifies the port on the designated switching device connected
ID to the root port on the local bridge. The port ID consists of the
priority value (4 bits) and port number (12 bits). The priority
value must be a multiple of 16.
Receiving port ID Identifies the port receiving the BPDU. The port ID consists of
the priority value (4 bits) and port number (12 bits). The priority
value must be a multiple of 16.
CIST Calculation
After completing the configuration message comparison, the switching device with the
highest priority on the entire network is selected as the CIST root. MSTP calculates an IST
for each MST region, and computes a CST to interconnect MST regions. On the CST, each
MST region is considered a switching device. The CST and ISTs constitute a CIST for the
entire network.
MSTI Calculation
In an MST region, MSTP calculates an MSTI for each VLAN based on mappings between
VLANs and MSTIs. Each MSTI is calculated independently. The calculation process is
similar to the process for STP to calculate a spanning tree. For details, see 14.2.4 STP
Topology Calculation.
MSTIs have the following characteristics:
l The spanning tree is calculated independently for each MSTI, and spanning trees of
MSTIs are independent of each other.
l MSTP calculates the spanning tree for an MSTI in the manner similar to STP.
l Spanning trees of MSTIs can have different roots and topologies.
l Each MSTI sends BPDUs in its spanning tree.
l The topology of each MSTI is configured by using commands.
l A port can be configured with different parameters for different MSTIs.
l A port can play different roles or have different status in different MSTIs.
On an MSTP-aware network, a VLAN packet is forwarded along the following paths:
l MSTI in an MST region
l CST among MST regions
Upstream Downstream
device device
Send a proposal so
that the port can
rapidly enter the
Forwarding state Configure the root port
and block non-edge ports
Send an agreement
The root port
The designated enters the
port enters the Send an agreement Forwarding state
Forwarding state
Root port
Designated port
a. The upstream device sends a proposal to the downstream device, indicating that the
port connecting to the downstream device wants to enter the Forwarding state as
soon as possible. After receiving this BPDU, the downstream device sets its port
connecting to the upstream device to the root port, and blocks all non-edge ports.
b. The upstream device continues to send an agreement. After receiving this BPDU,
the root port enters the Forwarding state.
c. The downstream device replies with an agreement. After receiving this BPDU, the
upstream device sets its port connecting to the downstream device to the designated
port, and the port enters the Forwarding state.
By default, Huawei datacom devices use the fast transition mechanism in enhanced mode. To
enable a Huawei datacom device to communicate with a third-party device that use the fast
transition mechanism in common mode, configure the Proposal/Agreement mechanism on the
Huawei datacom device so that the Huawei datacom device works in common mode.
Core
MPLS/IP Core
UPE3
UPE4
Aggregation
MSTP
UPE1 UPE2
STP/RSTP
S1
Access
S4
S2 S3
On the network shown in Figure 15-11, switching devices and UPEs construct multiple Layer
2 rings. STP must be enabled on these rings to prevent loops. UPE1 and UPE2 are connected
to multiple access rings that are independent of each other. The spanning tree protocol cannot
calculate a single spanning tree for all switching devices. Instead, the spanning tree protocol
must be enabled on each ring to calculate a separate spanning tree.
MSTP supports MSTIs, but these MSTIs must belong to one MST region and devices in the
region must have the same configurations. If the devices belong to different regions, MSTP
calculates the spanning tree based on only one instance. Assume that devices on the network
belong to different regions, and only one spanning tree is calculated in one instance. In this
case, the status change of any device on the network affects the stability of the entire network.
On the network shown in Figure 15-11, the switching devices connected to UPEs support
only STP or RSTP but not MSTP. When MSTP-enabled UPEs receive RSTP BPDUs from the
switching devices, the UPEs consider that they and switching devices belong to different
regions. As a result, only one spanning tree is calculated for the rings composed of UPEs and
switching devices, and the rings affect each other.
processes. In this manner, only ports that are bound to a process participate in the MSTP
calculation for this process. With the MSTP multi-process mechanism, spanning trees of
different processes are calculated independently and do not affect each other. The network
shown in Figure 15-11 can be divided into multiple MSTP processes by using MSTP multi-
process. Each process takes charge of a ring composed of switching devices. The MSTP
processes have the same functions and support MSTIs. The MSTP calculation for one process
does not affect the MSTP calculation for another process.
NOTE
Purpose
On the network shown in Figure 15-11, MSTP multi-process is configured to implement the
following:
l Greatly improves applicability of STP to different networking conditions.
To help a network running different spanning tree protocols run properly, you can bind
the devices running different spanning tree protocols to different processes. In this
manner, every process calculates a separate spanning tree.
l Improves the networking reliability. For a network composed of many Layer 2 access
devices, using MSTP multi-process reduces the adverse effect of a single node failure on
the entire network.
The topology is calculated for each process. If a device fails, only the topology
corresponding to the process to which the device belongs changes.
l Reduces the network administrator workload during network expansion, facilitating
operation and maintenance.
To expand a network, you only need to configure new processes, connect the processes
to the existing network, and keep the existing MSTP processes unchanged. If device
expansion is performed in a process, only this process needs to be modified.
l Implements separate Layer 2 port management
An MSTP process manages parts of ports on a device. Layer 2 ports on a device are
separately managed by multiple MSTP processes.
Principle
l Public link status
As shown in Figure 15-11, the public link between UPE1 and UPE2 is a Layer 2 link
running MSTP. The public link between UPE1 and UPE2 is different from the links
connecting switching devices to UPEs. The ports on the public link need to participate in
the calculation for multiple access rings and MSTP processes. Therefore, the UPEs must
identify the process from which MST BPDUs are sent.
In addition, a port on the public link participates in the calculation for multiple MSTP
processes, and obtains different status. As a result, the port cannot determine its status.
To prevent this situation, it is defined that a port on a public link always adopts its status
in MSTP process 0 when participating in the calculation for multiple MSTP processes.
NOTE
After a device normally starts, MSTP process 0 exists by default, and MSTP configurations in the
system view and interface view belong to this process.
l Reliability
On the network shown in Figure 15-12, after the topology of a ring changes, the MSTP
multi-process mechanism helps UPEs flood a TC packet to all devices on the ring and
prevent the TC packet from being flooded to devices on the other ring. UPE1 and UPE2
update MAC and ARP entries on the ports corresponding to the changed spanning tree.
MPLS/IP Core
Core
UPE4 UPE3
Aggregation
MSTP
UPE1 UPE2
STP/RSTP
S1
Access
S4
S2 S3
topology change
On the network shown in Figure 15-13, if the public link between UPE1 and UPE2 fails,
multiple switching devices that are connected to the UPEs will unblock their blocked
ports.
Core
MPLS/IP Core
UPE4 UPE3
Aggregation
MSTP
UPE1 UPE2
STP/RSTP
S2
S4 Access
S1 S3
Assume that UPE1 is configured with the highest priority, UPE2 with the second highest
priority, and switching devices with default or lower priorities. After the link between
UPE1 and UPE2 fails, the blocked ports (replacing the root ports) on switching devices
no longer receive packets with higher priorities and re-performs state machine
calculation. If the calculation changes the blocked ports to designated ports, a permanent
loop occurs, as shown in Figure 15-14.
Core
MPLS/IP Core
UPE4 UPE3
Aggregation
MSTP
UPE1 UPE2
STP/RSTP
Access
S2 S4
S1 S3
l Solutions
To prevent a loop between access rings, use either of the following solutions:
– Configure an inter-board Eth-Trunk link between UPE1 and UPE2.
An inter-board Eth-Trunk link is used as the public link between UPE1 and UPE2
to improve link reliability, as shown in Figure 15-15.
Core
MPLS/IP Core
UPE4 UPE3
Aggregation
MSTP
UPE1 UPE2
Eth-Trunk
STP/RSTP
Access
S2 S4
S1 S3
Core
MPLS/IP Core
UPE4 UPE3
Aggregation
MSTP
UPE1 UPE2
Root
protection
S2
S4
Access
STP/RSTP
S1 S3
Use the blue ring shown in Figure 15-16 as an example. UPE1 is configured with
the highest priority, UPE2 with the second highest priority, and switching devices
on the blue ring with default or lower priorities. In addition, root protection is
enabled on UPE2.
Assume that a port on S1 is blocked. When the public link between UPE1 and
UPE2 fails, the blocked port on S1 begins to calculate the state machine because it
no longer receives BPDUs of higher priorities. After the calculation, the blocked
port becomes the designated port and performs P/A negotiation with the
downstream device.
After S1, which is directly connected to UPE2, sends BPDUs of higher priorities to
the UPE2 port enabled with root protection, the port is blocked. From then on, the
port remains blocked because it continues receiving BPDUs of higher priorities. In
this manner, no loop will occur.
Application of MSTP
S1
MST Region S2
all VLAN
VLAN
VLAN VLAN
10&20 VLAN
20&30 20&30
10&20
VLAN
S3 20&40 S4
MSTP allows packets in different VLANs to be forwarded by using different spanning tree
instances, as shown in Figure 15-17. The configurations are as follows:
l All devices on the network belong to the same MST region.
l VLAN 10 packets are forwarded within MSTI 1; VLAN 30 packets are forwarded within
MSTI 3; VLAN 40 packets are forwarded within MSTI 4; VLAN 20 packets are
forwarded within MSTI 0.
In Figure 15-17, S1 and S2 are devices at the aggregation layer; S3 and S4 are devices at the
access layer. Traffic from VLAN 10 and VLAN 30 is terminated by aggregation devices, and
traffic from VLAN 40 is terminated by the access device. Therefore, S1 and S2 can be
configured as the roots of MSTI 1 and MSTI 3, and S3 can be configured as the root of MSTI
4.
Core
MPLS/IP Core
UPE3
UPE4
Aggregation
MSTP
UPE1 UPE2
STP/RSTP
S1
Access
S4
S2 S3
License Support
MSTP is a basic feature of a switch and is not under license control.
Version Support
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
l MSTP BPDUs may be discarded in a scenario wherein there are many MSTIs and MSTP
multi-process is configured. This is due to the default CIR of STP being insufficient.
(The default CIR of STP is insufficient because the length of MSTP BPDUs increases as
the number of MSTIs increases, and the number of outgoing MSTP BPDUs increases
when MSTP multi-process is configured.) To avoid this situation, increase the CIR of
STP.
If the CPCAR values are adjusted improperly, network services are affected. To adjust
the CPCAR values of STP BPDUs, contact technical support personnel.
l Enabling MSTP on a ring network immediately triggers spanning tree calculation. If
basic configurations are not performed on switches and interfaces before MSTP is
enabled, network flapping may occur upon changes to parameters such as device priority
and interface priority.
Context
MSTP is commonly configured on switching devices to trim a ring network to a loop-free
network. Devices start spanning tree calculation after the working mode is set and MSTP is
enabled. Use any of the following methods if you need to intervene in the spanning tree
calculation:
l Manually configure the root bridge and secondary root bridge.
l Set a priority for a switching device in an MSTI: The lower the numerical value, the
higher the priority of the switching device and the more likely the switching device
becomes a root bridge; the higher the numerical value, the lower the priority of the
switching device and the less likely that the switching device becomes a root bridge.
l Set a path cost for a port in an MSTI: With the same calculation method, the lower the
numerical value, the smaller the cost of the path from the port to the root bridge and the
more likely the port becomes a root port; the higher the numerical value, the larger the
cost of the path from the port to the root bridge and the less likely that the port becomes
a root port.
l Set a priority for a port in an MSTI: The lower the numerical value, the more likely the
port becomes a designated port; the higher the numerical value, the less likely that the
port becomes a designated port.
Context
Before configuring basic MSTP functions, set the working mode of a switching device to
MSTP. MSTP is compatible with STP and RSTP.
Procedure
Step 1 Run:
system-view
The working mode of the switching device is set to MSTP. By default, the working mode is
MSTP.
STP and MSTP cannot recognize packets of each other, but MSTP and RSTP can. If an
MSTP-enabled switching device is connected to switching devices running STP, interfaces of
the MSTP-enabled switching device connected to devices running STP automatically
transition to STP mode, and other interfaces still work in MSTP mode. This enables devices
running different spanning tree protocols to interwork with each other.
----End
Context
An MST region contains multiple switching devices and network segments. These switching
devices are directly connected and have the same region name, same VLAN-to-instance
mapping, and the same configuration revision number after MSTP is enabled. One switching
network can have multiple MST regions. You can use MSTP commands to group multiple
switching devices into one MST region.
NOTE
Two switching devices belong to the same MST region when they have the same:
l Name of the MST region
l Mapping between VLANs and MSTIs
l Revision level of the MST region
Perform the following steps on a switching device that needs to join an MST region.
Procedure
Step 1 Run:
system-view
stp region-configuration
NOTE
Changing MST region configurations (especially change of the VLAN mapping table) triggers spanning
tree recalculation and causes route flapping. Therefore:
l After configuring an MST region name, VLAN-to-instance mappings, and an MSTP revision
number, run the check region-configuration command in the MST region view to verify the
configuration. After confirming the region configurations, run the active region-configuration
command to activate MST region configurations.
l You are advised not to modify MST region parameters after the MST region is activated.
Step 6 Run:
active region-configuration
MST region configurations are activated so that the configured region name, VLAN-to-
instance mappings, and revision number can take effect.
If this step is not done, the preceding configurations cannot take effect.
If you have changed MST region configurations on the switching device after MSTP starts,
run the active region-configuration command to activate the MST region so that the changed
configurations can take effect.
Before using the active region-configuration command to activate the modified MST region
parameters, run the check region-configuration command to check whether parameters are
correct. After the active region-configuration command is executed, check whether a
message indicating an activation failure is displayed. If such a message is displayed,
reconfigure MSTP parameters.
----End
15.7.1.3 (Optional) Configuring the Root Bridge and Secondary Root Bridge
Context
The root bridge can be calculated through calculation. You can also manually configure the
root bridge or secondary root bridge.
l A switching device plays different roles in different spanning trees. The switching device
can function as the root switch or secondary root switch of a spanning tree and the root
switch or secondary root switch of another spanning tree. The switching device can
function as only the root switch or secondary root switch of the same spanning tree.
l In a spanning tree, only one root bridge takes effect. When two or more than two devices
are specified as root bridges of a spanning tree, the device with the smallest MAC
address is used as the root bridge.
l You can specify multiple secondary root bridges for each spanning tree. When the root
bridge fails or is powered off, the secondary root bridge becomes the new root bridge. If
a new root bridge is specified, the secondary root bridge will not become the root bridge.
If multiple secondary root bridges are configured, the secondary root bridge with
smallest MAC address will become the root bridge of the spanning tree.
NOTE
It is recommended that the root bridge and secondary root bridge be configured manually.
Procedure
l Perform the following operations on the device to be used as the root bridge.
a. Run:
system-view
By default, a switching device does not function as the root bridge. After the
configuration is complete, the BID of the device is 0 and cannot be changed.
a. Run:
system-view
By default, a switching device does not function as the secondary root bridge. After
the configuration is complete, the BID of the device is 4096 and cannot be changed.
----End
Context
In an MSTI, there is only one root bridge, which is the logic center of the MSTI. During root
bridge selection, a high-performance switching device at a high network layer should be
selected as the root bridge; however, the priority of such a device may not be the highest on
the network. It is therefore necessary to set a high priority for the switching device to ensure
that the device functions as a root bridge.
Low-performance devices at lower network layers are not fit to serve as a root bridge.
Therefore, set low priorities for these devices.
A switching device with a high priority is more likely to be selected as the root bridge in an
MSTI. A smaller priority value indicates a higher priority.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp [ instance instance-id ] priority priority
If the instance-id is not designated, a priority is set for the switching device in MSTI0.
NOTE
If the stp [ instance instance-id ] root primary or stp [ instance instance-id ] root secondary
command has been executed to configure the device as the root bridge or secondary root bridge, to
change the device priority, run the undo stp [ instance instance-id ] root command to disable the root
bridge or secondary root bridge function and run the stp [ instance instance-id ] priority priority
command to set a priority.
----End
Context
A path cost is port-specific and is used by MSTP to select a link.
Path costs of ports are an important basis for calculating spanning trees. If you set different
path costs for a port in different MSTIs, VLAN traffic can be transmitted along different
physical links for load balancing.
The MSTP path cost determines root port selection in an MSTI. The port with the lowest path
cost to the root bridge is selected as the root port.
If a network has loops, it is recommended that you set a relatively large path cost for ports
with low link rates.
Procedure
Step 1 Run:
system-view
----End
Context
During spanning tree calculation, port priorities in MSTIs determine which ports are selected
as designated ports.
To block a port in an MSTI to eliminate loops, set the port priority value to larger than the
default value. This port will be blocked during designated port selection.
Procedure
Step 1 Run:
system-view
----End
Context
After configuring basic MSTP functions on a switching device, enable MSTP function.
After MSTP is enabled on a ring network, it immediately calculates spanning trees on the
network. Configurations on the switching device, such as, the switching device priority and
port priority, will affect spanning tree calculation. Any change to the configurations may
cause network flapping. Therefore, to ensure rapid and stable spanning tree calculation,
perform basic configurations on the switching device and its ports and enable MSTP.
Procedure
Step 1 Run:
system-view
NOTE
If you specify a VLANIF interface of a VLAN as the management network interface for an MSTP-
enabled device, you can run the ethernet-loop-protection ignored-vlan command to specify this
VLAN as an ignored VLAN. Through MSTP calculation, the interface on which the ignored VLAN is
configured does not enter the congested state but stays in the forwarding state. Therefore, services are
not interrupted.
After MSTP is enabled on a port, edge-port detecting is started automatically. If the port fails to receive
BPDU packets within (2 x Hello Timer + 1) seconds, the port is set to an edge port. Otherwise, the port
is set to a non-edge port.
----End
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths to associated VLANs are
changed. The ARP entries corresponding to those VLANs on the switching device need to be
updated. MSTP processes ARP entries in either fast or normal mode.
You can run the stp converge { fast | normal } command in the system view to configure the
STP/RSTP convergence mode.
NOTE
The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted,
causing the CPU usage on device to reach 100%. As a result, network flapping will frequently occur.
Procedure
l Run the display stp [ instance instance-id ] [ interface interface-type interface-number |
slot slot-id ] [ brief ] command to view spanning-tree status and statistics.
l Run the display stp region-configuration command to view configurations of activated
MST regions.
l Run the display stp region-configuration digest command to view the digest
configurations of activated MST regions.
----End
Pre-configuration Tasks
MSTP ensures that spanning trees in rings are calculated independently. After MSTP multi-
process is enabled, each MSTP process can manage some ports on a device. Layer 2
interfaces are managed by multiple MSTP processes, each of which runs the standard MSTP.
Before configuring MSTP multi-process, complete and activate the MST region
configuration.
Context
A process ID uniquely identifies an MSTP multi-process. After an MSTP device binds its
ports to different processes, the MSTP device performs the MSTP calculation based on
processes, and only relevant ports in each process take part in MSTP calculation. Do as
follows on the devices connected to access rings:
Procedure
Step 1 Run:
system-view
NOTE
l After a device starts, there is a default MSTP process with the ID 0. MSTP configurations in the
system view and interface view belong to this process. The default working mode of this process is
MSTP.
l To add an interface to an MSTP process with the ID of non-zero, run the stp process command and
then the stp binding process command.
----End
Context
After being added to MSTP processes, interfaces can participate in MSTP calculation:
l The links connecting MSTP devices and access rings are called access links.
l The link shared by multiple access rings are called a share link. The interfaces on the
share link need to participate in MSTP calculation in multiple access rings in different
MSTP processes.
Procedure
l Adding a port to an MSTP process-access link
a. Run:
system-view
The interface specified in this command must be the interface that connects the
device and the access ring.
c. Run:
stp binding process process-id
NOTE
if an interface joining the MSTP process has sub-interfaces configured with other features
such as VPLS, run the stp vpls-subinterface enable command. The main interface can then
notify its sub-interfaces to update MAC address entries and ARP entries after receiving a
TC-BPDU. This prevents service interruption. In addition, root protection needs to be
configured on the main interface. Switch XGE interfaces connected to the ACU2,
ET1D2IPS0S00, ET1D2FW00S00, ET1D2FW00S01 or ET1D2FW00S02 card do not
support the notification function.
A port on an access link can join only one MSTP process. If you run this command multiple
times, only the latest configuration takes effect.
l Adding a port to an MSTP process in link-share mode
a. Run:
system-view
The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
The interface specified in this command must be an interface on the share link
between the devices configured with MSTP multi-process but not the interfaces that
connect an access ring and a device.
c. Run:
stp binding process process-id1 [ to process-id2 ] link-share
NOTE
In an MSTP process where there are multiple share links, run the stp enable command in the
MSTP multi-instance view. On an interface that is added to an MSTP process in link-share
mode, run the stp enable command in the interface view.
----End
15.7.2.3 (Optional) Configuring the Root Bridge and Secondary Root Bridge
Context
The root bridge can be calculated through calculation. You can also manually configure the
root bridge or secondary root bridge.
l A switching device plays different roles in different spanning trees. The switching device
can function as the root switch or secondary root switch of a spanning tree and the root
switch or secondary root switch of another spanning tree. The switching device can
function as only the root switch or secondary root switch of the same spanning tree.
l In a spanning tree, only one root bridge takes effect. When two or more than two devices
are specified as root bridges of a spanning tree, the device with the smallest MAC
address is used as the root bridge.
l You can specify multiple secondary root bridges for each spanning tree. When the root
bridge fails or is powered off, the secondary root bridge becomes the new root bridge. If
a new root bridge is specified, the secondary root bridge will not become the root bridge.
If multiple secondary root bridges are configured, the secondary root bridge with
smallest MAC address will become the root bridge of the spanning tree.
NOTE
It is recommended that the root bridge and secondary root bridge be configured manually.
Procedure
l Perform the following operations on the device to be used as the root bridge.
a. Run:
system-view
Context
In an MSTI, there is only one root bridge, which is the logic center of the MSTI. During root
bridge selection, a high-performance switching device at a high network layer should be
selected as the root bridge; however, the priority of such a device may not be the highest on
the network. It is therefore necessary to set a high priority for the switching device to ensure
that the device functions as a root bridge.
A switching device with a high priority is more likely to be selected as the root bridge in an
MSTI. A smaller priority value indicates a higher priority.
Low-performance devices at lower network layers are not fit to serve as a root bridge.
Therefore, set low priorities for these devices.
Procedure
Step 1 Run:
system-view
NOTE
l To configure a switching device as the primary root bridge, run the stp [ instance instance-id ] root
primary command directly. The priority value of this switching device is 0.
l To configure a switching device as the secondary root bridge, run the stp [ instance instance-id ]
root secondary command. The priority value of this switching device is 4096.
In an MSTI, a switching device cannot act as the primary root bridge and secondary root bridge at
the same time.
l If the stp [ instance instance-id ] root primary or stp [ instance instance-id ] root secondary
command has been executed to configure the device as the root bridge or secondary root bridge, to
change the device priority, run the undo stp [ instance instance-id ] root command to disable the
root bridge or secondary root bridge function and run the stp [ instance instance-id ] priority
priority command to set a priority.
----End
Context
A path cost is port-specific and is used by MSTP to select a link.
Path costs of ports are an important basis for calculating spanning trees. If you set different
path costs for a port in different MSTIs, VLAN traffic can be transmitted along different
physical links for load balancing.
The MSTP path cost determines root port selection in an MSTI. The port with the lowest path
cost to the root bridge is selected as the root port.
If a network has loops, it is recommended that you set a relatively large path cost for ports
with low link rates. MSTP then blocks these ports.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp pathcost-standard { dot1d-1998 | dot1t | legacy }
By default, the IEEE 802.1t standard (dot1t) is used to calculate the path cost.
All switching devices on a network must use the same path cost calculation method.
Step 3 Run:
interface interface-type interface-number
Step 4 Run:
stp binding process process-id
Step 5 Run:
stp [ process process-id ] instance instance-id cost cost
----End
Context
During spanning tree calculation, port priorities in MSTIs determine which ports are selected
as designated ports.
To block a port in an MSTI to eliminate loops, set the port priority value to larger than the
default value. This port will be blocked during designated port selection.
Procedure
Step 1 Run:
system-view
----End
Context
After the TC notification function is configured for MSTP multi-process, the current MSTP
process can notify the MSTIs in other specified MSTP processes to refresh MAC address
entries and ARP entries after receiving a TC-BPDU. Nonstop services are ensured. Do as
follows on the devices connected to access rings:
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp process process-id
Step 3 Run:
stp tc-notify process 0
After the stp tc-notify process 0 command is run, the current MSTP process notifies the
MSTIs in MSTP process 0 to update MAC entries and ARP entries after receiving a TC-
BPDU. This prevents services from being interrupted.
----End
Context
After MSTP multi-process is enabled on the switching device, you must enable MSTP in the
MSTP process view so that the MSTP configuration can take effect in the MSTP process.
After MSTP is enabled on a ring network, it immediately calculates spanning trees on the
network. Configurations on the switching device, such as, the switching device priority and
port priority, will affect spanning tree calculation. Any change to the configurations may
cause network flapping. Therefore, to ensure rapid and stable spanning tree calculation,
perform basic configurations on the switching device and its ports and enable MSTP.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp process process-id
Step 3 Run:
stp enable
----End
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths to associated VLANs are
changed. The ARP entries corresponding to those VLANs on the switching device need to be
updated. MSTP processes ARP entries in either fast or normal mode.
l In fast mode, ARP entries to be updated are directly deleted.
l In normal mode, ARP entries to be updated are rapidly aged.
The remaining lifetime of ARP entries to be updated is set to 0. The switching device
rapidly processes these aged entries. If the number of ARP aging probe attempts is not
set to 0, ARP implements aging probe for these ARP entries.
In either fast or normal mode, MAC entries are directly deleted.
You can run the stp converge { fast | normal } command in the system view to configure the
STP/RSTP convergence mode.
By default, the normal MSTP convergence mode is used.
NOTICE
The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently
deleted, causing the CPU usage on the MPU and LPU to reach 100%. As a result, network
flapping will frequently occur.
Procedure
l Run the display stp process process-id [ instance instance-id ] [ interface interface-
type interface-number | slot slot-id ] [ brief ] command to view spanning-tree status and
statistics.
----End
Pre-configuration Tasks
Before configuring MSTP parameters that affect route convergence, configure MSTP or
MSTP multi-process.
Context
Any two terminals on a switching network are connected through a specific path spanning
multiple devices. The network diameter is the maximum number of devices between any two
terminals. A larger network diameter indicates a larger network scale.
A network diameter that is too large may cause slow network convergence and affect
communication. Run the stp bridge-diameter command to set an appropriate network
diameter based on the network scale to speed up convergence.
It is recommended that all devices be configured with the same network diameter.
Procedure
Step 1 Run:
system-view
NOTE
This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If
you perform configurations in the MSTP process 0, skip this step.
Step 3 Run:
stp bridge-diameter diameter
----End
Context
If a device does not receive any BPDUs from the upstream device within the timeout interval,
the device considers the upstream device to be down and triggers spanning tree recalculation.
Sometimes, a device cannot receive the BPDU from the upstream device within the timeout
interval because the upstream device is busy. In this case, recalculating the spanning tree will
waste network resources. Set a long timeout interval on a stable network to avoid this.
The timeout interval is calculated as follows:
Timeout interval = Hello Time x 3 x Timer Factor
Procedure
Step 1 Run:
system-view
NOTE
This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If
you perform configurations in the MSTP process 0, skip this step.
Step 3 Run:
stp timer-factor factor
The timeout period for waiting for BPDUs from the upstream device is set.
By default, the timeout period is 9 times the Hello timer value.
----End
Context
The following timers are used in spanning tree calculation:
l Forward Delay: specifies the delay before a state transition. After the topology of a ring
network changes, it takes some time to spread the new configuration BPDU throughout
the entire network. As a result, the original blocked port may be unblocked before a new
port is blocked. This creates a loop on the network. You can set the Forward Delay timer
to prevent loops. When the topology changes, all ports will be temporarily blocked
during the Forward Delay.
l Hello Time: specifies the interval at which Hello packets are sent. A switching device
sends configuration BPDUs at the specified interval to detect link failures. If the
switching device does not receive any BPDUs within a Hello timer interval, the
switching device triggers spanning tree recalculation.
l Max Age: determines when BPDUs expire. A switching device determines that a
received configuration BPDU times out when the Max Age expires.
Devices on a ring network must use the same values for Forward Delay, Hello Time, and Max
Age.
You are not advised to directly change the preceding three parameters as they are related to
the network scale; therefore, it is recommended that you set the network diameter so that the
spanning tree protocol automatically adjusts these timers. When the default network diameter
is used, the three timers also use their default values.
NOTICE
To prevent frequent network flapping, make sure that the Hello Time, Forward Delay, and
Max Age timer values conform to the following formulas:
l 2 x (Forward Delay - 1 second) >= Max Age
l Max Age >= 2 x (Hello Time + 1 second)
Procedure
Step 1 Run:
system-view
NOTE
This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If
you perform configurations in the MSTP process 0, skip this step.
----End
Context
The path costs affect spanning tree calculation. Changes to path costs trigger spanning tree
recalculation. The path cost of an interface is affected by its bandwidth, so changes to the
interface bandwidth also affect spanning tree calculation.
In Figure 15-19, SwitchA and SwitchB are connected through two Eth-Trunk links. Eth-
Trunk 1 has three member interfaces in Up state and Eth-Trunk 2 has two member interfaces
in Up state. Each member link has the same bandwidth, and SwitchA is selected as the root
bridge.
l Eth-Trunk 1 has higher bandwidth than Eth-Trunk 2. After STP calculation, Eth-Trunk 1
on SwitchB is selected as the root port and Eth-Trunk 2 is selected as the alternate port.
l If the maximum number of connections affecting bandwidth of Eth-Trunk 1 is set to 1,
the path cost of Eth-Trunk 1 becomes larger than the path cost of Eth-Trunk 2. Therefore,
Root Bridge
SwitchA SwitchB
After Eth-Trunk1
configuration Eth-Trunk2
Root Bridge
Alternate port
Root port
Designated port
The maximum number of connections affects only the path cost of an Eth-Trunk interface
participating in spanning tree calculation, and does not affect the actual bandwidth of the Eth-
Trunk link. The actual bandwidth for an Eth-Trunk link depends on the number of active
member interfaces in the Eth-Trunk.
Procedure
Step 1 Run:
system-view
----End
Context
It is easy to implement rapid convergence on a P2P link. If the two ports connected to a P2P
link are root or designated ports, the ports can transit to the forwarding state quickly by
sending Proposal and Agreement packets. This reduces the forwarding delay.
Procedure
Step 1 Run:
system-view
----End
Context
.A larger value of packet-number indicates more BPDUs sent in a hello interval and
therefore more system resources occupied. Setting the proper value of packet-number
prevents excess bandwidth usage when route flapping occurs.
Procedure
Step 1 Run:
system-view
By default, the maximum number of BPDUs that a port sends is 6 per second.
----End
Context
If an interface on an MSTP-enabled device is connected to an STP-enabled device, the
interface switches to the STP compatible mode.
If the STP-enabled device is powered off or disconnected from the MSTP-enabled device, the
interface cannot switch to the MSTP mode. In this case, you can switch the interface to the
MSTP mode by using the stp mcheck command.
In the following cases, you need to manually switch the interface back to the MSTP mode
manually:
Procedure
l Switching to the MSTP mode in the interface view
a. Run:
system-view
The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
c. Run:
stp mcheck
NOTE
This step is needed only when you perform configurations in an MSTP process with a non-
zero ID. If you perform configurations in the MSTP process 0, skip this step.
c. Run:
stp mcheck
Context
If a designated port is located at the edge of a network and is directly connected to terminal
devices, this port is called edge port.
An edge port does not receive or process configuration BPDUs, or MSTP calculation. It can
transit from Disable to Forwarding without any delay.
After a designated port is configured as an edge port, the port can still send BPDUs. Then
BPDUs are sent to other networks, causing flapping of other networks. You can configure a
port as an edge port and BPDU filter port so that the port does not process or send BPDUs.
NOTICE
After all ports are configured as edge ports and BPDU filter ports in the system view, none of
ports on the device send BPDUs or negotiate the STP status with directly connected ports on
the peer device. All ports are in forwarding state. This may cause loops on the network,
leading to broadcast storms. Exercise caution when you configure a port as an edge port and
BPDU filter port.
After a port is configured as an edge port and BPDU filter port in the interface view, the port
does not process or send BPDUs. The port cannot negotiate the STP status with the directly
connected port on the peer device. Exercise caution when you configure a port as an edge port
and BPDU filter port.
Procedure
l Configuring all ports as edge ports and BPDU filter ports in the system view
a. Run:
system-view
l Configuring a port as an edge port and BPDU filter port in the interface view
a. Run:
system-view
The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
c. (Optional) Run:
stp edged-port enable
Context
Switching devices on a Layer 2 network running MSTP communicate with each other by
exchanging MST BPDUs. An MST BPDU has a field that indicates the number of remaining
hops.
l The number of remaining hops in a BPDU sent by the root switching device equals the
maximum number of hops.
l The number of remaining hops in a BPDU sent by a non-root switching device equals
the maximum number of hops minus the number of hops from the non-root switching
device to the root switching device.
l If a switching device receives a BPDU in which the number of remaining hops is 0, the
switching device will discard the BPDU.
Therefore, the maximum number of hops of a spanning tree in an MST region determines the
network scale. The stp max-hops command can be used to set the maximum number of hops
in an MST domain so that the network scale of a spanning tree can be controlled.
Procedure
Step 1 Run:
system-view
NOTE
This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If
you perform configurations in the MSTP process 0, skip this step.
Step 3 Run:
stp max-hops hop
----End
Procedure
l Run the display stp [ process process-id ] [ instance instance-id ] [ interface interface-
type interface-number | slot slot-id ] [ brief ] command to view spanning-tree status and
statistics.
----End
Pre-configuration Tasks
Before configuring MSTP protection functions, configure MSTP or MSTP multi-process.
Context
Edge ports are directly connected to user terminal and will not receive BPDUs. Attackers may
send pseudo BPDUs to attack the switching device. If the edge ports receive the BPDUs, the
switching device configures the edge ports as non-edge ports and triggers a new spanning tree
calculation. Network flapping then occurs. BPDU protection can be used to protect switching
devices against malicious attacks.
Perform the following procedure on all switching devices that have edge ports.
Procedure
Step 1 Run:
system-view
NOTE
This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If
you perform configurations in the MSTP process 0, skip this step.
Step 3 Run:
stp bpdu-protection
----End
Follow-up Procedure
If you want an edge port to automatically recover from the error-down state, run the error-
down auto-recovery cause bpdu-protection interval interval-value command in the system
view to configure the auto recovery function and set a recovery delay on the port. Then a port
in error-down state can automatically go Up after the recovery delay. Note the following when
setting the recovery delay:
l The auto recovery function is disabled by default and does not have a default value for
the recovery delay. When you enable the auto recovery function, you must set a recovery
delay.
l A smaller interval-value indicates a shorter time before an edge port goes Up, and a
higher frequency of Up/Down state transitions on the port.
l A larger interval-value indicates a longer time before an edge port goes Up, and a longer
service interruption time.
l The auto recovery function takes effect only for the interfaces that transition to the error-
down state after the error-down auto-recovery command is executed.
Context
If attackers forge TC-BPDUs to attack the switching device, the switching device receives a
large number of TC BPDUs within a short time. If MAC address entries and ARP entries are
deleted frequently, the switching device is heavily burdened, causing potential risks to the
network.
TC protection is used to suppress TC BPDUs. The number of times that TC BPDUs are
processed by a switching device within a given time period is configurable. If the number of
TC BPDUs that the switching device receives within a given time exceeds the specified
threshold, the switching device handles TC BPDUs only for the specified number of times.
Excess TC BPDUs are processed by the switching device as a whole for once after the
specified time period expires. This protects the switching device from frequently deleting
MAC entries and ARP entries, therefore avoiding overburden.
Procedure
Step 1 Run:
system-view
NOTE
This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If
you perform configurations in the MSTP process 0, skip this step.
Step 3 Run:
stp tc-protection interval interval-value
The time taken by the device to process the maximum number of TC BPDUs is set.
By default, the device processes the maximum number of TC BPDUs at an interval of the
Hello time.
Step 4 Run:
stp tc-protection threshold threshold
The number of times the MSTP process handles the received TC BPDUs and updates
forwarding entries within a given time is set.
NOTE
Within the time specified by stp tc-protection interval, the switch processes TC BPDUs of a number
specified by stp tc-protection threshold. Other packets are delayed, so spanning tree convergence may
be affected. For example, the period is set to 10s and the threshold is set to 5. After receiving TC
BPDUs, the device processes the first five TC BPDUs within 10s. After 10s, the device processes
subsequent TC BPDUs.
----End
Context
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive
BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to
serve as the root bridge and the network topology is changed, triggering spanning tree
recalculation. This also may cause the traffic that should be transmitted over high-speed links
to be transmitted over low-speed links, leading to network congestion. The root protection
function on a switching device is used to protect the root bridge by preserving the role of the
designated port.
NOTE
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
NOTE
This step is performed only when the interface needs to be bound to an MSTP process with a non-zero
ID. If the interface belongs to process 0, skip this step.
Step 4 Run:
stp root-protection
----End
Context
On a network running MSTP, a switching device maintains the root port status and status of
blocked ports by receiving BPDUs from an upstream switching device. If the switching
device cannot receive BPDUs from the upstream device because of link congestion or
unidirectional-link failure, the switching device re-selects a root port. The original root port
becomes a designated port and the original blocked ports change to the Forwarding state. This
switching may cause network loops, which can be mitigated by configuring loop protection.
If the root port or alternate port does not receive BPDUs from the upstream device for a long
time, the switch enabled with loop protection sends a notification to the NMS. If the root port
is used, the root port enters the Discarding state and becomes the designated port. If the
alternate port is used, the alternate port keeps blocked and becomes the designated port. In
this case, loops will not occur. After the link is not congested or unidirectional link failures
are rectified, the port receives BPDUs for negotiation and restores its original role and status.
NOTE
An alternate port is a backup port for a root port. If a switching device has an alternate port, you need to
configure loop protection on both the root port and the alternate port.
Perform the following steps on the root port and alternate port on a switching device in an
MST region.
Procedure
Step 1 Run:
system-view
NOTE
This step is performed only when the interface needs to be bound to an MSTP process with a non-zero
ID. If the interface belongs to process 0, skip this step.
Step 4 Run:
stp loop-protection
Loop protection for the root port is configured on the switching device.
----End
Context
Share-link protection is used in the scenario where a switching device is dual homed to a
network.
When a share link fails, share-link protection forcibly changes the working mode of a local
switching device to RSTP. This function can also be used together with root protection to
avoid network loops.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp process process-id
NOTE
This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If
you perform configurations in the MSTP process 0, skip this step.
Step 3 Run:
stp link-share-protection
----End
Procedure
l Run the display stp [ process process-id ] [ instance instance-id ] [ interface interface-
type interface-number | slot slot-id ] [ brief ] command to view spanning-tree status and
statistics.
----End
Context
The rapid transition mechanism is also called the Proposal/Agreement mechanism. All
switching devices support the following modes:
l Enhanced mode: The current interface counts the root port calculation when it computes
the synchronization flag bit.
– An upstream device sends a Proposal message to a downstream device, requesting
rapid status transition. After receiving the message, the downstream device sets the
port connected to the upstream device as a root port and blocks all non-edge ports.
– The upstream device then sends an Agreement message to the downstream device.
After the downstream device receives the message, the root port transitions to the
Forwarding state.
– The downstream device responds to the Proposal message with an Agreement
message. After receiving the message, the upstream device sets the port connected
to the downstream device as a designated port, and the designated port transitions to
the Forwarding state.
l Common mode: The current interface ignores the root port when it computes the
synchronization flag bit.
– An upstream device sends a Proposal message to a downstream device, requesting
rapid status transition. After receiving the message, the downstream device sets the
port connected to the upstream device as a root port and blocks all non-edge ports.
The root port then transitions to the Forwarding state.
– The downstream device responds to the Proposal message with an Agreement
message. After receiving the message, the upstream device sets the port connected
to the downstream device as a designated port. The designated port then transitions
to the Forwarding state.
When Huawei devices are connected to non-Huawei devices, select the same mode as that
used on non-Huawei devices.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
stp no-agreement-check
----End
Context
MSTP protocol packets have two formats: dot1s (IEEE 802.1s standard packets) and legacy
(proprietary protocol packets).
You can specify the packet format and use the auto mode. In auto mode, the switching device
switches the MSTP protocol packet format based on the received MSTP protocol packet
format so that the switching device can communicate with the peer device.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
stp compliance { auto | dot1s | legacy }
NOTE
The negotiation will fail if the format of MSTP packets is set to dot1s at one end and legacy at the other
end.
----End
Context
Interconnected Huawei and non-Huawei devices cannot communicate with each other if they
have the same region name, revision number, and VLAN-to-instance mappings but different
BPDU keys. To address this problem, enable the digest snooping function on the Huawei
device.
Perform the following steps on a switching device in an MST region to enable the digest
snooping function.
Procedure
Step 1 Run:
system-view
----End
Procedure
l Run the display stp [ process process-id ] [ instance instance-id ] [ interface interface-
type interface-number | slot slot-id ] [ brief ] command to view spanning-tree status and
statistics.
----End
NOTICE
MSTP statistics cannot be restored after being cleared.
Procedure
l Run the reset stp [ interface interface-type interface-number ] statistics command to
clear spanning-tree statistics.
l Run the reset stp error packet statistics to clears the statistics of error STP packets.
----End
Network
RG1
SwitchA Eth-Trunk1 SwitchB
GE1/0/3 GE1/0/3
GE1/0/2
SwitchC SwitchD
GE1/0/2
GE1/0/1 GE1/0/1
MSTI 1:
Root Switch:SwitchA
Blocked port
MSTI 2:
Root Switch:SwitchB
Blocked port
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic MSTP functions on the switch on the ring network. Because ports
connected to the PCs do not participate in MSTP calculation, configure these ports as
edge ports.
2. Configure protection functions to protect devices or links. You can configure root
protection on the designated port of the root bridge.
NOTE
When the link between the root bridge and secondary root bridge goes Down, the port enabled with root
protection becomes Discarding because root protection takes effect.
To improve the reliability, you are advised to bind the link between the root bridge and secondary root
bridge to an Eth-Trunk.
3. Configure Layer 2 forwarding.
Procedure
Step 1 Configure basic MSTP functions.
1. Configure SwitchA, SwitchB, SwitchC, and SwitchD in the same MST region named
RG1 and create MSTI 1 and MSTI 2.
NOTE
Two switching devices belong to the same MST region when they have the same:
– Name of the MST region
– Mapping between VLANs and MSTIs
– Revision level of the MST region
# Configure an MST region on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp region-configuration
[SwitchA-mst-region] region-name RG1
[SwitchA-mst-region] instance 1 vlan 2 to 10
[SwitchA-mst-region] instance 2 vlan 11 to 20
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
2. In the MST region RG1, configure the root bridge and secondary root bridge in MSTI 1
and MSTI 2.
3. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to be greater than the
default value.
NOTE
– The path cost values depend on path cost calculation methods. This example uses the Huawei
calculation method as an example to set the path cost to 20000 for the ports to be blocked.
– All switches on a network must use the same path cost calculation method.
# Configure SwitchA to use Huawei calculation method to calculate the path cost.
[SwitchA] stp pathcost-standard legacy
# Configure SwitchB to use Huawei calculation method to calculate the path cost.
[SwitchB] stp pathcost-standard legacy
# Configure SwitchC to use Huawei calculation method to calculate the path cost, and
set the path cost of GE1/0/2 in MSTI 2 to 20000.
[SwitchC] stp pathcost-standard legacy
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] stp instance 2 cost 20000
[SwitchC-GigabitEthernet1/0/2] quit
# Configure SwitchD to use Huawei calculation method to calculate the path cost, and
set the path cost of GE1/0/2 in MSTI 1 to 20000.
[SwitchD] stp pathcost-standard legacy
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] stp instance 1 cost 20000
[SwitchD-GigabitEthernet1/0/2] quit
NOTE
If edge ports are connected to network devices that have STP enabled and BPDU protection
is enabled, the edge ports will be shut down and their attributes remain unchanged after they
receive BPDUs.
Step 2 Configure root protection on the designated port of the root bridge.
# Enable root protection on GE1/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] stp root-protection
[SwitchA-GigabitEthernet1/0/1] quit
NOTE
MSTI 1 and MSTI 2 are used as examples. You do not need to check the interface status in MSTI 0.
# Run the display stp brief command on SwitchA to view the status and protection mode on
the ports. Output similar to the following is displayed:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 Eth-Trunk1 DESI FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING ROOT
1 Eth-Trunk1 DESI FORWARDING NONE
2 GigabitEthernet1/0/1 DESI FORWARDING ROOT
2 Eth-Trunk1 ROOT FORWARDING NONE
In MSTI 1, GE1/0/1 and Eth-Trunk1 are designated ports because SwitchA is the root bridge.
In MSTI 2, Eth-Trunk1 are designated ports because SwitchA is the root bridge. In MSTI 2,
GE1/0/1 on SwitchA is the designated port and Eth-Trunk1 is the root port.
# Run the display stp brief command on SwitchB. Output similar to the following is
displayed:
[SwitchB] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 Eth-Trunk1 ROOT FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING ROOT
1 Eth-Trunk1 ROOT FORWARDING NONE
2 GigabitEthernet1/0/1 DESI FORWARDING ROOT
2 Eth-Trunk1 DESI FORWARDING NONE
In MSTI 2, GE1/0/1 and Eth-Trunk1 are designated ports because SwitchB is the root bridge.
In MSTI 1, GE1/0/1 on SwitchB is the designated port and Eth-Trunk1 is the root port.
# Run the display stp interface brief commands on SwitchC. Output similar to the following
is displayed:
[SwitchC] display stp interface gigabitethernet 1/0/3 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/3 ROOT FORWARDING NONE
1 GigabitEthernet1/0/3 ROOT FORWARDING NONE
2 GigabitEthernet1/0/3 ROOT FORWARDING NONE
[SwitchC] display stp interface gigabitethernet 1/0/2 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/2 DESI FORWARDING NONE
1 GigabitEthernet1/0/2 DESI FORWARDING NONE
2 GigabitEthernet1/0/2 ALTE DISCARDING NONE
GE1/0/3 on SwitchC is the root port in MSTI 1 and MSTI 2. GE1/0/2 on SwitchC is the
designated port in MSTI 1 but is blocked in MSTI 2.
# Run the display stp interface brief commands on SwitchD. Output similar to the following
is displayed:
[SwitchD] display stp interface gigabitethernet 1/0/3 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/3 ROOT FORWARDING NONE
1 GigabitEthernet1/0/3 ROOT FORWARDING NONE
2 GigabitEthernet1/0/3 ROOT FORWARDING NONE
[SwitchD] display stp interface gigabitethernet 1/0/2 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/2 ALTE DISCARDING NONE
1 GigabitEthernet1/0/2 ALTE DISCARDING NONE
2 GigabitEthernet1/0/2 DESI FORWARDING NONE
GE1/0/3 on SwitchD is the root port in MSTI 1 and MSTI 2. GE1/0/2 on SwitchD is the
blocked port in MSTI 1 and is the designated port in MSTI 2.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 20
#
stp instance 1 root primary
stp instance 2 root secondary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
return
l SwitchB configuration file
#
sysname SwitchB
#
vlan batch 2 to 20
#
stp instance 1 root secondary
stp instance 2 root primary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
return
l SwitchC configuration file
#
sysname SwitchC
#
vlan batch 2 to 20
#
stp bpdu-protection
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type access
Networking Requirements
As shown in Figure 15-21, hosts connect to SwitchC, and SwitchC connects to the Internet
through SwitchA and SwitchB. To improve access reliability, the user configures redundant
links. The redundant links causes a network loop, which leads to broadcast storm and destroy
MAC address entries.
It is required that the network loop be prevented when redundant links are deployed, traffic be
switched to another link when one link is broken, and network bandwidth be effectively used.
MSTP can be configured on the network to prevent loops. MSTP blocks redundant links and
prunes a network into a tree topology free from loops. In addition, VRRP needs to be
configured on SwitchA and SwitchB. HostA connects to the Internet by using SwitchA as the
default gateway and SwitchB as the secondary gateway. HostB connects to the Internet by
using SwitchB as the default gateway and SwitchA as the secondary gateway. Traffic is thus
load balanced and communication reliability is improved.
GE1/0/2
1/0 /1
/2 1/0
GE
SwitchC MSTP Internet
GE1/0/2
GE
/ 0/3 1/0
G E1 SwitchC /4
GE RouterB
HostB 1/0 /0 /3
/1 GE1
VLAN3
10.1.3.101/24 SwitchB
VRID 1:Backup
VRRP VRID 2 VRID 2:Master
Virtual IP Address:
10.1.3.100
MSTI1: MSTI2:
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic MSTP on the switches, including:
a. Configure MST and create multi-instance, map VLAN 2 to MSTI1, and map
VLAN 3 to MSTI2 to load balance traffic.
b. Configure the root bridge and backup bridge in the MST region.
c. Configure the path cost on an interface so that the interface can be blocked.
d. Enable MSTP to prevent loops:
n Enable MSTP globally.
n Enable MSTP on all interfaces except the interfaces connecting to hosts.
NOTE
Because the interfaces connecting to hosts do not participate in MSTP calculation, configure
these ports as edge ports.
2. Enable the protection function to protect devices or links. For example, enable the
protection function on the root bridge of each instance to protect roots.
3. Configure Layer 2 forwarding.
4. Assign an IP address to each interface and configure the routing protocol on each device
to ensure network connectivity.
5. Create VRRP group 1 and VRRP group 2 on SwitchA and SwitchB. Configure SwitchA
as the master device and SwitchB as the backup device of VRRP group 1. Configure
SwitchB as the master device and SwitchA as the backup device of VRRP group 2.
Procedure
Step 1 Configure basic MSTP functions.
1. Add SwitchA, SwitchB, and SwitchC to region RG1, and create instances MSTI1 and
MSTI2.
# Configure an MST region on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp region-configuration
[SwitchA-mst-region] region-name RG1
[SwitchA-mst-region] instance 1 vlan 2
[SwitchA-mst-region] instance 2 vlan 3
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
2. Configure the root bridges and backup bridges for MSTI1 and MSTI2 in RG1.
– Configure the root bridge and backup bridge for MSTI1.
# Set SwitchA as the root bridge of MSTI1.
[SwitchA] stp instance 1 root primary
3. Set the path costs of the interfaces that you want to block on MSTI1 and MSTI2 to be
greater than the default value.
NOTE
– The path cost range is decided by the calculation method. The Huawei calculation method is
used as an example. Set the path costs of the interfaces to 20000.
– The switches on the same network must use the same calculation method to calculate path
costs.
# Set the path cost calculation method on SwitchA to Huawei calculation method.
[SwitchA] stp pathcost-standard legacy
# Set the path cost calculation method on SwitchB to Huawei calculation method.
[SwitchB] stp pathcost-standard legacy
# Set the path cost calculation method on SwitchC to Huawei calculation method. Set the
path cost of GE1/0/1 in MSTI2 to 20000; set the path cost of GE1/0/4 in MSTI1 to
20000.
[SwitchC] stp pathcost-standard legacy
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] stp instance 2 cost 20000
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface gigabitethernet 1/0/4
[SwitchC-GigabitEthernet1/0/4] stp instance 1 cost 20000
[SwitchC-GigabitEthernet1/0/4] quit
NOTE
If edge ports are connected to network devices that have STP enabled and BPDU protection
is enabled, the edge ports will be shut down and their attributes remain unchanged after they
receive BPDUs.
Step 2 Enable the protection function on the designated interfaces of each root bridge.
# Enable root protection on GE1/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] stp root-protection
[SwitchA-GigabitEthernet1/0/1] quit
NOTE
MSTI 1 and MSTI 2 are used as examples. You do not need to focus on the interface status in MSTI 0.
# Run the display stp brief command on SwitchA to view the status and protection type on
interfaces. The displayed information is as follows:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 GigabitEthernet1/0/2 DESI FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING ROOT
1 GigabitEthernet1/0/2 DESI FORWARDING NONE
2 GigabitEthernet1/0/1 DESI FORWARDING ROOT
2 GigabitEthernet1/0/2 ROOT FORWARDING NONE
In MSTI1, GE1/0/2 and GE1/0/1 of SwitchA are set as designated interfaces because SwitchA
is the root bridge of MSTI1. In MSTI2, GE1/0/1 of SwitchA is set as the designated interface
and GE1/0/2 is set as the root interface.
# Run the display stp brief command on SwitchB. The displayed information is as follows:
[SwitchB] display stp brief
MSTID Port Role STP State Protection
In MSTI2, GE1/0/1 and GE1/0/2 of SwitchB are set as designated interfaces because SwitchB
is the root bridge of MSTI2. In MSTI1, GE1/0/1 of SwitchB is set as the designated interface
and GE1/0/2 is set as the root interface.
# Run the display stp interface brief command on SwitchC. The displayed information is as
follows:
[SwitchC] display stp interface gigabitethernet 1/0/1 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 ROOT FORWARDING NONE
1 GigabitEthernet1/0/1 ROOT FORWARDING NONE
2 GigabitEthernet1/0/1 ALTE DISCARDING NONE
[SwitchC] display stp interface gigabitethernet 1/0/4 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/4 ALTE DISCARDING NONE
1 GigabitEthernet1/0/4 ALTE DISCARDING NONE
2 GigabitEthernet1/0/4 ROOT FORWARDING NONE
GE1/0/1 of SwitchC is the root interface of MSTI1, and is blocked in MSTI2. GE1/0/4 of
SwitchC is the root interface of MSTI2, and is blocked in MSTI1.
Step 5 Connect devices.
# Assign an IP address to each interface, for example, the interfaces on SwitchA. The
configurations on SwitchB are similar to the configurations on SwitchA. For details, see the
configuration file.
[SwitchA] vlan batch 4
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 4
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] ip address 10.1.2.102 24
[SwitchA-Vlanif2] quit
[SwitchA] interface vlanif 3
[SwitchA-Vlanif3] ip address 10.1.3.102 24
[SwitchA-Vlanif3] quit
[SwitchA] interface vlanif 4
[SwitchA-Vlanif4] ip address 10.1.4.102 24
[SwitchA-Vlanif4] quit
# Run OSPF on SwitchA, SwitchB, and routers. The configurations on SwitchA are used as
an example. The configurations on SwitchB are similar to the configurations on SwitchA. For
details, see the configuration file.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
# Create VRRP group 2 on SwitchA and SwitchB. Set SwitchB as the master device, priority
to 120, and preemption delay to 20 seconds. Set SwitchA as the backup device and retain the
default priority.
[SwitchB] interface vlanif 3
[SwitchB-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100
[SwitchB-Vlanif3] vrrp vrid 2 priority 120
[SwitchB-Vlanif3] vrrp vrid 2 preempt-mode timer delay 20
[SwitchB-Vlanif3] quit
[SwitchA] interface vlanif 3
[SwitchA-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100
[SwitchA-Vlanif3] quit
# Set the virtual IP address 10.1.2.100 of VRRP group 1 as the default gateway of Host A,
and the virtual IP address 10.1.3.100 of VRRP group 2 as the default gateway of Host B.
Step 7 Verify the configuration.
# After completing the preceding configurations, run the display vrrp command on SwitchA.
SwitchA's VRRP status is master in VRRP group 1 and backup in VRRP group 2.
[SwitchA] display vrrp
Vlanif2 | Virtual Router 1
State : Master
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58
# Run the display vrrp command on SwitchB. SwitchB's VRRP status is backup in VRRP
group 1 and master in VRRP group 2.
----End
Configuration File
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 4
#
stp instance 1 root primary
stp instance 2 root secondary
stp bpdu-protection
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
active region-configuration
#
interface Vlanif2
ip address 10.1.2.102 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.2.100
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif3
ip address 10.1.3.102 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.3.100
#
interface Vlanif4
ip address 10.1.4.102 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
stp root-protection
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 4
stp edged-port enable
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
#
return
l SwitchB configuration file
#
sysname SwitchB
#
vlan batch 2 to 3 5
#
stp instance 1 root secondary
stp instance 2 root primary
stp bpdu-protection
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
active region-configuration
#
interface Vlanif2
ip address 10.1.2.103 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.2.100
#
interface Vlanif3
ip address 10.1.3.103 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.3.100
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
#
interface Vlanif5
ip address 10.1.5.103 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
stp root-protection
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 5
stp edged-port enable
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.5.0 0.0.0.255
#
return
The switch XGE interface connected to the ACU2 does not support this configuration.
The switch XGE interface connected to the ET1D2IPS0S00, ET1D2FW00S00, ET1D2FW00S01 or
ET1D2FW00S02 does not support this configuration.
As shown in Figure 15-22, each CE is dual-homed to PEs. The PEs establish a VPLS full
mesh. The CEs and PEs run the MSTP protocol. Generally, traffic is forwarded through the
primary link. When the primary link fails, traffic is switched to the secondary link.
Figure 15-22 Network diagram for connecting CEs to the VPLS in dual-homing mode
1.1.1.1/32 2.2.2.2/32
PE1 PE2
GE1/0/0 GE2/0/0 GE2/0/0 GE1/0/0
GE1/0/0 GE3/0/0 GE3/0/0 GE1/0/0
GE2/0/0 VPLS GE2/0/0
CE1 GE3/0/0 GE2/0/0 CE2
PC1 GE1/0/1 GE2/0/0 GE3/0/0 GE1/0/1 PC2
10.1.1.1/24 GE1/0/0 GE1/0/0 10.1.1.2/24
PE4 PE3
4.4.4.4/32 3.3.3.3/32
Loopback1 - 1.1.1.1/32
Loopback1 - 2.2.2.2/32
Loopback1 - 3.3.3.3/32
Loopback1 - 4.4.4.4/32
CE1 GigabitEthernet1/0/ - -
0
GigabitEthernet1/0/ - -
1
GigabitEthernet2/0/ - -
0
CE2 GigabitEthernet1/0/ - -
0
GigabitEthernet1/0/ - -
1
GigabitEthernet2/0/ - -
0
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the routing protocol on the backbone network to implement interworking.
2. Set up a remote LDP session between the PEs.
3. Establish a VPLS full mesh between PEs.
4. Configure MSTP. Configure PE1 and PE2 as the primary roots, and configure PE3 and
PE4 as the secondary roots.
Procedure
Step 1 Specify the VLANs that device interfaces belong to and set the IP addresses of the
corresponding VLANIF interfaces according to Figure 15-22.
NOTE
l The AC-side and PW-side physical interfaces of a PE cannot be added to the same VLAN;
otherwise, a loop may occur.
l Packets sent from CEs to PEs must contain VLAN tags.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 100
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface gigabitethernet 1/0/1
[CE1-GigabitEthernet1/0/1] port link-type trunk
[CE1-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[CE1-GigabitEthernet1/0/1] quit
[CE1] interface gigabitethernet 2/0/0
[CE1-GigabitEthernet2/0/0] port link-type access
[CE1-GigabitEthernet2/0/0] port default vlan 100
[CE1-GigabitEthernet2/0/0] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 100
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 100
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface gigabitethernet 1/0/1
[CE2-GigabitEthernet1/0/1] port link-type trunk
[CE2-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[CE2-GigabitEthernet1/0/1] quit
[CE2] interface gigabitethernet 2/0/0
[CE2-GigabitEthernet2/0/0] port link-type access
[CE2-GigabitEthernet2/0/0] port default vlan 100
[CE2-GigabitEthernet2/0/0] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 10 40
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port link-type trunk
[PE1-GigabitEthernet3/0/0] port trunk allow-pass vlan 40
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip address 172.16.1.1 24
[PE1-Vlanif10] quit
[PE1] interface vlanif 40
[PE1-Vlanif40] ip address 172.19.1.2 24
[PE1-Vlanif40] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 10 20
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 10
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] port link-type trunk
[PE2-GigabitEthernet3/0/0] port trunk allow-pass vlan 20
[PE2-GigabitEthernet3/0/0] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] ip address 172.16.1.2 24
[PE2-Vlanif10] quit
[PE2] interface vlanif 20
[PE2-Vlanif20] ip address 172.17.1.1 24
[PE2-Vlanif20] quit
# Configure PE3.
<HUAWEI> system-view
[HUAWEI] sysname PE3
[PE3] vlan batch 20 30
# Configure PE4.
<HUAWEI> system-view
[HUAWEI] sysname PE4
[PE4] vlan batch 30 40
[PE4] interface gigabitethernet 2/0/0
[PE4-GigabitEthernet2/0/0] port link-type trunk
[PE4-GigabitEthernet2/0/0] port trunk allow-pass vlan 30
[PE4-GigabitEthernet2/0/0] quit
[PE4] interface gigabitethernet 3/0/0
[PE4-GigabitEthernet3/0/0] port link-type trunk
[PE4-GigabitEthernet3/0/0] port trunk allow-pass vlan 40
[PE4-GigabitEthernet3/0/0] quit
[PE4] interface vlanif 30
[PE4-Vlanif30] ip address 172.18.1.2 24
[PE4-Vlanif30] quit
[PE4] interface vlanif 40
[PE4-Vlanif40] ip address 172.19.1.1 24
[PE4-Vlanif40] quit
# Configure PE2.
[PE2] router id 2.2.2.2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.2 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 172.17.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# Configure PE3.
[PE3] router id 3.3.3.3
[PE3] interface loopback 1
[PE3-LoopBack1] ip address 3.3.3.3 32
[PE3-LoopBack1] quit
[PE3] ospf 1
[PE3-ospf-1] area 0
[PE3-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE3-ospf-1-area-0.0.0.0] network 172.17.1.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] network 172.18.1.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] quit
[PE3-ospf-1] quit
# Configure PE4.
[PE4] router id 4.4.4.4
[PE4] interface loopback 1
[PE4-LoopBack1] ip address 4.4.4.4 32
[PE4-LoopBack1] quit
[PE4] ospf 1
[PE4-ospf-1] area 0
[PE4-ospf-1-area-0.0.0.0] network 4.4.4.4 0.0.0.0
[PE4-ospf-1-area-0.0.0.0] network 172.18.1.0 0.0.0.255
[PE4-ospf-1-area-0.0.0.0] network 172.19.1.0 0.0.0.255
[PE4-ospf-1-area-0.0.0.0] quit
[PE4-ospf-1] quit
# Wait for 40s and run the display ip routing-table command on PE1, PE2, and PE3. You
can see that the PEs have learned the routes to one another. The display on PE1 is used as an
example.
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 12 Routes : 13
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.2
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] mpls
[PE2-Vlanif10] mpls ldp
[PE2-Vlanif10] quit
[PE2] interface vlanif 20
[PE2-Vlanif20] mpls
[PE2-Vlanif20] mpls ldp
[PE2-Vlanif20] quit
# Configure PE3.
[PE3] mpls lsr-id 3.3.3.3
[PE3] mpls
[PE3-mpls] quit
[PE3] mpls ldp
[PE3-mpls-ldp] quit
[PE3] interface vlanif 20
[PE3-Vlanif20] mpls
[PE3-Vlanif20] mpls ldp
[PE3-Vlanif20] quit
[PE3] interface vlanif 30
[PE3-Vlanif30] mpls
[PE3-Vlanif30] mpls ldp
[PE3-Vlanif30] quit
# Configure PE4.
[PE4] mpls lsr-id 4.4.4.4
[PE4] mpls
[PE4-mpls] quit
[PE4] mpls ldp
[PE4-mpls-ldp] quit
[PE4] interface vlanif 30
[PE4-Vlanif30] mpls
[PE4-Vlanif30] mpls ldp
[PE4-Vlanif30] quit
[PE4] interface vlanif 40
[PE4-Vlanif40] mpls
[PE4-Vlanif40] mpls ldp
[PE4-Vlanif40] quit
# Configure PE1.
[PE1] mpls ldp remote-peer 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] remote-ip 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 4.4.4.4
[PE2-mpls-ldp-remote-4.4.4.4] remote-ip 4.4.4.4
[PE2-mpls-ldp-remote-4.4.4.4] quit
# Configure PE3.
[PE3] mpls ldp remote-peer 1.1.1.1
[PE3-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE3-mpls-ldp-remote-1.1.1.1] quit
# Configure PE4.
[PE4] mpls ldp remote-peer 2.2.2.2
[PE4-mpls-ldp-remote-2.2.2.2] remote-ip 2.2.2.2
[PE4-mpls-ldp-remote-2.2.2.2] quit
After the configuration is complete, run the display mpls ldp session command on the PEs.
The command output shows that the status of the remote LDP peer relationship is
Operational, indicating that remote LDP sessions have been set up. The output on PE1 is used
as an example:
[PE1] display mpls ldp session
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
# Configure PE3.
[PE3] mpls l2vpn
[PE3-l2vpn] quit
# Configure PE4.
[PE4] mpls l2vpn
[PE4-l2vpn] quit
# Configure PE1.
[PE1] vsi a2 static
[PE1-vsi-a2] pwsignal ldp
[PE1-vsi-a2-ldp] vsi-id 2
[PE1-vsi-a2-ldp] peer 2.2.2.2
[PE1-vsi-a2-ldp] peer 3.3.3.3
[PE1-vsi-a2-ldp] peer 4.4.4.4
[PE1-vsi-a2-ldp] quit
[PE1-vsi-a2] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer 1.1.1.1
[PE2-vsi-a2-ldp] peer 3.3.3.3
[PE2-vsi-a2-ldp] peer 4.4.4.4
[PE2-vsi-a2-ldp] quit
[PE2-vsi-a2] quit
NOTE
Before configuring the termination sub-interface, run the display vcmp status command to view the VCMP
role. If the value of the Role field is Client, run the vcmp role { silent | transparent } command to change
the VCMP role to silent or transparent.
# Configure PE1.
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type hybrid
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 1/0/0.1
[PE1-GigabitEthernet1/0/0.1] dot1q termination vid 100
[PE1-GigabitEthernet1/0/0.1] l2 binding vsi a2
[PE1-GigabitEthernet1/0/0.1] quit
# Configure PE2.
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 1/0/0.1
[PE2-GigabitEthernet1/0/0.1] dot1q termination vid 100
[PE2-GigabitEthernet1/0/0.1] l2 binding vsi a2
[PE2-GigabitEthernet1/0/0.1] quit
# Configure PE3.
[PE3] interface gigabitethernet 1/0/0
[PE3-GigabitEthernet1/0/0] port link-type hybrid
[PE3-GigabitEthernet1/0/0] quit
[PE3] interface gigabitethernet 1/0/0.1
[PE3-GigabitEthernet1/0/0.1] dot1q termination vid 100
[PE3-GigabitEthernet1/0/0.1] l2 binding vsi a2
[PE3-GigabitEthernet1/0/0.1] quit
# Configure PE4.
[PE4] interface gigabitethernet 1/0/0
[PE4-GigabitEthernet1/0/0] port link-type hybrid
[PE4-GigabitEthernet1/0/0] quit
[PE4] interface gigabitethernet 1/0/0.1
[PE4-GigabitEthernet1/0/0.1] dot1q termination vid 100
[PE4-GigabitEthernet1/0/0.1] l2 binding vsi a2
[PE4-GigabitEthernet1/0/0.1] quit
# Configure PE4.
[PE4] stp region-configuration
[PE4-mst-region] region-name RG1
[PE4-mst-region] active region-configuration
[PE4-mst-region] quit
# Configure CE1.
[CE1] stp region-configuration
[CE1-mst-region] region-name RG1
[CE1-mst-region] active region-configuration
[CE1-mst-region] quit
# Configure PE2.
# Configure PE3.
[PE3] stp region-configuration
[PE3-mst-region] region-name RG1
[PE3-mst-region] active region-configuration
[PE3-mst-region] quit
# Configure CE2.
[CE2] stp region-configuration
[CE2-mst-region] region-name RG1
[CE2-mst-region] active region-configuration
[CE2-mst-region] quit
2. Configure the priorities of the PEs to make PE1 and PE2 the primary roots and PE3 and
PE4 the secondary roots.
# Configure PE1.
[PE1] stp instance 0 priority 0
# Configure PE2.
[PE2] stp instance 0 priority 0
# Configure PE3.
[PE3] stp instance 0 priority 4096
# Configure PE4.
[PE4] stp instance 0 priority 4096
3. Enable association between MSTP and VPLS on the CEs and PEs, and configure root
protection on the secondary roots.
# Configure CE1.
[CE1] stp enable
[CE1] interface gigabitethernet 1/0/1
[CE1-GigabitEthernet1/0/1] stp enable
[CE1-GigabitEthernet1/0/1] quit
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] stp enable
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface gigabitethernet 2/0/0
[CE1-GigabitEthernet2/0/0] stp edged-port enable
[CE1-GigabitEthernet2/0/0] stp bpdu-filter enable
[CE1-GigabitEthernet2/0/0] quit
# Configure CE2.
[CE2] stp enable
[CE2] interface gigabitethernet 1/0/1
[CE2-GigabitEthernet1/0/1] stp enable
[CE2-GigabitEthernet1/0/1] quit
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] stp enable
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface gigabitethernet 2/0/0
[CE2-GigabitEthernet2/0/0] stp edged-port enable
[CE2-GigabitEthernet2/0/0] stp bpdu-filter enable
[CE2-GigabitEthernet2/0/0] quit
# Configure PE1.
[PE1] stp enable
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] stp vpls-subinterface enable
[PE1-GigabitEthernet1/0/0] stp enable
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] stp disable
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] stp disable
[PE1-GigabitEthernet3/0/0] quit
# Configure PE2.
[PE2] stp enable
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] stp vpls-subinterface enable
[PE2-GigabitEthernet1/0/0] stp enable
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] stp disable
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] stp disable
[PE2-GigabitEthernet3/0/0] quit
# Configure PE3.
[PE3] stp enable
[PE3] interface gigabitethernet 1/0/0
[PE3-GigabitEthernet1/0/0] stp vpls-subinterface enable
[PE3-GigabitEthernet1/0/0] stp root-protection
[PE3-GigabitEthernet1/0/0] stp enable
[PE3-GigabitEthernet1/0/0] quit
[PE3] interface gigabitethernet 2/0/0
[PE3-GigabitEthernet2/0/0] stp disable
[PE3-GigabitEthernet2/0/0] quit
[PE3] interface gigabitethernet 3/0/0
[PE3-GigabitEthernet3/0/0] stp disable
[PE3-GigabitEthernet3/0/0] quit
# Configure PE4.
[PE4] stp enable
[PE4] interface gigabitethernet 1/0/0
[PE4-GigabitEthernet1/0/0] stp vpls-subinterface enable
[PE4-GigabitEthernet1/0/0] stp root-protection
[PE4-GigabitEthernet1/0/0] stp enable
[PE4-GigabitEthernet1/0/0] quit
[PE4] interface gigabitethernet 2/0/0
[PE4-GigabitEthernet2/0/0] stp disable
[PE4-GigabitEthernet2/0/0] quit
[PE4] interface gigabitethernet 3/0/0
[PE4-GigabitEthernet3/0/0] stp disable
[PE4-GigabitEthernet3/0/0] quit
***VSI Name : a2
Administrator VSI : no
Isolate Spoken : disable
VSI Index : 0
PW Signaling : ldp
Member Discovery Style : static
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
P2P VSI : disable
Create Time : 0 days, 20 hours, 29 minutes, 54 seconds
VSI State : up
VSI ID : 2
*Peer Router ID : 2.2.2.2
Negotiation-vc-id : 2
primary or secondary : primary
ignore-standby-state : no
VC Label : 4099
Peer Type : dynamic
Session : up
Tunnel ID : 0xd
Broadcast Tunnel ID : 0xd
Broad BackupTunnel ID : 0x0
CKey : 2
NKey : 1
Stp Enable : 0
PwIndex : 0
Control Word : disable
*Peer Router ID : 3.3.3.3
Negotiation-vc-id : 2
primary or secondary : primary
ignore-standby-state : no
VC Label : 4100
Peer Type : dynamic
Session : up
Tunnel ID : 0xf
Broadcast Tunnel ID : 0xf
Broad BackupTunnel ID : 0x0
CKey : 4
NKey : 3
Stp Enable : 0
PwIndex : 0
Control Word : disable
*Peer Router ID : 4.4.4.4
Negotiation-vc-id : 2
primary or secondary : primary
ignore-standby-state : no
VC Label : 4101
Peer Type : dynamic
Session : up
Tunnel ID : 0xb
Broadcast Tunnel ID : 0xb
Broad BackupTunnel ID : 0x0
CKey : 6
NKey : 5
Stp Enable : 0
PwIndex : 0
Control Word : disable
**PW Information:
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 100
#
stp region-
configuration
region-name
RG1
active region-
configuration
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/0
port link-type
access
port default vlan 100
stp bpdu-filter
enable
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 2.2.2.2
peer 3.3.3.3
peer 4.4.4.4
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.3
remote-ip 3.3.3.3
#
interface Vlanif10
ip address 172.16.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 172.19.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
stp vpls-subinterface enable
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 100
l2 binding vsi a2
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 10
stp disable
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 40
stp disable
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 172.16.1.0 0.0.0.255
network 172.19.1.0 0.0.0.255
#
return
l PE2 configuration file
#
sysname PE2
#
router id 2.2.2.2
#
vlan batch 10 20
#
stp instance 0 priority 0
#
stp region-
configuration
region-name
RG1
active region-
configuration
#
active region-
configuration
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
peer 2.2.2.2
peer 4.4.4.4
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif20
ip address 172.17.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 172.18.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
stp root-protection
stp vpls-subinterface enable
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 100
l2 binding vsi a2
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
stp disable
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 30
stp disable
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 172.17.1.0 0.0.0.255
network 172.18.1.0 0.0.0.255
#
return
l PE4 configuration file
#
sysname PE4
#
router id 4.4.4.4
#
vlan batch 30 40
#
stp instance 0 priority 4096
#
stp region-
configuration
region-name
RG1
active region-
configuration
#
mpls lsr-id 4.4.4.4
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
peer 2.2.2.2
peer 3.3.3.3
#
mpls ldp
#
mpls ldp remote-peer 2.2.2.2
remote-ip 2.2.2.2
#
interface Vlanif30
ip address 172.18.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 172.19.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
stp root-protection
stp vpls-subinterface enable
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 100
l2 binding vsi a2
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 30
stp disable
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 40
stp disable
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 172.18.1.0 0.0.0.255
network 172.19.1.0 0.0.0.255
#
return
Networking Requirements
On the network with both Layer 2 single-access rings and multi-access rings deployed,
switching devices transmit both Layer 2 and Layer 3 services. To enable different rings to
transmit different services, configure MSTP multi-process. Spanning trees of different
processes are calculated independently.
As shown in Figure 15-23, both Layer 2 single-access rings and dual-access rings are
deployed and switches A and B carry both Layer 2 and Layer 3 services. In this networking,
switches A and B connected to dual-access rings are also connected to a single-access ring.
NOTE
In the ring where MSTP multi-process is configured, you are advised not to block the interface directly
connected to the root protection-enabled designated port.
Figure 15-23 MSTP multi-process for Layer 2 single-access rings and multi-access rings
Network
SwitchC
GE1/0/5 GE1/0/5
Region name:RG1
PE2
PE1 SwitchB
SwitchA
CE CE
GE1/0/4 GE1/0/1 GE1/0/4
GE1/0/1
GE1/0/3 GE1/0/3
GE1/0/2 GE1/0/2
CE
CE
Instance1:VLAN2~100 Instance3:VLAN201~300
Process 1 Process 3
CE CE
Instance2:VLAN101~200
Process 2
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic MSTP functions, add devices to MST regions, and create MSTIs.
NOTE
Procedure
Step 1 Configure basic MSTP functions, add devices to an MST region, and create MSTIs.
1. Configure MST regions and create MSTIs.
# Configure an MST region and create MSTIs on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp region-configuration
[SwitchA-mst-region] region-name RG1
[SwitchA-mst-region] instance 1 vlan 2 to 100
[SwitchA-mst-region] instance 2 vlan 101 to 200
[SwitchA-mst-region] instance 3 vlan 201 to 300
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
2. Enable MSTP.
# Configure SwitchA.
[SwitchA] stp enable
# Configure SwitchB.
[SwitchB] stp enable
# Add GE 1/0/3 and GE 1/0/4 on SwitchA to MSTP process 1 and GE 1/0/2 to MSTP
process 2.
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] stp binding process 1
[SwitchA-GigabitEthernet1/0/4] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] stp binding process 1
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] stp binding process 2
[SwitchA-GigabitEthernet1/0/2] quit
# Add GE 1/0/3 and GE 1/0/4 on SwitchB to MSTP process 3 and GE 1/0/2 to MSTP
process 2.
[SwitchB] interface gigabitethernet 1/0/4
[SwitchB-GigabitEthernet1/0/4] stp binding process 3
[SwitchB-GigabitEthernet1/0/4] quit
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] stp binding process 3
[SwitchB-GigabitEthernet1/0/3] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] stp binding process 2
[SwitchB-GigabitEthernet1/0/2] quit
# Configure SwitchB.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] stp binding process 2 link-share
[SwitchB-GigabitEthernet1/0/1] quit
# Configure SwitchB.
[SwitchB] stp process 3
[SwitchB-mst-process-3] stp enable
[SwitchB-mst-process-3] quit
[SwitchB] stp process 2
[SwitchB-mst-process-2] stp enable
[SwitchB-mst-process-2] quit
[SwitchA-mst-process-2] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] stp root-protection
[SwitchA-GigabitEthernet1/0/2] quit
# Configure SwitchB.
[SwitchB] stp process 3
[SwitchB-mst-process-3] stp instance 0 root primary
[SwitchB-mst-process-3] stp instance 3 root primary
[SwitchB-mst-process-3] quit
[SwitchB] stp process 2
[SwitchB-mst-process-2] stp instance 0 root secondary
[SwitchB-mst-process-2] stp instance 2 root secondary
[SwitchB-mst-process-2] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] stp root-protection
[SwitchB-GigabitEthernet1/0/2] quit
NOTE
– In each ring, the priority of the MSTP process on the downstream CE must be lower than the
priority of the MSTP process on the switching device.
– For switches A and B on the dual-access ring, you are recommended to configure them as the
primary root bridges of different MSTIs.
l Configure shared link protection.
# Configure SwitchA.
[SwitchA] stp process 2
[SwitchA-mst-process-2] stp link-share-protection
[SwitchA-mst-process-2] quit
# Configure SwitchB.
[SwitchB] stp process 2
[SwitchB-mst-process-2] stp link-share-protection
[SwitchB-mst-process-2] quit
# Create VLANs 101 to 300 on SwitchB. Add GE 1/0/3 and GE 1/0/4 to VLANs 201 to 300,
and add GE 1/0/1 and GE 1/0/2 to VLANs 101 to 200.
[SwitchB] vlan batch 101 to 300
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] port link-type trunk
[SwitchB-GigabitEthernet1/0/3] port trunk allow-pass vlan 201 to 300
[SwitchB-GigabitEthernet1/0/3] quit
[SwitchB] interface gigabitethernet 1/0/4
----End
Configuration Files
Only the MSTP-related configuration files are provided.
l SwitchA configuration file
#
sysname
SwitchA
#
vlan batch 2 to
200
stp region-
configuration
region-name
RG1
instance 1 vlan 2 to
100
instance 2 vlan 101 to
200
stp process
1
stp instance 0 root
primary
stp instance 1 root
primary
stp
enable
stp process
2
stp instance 0 root
primary
stp instance 2 root
primary
stp link-share-
protection
stp
enable
#
interface
GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 101 to
200
stp binding process 2 link-
share
#
interface
GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 101 to
200
stp binding process
2
stp root-
protection
#
interface
GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to
100
stp binding process
1
#
interface
GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 2 to
100
stp binding process 1
#
return
l SwitchB configuration file
#
sysname
SwitchB
#
stp region-
configuration
region-name
RG1
instance 1 vlan 2 to
100
instance 2 vlan 101 to
200
instance 3 vlan 201 to
300
active region-
configuration
#
stp process
2
stp instance 0 root
secondary
stp instance 2 root
secondary
stp link-share-
protection
stp
enable
stp process
3
stp instance 0 root
primary
stp instance 3 root
primary
stp
enable
#
interface
GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 101 to
200
stp binding process 2 link-
share
#
interface
GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 101 to
200
stp binding process
2
stp root-
protection
#
interface
GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 201 to
300
stp binding process
3
#
interface
GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 201 to
300
stp binding process
3
#
return
15.10 FAQ
l Format selector: The default value is 0 and cannot be set through the command.
l Region name: It is the bridge MAC address by default.
l Revision level: The default value is 0.
l Instance/Vlans Mapped: Mapping between instances and VLANs. By default, all
VLANs are mapped to instance 0.
To query information about an instance with a non-zero ID, run the stp mode mstp command
to set the STP working mode to MSTP.
15.10.4 How to Prevent Low Convergence for STP Edge Ports that
Connect Terminals?
Terminal devices cannot participate in the STP calculation or respond to STP packets, causing
low convergence. You can prevent low convergence for STP edge switch ports for connecting
user terminals or servers as follows:
l On a port, run the stp edge-port enable command to configure the port as an STP edge
port, and run the stp bpdu-filter default command to enable the BPDU packet filtering
function and prevent the port from sending BPDU packets.
l Run the stp disable command on the port to disable the STP protocol and make the port
remain in forwarding state.
To ensure availability and security, you are advised to configure the port as an STP edge port.
This is because when a loop occurs on a terminal device connected to an edge port, the port
automatically switches to a non-edge port and enables the loop breaking function of STP.
l On a port, run the stp edge-port enable command to configure the port as an STP edge
port, and run the stp bpdu-filter default command to enable the BPDU packet filtering
function and prevent the port from sending BPDU packets.
l Run the stp disable command on the port to disable the STP protocol and make the port
remain in forwarding state.
To ensure availability and security, you are advised to configure the port as an STP edge port.
This is because when a loop occurs on a terminal device connected to an edge port, the port
automatically switches to a non-edge port and enables the loop breaking function of STP.
To solve this problem, configure interfaces connected to terminals as edge ports or disable
STP on the interfaces.
To ensure availability and security, you are advised to configure the port as an STP edge port.
This is because when a loop occurs on a terminal device connected to an edge port, the port
automatically switches to a non-edge port and enables the loop breaking function of STP.
15.11 References
The following table lists the references of MSTP.
16 VBST Configuration
This chapter describes how to configure VLAN-based Spanning Tree (VBST). VBST is a
spanning tree protocol developed by Huawei. It constructs a spanning tree in each VLAN to
load balance traffic from different VLANs, improving link use efficiency.
Definition
VBST, a Huawei spanning tree protocol, constructs a spanning tree in each VLAN so that
traffic from different VLANs is forwarded through different spanning trees. VBST is
equivalent to STP or RSTP running in each VLAN. Spanning trees in different VLANs are
independent of each other.
Purpose
Currently, there are three standard spanning tree protocols: Spanning Tree Protocol (STP),
Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). STP
and RSTP cannot implement VLAN-based load balancing, because all the VLANs on a LAN
share a spanning tree and packets in all VLANs are forwarded along this spanning tree. In
addition, the blocked link does not carry any traffic, which wastes bandwidth and may cause a
failure to forward packets from some VLANs. In real-world situations, MSTP is preferred
because it is compatible with STP and RSTP, ensures fast convergence, and provides multiple
paths to load balance traffic.
On enterprise networks, enterprise users need functions that are easy to use and maintain,
whereas the configuration of MSTP multi-instance and multi-process are complex and has
high requirements for engineers' skills.
To address this issue, Huawei develops VBST. VBST constructs a spanning tree in each
VLAN so that traffic from different VLANs is load balanced along different spanning trees. In
addition, VBST is easy to configure and maintain.
Benefits
VBST brings in the following benefits:
l Eliminates loops.
l Implements link multiplexing and load balancing, and therefore improves link use
efficiency.
l Reduces configuration and maintenance costs.
16.2 Principles
VBST is equivalent to running STP or RSTP in each VLAN so that spanning trees in different
VLANs are independent of each other. Though VBST does not provide multi-instance, VBST
implements load balancing of traffic from different VLANs.
VBST inherits the following concepts of STP/RSTP:
l One root bridge
l Two measurements: ID and path cost
l Three port statuses: Discarding, Learning, and Forwarding
l Five port roles: root port, alternate port, backup port, designated port, and edge port
l Three timers: Hello Time, Forward Delay, and Max Age
Unlink STP/RSTP, VBST transmits VBST BPDUs in VLANs to determine the network
topology. VBST BPDUs are based on STP/RSTP BPDUs and a 4-byte 802.1q tag is added
between the source MAC address and protocol length. Figure 16-1 shows the comparisons
between the STP/RSTP BPDU and VBST BPDU.
Figure 16-1 Comparisons between the formats of the STP/RSTP BPDU and VBST BPDU
6 bytes 6 bytes 2 bytes 38-1492 bytes 4 bytes
STP/RSTP BPDU
encapsulation DMAC SMAC Length LLC Data CRC
format
The DMAC identifies the destination MAC address of packets. The DMAC in a VBST BPDU
is 0100-0CCC-CCCD; the Data field in a standard RSTP/STP BPDU is used as the Data field
in a VBST BPDU. By default, the Data field in a standard RSTP BPDU is used as the Data
field in a VBST BPDU.
VBST implements VLAN-based spanning tree calculation, topology convergence, and
interworking with spanning tree protocols of other vendors.
STP Topology Calculation. Different root bridges can be selected in VLANs. Figure 16-2
shows the topology calculation results of STP/RSTP and VBST.
HostC HostA
(VLAN 3) VLAN 3 VLAN 2 (VLAN 2)
VLAN 2
S2 S5
S3 S6
HostC HostA
(VLAN 3) VLAN 3 VLAN 2 (VLAN 2)
VLAN 2
S2 S5
S3 S6
In Figure 16-2:
l Through topology calculation, STP/RSTP generates a spanning tree with the root bridge
as S6. The links between S2 and S5 and between S1 and S4 are blocked. HostA and
HostB belong to VLAN 2. The link between S2 and S5 does not permit packets of
VLAN 2 to pass through because the link between S2 and S5 is blocked. Therefore,
HostA fails to communicate with HostB.
l Through topology calculation, VBST generates spanning trees VLAN 2 and VLAN 3
with root bridges as S4 and S6 respectively. Traffic in VLAN 2 and VLAN3 is forwarded
through their respective spanning trees so that traffic is load balanced between paths S2-
S5 and S3-S6.
STP/RSTP STP/RSTP
VLAN1, 10
VLAN1, 10 VLAN1, 10
VLAN1, 10
VBST VBST
S3 S4
Root bridge
Unblocked link
Blocked link
Blocked port
An STP/RSTP-enabled device can only send and receive STP/RSTP BPDUs, and
transparently transmit VBST BPDUs, so a spanning tree is formed in VLAN 1 as defined
by STP/RSTP.
Assume that the congestion point of the spanning tree in VLAN 1 is on S4. Because
VBST runs on S4, so the congestion point exists in VLAN 1. S4 can still receive and
forward VBST BPDUs in VLAN 10. Loops occur in VLAN 10, so spanning tree
calculation in VLAN 10 is triggered. S1 and S2 transparently transmit VBST BPDUs in
VLAN 10, so only four interfaces on S3 and S4 participate in spanning tree calculation
in VLAN 10. Then the spanning trees in VLAN 1 and VLAN 10 are formed, as shown in
Figure 16-3.
Assume that the blocking point of the spanning tree in VLAN 1 is on S2. STP/RSTP
runs on S2, so the blocking port exists on S2. S2 cannot forward VBST BPDUs from
VLAN 10 and no loop occurs in VLAN 10, so spanning tree calculation in VLAN 10 is
not triggered. VBST BPDUs from VLAN 10 can be forwarded along the spanning tree in
VLAN 1, that is, VLAN 10 and VLAN 1 share the spanning tree. as shown in Figure
16-3.
l On an access interface, a VBST-enabled device uses standard STP or RSTP BPDUs to
exchange with the remote end according to the VLAN that the access interface belongs
to. Topology calculation is performed as defined by STP/RSTP. Because STP/RSTP does
not differentiate VLANs, a spanning tree shared by VLANs is formed.
l Trunk interface
– When a VBST-enabled device connects to a device enabled with Rapid PVST+, the
VBST-enabled device sends standard RSTP BPDUs (or VBST BPDUs with the
Data field of RSTP BPDUs) and VBST BPDUs with the Data field of RSTP
BPDUs in other VLANs to exchange with the device enabled with Rapid PVST+.
– When a VBST-enabled device connects to a device enabled with PVST+, the
VBST-enabled device sends standard STP BPDUs (or VBST BPDUs with the Data
field of STP BPDUs) and VBST BPDUs with the Data field of STP BPDUs in
other VLANs to exchange with the device enabled with PVST+.
– When a VBST-enabled device connects to a PVST-enabled device, packet exchange
is similar to that in the scenario where a VBST-enabled device connects to a device
enabled with PVST+. The difference is that the VBST-enabled device and PVST-
enabled device send only VBST BPDUs with the Data field of STP BPDUs in
VLAN 1.
The two devices can identify the BPDUs carrying VLAN information, so a VLAN-based
spanning tree is formed. The connection between a VBST-enabled device and a device
enabled with PVST/PVST+/Rapid PVST+ through a trunk interface is similar to the
connection between two VBST-enabled devices.
l Access interface
A VBST-enabled device uses standard STP BPDUs to exchange with the device enabled
with PVST/PVST+ or RSTP BPDUs to exchange with the device enabled with Rapid
PVST+ according to the VLAN that the access interface belongs to. Topology
calculation is performed as defined by STP/RSTP. Because STP/RSTP does not
differentiate VLANs, a spanning tree shared by VLANs is formed.
Deploying MSTP can eliminate loops and load balance traffic from different VLANs,
whereas it is difficult to configure and maintain MSTP multi-instance and multi-process.
You can deploy VBST. VBST constructs a spanning tree in each VLAN so that traffic from
different VLANs is forwarded through different spanning trees. This eliminates loops and
implements load balancing of traffic. In addition, VBST is easy to configure and maintain.
Core Network
SwitchA SwitchB
Aggregation
VLAN 10, 20, 30 switch
As shown in Figure 16-4, SwitchC and SwitchD are access switches; SwitchA and SwitchB
are aggregation switches. SwitchC and SwitchD are dual-homed to SwitchA and SwitchB. To
eliminate loops and load balance traffic from different VLANs, deploy VBST on SwitchA,
SwitchB, SwitchC, and SwitchD. Configure SwitchA as the root bridge of VLAN 10 and
VLAN 20 and SwitchB as the root bridge of VLAN 30.
Loops are eliminated based on VLANs. Figure 16-4 shows the formed spanning trees and
forwarding paths. In Figure 16-4, traffic from VLAN 10, VLAN 20, and VLAN 30 is
forwarded through their respective spanning trees. In this manner, traffic from VLAN 10,
VLAN 20, and VLAN 30 is load balanced on paths SwitchC<->SwitchA, SwitchD<-
>SwitchA, and SwitchD<->SwitchB.
Table 16-2 describes the VBST configuration tasks. VBST blocks redundant links and prunes
a network into a tree topology to eliminate loops and implement load balancing. You can
perform the following configurations to meet requirements in special scenarios:
l Setting VBST parameters that affect VBST convergence
l Configuring protection functions
l Setting parameters for interworking between a Huawei datacom device and a non-
Huawei device
License Support
VBST is a basic feature of a switch and is not under license control.
Version Support
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
Item Specification
l When HVRP is enabled on the switch, do not change the STP mode to VBST.
l When VBST is enabled on a ring network, VBST immediately starts spanning tree
calculation. Parameters such as the device priority and port priority affect spanning tree
calculation, and the change of these parameters may cause network flapping. To ensure
fast and stable spanning tree calculation, perform basic configurations on the switch and
interfaces before enabling VBST.
l If the protected instance has been configured in a SEP segment or ERPS ring but the
mapping between protected instances and VLANs is not configured, VBST cannot be
enabled.
l VBST cannot be enabled in the ignored VLAN or control VLAN used by ERPS, RRPP,
SEP, or Smart Link.
l If 1:N (N>1) mapping between MSTIs and VLANs has been configured on the switch,
delete the mapping before changing the STP working mode to VBST.
l If the stp vpls-subinterface enable command has been configured on a switch, run the
undo stp vpls-subinterface enable command on an interface before changing the STP
working mode to VBST.
l If the device has been configured as the root bridge or secondary root bridge, run the
undo stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> root command to disable the root
bridge or secondary root bridge function and run the stp vlan { vlan-id1 [ to vlan-id2 ] }
&<1-10> priority priority command to change the device priority.
l When more than 128 MSTIs are dynamically specified, STP is disabled in a created
VLAN in the configuration file, for example, stp vlan 100 disable.
l To prevent frequent network flapping, ensure that the values of Hello time, Forward
Delay, and Max Age conform to the following formulas:
– 2 x (Forward Delay - 1.0 second) ≥ Max Age
– Max Age ≥ 2 x (Hello Time + 1.0 second)
l It is recommended that fast convergence in normal mode be used. If fast is used,
frequently deleting ARP entries may result in 100% CPU usage of the MPU and LPU.
As a result, packet processing expires and network flapping occurs.
l After all ports are configured as edge ports and BPDU filter ports in the system view,
none of ports on the switch send BPDUs or negotiate the VBST status with directly
connected ports on the remote device. All ports are in forwarding state. This may cause
loops on the network, leading to broadcast storms. Exercise caution when you configure
a port as an edge port and BPDU filter port.
l After a port is configured as an edge port and BPDU filter port in the interface view, the
port does not process or send BPDUs. The port cannot negotiate the VBST status with
the directly connected port on the peer device. Exercise caution when you configure a
port as an edge port and BPDU filter port.
l Root protection takes effect only on designated ports.
l An alternate port is the backup of the root port. If a switch has an alternate port,
configure loop protection on both the root port and alternate port.
Pre-configuration Tasks
Before configuring basic VBST functions, connect ports and set physical parameters of each
interface to make the physical layer in Up state (see Basic Configuration for Interfaces and
Ethernet Interface Configuration in S7700&S9700 Series Switches Configuration Guide -
Interface Management).
Context
The device priority is used in spanning tree calculation, and determines whether the device
can be configured as a root bridge of a spanning tree. A smaller value indicates a higher
priority.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> priority priority
NOTE
If the device has been configured as the root bridge or secondary root bridge, to change the device
priority, run the undo stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> root command to disable the root
bridge or secondary root bridge function and run the stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
priority priority command to set the device priority.
----End
Context
A path cost is port-specific and is used by VBST to select a link. A port in different VLANs
may have different path costs on a network running VBST. Traffic from different VLANs is
forwarded through different physical links by setting a proper path cost enable, therefore
implementing VLAN-based load balancing.
The path cost value range is determined by the calculation method. The following calculation
methods are used:
l dot1d-1998: IEEE 802.1d standard is used to calculate the path cost.
l dot1t: IEEE 802.1T standard is used to calculate the path cost.
l legacy: Huawei calculation method is used to calculate the path cost.
After the calculation method is determined, the path cost of a port can be set. Generally, a
higher path cost indicates higher probability of a port to be blocked. If the link rate of a port is
small, you are advised to set a large path cost so that the port is selected as the blocking port
during spanning tree calculation and its link is blocked.
The default path cost varies according to the interface rate. Huawei calculation method is used
as an example. Table 16-5 shows the mapping between link rates and path costs.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp pathcost-standard { dot1d-1998 | dot1t | legacy }
The view of the Ethernet interface that participates in spanning tree calculation is displayed.
Step 4 Run:
stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> cost cost
----End
Context
In VBST spanning tree calculation, the port path cost, bridge ID of the sending switch, and
port priority determine whether the port can be selected as the designated port. A smaller
priority value indicates higher probability of becoming the designated port, and a larger
priority value indicates higher probability of becoming the blocking port.
On a network running VBST, a port can function as different roles in different spanning trees
so that traffic from different VLANs is forwarded through different physical paths.
Procedure
Step 1 Run:
system-view
The view of the Ethernet interface that participates in spanning tree calculation is displayed.
Step 3 Run:
stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> port priority priority
----End
Context
Based on the mappings between MSTIs and VLANs of MSTP, VBST maps each MSTI to a
VLAN to establish 1:1 mapping. The 1:1 mapping between MSTIs and VLANs are used only
by the switch to determine the VBST forwarding status. This does not mean that VBST
supports multi-instance.
The mapping between MSTIs and VLANs can be manually configured or dynamically
specified.
l You can manually configure the mapping between MSTIs and VLANs on the switch. If a
static mapping is also configured for a VLAN, the static mapping takes effect.
l After VBST is enabled, the system dynamically allocates instance IDs to existing or new
VLANs in ascending order. The dynamically specified mapping cannot be changed
manually. After a VLAN is deleted or STP is disabled globally, its mapping is
automatically deleted.
NOTE
When more than 128 MSTIs are dynamically specified, if a VLAN is created, in the configuration
file, STP is disabled, for example, stp vlan 100 disable.
The following steps are performed to manually configure the mapping between MSTIs and
VLANs.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp region-configuration
Step 3 Run:
instance instance-id vlan vlan-id
NOTE
After this step is performed, the dynamic mapping between MSTIs and VLANs cannot be canceled even
if VLANs are deleted or STP is disabled globally.
Step 4 Run:
active region-configuration
NOTICE
The change of 1:1 mapping between MSTIs and VLANs causes VBST recalculation and
network flapping. Therefore, it is recommended that you run the check region-configuration
command in the MST region view to check whether the parameters of the MST region are set
correctly before activating the configuration of the MST region. When determining that
parameters of the MST region are set correctly, run the active region-configuration
command to activate 1:1 mapping between MSTIs and VLANs.
----End
Context
The VBST configuration takes effect only when VBST is enabled.
NOTICE
When VBST is enabled on a ring network, VBST immediately starts spanning tree
calculation. Parameters such as the switch priority and port priority affect spanning tree
calculation, and change of these parameters may cause network flapping. To ensure fast and
stable spanning tree calculation, perform basic configurations on the switch and ports before
enabling VBST.
The PV quantity is the number of VBST-enabled interfaces multiplied by the number of
VLANs. If the PV quantity exceeds the specifications, the CPU usage may exceed the
threshold. As a result, the switch cannot process tasks in a timely manner, protocol calculation
is affected, and even the device cannot be managed by the NMS. The PV quantity supported
by the device is as follows:
l The CPU usage of VBST is in direct proportion to the PV quantity.
l EE, and X1E cards, ES1D2X08SED4/ES1D2X08SED5 and ES1D2L02QFC0 cards of the
S7700, and EH1D2X08SED4/EH1D2X08SED5, EH1D2L02QFC0, EH1D2L08QFC0,
and EH1D2X48SEC0 cards of the S9700 support up to 1200 PVs, and other cards support
up to 300 PVs.
l The number of PVs supported by the switch is the total number of PVs supported by
running cards of the switch.
l For an Eth-Trunk, the device supports up to 300 PVs.
Procedure
Step 1 Run:
system-view
NOTE
Step 3 Run:
stp enable
Step 4 Run:
stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> enable
NOTE
VBST cannot be enabled in the ignored VLAN or control VLAN used by ERPS, RRPP, SEP, or Smart
Link.
If VLAN mapping or VLAN stacking is configured on an interface corresponding to the VLAN, VBST
negotiation for this VLAN will fail.
Step 5 Run:
interface interface-type interface-number
Step 6 Run:
stp enable
NOTE
STP cannot be used with SEP or Smart Link. An STP-enabled interface cannot join a SEP segment or
Smart Link group. Similarly, the interface that has joined the SEP segment or Smart Link group cannot
be enabled with STP.
----End
Procedure
l Run the display stp [ vlan vlan-id ] [ interface interface-type interface-number | slot
slot-id ] [ brief ] command to check the spanning tree status and statistics.
l Run the display stp [ vlan vlan-id ] active command to check details of and statistics on
spanning trees of all ports in Up state.
l Run the display stp [ vlan vlan-id ] bridge { root | local } command to check the
spanning tree status of the local bridge and root bridge.
l Run the display stp global command to check the summary of the spanning tree
protocol.
l Run the display stp region-configuration [ digest ] command to check the mapping
between instances and VLANs.
----End
Background
All steps in this configuration task are optional. You can perform the steps as needed.
Pre-configuration Tasks
Before configuring VBST parameters that affect VBST convergence, perform the task of
Configuring Basic VBST Functions.
Context
Any two terminals on a switching network are connected through a specific path along which
multiple devices are located. The network diameter is the maximum number of devices
between any two terminals. A larger network diameter indicates a larger network scale.
An improper network diameter may cause slow network convergence and affect
communication. Setting a proper network diameter according to the network scale helps speed
up network convergence.
The switch calculates the Forward Delay, Hello time, and Max-Age based on the configured
network diameter. It is recommended that you set the network diameter to configure timers.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> bridge-diameter diameter
l Rapid Spanning Tree Protocol (RSTP) uses a single spanning tree instance on the entire
network. As a result, performance deteriorate when the network scale grows. Therefore,
the network diameter cannot be larger than 7.
l It is recommended that all devices on a ring network use the same network diameter.
----End
Context
VBST uses the following parameters in spanning tree calculation:
l Forward Delay: determines the interval for port status transition. On a network where a
spanning tree algorithm is used, when the network topology changes, new BPDUs are
transmitted throughout the network after a given period of time. During the period, the
port that should enter the blocking state may be not blocked and the originally blocked
port may be unblocked, causing temporary loops. To address this problem, set the
Forward Delay during which all ports are blocked temporarily.
l Hello time: is the interval at which Hello packets are sent. The switch sends BPDUs to
neighboring devices at an interval of the Hello time to check whether links are faulty. If
the switch does not receive any BPDU at an interval of Hello time, the switch
recalculates the spanning tree due to BPDU timeout.
l Max Age: determines whether BPDUs expire. The switch determines whether the
received BPDU expires based on this value. If the received BPDU expires, the spanning
tree needs to be recalculated.
Devices on a ring network must use the same values of Forward Delay, Hello time, and Max
Age.
Generally, you are not advised to adjust values of the three parameters. This is because the
three parameters are relevant to the network scale. It is recommended that the network
diameter be adjusted so that the spanning tree protocol automatically adjusts the three
parameters. When the default network diameter is used, the default values of the three
parameters are used.
NOTICE
To prevent frequent network flapping, ensure that the values of Hello time, Forward Delay,
and Max Age conform to the following formulas:
l 2 x (Forward Delay - 1.0 second) ≥ Max Age
l Max Age ≥ 2 x (Hello time + 1.0 second)
Procedure
Step 1 Run:
system-view
----End
Context
The timeout interval of the switch is calculated through the following formula:
l Timeout interval = Hello time x 3 x Timer factor
On a network running VBST, when the network topology becomes stable, the non-root-bridge
switch forwards BPDUs sent by the root bridge to neighboring switches at an interval of
Hello time to check whether links are faulty. If the switch does not receive any BPDU from
the upstream device within the timeout interval, the switch considers that the upstream device
fails and recalculates the spanning tree.
Sometimes, the switch may not receive BPDUs in a long time from the upstream device
because the upstream device is very busy. In this case, the device should not recalculate its
spanning tree. Therefore, you can set a long timeout interval for the device on a stable
network to reduce waste of network resources.
Procedure
Step 1 Run:
system-view
The timeout interval for the switch to wait for BPDUs from the upstream device is set.
By default, the timeout interval is 9 times the value of Hello time.
----End
Context
Implementing fast convergence on a P2P link is easy. If the two ports connected to a P2P link
are root or designated ports, the ports can transit to the forwarding state quickly by sending
Proposal and Agreement packets. This reduces the forwarding delay.
Procedure
Step 1 Run:
system-view
The view of the interface that participates in spanning tree calculation is displayed.
Step 3 Run:
stp point-to-point { auto | force-false | force-true }
----End
Context
The maximum transmission rate of a port indicates the maximum number of BPDUs sent per
second. A larger value of the maximum transmission rate of a port indicates more BPDUs
sent at an interval of Hello time and therefore more system resources are occupied.
Setting the proper value of this parameter prevents excess bandwidth usage when route
flapping occurs. If network flapping occurs frequently, and the switch needs to detect
topology change in a timely manner and has sufficient bandwidth resources, set a large value
for this parameter.
Procedure
Step 1 Run:
system-view
The view of the interface that participates in spanning tree calculation is displayed.
Step 3 Run:
stp transmit-limit packet-number
The maximum number of BPDUs that the port can send at an interval of Hello time is set.
By default, a port sends a maximum of 6 BPDUs per second.
NOTE
If the maximum number of BPDUs needs to be set on all ports of the switch, run the stp transmit-limit
(system view) command.
----End
Context
When a port on a VBST-enabled switch is connected to an STP-enabled switch, the port
automatically switches to the STP mode.
In the following cases, you need to switch the port back to the VBST mode manually:
l The STP-enabled switch is shut down or disconnected.
l The STP-enabled switch is switched to the RSTP/MSTP mode.
When a VBST-enabled switch connects to an MSTP-enabled switch, the connected port of the
MSTP-enabled switch automatically switches to the RSTP mode through negotiation. When
the VBST-enabled switch switches to the MSTP mode, the connected ports of the two
switches may still work in RSTP mode due to the time sequence problem. You can perform
the following operations to manually switch the ports to the MSTP mode.
Procedure
l Switching a port to the VBST mode
a. Run:
system-view
The view of the interface that participates in spanning tree calculation is displayed.
c. Run:
stp mcheck
After the switch is switched to the VBST mode in the system view, all ports switch
to the VBST mode.
----End
Context
When the topology of an MSTI changes, the forwarding path of the VLAN mapping the
MSTI also changes. The MAC address entries and ARP entries relevant to the VLAN need to
be updated. VBST provides the following convergence modes:
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp converge { fast | normal }
NOTE
normal is recommended. If fast is used, frequently deleting ARP entries may result in 100% CPU usage
of the MPU and LPU. As a result, packets are not processed in a timely manner and network flapping
occurs.
----End
Context
If a designated port is located at the edge of a network and is directly connected to terminals,
this port is called edge port. The switch does not learn whether a port is directly connected to
terminals, the port needs to be manually configured as an edge port.
An edge port does not receive or process configuration BPDUs, or participate in VBST
calculation. It can transit from Disable to Forwarding without any delay to implement fast
convergence.
After a designated port is configured as an edge port, the port can still send BPDUs. Then
BPDUs are sent to other networks, causing flapping of other networks. You can configure a
port as an edge port and BPDU filter port so that the port does not process or send BPDUs.
NOTICE
l After all ports are configured as edge ports and BPDU filter ports in the system view, none
of ports on the switch send BPDUs or negotiate the VBST status with directly connected
ports on the peer device. All ports are in forwarding state. This may cause loops on the
network, leading to broadcast storms. Exercise caution when you configure a port as an
edge port and BPDU filter port.
l After a port is configured as an edge port and BPDU filter port in the interface view, the
port does not process or send BPDUs. The port cannot negotiate the VBST status with the
directly connected port on the peer device. Exercise caution when you configure a port as
an edge port and BPDU filter port.
Procedure
l Configuring all ports as edge ports and BPDU filter ports in the system view
a. Run:
system-view
The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
c. Run:
stp edged-port enable
Procedure
l Run the display stp [ vlan vlan-id ] [ interface interface-type interface-number | slot
slot-id ] [ brief ] command to check the spanning tree status and statistics.
l Run the display stp [ vlan vlan-id ] active command to check details of and statistics on
spanning trees of all ports in Up state.
l Run the display stp [ vlan vlan-id ] bridge { root | local } command to check the
spanning tree status of the local bridge and root bridge.
l Run the display stp global command to check the summary of the spanning tree
protocol.
----End
Pre-configuration Tasks
Before configuring protection functions of VBST, complete the following tasks:
l Perform the task of Configuring Basic VBST Functions.
l (Optional) Perform the task of Configuring an Edge Port before configuring BPDU
protection.
Context
Edge ports are directly connected to user terminals and will not receive BPDUs. If a switch is
attacked by bogus BPDUs, edge ports will receive these BPDUs. The switch then sets the
edge ports as non-edge ports and recalculates the spanning tree, resulting in network flapping.
BPDU protection can be used to protect the switch against malicious attacks. After BPDU
protection is enabled on the switch, the switch shuts down an edge port if the edge port
receives a BPDU.
Perform the following operations on the switch configured with an edge port.
Procedure
Step 1 Run:
system-view
----End
Follow-up Procedure
To configure a shutdown edge port to go Up automatically, run the error-down auto-
recovery cause bpdu-protection interval interval-value command in the system view to
configure the automatic recovery function and set the recovery delay. After the delay expires,
the port automatically goes Up. Note the following when setting interval interval-value:
l A smaller value indicates a shorter delay for the port to go Up automatically and a higher
frequency at which the port alternates between Up and Down states.
l A larger value indicates a longer delay for the port to go Up automatically and longer
traffic interruption.
Context
When malicious attackers send bogus TC BPDUs to attack the switch, the switch receives a
large number of TC BPDUs within a short time. If MAC address entries and ARP entries are
deleted frequently, the switch is heavily burdened, causing potential risks to the network.
TC protection is used to suppress TC BPDUs. You can set the number of times the switch
processes TC BPDUs within a given time period. If the number of TC BPDUs that the switch
receives within a given time exceeds the specified threshold, the switch processes TC BPDUs
only for the specified number of times. After the specified number of times is reached, the
switch processes excess TC BPDUs at one time only. For example, the period is set to 10s and
the threshold is set to 5. After the switch receives TC BPDUs, the switch processes the first
five TC BPDUs within 10s. After 10s, the switch processes subsequent TC BPDUs. In this
way, the switch does not need to frequently delete MAC entries and ARP entries.
Procedure
Step 1 Run:
system-view
The time taken by the switch to process the maximum of TC BPDUs is 10s.
By default, the time is the Hello timer length.
l Run:
10102
stp tc-protection threshold threshold
The maximum number of TC BPDUs processed by the switch in a given time is set.
By default, the default number of times that the switch handles the TC BPDUs and
updates forwarding entries is 1 within a unit time.
NOTE
Within the time specified by stp tc-protection interval, the switch processes TC BPDUs of a number
specified by stp tc-protection threshold. Other packets are delayed, so convergence may be affected.
----End
Context
Due to incorrect configurations or malicious attacks on a network, a valid root bridge may
receive BPDUs with a higher priority. Consequently, the valid root bridge is no longer able to
serve as the root bridge and the network topology is changed, triggering spanning tree
recalculation. As a result, traffic may be switched from high-speed links to low-speed links,
causing network congestion. To prevent network congestion, enable root protection on the
switch to protect the role of the root switch by retaining the role of the designated port.
NOTE
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
stp root-protection
----End
Context
On a network running VBST, the switch maintains the root port status and status of blocked
ports by receiving BPDUs from an upstream switch. If the switch cannot receive any BPDU
from the upstream switch because of link congestion or unidirectional link failures, the switch
selects a new root port. The original root port becomes a designated port and the original
blocked ports change to the Forwarding state. This switching may cause network loops, which
can be mitigated by configuring loop protection.
If the root port or alternate port does not receive BPDUs from the upstream device for a long
time, the switch enabled with loop protection sends a notification to the NMS. If the root port
is used, the root port enters the Discarding state and becomes the designated port. If the
alternate port is used, the alternate port keeps blocked and becomes the designated port. In
this case, loops will not occur. After the link is not congested or unidirectional link failures
are rectified, the port receives BPDUs for negotiation and restores its original role and status.
NOTE
An alternate port is the backup of the root port. If a switch has an alternate port, you need to configure
loop protection on both the root port and alternate port.
Perform the following operations on the root port and alternate port of the switch.
Procedure
Step 1 Run:
system-view
----End
Procedure
l Run the display stp [ vlan vlan-id ] [ interface interface-type interface-number | slot
slot-id ] [ brief ] command to check the spanning tree status, including the root
protection status and information about other protection functions.
l Run the display stp [ vlan vlan-id ] active command to check details of and statistics on
spanning trees of all ports in Up state, including the root protection status and
information about other protection functions.
l Run the display stp global command to check the summary of the spanning tree
protocol.
----End
Context
The switch supports the following modes on the Proposal/Agreement mechanism:
l Enhanced mode: The port participates in calculation of the root port when calculating the
synchronization flag bit.
a. An upstream device sends a Proposal message to a downstream device, requesting
fast transition. After receiving the message, the downstream device sets the port
connected to the upstream device as a root port and blocks all non-edge ports.
b. The upstream device then sends an Agreement message to the downstream device.
After the downstream device receives the message, the root port transitions to the
Forwarding state.
c. The downstream device sends an Agreement message to the upstream device. After
receiving the Agreement message, the upstream device sets the port connected to
the downstream device as a designated port, and the designated port transitions to
the Forwarding state.
l Common mode: The port ignores the root port when calculating the synchronization flag
bit.
a. An upstream device sends a Proposal message to a downstream device, requesting
fast transition. After receiving the Proposal message, the downstream device sets
the port connected to the upstream device as a root port and blocks all non-edge
ports. The root port then transitions to the Forwarding state.
b. The downstream device sends an Agreement message to the upstream device. After
receiving the Agreement message, the upstream device sets the port connected to
the downstream device as a designated port, and the designated port transitions to
the Forwarding state.
On a network running VBST protocol, a Huawei datacom device and the connected non-
Huawei device may fail to communicate if they use different Proposal/Agreement modes. The
Huawei datacom device can select the same mode as that on the non-Huawei device to
implement interworking.
If Huawei datacom device and Handremanet switch are deployed on the VBST network, non-
standard STP/RSTP packets sent by the Handremanet switch may cause temporary loops.
Therefore, the Huawei datacom device interface needs to be configured to discard non-
standard STP/RSTP packets to prevent temporary loops.
Pre-configuration Tasks
Before setting parameters for interworking between a Huawei datacom device and a non-
Huawei device, perform the task of Configuring Basic VBST Functions.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
The view of the interface that participates in spanning tree calculation is displayed.
Step 3 Run:
stp no-agreement-check
By default, Huawei datacom device interface does not discard non-standard STP/RSTP
packets sent by the Handremanet switch.
----End
Context
You can view the VBST running information and statistics on VBST BPDUs. If the number
of topology change times increases, network flapping occurs.
Procedure
l Run the display stp [ vlan vlan-id ] topology-change command to check VBST
topology change statistics.
l Run the display stp error packet command to check the number of received error
packets and the content of recently received error packets.
l Run the display vbst [ vlan vlan-id ] [ interface interface-type interface-number | slot
slot-id ] bpdu-statistics command to check BPDU statistics.
l Run the display stp [ vlan vlan-id ] [ interface interface-type interface-number | slot
slot-id ] tc-bpdu statistics command to check statistics on TC or TCN BPDUs on the
VBST-enabled port.
----End
Context
Before recollecting statistics on VBST BPDUs in a certain period, clear existing statistics on
VBST BPDUs.
NOTICE
Cleared statistics on VBST BPDUs cannot be restored. Exercise caution when you run the
reset vbst command.
Procedure
l Run the reset vbst [ interface interface-type interface-number | slot slot-id ] bpdu-
statistics command in the user view to clear statistics on VBST BPDUs.
----End
Networking Requirements
As shown in Figure 16-5, SwitchC and SwitchD (access switches) are dual-homed to
SwitchA and SwitchB (aggregation switches) respectively. SwitchC transmits traffic from
VLAN 10 and VLAN 20, and SwitchD transmits traffic from VLAN 20 and VLAN 30. A
ring network is formed between the access layer and aggregation layer. The enterprise
requires that service traffic in each VLAN be correctly forwarded and service traffic from
different VLANs be load balanced to improve link use efficiency.
Core Network
SwitchA SwitchB
GE1/0/1 GE1/0/1
VLAN10, 20, 30
GE1/0/3 GE1/0/2 GE1/0/2 GE1/0/3
VLAN10, 20 VLAN20, 30
20 VL
1 0, AN
AN 20
,3
VL 0
GE1/0/3 GE1/0/3
GE1/0/2 GE1/0/2
SwitchC SwitchD
Root bridge
Unblocked link
Blocked link
Blocked port
wozh
Configuration Roadmap
VBST can be used to eliminate loops between the access layer and aggregation layer and
ensures that service traffic in each VLAN is correctly forwarded. In addition, traffic from
different VLANs can be load balanced. The configuration roadmap is as follows:
1. Configure Layer 2 forwarding on access and aggregation switches.
2. Configure basic VBST functions on SwitchA, SwitchB, SwitchC, and SwitchD. Perform
the following operations so that a spanning tree shown in Figure 16-5 is formed through
calculation:
– Configure the root bridge and secondary root bridge of VLAN 10 as SwitchA and
SwitchB respectively, configure the root bridge and secondary root bridge of VLAN
20 as SwitchA and SwitchB respectively, and configure the root bridge and
secondary root bridge of VLAN 30 as SwitchB and SwitchA respectively, to ensure
root bridge reliability.
– Set a larger path cost for GE1/0/2 on SwitchC in VLAN 10 and VLAN 20 so that
GE1/0/2 is blocked in spanning trees of VLAN 10 and VLAN 20 accordingly, set a
larger path cost for GE1/0/2 on SwitchD in VLAN 20 and VLAN 30 so that
GE1/0/2 is blocked in the spanning tree of VLAN 20 and VLAN 30 accordingly.
3. Configure ports on SwitchC and SwitchD connected to terminals as edge ports to reduce
VBST topology calculation and improve topology convergence.
Procedure
Step 1 Configure Layer 2 forwarding on switches on the ring network.
l Create VLAN 10, VLAN 20, and VLAN 30 on SwitchA, SwitchB, SwitchC, and
SwitchD.
# Create VLAN 10, VLAN 20, and VLAN 30 on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 30
# Add GE1/0/1 on SwitchB to VLAN 10, VLAN 20, and VLAN 30.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 30
[SwitchB-GigabitEthernet1/0/1] quit
– Configure the root bridge and secondary root bridge in VLAN 20.
# Configure SwitchA as the root bridge in VLAN 20.
[SwitchA] stp vlan 20 root primary
– Configure the root bridge and secondary root bridge in VLAN 30.
# Configure SwitchB as the root bridge in VLAN 30.
[SwitchB] stp vlan 30 root primary
3. Configure the path cost for a port so that the port can be blocked.
NOTE
– The path cost range depends on the algorithm. IEEE 802.1t standard is used as an example. Set
the path costs of the ports to be blocked to 2000000.
– All switches on the same network must use the same path cost calculation method.
# Set the path cost of GE1/0/2 on SwitchC to 2000000 in VLAN 10 and VLAN 20.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] stp vlan 10 cost 2000000
[SwitchC-GigabitEthernet1/0/2] stp vlan 20 cost 2000000
[SwitchC-GigabitEthernet1/0/2] quit
# Set the path cost of GE1/0/2 on SwitchD to 2000000 in VLAN 20 and VLAN 30.
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] stp vlan 20 cost 2000000
[SwitchD-GigabitEthernet1/0/2] stp vlan 30 cost 2000000
[SwitchD-GigabitEthernet1/0/2] quit
By default, all interfaces join VLAN 1 and VBST in VLAN 1 is enabled. In this example, to
reduce spanning tree calculation, VBST is disabled in VLAN 1. To prevent loops in VLAN 1
after VBST is disabled, delete interfaces from VLAN 1.
# Disable VBST in VLAN 1 on SwitchA. The configurations on SwitchB, SwitchC,
and SwitchD are similar to the configuration of SwitchA, and are not mentioned
here.
[SwitchA] stp vlan 1 disable
The preceding information shows that SwitchA participates in spanning tree calculation in
VLAN 10, VLAN 20, and VLAN 30. For example, SwitchA is the root bridge in VLAN 10
and VLAN 20, so GE1/0/1 and GE1/0/3 in VLAN 10 are selected as designated ports.
GE1/0/1, GE1/0/2, and GE1/0/3 in VLAN 20 are selected as designated ports. SwitchA is the
secondary root bridge in VLAN 30, so GE1/0/1 is selected as the root port and GE1/0/2 is
selected as the designated port in VLAN 30.
# Run the display stp vlan 10 command on SwitchA to view detailed information about
VLAN 10.
[SwitchA] display stp vlan 10
-------[VLAN 10 Global Info]-------
Bridge ID :0 .0200-0000-6703
Config Times :Hello 2s MaxAge 20s FwDly 15s
Active Times :Hello 2s MaxAge 20s FwDly 15s
Root ID / RPC :0 .0200-0000-6703 / 0 (This bridge is the root)
RootPortId :0.0
Root Type :Primary
----[Port4093(GigabitEthernet1/0/1)][FORWARDING]----
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T) :Config=Auto / Active=20000
Desg. Bridge/Port :0 .0200-0000-6703 / 128.4093
Port Edged :Config=Default / Active=Disabled
Point-to-point :Config=Auto / Active=true
Transit Limit :6 packets/hello
Protection Type :None
----[Port4092(GigabitEthernet1/0/3)][FORWARDING]----
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T) :Config=Auto / Active=199999
Desg. Bridge/Port :0 .0200-0000-6703 / 128.4092
Port Edged :Config=Default / Active=Disabled
Point-to-point :Config=Auto / Active=true
Transit Limit :6 packets/hello
Protection Type :None
The preceding information shows that SwitchA is selected as the root bridge in VLAN 10 and
GE1/0/1 and GE1/0/3 are selected as designated ports in Forwarding state.
# Run the display stp brief command on SwitchB, SwitchC, and SwitchD to view the port
status.
[SwitchB] display stp brief
VLAN-ID Port Role STP State Protection
10 GigabitEthernet1/0/1 ROOT FORWARDING NONE
10 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/1 ROOT FORWARDING NONE
20 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/3 DESI FORWARDING NONE
30 GigabitEthernet1/0/1 DESI FORWARDING NONE
30 GigabitEthernet1/0/3 DESI FORWARDING NONE
[SwitchC] display stp brief
VLAN-ID Port Role STP State Protection
10 GigabitEthernet1/0/2 ALTE DISCARDING NONE
10 GigabitEthernet1/0/3 ROOT FORWARDING NONE
10 GigabitEthernet1/0/4 DESI FORWARDING NONE
20 GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 GigabitEthernet1/0/3 ROOT FORWARDING NONE
20 GigabitEthernet1/0/5 DESI FORWARDING NONE
The preceding information shows that SwitchB participates in spanning tree calculation in
VLAN 10, VLAN 20, and VLAN 30, SwitchC participates in spanning tree calculation in
VLAN 10 and VLAN 20, and SwitchD participates in spanning tree calculation in VLAN 20
and VLAN 30. After the calculation is complete, ports are selected as different roles to
eliminate loops.
Different spanning trees are formed in VLAN 10, VLAN 20, and VLAN 30, and traffic in
VLAN 10, VLAN 20, and VLAN 30 is forwarded along different spanning trees to implement
load balancing.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20 30
#
stp mode vbst
#
stp vlan 1 disable
stp vlan 30 root secondary
stp vlan 10 20 root primary
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20 30
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
return
17 SEP Configuration
This chapter describes how to configure the Smart Ethernet Protection (SEP). SEP is a ring
network protocol specially used for the Ethernet link layer. It blocks redundant links to
prevent logical loops on a ring network.
Definition
The Smart Ethernet Protection (SEP) protocol is a ring network protocol specially used for the
Ethernet link layer. A SEP segment consists of interconnected Layer 2 switching devices
configured with the same SEP segment ID and control VLAN ID. A SEP segment is the basic
unit for SEP.
Purpose
Generally, redundant links are used on an Ethernet switching network to provide link backup
and enhance network reliability. The use of redundant links, however, may produce loops,
causing broadcast storms and rendering the MAC address table unstable. As a result,
communication quality deteriorates, and services may even be interrupted. To solve the loop
problem, Huawei datacom devices support the following ring network protocols:
l STP/RSTP/MSTP
STP, RSTP, and MSTP are standard protocols for breaking loops on Ethernet networks.
They are mature and widely used. Huawei devices running STP, RSTP, or MSTP can
communicate with non-Huawei devices. Networks running these protocols converge
slowly (in seconds), failing to meet transmission requirements of some real-time
services. The convergence time is affected by the network topology.
l RRPP
RRPP is a Huawei-proprietary protocol. It provides fast convergence (less than 50 ms).
However, its configuration is complex. A Huawei device running RRPP cannot
communicate with any non-Huawei device. RRPP requires a physical topology to be
divided into logical topologies so that major rings and sub-rings can be differentiated.
Therefore, RRPP does not apply to complex networks.
Huawei developed SEP to overcome the disadvantages of the preceding ring network
protocols. Compared with RRPP, SEP has the following advantages:
l Applies to diverse complex networks and supports all topologies and network topology
query. For example, a network running SEP can connect to a network running STP,
RSTP, MSTP, or RRPP.
Network topology display helps locate blocked interfaces quickly. When a fault occurs,
SEP can quickly locate the fault, improving network maintainability.
l Allows selectively interface blocking, which effectively implements traffic load
balancing.
l Prevents traffic from being switched back after link recovery, which improves network
stability.
17.2 Principles
NPE1 IP/MPLS
VRRP+peer BFD Core
NPE2
CE1
LSW5
In common SEP networking, a physical ring can be configured with only one SEP segment in
which only one interface can be blocked. If an interface in a complete SEP segment is
blocked, all service data is transmitted only along the path where the primary edge interface is
located. The path where the secondary edge interface is located remains idle, wasting
bandwidth.
SEP multi-instance is used to improve bandwidth efficiency and implement traffic load
balancing. SEP multi-instance allows two SEP segments to be configured on a physical ring.
Each SEP segment independently detects the completeness of the physical ring, blocks or
unblocks interfaces without affecting the other.
For details about SEP multi-instance, see 17.2.3 SEP Implementation Mechanisms.
Network Network
LSW5
SEP SEP
Segment Segment
LSW3 LSW3
CE CE
No-Neighbor Primary Edge Port
No-Neighbor Secondary Edge Port
Primary Edge Port
Secondary Edge Port
Block Port
l SEP segment
A SEP segment consists of interconnected Layer 2 switching devices configured with the
same SEP segment ID and control VLAN ID. A SEP segment is the basic unit for SEP.
A SEP segment is a ring or linear Ethernet topology. Each SEP segment has a control
VLAN, edge interfaces, and common interfaces.
l Control VLAN
In a SEP segment, the control VLAN is used to transmit only SEP packets.
Each SEP segment must have a control VLAN. After an interface is added to a SEP
segment that has a control VLAN, the interface is automatically added to the control
VLAN.
Different SEP segments can use the same control VLAN.
Different from a control VLAN, a data VLAN is used to transmit data packets.
l Node
Each Layer 2 switching device in a SEP segment is a node. Each node can have at most
two interfaces added to the same SEP segment.
l Interface role
As defined in SEP, there are two interface roles: common interfaces and edge interfaces.
As shown in Table 17-1, edge interfaces are further classified into primary edge
interfaces, secondary edge interfaces, no-neighbor primary edge interfaces, and no-
neighbor secondary edge interfaces.
NOTE
Normally, edge interfaces and no-neighbor edge interfaces belong to different SEP segments.
Edge interface Primary edge A SEP segment has only one primary
interface edge interface, which is determined by
the configuration and election.
The primary edge interface initiates
blocked interface preemption, terminates
packets, and sends topology change
notification messages to other networks.
l Blocked interface
In a SEP segment, some interfaces are blocked to prevent loops.
Any interface in a SEP segment may be blocked if no interface is specified for blocking.
A complete SEP segment has only one blocked interface.
l Status of a SEP interface
In a SEP segment, a SEP interface has two working states: Forwarding and Discarding,
as shown in Table 17-2.
Forwarding The interface can forward user traffic, receive and send SEP packets.
Discarding The interface can receive and send SEP packets but cannot forward user
traffic.
SEP Packet
Table 17-3 shows the types of SEP packets.
LSA LSA request After an interface has SEP enabled, the interface
packet periodically sends LSAs to its neighbor. After the
state machine of the neighbor goes Up, the two
LSA ACK packet interfaces update their LSA databases, that is, all
topology information.
Neighbor negotiations provide information required to obtain the SEP segment topology.
Interfaces establish neighbor relationships through neighbor negotiations, forming a complete
SEP segment. Therefore, the SEP segment topology can be obtained.
the other devices. After receiving LSA request packets from the device, neighboring
interfaces reply with LSA ACK packets that contain the latest link state information.
l SEP segment topology display
The topology display function allows you to view the topology with the highest network
connectivity on any device in a SEP segment. Link state synchronization ensures that all
devices in a SEP segment display the same topology.
Table 17-4 shows the types of SEP segment topologies.
Linear topology All topologies except ring For interfaces at both ends
topologies are linear of a link:
topologies. l If one interface
functions as the
primary edge interface,
the primary edge
interface is listed first
in the topology
information displayed
on each interface.
l If the primary edge
interface is not elected
but the secondary edge
interface is elected, the
secondary edge
interface is listed first
in the topology
information displayed
on each interface.
NOTE
The constraints listed in Table 17-4 ensure that each node in a ring or linear topology displays the
same topology information.
NOTE
If only one interface on a node has SEP enabled, you must set the role of the interface to edge so that the
interface can function as an edge interface.
As shown in Figure 17-3, if there is no faulty link on the network and SEP is enabled on the
interfaces, the following situations occur:
l Common interfaces do not participate in primary edge interface election. Only P1 on
LSW1 and P1 on LSW5 participate in primary edge interface election.
l If P1 on LSW1 and P1 on LSW5 have the same role, P1 with a higher MAC address is
elected as the primary edge interface.
After the primary edge interface is selected, it periodically sends primary edge interface
election packets without waiting for the success of neighbor negotiations. A primary edge
interface election packet contains the interface role (primary edge interface, secondary edge
interface, or common interface), bridge MAC address of the interface, interface ID, and
integrity of the topology database.
Network Network
LSW1 LSW5 LSW1 LSW5
P1 P1 P1 P1
SEP SEP
Segment Segment
As shown in Figure 17-3, if a link fault occurs in the SEP segment, P1 on LSW1 and P1 on
LSW5 receive fault notification packets or P1 on LSW5 does not receive primary edge
interface election packets within a specified period. Then P1 on LSW1 becomes the
secondary edge interface. Consequently, two secondary edge interfaces exist in the SEP
segment and periodically send primary edge interface election packets.
When all link faults in the SEP segment are rectified, the two secondary edge interfaces can
receive primary edge interface election packets and elect a new primary edge interface within
a configured interval (1s by default).
Specify a blocked interface SEP sets the hop count of the primary edge interface
based on the configured hop to 1 and the hop count of the neighboring interface of
count. the primary interface to 2. Hop counts of other
interfaces increase by steps of 1 in the downstream
direction of the primary edge interface.
l Preemption
After the interface blocking mode is specified, whether a specified interface will be
blocked is determined by the preemption mode. Table 17-6 lists the preemption modes.
Non-preemption mode When all link faults are rectified or the last two
interfaces enabled with SEP complete neighbor
negotiations, interfaces send blocking status packets to
each other. The interface with the highest priority is
then blocked, and the other interfaces enter the
Forwarding state.
An interface fault occurs. Figure 17-4 shows an interface fault in a SEP segment.
An interface fault can be a link fault or neighboring
interface fault.
If a device having an interface in Forwarding state in the
SEP segment receives a fault advertisement packet, the
device needs to send a Flush-Forwarding Database
(Flush-FDB) packet through the interface to notify other
nodes in the SEP segment that there is a change in
topology.
The fault is rectified and the After faults occur in the SEP segment and the last faulty
preemption function takes interface recovers, the blocked interface is preempted
effect. and the topology is considered changed.
Preemption is triggered by the primary edge interface.
When an interface in a SEP segment receives a
preemption packet from the primary edge interface, the
interface needs to send Flush-FDB packets to notify
other nodes in the SEP segment that there is a change in
topology.
Network
LSW8
SEP SEP
LSW1 Segment1 Segment3 LSW13
LSW9 LSW10
NOTE
The topology change notification function is configured on devices that connect an upper-layer network
and a lower-layer network. If the topology of one network changes, devices affected inform the other
network of the change.
Table 17-8 lists the scenarios in which topology changes are reported.
IP/MPLS Core
CFM
PE-AGG1 PE-AGG2
LSW1 LSW5
SEP
Segment
LSW2 LSW4
LSW3
CE
No-neighbor Primary Edge Port
No-neighbor Secondary Edge Port
Block Port
SEP associated with Ethernet CFM
As shown in Figure 17-5, association between SEP and CFM is configured on LSW1 in the
SEP segment. When CFM detects a fault on the network at the aggregation layer, LSW1
sends a CCM to notify the Operation, Administration, and Maintenance (OAM) module of the
fault. The SEP status of the interface associated with CFM then changes to Down.
The interface associated with CFM is in the SEP segment. If this interface goes Down, LSW2
needs to send a Flush-FDB packet to notify other nodes in the SEP segment of the topology
has changed. After LSW3 receives the Flush-FDB packet, the blocked interface on LSW3 is
unblocked and enters the Forwarding state. This interface then sends a Flush-FDB packet to
instruct other nodes in the SEP segment to update their MAC address forwarding tables and
ARP tables. The lower-layer network can then detect the faults on the upper-layer network,
ensuring reliable service transmission.
LSW9 LSW10
SEP
Segment 1
LSW7 LSW8
SEP
Segment2
LSW4 LSW6
LSW5
SEP
Segment3
LSW1 LSW3
LSW2
Sending a large number of TC notification packets reduces the CPU capability to quickly
process other types of packets. In addition, devices in SEP segments frequently update MAC
address entries, heavily consuming bandwidth resources. To solve such problems, the
following measures can be taken to suppress TC notification packets:
l Configure a device to process only one of the TC notification packets carrying the same
source address.
l Configure a device to process a specified number of TC notification packets within a
specified period. By default, three TC notification packets with different source
addresses are processed in 2s.
l Avoid the networking scenario having more than three SEP ring networks.
SEP Multi-Instance
In common SEP networking shown in Figure 17-7, a physical ring network can be configured
with only one SEP segment in which only one interface can be blocked.
If an interface in a complete SEP segment is blocked, all service data is transmitted only along
the path where the primary edge interface is located. The path where the secondary edge
interface is located remains idle, wasting bandwidth.
LSW2 LSW4
SEP
Segment1
LSW1 LSW3
VLAN 100~200 VLAN 201~400
CE1 CE2
Primary Edge Port
Secondary Edge Port
Block Port
SEP multi-instance allows two SEP segments to be configured on a physical ring. Each SEP
segment independently detects the completeness of the physical ring, blocks or unblocks
interfaces without affecting the other.
A physical ring may contain one or two SEP segments. Each SEP segment needs to be
configured with a protected instance, each protected instance indicating a VLAN range. The
topology calculated by a SEP segment is only valid for that SEP segment.
After different protected instances are configured for SEP segments and the mapping between
protected instances and VLANs is set, a blocked interface is only valid for the VLANs
protected by the SEP segment where the blocked interface resides. Data traffic for different
VLANs can be transmitted along different paths. This implements traffic load balancing and
link backup.
LSW2 LSW4
SEP
Segment2
P2 SEP Segment1 P1
LSW1 LSW3
Instance1: Instance2:
VLAN 100~200 VLAN 201~400
CE1 CE2
Primary Edge Port
Secondary Edge Port
Block Port
As shown in Figure 17-8, the SEP multi-instance ring network that consists of LSW1 to
LSW4 has two SEP segments. P1 is the blocked interface in SEP segment 1, and P2 is the
blocked interface in SEP segment 2.
l Protected instance 1 is configured in SEP segment 1 to protect the data from VLAN 100
to VLAN 200. The data is transmitted along path LSW1->LSW2. As the blocked
interface in SEP segment 2, P2 blocks only the data from VLAN 201 to VLAN 400.
l Protected instance 2 is configured in SEP segment 2 to protect the data from VLAN 201
to VLAN 400. The data is transmitted along path LSW3->LSW4. As the blocked
interface in SEP segment 1, P1 blocks only the data from VLAN 100 to VLAN 200.
When a node fault or link fault occurs, each SEP segment calculates its own topology
independently, and the nodes in each SEP segment update their own LSA databases.
As shown in Figure 17-9, a fault occurs on the link between LSW3 and LSW4. The link fault
does not affect the transmission path for the data from VLAN 100 to VLAN 200 in SEP
segment 1, but blocks the transmission path for the data from VLAN 201 to VLAN 400 in
SEP segment 2.
Figure 17-9 Networking diagram for a link fault on a SEP multi-instance network
LSW2 LSW4
SEP
Segment2
P2 SEP Segment1 P1
LSW1 LSW3
Instance1: Instance2:
VLAN 100~200 VLAN 201~400
CE1 CE2
Primary Edge Port
Secondary Edge Port
Block Port
After the link between LSW3 and LSW4 becomes faulty, LSW3 starts to send LSAs to
instruct the other devices in SEP segment 2 to update their LSA databases, and the blocked
interface enters the Forwarding state. After the topology of SEP segment 2 is recalculated, the
data from VLAN 201 to VLAN 400 is transmitted along path LSW3->LSW1->LSW2.
After the link between LSW3 and LSW4 recovers, the devices in SEP segment 2 perform
delayed preemption. After the preemption delay expires, P1 becomes the blocked interface
again, and sends LSAs to instruct the other devices in SEP segment 2 to update their LSA
databases. After the topology of SEP segment 2 is recalculated, the data from VLAN 201 to
VLAN 400 is transmitted along path LSW3->LSW4.
17.3 Applications
Network
LSW1 LSW5
SEP
Segment
LSW2 LSW4
LSW3
CE
LSW1 LSW5
SEP
Segment
LSW2 LSW4
LSW3
LSW2 LSW4
LSW3
Se
SE en
gm
P t3
t2
gm E P
SEP
en
Se S
LSW9
LSW6 Segment 4
LSW12
SEP
LSW8 Segment 5
LSW14
LSW7 LSW13
LSW10 LSW11
Block Port
PE3 PE4
MSTP
PE1 PE2
SEP
Segment
LSW1 LSW2
LSW3
No-neighbor Primary Edge Port
No-neighbor Secondary Edge Port
Block Port
Figure 17-14 Networking diagram of hybrid rings running SEP and RRPP
PE3 PE4
RRPP
PE1 PE2
SEP
Segment
LSW1 LSW2
LSW3
Primary Edge Port
Secondary Edge Port
Block Port
LSW2 LSW4
SEP
Segment2
P2 SEP Segment1 P1
LSW1 LSW3
Instance1: Instance2:
VLAN 100~200 VLAN 201~400
CE1 CE2
Primary Edge Port
Secondary Edge Port
Block Port
Figure 17-16 Networking diagram for association between SEP and VPLS
VPLS
LSW1 LSW5
SEP
Segment1
LSW2 LSW4
LSW3
CE1
Primary Edge Port
Secondary Edge Port
Block Port
IP/MPLS Core
CFM
PE-AGG1 PE-AGG2
LSW1 LSW5
SEP
Segment
LSW2 LSW4
LSW3
CE
No-neighbor Primary Edge Port
No-neighbor Secondary Edge Port
Block Port
SEP associated with Ethernet CFM
As shown in Figure 17-17, LSW1 to LSW5 run SEP to implement redundancy protection
switching at the access layer and display the topology. Association between SEP and CFM is
configured on LSW1 in the SEP segment. When CFM detects a fault on the network at the
aggregation layer, LSW1 sends a CCM to notify the fault to the Operation, Administration,
and Maintenance (OAM) module. The SEP status of the interface associated with CFM then
changes to Down.
The interface associated with CFM is in the SEP segment. Therefore, when the SEP status of
the interface associated with CFM goes Down, LSW2 needs to send a Flush-FDB packet to
notify other nodes in the SEP segment of the topology changes. After LSW3 receives the
Flush-FDB packet, the blocked interface on LSW3 is unblocked and enters the Forwarding
state. Then, the interface sends a Flush-FDB packet to instruct the other nodes in the SEP
segment to update their MAC address forwarding tables and ARP tables. Therefore, the
lower-layer network can then detect the faults on the upper-layer network, ensuring reliable
service transmission.
Configuring Basic SEP After basic SEP functions 17.6.1 Configuring Basic
Functions are configured on devices, SEP Functions
the devices start SEP
negotiation. One of the two
interfaces that complete
neighbor negotiations last is
blocked to eliminate
redundant links.
NOTE
When logging in to nodes on a
SEP semi-ring through Telnet
to configure the nodes, note
the following points:
l VLANIF interfaces and
their IP addresses need to
be configured, because
these nodes are Layer 2
devices. The VLANs to
which these VLANIF
interfaces correspond must
be mapped to SEP
protected instances.
l Basic SEP functions need
to be configured from the
node at one end of the
semi-ring to the node at
the other end of the semi-
ring.
License Support
SEP is a basic feature of a switch and is not under license control.
Version Support
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
l On a SEP network where there are no-neighbor edge interfaces, a device that is not in a
SEP segment cannot be added to the control VLAN of the SEP segment. Otherwise, a
loop will occur on the network.
l SEP and VLAN stacking cannot be configured on an interface of an SA series card
simultaneously.
Pre-configuration Tasks
Before configuring basic SEP functions, complete the following tasks:
l Establish the ring network.
l Ensure that the devices are powered on correctly and operate properly.
Context
A SEP segment is the basic unit for SEP. A SEP segment consists of interconnected Layer 2
switching devices configured with the same SEP segment ID and control VLAN ID.
After SEP is configured on a device, you can run the description command to configure the
description of the SEP segment, including the SEP segment ID, to facilitate maintenance.
Procedure
Step 1 Run:
system-view
A SEP segment is created and the view of the SEP segment is displayed.
----End
Context
In a SEP segment, a control VLAN is used to transmit SEP packets but not service packets,
enhancing SEP security. Each SEP segment must be configured with a control VLAN. After
being added to a SEP segment configured with a control VLAN, an interface is added to the
control VLAN automatically.
NOTE
On a SEP network that has no-neighbor edge interfaces, a device that is not in a SEP segment cannot be
added to the control VLAN of the SEP segment. Otherwise, a loop will occur on the network.
Procedure
Step 1 Run:
system-view
Step 2 Run:
sep segment segment-id
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run:
control-vlan vlan-id
A control VLAN is configured for the SEP segment to transmit SEP packets.
The control VLAN must be not created, and is not used by RRPP, dynamic instances of
VBST, VLAN mapping, and VLAN stacking. Additionally, no interface is added to the
control VLAN in trunk, access, hybrid, or qinq mode.
Each SEP segment must be configured with a control VLAN. After an interface is added
to a SEP segment configured with a control VLAN, the interface is automatically added
to the control VLAN.
– If the interface type is trunk, in the configuration file, the port trunk allow-pass
vlan command is displayed in the view of the interface added to the SEP segment.
– If the interface type is hybrid, in the configuration file, the port hybrid tagged vlan
command is displayed in the view of the interface added to the SEP segment.
----End
Context
Interfaces can be added to a SEP segment only after the SEP segment is configured with
protected instances.
Procedure
Step 1 Run:
system-view
If the stp mode vbst command sets the STP working mode to VBST, you must perform this step to
configure the mapping between MSTIs and VLANs. Otherwise, the protected instance in a SEP segment
cannot be configured.
1. Run:
stp region-configuration
A SEP segment is created and the view of the SEP segment is displayed.
Step 4 Run:
protected-instance { all | { instance-id1 [ to instance-id2 ] } &<1-10> }
NOTE
When the mapping between MSTIs and VLANs is not configured, the SEP protected instance is valid
for all VLANs.
----End
17.6.1.4 Adding a Layer 2 Interface to a SEP Segment and Configuring a Role for
the Interface
Context
To ensure that SEP packets are forwarded correctly in a SEP segment, add Layer 2 interfaces
to the SEP segment and configure different roles for the interfaces.
After an interface is added to a SEP segment, the interface sets its interface role to the primary
edge interface if the interface has the right to participate in primary edge interface election.
Then, the interface periodically sends a primary edge interface election packet without
waiting for the success of neighbor negotiations.
A primary edge interface election packet contains the interface role (primary edge interface,
secondary edge interface, or common interface), bridge MAC address of the interface,
interface ID, and integrity of the topology database.
Table 17-12 lists interface roles.
Edge interface Primary A SEP segment has only one Open-ring networking
edge primary edge interface, Closed-ring networking
interface which is determined by the
configuration and election. Multi-ring networking
NOTE
l Normally, edge interfaces and no-neighbor edge interfaces belong to different SEP segments.
l Before adding a Layer 2 interface to a SEP segment, ensure that STP has been disabled on the
interface (except that the interface is a no-neighbor edge interface).
l Before adding an interface to a SEP segment, disable Smart Link on the interface.
l Before adding an interface to a SEP segment, disable port security on the interface; otherwise, loops
cannot be prevented.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
port link-type { trunk | hybrid }
Step 5 Run:
sep segment segment-id [ edge [ no-neighbor ] { primary | secondary } ]
The Ethernet interface is added to a specified SEP segment and a role is configured for the
interface.
NOTE
----End
Procedure
l Run the display sep segment { segment-id | all } command to check the configurations
of SEP segments.
l Run the display sep interface [ interface-type interface-number | segment segment-id ]
[ verbose ] command to check information about interfaces that are added to a specified
SEP segment.
l Run the display sep topology [ segment segment-id ] [ verbose ] command to check the
topology status of a specified SEP segment.
----End
Context
In a SEP segment, some interfaces are blocked to prevent loops.
You can configure the interface blocking mode to specify a blocked interface. Table 17-13
lists interface blocking modes.
Specify the interface in This mode applies to a network where traffic is symmetrically
the middle of a SEP distributed.
segment as the blocked After fault recovery, the interface in the middle of a SEP
interface. segment becomes the blocked interface.
Perform the following operations on the device where the primary edge interface or no-
neighbor primary edge interface is located:
Procedure
Step 1 Run:
system-view
Step 2 Run:
sep segment segment-id
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run:
block port { optimal | middle | hop hop-id | sysname sysname interface
{ interface-type interface-number | interface-name } }
By default, one of the interfaces at two ends of the link that is set up last or recovers from a
fault last is blocked.
----End
Follow-up Procedure
If the interface with the highest priority is specified to block, run the sep segment segment-id
priority priority command in the view of the interface to be blocked to increase its priority.
When a fault is rectified, the specified interface is blocked.
The default priority of an interface added to a SEP segment is 64. The priority value of an
interface is an integer that ranges from 1 to 128. A larger priority value indicates a higher
priority.
Context
After the interface blocking mode is specified, whether a specified interface will be blocked is
determined by the preemption mode. Table 17-14 lists the preemption modes.
Preempt Delayed Each time a fault is l The delayed preemption mode needs
ion preempt rectified, the system to be specified in advance. There is no
mode ion automatically completes default delay in preemption, and the
preemption and ensures delay time needs to be configured
that the specified using a command.
interface is blocked. l After delayed preemption is
configured successfully, a fault needs
to be simulated to ensure that the
specified interface is blocked.
Perform the following operations on the Layer 2 switching device where the primary edge
interface or no-neighbor primary edge interface resides.
Procedure
Step 1 Run:
system-view
Step 2 Run:
sep segment segment-id
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run:
preempt { manual | delay seconds }
By default, no preemption mode is configured on the primary edge interface, that is, the non-
preemption mode is used.
----End
Procedure
l Run the display sep topology [ segment segment-id ] [ verbose ] command to check the
topology status of a specified SEP segment.
----End
Applicable Environment
In common SEP networking, a physical ring can be configured with only one SEP segment in
which only one interface can be blocked. If an interface in a complete SEP segment is
blocked, all service data is transmitted only along the path where the primary edge interface is
located. The path where the secondary edge interface is located remains idle, wasting
bandwidth.
IP/MPLS Core
Core
group 1:Master group 2:Master
group 2:Backup group 1:Backup
NPE1 NPE2
VRRP+peer BFD
Aggregation
LSW2 LSW4
SEP
Segment2
P2 SEP Segment1 P1
LSW1 LSW3
Instance1: Instance2:
Access
CE1 CE2
Primary Edge Port
Secondary Edge Port
Block Port
SEP multi-instance is used to improve bandwidth efficiency and implement traffic load
balancing and link backup. As shown in Figure 17-18, multiple instances are deployed in the
SEP segment, and protected instances are mapped to different VLANs. Data traffic for
different VLANs can then be transmitted along different paths.
NOTE
Currently, SEP multi-instance allows two SEP segments to be configured on a physical ring. Different
blocked interfaces and priorities need to be configured for the two SEP segments.
Pre-configuration Tasks
Before configuring SEP multi-instance, complete the following tasks:
l Configure basic SEP functions.
l Specify an interface to block.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stp region-configuration
Step 3 Run:
instance instance-id vlan { vlan-id [ to vlan-id ] } &<1-10>
The value of instance-id specified in this command must be the same as that of instance-id
specified in the protected-instance command.
Before you switch a VLAN from one SEP segment to another segment, shut down the
blocked port. If you do not shut down the blocked port, a routing loop may occur after the
VLAN switchover.
NOTE
To configure the mapping between the protected instance and MUX VLAN, you are advised to
configure the principal VLAN, and subordinate group VLANs and subordinate separate VLANs of the
MUX VLAN in the same protected instance. Otherwise, loops may occur.
Step 4 Run:
active region-configuration
After mappings between protected instances and VLANs take effect, topology changes of a
SEP segment affect only corresponding VLANs. This ensures reliable service data
transmission.
----End
Context
SEP runs on devices at the access layer. The topology change notification function enables
devices to detect topology changes on the upper and lower-layer networks.
If the upper-layer network fails to be notified of the topology change in a SEP segment, the
MAC address entries remain unchanged on the upper layer network and user traffic may be
interrupted. To ensure uninterrupted traffic forwarding, configure devices on the lower-layer
network to report topology changes to the upper-layer network and specify the devices on the
upper-layer network that will be notified of topology changes.
NOTE
Currently, topology changes in a SEP segment can be reported to other SEP segments, STP networks,
RRPP networks, VPLS networks, and SmartLink networks.
Switch XGE interfaces connected to the ACU2, ET1D2IPS0S00, ET1D2FW00S00, ET1D2FW00S01 or
ET1D2FW00S02 card do not support SEP topology change notification on the VPLS network.
After receiving a topology change notification from a lower-layer network, a device on the
upper-layer network sends TC packets to instruct other devices on the upper-layer network to
clear original MAC addresses and learn new MAC addresses after the topology of the lower-
layer network changes. This ensures uninterrupted traffic forwarding.
Procedure
Step 1 Run:
system-view
Step 2 Run:
sep segment segment-id
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run:
tc-notify { segment { segment-id1 [ to segment-id2 ] } &<1-10> | stp | rrpp |
smart-link send-packet vlan vlan-id | vpls }
The topology change of the specified SEP segment is reported to another SEP segment or a
network running other ring protocols such as STP or RRPP.
----End
Follow-up Procedure
In the networking scenario where three or more SEP ring networks exist, when a topology
change notification is sent through multiple links, the upper-layer network will receive it
multiple times. This reduces packet processing efficiency on the upper-layer network.
Therefore, topology change notifications need to be suppressed. Suppressing topology change
notifications frees the upper-layer network from processing multiple duplicate packets and
protects the devices in the SEP segment against topology change notification attacks.
Run the tc-protection interval interval-value command in the SEP segment view to set the
interval for suppressing topology change notifications.
By default, the interval for suppressing topology change notifications is 2s, and three
topology change notifications with different source addresses are processed within 2s.
NOTE
l In the networking scenario where three or more SEP ring networks exist, the tc-protection interval
interval-value command must be run. If this command is not run, the default interval for suppressing
topology change notifications is used.
l A longer interval ensures stable SEP operation but reduces convergence performance.
Context
When a host is connected to a SEP network using a Smart Link group, the host sends Smart
Link Flush packets to inform the remote device in the SEP segment if devices in the Smart
Link group experience an active/standby switchover. Therefore, devices in a SEP segment
must be able to process Smart Link Flush packets.
Procedure
Step 1 Run:
system-view
Step 2 Run:
sep segment segment-id
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run:
deal smart-link-flush
The device in a SEP segment is configured to process Smart Link Flush packets.
By default, no device in a SEP segment is configured to process Smart Link Flush packets.
Step 4 Run:
quit
Step 5 Run:
interface interface-type interface-number
Step 6 Run:
smart-link flush receive control-vlan vlan-id [ password { simple | sha }
password ]
The control VLAN ID and password contained in Flush packets on both devices must be the
same.
----End
Context
SEP runs on devices at the access layer or aggregation layer. To enable devices running SEP
to detect the topology changes in an upper-layer network, you must configure on SEP and
CFM association the device connecting the lower-layer network to the upper-layer network.
When CFM detects a fault on the upper-layer network, the edge device sends a CFM packet to
notify the OAM module of the fault. Then the SEP status of the interface associated with
CFM on the edge device changes to Down.
The peer device (on the SEP segment) of the edge device notifies other nodes in the same SEP
segment of topology changes by sending Flush-FDB packets. After a device in the SEP
segment receives the Flush-FDB packet, the blocked interface on the device is unblocked,
enters the Forwarding state, and sends a Flush-FDB packet to instruct other nodes in the SEP
segment to refresh their MAC forwarding tables and ARP tables. Therefore, the lower-layer
network can then detect the faults on the upper-layer network, ensuring reliable service
transmission.
NOTE
IEEE 802.1ag, also known as Connectivity Fault Management (CFM), defines OAM functions, such as
continuity check (CC), link trace (LT) and loopback (LB), for Ethernet networks. CFM is network-level
OAM and applies to large-scale end-to-end networking.
Procedure
Step 1 Run:
system-view
----End
Procedure
l Run the display sep interface verbose command to check information about the
interfaces added to a SEP segment.
l Run the display this command in the OAM management view to check the
configuration of topology change notification on the upper-layer network topology.
----End
Context
NOTICE
SEP statistics cannot be restored after being cleared. Therefore, exercise caution when you
run reset commands.
Procedure
Step 1 Run the reset sep interface interface-type interface-number statistics command in the user
view to clear SEP packet statistics on a specified interface in a SEP segment.
----End
Networking Requirements
Generally, redundant links are used to connect an Ethernet switching network to an upper-
layer network to provide link backup and enhance network reliability. The use of redundant
links, however, may produce loops, causing broadcast storms and rendering the MAC address
table unstable. As a result, communication quality deteriorates, and services may even be
interrupted. SEP can be deployed on the ring network to eliminate loops and restore
communication if a link fault occurs.
In the closed ring networking, CE1 is dual-homed to a Layer 2 network through multiple
Layer 2 switching devices. The two edge devices connected to the upper-layer Layer 2
network are directly connected to each other. The closed ring network is deployed at the
aggregation layer to transparently transmit Layer 2 unicast and multicast packets. SEP runs at
the aggregation layer to implement link redundancy.
As shown in Figure 17-19, Layer 2 switching devices LSW1 to LSW5 form a ring network.
SEP
Segment1
GE1/0/1 GE1/0/1
LSW2 LSW4
LSW3
GE1/0/2 GE1/0/2
GE1/0/1 GE1/0/2
GE1/0/3
GE1/0/1
Access
Configuration Roadmap
The configuration roadmap is as follows:
Set the highest priority for GE1/0/2 of LSW3 and retain the default priority of the
other interfaces so that GE1/0/2 of LSW3 will be blocked.
e. Configure delayed preemption on the device where the primary edge interface is
located.
2. Configure the Layer 2 forwarding function on CE1 and LSW1 to LSW5.
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the control
VLAN of SEP segment 1.
# Configure LSW1.
<HUAWEI> system-view
[HUAWEI] sysname LSW1
[LSW1] sep segment 1
[LSW1-sep-segment1] control-vlan 10
[LSW1-sep-segment1] protected-instance all
[LSW1-sep-segment1] quit
# Configure LSW2.
<HUAWEI> system-view
[HUAWEI] sysname LSW2
[LSW2] sep segment 1
[LSW2-sep-segment1] control-vlan 10
[LSW2-sep-segment1] protected-instance all
[LSW2-sep-segment1] quit
# Configure LSW3.
<HUAWEI> system-view
[HUAWEI] sysname LSW3
[LSW3] sep segment 1
[LSW3-sep-segment1] control-vlan 10
[LSW3-sep-segment1] protected-instance all
[LSW3-sep-segment1] quit
# Configure LSW4.
<HUAWEI> system-view
[HUAWEI] sysname LSW4
[LSW4] sep segment 1
[LSW4-sep-segment1] control-vlan 10
[LSW4-sep-segment1] protected-instance all
[LSW4-sep-segment1] quit
# Configure LSW5.
<HUAWEI> system-view
[HUAWEI] sysname LSW5
[LSW5] sep segment 1
[LSW5-sep-segment1] control-vlan 10
[LSW5-sep-segment1] protected-instance all
[LSW5-sep-segment1] quit
NOTE
– The control VLAN must be a VLAN that has not been created or used, but the configuration
file automatically displays the command for creating the VLAN.
– Each SEP segment must be configured with a control VLAN. After an interface is added to the
SEP segment configured with a control VLAN, the interface is automatically added to the
control VLAN.
2. Add all devices on the ring to SEP segment 1 and configure interface roles on the
devices.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment,
disable STP on the interface.
# On LSW1, configure GE1/0/1 as the primary edge interface and GE1/0/3 as the
secondary edge interface.
[LSW1] interface gigabitethernet 1/0/1
[LSW1-GigabitEthernet1/0/1] port link-type hybrid
[LSW1-GigabitEthernet1/0/1] stp disable
[LSW1-GigabitEthernet1/0/1] sep segment 1 edge primary
[LSW1-GigabitEthernet1/0/1] quit
[LSW1] interface gigabitethernet 1/0/3
[LSW1-GigabitEthernet1/0/3] port link-type hybrid
[LSW1-GigabitEthernet1/0/3] stp disable
[LSW1-GigabitEthernet1/0/3] sep segment 1 edge secondary
[LSW1-GigabitEthernet1/0/3] quit
# Configure LSW2.
[LSW2] interface gigabitethernet 1/0/1
[LSW2-GigabitEthernet1/0/1] port link-type hybrid
[LSW2-GigabitEthernet1/0/1] stp disable
[LSW2-GigabitEthernet1/0/1] sep segment 1
[LSW2-GigabitEthernet1/0/1] quit
[LSW2] interface gigabitethernet 1/0/2
[LSW2-GigabitEthernet1/0/2] port link-type hybrid
[LSW2-GigabitEthernet1/0/2] stp disable
[LSW2-GigabitEthernet1/0/2] sep segment 1
[LSW2-GigabitEthernet1/0/2] quit
# Configure LSW3.
[LSW3] interface gigabitethernet 1/0/1
[LSW3-GigabitEthernet1/0/1] port link-type hybrid
[LSW3-GigabitEthernet1/0/1] stp disable
[LSW3-GigabitEthernet1/0/1] sep segment 1
[LSW3-GigabitEthernet1/0/1] quit
[LSW3] interface gigabitethernet 1/0/2
[LSW3-GigabitEthernet1/0/2] port link-type hybrid
[LSW3-GigabitEthernet1/0/2] stp disable
[LSW3-GigabitEthernet1/0/2] sep segment 1
[LSW3-GigabitEthernet1/0/2] quit
# Configure LSW4.
[LSW4] interface gigabitethernet 1/0/1
[LSW4-GigabitEthernet1/0/1] port link-type hybrid
[LSW4-GigabitEthernet1/0/1] stp disable
[LSW4-GigabitEthernet1/0/1] sep segment 1
[LSW4-GigabitEthernet1/0/1] quit
[LSW4] interface gigabitethernet 1/0/2
[LSW4-GigabitEthernet1/0/2] port link-type hybrid
[LSW4-GigabitEthernet1/0/2] stp disable
[LSW4-GigabitEthernet1/0/2] sep segment 1
[LSW4-GigabitEthernet1/0/2] quit
# Configure LSW5.
[LSW5] interface gigabitethernet 1/0/1
[LSW5-GigabitEthernet1/0/1] port link-type hybrid
[LSW5-GigabitEthernet1/0/1] stp disable
[LSW5-GigabitEthernet1/0/1] sep segment 1
[LSW5-GigabitEthernet1/0/1] quit
[LSW5] interface gigabitethernet 1/0/3
[LSW5-GigabitEthernet1/0/3] port link-type hybrid
[LSW5-GigabitEthernet1/0/3] stp disable
[LSW5-GigabitEthernet1/0/3] sep segment 1
[LSW5-GigabitEthernet1/0/3] quit
NOTE
– You must set the preemption delay when delayed preemption is used because there is no
default delay time.
– When the last faulty interface recovers, edge interfaces do not receive any fault notification
packet. If the primary edge interface does not receive any fault notification packet, it starts the
delay timer. When the delay timer expires, nodes in the SEP segment start blocked interface
preemption.
To implement delayed preemption in this example, simulate a port fault and then rectify the
fault. For example:
Run the shutdown command on GE1/0/1 of LSW2 to simulate an interface fault, and then run
the undo shutdown command on GE1/0/2 to rectify the fault.
Step 2 Configure the Layer 2 forwarding function on CE1 and LSW1 to LSW5.
For details about the configuration, see the configuration files.
Step 3 Verify the configuration.
l Run the shutdown command on GE1/0/1 of LSW3 to simulate an interface fault, and
then run the display sep interface command on LSW3 to check whether GE1/0/2 of
LSW3 has switched from the Discarding state to the Forwarding state.
<LSW3> display sep interface gigabitethernet 1/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE1/0/2 common up forwarding
----End
Configuration Files
l LSW1 configuration file
#
sysname LSW1
#
vlan batch 10 100 200
#
sep segment 1
control-vlan 10
block port optimal
preempt delay 30
protected-instance 0 to 48
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1 edge primary
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 200
port hybrid tagged vlan 100
control-vlan 10
protected-instance 0 to 48
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
return
l LSW5 configuration file
#
sysname LSW5
#
vlan batch 10 100 200
#
sep segment 1
control-vlan 10
protected-instance 0 to 48
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 200
port hybrid tagged vlan 100
port hybrid untagged vlan 200
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1
#
return
l CE1 configuration file
#
sysname CE1
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
return
interrupted. SEP can be deployed on the ring network to eliminate loops and restore
communication if a link fault occurs.
In multi-ring networking, multiple rings consisting of Layer 2 switching devices are deployed
at the access layer and aggregation layer. SEP runs at the access layer and aggregation layer to
implement link redundancy.
As shown in Figure 17-20, multiple Layer 2 switching devices form ring networks at the
access layer and aggregation layer.
SEP runs at the access layer and aggregation layer. When there is no faulty link on a ring
network, SEP can eliminate loops on the network. When a link fails on the ring network, SEP
can rapidly restore communication between nodes on the network.
SEP
GE1/0/1 Segment 1 GE1/0/3
LSW4
LSW2 G GE1/0/1
E1 GE1/0/2
GE1/0/2
0/ LSW3
/
3
GE1/0/4
GE1/0/1 GE1/0/2 GE1/0/1 GE1/0/2
Se S
t2
gm EP
gm EP
en
Se S
GE1/0/1 GE1/0/1
CE2
CE1
VLAN VLAN
200 100
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30 as
their respective control VLANs, as shown in Figure 17-20.
# Configure LSW1.
<HUAWEI> system-view
[HUAWEI] sysname LSW1
[LSW1] sep segment 1
[LSW1-sep-segment1] control-vlan 10
[LSW1-sep-segment1] protected-instance all
[LSW1-sep-segment1] quit
# Configure LSW2.
<HUAWEI> system-view
[HUAWEI] sysname LSW2
[LSW2] sep segment 1
[LSW2-sep-segment1] control-vlan 10
[LSW2-sep-segment1] protected-instance all
[LSW2-sep-segment1] quit
[LSW2] sep segment 2
[LSW2-sep-segment2] control-vlan 20
[LSW2-sep-segment2] protected-instance all
[LSW2-sep-segment2] quit
# Configure LSW3.
<HUAWEI> system-view
[HUAWEI] sysname LSW3
[LSW3] sep segment 1
[LSW3-sep-segment1] control-vlan 10
[LSW3-sep-segment1] protected-instance all
[LSW3-sep-segment1] quit
[LSW3] sep segment 2
[LSW3-sep-segment2] control-vlan 20
[LSW3-sep-segment2] protected-instance all
[LSW3-sep-segment2] quit
[LSW3] sep segment 3
[LSW3-sep-segment3] control-vlan 30
[LSW3-sep-segment3] protected-instance all
[LSW3-sep-segment3] quit
# Configure LSW4.
<HUAWEI> system-view
[HUAWEI] sysname LSW4
[LSW4] sep segment 1
[LSW4-sep-segment1] control-vlan 10
[LSW4-sep-segment1] protected-instance all
[LSW4-sep-segment1] quit
[LSW4] sep segment 3
[LSW4-sep-segment3] control-vlan 30
[LSW4-sep-segment3] protected-instance all
[LSW4-sep-segment3] quit
# Configure LSW5.
<HUAWEI> system-view
[HUAWEI] sysname LSW5
[LSW5] sep segment 1
[LSW5-sep-segment1] control-vlan 10
[LSW5-sep-segment1] protected-instance all
[LSW5-sep-segment1] quit
– The control VLAN must be a VLAN that has not been created or used, but the configuration
file automatically displays the command for creating the VLAN.
– Each SEP segment must be configured with a control VLAN. After an interface is added to the
SEP segment configured with a control VLAN, the interface is automatically added to the
control VLAN.
2. Add devices on the rings to the SEP segments and configure interface roles according to
Figure 17-20.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment,
disable STP on the interface.
# On LSW1, configure GE1/0/1 as the primary edge interface and GE1/0/3 as the
secondary edge interface.
[LSW1] interface gigabitethernet 1/0/1
[LSW1-GigabitEthernet1/0/1] port link-type hybrid
[LSW1-GigabitEthernet1/0/1] stp disable
[LSW1-GigabitEthernet1/0/1] sep segment 1 edge primary
[LSW1-GigabitEthernet1/0/1] quit
[LSW1] interface gigabitethernet 1/0/3
[LSW1-GigabitEthernet1/0/3] port link-type hybrid
[LSW1-GigabitEthernet1/0/3] stp disable
[LSW1-GigabitEthernet1/0/3] sep segment 1 edge secondary
[LSW1-GigabitEthernet1/0/3] quit
# Configure LSW2.
[LSW2] interface gigabitethernet 1/0/1
[LSW2-GigabitEthernet1/0/1] port link-type hybrid
[LSW2-GigabitEthernet1/0/1] stp disable
[LSW2-GigabitEthernet1/0/1] sep segment 1
[LSW2-GigabitEthernet1/0/1] quit
[LSW2] interface gigabitethernet 1/0/3
[LSW2-GigabitEthernet1/0/3] port link-type hybrid
[LSW2-GigabitEthernet1/0/3] stp disable
[LSW2-GigabitEthernet1/0/3] sep segment 1
[LSW2-GigabitEthernet1/0/3] quit
[LSW2] interface gigabitethernet 1/0/2
[LSW2-GigabitEthernet1/0/2] port link-type hybrid
[LSW2-GigabitEthernet1/0/2] stp disable
[LSW2-GigabitEthernet1/0/2] sep segment 2 edge primary
[LSW2-GigabitEthernet1/0/2] quit
# Configure LSW3.
[LSW3] interface gigabitethernet 1/0/3
[LSW3-GigabitEthernet1/0/3] port link-type hybrid
[LSW3-GigabitEthernet1/0/3] stp disable
[LSW3-GigabitEthernet1/0/3] sep segment 1
[LSW3-GigabitEthernet1/0/3] quit
[LSW3] interface gigabitethernet 1/0/4
[LSW3-GigabitEthernet1/0/4] port link-type hybrid
[LSW3-GigabitEthernet1/0/4] stp disable
[LSW3-GigabitEthernet1/0/4] sep segment 1
[LSW3-GigabitEthernet1/0/4] quit
[LSW3] interface gigabitethernet 1/0/2
[LSW3-GigabitEthernet1/0/2] port link-type hybrid
[LSW3-GigabitEthernet1/0/2] stp disable
[LSW3-GigabitEthernet1/0/2] sep segment 2 edge secondary
[LSW3-GigabitEthernet1/0/2] quit
[LSW3] interface gigabitethernet 1/0/1
[LSW3-GigabitEthernet1/0/1] port link-type hybrid
[LSW3-GigabitEthernet1/0/1] stp disable
[LSW3-GigabitEthernet1/0/1] sep segment 3 edge secondary
[LSW3-GigabitEthernet1/0/1] quit
# Configure LSW4.
[LSW4] interface gigabitethernet 1/0/2
[LSW4-GigabitEthernet1/0/2] port link-type hybrid
[LSW4-GigabitEthernet1/0/2] stp disable
[LSW4-GigabitEthernet1/0/2] sep segment 1
[LSW4-GigabitEthernet1/0/2] quit
[LSW4] interface gigabitethernet 1/0/3
[LSW4-GigabitEthernet1/0/3] port link-type hybrid
[LSW4-GigabitEthernet1/0/3] stp disable
[LSW4-GigabitEthernet1/0/3] sep segment 1
[LSW4-GigabitEthernet1/0/3] quit
[LSW4] interface gigabitethernet 1/0/1
[LSW4-GigabitEthernet1/0/1] port link-type hybrid
[LSW4-GigabitEthernet1/0/1] stp disable
[LSW4-GigabitEthernet1/0/1] sep segment 3 edge primary
[LSW4-GigabitEthernet1/0/1] quit
# Configure LSW5.
[LSW5] interface gigabitethernet 1/0/1
[LSW5-GigabitEthernet1/0/1] port link-type hybrid
[LSW5-GigabitEthernet1/0/1] stp disable
[LSW5-GigabitEthernet1/0/1] sep segment 1
[LSW5-GigabitEthernet1/0/1] quit
[LSW5] interface gigabitethernet 1/0/3
[LSW5-GigabitEthernet1/0/3] port link-type hybrid
[LSW5-GigabitEthernet1/0/3] stp disable
[LSW5-GigabitEthernet1/0/3] sep segment 1
[LSW5-GigabitEthernet1/0/3] quit
# On LSW3, set the priority of GE1/0/4 to 128, which is the highest priority among the
interfaces so that GE1/0/4 will be blocked.
[LSW3] interface gigabitethernet 1/0/4
[LSW3-GigabitEthernet1/0/4] sep segment 1 priority 128
[LSW3-GigabitEthernet1/0/4] quit
# On LSW4 where the primary edge interface of SEP segment 3 is located, specify the
blocked interface based on the configured hop count.
[LSW4] sep segment 3
[LSW4-sep-segment3] block port hop 5
[LSW4-sep-segment3] quit
NOTE
SEP sets the hop count of the primary edge interface to 1 and the hop count of the secondary edge
interface to 2. Hop counts of other interfaces increase by steps of 1 in the downstream direction of
the primary interface.
4. Configure the preemption mode.
# Configure delayed preemption on LSW1.
[LSW1] sep segment 1
[LSW1-sep-segment1] preempt delay 30
NOTE
– You must set the preemption delay when delayed preemption is used because there is no
default delay time.
– When the last faulty interface recovers, edge interfaces do not receive any fault notification
packet. If the primary edge interface does not receive any fault notification packet, it starts the
delay timer. When the delay timer expires, nodes in the SEP segment start blocked interface
preemption.
To implement delayed preemption in this example, simulate a port fault and then rectify the
fault. For example:
Run the shutdown command on GE1/0/1 of LSW2 to simulate an interface fault, and then run
the undo shutdown command on GE1/0/2 to rectify the fault.
# Configure manual preemption on LSW2.
[LSW2] sep segment 2
[LSW2-sep-segment2] preempt manual
# Configure LSW3.
[LSW3] sep segment 2
[LSW3-sep-segment2] tc-notify segment 1
[LSW3-sep-segment2] quit
# Configure LSW4.
[LSW4] sep segment 3
[LSW4-sep-segment3] tc-notify segment 1
[LSW4-sep-segment3] quit
NOTE
The topology change notification function is configured on edge devices between SEP segments
so that the upper-layer network can be notified of topology changes on the lower-layer network.
Step 2 Configure the Layer 2 forwarding function on the CEs and LSW1 to LSW11.
For details about the configuration, see the configuration files.
Step 3 Verify the configuration.
After completing the preceding configurations, verify the configuration. LSW1 is used as an
example.
l Run the shutdown command on GE1/0/1 of LSW2 to simulate an interface fault, and
then run the display sep interface command on LSW3 to check whether GE1/0/4 of
LSW3 has switched from the Discarding state to the Forwarding state.
<LSW3> display sep interface gigabitethernet 1/0/4
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE1/0/4 common up forwarding
----End
Configuration Files
l LSW1 configuration file
#
sysname LSW1
#
vlan batch 10 100 200 300
#
sep segment 1
control-vlan 10
block port optimal
preempt delay 30
protected-instance 0 to 48
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1 edge primary
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 300
port hybrid tagged vlan 100 200
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 10 100 200 300
stp disable
sep segment 1 edge secondary
#
return
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1
#
return
l LSW3 configuration file
#
sysname LSW3
#
vlan batch 10 20 30 100 200
#
sep segment 1
control-vlan 10
protected-instance 0 to 48
sep segment 2
control-vlan 20
tc-notify segment 1
protected-instance 0 to 48
sep segment 3
control-vlan 30
tc-notify segment 1
protected-instance 0 to 48
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 30 100
stp disable
sep segment 3 edge secondary
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 20 200
stp disable
sep segment 2 edge secondary
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1
#
interface GigabitEthernet1/0/4
port link-type hybrid
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1
sep segment 1 priority 128
#
return
l LSW4 configuration file
#
sysname LSW4
#
vlan batch 10 30 100 200
#
sep segment 1
control-vlan 10
protected-instance 0 to 48
sep segment 3
control-vlan 30
block port hop 5
tc-notify segment 1
protected-instance 0 to 48
#
interface GigabitEthernet1/0/1
#
return
l LSW7 configuration file
#
sysname LSW7
#
vlan batch 20 200
#
sep segment 2
control-vlan 20
protected-instance 0 to 48
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 20 200
stp disable
sep segment 2
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 20 200
stp disable
sep segment 2
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 200
#
return
l LSW8 configuration file
#
sysname LSW8
#
vlan batch 20 200
#
sep segment 2
control-vlan 20
protected-instance 0 to 48
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 20 200
stp disable
sep segment 2
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 20 200
stp disable
sep segment 2
#
return
l LSW9 configuration file
#
sysname LSW9
#
vlan batch 30 100
#
sep segment 3
control-vlan 30
protected-instance 0 to 48
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 30 100
stp disable
sep segment 3
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 30 100
stp disable
sep segment 3
#
return
l LSW10 configuration file
#
sysname LSW10
#
vlan batch 30 100
#
sep segment 3
control-vlan 30
protected-instance 0 to 48
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 30 100
stp disable
sep segment 3
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 30 100
stp disable
sep segment 3
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 100
#
return
l LSW11 configuration file
#
sysname LSW11
#
vlan batch 30 100
#
sep segment 3
control-vlan 30
protected-instance 0 to 48
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 30 100
stp disable
sep segment 3
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 30 100
stp disable
sep segment 3
#
return
l CE1 configuration file
#
sysname CE1
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
return
NOTE
In this example, devices at the aggregation layer run the MSTP protocol.
As shown in Figure 17-21, multiple Layer 2 switching devices form a ring at the access layer,
and multiple Layer 3 devices form a ring at the aggregation layer. The two devices where the
access layer and the aggregation layer are intersected do not support SEP. You can configure
SEP at the access layer to implement redundancy protection switching and configure the
topology change notification function on an edge device in a SEP segment. This function
enables an upper-layer network to detect topology changes in a lower-layer network in time.
l When there is no faulty link on the ring network, SEP can eliminate loops.
l When a link fails on the ring network, SEP can rapidly restore communication between
nodes.
l The topology change notification function must be configured on an edge device in a
SEP segment. This enables an upper-layer network to detect topology changes in a
lower-layer network in time.
After receiving a message indicating the topology change in a lower-layer network, a device
on an upper-layer network sends TC packets to instruct other devices to delete original MAC
addresses and learn new MAC addresses after the topology of the lower-layer network
changes. This ensures uninterrupted traffic forwarding.
GE1/0/2
GE1/0/3 GE1/0/3
GE1/0/2
Aggregation
PE3 PE4
GE1/0/1
GE1/0/1
MSTP
GE1/0/3
GE1/0/1 Do not Support SEP GE1/0/1
GE1/0/1 GE1/0/1
SEP
LSW1 Segment1 LSW2
GE1/0/2 GE1/0/2
GE1/0/2 GE1/0/1
Access
GE1/0/3LSW3
GE1/0/1
CE
No-neighbor Primary Edge Port
No-neighbor Secondary Edge Port
VLAN100
Block Port(SEP)
Block Port(MSTP)
Configuration Roadmap
The configuration roadmap is as follows:
PE1 and PE2 do not support the SEP protocol; therefore, the interfaces of LSW1 and LSW2
connected to the PEs must be no-neighbor edge interfaces.
c. On the device where the no-neighbor primary edge interface is located, specify the
interface in the middle of the SEP segment as the interface to block.
d. Configure manual preemption.
e. Configure the topology change notification function so that the upper-layer network
running MSTP can be notified of topology changes in the SEP segment.
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as the control
VLAN of SEP segment 1.
# Configure LSW1.
<HUAWEI> system-view
[HUAWEI] sysname LSW1
[LSW1] sep segment 1
[LSW1-sep-segment1] control-vlan 10
[LSW1-sep-segment1] protected-instance all
[LSW1-sep-segment1] quit
# Configure LSW2.
<HUAWEI> system-view
[HUAWEI] sysname LSW2
[LSW2] sep segment 1
[LSW2-sep-segment1] control-vlan 10
[LSW2-sep-segment1] protected-instance all
[LSW2-sep-segment1] quit
# Configure LSW3.
<HUAWEI> system-view
[HUAWEI] sysname LSW3
[LSW3] sep segment 1
[LSW3-sep-segment1] control-vlan 10
[LSW3-sep-segment1] protected-instance all
[LSW3-sep-segment1] quit
NOTE
– The control VLAN must be a VLAN that has not been created or used, but the configuration
file automatically displays the command for creating the VLAN.
– Each SEP segment must be configured with a control VLAN. After an interface is added to the
SEP segment configured with a control VLAN, the interface is automatically added to the
control VLAN.
2. Add LSW1 to LSW3 to SEP segment 1 and configure interface roles.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment,
disable STP on the interface.
# Configure LSW1.
[LSW1] interface gigabitethernet 1/0/1
[LSW1-GigabitEthernet1/0/1] port link-type hybrid
[LSW1-GigabitEthernet1/0/1] sep segment 1 edge no-neighbor primary
[LSW1-GigabitEthernet1/0/1] quit
[LSW1] interface gigabitethernet 1/0/2
[LSW1-GigabitEthernet1/0/2] port link-type hybrid
[LSW1-GigabitEthernet1/0/2] stp disable
[LSW1-GigabitEthernet1/0/2] sep segment 1
[LSW1-GigabitEthernet1/0/2] quit
# Configure LSW2.
# Configure LSW3.
[LSW3] interface gigabitethernet 1/0/1
[LSW3-GigabitEthernet1/0/1] port link-type hybrid
[LSW3-GigabitEthernet1/0/1] stp disable
[LSW3-GigabitEthernet1/0/1] sep segment 1
[LSW3-GigabitEthernet1/0/1] quit
[LSW3] interface gigabitethernet 1/0/2
[LSW3-GigabitEthernet1/0/2] port link-type hybrid
[LSW3-GigabitEthernet1/0/2] stp disable
[LSW3-GigabitEthernet1/0/2] sep segment 1
[LSW3-GigabitEthernet1/0/2] quit
# Configure LSW2.
[LSW2] sep segment 1
[LSW2-sep-segment1] tc-notify stp
[LSW2-sep-segment1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] stp region-configuration
[PE2-mst-region] region-name RG1
[PE2-mst-region] active region-configuration
[PE2-mst-region] quit
# Configure PE3.
<HUAWEI> system-view
[HUAWEI] sysname PE3
# Configure PE4.
<HUAWEI> system-view
[HUAWEI] sysname PE4
[PE4] stp region-configuration
[PE4-mst-region] region-name RG1
[PE4-mst-region] active region-configuration
[PE4-mst-region] quit
# Configure LSW1.
[LSW1] stp region-configuration
[LSW1-mst-region] region-name RG1
[LSW1-mst-region] active region-configuration
[LSW1-mst-region] quit
# Configure LSW2.
[LSW2] stp region-configuration
[LSW2-mst-region] region-name RG1
[LSW2-mst-region] active region-configuration
[LSW2-mst-region] quit
# On PE2, PE3, and PE4, create VLAN 100 and add GE1/0/1, GE1/0/2, and GE1/0/3 to
VLAN 100.
The configurations of PE2, PE3, and PE4 are similar to the configuration of PE1. For
details about the configuration, see the configuration files.
# On LSW1 and LSW2, create VLAN 100 and add GE1/0/1 to VLAN 100. The
configurations of LSW1 and LSW2 are similar to the configuration of PE1. For details
about the configuration, see the configuration files.
3. Enable MSTP.
# Configure PE1.
[PE1] stp enable
# Configure PE2.
[PE2] stp enable
# Configure PE3.
[PE3] stp enable
# Configure PE4.
[PE4] stp enable
# Configure LSW1.
[LSW1] stp enable
# Configure LSW2.
[LSW2] stp enable
4. Configure PE3 as the root bridge and PE4 as the backup root bridge.
# Set the priority of PE3 to 0 in MSTI0 to ensure that PE3 functions as the root bridge.
[PE3] stp root primary
# Set the priority of PE4 to 4096 in MSTI0 to ensure that PE4 functions as the backup
root bridge.
[PE4] stp root secondary
Step 3 Configure the Layer 2 forwarding function on the CE and LSW1 to LSW3.
For details about the configuration, see the configuration files.
Step 4 Verify the configuration.
After the configurations are complete and network becomes stable, run the following
commands to verify the configuration. LSW1 is used as an example.
l Run the shutdown command on GE1/0/1 of LSW2 to simulate an interface fault, and
then run the display sep interface command on LSW3 to check whether GE1/0/2 of
LSW3 has switched from the Discarding state to the Forwarding state.
<LSW3> display sep interface gigabitethernet 1/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE1/0/2 common up forwarding
----End
Configuration Files
l LSW1 configuration file
#
sysname LSW1
#
vlan batch 10 100
#
stp region-configuration
region-name RG1
active region-configuration
#
sep segment 1
control-vlan 10
block port middle
tc-notify stp
protected-instance 0 to 48
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 100
sep segment 1 edge no-neighbor primary
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
return
#
sysname LSW2
#
vlan batch 10 100
#
stp region-configuration
region-name RG1
active region-configuration
#
sep segment 1
control-vlan 10
tc-notify stp
protected-instance 0 to 48
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 100
sep segment 1 edge no-neighbor secondary
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
return
l LSW3 configuration file
#
sysname LSW3
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
protected-instance 0 to 48
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan vlan 100
#
return
l PE1 configuration file
#
sysname PE1
#
vlan batch 100
#
stp region-configuration
region-name RG1
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/2
region-name RG1
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 100 200
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 200
port hybrid tagged vlan 100
port hybrid untagged vlan 200
#
return
l CE configuration file
#
sysname CE
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
return
Networking Requirements
Generally, redundant links are used to connect an Ethernet switching network to an upper-
layer network to provide link backup and enhance network reliability. The use of redundant
links, however, may produce loops, causing broadcast storms and rendering the MAC address
table unstable. As a result, communication quality deteriorates, and services may even be
interrupted. SEP can be deployed on the ring network to eliminate loops and restore
communication if a link fault occurs.
In this example, you can configure SEP at the access layer to implement redundancy
protection switching and configure the topology change notification function on an edge
device in a SEP segment. This enables an upper-layer network to detect topology changes in a
lower-layer network in time.
Network
NPE1 NPE2
GE1/0/2
GE1/0/3 GE1/0/3
GE1/0/2
Aggregation
PE3 PE4
GE1/0/1
GE1/0/1
RRPP
GE1/0/3
GE1/0/1 GE1/0/1
GE1/0/1 GE1/0/1
SEP
LSW1 Segment1 LSW2
GE1/0/2 GE1/0/2
GE1/0/2 GE1/0/1
Access
GE1/0/3LSW3
GE1/0/1
CE
Primary Edge Port
Secondary Edge Port
VLAN100
Block Port(SEP)
Block Port(RRPP)
As shown in Figure 17-22, multiple Layer 2 switching devices at the access layer and
aggregation layer form a ring network to access the core layer. RRPP has been configured at
the aggregation layer to eliminate loops. In this case, SEP needs to run at the access layer to
implement the following functions:
l Eliminates loops when there is no faulty link on the ring network.
l Rapidly restores communication between nodes when a link fault occurs on the ring
network.
l Provides the topology change notification function on an edge device in a SEP segment.
This function enables an upper-layer network to detect topology changes in a lower-layer
network in time.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic SEP functions.
a. Configure SEP segment 1 on PE1, PE2, and LSW1 to LSW3 and configure VLAN
10 as the control VLAN of SEP segment 1.
b. Add PE1, PE2, and LSW1 to LSW3 to SEP segment 1, and configure interface
roles on edge devices (PE1 and PE2) of the SEP segment.
c. Set an interface blocking mode on the device where a primary edge interface is
located to specify an interface to block.
d. Configure the preemption mode to ensure that the specified interface is blocked
when a fault is rectified.
e. Configure the topology change notification function so that the topology change in
the local SEP segment can be notified to the upper-layer network where RRPP is
enabled.
2. Configure basic RRPP functions.
a. Add PE1 to PE4 to RRPP domain 1, create control VLAN 5 on PE1 to PE4, and
configure a protected VLAN.
b. Configure PE1 as the master node and PE2 to PE4 as transit nodes on the major
ring, and configure the primary and secondary interfaces of the major ring.
c. Create a VLAN on PE1 to PE4, and add the interfaces on the RRPP ring network to
the VLAN.
3. Configure the Layer 2 forwarding function on the CE, LSW1 to LSW3, and PE1 to PE4.
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 on PE1, PE2, and LSW1 to LSW3 and configure VLAN 10 as
the control VLAN of SEP segment 1.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] sep segment 1
[PE1-sep-segment1] control-vlan 10
[PE1-sep-segment1] protected-instance all
[PE1-sep-segment1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] sep segment 1
[PE2-sep-segment1] control-vlan 10
[PE2-sep-segment1] protected-instance all
[PE2-sep-segment1] quit
# Configure LSW1.
<HUAWEI> system-view
# Configure LSW2.
<HUAWEI> system-view
[HUAWEI] sysname LSW2
[LSW2] sep segment 1
[LSW2-sep-segment1] control-vlan 10
[LSW2-sep-segment1] protected-instance all
[LSW2-sep-segment1] quit
# Configure LSW3.
<HUAWEI> system-view
[HUAWEI] sysname LSW3
[LSW3] sep segment 1
[LSW3-sep-segment1] control-vlan 10
[LSW3-sep-segment1] protected-instance all
[LSW3-sep-segment1] quit
2. Add PE1, PE2, and LSW1 to LSW3 to SEP segment 1 and configure interface roles.
NOTE
By default, STP is enabled on an interface. Before adding an interface to a SEP segment, disable
STP on the interface.
# Configure PE1.
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-type trunk
[PE1-GigabitEthernet1/0/1] stp disable
[PE1-GigabitEthernet1/0/1] sep segment 1 edge primary
[PE1-GigabitEthernet1/0/1] quit
# Configure LSW1.
[LSW1] interface gigabitethernet 1/0/1
[LSW1-GigabitEthernet1/0/1] port link-type trunk
[LSW1-GigabitEthernet1/0/1] stp disable
[LSW1-GigabitEthernet1/0/1] sep segment 1
[LSW1-GigabitEthernet1/0/1] quit
[LSW1] interface gigabitethernet 1/0/2
[LSW1-GigabitEthernet1/0/2] port link-type trunk
[LSW1-GigabitEthernet1/0/2] stp disable
[LSW1-GigabitEthernet1/0/2] sep segment 1
[LSW1-GigabitEthernet1/0/2] quit
# Configure LSW2.
[LSW2] interface gigabitethernet 1/0/1
[LSW2-GigabitEthernet1/0/1] port link-type trunk
[LSW2-GigabitEthernet1/0/1] stp disable
[LSW2-GigabitEthernet1/0/1] sep segment 1
[LSW2-GigabitEthernet1/0/1] quit
[LSW2] interface gigabitethernet 1/0/2
[LSW2-GigabitEthernet1/0/2] port link-type trunk
[LSW2-GigabitEthernet1/0/2] stp disable
[LSW2-GigabitEthernet1/0/2] sep segment 1
[LSW2-GigabitEthernet1/0/2] quit
# Configure LSW3.
[LSW3] interface gigabitethernet 1/0/1
[LSW3-GigabitEthernet1/0/1] port link-type trunk
[LSW3-GigabitEthernet1/0/1] stp disable
[LSW3-GigabitEthernet1/0/1] sep segment 1
[LSW3-GigabitEthernet1/0/1] quit
[LSW3] interface gigabitethernet 1/0/2
[LSW3-GigabitEthernet1/0/2] port link-type trunk
[LSW3-GigabitEthernet1/0/2] stp disable
[LSW3-GigabitEthernet1/0/2] sep segment 1
[LSW3-GigabitEthernet1/0/2] quit
# Configure PE2.
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] port link-type trunk
[PE2-GigabitEthernet1/0/1] stp disable
[PE2-GigabitEthernet1/0/1] sep segment 1 edge secondary
[PE2-GigabitEthernet1/0/1] quit
After completing the preceding configurations, run the display sep topology command
on PE1 to view the topology of the SEP segment. The command output shows that the
blocked interface is one of the two interfaces that complete neighbor negotiations last.
[PE1] display sep topology
SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE1/0/1 primary forwarding 1
LSW1 GE1/0/1 common forwarding 2
LSW1 GE1/0/2 common forwarding 3
LSW3 GE1/0/2 common forwarding 4
LSW3 GE1/0/1 common forwarding 5
LSW2 GE1/0/2 common forwarding 6
LSW2 GE1/0/1 common forwarding 7
PE2 GE1/0/1 secondary discarding 8
# Configure PE2.
[PE2] sep segment 1
[PE2-sep-segment1] tc-notify rrpp
[PE2-sep-segment1] quit
After the preceding configurations are successful, perform the following operations to verify
the configurations. PE1 is used as an example.
l Run the display sep topology command on PE1 to view the topology of the SEP
segment.
The command output shows that the status of GE 1/0/2 on LSW3 is discarding and the
status of the other interfaces is forwarding.
[PE1] display sep topology
SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE1/0/1 primary forwarding 1
l Run the display sep interface verbose command on PE1 to view detailed information
about the interfaces added to the SEP segment.
[PE1] display sep interface verbose
SEP segment 1
Control-vlan :10
Preempt Delay Timer :0
TC-Notify Propagate to :rrpp
----------------------------------------------------------------
Interface :GE1/0/1
Port Role :Config = primary / Active = primary
Port Priority :64
Port Status :forwarding
Neighbor Status :up
Neighbor Port :LSW1 - GE1/0/1 (00e0-0829-7c00.0000)
NBR TLV rx :2124 tx :2126
LSP INFO TLV rx :2939 tx :135
LSP ACK TLV rx :113 tx :768
PREEMPT REQ TLV rx :0 tx :3
PREEMPT ACK TLV rx :3 tx :0
TC Notify rx :5 tx :3
EPA rx :363 tx :397
# Configure PE2.
[PE2] stp region-configuration
[PE2-mst-region] instance 1 vlan 5 6 100
[PE2-mst-region] active region-configuration
[PE2-mst-region] quit
[PE2] rrpp domain 1
[PE2-rrpp-domain-region1] control-vlan 5
[PE2-rrpp-domain-region1] protected-vlan reference-instance 1
# Configure PE3.
[PE3] stp region-configuration
[PE3-mst-region] instance 1 vlan 5 6 100
[PE3-mst-region] active region-configuration
[PE3-mst-region] quit
[PE3] rrpp domain 1
[PE3-rrpp-domain-region1] control-vlan 5
[PE3-rrpp-domain-region1] protected-vlan reference-instance 1
# Configure PE4.
[PE4] stp region-configuration
[PE4-mst-region] instance 1 vlan 5 6 100
[PE4-mst-region] active region-configuration
[PE4-mst-region] quit
[PE4] rrpp domain 1
[PE4-rrpp-domain-region1] control-vlan 5
2. Create a VLAN and add interfaces on the ring network to the VLAN.
# Create VLAN 100 on PE1, and add GE 1/0/1, GE 1/0/2, and GE 1/0/3 to VLAN 100.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] stp disable
[PE1-GigabitEthernet1/0/1] port link-type trunk
[PE1-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] stp disable
[PE1-GigabitEthernet1/0/2] port link-type trunk
[PE1-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] stp disable
[PE1-GigabitEthernet1/0/3] port link-type trunk
[PE1-GigabitEthernet1/0/3] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/3] quit
# Create VLAN 100 on PE2, and add GE 1/0/1, GE 1/0/2, and GE 1/0/3 to VLAN 100.
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] stp disable
[PE2-GigabitEthernet1/0/1] port link-type trunk
[PE2-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE2-GigabitEthernet1/0/1] quit
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] stp disable
[PE2-GigabitEthernet1/0/2] port link-type trunk
[PE2-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[PE2-GigabitEthernet1/0/2] quit
[PE2] interface gigabitethernet 1/0/3
[PE2-GigabitEthernet1/0/3] stp disable
[PE2-GigabitEthernet1/0/3] port link-type trunk
[PE2-GigabitEthernet1/0/3] port trunk allow-pass vlan 100
[PE2-GigabitEthernet1/0/3] quit
# Create VLAN 100 on PE3, and add GE 1/0/1 and GE 1/0/2 to VLAN 100.
[PE3] vlan 100
[PE3-vlan100] quit
[PE3] interface gigabitethernet 1/0/1
[PE3-GigabitEthernet1/0/1] stp disable
[PE3-GigabitEthernet1/0/1] port link-type trunk
[PE3-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE3-GigabitEthernet1/0/1] quit
[PE3] interface gigabitethernet 1/0/2
[PE3-GigabitEthernet1/0/2] stp disable
[PE3-GigabitEthernet1/0/2] port link-type trunk
[PE3-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[PE3-GigabitEthernet1/0/2] quit
# Create VLAN 100 on PE4, and add GE 1/0/1 and GE 1/0/2 to VLAN 100.
[PE4] vlan 100
[PE4-vlan100] quit
[PE4] interface gigabitethernet 1/0/1
[PE4-GigabitEthernet1/0/1] stp disable
[PE4-GigabitEthernet1/0/1] port link-type trunk
[PE4-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE4-GigabitEthernet1/0/1] quit
[PE4] interface gigabitethernet 1/0/2
[PE4-GigabitEthernet1/0/2] stp disable
[PE4-GigabitEthernet1/0/2] port link-type trunk
[PE4-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[PE4-GigabitEthernet1/0/2] quit
3. Configure PE1 as the master node and PE2 to PE4 as transit nodes of the major ring, and
configure the primary and secondary interfaces of the major ring.
# Configure PE1.
[PE1] rrpp domain 1
[PE1-rrpp-domain-region1] ring 1 node-mode master primary-port
gigabitethernet1/0/2 secondary-port gigabitethernet1/0/3 level 0
[PE1-rrpp-domain-region1] ring 1 enable
# Configure PE2.
[PE2] rrpp domain 1
[PE2-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitethernet1/0/2 secondary-port gigabitethernet1/0/3 level 0
[PE2-rrpp-domain-region1] ring 1 enable
# Configure PE3.
[PE3] rrpp domain 1
[PE3-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitethernet1/0/1 secondary-port gigabitethernet1/0/2 level 0
[PE3-rrpp-domain-region1] ring 1 enable
# Configure PE4.
[PE4] rrpp domain 1
[PE4-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitethernet1/0/1 secondary-port gigabitethernet1/0/2 level 0
[PE4-rrpp-domain-region1] ring 1 enable
4. Enable RRPP.
# Configure PE1.
[PE1] rrpp enable
# Configure PE2.
[PE2] rrpp enable
# Configure PE3.
[PE3] rrpp enable
# Configure PE4.
[PE4] rrpp enable
After completing the preceding configurations, run the display rrpp brief or display rrpp
verbose domain command on PE1 to check the RRPP configuration.
[PE1] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Ring Ring Node Primary/Common Secondary/Edge Is
ID Level Mode Port Port Enabled
----------------------------------------------------------------------------
1 0 M GigabitEthernet1/0/2 GigabitEthernet1/0/3 Yes
The command output shows that RRPP is enabled on PE1. In domain 1, VLAN 5 is the major
control VLAN, VLAN 6 is the sub-control VLAN, Instance 1 is the protected VLAN, and
PE1 is the master node in major ring 1 with the primary and secondary interfaces as
GigabitEthernet1/0/2 and GigabitEthernet1/0/3 respectively.
[PE1] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/2 Port status: UP
Secondary port : GigabitEthernet1/0/3 Port status: BLOCKED
The command output shows that in domain 1, VLAN 5 is the major control VLAN, VLAN 6
is the sub-control VLAN, Instance 1 is the protected VLAN, PE1 is the master node in major
ring 1 with the primary and secondary interfaces as GigabitEthernet1/0/2 and
GigabitEthernet1/0/3 respectively, and the node status is Complete.
Step 3 Configure the Layer 2 forwarding function on the CE, LSW1 to LSW3, and PE1 to PE4.
After the previous configurations, run the following commands to verify the configuration
when the network is stable. LSW1 is used as an example.
l Run the shutdown command on GE1/0/1 of LSW2 to simulate an interface fault, and
then run the display sep interface command on LSW3 to check whether the status of
GE1/0/2 changes from blocked to forwarding.
[LSW3] display sep interface gigabitethernet 1/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE1/0/2 common up forwarding
----End
Configuration Files
l LSW1 configuration file
#
sysname LSW1
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
protected-instance 0 to 48
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
return
ring 1 enable
#
sep segment 1
control-vlan 10
block port middle
tc-notify rrpp
protected-instance 0 to 48
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1 edge primary
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
return
#
sysname PE3
#
vlan batch 5 to 6 100 200
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet 1/0/1 secondary-port
GigabitEthernet 1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100 200
stp disable
#
interface GigabitEthernet1/0/3
port link-type trunk
port default vlan 200
port trunk allow-pass vlan 5 to 6 100
#
return
l PE4 configuration file
#
sysname PE4
#
vlan batch 5 to 6 100 200
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet 1/0/1 secondary-port
GigabitEthernet 1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100 200
stp disable
#
interface GigabitEthernet1/0/3
port link-type trunk
port default vlan 200
port trunk allow-pass vlan 5 to 6 100
#
return
Networking Requirements
On a closed ring network, two SEP segments are configured to process different VLAN
services, implement load balancing, and provide link backup.
In common SEP networking, a physical ring can be configured with only one SEP segment in
which only one interface can be blocked. If an interface in a complete SEP segment is
blocked, all service data is transmitted only along the path where the primary edge interface is
located. The path where the secondary edge interface is located remains idle, wasting
bandwidth.
To improve bandwidth efficiency and implement traffic load balancing, Huawei develops SEP
multi-instance.
Network
/0 /3 GE1
/0/3
GE1/0/2 GE 1 GE1/0/2
LSW1
LSW4
GE1/0/1
GE1/0/1
Aggregation
P2 P1 GE1/0/1
GE1/0/1
LSW2 GE LSW3
1 /0 /0 /2
GE1/0/3 /2 GE 1 GE1/0/3
GE1/0/1 GE1/0/1
Access
CE1 CE2
Instance1: Instance2:
VLAN VLAN
100~300 301~500
SEP Segment1
SEP Segment2
Primary Edge Port
Secondary Edge Port
Block Port
As shown in Figure 17-23, a ring network comprising Layer 2 switches (LSW1 to LSW5) is
connected to the network. SEP runs at the aggregation layer. SEP multi-instance is configured
on LSW1 to LSW4 to allow for two SEP segments to improve bandwidth efficiency,
implement load balancing, and provide link backup.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure basic SEP functions.
l Configure SEP segment 1 and control VLAN 10.
# Configure LSW1.
<HUAWEI> system-view
[HUAWEI] sysname LSW1
[LSW1] sep segment 1
[LSW1-sep-segment1] control-vlan 10
[LSW1-sep-segment1] quit
# Configure LSW2.
<HUAWEI> system-view
[HUAWEI] sysname LSW2
[LSW2] sep segment1
[LSW2-sep-segment1] control-vlan 10
[LSW2-sep-segment1] quit
# Configure LSW3.
<HUAWEI> system-view
[HUAWEI] sysname LSW3
[LSW3] sep segment 1
[LSW3-sep-segment1] control-vlan 10
[LSW3-sep-segment1] quit
# Configure LSW4.
<HUAWEI> system-view
[HUAWEI] sysname LSW4
[LSW4] sep segment 1
[LSW4-sep-segment1] control-vlan 10
[LSW4-sep-segment1] quit
# Configure LSW2.
[LSW2] sep segment2
[LSW2-sep-segment2] control-vlan 10
[LSW2-sep-segment2] quit
# Configure LSW3.
[LSW3] sep segment 2
[LSW3-sep-segment2] control-vlan 10
[LSW3-sep-segment2] quit
# Configure LSW4.
NOTE
Step 2 Configure SEP protected instances, and configure mappings between SEP protected instances
and user VLANs.
# Configure LSW1.
[LSW1] vlan batch 100 to 500
[LSW1] sep segment 1
[LSW1-sep-segment1] protected-instance 1
[LSW1-sep-segment1] quit
[LSW1] sep segment 2
[LSW1-sep-segment2] protected-instance 2
[LSW1-sep-segment2] quit
[LSW1] stp region-configuration
[LSW1-mst-region] instance 1 vlan 100 to 300
[LSW1-mst-region] instance 2 vlan 301 to 500
[LSW1-mst-region] active region-configuration
[LSW1-mst-region] quit
The configurations of LSW2 to LSW4 are similar to that of LSW1, and are not mentioned
here. For details, see the configuration files.
Step 3 Add all the devices on the ring network to the SEP segments and configure interface roles.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment, disable
STP on the interface.
# On LSW1, configure GE1/0/1 as the primary edge interface and GE1/0/3 as the secondary
edge interface.
[LSW1] interface gigabitethernet 1/0/1
[LSW1-GigabitEthernet1/0/1] port link-type hybrid
[LSW1-GigabitEthernet1/0/1] stp disable
[LSW1-GigabitEthernet1/0/1] sep segment 1 edge primary
[LSW1-GigabitEthernet1/0/1] sep segment 2 edge primary
[LSW1-GigabitEthernet1/0/1] quit
[LSW1] interface gigabitethernet 1/0/3
[LSW1-GigabitEthernet1/0/3] port link-type hybrid
[LSW1-GigabitEthernet1/0/3] stp disable
[LSW1-GigabitEthernet1/0/3] sep segment 1 edge secondary
[LSW1-GigabitEthernet1/0/3] sep segment 2 edge secondary
[LSW1-GigabitEthernet1/0/3] quit
# Configure LSW2.
[LSW2] interface gigabitethernet 1/0/1
[LSW2-GigabitEthernet1/0/1] port link-type hybrid
[LSW2-GigabitEthernet1/0/1] stp disable
[LSW2-GigabitEthernet1/0/1] sep segment 1
[LSW2-GigabitEthernet1/0/1] sep segment 2
[LSW2-GigabitEthernet1/0/1] quit
[LSW2] interface gigabitethernet 1/0/2
[LSW2-GigabitEthernet1/0/2] port link-type hybrid
[LSW2-GigabitEthernet1/0/2] stp disable
[LSW2-GigabitEthernet1/0/2] sep segment 1
# Configure LSW3.
[LSW3] interface gigabitethernet 1/0/1
[LSW3-GigabitEthernet1/0/1] port link-type hybrid
[LSW3-GigabitEthernet1/0/1] stp disable
[LSW3-GigabitEthernet1/0/1] sep segment 1
[LSW3-GigabitEthernet1/0/1] sep segment 2
[LSW3-GigabitEthernet1/0/1] quit
[LSW3] interface gigabitethernet 1/0/2
[LSW3-GigabitEthernet1/0/2] port link-type hybrid
[LSW3-GigabitEthernet1/0/2] stp disable
[LSW3-GigabitEthernet1/0/2] sep segment 1
[LSW3-GigabitEthernet1/0/2] sep segment 2
[LSW3-GigabitEthernet1/0/2] quit
# Configure LSW4.
[LSW4] interface gigabitethernet 1/0/1
[LSW4-GigabitEthernet1/0/1] port link-type hybrid
[LSW4-GigabitEthernet1/0/1] stp disable
[LSW4-GigabitEthernet1/0/1] sep segment 1
[LSW4-GigabitEthernet1/0/1] sep segment 2
[LSW4-GigabitEthernet1/0/1] quit
[LSW4] interface gigabitethernet 1/0/3
[LSW4-GigabitEthernet1/0/3] port link-type hybrid
[LSW4-GigabitEthernet1/0/3] stp disable
[LSW4-GigabitEthernet1/0/3] sep segment 1
[LSW4-GigabitEthernet1/0/3] sep segment 2
[LSW4-GigabitEthernet1/0/3] quit
# Configure delayed preemption and block an interface based on the device and interface
names on LSW1 where the primary edge interface is located.
[LSW1] sep segment 1
[LSW1-sep-segment1] block port sysname LSW3 interface gigabitethernet 1/0/1
[LSW1-sep-segment1] preempt delay 15
[LSW1-sep-segment1] quit
[LSW1] sep segment 2
[LSW1-sep-segment2] block port sysname LSW2 interface gigabitethernet 1/0/1
[LSW1-sep-segment2] preempt delay 15
[LSW1-sep-segment2] quit
NOTE
l In this configuration example, an interface fault needs to be simulated and then rectified to
implement delayed preemption. To ensure that delayed preemption takes effect on the two SEP
segments, simulate an interface fault in the two SEP segments. For example:
– In SEP segment 1, run the shutdown command on GE 1/0/1 of LSW2 to simulate an interface
fault. Then, run the undo shutdown command on GE1/0/1 to simulate interface fault recovery.
– In SEP segment 2, run the shutdown command on GE 1/0/1 of LSW3 to simulate an interface
fault. Then, run the undo shutdown command on GE1/0/1 to simulate interface fault recovery.
Step 5 Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW4.
The configuration details are not mentioned here. For details, see the configuration files.
Simulate a fault, and then check whether the status of the blocked interface changes from
blocked to forwarding.
Run the display sep interface command on LSW3 to check whether the status of GE1/0/1 in
SEP segment 1 changes from blocked to forwarding.
[LSW3] display sep interface gigabitethernet 1/0/1
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE1/0/1 common up forwarding
SEP segment 2
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE1/0/1 common up forwarding
The preceding command output shows that the status of GE1/0/1 changes from blocked to
forwarding and the forwarding path change in SEP segment 1 does not affect the forwarding
path in SEP segment 2.
----End
Configuration Files
l LSW1 configuration file
#
sysname LSW1
#
vlan batch 10 100 to 500
#
stp region-configuration
instance 1 vlan 100 to 300
instance 2 vlan 301 to 500
active region-configuration
#
sep segment 1
control-vlan 10
block port sysname LSW3 interface GigabitEthernet1/0/1
preempt delay 15
protected-instance 1
sep segment 2
control-vlan 10
block port sysname LSW2 interface GigabitEthernet1/0/1
preempt delay 15
protected-instance 2
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 100 to 500
stp disable
sep segment 1 edge primary
sep segment 2 edge primary
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 10 100 to 500
stp disable
sep segment 1 edge secondary
sep segment 2 edge secondary
#
return
stp region-configuration
instance 1 vlan 100 to 300
instance 2 vlan 301 to 500
active region-configuration
#
sep segment 1
control-vlan 10
protected-instance 1
sep segment 2
control-vlan 10
protected-instance 2
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 100 to 500
stp disable
sep segment 1
sep segment 2
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 10 100 to 500
stp disable
sep segment 1
sep segment 2
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 100 to 300
#
return
Networking Requirements
As shown in Figure 17-24, CE1 is connected to a VPLS network through an open ring. SEP
is enabled on the open ring network to eliminate redundant links. When a link on the ring
network becomes faulty, SEP can immediately restore the communication between nodes on
the ring network. The traffic between CEs, however, is still interrupted.
To solve the problem, association between SEP and VPLS must be enabled on PE1 and PE2.
With association between SEP and VPLS, PE1 and PE2 can detect topology changes of the
SEP network immediately after a fault occurs on the SEP network. This ensures reliable
traffic transmission.
Figure 17-24 Networking diagram for configuring association between SEP and VPLS
PE3 CE2
GE1/0/3
GE1/0/2
GE1/0/1 GE1/0/2
GE1/0/1
GE1/0/2 GE1/0/2
LSW1 SEP LSW3
Segment1
GE1/0/1 GE1/0/1
GE1/0/1 GE1/0/2
LSW2 GE1/0/3
GE1/0/2
CE1
GE1/0/1
Table 17-15
Device Interface VLANIF Interface IP Address
GE1/0/2 VLANIF100 -
Loopback1 - 1.1.1.1 32
GE1/0/2 VLANIF100 -
Loopback1 - 2.2.2.2 32
GE1/0/3 VLANIF100 -
Loopback1 - 3.3.3.3 32
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic SEP functions.
a. Create a SEP segment and a control VLAN.
b. Add all the devices on the ring network to the SEP segment and configure a role for
each interface added to the SEP segment.
NOTE
When being added to multiple SEP segments, an interface must be configured with the same
role. Otherwise, SEP multi-instance fails to be configured.
c. Enable the function of specifying an interface to block on the device where the
primary edge interface resides.
d. Configure the SEP preemption mode to ensure that the specified blocked interface
takes effect when a fault is rectified.
2. Configure VPLS on PE1, PE2, and PE3.
3. Configure association between SEP and VPLS on the devices connecting the SEP
network and the VPLS network.
4. Configure the Layer 2 forwarding function on CE1, CE2, LSW1 to LSW3, and PE1 to
PE3.
Procedure
Step 1 Configure basic SEP functions.
1. Create a SEP segment and a control VLAN.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] sep segment 1
[PE1-sep-segment1] control-vlan 10
[PE1-sep-segment1] protected-instance all
[PE1-sep-segment1] quit
# Configure LSW1.
<HUAWEI> system-view
[HUAWEI] sysname LSW1
[LSW1] sep segment 1
[LSW1-sep-segment1] control-vlan 10
[LSW1-sep-segment1] protected-instance all
[LSW1-sep-segment1] quit
# Configure LSW2.
<HUAWEI> system-view
[HUAWEI] sysname LSW2
[LSW2] sep segment1
[LSW2-sep-segment1] control-vlan 10
[LSW2-sep-segment1] protected-instance all
[LSW2-sep-segment1] quit
# Configure LSW3.
<HUAWEI> system-view
[HUAWEI] sysname LSW3
[LSW3] sep segment 1
[LSW3-sep-segment1] control-vlan 10
[LSW3-sep-segment1] protected-instance all
[LSW3-sep-segment1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] sep segment 1
[PE2-sep-segment1] control-vlan 10
[PE2-sep-segment1] protected-instance all
[PE2-sep-segment1] quit
NOTE
# Configure PE2.
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] port link-type hybrid
[PE2-GigabitEthernet1/0/2] stp disable
[PE2-GigabitEthernet1/0/2] sep segment 1 edge secondary
[PE2-GigabitEthernet1/0/2] quit
# Configure LSW1.
[LSW1] interface gigabitethernet 1/0/1
[LSW1-GigabitEthernet1/0/1] port link-type trunk
[LSW1-GigabitEthernet1/0/1] stp disable
# Configure LSW2.
[LSW2] interface gigabitethernet 1/0/1
[LSW2-GigabitEthernet1/0/1] port link-type trunk
[LSW2-GigabitEthernet1/0/1] stp disable
[LSW2-GigabitEthernet1/0/1] sep segment 1
[LSW2-GigabitEthernet1/0/1] quit
[LSW2] interface gigabitethernet 1/0/2
[LSW2-GigabitEthernet1/0/2] port link-type trunk
[LSW2-GigabitEthernet1/0/2] stp disable
[LSW2-GigabitEthernet1/0/2] sep segment 1
[LSW2-GigabitEthernet1/0/2] quit
# Configure LSW3.
[LSW3] interface gigabitethernet 1/0/1
[LSW3-GigabitEthernet1/0/1] port link-type trunk
[LSW3-GigabitEthernet1/0/1] stp disable
[LSW3-GigabitEthernet1/0/1] sep segment 1
[LSW3-GigabitEthernet1/0/1] quit
[LSW3] interface gigabitethernet 1/0/2
[LSW3-GigabitEthernet1/0/2] port link-type trunk
[LSW3-GigabitEthernet1/0/2] stp disable
[LSW3-GigabitEthernet1/0/2] sep segment 1
[LSW3-GigabitEthernet1/0/2] quit
After completing the preceding configurations, run the display sep topology command
on PE1 to view the topology of the SEP segment. You can see that the blocked interface
is the one of the last two interfaces that complete neighbor negotiation.
[PE1] display sep topology
SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE1/0/2 primary forwarding 1
LSW1 GE1/0/2 common forwarding 2
LSW1 GE1/0/1 common forwarding 3
LSW2 GE1/0/1 common forwarding 4
LSW2 GE1/0/2 common forwarding 5
LSW3 GE1/0/1 common forwarding 6
LSW3 GE1/0/2 common forwarding 7
PE2 GE1/0/2 secondary discarding 8
# On LSW2, set the priority of GE 1/0/2 to 128 and allow the other interfaces to use
the default priority.
[LSW2] interface gigabitethernet 1/0/2
[LSW2-GigabitEthernet1/0/2] sep segment 1 priority 128
[LSW2-GigabitEthernet1/0/2] quit
NOTE
– The preemption delay has no default value. Therefore, you must run the related command to
set the preemption delay.
– When the last faulty edge interface recovers, it does not receive any fault advertisement
packet. If the primary edge interface does not receive any fault advertisement packet within
three seconds, it immediately starts the delay timer. After the delay timer expires, the nodes on
the SEP segment block a specified interface.
Therefore, in this example, an interface fault is simulated and then rectified to implement
delayed preemption. For example:
Run the shutdown command on GE 1/0/2 of LSW2 to simulate an interface fault. Then, run
the undo shutdown command on GE 1/0/2 to rectify the fault.
After completing the preceding operations, view the topology of the SEP segment. Use
the display on PE1 as an example.
Run the display sep topology command on PE1 to view the information about the
topology of the SEP segment.
[PE1] display sep topology
SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE1/0/2 primary forwarding 1
LSW1 GE1/0/2 common forwarding 2
LSW1 GE1/0/1 common forwarding 3
LSW2 GE1/0/1 common forwarding 4
LSW2 GE1/0/2 common discarding 5
LSW3 GE1/0/1 common forwarding 6
LSW3 GE1/0/2 common forwarding 7
PE2 GE1/0/2 secondary forwarding 8
The preceding command output shows that the status of GE 1/0/2 is discarding and the
status of the other interfaces is forwarding on LSW2 in SEP segment 1.
Step 2 Configure a VPLS network.
1. Configure an IP address for each interface and an IGP on the VPLS backbone network.
In this example, IS-IS is used as an IGP.
Configure VPLS connections between the PEs (the VPLS connections use the LDP
signaling, and the VSI name is ldp1). The configuration details are not provided here.
For details, see the chapter "VPLS Configuration" in the S7700&S9700 Configuration
Guide - VPN or configuration files in this example.
After the preceding configurations are complete, the PEs ping each other successfully.
[PE3] ping 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=80 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=100 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=80 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=130 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=80 ms
2. Bind the VLANIF interfaces at the user side on the PEs to the same VSI.
# Configure PE1.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port hybrid tagged vlan 100
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface Vlanif 100
[PE1-Vlanif100] l2 binding vsi ldp1
[PE1-Vlanif100] quit
# Configure PE2.
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] port hybrid tagged vlan 100
[PE2-GigabitEthernet1/0/2] quit
[PE2] interface Vlanif 100
[PE2-Vlanif100] l2 binding vsi ldp1
[PE2-Vlanif100] quit
# Configure PE3.
[PE3] vlan 100
[PE3-vlan100] quit
[PE3] interface Vlanif 100
[PE3-Vlanif100] l2 binding vsi ldp1
[PE3-Vlanif100] quit
After completing the preceding configurations, run the display vsi name ldp1 verbose
command on PE1. You can see that PE1 in a VSI named ldp1 in the Up state sets up a
PW to PE2 and another PW to PE3.
[PE1] display vsi name ldp1 verbose
VSI ID : 1
*Peer Router ID : 2.2.2.2
Negotiation-vc-id : 2
primary or secondary : primary
ignore-standby-state : no
VC Label : 1026
Peer Type : dynamic
Session : up
Tunnel ID : 0x5
Broadcast Tunnel ID : 0x5
Broad BackupTunnel ID : 0x0
CKey : 2
NKey : 1
StpEnable : 0
PwIndex : 0
*Peer Router ID : 3.3.3.3
primary or secondary : primary
ignore-standby-state : no
VC Label : 1027
Peer Type : dynamic
Session : up
Tunnel ID : 0x6
Broadcast Tunnel ID : 0x6
Broad BackupTunnel ID : 0x0
CKey : 4
NKey : 3
StpEnable : 0
PwIndex : 0
**PW Information:
# Configure PE2.
[PE2] sep segment 1
[PE2-sep-segment1] tc-notify vpls
[PE2-sep-segment1] quit
Step 4 Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW3.
The configuration details are not provided here. For details, see configuration files in this
example.
Step 5 Verify the configuration.
Simulate a fault, and then check whether the status of the blocked interface changes from
blocked to forwarding.
Run the shutdown command on GE 1/0/1 of LSW2 to simulate an interface fault.
l Run the display sep interface command on LSW2 to check whether the status of GE
1/0/2 in SEP segment 1 changes from blocked to forwarding.
[LSW2] display sep interface GigabitEthernet 1/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE1/0/2 common up forwarding
----End
Configuration Files
l PE1 configuration file
#
sysname PE1
#
vlan batch 10 20 30 100
#
sep segment 1
control-vlan 10
block port optimal
preempt delay 600
tc-notify vpls
protected-instance 0 to 4094
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 1
peer 2.2.2.2
peer 3.3.3.3
#
mpls ldp
#
isis 1
is-level level-2
network-entity 49.0010.0100.1009.00
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif100
l2 binding vsi ldp1
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 20
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1 edge primary
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 30
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
isis enable 1
#
return
l PE2 configuration file
#
sysname PE2
#
vlan batch 10 20 40 100
#
sep segment 1
control-vlan 10
tc-notify vpls
protected-instance 0 to 4094
#
mpls lsr-id 2.2.2.2
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 1
peer 1.1.1.1
peer 3.3.3.3
#
mpls ldp
#
isis 1
is-level level-2
network-entity 49.0020.0200.2009.00
#
interface Vlanif20
ip address 10.2.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif40
ip address 10.3.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif100
l2 binding vsi ldp1
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 20
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1 edge primary
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 40
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
isis enable 1
#
return
l PE3 configuration file
#
sysname PE3
#
vlan batch 30 40 100
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 1
peer 1.1.1.1
peer 2.2.2.2
#
mpls ldp
#
isis 1
is-level level-2
network-entity 49.0030.0300.3009.00
#
interface Vlanif30
ip address 20.1.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif40
ip address 10.3.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif100
l2 binding vsi ldp1
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 30
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 40
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 100
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
isis enable 1
#
return
#
sysname LSW3
#
vlan batch 10
#
sep segment 1
control-vlan 10
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
return
18 RRPP Configuration
This chapter describes how to configure the Rapid Ring Protection Protocol (RRPP) to
prevent loops and implement fast convergence on ring networks.
Definition
The Rapid Ring Protection Protocol (RRPP) is a link layer protocol used to prevent loops on
an Ethernet ring network.
When the network is complete, RRPP-enabled devices discover and eliminate loops on the
network by blocking certain interfaces. If a network fault occurs, RRPP-enabled devices
unblock blocked interfaces and switch data services to a running link.
Purpose
The ring network topology is applied to MANs and enterprise intranets to improve network
reliability. If a fault occurs on a node or on a link between nodes, data services are switched to
the backup link to ensure service. However, broadcast storms may occur on ring networks.
Many protocols can prevent broadcast storms on ring networks. However, if a fault occurs on
a ring network, it takes some time for the device to switch data services to the backup link.
The network convergence is slow and if the convergence takes too much time, services are
interrupted.
To shorten the convergence time and eliminate the impact of network scale on convergence
time, Huawei developed RRPP. Compared with other Ethernet ring technologies, RRPP has
the following advantages as described in Table 18-1:
l RRPP applies to large networks because the convergence time is not affected by the
number of nodes on the ring network.
l RRPP prevents broadcast storms caused by data loops when an Ethernet ring is
complete.
l In case of an Ethernet ring network failure, the backup link rapidly restores the
communication among the Ethernet ring network nodes.
Token Ring The token ring was the first ring technology introduced to the data
communication field and applied in LANs.
The token ring does not have the self-healing capability.
18.2 Principles
After an RRPP domain and ring are created, RRPP specifies devices on the ring network as
nodes in different roles. Nodes on the ring network detect the ring network status and transmit
topology changes by sending, receiving, and processing RRPP packets through primary and
secondary interfaces. Nodes on the ring network block or unblock the interfaces based on the
ring network status. RRPP can prevent loops when the ring is complete, and rapidly switch
service data to the backup link if a device or link fails, ensuring nonstop service transmission.
RRPP Composition
A group of interconnected switches configured with the same domain ID and control VLAN
constitute an RRPP domain.
C
E
RRPP Domain ID
An RRPP domain ID distinguishes an RRPP domain.
RRPP Ring
A physical RRPP ring uses an Ethernet ring topology. An RRPP domain comprises a single
ring or multiple interconnected rings. When multiple interconnected rings exist, one ring is
the major ring and the others are sub-rings.
An RRPP domain may have multiple sub-rings but only one major ring. The RRPP domain in
Figure 18-1 consists of a major ring and a sub-ring.
RRPP is applied to the networking of a single ring, intersecting rings, and tangent rings. For
details about networking modes, see Common RRPP Rings.
Node
Each device on an RRPP ring is a node. Nodes on the RRPP ring are classified into the
following types:
NOTE
The status of the RRPP ring on a node is the status of the node.
l Master node
The master node determines how to handle topology changes. Each RRPP ring must
have only one master node.
Any device on an Ethernet ring can serve as the master node.
The master node can be in either Complete or Failed state. The master node status
indicates the RRPP ring status.
l Transit node
On an RRPP ring, all nodes except the master node are transit nodes. A transit node
monitors the status of its directly-connected links and notifies the master node of link
changes.
A transit node can be in LinkUp, LinkDown, or Preforwarding state.
– When the primary and secondary interfaces of a transit node are Up, the transit node
is in LinkUp state. The transit node can receive and forward data packets and RRPP
packets.
– When the primary or secondary interface of a transit node is Down, the transit node
is in LinkDown state.
– When the primary or secondary interface of a transit node is Blocked, the transit
node is in Preforwarding state and can receive and forward only RRPP packets.
l Edge node and assistant edge node
A switch functions as an edge node or an assistant edge node on a sub-ring, and
functions as a transit node on the major ring.
On the link where the major ring and sub-ring overlap, if the switch on one intersection
point is an edge node, the switch on the other intersection point is an assistant edge node.
A sub-ring has only one edge node and one assistant edge node.
Edge nodes and assistant edge nodes are special transit nodes. They support the same
states as transit nodes but have the following differences:
– If an edge interface is Up, the edge node or assistant edge node is in LinkUp state
and can receive and forward data packets and RRPP packets.
– If an edge interface is Down, the edge node or assistant edge node is in LinkDown
state.
– If an edge interface is blocked, the edge node or assistant edge node is in
Preforwarding state and can receive and forward only RRPP packets.
If the state transition is caused by the changes of the link status on the interface of an
edge node or assistant edge node, only the edge interface status changes.
Interfaces
l Primary interface and secondary interface
On both the master node and transit node, one of the two interfaces connected to an
Ethernet ring is the primary interface, and the other is the secondary interface. The
interface roles depend on the configuration.
The primary and secondary interfaces on the master node provide different functions:
– The master node sends Hello packets from its primary interface and receives Hello
packets on its secondary interface.
– Based on the network status, the master node blocks the secondary interface to
prevent loops or unblocks the secondary interface to ensure communication among
all the nodes on the ring.
The primary and secondary interfaces on a transit node provide the same function.
l Common interface and edge interface
On an edge node or an assistant edge node, an interface shared by the major ring and a
sub-ring is called the common interface. An interface used only by a sub-ring is called
the edge interface.
The common interface is considered an interface on the major ring and belongs to both
the major control VLAN and sub-control VLAN. The edge interface belongs only to the
sub-control VLAN.
Single Ring
SwitchA SwitchB
Ring 1
When only one ring exists in the network topology, you can define one RRPP domain and one
RRPP ring. This topology features quick response to topology changes and short convergence
time. It is applicable to simple ring networks.
Intersecting Rings
SwitchA SwitchB
Edge Node
Master Node
SwitchE
Ring 1
Ring 2
Master Node
When two or more rings exist in the network topology, but multiple common nodes exist
between two neighboring rings, you need to define only one RRPP domain. Configure one
ring as the major ring and the remaining rings as sub-rings. This topology is applicable when
the master node on a sub-ring needs to be dual-homed to the major ring through the edge node
and assistant edge node to provide uplink backup.
Tangent Rings
SwitchA SwitchE
Transit Node
Transit Node
SwitchB
SwitchD
Ring 2
SwitchF
Master Node Ring 1
SwitchC Transit Node
SwitchG
Domain 2
Transit Node
When two or more rings exist in the network topology and only one common node exists
between two neighboring rings, you need to configure the rings to belong to different RRPP
domains. This topology is applicable to large-scale networks that require domain-based
management.
Hello Packet sent by the master node to check for loops on a network.
(HEALTH)
LINK-DOWN Packet sent by transit nodes, edge nodes, or assistant edge nodes to
notify the master node that an interface is Down.
COMMON- Packet sent by the master node to request that transit nodes, edge
FLUSH-FDB nodes, or assistant edge nodes update their MAC address forwarding
entries, ARP entries and ND entries.
COMPLETE- Packet sent by the master node to request that transit nodes, edge
FLUSH-FDB nodes, or assistant edge nodes update their MAC address forwarding
entries, ARP entries and ND entries, and enable transit nodes to
unblock temporarily blocked interfaces to forward data packets.
EDGE-HELLO Packet sent by the edge node on a sub-ring and received by the
assistant edge node on the same sub-ring to check whether the major
ring is complete in the same RRPP domain as the sub-ring.
MAJOR-FAULT Packet sent by the assistant edge node on a sub-ring to notify the edge
node that the major ring in the RRPP domain fails when the assistant
edge node does not receive the Edge-Hello packet from the edge
interface within a specified period.
l Destination MAC address: indicates the destination MAC address of the packet. The
field occupies 48 bits.
l Source MAC address: indicates the source MAC address of the packet. The MAC
address is the bridge MAC address. The field occupies 48 bits.
l EtherType: indicates the encapsulation type. The EtherType value is fixed as 0x8100,
which indicates tagged encapsulation. The field occupies 16 bits.
l PRI: indicates the Class of Service (CoS) value. The PRI value is fixed as 0xe. The field
occupies 4 bits.
l VLAN ID: indicates the ID of the VLAN to which the packet belongs. The field
occupies 12 bits.
l Frame Length: indicates the length of the Ethernet frame. The Frame Length value is
fixed as 0x0048. The field occupies 16 bits.
l DSAP/SSAP: indicates the destination or source service access point. The DSAP/SSAP
value is fixed as 0xaaaa. The field occupies 16 bits.
l CONTROL: The field has no significance and occupies 8 bits. The CONTROL value is
fixed as 0x03.
l OUI: The field has no significance and occupies 24 bits. The OUI value is fixed as
0x00e02b.
l RRPP_LENGTH: indicates the length of the RRPP data unit. The RRPP_LENGTH
value is fixed as 0x0040. The field occupies 16 bits.
l RRPP_VER: indicates the RRPP version. The current version is 0x01. The field
occupies 8 bits.
l RRPP TYPE: indicates the type of the RRPP packet. The field occupies 8 bits. The
RRPP packet types and values are described as follows:
– HEALTH = 0x05
– COMPLETE-FLUSH-FDB = 0x06
– COMMON-FLUSH-FDB = 0x07
– LINK-DOWN = 0x08
– EDGE-HELLO = 0x0a
– MAJOR-FAULT = 0x0b
l DOMAIN_ID: indicates the ID of the RRPP domain to which the packet belongs. The
field occupies 16 bits.
l RING_ID: indicates the ID of the RRPP ring to which the packet belongs. The field
occupies 16 bits.
l SYSTEM_MAC_ADDR: indicates the bridge MAC address from which the packet is
sent. The field occupies 48 bits.
l HELLO_TIMER: indicates the timeout period (in seconds) of the Hello timer on the
node that sends the packet. The field occupies 16 bits.
l FAIL_TIMER: indicates the timeout period (in seconds) of the Fail timer on the node
that sends the packet. The field occupies 16 bits.
l LEVEL: indicates the level of the RRPP ring to which the packet belongs. The field
occupies 8 bits.
l HELLO-SEQ: indicates the sequence number of the Hello packet. The field occupies 16
bits.
As demonstrated in Figure 18-6, the master node blocks its secondary interface to prevent
broadcast loops caused by data packets. The blocked secondary interface can only receive
RRPP packets but cannot forward data packets. Hello packets sent by the master node to
monitor the ring status can pass through the secondary interface.
Network
Router1 Router2
Master Node
Block
P S
User
network
primary interface
secondary interface
Data Packet
Hello
Polling Mechanism
The master node uses the polling mechanism to monitor the ring status and perform
operations by sending Hello packets.
The polling mechanism uses the Hello timer and Fail timer.
l The value of the Hello timer specifies the interval at which the master node sends Hello
packets from the primary interface.
l The value of the Fail timer specifies the maximum delay in which the primary interface
sends a Hello packet and the secondary interface receives the Hello packet.
l The value of the Fail timer must be three times or larger the value of the Hello timer.
The master node determines whether to unblock the secondary interface by sending a Hello
packet according to the value of the Hello timer and checking whether the secondary interface
receives the Hello packet within the delay specified by the Fail timer.
Process of the polling mechanism
1. The master node periodically sends a Hello packet from its primary interface based on
the value of the Hello timer.
2. As shown in Figure 18-6, the Hello packet is transmitted along transit nodes on the ring.
The master node typically receives the Hello packet on its secondary interface.
– If the secondary interface on the master node receives the Hello packet before the
Fail timer times out, the master node considers the ring complete.
– If the secondary interface on the master node does not receive the Hello packet after
the Fail timer times out, the master node considers the ring faulty.
Network
Router1 Router2
Interface2
SwitchB
Link Failure
SwitchA
Interface1 Master Node
P S
User
network
primary interface
secondary interface
Data Packet
LINK-DOWN
l When SwitchA and SwitchB detect the link failure, they send LinkDown packets to the
master node from Interface1 and Interface2 respectively.
l Upon receiving a LinkDown packet, the master node changes from Complete state to
Failed state and unblocks the secondary interface so that data packets can pass through.
l When the network topology changes, the master node updates the forwarding entries to
ensure correct packet forwarding. In addition, the master node sends a Common-Flush-
FDB packet from the primary interface to request that all transit nodes update the
forwarding entries.
sends a Common-Flush-FDB packet from the secondary interface to request that all the
transit nodes on the ring update their MAC address forwarding entries and ARP entries.
l If the interface on a transit node is Down, the node sends a LinkDown packet from its
interface in Up state to the master node. When receiving the LinkDown packet, the
master node changes to Failed state and unblocks its secondary interface. When the
network topology changes, the master node must update its MAC address forwarding
entries and ARP entries to prevent incorrect packet forwarding. In addition, the master
node sends a Common-Flush-FDB packet from its primary and secondary interfaces to
request that all transit nodes update their MAC address forwarding entries and ARP
entries.
Polling mechanism
If the LinkDown packet is lost during transmission, the polling mechanism is used on the
master node.
The master node periodically sends Hello packets from its primary interface. The packets are
then transmitted through all transit nodes on the ring. If the secondary interface on the master
node does not receive the Hello packet from the primary interface in the specified period, the
master node considers the ring faulty. The fault is processed in the same way as a fault
actively reported by a transit node. The master node changes to Failed state and unblocks the
secondary interface. In addition, the master node sends a Common-Flush-FDB packet from its
primary and secondary interfaces to request that all transit nodes update their MAC address
forwarding entries and ARP entries.
The LinkDown notification mechanism processes faults more quickly than the polling
mechanism so that RRPP can implement fast link switchover and convergence.
Network
Router1 Router2
Master Node
Block
P S
User
network
primary interface
secondary interface
Data Packet
COMPLETE-FLUSH-FDB
receiving no Complete-Flush-FDB packet from the master node in the period specified by the
Fail timer. The transit node then updates its MAC address forwarding entries and ARP entries
to recover data communication.
LinkUp Timer
After the link recovers, traffic transmission paths are switched frequently if the link status
changes frequently on a ring. As a result, loop flapping occurs and system performance
deteriorates. To address this problem, a LinkUp timer is used to set the period after which the
master node changes to Complete state. This prevents transmission paths from changing
frequently and reduces loop flapping impact on system performance.
If a LinkUp timer is configured, the master node does not immediately enter Complete state
when its secondary interface receives a Hello message. Instead, the master node triggers the
LinkUp timer and performs the following operations:
l Before the LinkUp timer expires, the master node does not process the Hello message
received from the secondary interface and the RRPP ring topology remains unchanged.
If the link status changes (for example, the master node receives a LinkDown packet or
the link goes Down) the timer is closed.
l After the LinkUp timer expires, the master node processes the Hello message. The
master node blocks its secondary interface and requests all transit nodes to update their
forwarding entries. The RRPP ring is re-converged.
Network
Router1 Router2
SwitchD
Link Failure
Master Node
SwitchC
Block
P S
User
network
primary interface
secondary interface
Data Flow1
Data Flow2
As demonstrated in Figure 18-9, traffic between SwitchC and SwitchD is forwarded along
data flow 1 when the ring fails. After the fault is rectified, the RRPP ring recalculates the
topology. Traffic between SwitchC and SwitchD is switched to data flow 2.
l When no LinkUp timer is configured, if the recovered link is unstable and fails again, the
RRPP ring recalculates the topology. Traffic between SwitchC and SwitchD is switched
to data flow 1. This may cause frequent changes of traffic transmission paths. As a result,
traffic is lost and system performance deteriorates.
l When a LinkUp timer is configured, traffic is not switched immediately when the fault is
rectified. If the recovered link fails again, traffic between SwitchC and SwitchD is still
transmitted along data flow 1.
l A transit node on the major ring unblocks the temporarily blocked interface only when
receiving a Complete-Flush-FDB packet sent from the major ring instead of the sub-ring.
l The path status detection mechanism for sub-ring protocol packets on the major ring is
used in the case of multiple rings. For details, see Path Status Detection Mechanism
for Sub-Ring Protocol Packets on the Major Ring.
l Ring groups are used to improve system performance. For details, see Ring Group.
Path Status Detection Mechanism for Sub-Ring Protocol Packets on the Major
Ring
This mechanism applies to networks where multiple sub-rings are intersecting with the master
ring to prevent loops among sub-rings after secondary interfaces are unblocked by master
nodes on sub-rings.
As shown in Figure 18-10, when the common link between the major ring and sub-ring is
faulty and at least one non-common link is faulty, the master node on each sub-ring unblocks
its secondary interface (S in the preceding figure) because the secondary interface does not
receive Hello packets. In this case, broadcast loops (blue dashed lines in the preceding figure)
may occur between sub-rings. To prevent loops, the network deploys the path status detection
mechanism for sub-ring protocol packets on the major ring. After this mechanism is
configured, the edge node and assistant edge node detect the path status. When the edge node
detects that the path is interrupted, the edge interfaces on the two sub-rings are blocked before
the master nodes on the two sub-rings unblock their secondary interfaces. This prevents loops
between sub-rings. The edge interfaces on the edge nodes of sub-ring 1 and sub-ring 2 are
blocked, preventing loops.
Network
Router1 Router2
Master Transit
Major Ring
Edge
Assistant-Edge
Block Block
Sub-Ring1 Sub-Ring2
P P
Sub S Sub
S
Master 1 Master2
PC1 PC2
S Secondary Interface Possible ring if the Edge interfaces are not blocked
The path status detection mechanism for sub-ring protocol packets on the major ring prevents
loops in the following procedures:
1. The edge node checks the path status of sub-ring protocol packets on the major ring.
The edge node on a sub-ring periodically sends Edge-Hello packets to the major ring
through two RRPP interfaces on the major ring. Edge-Hello packets are transmitted
through all transit nodes on the ring. The assistant edge node does not forward the
received Edge-Hello packets.
As shown in Figure 18-11, the edge node sends Edge-Hello packets to the major ring
through Interface1 and Interface2, which are also located on the major ring.
Network
Router1 Router2
P
Master
S Block
Major Ring
Interface1
Edge
Assistant
Interface2
Sub Ring
Block
S P
Master
EDGE-HELLO
Data Packet
Block
PC
P Primary Interface
S Secondary Interface
If the assistant edge node receives the Edge-Hello packets within the specified period,
the protocol packet path is normal; if the assistant edge node receives no Edge-Hello
packets within the specified period, the path is faulty.
2. The path is disconnected and the edge node blocks the edge interfaces.
Upon detecting that the sub-ring protocol packet path is disconnected, the assistant edge
node immediately sends a Major-Fault packet to the edge node. After receiving the
Major-Fault packet, the edge node blocks its edge interfaces.
As shown in Figure 18-12, the assistant node sends a Major-Fault packet to the edge
node from Interface3.
Network
Router1 Router2
P
Master
S
Major Ring
Edge
Assistant
Interface3 Block
Sub Ring
S P
Block Master
MAJOR-FAULT
Data Packet
Block
PC
P Primary Interface
S Secondary Interface
3. The master node on the sub-ring unblocks the secondary interface after the Fail timer
expires.
After the edge node blocks its edge interfaces, the path for sub-ring protocol packets is
disconnected because of the failure on the major ring. As a result, the master node on the
sub-ring cannot receive the Hello packet sent by the master node within the specified
period. The master node changes to Failed state and unblocks the secondary interface.
As Figure 18-13 demonstrates, the edge node blocks its edge interfaces. The master
node on the sub-ring unblocks the secondary interface that is blocked in Figure 18-12.
Figure 18-13 Sub-ring disconnected due to the blocked path on the major ring
Network
Router1 Router2
P
Master
S
Major Ring
Edge
Assistant
Interface3 Block
Sub Ring
S P
Master
Data Packet
Block
PC
P Primary Interface
S Secondary Interface
4. The sub-ring protocol packet path recovers.
As Figure 18-14 demonstrates, after the link on the major ring recovers, the
communication between the edge node and assistant edge node recovers, and the path for
the sub-ring protocol packets is recovered. The secondary interface on the sub-ring can
receive the Hello packets sent from the master node. The master node then changes to
Complete state and blocks the secondary interface.
Network
Router1 Router2
P
Master
S
Major Ring
Edge
Assistant
Interface3 Block
Sub Ring
S P
Block Master
Hello
Data Packet
Block
PC
P Primary Interface
S Secondary Interface
As Figure 18-15 demonstrates, the master node on the sub-ring sends a Complete-Flush-
FDB packet. Upon receiving the packet, the edge node unblocks the edge interfaces.
Figure 18-15 Unblocking the edge interfaces on the edge node of the sub-ring
Network
Router1 Router2
P
Master
S
Major Ring
Edge
Assistant
Interface3
Sub Ring
S P
Block Master
Hello
Data Packet
Block
PC
P Primary Interface
S Secondary Interface
Ring Group
In RRPP multi-instance, sub-rings are grouped to reduce the number of received and sent
Edge-Hello packets and to improve system performance.
In the path status detection mechanism for sub-ring protocol packets on the major ring, the
edge node on a sub-ring periodically sends Edge-Hello packets to the two RRPP interfaces on
the major ring to detect the completeness of the path for sub-ring protocol packets.
As Figure 18-16 demonstrates, the edge nodes on multiple sub-rings (sub-ring 2 and sub-ring
3 in domain 1; sub-ring 2 and sub-ring 3 in domain 2) are the same device, and the assistant
edge nodes on the sub-rings are the same device. In addition, edge nodes and assistant edge
nodes connect to the major ring in the same link. The Edge-Hello packets from edge nodes on
the sub-rings arrive at assistant edge nodes along the same path. In this case, the sub-rings
with the same edge nodes and assistant edge nodes can be added into a ring group. A sub-ring
in the ring group is selected to send Edge-Hello packets to detect the path for sub-ring
protocol packets on the major ring. This reduces the number of received and sent Edge-Hello
packets and improves system performance.
Network
Router1 Router2
SwitchC SwitchD
Edge
Assistant SwitchB
SwitchA
SwitchE SwitchF
Master Master
PC1 PC2
domain 1
domain 2
A sub-ring in the ring group is selected to send the Edge-Hello packet in the following
procedure:
1. The sub-rings with the smallest domain ID are selected from all the activated rings in the
ring group on the edge node. In Figure 18-16, the sub-rings with the smallest domain ID
are Ring 2 in Domain 1 and Ring 3 in Domain 1.
2. The smallest ring ID is selected from the rings with the smallest domain ID. The edge
node on the ring with the smallest ring ID then sends Edge-Hello packets. In Figure
18-16, the sub-ring with the smallest ring ID is Ring 2 in Domain 1. Therefore, the edge
node on Ring 2 in Domain 1 sends Edge-Hello packets in the ring group formed by Ring
2 in Domain 1, Ring 3 in Domain 1, Ring 2 in Domain 2, and Ring 3 in Domain 2.
3. When any sub-ring receives an Edge-Hello packet on all the activated rings in the ring
group where assistant edge nodes reside, the sub-ring notifies other sub-rings of the
packet.
VLAN100-200
SwitchE
RRPP ring Backbone
network
VLAN201-400
SwitchB
Block
The device supports multiple RRPP domains on one physical ring. The RRPP protocol in a
domain takes effect for data from its protected VLANs in the domain. Therefore, you can
configure different protected VLANs for each domain. When the master node in a domain
blocks its secondary interface, data from protected VLANs in different domains is transmitted
through different paths. This implements link backup and traffic load balancing.
NOTE
In RRPP implementation, you must configure protected VLANs. The RRPP protocol takes effect for
data only from protected VLANs. The control VLANs and data VLANs are typically configured as
protected VLANs. Loops may occur if data does not belong to the protected VLANs.
As illustrated in Figure 18-18, two domains exist on the RRPP multi-instance ring that
consists of SwitchA, SwitchB, SwitchC, SwitchD, and SwitchE. SwitchC is the master node
in Domain 2 and SwitchD is the master node in Domain 1.
l Instance1 is created in Domain 1, and data in VLANs 100 to 200 is mapped to Instance1
and transmitted along the path SwitchA -> SwitchC -> SwitchE. Master2 (SwitchC)
serves as the master node in Domain 2. The secondary interface on Master2 is blocked.
Only data in VLANs 201 to 400 is blocked and data in VLANs 100 to 200 can pass
through.
l Instance2 is created in Domain 2, and data in VLANs 201 to 400 is mapped to Instance2
and transmitted along the path SwitchB -> SwitchD -> SwitchE. Master1 (SwitchD)
serves as the master node in Domain 1. The secondary interface on Master1 is blocked.
Only data in VLANs 100 to 200 is blocked and data in VLANs 201 to 400 can pass
through.
Instance1:
VLAN 100 - 200
SwitchE
RRPP ring Backbone
network
Instance2:
VLAN 201 - 400
SwitchB P
S(Block) Master1
SwitchD
Block
P Primary interface
S Secondary interface
Instance1:VLAN100-200
Instance2:VLAN201-400
When a node or link is faulty, each RRPP domain independently calculates the topology and
updates forwarding entries on each node.
In Figure 18-19, a fault occurs on the link between SwitchD and SwitchE. This fault does not
affect the transmission path for the packets in VLANs 100 to 200 in Domain 1, but the
transmission path is blocked for the packets in VLANs 201 to 400 in Domain 2.
The master node SwitchC in Domain 2 cannot receive Hello packets on the secondary
interface. As a result, SwitchC unblocks the secondary interface and requests nodes in
Domain 2 to update their forwarding entries. After the topology in Domain 2 re-converges,
the transmission path of the packets in VLANs 201 to 400 changes to SwitchB ->SwitchA -
>SwitchC->SwitchE.
Instance1:
VLAN 100 - 200
SwitchE Backbone
RRPP ring network
Instance2:
VLAN 201 - 400
SwitchB
P
S(Block) Master1
SwitchD Block
P Primary interface
S Secondary interface
Instance1:VLAN100-200
Instance2:VLAN201-400
After the link between SwitchD and SwitchE recovers, SwitchC receives Hello packets on the
secondary interface. As a result, SwitchC blocks the secondary interface and requests nodes in
Domain 2 to update their forwarding entries. After the topology in Domain 2 re-converges,
the packets in VLANs 201 to 400 are switched back to the original path SwitchB ->SwitchD -
>SwitchE.
Transit 2
CE
Master
P
Core Net
CE Transit 1 S
BLOCK MSE/NPE
Data Flow
CE:Customer Edge
MSE:Multi Service Edge
Transit 3 NPE:Network Provider Edge
If RRPP detects a fault on the link between Transit 1 and Transit 2, Master unblocks its
secondary interface and immediately requests that other nodes on the ring update their MAC
address entries and ARP entries. Traffic on the RRPP ring is then switched to the path Transit
1 -> Transit 3 -> Master.
Master
UPE
UPE PE-AGG
RRPP Transit 1
Domain2
Master
PE-AGG
UPE RRPP P IP/MPLS
Domain1 Core
UPE S
UPE Block NPE
RRPP Transit 2
Domain3
PE-AGG
PE-AGG:PE-Aggregation
NPE:Network Provider Edge
Master UPE:Underlayer Provider Edge
UPE
Two tangent rings cannot belong to the same RRPP domain. The tangent point on the tangent
rings is on both rings. The master node on a ring can be the node at the tangent point.
On multiple tangent RRPP rings, the failure of a ring in a domain does not affect other
domains. The convergence process of RRPP rings in the domain is the same as that of a single
ring.
UPE
PE-AGG
Edge Master
Sub PE-AGG
Ring 1
Master
Major P Core Net
Ring S
UPE Sub Block NPE
LANSwitch Ring 2
Assistant
PE-AGG PE-AGG:PE-Aggregation
Master NPE:Network Provider Edge
UPE:Underlayer Provider Edge
CE
The RRPP major ring on the aggregation layer and the RRPP sub-rings belong to the same
RRPP domain.
The major ring and sub-rings have two intersecting points. A node cannot exist on the
intersecting segments. These two nodes can be configured only as transit nodes on the major
ring. On a sub-ring, when one node is the edge node, the other is configured as the assistant
edge node.
Master
UPE1
RRPP Ring
UPE3
PE-AGG NPE
UPE2
intersecting device (UPE1) so that the RRPP network and the STP/RSTP/MSTP network are
used together.
Figure 18-24 Intersecting RRPP rings of multi-instance in a MAN (CEs supporting RRPP
multi-instance)
CE
Master Domain 1 ring 2 Domain 1 ring 1
UPE
Edge UPE
Domain 2
ring 2
PE-AGG
Backbone
network
ring 3 Master
Domain 2
Assistant
UPE
Master UPE
Block
CE Domain 1 ring 3 Instance1: VLAN 101-200
Domain 2 ring 1
Instance2: VLAN 1-100
domain 1
domain 2
UPE: Underlayer Provider Edge NPE: Network Provider Edge
PE-AGG: PE-Aggregation -
Four UPEs and one PE-AGG construct a ring and RRPP multi-instance is configured on the
ring. Traffic on the RRPP ring flows into the backbone network through the PE-AGG.
Two RRPP rings are configured on the four UPEs and the PE-AGG: Ring 1 in Domain 1 and
Ring 1 in Domain 2. Domain 1 processes data in VLANs 101 to 200 and Domain 2 processes
data in VLANs 1 to 100.
Four RRPP rings are configured on the two CEs and two UPEs: Ring 2 in Domain 1, Ring 2
in Domain 2, Ring 3 in Domain 1, and Ring 3 in Domain 2.
Various services are sent to sub-rings. RRPP rings provide master/slave protection and load
balancing for the Layer 2 services in VLANs 1 to 200. When all the nodes and links on the
rings are normal, traffic sent to sub-rings is transmitted along different paths according to the
service VLAN, implementing load balancing.
As Figure 18-25 illustrates, CEs may not support RRPP multi-instance. The major ring
constructed by four UPEs and one PE-AGG belongs to multiple domains; however, the sub-
rings constructed by CEs and UPEs belong to only one domain. Load balancing is not
implemented on the sub-ring, and data in all VLANs is transmitted along the same path on the
sub-ring. After entering the major ring, the traffic sent to sub-rings is transmitted along
different paths according to the service VLAN, implementing load balancing.
Figure 18-25 Intersecting RRPP rings of multi-instance in a MAN (CEs not supporting multi-
instance)
CE
Master Domain 1 ring 1
UPE
Edge UPE
Domain 1
ring 2
PE-AGG
Backbone
network
Master
Domain 1
ring 3
Assistant
UPE
Master UPE
Block
CE Instance1: VLAN 101-200
Domain 2 ring 1
Instance2: VLAN 1-100
domain 1
domain 2
UPE
CE UPE UPE
Domain 1 processes data in VLANs 101 to 200, Domain 2 processes data in VLANs 1 to 100,
and Domain 3 processes data in VLANs 1 to 200.
The RRPP ring on the left side implements master/slave protection and load balancing for the
Layer 2 services in VLANs 1 to 200. When all the nodes and links on the RRPP rings are
normal, traffic sent to rings from CEs is transmitted along different paths according to the
service VLAN, implementing traffic load balancing.
Traffic in VLANs 1 to 200 flows from the tangent node into the RRPP ring on the right side.
2
a nce
inst Backbone
network
CE PE-AGG
Master 1 Block
UPE P Primary interface
P S Secondary interface
S UPE Domain 1
Domain 2
PE-AGG: PE-Aggregation -
Four UPEs and one PE-AGG construct a ring in two domains: Ring 1 in Domain 1 and Ring 1
in Domain 2. Domain 1 processes data in VLANs 101 to 200 and Domain 2 processes data in
VLANs 1 to 100.
Domain 1 maps Instance 1 and Domain 2 maps Instance 2. Services in VLANs 1 to 200 are
sent from CEs.
Service VLANs processed in the two RRPP domains do not overlap and all service VLANs
are processed. Traffic in Domain 1 and Domain 2 is load balanced on the RRPP ring.
UPE UPE
PE-AGG
CE
Backbone
network
Master
UPE UPE
Block
Domain 2 ring 1
Instance1: VLAN 101-200
Instance2: VLAN 1-100
domain 1
domain 2
UPE: Underlayer Provider Edge NPE: Network Provider Edge
PE-AGG: PE-Aggregation -
Four UPEs and one PE-AGG construct a ring. After RRPP multi-instance on the ring is
enabled, traffic flows into the backbone network through the PE-AGG.
Nodes on the RRPP ring and the PE-AGG must support SmartLink.
GE1/0/0.100 GE2/0/0.100
NPED
GE RRPP ring
Control VLAN:100
P User VLAN:10~20
UPEA UPEB
S
data packet
hello packet
P primary interface
S secondary interface
RRPP snooping is enabled on the sub-interface or VLANIF interface of NPED and associated
with other VSIs on the local device. When the RRPP ring is faulty, NPED on the VPLS
network clears the forwarding entries of the VSIs (including the associated VSIs) on the local
node and the forwarding entries of the remote NPEB to re-learn forwarding entries. This
ensures that traffic can be switched to a normal path and downstream traffic can be properly
forwarded.
As Figure 18-30 demonstrates, when the link between NPED and UPEA is faulty, and the
master node UPEA sends a Common-Flush-FDB packet to request that the transit nodes on
the RRPP ring clear their MAC address tables.
Figure 18-30 RRPP and VPLS network (when the RRPP ring is faulty)
NPEB
VPLS NPEC
NPEA
GE1/0/0.100 GE2/0/0.100
NPED
GE RRPP ring
Control VLAN:100
P User VLAN:10~20
UPEA UPEB
S
data packet
COMMON-FLUSH-FDB
P primary interface
S secondary interface
The original MAC address table is not cleared because NPED cannot process the Common-
Flush-FDB packet. If downstream service packets are still sent to UPEA, NPED sends the
packets to UPEA along the original path. This interrupts the downstream traffic between
NPED and NPEA. After UPEB clears the MAC address table, the upstream service packets
sent by UPEA are regarded as unknown unicast packets and are forwarded to the VPLS
network along the path UPEA -> UPEB -> NPED. After re-learning the MAC address, NPED
can forward the downstream traffic destined to UPEA.
When the fault on the RRPP ring is recovered, the master node UPEA sends a Complete-
Flush-FDB packet to request that the transit nodes clear their MAC address tables. The
downstream traffic between NPED and UPEA is interrupted because NPED cannot process
the Complete-Flush-FDB packet.
Figure 18-31 demonstrates that after RRPP snooping is enabled on sub-interfaces
GE1/0/0.100 and GE2/0/0.100 of NPED, NPED can process the Common-Flush-FDB and
Complete-Flush-FDB packets.
Figure 18-31 RRPP and VPLS network (when RRPP snooping is enabled)
NPEB
GE1/0/0.100 GE2/0/0.100
RRPP snooping RRPP snooping
NPED
GE RRPP ring
Control VLAN:100
P User VLAN:10~20
UPEA UPEB
S
data packet
COMMON-FLUSH-FDB
P primary interface
S secondary interface
When the RRPP ring topology changes and NPED receives the Common-Flush-FDB or
Complete-Flush-FDB packet from the master node UPEA, NPED clears the MAC address
table of the VSI associated with sub-interfaces GE1/0/0.100 and GE2/0/0.100. NPED then
requests that other NPEs in this VSI clear their MAC address tables.
If the downstream data packets are still sent to UPEA, the packets are regarded as unknown
unicast packets and are broadcast in the VLAN and sent to UPEA along the path UPED ->
UPEB -> NPEA because NPED cannot find mapping MAC address entries. This ensures
downstream traffic continuity.
Configure RRPP snooping RRPP snooping notifies the 18.7.2 Configuring RRPP
VPLS network of changes in Snooping
an RRPP ring. After RRPP
snooping is enabled on sub-
interfaces or VLANIF
interfaces, the VPLS
network can transparently
transmit RRPP packets,
detect changes in the RRPP
ring, and update forwarding
entries, ensuring that traffic
can be rapidly switched to a
non-blocking path.
License Support
RRPP is a basic feature of a switch and is not under license control.
RRPP snooping can be only used on the device enabled with MPLS. MPLS requires a license.
By default, MPLS of a newly purchased device is disabled. To use MPLS, apply for and
purchase the license from the equipment supplier.
Version Support
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
Context
Data in different VLANs is transmitted on the RRPP ring, including data VLANs and control
VLANs. You need to configure an interface to allow data from these VLANs to pass through,
ensuring data transmission on the ring.
RRPP cannot be configured on an interface configured with Smart Link, Loopback Detection
(LDT), MUX VLAN, or MSTP. Before configuring RRPP, ensure that the interface is not
configured with protocols that conflict with RRPP.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
port link-type hybrid
NOTE
If RRPP snooping is enabled on the VLANIF interface of a VLAN, RRPP-enabled interfaces cannot be
added to the VLAN.
Step 5 Run:
stp disable
----End
Context
A group of interconnected switches configured with the same domain ID and control VLAN
constitute an RRPP domain. Different RRPP domains must be configured with different
domain IDs and control VLANs.
An RRPP domain has two control VLANs, that is, the major control VLAN and sub-control
VLAN. Protocol packets on the major ring are transmitted in the major control VLAN, and
RRPP packets on the sub-rings are transmitted in the sub-control VLAN.
Procedure
Step 1 On each switch in an RRPP domain, run:
system-view
When creating an RRPP domain, specify the domain ID. If the domain to be configured
exists, the domain view is displayed.
Step 3 (Optional) Run:
description text
NOTE
----End
Context
You can map data in VLANs to an instance and configure the instance to the protected VLAN
so that the device can control data in VLANs based on RRPP.
Procedure
Step 1 Run:
system-view
Step 3 Run:
instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>
instance-id in this command must be the same as instance-id used by the protected-instance
command.
NOTE
The control VLANs of the major ring and the sub-rings must be contained in the VLAN list.
To configure the mapping between the instance and MUX VLAN, you are advised to configure the
principal VLAN, and subordinate group VLANs and subordinate separate VLANs of the MUX VLAN
in the same instance. Otherwise, loops may occur.
Step 4 Run:
active region-configuration
----End
Context
The device controls only data in the protected VLANs based on RRPP. Data out of the
protected VLANs may cause storms on the ring network.
Procedure
Step 1 Run:
system-view
Step 2 Run:
rrpp domain domain-id
Step 3 Run:
protected-vlan reference-instance { { instance-id1 [ to instance-id2 ] } &<1-10>
| all }
All the VLANs whose packets need to pass through an RRPP interface, including the control
VLANs and data VLANs, must be configured as protected VLANs.
NOTE
When you configure the list of protected VLANs, note the following points:
l Protected VLANs must be configured before you configure an RRPP ring.
l You can delete or change existing protected VLANs before configuring an RRPP ring. The protected
VLANs cannot be changed after the RRPP ring is configured.
l In the same physical topology, the control VLAN in a domain cannot be configured as a protected
VLAN in another domain.
l The control VLAN must be included in the protected VLANs; otherwise, the RRPP ring cannot be
configured.
l The control VLAN can be mapped to other instances before the RRPP ring is created. After the
RRPP ring is created, the mapping cannot be changed unless you delete the RRPP ring.
l When the mapping between an instance and VLANs changes, the protected VLANs in the RRPP
domain also change.
l All the VLANs allowed by an RRPP interface must be configured as protected VLANs.
----End
Context
The device can use the RRPP version defined by Huawei or the national standard of China.
RRPP defined by Huawei supports some Huawei proprietary protocols. The RRPP version
defined by the national standard of China is provided for users with customized requirements
and the version defined by Huawei is used by other users as required.
The RRPP working mode is set on the master node in the RRPP domain.
NOTE
l Only the RRPP version defined by Huawei supports functions and configurations of edge nodes,
assistant edge nodes, common interfaces, edge interfaces, and ring groups.
l Each node on an RRPP ring must use the same working mode. Otherwise, the entire ring network
cannot be restored after a transit node link recovers.
Procedure
Step 1 Run:
system-view
Step 2 Run:
rrpp working-mode { hw | gb }
hw indicates the RRPP version defined by Huawei; gb indicates the RRPP version defined by
the national standard of China.
----End
Context
You need to manually add nodes to an RRPP ring and configure an interface role for each
node.
The RRPP ring can be activated only when both the RRPP ring and the RRPP protocol are
enabled on all the switches on an RRPP ring.
Prerequisites
STP has been disabled on the interfaces that need to be added to the RRPP ring. (By default,
STP is enabled on all interfaces of the device.)
Procedure
Step 1 Run:
system-view
NOTE
l A domain contains only one major ring. Before creating a sub-ring, you must create the major ring.
l In the RRPP version defined by the national standard of China, the master node on the sub-ring
cannot serve as the assistant edge node. In the RRPP version defined by Huawei, the master node on
the sub-ring cannot server as the edge node or the assistant edge node.
l A maximum of 64 RRPP rings can be configured on a device.
l Before adding an interface to a RRPP ring, disable port security on the interface; otherwise, loops
cannot be prevented.
Step 4 Configuring an RRPP sub-ring using the following commands based on versions
l For the RRPP version defined by the national standard of China:
Run:
ring ring-id node-mode transit secondary-port interface-type interface-number
Run:
ring ring-id node-mode { assistant-edge | edge } common-port interface-type
interface-number edge-port interface-type interface-number
An edge node and an assistant edge node on the RRPP sub-ring are configured.
In the RRPP version defined by Huawei, you need to configure an edge node and an
assistant edge node for an RRPP sub-ring.
The common interfaces on the edge node and assistant edge node must be located on the
major ring.
The system automatically sets the level of the ring where the edge node and assistant
edge node reside to 1.
Step 5 Run:
ring ring-id enable
----End
Context
After the RRPP ring is enabled, you need to enable the RRPP protocol for devices on the
RRPP ring so that RRPP can work properly.
Procedure
Step 1 Run:
system-view
RRPP is enabled.
----End
Context
To reduce the number of received and sent Edge-Hello packets, you can use a ring group,
which is a group of sub-rings with the same configuration of edge nodes or assistant edge
nodes are added to the ring group.
Procedure
Step 1 On the edge node or assistant edge node, run:
system-view
Step 2 Run:
rrpp ring-group ring-group-id
----End
18.7.1.9 (Optional) Setting the Values of the Hello Timer and Fail Timer in an
RRPP Domain
Context
The Hello timer and Fail timer are used when the master node sends and receives RRPP
packets. The value of the Hello timer specifies the interval at which the master node sends
Hello packets from the primary interface. The value of the Fail timer specifies the maximum
delay in which the primary interface on the master node sends a Hello packet and the
secondary interface receives the Hello packet.
You only need to set the values of the Hello timer and Fail timer on the master node in an
RRPP domain.
Procedure
Step 1 Run:
system-view
The values of the Hello timer and the Fail timer in an RRPP domain are set.
The value of the Fail timer must be no smaller than three times the value of the Hello timer.
By default, the value of the Hello timer on an edge node is half of the value of the Hello timer
on the master node of the major ring.
The values of both the Hello timer and Fail timer must be set the same on each node in an
RRPP domain; otherwise, edge interfaces on the edge nodes may be unstable.
It is recommended that the value of the Fail timer be configured based on the actual
networking. If the value of the Fail timer is incorrect, for example, the value is too small,
loops may occur.
----End
Context
After the value of the Link-Up timer is set, the RRPP link does not immediately change its
status but changes the status when the Link-Up timer times out. This reduces flapping of the
link status.
You only need to set the value of the Link-Up timer on the master node.
Procedure
Step 1 On the master node, run:
system-view
The value of the Link-Up timer is set for the RRPP link.
The value set by the linkup-delay-timer-value command must be no larger than the value of
the Fail timer minus twice the value of the Hello timer. The default value of the Link-Up
timer is 0.
----End
Procedure
l Run the display stp region-configuration command to check the mapping between
MSTIs and VLANs.
l Run the display rrpp brief [ domain domain-id ] command to check summary
information about an RRPP domain.
l Run the display rrpp verbose domain domain-id [ ring ring-id ] command to check
detailed information about an RRPP domain.
l Run the display rrpp statistics domain domain-id [ ring ring-id ] command to check
the statistics on packets in an RRPP domain.
----End
Prerequisites
Before configuring RRPP snooping, complete the following tasks:
l Configure a VPLS network.
l Configure RRPP.
Context
When RRPP snooping is enabled on an interface, the status of the RRPP ring can be detected
through RRPP control packets. When the status of the RRPP ring changes, the interface
requests the VSI bound to the interface to update its MAC address table.
NOTE
RRPP and RRPP snooping cannot be simultaneously configured on the same interface.
Configure RRPP snooping only on the node connecting the RRPP ring to the VPLS network.
Procedure
Step 1 Run:
system-view
----End
Context
If you associate an RRPP snooping-enabled sub-interface or VLANIF interface with another
VSI on the device, the interface notifies the associated VSI of changes of the RRPP ring
status. In this way, the VSI can immediately update the MAC address table.
You only need to configure the VSI associated with RRPP snooping on the NPE node
connecting the RRPP ring to the VPLS network.
Procedure
Step 1 Run:
system-view
The VSI associated with RRPP snooping is configured on the sub-interface or VLANIF
interface.
l Run:
rrpp snooping all-vsi
VSIs that are bound to all the other sub-interfaces connected to the same main interface
are automatically associated on the sub-interface.
NOTE
The rrpp snooping vsi vsi-name command associates the interface with only one VSI at a time. To
associate the sub-interface or VLANIF interface with multiple VSIs, run this command multiple times.
----End
Procedure
l Run the display rrpp snooping enable { all | interface vlanif interface-number } or the
display rrpp snooping enable { all | interface interface-type interface-
number.subinterface-number } command to check the interfaces that are enabled with
RRPP snooping.
l Run the display rrpp snooping vsi { all | interface vlanif interface-number } or the
display rrpp snooping vsi { all | interface interface-type interface-number.subinterface-
number } command to check the VSIs associated with RRPP snooping.
----End
Context
You can set the RRPP statistics to 0 for collecting new statistics about RRPP packets.
NOTICE
RRPP statistics cannot be restored after you clear them. Therefore, exercise caution when you
run the command.
Procedure
Step 1 Run the reset rrpp statistics domain domain-id [ ring ring-id ] command in the user view to
clear RRPP statistics.
----End
Networking Requirements
As shown in Figure 18-32, SwitchA, SwitchB, and SwitchC constitute a ring network. The
network is required to prevent loops when the ring is complete and implement fast
convergence to rapidly restore communication between nodes on the ring when the ring fails.
You can enable RRPP on SwitchA, SwitchB, and SwitchC to meet this requirement.
GE2/0/2
GE2/0/1 GE2/0/1
Ring 1
GE2/0/2 GE2/0/2 SwitchC
GE2/0/1
SwitchA
Primary interface
Secondary interface
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interfaces to be added to the RRPP domain on the devices so that data can
pass through the interfaces. Disable protocols that conflict with RRPP, such as STP.
2. Create an RRPP domain and its control VLAN.
3. Map data that needs to pass through the VLANs on the RRPP ring to Instance 1,
including data VLANs 100 to 300 and control VLANs 20 and 21 (VLAN 21 is the sub-
control VLAN generated by the device).
4. In the RRPP domain, configure a protected VLAN, create an RRPP ring and configure
SwitchA, SwitchB, and SwitchC as nodes on Ring 1 in Domain 1. Configure SwitchA as
the master node on Ring 1, and configure SwitchB and SwitchC as transit nodes on Ring
1.
5. Enable the RRPP ring and RRPP protocol on devices to make RRPP take effect.
Procedure
Step 1 Create an RRPP domain and its control VLAN.
# Configure SwitchA. The configurations on SwitchB and SwitchC are similar to that on
SwitchA and not mentioned here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
Step 2 Map Instance 1 to control VLANs 20 and 21 and data VLANs 100 to 300.
# Configure SwitchA. The configurations on SwitchB and SwitchC are the same as that of
SwitchA and not mentioned here. For details, see the configuration files.
[SwitchA] vlan batch 100 to 300
[SwitchA] stp region-configuration
[SwitchA-mst-region] instance 1 vlan 20 21 100 to 300
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
Step 3 Configure the interfaces to be added to the RRPP ring as trunk interfaces, allow data VLANs
100 to 300 to pass through the interfaces, and disable STP on the interfaces.
# Configure SwitchA. The configurations on SwitchB and SwitchC are the same as that
ofSwitchA and not mentioned here. For details, see the configuration files.
[SwitchA] interface gigabitethernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] port link-type trunk
[SwitchA-GigabitEthernet2/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet2/0/1] port trunk allow-pass vlan 100 to 300
[SwitchA-GigabitEthernet2/0/1] stp disable
[SwitchA-GigabitEthernet2/0/1] quit
[SwitchA] interface gigabitethernet 2/0/2
[SwitchA-GigabitEthernet2/0/2] port link-type trunk
[SwitchA-GigabitEthernet2/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet2/0/2] port trunk allow-pass vlan 100 to 300
[SwitchA-GigabitEthernet2/0/2] stp disable
[SwitchA-GigabitEthernet2/0/2] quit
Step 4 Specify a protected VLAN, and create and enable an RRPP ring.
# Configure SwitchA.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchA-rrpp-domain-region1] ring 1 node-mode master primary-port
gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchA-rrpp-domain-region1] ring 1 enable
[SwitchA-rrpp-domain-region1] quit
# Configure SwitchB.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchB-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchB-rrpp-domain-region1] ring 1 enable
[SwitchB-rrpp-domain-region1] quit
# Configure SwitchC.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchC-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchC-rrpp-domain-region1] ring 1 enable
[SwitchC-rrpp-domain-region1] quit
Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
The command output shows that RRPP is enabled on SwitchA, the major control VLAN of
domain 1 is VLAN 20 and the sub-control VLAN is VLAN 21, and SwitchA is the master
node on Ring 1. The primary interface is GigabitEthernet2/0/1 and the secondary interface is
GigabitEthernet2/0/2.
# Run the display rrpp verbose domain command on SwitchA. The command output is as
follows:
[SwitchA] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet2/0/1 Port status: UP
Secondary port : GigabitEthernet2/0/2 Port status: BLOCKED
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet2/0/1 secondary-port
GigabitEthernet2/0/2 level 0
ring 1 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
l SwitchB configuration file
#
sysname SwitchB
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port
GigabitEthernet2/0/2 level 0
ring 1 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
l SwitchC configuration file
#
sysname SwitchC
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
Networking Requirements
A metro Ethernet network uses two-layer rings: one is the aggregation layer between
aggregation devices PE-AGGs and the other is the access layer between PE-AGGs and UPEs.
Figure 18-33 Networking diagram of intersecting RRPP rings with a single instance
RRPP Domain
UPE1 PE-AGG2
Edge Master
Sub PE-AGG1
Ring 1
Master
Major P Core Net
Ring S
UPE Sub Block NPE
LANSwitch Ring 2
Assistant
PE-AGG3 PE-AGG:PE-Aggregation
Master NPE:Network Provider Edge
UPE:Underlayer Provider Edge
CE
As shown in Figure 18-33, the network is required to prevent loops when the ring is complete
and implement fast convergence to rapidly restore communication between nodes on the ring
when the ring fails. RRPP can meet this requirement. RRPP supports multiple rings. You can
configure the aggregation layer as the major ring and the access layer as the sub-ring,
simplifying the network configuration. To enable devices from different vendors to
communicate with each other on the network, you can use the RRPP version defined by the
national standard of China.
As shown in Figure 18-34, SwitchB, SwitchA, SwitchD, and SwitchC map PE-AGG1, PE-
AGG2, PE-AGG3, and UPE1 in Figure 18-33 respectively. Figure 18-34 is used as an
example to describe how to configure intersecting RRPP rings with a single instance in the
RRPP version defined by national standard of China.
Figure 18-34 Networking diagram of intersecting RRPP rings with a single instance (RRPP
defined by the national standard of China)
SwitchA
GE1/0/3 GE1/0/1
GE1/0/3 GE1/0/1
SwitchD
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interfaces to be added to the RRPP domain on the devices so that data can
pass through the interfaces. Disable protocols that conflict with RRPP, such as STP.
2. Create an RRPP domain and its control VLAN.
3. Map the VLANs that needs to pass through the RRPP ring to Instance 1, including data
VLANs 2 to 9 and control VLANs 10 and 11 (VLAN 11 is the sub-control VLAN
generated by the device).
4. Configure the devices to use the RRPP version defined by the national standard of
China.
5. Configure a protected VLAN and create an RRPP ring in the RRPP domain.
a. Configure Ring 1 (major ring) in RRPP Domain 1 on SwitchA, SwitchB, and
SwitchD.
b. Configure Ring 2 (sub-ring) in RRPP Domain 1 on SwitchA, SwitchC, and
SwitchD.
c. Configure SwitchB as the master node on the major ring and configure SwitchA
and SwitchD as transit nodes on the major ring.
d. Configure SwitchC as the master node on the sub-ring and configure SwitchA and
SwitchD as edge transit nodes on the sub-ring.
6. Enable the RRPP ring and RRPP protocol on devices to make RRPP take effect.
Procedure
Step 1 Configure SwitchB as the master node on the major ring.
# Configure Instance 1, and map it to the data VLANs and control VLANs allowed by the
RRPP interface.
[SwitchB] stp region-configuration
[SwitchB-mst-region] instance 1 vlan 2 to 11
[SwitchB-mst-region] active region-configuration
[SwitchB-mst-region] quit
# Configure Domain 1 on SwitchB. Configure VLAN 10 as the major control VLAN and bind
Instance 1 to the protected VLAN in Domain 1.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] control-vlan 10
[SwitchB-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchB-rrpp-domain-region1] quit
# Disable STP on the interface to be added to the RRPP ring and configure the RRPP
interface as a trunk interface to allow data from VLANs 2 to 9 to pass through.
[SwitchB] interface gigabitethernet 2/0/1
[SwitchB-GigabitEthernet2/0/1] port link-type trunk
[SwitchB-GigabitEthernet2/0/1] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet2/0/1] port trunk allow-pass vlan 2 to 9
[SwitchB-GigabitEthernet2/0/1] stp disable
[SwitchB-GigabitEthernet2/0/1] quit
[SwitchB] interface gigabitethernet 2/0/2
[SwitchB-GigabitEthernet2/0/2] port link-type trunk
[SwitchB-GigabitEthernet2/0/2] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet2/0/2] port trunk allow-pass vlan 2 to 9
[SwitchB-GigabitEthernet2/0/2] stp disable
[SwitchB-GigabitEthernet2/0/2] quit
# Configure SwitchB to use the RRPP version defined by the national standard of China.
[SwitchB] rrpp working-mode gb
# Configure the primary interface and secondary interface on the master node of the major
ring.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] ring 1 node-mode master primary-port
gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchB-rrpp-domain-region1] ring 1 enable
[SwitchB-rrpp-domain-region1] quit
# Configure Instance 1, and map it to the data VLANs and control VLANs allowed by the
RRPP interface.
[SwitchC] stp region-configuration
[SwitchC-mst-region] instance 1 vlan 2 to 11
[SwitchC-mst-region] active region-configuration
[SwitchC-mst-region] quit
# Configure Domain 1 on SwitchC. Configure VLAN 10 as the major control VLAN and bind
Instance 1 to the protected VLAN in Domain 1.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] control-vlan 10
[SwitchC-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchC-rrpp-domain-region1] quit
# Disable STP on the interface to be added to the RRPP ring and configure the RRPP
interface as a trunk interface to allow data from VLANs 2 to 9 to pass through.
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 9
[SwitchC-GigabitEthernet1/0/1] stp disable
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-type trunk
[SwitchC-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 9
[SwitchC-GigabitEthernet1/0/2] stp disable
[SwitchC-GigabitEthernet1/0/2] quit
# Configure SwitchC to use the RRPP version defined by the national standard of China.
[SwitchC] rrpp working-mode gb
# Configure the primary interface and secondary interface on the master node of the sub-ring.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] ring 2 node-mode master primary-port
gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 1
[SwitchC-rrpp-domain-region1] ring 2 enable
[SwitchC-rrpp-domain-region1] quit
Step 3 Configure SwitchA as the transit node on the major ring and the edge node on the sub-ring.
# Create data VLANs 2 to 9 on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 to 9
# Configure Instance 1, and map it to the data VLANs and control VLANs allowed by the
RRPP interface.
[SwitchA] stp region-configuration
[SwitchA-mst-region] instance 1 vlan 2 to 11
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
# Configure Domain 1 on SwitchA. Then configure VLAN 10 as the major control VLAN
and bind Instance 1 to protected VLANs in Domain 1.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] control-vlan 10
[SwitchA-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchA-rrpp-domain-region1] quit
# Disable STP on the interface to be added to the RRPP ring and configure the RRPP
interface as a trunk interface to allow data from VLANs 2 to 9 to pass through.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 9
[SwitchA-GigabitEthernet1/0/1] stp disable
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 9
[SwitchA-GigabitEthernet1/0/2] stp disable
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
# Configure SwitchA to use the RRPP version defined by the national standard of China.
[SwitchA] rrpp working-mode gb
# Configure the primary interface and secondary interface on the transit node of the major
ring.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitethernet 1/0/2 secondary-port gigabitethernet 1/0/1 level 0
[SwitchA-rrpp-domain-region1] ring 1 enable
[SwitchA-rrpp-domain-region1] quit
# Configure the edge interface of the edge transit node on the sub-ring.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] ring 2 node-mode transit secondary-port
gigabitethernet 1/0/3
[SwitchA-rrpp-domain-region1] ring 2 enable
[SwitchA-rrpp-domain-region1] quit
Step 4 Configure SwitchD as the transit node on the major ring and the edge node on the sub-ring.
# Create data VLANs 2 to 9 on SwitchD.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] vlan batch 2 to 9
# Configure Instance 1, and map it to the data VLANs and control VLANs allowed by the
RRPP interface.
[SwitchD] stp region-configuration
[SwitchD-mst-region] instance 1 vlan 2 to 11
[SwitchD-mst-region] active region-configuration
[SwitchD-mst-region] quit
# On SwitchD, configure Domain 1. Configure VLAN 10 as the major control VLAN and
bind Instance 1 to the protected VLAN in Domain 1.
[SwitchD] rrpp domain 1
[SwitchD-rrpp-domain-region1] control-vlan 10
[SwitchD-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchD-rrpp-domain-region1] quit
# Disable STP on the interface to be added to the RRPP ring and configure the RRPP
interface as a trunk interface.
[SwitchD] interface gigabitethernet 1/0/1
[SwitchD-GigabitEthernet1/0/1] port link-type trunk
[SwitchD-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchD-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 9
[SwitchD-GigabitEthernet1/0/1] stp disable
[SwitchD-GigabitEthernet1/0/1] quit
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] port link-type trunk
[SwitchD-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchD-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 9
[SwitchD-GigabitEthernet1/0/2] stp disable
[SwitchD-GigabitEthernet1/0/2] quit
[SwitchD] interface gigabitethernet 1/0/3
[SwitchD-GigabitEthernet1/0/3] port link-type trunk
[SwitchD-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[SwitchD-GigabitEthernet1/0/3] port trunk allow-pass vlan 2 to 9
# Configure SwitchD to use the RRPP version defined by the national standard of China.
[SwitchD] rrpp working-mode gb
# Configure the primary interface and secondary interface on the transit node of the major
ring.
[SwitchD] rrpp domain 1
[SwitchD-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitethernet 1/0/2 secondary-port gigabitethernet 1/0/1 level 0
[SwitchD-rrpp-domain-region1] ring 1 enable
[SwitchD-rrpp-domain-region1] quit
# Configure the edge interface of the edge transit node on the sub-ring.
[SwitchD] rrpp domain 1
[SwitchD-rrpp-domain-region1] ring 2 node-mode transit secondary-port
gigabitethernet 1/0/3
[SwitchD-rrpp-domain-region1] ring 2 enable
[SwitchD-rrpp-domain-region1] quit
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
The command output shows that RRPP is enabled on SwitchB. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11; SwitchB is the master node on the major
ring, with GE2/0/1 as the primary interface and GE2/0/2 as the secondary interface.
# Run the display rrpp verbose domain command on SwitchB. The command output is as
follows:
[SwitchB] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet2/0/1 Port status: UP
Secondary port : GigabitEthernet2/0/2 Port status: BLOCKED
The command output shows that the ring is in Complete state, and the secondary interface on
the master node is blocked.
# Run the display rrpp brief command on SwitchC. The command output is as follows:
[SwitchC] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , EM - Edge Master, ET - Edge Transit
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
The command output shows that RRPP is enabled on SwitchC. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11. SwitchC is the master node on the sub-
ring, with GE1/0/1 as the primary interface and GE1/0/2 as the secondary interface.
# Run the display rrpp verbose domain command on SwitchC. The command output is as
follows:
[SwitchC] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 2
Ring Level : 1
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/1 Port status: UP
Secondary port : GigabitEthernet1/0/2 Port status: BLOCKED
You can find that the sub-ring is in Complete state, and the secondary interface of the master
node on the sub-ring is blocked.
# Run the display rrpp brief command on SwitchA. The command output is as follows:
[SwitchA] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , EM - Edge Master, ET - Edge Transit
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
The command output shows that RRPP is enabled on SwitchA. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11. SwitchA is the master node on the major
ring, with GE1/0/2 as the primary interface and GE1/0/1 as the secondary interface.
SwitchA is also the edge transit node on the sub-ring, with GE1/0/3 as the edge interface.
# Run the display rrpp verbose domain command on SwitchA. The command output is as
follows:
[SwitchA] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/2 Port status: UP
Secondary port : GigabitEthernet1/0/1 Port status: UP
RRPP Ring : 2
Ring Level : 1
Node Mode : Edge Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/2 Port status: UP
GigabitEthernet1/0/1 Port status: UP
Secondary port : GigabitEthernet1/0/3 Port status: UP
# Run the display rrpp brief command on SwitchD. The command output is as follows:
[SwitchD] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , EM - Edge Master, ET - Edge Transit
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
The command output shows that RRPP is enabled on SwitchD. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11. SwitchD is the transit node on the major
ring, with GE1/0/2 as the primary interface and GE1/0/1 as the secondary interface. SwitchD
is also the edge transit node on the sub-ring, with GE1/0/3 as the edge interface.
# Run the display rrpp verbose domain command on SwitchD. The command output is as
follows:
[SwitchD] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/2 Port status: UP
Secondary port : GigabitEthernet1/0/1 Port status: UP
RRPP Ring : 2
Ring Level : 1
Node Mode : Edge Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/2 Port status: UP
GigabitEthernet1/0/1 Port status: UP
Secondary port : GigabitEthernet1/0/3 Port status: UP
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 11
#
rrpp enable
rrpp working-mode GB
#
stp region-
configuration
instance 1 vlan 2 to 11
active region-
configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port Gigabitethernet1/0/2 secondary-port
Gigabitethernet1/0/1 level 0
ring 1 enable
ring 2 node-mode transit secondary-port Gigabitethernet1/0/3
ring 2 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 11
stp disable
#
interface GigabitEthernet1/0/2
stp region-
configuration
instance 1 vlan 2 to 11
active region-
configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
ring 1 node-mode master primary-port Gigabitethernet2/0/1 secondary-port
Gigabitethernet2/0/2 level 0
ring 1 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 11
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 11
stp disable
#
return
l SwitchC configuration file
#
sysname SwitchC
#
vlan batch 2 to 11
#
rrpp enable
rrpp working-mode GB
#
stp region-
configuration
instance 1 vlan 2 to 11
active region-
configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
ring 2 node-mode master primary-port GigabitEthernet1/0/1 secondary-port
GigabitEthernet1/0/2 level 1
ring 2 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 9 11
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 9 11
stp disable
#
return
stp region-
configuration
instance 1 vlan 2 to 11
active region-
configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/2 secondary-port
GigabitEthernet1/0/1 level 0
ring 1 enable
ring 2 node-mode transit secondary-port GigabitEthernet1/0/3
ring 2 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 11
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 11
stp disable
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 9 11
stp disable
#
return
Networking Requirements
A metro Ethernet network uses two-layer rings: one is the aggregation layer between
aggregation devices PE-AGGs and the other is the access layer between PE-AGGs and UPEs.
Figure 18-35 Networking diagram of intersecting RRPP rings with a single instance
RRPP Domain
UPE1 PE-AGG2
Edge Master
Sub PE-AGG1
Ring 1
Master
Major P Core Net
Ring S
UPE Sub Block NPE
LANSwitch Ring 2
Assistant
PE-AGG3 PE-AGG:PE-Aggregation
Master NPE:Network Provider Edge
UPE:Underlayer Provider Edge
CE
As shown in Figure 18-35, the network is required to prevent loops when the ring is complete
and implement fast convergence to rapidly restore communication between nodes on the ring
when the ring fails. RRPP can meet this requirement. RRPP supports multiple rings. You can
configure the aggregation layer as the major ring and the access layer as the sub-ring,
simplifying the network configuration. All the devices on the network are Huawei devices;
therefore, the RRPP version defined by Huawei is used.
As shown in Figure 18-36, SwitchB, SwitchA, SwitchD, and SwitchC map PE-AGG1, PE-
AGG2, PE-AGG3, and UPE1 in Figure 18-35 respectively. Figure 18-36 is used as an
example to describe how to configure intersecting RRPP rings with a single instance in the
RRPP version defined by Huawei.
Figure 18-36 Networking diagram of intersecting RRPP rings with a single instance (RRPP
defined by Huawei)
SwitchA
GE1/0/3 GE1/0/1
GE1/0/3 GE1/0/1
SwitchD
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure SwitchB as the master node on the major ring.
# Configure instance 1, and map it to the data VLANs and control VLANs allowed by the
RRPP interface.
[SwitchB] stp region-configuration
[SwitchB-mst-region] instance 1 vlan 2 to 11
[SwitchB-mst-region] active region-configuration
[SwitchB-mst-region] quit
# Configure Domain 1 on SwitchB. Configure VLAN 10 as the major control VLAN and bind
Instance 1 to the protected VLAN in Domain 1.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] control-vlan 10
[SwitchB-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchB-rrpp-domain-region1] quit
# Configure the RRPP interface as a trunk interface to allow data from VLANs 2 to 9 to pass
through and disable STP on the interface to be added to the RRPP ring.
[SwitchB] interface gigabitethernet 2/0/1
[SwitchB-GigabitEthernet2/0/1] port link-type trunk
[SwitchB-GigabitEthernet2/0/1] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet2/0/1] port trunk allow-pass vlan 2 to 9
[SwitchB-GigabitEthernet2/0/1] stp disable
[SwitchB-GigabitEthernet2/0/1] quit
[SwitchB] interface gigabitethernet 2/0/2
[SwitchB-GigabitEthernet2/0/2] port link-type trunk
[SwitchB-GigabitEthernet2/0/2] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet2/0/2] port trunk allow-pass vlan 2 to 9
[SwitchB-GigabitEthernet2/0/2] stp disable
[SwitchB-GigabitEthernet2/0/2] quit
# Configure the primary interface and secondary interface on the master node of the major
ring.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] ring 1 node-mode master primary-port
gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchB-rrpp-domain-region1] ring 1 enable
[SwitchB-rrpp-domain-region1] quit
# Configure Instance 1, and map it to the data VLANs and control VLANs allowed by the
RRPP interface.
[SwitchC] stp region-configuration
[SwitchC-mst-region] instance 1 vlan 2 to 11
[SwitchC-mst-region] active region-configuration
[SwitchC-mst-region] quit
# Configure Domain 1 on SwitchC. Configure VLAN 10 as the major control VLAN and bind
Instance 1 to the protected VLAN in Domain 1.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] control-vlan 10
[SwitchC-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchC-rrpp-domain-region1] quit
# Disable STP on the interface to be added to the RRPP ring and configure the RRPP
interface as a trunk interface to allow data from VLANs 2 to 9 to pass through.
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 9
[SwitchC-GigabitEthernet1/0/1] stp disable
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-type trunk
[SwitchC-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 9
[SwitchC-GigabitEthernet1/0/2] stp disable
[SwitchC-GigabitEthernet1/0/2] quit
# Configure the primary interface and secondary interface on the master node of the sub-ring.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] ring 2 node-mode master primary-port
gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 1
[SwitchC-rrpp-domain-region1] ring 2 enable
[SwitchC-rrpp-domain-region1] quit
Step 3 Configure SwitchA as the transit node on the major ring and the edge node on the sub-ring.
# Configure Instance 1, and map it to the data VLANs and control VLANs allowed by the
RRPP interface.
# Configure Domain 1 on SwitchA. Configure VLAN 10 as the major control VLAN and
bind Instance 1 to the protected VLAN in Domain 1.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] control-vlan 10
[SwitchA-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchA-rrpp-domain-region1] quit
# Disable STP on the interface to be added to the RRPP ring and configure the RRPP
interface as a trunk interface to allow data from VLANs 2 to 9 to pass through.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 9
[SwitchA-GigabitEthernet1/0/1] stp disable
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 9
[SwitchA-GigabitEthernet1/0/2] stp disable
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 2 to 9
[SwitchA-GigabitEthernet1/0/3] stp disable
[SwitchA-GigabitEthernet1/0/3] quit
# Configure the primary interface and secondary interface on the transit node of the major
ring.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitethernet 1/0/2 secondary-port gigabitethernet 1/0/1 level 0
[SwitchA-rrpp-domain-region1] ring 1 enable
[SwitchA-rrpp-domain-region1] quit
# Configure the common interface and edge interface on the edge node of the sub-ring.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] ring 2 node-mode edge common-port gigabitethernet
1/0/2 edge-port gigabitethernet 1/0/3
[SwitchA-rrpp-domain-region1] ring 2 enable
[SwitchA-rrpp-domain-region1] quit
Step 4 Configure SwitchD as the transit node on the major ring and the assistant edge node on the
sub-ring.
# Create data VLANs 2 to 9 on SwitchD.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] vlan batch 2 to 9
# Configure Instance 1, and map it to the data VLANs and control VLANs allowed by the
RRPP interface.
[SwitchD] stp region-configuration
[SwitchD-mst-region] instance 1 vlan 2 to 11
[SwitchD-mst-region] active region-configuration
[SwitchD-mst-region] quit
# On SwitchD, configure Domain 1. Configure VLAN 10 as the major control VLAN and
bind Instance 1 to the protected VLAN in Domain 1.
[SwitchD] rrpp domain 1
[SwitchD-rrpp-domain-region1] control-vlan 10
[SwitchD-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchD-rrpp-domain-region1] quit
# Disable STP on the interface to be added to the RRPP ring, configure the RRPP interface as
a trunk interface, and configure the interfaces to allow service packets of VLAN 2 to VLAN 9
to pass through.
[SwitchD] interface gigabitethernet 1/0/1
[SwitchD-GigabitEthernet1/0/1] port link-type trunk
[SwitchD-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchD-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 9
[SwitchD-GigabitEthernet1/0/1] stp disable
[SwitchD-GigabitEthernet1/0/1] quit
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] port link-type trunk
[SwitchD-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchD-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 9
[SwitchD-GigabitEthernet1/0/2] stp disable
[SwitchD-GigabitEthernet1/0/2] quit
[SwitchD] interface gigabitethernet 1/0/3
[SwitchD-GigabitEthernet1/0/3] port link-type trunk
[SwitchD-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[SwitchD-GigabitEthernet1/0/3] port trunk allow-pass vlan 2 to 9
[SwitchD-GigabitEthernet1/0/3] stp disable
[SwitchD-GigabitEthernet1/0/3] quit
# Configure the primary interface and secondary interface on the transit node of the major
ring.
[SwitchD] rrpp domain 1
[SwitchD-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitethernet 1/0/2 secondary-port gigabitethernet 1/0/1 level 0
[SwitchD-rrpp-domain-region1] ring 1 enable
[SwitchD-rrpp-domain-region1] quit
# Configure the common interface and edge interface on the assistant edge node of the sub-
ring.
[SwitchD] rrpp domain 1
[SwitchD-rrpp-domain-region1] ring 2 node-mode assistant-edge common-port
gigabitethernet 1/0/2 edge-port gigabitethernet 1/0/3
[SwitchD-rrpp-domain-region1] ring 2 enable
[SwitchD-rrpp-domain-region1] quit
Step 5 Configure the devices to use the default RRPP version defined by Huawei.
# Configure SwitchA. The configurations on SwitchB, SwitchC, and SwitchD are the same as
that of SwitchA and not mentioned here. For details, see the configuration files.
[SwitchA] rrpp working-mode hw
# Run the display rrpp brief command on SwitchB. The command output is as follows:
[SwitchB] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
The command output shows that RRPP is enabled on SwitchB. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11; SwitchB is the master node on the major
ring, with GE2/0/1 as the primary interface and GE2/0/2 as the secondary interface.
# Run the display rrpp verbose domain command on SwitchB. The command output is as
follows:
[SwitchB] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet2/0/1 Port status: UP
Secondary port : GigabitEthernet2/0/2 Port status: BLOCKED
The command output shows that the ring is in Complete state, and the secondary interface on
the master node is blocked.
# Run the display rrpp brief command on SwitchC. The command output is as follows:
[SwitchC] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
You can find that RRPP is enabled on SwitchC. The major control VLAN is VLAN 10, and
the sub-control VLAN is VLAN 11; SwitchC is the master node on the sub-ring, with
GE1/0/1 as the primary interface and GE1/0/2 as the secondary interface.
# Run the display rrpp verbose domain command on SwitchC. The command output is as
follows:
[SwitchC] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 2
Ring Level : 1
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/1 Port status: UP
Secondary port : GigabitEthernet1/0/2 Port status: BLOCKED
The command output shows that the sub-ring is in Complete state, and the secondary interface
on the master node of the sub-ring is blocked.
# Run the display rrpp brief command on SwitchA. The command output is as follows:
[SwitchA] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
The command output shows that RRPP is enabled on SwitchA. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11. SwitchA is the transit node on the major
ring. The primary interface is GE10/2 and the secondary interface is GE1/0/1.
SwitchA is also the edge node on the sub-ring, with GE1/0/2 as the common interface and
GE1/0/3 as the edge interface.
# Run the display rrpp verbose domain command on SwitchA. The command output is as
follows:
[SwitchA] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
RRPP Ring : 2
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Common port : GigabitEthernet1/0/2 Port status: UP
Edge port : GigabitEthernet1/0/3 Port status: UP
# Run the display rrpp brief command on SwitchD. The command output is as follows:
[SwitchD] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
The command output shows that RRPP is enabled on SwitchD. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11. SwitchD is the transit node on the major
ring, with GE1/0/2 as the primary interface and GE1/0/1 as the secondary interface. SwitchD
is also the assistant edge node on the sub-ring, with GE1/0/2 as the common interface and
GE1/0/3 as the edge interface.
# Run the display rrpp verbose domain command on SwitchD. The command output is as
follows:
[SwitchD] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/2 Port status: UP
Secondary port : GigabitEthernet1/0/1 Port status: UP
RRPP Ring : 2
Ring Level : 1
Node Mode : Assistant-edge
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Common port : GigabitEthernet1/0/2 Port status: UP
Edge port : GigabitEthernet1/0/3 Port status: UP
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 11
#
rrpp enable
#
stp region-configuration
instance 1 vlan 2 to 11
active region-configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/2 secondary-port
GigabitEthernet1/0/1 level 0
ring 1 enable
ring 2 node-mode edge common-port GigabitEthernet1/0/2 edge-port
GigabitEthernet1/0/3
ring 2 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 11
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 11
stp disable
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 9 11
stp disable
#
return
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 11
stp disable
#
return
l SwitchC configuration file
#
sysname SwitchC
#
vlan batch 2 to 11
#
rrpp enable
#
stp region-configuration
instance 1 vlan 2 to 11
active region-configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
ring 2 node-mode master primary-port GigabitEthernet1/0/1 secondary-port
GigabitEthernet1/0/2 level 1
ring 2 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 9 11
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 9 11
stp disable
#
return
l SwitchD configuration file
#
sysname SwitchD
#
vlan batch 2 to 11
#
rrpp enable
#
stp region-configuration
instance 1 vlan 2 to 11
active region-configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/2 secondary-port
GigabitEthernet1/0/1 level 0
ring 1 enable
ring 2 node-mode assistant-edge common-port GigabitEthernet1/0/2 edge-port
GigabitEthernet1/0/3
ring 2 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 11
stp disable
#
interface GigabitEthernet1/0/2
Networking Requirements
A metro Ethernet network uses two-layer rings:
l One layer is the aggregation layer between aggregation devices PE-AGGs, such as RRPP
Domain 1 in Figure 18-37.
l The other layer is the access layer between PE-AGGs and UPEs, such as RRPP Domain
2 and RRPP Domain 3 in Figure 18-37.
Master
UPE1
UPE2 PE-AGG3
RRPP Transit 1
Domain2
Master
PE-AGG1
UPE RRPP P IP/MPLS
Domain1 Core
UPE S
UPE Block NPE
RRPP Transit 2
Domain3
PE-AGG2
Master PE-AGG:PE-Aggregation
UPE NPE:Network Provider Edge
UMG:Universal Media Gateway
UPE:Underlayer Provider Edge
DSLAM:Digital Subscriber Line Access Multiplexer
As shown in Figure 18-37, the network is required to prevent loops when the ring is complete
and implement fast convergence to rapidly restore communication between nodes on the ring
when the ring fails. RRPP can meet this requirement. RRPP supports multiple rings. You can
configure the aggregation layer and access layer as RRPP rings and the two rings are tangent,
simplifying the network configuration.
As shown in Figure 18-38, SwitchE, SwitchD, SwitchC, SwitchA, and SwitchB map PE-
AGG1, PE-AGG2, PE-AGG3, UPE 1, and UPE 2 in Figure 18-37 respectively. Figure 18-38
is used as an example to describe how to configure tangent RRPP rings with a single instance.
Domain 2 Domain 1
Configuration Roadmap
The configuration roadmap is as follows:
1. Create different RRPP domains and control VLANs to configure an RRPP ring.
2. Map the VLANs that need to pass through Ring 1 to Instance 1, including data VLANs
and control VLANs to configure protected VLANs.
Map the VLANs that need to pass through Ring 2 to Instance 2, including data VLANs
and control VLANs to configure protected VLANs.
3. Configure timers for different RRPP domains.
NOTE
You can configure two timers for tangent points because two tangent rings locate in different
domains.
4. Configure interfaces to be added to the RRPP domain on the devices so that data can
pass through the interfaces. Disable protocols that conflict with RRPP, such as STP.
5. Configure protected VLANs and create RRPP rings in RRPP domains.
a. Configure Ring 2 in Domain 2 on SwitchA, SwitchB, and SwitchC.
b. Configure Ring 1 in Domain 1 on SwitchC, SwitchD, and SwitchE.
c. Configure SwitchA as the master node on Ring 2, and configure SwitchB and
SwitchC as transit nodes on Ring 2.
d. Configure SwitchE as the master node on Ring 1, and configure SwitchC and
SwitchD as transit nodes on Ring 1.
6. Enable the RRPP ring and RRPP protocol on devices to make RRPP take effect.
Procedure
Step 1 Configure instance 2, and map it to the data VLANs and control VLANs allowed by the
RRPP interface.
# Configure SwitchA. The configurations on SwitchB, SwitchC, SwitchD, and SwitchE are
similar to that on SwitchA and not mentioned here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp region-configuration
[SwitchA-mst-region] instance 2 vlan 20 to 21
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
Step 2 Create RRPP domains and configure control VLANs and protected VLANs in the domains.
# Configure SwitchE. The configurations on SwitchB, SwitchC, and SwitchD are similar to
that on SwitchA and not mentioned here. For details, see the configuration files.
[SwitchE] rrpp domain 1
[SwitchE-rrpp-domain-region1] control-vlan 10
[SwitchE-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchE-rrpp-domain-region1] quit
Step 4 Configure the interfaces to be added to the RRPP ring as trunk interfaces and disable STP on
the interfaces.
# Configure SwitchA. The configurations on SwitchB, SwitchC, SwitchD, and SwitchE are
the same as that of SwitchA and not mentioned here. For details, see the configuration files.
[SwitchA] interface gigabitethernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] port link-type trunk
[SwitchA-GigabitEthernet2/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet2/0/1] stp disable
[SwitchA-GigabitEthernet2/0/1] quit
[SwitchA] interface gigabitethernet 2/0/2
[SwitchA-GigabitEthernet2/0/2] port link-type trunk
[SwitchA-GigabitEthernet2/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet2/0/2] stp disable
[SwitchA-GigabitEthernet2/0/2] quit
# Configure SwitchB as a transit node on Ring 2 (major ring) and specify the primary
and secondary interfaces.
[SwitchB] rrpp domain 2
[SwitchB-rrpp-domain-region2] ring 2 node-mode transit primary-port
gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchB-rrpp-domain-region2] ring 2 enable
[SwitchB-rrpp-domain-region2] quit
# Configure SwitchC as a transit node on Ring 2 and specify the primary and secondary
interfaces.
[SwitchC] rrpp domain 2
[SwitchC-rrpp-domain-region2] ring 2 node-mode transit primary-port
gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchC-rrpp-domain-region2] ring 2 enable
[SwitchC-rrpp-domain-region2] quit
# Configure SwitchC as a transit node on Ring 1 and specify the primary and secondary
interfaces.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0
[SwitchC-rrpp-domain-region1] ring 1 enable
[SwitchC-rrpp-domain-region1] quit
# Configure SwitchD as a transit node on Ring 1 and specify the primary and secondary
interfaces.
[SwitchD] rrpp domain 1
[SwitchD-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0
[SwitchD-rrpp-domain-region1] ring 1 enable
[SwitchD-rrpp-domain-region1] quit
After the preceding configurations are complete and the network topology becomes stable,
perform the following operations to verify the configuration. The tangent point SwitchC is
used as an example.
# Run the display rrpp brief command on SwitchC. The command output is as follows:
[SwitchC] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 2 sec(default is 1 sec) Fail Timer : 7 sec(default is 6 sec)
Domain Index : 2
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 2
Hello Timer : 3 sec(default is 1 sec) Fail Timer : 10 sec(default is 6 sec)
The command output shows that RRPP is enabled on SwitchC. In Domain 1, the major
control VLAN is VLAN 10, and the sub-control VLAN is VLAN 11. SwitchC is the transit
node on the major ring, with GigabitEthernet1/0/1 as the primary interface and
GigabitEthernet1/0/2 as the secondary interface.
In Domain 2, the major control VLAN is VLAN 20, and the sub-control VLAN is VLAN 21.
SwitchC is a transit node on Ring 2. GigabitEthernet2/0/1 is the primary interface and
GigabitEthernet2/0/2 is the secondary interface.
Run the display rrpp verbose domain command on SwitchC. The command output is as
follows:
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/1 Port status: UP
Secondary port : GigabitEthernet1/0/2 Port status: UP
RRPP Ring : 2
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet2/0/1 Port status: UP
Secondary port : GigabitEthernet2/0/2 Port status: UP
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 20 to 21
#
rrpp enable
#
stp region-configuration
instance 2 vlan 20 to 21
active region-configuration
#
rrpp domain 2
control-vlan 20
protected-vlan reference-instance 2
timer hello-timer 3 fail-timer 10
ring 2 node-mode master primary-port GigabitEthernet2/0/1 secondary-port
GigabitEthernet2/0/2 level 0
ring 2 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
return
#
return
l SwitchD configuration file
#
sysname SwitchD
#
vlan batch 10 to 11
#
rrpp enable
#
stp region-configuration
instance 1 vlan 10 to 11
active region-configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
timer hello-timer 2 fail-timer 7
ring 1 node-mode transit primary-port GigabitEthernet1/0/1 secondary-port
GigabitEthernet1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
return
l SwitchE configuration file
#
sysname SwitchE
#
vlan batch 10 to 11
#
rrpp enable
#
stp region-configuration
instance 1 vlan 10 to 11
active region-configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
timer hello-timer 2 fail-timer 7
ring 1 node-mode master primary-port GigabitEthernet1/0/1 secondary-port
GigabitEthernet1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
return
Networking Requirements
As shown in Figure 18-39, on a ring network, idle links are required to forward data. In this
way, data in different VLANs are forwarded along different paths, improving network
efficiency and implementing load balancing.
Figure 18-39 Networking diagram of single RRPP ring with multiple instances
UPEB
GE1/0/0 GE2/0/0
CE 1
VLAN 100-300
PEAGG
GE2/0/0 Ring GE1/0/0
Master 1 Backbone
UPEA 1
network
Master 2
GE1/0/0 GE2/0/0
CE 2
VLAN 100-300
Domain 1 ring 1
GE2/0/0 GE1/0/0
Domain 2 ring 1
UPEC
Table 18-6 shows the mapping between protected VLANs and instances in Domain 1 and
Domain 2.
Table 18-7 shows the master node on each ring and the primary and secondary interfaces on
each master node.
Table 18-7 Master node and its primary and secondary interfaces
Ring ID Master Node Primary Port Secondary Port
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Create an RRPP domain and its control VLAN.
# Configure UPEA. The configurations on UPEB, UPEC, and PEAGG are similar to that on
UPEA and not mentioned here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname UPEA
[UPEA] rrpp domain 1
[UPEA-rrpp-domain-region1] control-vlan 5
[UPEA-rrpp-domain-region1] quit
[UPEA] rrpp domain 2
[UPEA-rrpp-domain-region2] control-vlan 10
[UPEA-rrpp-domain-region2] quit
Step 2 Configure instances, and map it to the data VLANs and control VLANs allowed by the RRPP
interface.
# Configure UPEA. The configurations on UPEB, UPEC, and PEAGG are the same as that of
UPEA and not mentioned here. For details, see the configuration files.
[UPEA] vlan batch 100 to 300
[UPEA] stp region-configuration
[UPEA-mst-region] instance 1 vlan 5 6 100 to 200
[UPEA-mst-region] instance 2 vlan 10 11 201 to 300
Step 4 Specify a protected VLAN, and create and enable an RRPP ring.
# Configure UPEA as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces on UPEA.
[UPEA] rrpp domain 1
[UPEA-rrpp-domain-region1] protected-vlan reference-instance 1
[UPEA-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEA-rrpp-domain-region1] ring 1 enable
[UPEA-rrpp-domain-region1] quit
# Configure UPEA as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces on UPEA.
[UPEA] rrpp domain 2
[UPEA-rrpp-domain-region2] protected-vlan reference-instance 2
[UPEA-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEA-rrpp-domain-region2] ring 1 enable
[UPEA-rrpp-domain-region2] quit
# Configure UPEB as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces on UPEB.
[UPEB] rrpp domain 1
[UPEB-rrpp-domain-region1] protected-vlan reference-instance 1
[UPEB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEB-rrpp-domain-region1] ring 1 enable
[UPEB-rrpp-domain-region1] quit
# Configure UPEB as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces on UPEB.
[UPEB] rrpp domain 2
[UPEB-rrpp-domain-region2] protected-vlan reference-instance 2
[UPEB-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEB-rrpp-domain-region2] ring 1 enable
[UPEB-rrpp-domain-region2] quit
# Configure UPEC as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces on UPEC.
[UPEC] rrpp domain 1
[UPEC-rrpp-domain-region1] protected-vlan reference-instance 1
# Configure UPEC as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces on UPEC.
[UPEC] rrpp domain 2
[UPEC-rrpp-domain-region2] protected-vlan reference-instance 2
[UPEC-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEC-rrpp-domain-region2] ring 1 enable
[UPEC-rrpp-domain-region2] quit
# Configure PEAGG as the master node on Ring 1 in Domain 1, with GE1/0/0 as the primary
interface and GE2/0/0 as the secondary interface.
[PEAGG] rrpp domain 1
[PEAGG-rrpp-domain-region1] protected-vlan reference-instance 1
[PEAGG-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[PEAGG-rrpp-domain-region1] ring 1 enable
[PEAGG-rrpp-domain-region1] quit
# Configure PEAGG as the master node on Ring 1 in Domain 2, with GE2/0/0 as the primary
interface and GE1/0/0 as the secondary interface.
[PEAGG] rrpp domain 2
[PEAGG-rrpp-domain-region2] protected-vlan reference-instance 2
[PEAGG-rrpp-domain-region2] ring 1 node-mode master primary-port gigabitethernet
2/0/0 secondary-port gigabitethernet 1/0/0 level 0
[PEAGG-rrpp-domain-region2] ring 1 enable
[PEAGG-rrpp-domain-region2] quit
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Domain Index : 2
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Domain Index : 2
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/0 Port status: UP
Secondary port : GigabitEthernet2/0/0 Port status: UP
The command output shows that the control VLAN in Domain 1 is VLAN 5, and the
protected VLANs are the VLANs mapping Instance 1. UPEA is a transit node in Domain 1
and is in LinkUp state.
# Check detailed information about UPEA in Domain 2.
[UPEA] display rrpp verbose domain 2
Domain Index : 2
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/0 Port status: UP
Secondary port : GigabitEthernet2/0/0 Port status: UP
The command output shows that, in Domain 2, the control VLAN is VLAN 10 and the
protected VLAN is the VLAN mapped to Instance 2. UPEA is a transit node in Domain 2 and
is in LinkUp state.
Run the display rrpp verbose domain command on PEAGG. The command output is as
follows:
# Check detailed information about PEAGG in Domain 1.
[PEAGG] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/0 Port status: UP
Secondary port : GigabitEthernet2/0/0 Port status: BLOCKED
The command output shows that the control VLAN in Domain 1 is VLAN 5, and the
protected VLANs are the VLANs mapping Instance 1.
PEAGG is the master node in Domain 1 and is in Complete state.
The primary interface is GigabitEthernet1/0/0 and the secondary interface is
GigabitEthernet2/0/0.
# Check detailed information about PEAGG in Domain 2.
[PEAGG] display rrpp verbose domain 2
Domain Index : 2
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet2/0/0 Port status: UP
Secondary port : GigabitEthernet1/0/0 Port status: BLOCKED
The command output shows that, in Domain 2, the control VLAN is VLAN 10, and the
protected VLAN is the VLAN mapped to Instance 2.
PEAGG is the master node in Domain 2 and is in Complete state.
The primary interface is GigabitEthernet2/0/0 and the secondary interface is
GigabitEthernet1/0/0.
----End
Configuration Files
l UPEA configuration file
#
sysname UPEA
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
#
interface GigabitEthernet1/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
return
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
#
interface GigabitEthernet1/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
return
l UPEC configuration file
#
sysname UPEC
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
#
interface GigabitEthernet1/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet2/0/0
Networking Requirements
As shown in Figure 18-40, on a ring network, idle links are required to forward data. In this
way, data in different VLANs are forwarded along different paths, improving network
efficiency and implementing load balancing. To enable devices from different vendors to
communicate with each other on the network, you can use the RRPP version defined by the
national standard of China.
Figure 18-40 Networking diagram of intersecting RRPP rings with multiple instances
Backbone
network
GE1/0/0 GE2/0/0
PEAGG
Master 1
GE2/0/0 Master 2 GE1/0/0
UPEA Domain 1 ring 1 UPED
GE1/0/0 Domain 2 ring 1 GE2/0/0
Domain 1
Domain 2
Table 18-8 shows the mapping between protected VLANs and instances in Domain 1 and
Domain 2.
Table 18-9 shows the master node on each ring and the primary and secondary interfaces on
each master node.
Table 18-9 Master node and its primary and secondary interfaces
Ring ID Master Node Primary Port Secondary Port Ring Type
Table 18-10 shows the edge transit nodes and edge nodes on the sub-rings.
Table 18-10 Edge transit nodes and edge nodes on the sub-rings
Ring ID Edge-Transit Edge Port Edge-Transit Edge Port
Node Node
Configuration Roadmap
The configuration roadmap is as follows:
1. Create different RRPP domains and control VLANs.
2. Map the VLANs that need to pass through Domain 1 to Instance 1, including data
VLANs and control VLANs.
Map the VLANs that need to pass through Domain 2 to Instance 2, including data
VLANs and control VLANs.
3. Configure interfaces to be added to the RRPP domain on the devices so that data can
pass through the interfaces. Disable protocols that conflict with RRPP, such as STP.
4. Configure the devices to use the RRPP version defined by the national standard of
China.
5. Configure protected VLANs and create RRPP rings in RRPP domains.
a. Add UPEA, UPEB, UPEC, UPED, and PEAGG to Ring 1 in Domain 1 and Ring 1
in Domain 2.
b. Add CE1, UPEB, and UPEC to Ring 2 in Domain 1 and Ring 2 in Domain 2.
c. Add CE2, UPEB, and UPEC to Ring 3 in Domain 1 and Ring 3 in Domain 2.
d. Configure PEAGG as the master node and configure UPEA, UPEB, UPEC, and
UPED as transit nodes on Ring 1 in Domain 1 and Ring 1 in Domain 2.
e. Configure CE1 as the master node and configure UPEB and UPEC as transit nodes
on Ring 2 in Domain 1 and Ring 2 in Domain 2.
f. Configure CE2 as the master node and configure UPEB and UPEC as transit nodes
on Ring 3 in Domain 1 and Ring 3 in Domain 2.
6. To prevent topology flapping, set the LinkUp timer on the master nodes.
7. Enable the RRPP ring and RRPP protocol on devices to make RRPP take effect.
Procedure
Step 1 Configure instances, and map it to the data VLANs and control VLANs allowed by the RRPP
interface.
# Configure CE1. The configurations on CE2, UPEA, UPEB, UPEC, UPED, and PEAGG are
the same as that of CE1 and not mentioned here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] stp region-configuration
[CE1-mst-region] instance 1 vlan 5 6 100 to 200
[CE1-mst-region] instance 2 vlan 10 11 201 to 300
[CE1-mst-region] active region-configuration
[CE1-mst-region] quit
Step 3 Create RRPP domains, configure the device to use the RRPP version defined by the national
standard of China, and configure protected VLANs and control VLANs.
# Configure CE1. The configurations on CE2, UPEA, UPEB, UPEC, UPED, and PEAGG are
the same as that of CE1 and not mentioned here. For details, see the configuration files.
[CE1] rrpp working-mode gb
[CE1] rrpp domain 1
# Configure CE1 as the master node on Ring 2 in Domain 2. Configure GE2/0/0 as the
primary interface and GE1/0/0 as the secondary interface.
[CE1] rrpp domain 2
[CE1-rrpp-domain-region2] ring 2 node-mode master primary-port gigabitethernet
2/0/0 secondary-port gigabitethernet 1/0/0 level 1
[CE1-rrpp-domain-region2] ring 2 enable
[CE1-rrpp-domain-region2] quit
# Configure CE2 as the master node on Ring 3 in Domain 1. Configure GE1/0/0 as the
primary interface and GE2/0/0 as the secondary interface.
[CE2] rrpp domain 1
[CE2-rrpp-domain-region1] ring 3 node-mode master primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 1
[CE2-rrpp-domain-region1] ring 3 enable
[CE2-rrpp-domain-region1] quit
# Configure CE2 as the master node on Ring 3 in Domain 2. Configure GE2/0/0 as the
primary interface and GE1/0/0 as the secondary interface.
[CE2] rrpp domain 2
[CE2-rrpp-domain-region2] ring 3 node-mode master primary-port gigabitethernet
2/0/0 secondary-port gigabitethernet 1/0/0 level 1
[CE2-rrpp-domain-region2] ring 3 enable
[CE2-rrpp-domain-region2] quit
# Configure UPEA as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces on UPEA.
[UPEA] rrpp domain 1
[UPEA-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEA-rrpp-domain-region1] ring 1 enable
[UPEA-rrpp-domain-region1] quit
# Configure UPEA as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces on UPEA.
[UPEA] rrpp domain 2
[UPEA-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEA-rrpp-domain-region2] ring 1 enable
[UPEA-rrpp-domain-region2] quit
# Configure UPEB as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces on UPEB.
[UPEB] rrpp domain 1
[UPEB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
# Configure UPEB as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces on UPEB.
[UPEB] rrpp domain 2
[UPEB-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEB-rrpp-domain-region2] ring 1 enable
[UPEB-rrpp-domain-region2] quit
# Configure UPEB as an edge transit node on Ring 2 in Domain 1 and configure GE3/0/0 as
the edge interface.
[UPEB] rrpp domain 1
[UPEB-rrpp-domain-region1] ring 2 node-mode transit secondary-port
gigabitethernet 3/0/0
[UPEB-rrpp-domain-region1] ring 2 enable
[UPEB-rrpp-domain-region1] quit
# Configure UPEB as an edge transit node on Ring 2 in Domain 2 and configure GE3/0/0 as
the edge interface.
[UPEB] rrpp domain 2
[UPEB-rrpp-domain-region2] ring 2 node-mode transit secondary-port
gigabitethernet 3/0/0
[UPEB-rrpp-domain-region2] ring 2 enable
[UPEB-rrpp-domain-region2] quit
# Configure UPEB as an edge transit node on Ring 3 in Domain 1 and configure GE3/0/1 as
the edge interface.
[UPEB] rrpp domain 1
[UPEB-rrpp-domain-region1] ring 3 node-mode transit secondary-port
gigabitethernet 3/0/1
[UPEB-rrpp-domain-region1] ring 3 enable
[UPEB-rrpp-domain-region1] quit
# Configure UPEB as an edge transit node on Ring 3 in Domain 2 and configure GE3/0/1 as
the edge interface.
[UPEB] rrpp domain 2
[UPEB-rrpp-domain-region2] ring 3 node-mode transit secondary-port
gigabitethernet 3/0/1
[UPEB-rrpp-domain-region2] ring 3 enable
[UPEB-rrpp-domain-region2] quit
# Configure UPEC as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces on UPEC.
[UPEC] rrpp domain 1
[UPEC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEC-rrpp-domain-region1] ring 1 enable
[UPEC-rrpp-domain-region1] quit
# Configure UPEC as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces on UPEC.
[UPEC] rrpp domain 2
[UPEC-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEC-rrpp-domain-region2] ring 1 enable
[UPEC-rrpp-domain-region2] quit
# Configure UPEC as an edge transit node on Ring 2 in Domain 1 and configure GE3/0/0 as
the edge interface.
[UPEC] rrpp domain 1
[UPEC-rrpp-domain-region1] ring 2 node-mode transit secondary-port
gigabitethernet 3/0/0
[UPEC-rrpp-domain-region1] ring 2 enable
[UPEC-rrpp-domain-region1] quit
# Configure UPEC as an edge transit node on Ring 2 in Domain 2 and configure GE3/0/0 as
the edge interface.
[UPEC] rrpp domain 2
[UPEC-rrpp-domain-region2] ring 2 node-mode transit secondary-port
gigabitethernet 3/0/0
[UPEC-rrpp-domain-region2] ring 2 enable
[UPEC-rrpp-domain-region2] quit
# Configure UPEC as an edge transit node on Ring 3 in Domain 1 and configure GE3/0/1 as
the edge interface.
[UPEC] rrpp domain 1
[UPEC-rrpp-domain-region1] ring 3 node-mode transit secondary-port
gigabitethernet 3/0/1
[UPEC-rrpp-domain-region1] ring 3 enable
[UPEC-rrpp-domain-region1] quit
# Configure UPEC as an edge transit node on Ring 3 in Domain 2 and configure GE3/0/1 as
the edge interface.
[UPEC] rrpp domain 2
[UPEC-rrpp-domain-region2] ring 3 node-mode transit secondary-port
gigabitethernet 3/0/1
[UPEC-rrpp-domain-region2] ring 3 enable
[UPEC-rrpp-domain-region2] quit
# Configure UPED as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces on UPED.
[UPED] rrpp domain 1
[UPED-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPED-rrpp-domain-region1] ring 1 enable
[UPED-rrpp-domain-region1] quit
# Configure UPED as a transit node of Ring 1 in Domain 2 and specify primary and
secondary interfaces on UPED.
[UPED] rrpp domain 2
[UPED-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPED-rrpp-domain-region2] ring 1 enable
[UPED-rrpp-domain-region2] quit
# Configure PEAGG as the master node on Ring 1 in Domain 1, with GE1/0/0 as the primary
interface and GE2/0/0 as the secondary interface.
[PEAGG] rrpp domain 1
[PEAGG-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[PEAGG-rrpp-domain-region1] ring 1 enable
[PEAGG-rrpp-domain-region1] quit
# Configure PEAGG as the master node on Ring 1 in Domain 2, with GE2/0/0 as the primary
interface and GE1/0/0 as the secondary interface.
[PEAGG] rrpp domain 2
[PEAGG-rrpp-domain-region2] ring 1 node-mode master primary-port gigabitethernet
# Configure CE1. The configurations on CE2, UPEA, UPEB, UPEC, UPED, and PEAGG are
the same as that of CE1 and not mentioned here. For details, see the configuration files.
[CE1] rrpp enable
# Set the LinkUp timer to 1 second. CE1 is used as an example. The configurations on CE2
and PEAGG are the same as that of CE1 and not mentioned here. For details, see the
configuration files.
[CE1] rrpp linkup-delay-timer 1
After the preceding configurations are complete and the network becomes stable, run the
following commands to verify the configuration. UPEB and PEAGG are used as examples.
# Run the display rrpp brief command on UPEB. The command output is as follows:
[UPEB] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , EM - Edge Master, ET - Edge Transit
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Domain Index : 2
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
In Domain 1:
The major control VLAN is VLAN 5, and the protected VLANs are the VLANs mapped to
Instance 1.
UPEB is a transit node on Ring 1. GigabitEthernet1/0/0 is the primary interface and GE2/0/0
is the secondary interface.
UPEB is an edge transit node on Ring 2. The edge interface is GigabitEthernet3/0/0.
UPEB is an edge transit node on Ring 3. The edge interface is GigabitEthernet3/0/1.
In Domain 2:
The major control VLAN is VLAN 10, and the protected VLANs are the VLANs mapped to
Instance 2.
UPEB is a transit node on Ring 1. GigabitEthernet1/0/0 is the primary interface and
GigabitEthernet2/0/0 is the secondary interface.
UPEB is an edge transit node on Ring 2. The edge interface is GigabitEthernet3/0/0.
UPEB is an edge transit node on Ring 3. The edge interface is GigabitEthernet3/0/1.
# Run the display rrpp brief command on PEAGG. The command output is as follows:
[PEAGG]display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , EM - Edge Master, ET - Edge Transit
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Domain Index : 2
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
The command output shows that RRPP is enabled on PEAGG, and the LinkUp timer is 1
second.
In Domain 1, the major control VLAN is VLAN 5, the protected VLAN is the VLAN mapped
to Instance 1, and the master node on Ring 1 is PEAGG. GigabitEthernet1/0/0 is the primary
interface and GigabitEthernet2/0/0 is the secondary interface.
In Domain 2, the major control VLAN is VLAN 10, the protected VLAN is the VLAN
mapped to Instance 2, and the master node on Ring 1 is PEAGG. GigabitEthernet2/0/0 is the
primary interface and GigabitEthernet1/0/0 is the secondary interface.
Run the display rrpp verbose domain command on UPEB. The command output is as
follows:
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/0 Port status: UP
Secondary port : GigabitEthernet2/0/0 Port status: UP
RRPP Ring :
2
Ring Level :
1
Node Mode :
Edge Transit
Ring State :
LinkUp
Is Enabled :
Enable Is Active: Yes
Primary port :
GigabitEthernet1/0/0 Port status: UP
GigabitEthernet2/0/0 Port status: UP
Secondary port : GigabitEthernet3/0/0 Port status: UP
RRPP Ring :
3
Ring Level :
1
Node Mode :
Edge Transit
Ring State :
LinkUp
Is Enabled :
Enable Is Active: Yes
Primary port :
GigabitEthernet1/0/0 Port status: UP
GigabitEthernet2/0/0 Port status: UP
Secondary port : GigabitEthernet3/0/1 Port status: UP
The command output shows that the control VLAN in Domain 1 is VLAN 5, and the
protected VLANs are the VLANs mapping Instance 1.
UPEB is a transit node on Ring 2 in Domain 1 and is in LinkUp state. GE3/0/0 is the edge
interface.
UPEB is an edge transit node of Ring 3 in Domain 1 and is in LinkUp state. GE3/0/1 is the
edge interface.
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/0 Port status: UP
Secondary port : GigabitEthernet2/0/0 Port status: UP
RRPP Ring : 2
Ring Level : 1
Node Mode : Edge Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/0 Port status: UP
RRPP Ring :
3
Ring Level :
1
Node Mode :
Edge Transit
Ring State :
LinkUp
Is Enabled :
Enable Is Active: Yes
Primary port :
GigabitEthernet1/0/0 Port status: UP
GigabitEthernet2/0/0 Port status: UP
Secondary port : GigabitEthernet3/0/1 Port status: UP
The command output shows that, in Domain 2, the control VLAN is VLAN 10, and the
protected VLAN is the VLAN mapped to Instance 2.
UPEB is an edge transit node of Ring 2 in Domain 2 and is in LinkUp state. GE3/0/0 is the
edge interface.
UPEB is an edge transit node of Ring 3 in Domain 2 and is in LinkUp state. GE3/0/1 is the
edge interface.
Run the display rrpp verbose domain command on PEAGG. The command output is as
follows:
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/0 Port status: UP
Secondary port : GigabitEthernet2/0/0 Port status: BLOCKED
The command output shows that the control VLAN in Domain 1 is VLAN 5, and the
protected VLANs are the VLANs mapping Instance 1.
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet2/0/0 Port status: UP
The command output shows that, in Domain 2, the control VLAN is VLAN 10, and the
protected VLAN is the VLAN mapped to Instance 2.
PEAGG is the master node in Domain 2 and is in Complete state.
GigabitEthernet2/0/0 is the primary interface and GigabitEthernet1/0/0 is the secondary
interface.
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
rrpp working-mode GB
rrpp linkup-delay-timer 1
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 2 node-mode master primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 1
ring 2 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 2 node-mode master primary-port GigabitEthernet2/0/0 secondary-port
GigabitEthernet1/0/0 level 1
ring 2 enable
#
interface GigabitEthernet1/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
return
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 3 node-mode master primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 1
ring 3 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 3 node-mode master primary-port GigabitEthernet2/0/0 secondary-port
GigabitEthernet1/0/0 level 1
ring 3 enable
#
interface GigabitEthernet1/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
return
l UPEA configuration file
#
sysname UPEA
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
rrpp working-mode GB
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
#
interface GigabitEthernet1/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
return
l UPEB configuration file
#
sysname UPEB
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
rrpp working-mode GB
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
ring 2 node-mode transit secondary-port GigabitEthernet3/0/0
ring 2 enable
ring 3 node-mode transit secondary-port GigabitEthernet3/0/1
ring 3 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
ring 2 node-mode transit secondary-port GigabitEthernet3/0/0
ring 2 enable
ring 3 node-mode transit secondary-port GigabitEthernet3/0/1
ring 3 enable
#
interface GigabitEthernet1/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet3/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
interface GigabitEthernet3/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
return
l UPEC configuration file
#
sysname UPEC
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
rrpp working-mode GB
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
ring 2 node-mode transit secondary-port GigabitEthernet3/0/0
ring 2 enable
ring 3 node-mode transit secondary-port GigabitEthernet3/0/1
ring 3 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
ring 2 node-mode transit secondary-port GigabitEthernet3/0/0
ring 2 enable
ring 3 node-mode transit secondary-port GigabitEthernet3/0/1
ring 3 enable
#
interface GigabitEthernet1/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet3/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
interface GigabitEthernet3/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
return
l UPED configuration file
#
sysname UPED
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
rrpp working-mode GB
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
#
interface GigabitEthernet1/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
return
Networking Requirements
As shown in Figure 18-41, on a ring network, idle links are required to forward data. In this
way, data in different VLANs are forwarded along different paths, improving network
efficiency and implementing load balancing. All the devices on the network are Huawei
devices; therefore, the RRPP version defined by Huawei is used.
Figure 18-41 Networking diagram of intersecting RRPP rings with multiple instances
Backbone
network
GE1/0/0 GE2/0/0
PEAGG
Master 1
GE2/0/0 Master 2 GE1/0/0
UPEA Domain 1 ring 1 UPED
GE1/0/0 Domain 2 ring 1 GE2/0/0
Domain 1
Domain 2
Table 18-11 shows the mapping between protected VLANs and instances in Domain 1 and
Domain 2.
Table 18-12 shows the master node on each ring and the primary and secondary interfaces on
each master node.
Table 18-12 Master node and its primary and secondary interfaces
Table 18-13 shows the edge nodes, assistant edge nodes, common interface, and edge
interfaces of the sub-rings.
Table 18-13 Edge nodes, assistant edge nodes, common interface, and edge interfaces of the
sub-rings
Configuration Roadmap
The configuration roadmap is as follows:
1. Create different RRPP domains and control VLANs.
2. Map the VLANs that need to pass through Domain 1 to Instance 1, including data
VLANs and control VLANs.
Map the VLANs that need to pass through Domain 2 to Instance 2, including data
VLANs and control VLANs.
3. Configure interfaces to be added to the RRPP domain on the devices so that data can
pass through the interfaces. Disable protocols that conflict with RRPP, such as STP.
4. Configure the devices to use the RRPP version defined by Huawei.
5. Configure protected VLANs and create RRPP rings in RRPP domains.
a. Add UPEA, UPEB, UPEC, UPED, and PEAGG to Ring 1 in Domain 1 and Ring 1
in Domain 2.
b. Add CE1, UPEB, and UPEC to Ring 2 in Domain 1 and Ring 2 in Domain 2.
c. Add CE2, UPEB, and UPEC to Ring 3 in Domain 1 and Ring 3 in Domain 2.
d. Configure PEAGG as the master node and configure UPEA, UPEB, UPEC, and
UPED as transit nodes on Ring 1 in Domain 1 and Ring 1 in Domain 2.
e. Configure CE1 as the master node, UPEB as an edge node, and UPEC as an
assistant edge node on Ring 2 in Domain 1 and Ring 2 in Domain 2.
f. Configure CE2 as the master node, UPEB as an edge node, and UPEC as an
assistant edge node on Ring 3 in Domain 1 and Ring 3 in Domain 2.
6. To prevent topology flapping, set the LinkUp timer on the master nodes.
7. To reduce the Edge-Hello packets sent on the major ring and increase available
bandwidth, add the four sub-rings to a ring group.
8. Enable the RRPP ring and RRPP protocol on devices to make RRPP take effect.
Procedure
Step 1 Configure instances, and map it to the data VLANs and control VLANs allowed by the RRPP
interface.
# Configure CE1. The configurations on CE2, UPEA, UPEB, UPEC, UPED, and PEAGG are
the same as that of CE1 and not mentioned here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] stp region-configuration
[CE1-mst-region] instance 1 vlan 5 6 100 to 200
[CE1-mst-region] instance 2 vlan 10 11 201 to 300
[CE1-mst-region] active region-configuration
[CE1-mst-region] quit
Step 3 Create RRPP domains and configure protected VLANs and control VLANs.
# Configure CE1. The configurations on CE2, UPEA, UPEB, UPEC, UPED, and PEAGG are
the same as that of CE1 and not mentioned here. For details, see the configuration files.
[CE1] rrpp domain 1
[CE1-rrpp-domain-region1] protected-vlan reference-instance 1
[CE1-rrpp-domain-region1] control-vlan 5
[CE1-rrpp-domain-region1] quit
[CE1] rrpp domain 2
[CE1-rrpp-domain-region2] protected-vlan reference-instance 2
[CE1-rrpp-domain-region2] control-vlan 10
[CE1-rrpp-domain-region2] quit
# Configure PEAGG as the master node on Ring 1 in Domain 2, with GE2/0/0 as the primary
interface and GE1/0/0 as the secondary interface.
[PEAGG] rrpp domain 2
[PEAGG-rrpp-domain-region2] ring 1 node-mode master primary-port gigabitethernet
2/0/0 secondary-port gigabitethernet 1/0/0 level 0
[PEAGG-rrpp-domain-region2] ring 1 enable
[PEAGG-rrpp-domain-region2] quit
# Configure UPEA as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces.
[UPEA] rrpp domain 1
[UPEA-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEA-rrpp-domain-region1] ring 1 enable
[UPEA-rrpp-domain-region1] quit
# Configure UPEA as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces.
[UPEA] rrpp domain 2
[UPEA-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEA-rrpp-domain-region2] ring 1 enable
[UPEA-rrpp-domain-region2] quit
# Configure UPED as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces.
[UPED] rrpp domain 1
[UPED-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPED-rrpp-domain-region1] ring 1 enable
[UPED-rrpp-domain-region1] quit
# Configure UPED as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces.
[UPED] rrpp domain 2
[UPED-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPED-rrpp-domain-region2] ring 1 enable
[UPED-rrpp-domain-region2] quit
# Configure UPEB as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces.
[UPEB] rrpp domain 1
[UPEB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEB-rrpp-domain-region1] ring 1 enable
[UPEB-rrpp-domain-region1] quit
# Configure UPEB as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces.
[UPEB] rrpp domain 2
[UPEB-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEB-rrpp-domain-region2] ring 1 enable
[UPEB-rrpp-domain-region2] quit
# Configure UPEB as an edge node on Ring 2 in Domain 1, with GE1/0/0 as the common
interface and GE3/0/0 as the edge interface.
[UPEB] rrpp domain 1
[UPEB-rrpp-domain-region1] ring 2 node-mode edge common-port gigabitethernet
1/0/0 edge-port gigabitethernet 3/0/0
[UPEB-rrpp-domain-region1] ring 2 enable
[UPEB-rrpp-domain-region1] quit
# Configure UPEB as an edge node on Ring 2 in Domain 2, with GE1/0/0 as the common
interface and GE3/0/0 as the edge interface.
[UPEB] rrpp domain 2
[UPEB-rrpp-domain-region2] ring 2 node-mode edge common-port gigabitethernet
1/0/0 edge-port gigabitethernet 3/0/0
[UPEB-rrpp-domain-region2] ring 2 enable
[UPEB-rrpp-domain-region2] quit
# Configure UPEB as an edge node on Ring 3 in Domain 1, with GE1/0/0 as the common
interface and GE3/0/1 as the edge interface.
[UPEB] rrpp domain 1
[UPEB-rrpp-domain-region1] ring 3 node-mode edge common-port gigabitethernet
# Configure UPEB as an edge node on Ring 3 in Domain 2, with GE1/0/0 as the common
interface and GE3/0/1 as the edge interface.
[UPEB] rrpp domain 2
[UPEB-rrpp-domain-region2] ring 3 node-mode edge common-port gigabitethernet
1/0/0 edge-port gigabitethernet 3/0/1
[UPEB-rrpp-domain-region2] ring 3 enable
[UPEB-rrpp-domain-region2] quit
# Configure UPEC as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces.
[UPEC] rrpp domain 1
[UPEC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEC-rrpp-domain-region1] ring 1 enable
[UPEC-rrpp-domain-region1] quit
# Configure UPEC as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces.
[UPEC] rrpp domain 2
[UPEC-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEC-rrpp-domain-region2] ring 1 enable
[UPEC-rrpp-domain-region2] quit
# Configure UPEC as an assistant edge node on Ring 2 in Domain 1, with GE2/0/0 as the
common interface and GE3/0/0 as the edge interface.
[UPEC] rrpp domain 1
[UPEC-rrpp-domain-region1] ring 2 node-mode assistant-edge common-port
gigabitethernet 2/0/0 edge-port gigabitethernet 3/0/0
[UPEC-rrpp-domain-region1] ring 2 enable
[UPEC-rrpp-domain-region1] quit
# Configure UPEC as an assistant edge node on Ring 2 in Domain 2, with GE2/0/0 as the
common interface and GE3/0/0 as the edge interface.
[UPEC] rrpp domain 2
[UPEC-rrpp-domain-region2] ring 2 node-mode assistant-edge common-port
gigabitethernet 2/0/0 edge-port gigabitethernet 3/0/0
[UPEC-rrpp-domain-region2] ring 2 enable
[UPEC-rrpp-domain-region2] quit
# Configure UPEC as an assistant edge node on Ring 3 in Domain 1, with GE2/0/0 as the
common interface and GE3/0/1 as the edge interface.
[UPEC] rrpp domain 1
[UPEC-rrpp-domain-region1] ring 3 node-mode assistant-edge common-port
gigabitethernet 2/0/0 edge-port gigabitethernet 3/0/1
[UPEC-rrpp-domain-region1] ring 3 enable
[UPEC-rrpp-domain-region1] quit
# Configure UPEC as an assistant edge node on Ring 3 in Domain 2, with GE2/0/0 as the
common interface and GE3/0/1 as the edge interface.
[UPEC] rrpp domain 2
[UPEC-rrpp-domain-region2] ring 3 node-mode assistant-edge common-port
gigabitethernet 2/0/0 edge-port gigabitethernet 3/0/1
[UPEC-rrpp-domain-region2] ring 3 enable
[UPEC-rrpp-domain-region2] quit
# Configure CE1 as the master node on Ring 2 in Domain 1, with GE1/0/0 as the primary
interface and GE2/0/0 as the secondary interface.
[CE1] rrpp domain 1
[CE1-rrpp-domain-region1] ring 2 node-mode master primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 1
[CE1-rrpp-domain-region1] ring 2 enable
[CE1-rrpp-domain-region1] quit
# Configure CE1 as the master node on Ring 2 in Domain 2, with GE2/0/0 as the primary
interface and GE1/0/0 as the secondary interface.
[CE1] rrpp domain 2
[CE1-rrpp-domain-region2] ring 2 node-mode master primary-port gigabitethernet
2/0/0 secondary-port gigabitethernet 1/0/0 level 1
[CE1-rrpp-domain-region2] ring 2 enable
[CE1-rrpp-domain-region2] quit
# Configure CE2 as the master node on Ring 3 in Domain 1, with GE1/0/0 as the primary
interface and GE2/0/0 as the secondary interface.
[CE2] rrpp domain 1
[CE2-rrpp-domain-region1] ring 3 node-mode master primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 1
[CE2-rrpp-domain-region1] ring 3 enable
[CE2-rrpp-domain-region1] quit
# Configure CE2 as the master node on Ring 3 in Domain 2, with GE2/0/0 as the primary
interface and GE1/0/0 as the secondary interface.
[CE2] rrpp domain 2
[CE2-rrpp-domain-region2] ring 3 node-mode master primary-port gigabitethernet
2/0/0 secondary-port gigabitethernet 1/0/0 level 1
[CE2-rrpp-domain-region2] ring 3 enable
[CE2-rrpp-domain-region2] quit
Step 5 Configure the devices to use the default RRPP version defined by Huawei.
# Configure CE1. The configurations on CE2, UPEA, UPEB, UPEC, UPED, and PEAGG are
the same as that of CE1 and not mentioned here.
[CE1] rrpp working-mode hw
# Create ring group 1 on UPEB, which consists of four sub-rings: Ring 2 in Domain 1, Ring 3
in Domain 1, Ring 2 in Domain 2, and Ring 3 in Domain 2.
[UPEB] rrpp ring-group 1
[UPEB-rrpp-ring-group1] domain 1 ring 2 to 3
[UPEB-rrpp-ring-group1] domain 2 ring 2 to 3
[UPEB-rrpp-ring-group1] quit
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Domain Index : 2
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
The major control VLAN is VLAN 10, and the protected VLANs are the VLANs mapped to
Instance 2.
UPEB is a transit node on Ring 1. The primary interface is GE1/0/0 and the secondary
interface is GE2/0/0.
On Ring 2, UPEB is the edge node. GE1/0/0 is the common interface and GE3/0/0 is the edge
interface.
On Ring 3, UPEB is the edge node. GE1/0/0 is the common interface and GE3/0/1 is the edge
interface.
# Run the display rrpp brief command on PEAGG. The command output is as follows:
[PEAGG] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Domain Index : 2
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
The command output shows that RRPP is enabled on PEAGG, and the LinkUp timer is 2
seconds.
In Domain 1, the major control VLAN is VLAN 5, the protected VLAN is the VLAN mapped
to Instance 1, and the master node on Ring 1 is PEAGG. The primary interface is GE1/0/0
and the secondary interface is GE2/0/0.
In Domain 2, the major control VLAN is VLAN 10, the protected VLAN is the VLAN
mapped to Instance 2, and the master node on Ring 1 is PEAGG. The primary interface is
GE2/0/0 and the secondary interface is GE1/0/0.
Run the display rrpp verbose domain command on UPEB. The command output is as
follows:
# Check detailed information about UPEB in Domain 1.
[UPEB] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/0 Port status: UP
Secondary port : GigabitEthernet2/0/0 Port status: UP
RRPP Ring : 2
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Common port : GigabitEthernet1/0/0 Port status: UP
Edge port : GigabitEthernet3/0/0 Port status: UP
RRPP Ring : 3
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Common port : GigabitEthernet1/0/0 Port status: UP
Edge port : GigabitEthernet3/0/1 Port status: UP
The command output shows that the control VLAN in Domain 1 is VLAN 5, and the
protected VLANs are the VLANs mapping Instance 1.
UPEB is a transit node on Ring 1 in Domain 1 and is in LinkUp state.
UPEB is the edge node on Ring 2 in Domain 1 and is in LinkUp state. GE1/0/0 is the
common interface and GE3/0/0 is the edge interface.
UPEB is the edge node on Ring 3 in Domain 1 and is in LinkUp state. GE1/0/0 is the
common interface and GE3/0/1 is the edge interface.
# Check detailed information about UPEB in Domain 2.
[UPEB] display rrpp verbose domain 2
Domain Index : 2
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/0 Port status: UP
Secondary port : GigabitEthernet2/0/0 Port status: UP
RRPP Ring : 2
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Common port : GigabitEthernet1/0/0 Port status: UP
Edge port : GigabitEthernet3/0/0 Port status: UP
RRPP Ring : 3
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Common port : GigabitEthernet1/0/0 Port status: UP
Edge port : GigabitEthernet3/0/1 Port status: UP
You can find that, in Domain 2, the control VLAN is VLAN 10, and the protected VLAN is
the VLAN mapped to Instance 2.
UPEB is the edge node on Ring 2 in Domain 2 and is in LinkUp state. GE1/0/0 is the
common interface and GE3/0/0 is the edge interface.
UPEB is the edge node on Ring 3 in Domain 2 and is in LinkUp state. GE1/0/0 is the
common interface and GE3/0/1 is the edge interface.
Run the display rrpp verbose domain 1 command on PEAGG. The command output is as
follows:
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/0 Port status: UP
Secondary port : GigabitEthernet2/0/0 Port status: BLOCKED
The command output shows that the control VLAN in Domain 1 is VLAN 5, and the
protected VLANs are the VLANs mapping Instance 1.
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet2/0/0 Port status: UP
Secondary port : GigabitEthernet1/0/0 Port status: BLOCKED
The command output shows that, in Domain 2, the control VLAN is VLAN 10, and the
protected VLAN is the VLAN mapped to Instance 2.
Run the display rrpp ring-group command on UPEB to check the configuration of the ring
group.
domain 2 ring 2 to 3
domain 1 ring 2 send Edge-Hello packet
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
rrpp linkup-delay-timer 1
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 2 node-mode master primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 1
ring 2 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 2 node-mode master primary-port GigabitEthernet2/0/0 secondary-port
GigabitEthernet1/0/0 level 1
ring 2 enable
#
interface GigabitEthernet1/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
return
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 3 node-mode master primary-port GigabitEthernet2/0/0 secondary-port
GigabitEthernet1/0/0 level 1
ring 3 enable
#
interface GigabitEthernet1/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
return
l UPEA configuration file
#
sysname UPEA
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
#
interface GigabitEthernet1/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
return
l UPEB configuration file
#
sysname UPEB
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
#
stp region-configuration
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
ring 2 node-mode assistant-edge common-port GigabitEthernet2/0/0 edge-port
GigabitEthernet3/0/0
ring 2 enable
ring 3 node-mode assistant-edge common-port GigabitEthernet2/0/0 edge-port
GigabitEthernet3/0/1
ring 3 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
ring 2 node-mode assistant-edge common-port GigabitEthernet2/0/0 edge-port
GigabitEthernet3/0/0
ring 2 enable
ring 3 node-mode assistant-edge common-port GigabitEthernet2/0/0 edge-port
GigabitEthernet3/0/1
ring 3 enable
#
rrpp ring-group 1
domain 1 ring 2 to 3
domain 2 ring 2 to 3
#
interface GigabitEthernet1/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet3/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
interface GigabitEthernet3/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
return
l UPED configuration file
#
sysname UPED
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
#
interface GigabitEthernet1/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
return
Networking Requirements
As shown in Figure 18-42, on a ring network, idle links are required to forward data. In this
way, data in different VLANs are forwarded along different paths, improving network
efficiency and implementing load balancing.
Figure 18-42 Networking diagram of tangent RRPP rings with multiple instances
UPEB UPEE
GE1/0/0 GE2/0/0
GE1/0/0 GE2/0/0
Domain 1 ring 1
CE GE2/0/0 GE1/0/0
GE1/0/1 GE1/0/0 UPEF
Master 1
UPEA
Master 2 UPED Master 3
VLAN 100-300 GE1/0/0 GE2/0/0 GE2/0/1 GE2/0/0
Domain 2 ring 1 Domain 3 ring 1
UPEC UPEG
domain 1
domain 2
domain 3
Table 18-14 shows the mapping between protected VLANs and instances in Domain 1,
Domain 2, and Domain 3.
Table 18-15 shows the master node on each ring, and its primary and secondary interfaces.
Table 18-15 Master node and its primary and secondary interfaces
Ring ID Master Node Primary Port Secondary Port
Configuration Roadmap
The configuration roadmap is as follows:
1. Create different RRPP domains and control VLANs.
2. Map the VLANs that need to pass through the domain to the instance.
3. Configure interfaces to be added to the RRPP domain on the devices so that data can
pass through the interfaces. Disable protocols that conflict with RRPP, such as STP.
4. Configure protected VLANs and create RRPP rings in RRPP domains.
a. Add UPEA, UPEB, UPEC, and UPED to Ring 1 in Domain 1 and Ring 1 in
Domain 2.
b. Add UPED, UPEE, UPEF, and UPEG to Ring 1 in Domain 3.
c. Configure UPED as the master node and configure UPEA, UPEB, and UPEC as
transit nodes on Ring 1 in Domain 1 and Ring 1 in Domain 2.
d. Configure UPEF as the master node and configure UPED, UPEE, and UPEG as
transit nodes on Ring 1 in Domain 3.
5. Enable the RRPP ring and RRPP protocol on devices to make RRPP take effect.
Procedure
Step 1 Configure instances, and map it to the data VLANs and control VLANs allowed by the RRPP
interface.
# Configure UPEA. The configurations on UPEB, UPEC, UPED, UPEE, UPEF, and UPEG
are the same as that of UPEA and not mentioned here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname UPEA
[UPEA] stp region-configuration
[UPEA-mst-region] instance 1 vlan 5 6 100 to 200
[UPEA-mst-region] instance 2 vlan 10 11 201 to 300
[UPEA-mst-region] active region-configuration
[UPEA-mst-region] quit
[UPEA-GigabitEthernet1/0/0] quit
[UPEA] interface gigabitethernet 2/0/0
[UPEA-GigabitEthernet2/0/0] port link-type trunk
[UPEA-GigabitEthernet2/0/0] undo port trunk allow-pass vlan 1
[UPEA-GigabitEthernet2/0/0] port trunk allow-pass vlan 100 to 300
[UPEA-GigabitEthernet2/0/0] stp disable
[UPEA-GigabitEthernet2/0/0] quit
Step 3 Create RRPP domains and configure protected VLANs and control VLANs.
# Configure UPEA. The configurations on UPEB, UPEC, UPED, UPEE, UPEF, and UPEG
are similar to that on UPEA and not mentioned here. For details, see the configuration files.
[UPEA] rrpp domain 1
[UPEA-rrpp-domain-region1] protected-vlan reference-instance 1
[UPEA-rrpp-domain-region1] control-vlan 5
[UPEA-rrpp-domain-region1] quit
[UPEA] rrpp domain 2
[UPEA-rrpp-domain-region2] protected-vlan reference-instance 2
[UPEA-rrpp-domain-region2] control-vlan 10
[UPEA-rrpp-domain-region2] quit
# Configure UPEA as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces on UPEA.
[UPEA] rrpp domain 2
[UPEA-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEA-rrpp-domain-region2] ring 1 enable
[UPEA-rrpp-domain-region2] quit
# Configure UPEB as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces on UPEB.
[UPEB] rrpp domain 1
[UPEB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEB-rrpp-domain-region1] ring 1 enable
[UPEB-rrpp-domain-region1] quit
# Configure UPEB as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces on UPEB.
[UPEB] rrpp domain 2
[UPEB-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEB-rrpp-domain-region2] ring 1 enable
[UPEB-rrpp-domain-region2] quit
# Configure UPEC as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces on UPEC.
[UPEC] rrpp domain 1
[UPEC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEC-rrpp-domain-region1] ring 1 enable
[UPEC-rrpp-domain-region1] quit
# Configure UPEC as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces on UPEC.
[UPEC] rrpp domain 2
[UPEC-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEC-rrpp-domain-region2] ring 1 enable
[UPEC-rrpp-domain-region2] quit
# Configure UPED as the master node on Ring 1 in Domain 1 and specify GE1/0/0 as the
primary interface and GE2/0/0 as the secondary interface on UPED.
[UPED] rrpp domain 1
[UPED-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPED-rrpp-domain-region1] ring 1 enable
[UPED-rrpp-domain-region1] quit
# Configure UPED as the master node on Ring 1 in Domain 2 and specify GE2/0/0 as the
primary interface and GE1/0/0 as the secondary interface on UPED.
[UPED] rrpp domain 2
[UPED-rrpp-domain-region2] ring 1 node-mode master primary-port gigabitethernet
2/0/0 secondary-port gigabitethernet 1/0/0 level 0
[UPED-rrpp-domain-region2] ring 1 enable
[UPED-rrpp-domain-region2] quit
# Configure UPED as a transit node on Ring 1 in Domain 3 and specify primary and
secondary interfaces on UPED.
[UPED] rrpp domain 3
[UPED-rrpp-domain-region3] ring 1 node-mode transit primary-port gigabitethernet
1/0/1 secondary-port gigabitethernet 2/0/1 level 0
[UPED-rrpp-domain-region3] ring 1 enable
[UPED-rrpp-domain-region3] quit
# Configure UPEE as a transit node on Ring 1 in Domain 3 and specify primary and
secondary interfaces on UPEE.
[UPEE] rrpp domain 3
[UPEE-rrpp-domain-region3] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEE-rrpp-domain-region3] ring 1 enable
[UPEE-rrpp-domain-region3] quit
# Configure UPEF as the master node on Ring 1 in Domain 3 and specify GE1/0/0 as the
primary interface and GE2/0/0 as the secondary interface on UPEF.
# Configure UPEG as a transit node on Ring 1 in Domain 3 and specify primary and
secondary interfaces.
[UPEG] rrpp domain 3
[UPEG-rrpp-domain-region3] ring 1 node-mode transit primary-port gigabitethernet
1/0/0 secondary-port gigabitethernet 2/0/0 level 0
[UPEG-rrpp-domain-region3] ring 1 enable
[UPEG-rrpp-domain-region3] quit
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Domain Index : 2
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Domain Index : 3
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1 to 3
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
The major control VLAN is VLAN 20, and the protected VLANs are the VLANs mapped to
instances 1 to 3.
UPED is a transit node on Ring 1. GigabitEthernet1/0/1 is the primary interface and
GigabitEthernet2/0/1 is the secondary interface.
Run the display rrpp verbose domain command on UPED. The command output is as
follows:
# Check detailed information about UPED in Domain 1.
[UPED] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/0 Port status: UP
Secondary port : GigabitEthernet2/0/0 Port status: BLOCKED
The command output shows that the control VLAN in Domain 1 is VLAN 5, and the
protected VLANs are the VLANs mapping Instance 1.
UPED is the master node in Domain 1 and is in Complete state.
The primary interface is GigabitEthernet1/0/0 and the secondary interface is
GigabitEthernet2/0/0.
# Check detailed information about UPED in Domain 2.
[UPED] display rrpp verbose domain 2
Domain Index : 2
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet2/0/0 Port status: UP
Secondary port : GigabitEthernet1/0/0 Port status: BLOCKED
The command output shows that, in Domain 2, the control VLAN is VLAN 10, and the
protected VLAN is the VLAN mapped to Instance 2.
UPED is the master node in Domain 2 and is in Complete state.
The primary interface is GigabitEthernet2/0/0 and the secondary interface is
GigabitEthernet1/0/0.
# Check detailed information about UPED in Domain 3.
[UPED] display rrpp verbose domain 3
Domain Index : 3
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1 to 3
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/1 Port status: UP
Secondary port : GigabitEthernet2/0/1 Port status: UP
The command output shows that, in Domain 3, the control VLAN is VLAN 20 and the
protected VLANs are the VLANs mapped to instances 1 to 3.
UPED is a transit node in Domain 3 and is in LinkUp state.
The primary interface is GigabitEthernet1/0/1 and the secondary interface is
GigabitEthernet2/0/1.
----End
Configuration Files
l UPEA configuration file
#
sysname UPEA
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
#
interface GigabitEthernet1/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
return
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
#
interface GigabitEthernet1/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
return
#
return
l UPED configuration file
#
sysname UPED
#
vlan batch 5 to 6 10 to 11 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
instance 3 vlan 20 to 21
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode master primary-port GigabitEthernet2/0/0 secondary-port
GigabitEthernet1/0/0 level 0
ring 1 enable
rrpp domain 3
control-vlan 20
protected-vlan reference-instance 1 to 3
ring 1 node-mode transit primary-port GigabitEthernet1/0/1 secondary-port
GigabitEthernet2/0/1 level 0
ring 1 enable
#
interface GigabitEthernet1/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
l UPEE configuration file
#
sysname UPEE
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 3
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
#
interface GigabitEthernet1/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
l UPEF configuration file
#
sysname UPEF
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 3
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
#
interface GigabitEthernet1/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
l UPEG configuration file
#
sysname UPEG
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 3
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/0 secondary-port
GigabitEthernet2/0/0 level 0
ring 1 enable
#
interface GigabitEthernet1/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
Fault Description
After the RRPP configuration is complete, a loop occurs.
This fault is commonly caused by one of the following:
l RRPP is incorrectly configured.
l The values of the Fail timers are set different on the devices of the ring.
Procedure
Step 1 Check whether nodes are correctly configured on the RRPP ring.
Run the display this command in the RRPP domain view on nodes of the ring to check RRPP
configurations.
Check whether nodes on the RRPP ring are located in the same domain, whether the control
VLAN map the instance, and whether only one master node exists on the RRPP ring.
l If a fault occurs in the preceding configurations, see 18 RRPP Configuration in the
S7700&S9700 Series Switches Configuration Guide - Reliability Configuration.
l If the preceding configurations are correct, go to step 2.
Step 2 Check whether the values of Fail timers are set the same on nodes of the RRPP ring.
Run the display rrpp verbose domain domain-id command in any view to check detailed
information about the RRPP configuration.
If the values of the Fail timer are set different on nodes of the RRPP ring, see 18 RRPP
Configuration in the S7700&S9700 Series Switches Configuration Guide - Reliability
Configuration.
----End
Fault Symptom
After the primary port of a transit node on an RRPP ring network becomes down and then
recovers, the transit node and other transit nodes cannot register with the master node.
Procedure
Step 1 Check the master node on the RRPP ring.
Run the display rrpp verbose domaindomain-id [ ringring-id ] command in any view on
each node on an RRPP ring to view the role of each node.
If the value of Node Mode is Master, the node is the master node.
Then go to step 2.
Step 2 Check whether MAC address entries and ARP entries of the master node are updated.
Run the display mac-address and display arp all commands in any view of the master node
on an RRPP ring to check the MAC address table and ARP table on the master node. Check
whether there are MAC address entries and ARP entries of transit nodes that cannot register.
l If there are no MAC address entries and ARP entries of transit nodes that cannot register,
MAC address entries and ARP entries of the master node are not updated. Go to step 3.
l If there are MAC address entries and ARP entries of transit nodes that cannot register, go
to step 4.
Step 3 Check whether nodes on an RRPP ring use the same working mode.
Run the display rrpp brief [ domaindomain-id ] command in any view to view the RRPP
configuration.
Check whether the configuration contains the rrpp working-mode gb command. If the rrpp
working-mode gb command has been executed on a node, the node uses the RRPP standard
version. If the rrpp working-mode gb command is not executed on a node, the node uses
Huawei proprietary version.
l If the master node and other transit nodes use different working modes, run the undo
rrpp enable command in the system view of the chassis switch to disable RRPP and
deactivate all RRPP rings. Then run the rrpp working-mode { hw | gb} command to
change the working mode of each node to be the same.
l If the master node and other transit nodes use the same working mode, go to step 4.
Step 4 Collect alarms, logs, and location information, and then contact Huawei technical support
personnel.
----End
18.11 FAQ
18.12 References
RRPP is a Huawei proprietary protocol.
This chapter describes how to configure the Ethernet Ring Protection Switching (ERPS).
ERPS is a protocol defined by the International Telecommunication Union -
Telecommunication Standardization Sector (ITU-T) to eliminate loops at Layer 2. It
implements convergence of carrier-class reliability standards, and allows all ERPS-capable
devices on a ring network to communicate.
Definition
ERPS is a protocol defined by the International Telecommunication Union -
Telecommunication Standardization Sector (ITU-T) to eliminate loops at Layer 2. Because
the standard number is ITU-T G.8032/Y1344, ERPS is also called G.8032. ERPS defines
Ring Auto Protection Switching (RAPS) Protocol Data Units (PDUs) and protection
switching mechanisms.
ERPS has two versions: ERPSv1 released by ITU-T in June 2008 and ERPSv2 released in
August 2010. EPRSv2, fully compatible with ERPSv1, provides the following enhanced
functions:
l Multi-ring topologies, such as intersecting rings
l RAPS PDU transmission on virtual channels (VCs) and non-virtual-channels (NVCs) in
sub-rings
l Forced Switch (FS) and Manual Switch (MS)
l Revertive and non-revertive switching
Purpose
Generally, redundant links are used on an Ethernet switching network such as a ring network
to provide link backup and enhance network reliability. The use of redundant links, however,
may produce loops, causing broadcast storms and rendering the MAC address table unstable.
As a result, communication quality deteriorates, and communication services may even be
interrupted. Table 19-1 describes ring network protocols supported by devices.
Ethernet networks demand faster protection switching. STP does not meet the requirement for
fast convergence. RRPP and SEP are Huawei proprietary ring protocols, which cannot be
used for communication between Huawei and non-Huawei devices on a ring network.
ERPS, a standard ITU-T protocol, prevent loops on ring networks. It optimizes detection and
performs fast convergence. ERPS allows all ERPS-capable devices on a ring network to
communicate.
Benefits
l Prevents broadcast storms and implements fast traffic switchover on a network where
there are loops.
l Provides fast convergence and carrier-class reliability.
l Allows all ERPS-capable devices on a ring network to communicate.
19.2 Principles
network. To eliminate redundant links and ensure link connectivity, ERPS is used to prevent
loops.
Network
Router1 Router2
SwitchA SwitchD
ERPS
RPL SwitchC
SwitchB
User
network
RPL owner
RPL neighbour
ERPS Ring
An ERPS ring consists of interconnected Layer 2 switching devices configured with the same
control VLAN.
An ERPS ring can be a major ring or a sub-ring. By default, an ERPS ring is a major ring.
The major ring is a closed ring, whereas a sub-ring is a non-closed ring. The major ring and
sub-ring are configured using commands. On the network shown in Figure 19-2, SwitchA
through SwitchD constitute a major ring, and SwitchC through SwitchF constitute a sub-ring.
Only ERPSv2 supports sub-rings.
SwitchB SwitchF
SwitchD
Node
A node refers to a Layer 2 switching device added to an ERPS ring. A maximum of two ports
on each node can be added to the same ERPS ring. SwitchA through SwitchD in Figure 19-2
are nodes in an ERPS major ring.
Port Role
ERPS defines three port roles: RPL owner port, RPL neighbor port (only in ERPSv2), and
common port.
l RPL owner port
An RPL owner port is responsible for blocking traffic over the Ring Protection Link
(RPL) to prevent loops. An ERPS ring has only one RPL owner port.
When the node on which the RPL owner port resides receives an RAPS PDU indicating
a link or node fault in an ERPS ring, the node unblocks the RPL owner port. Then the
RPL owner port can send and receive traffic to ensure nonstop traffic forwarding.
The link where the RPL owner port resides is the RPL.
l RPL neighbor port
An RPL neighbor port is directly connected to an RPL owner port.
Both the RPL owner port and RPL neighbor ports are blocked in normal situations to
prevent loops.
If an ERPS ring fails, both the RPL owner and neighbor ports are unblocked.
The RPL neighbor port helps reduce the number of FDB entry updates on the device
where the RPL neighbor port resides.
l Common port
Common ports are ring ports other than the RPL owner and neighbor ports.
A common port monitors the status of the directly connected ERPS link and sends RAPS
PDUs to notify the other ports of its link status changes.
Port Status
On an ERPS ring, an ERPS-enabled port has two statuses:
l Forwarding: forwards user traffic and sends and receives RAPS PDUs.
l Discarding: only sends and receives RAPS PDUs.
Control VLAN
A control VLAN is configured in an ERPS ring to transmit RAPS PDUs.
Each ERPS ring must be configured with a control VLAN. After a port is added to an ERPS
ring configured with a control VLAN, the port is added to the control VLAN automatically.
Different ERPS rings must use different control VLANs.
Data VLAN
Unlike control VLANs, data VLANs are used to transmit data packets.
ERP Instance
On a Layer 2 device running ERPS, the VLAN in which RAPS PDUs and data packets are
transmitted must be mapped to an Ethernet Ring Protection (ERP) instance so that ERPS
forwards or blocks the packets based on configured rules. If the mapping is not configured,
the preceding packets may cause broadcast storms on the ring network. As a result, the
network becomes unavailable.
Timer
ERPS defines four timers: Guard timer, WTR timer, Holdoff timer, and WTB timer (only in
ERPSv2).
l Guard timer
After a faulty link or node recovers or a clear operation is executed, the device sends
RAPS No Request (NR) messages to inform the other nodes of the link or node recovery
and starts the Guard timer. Before the Guard timer expires, the device does not process
any RAPS (NR) messages to avoid receiving out-of-date RAPS (NR) messages. After
the Guard timer expires, if the device still receives an RAPS (NR) message, the local
port enters the Forwarding state.
l WTR timer
If an RPL owner port is unblocked due to a link or node fault, the involved port may not
go Up immediately after the link or node recovers. Blocking the RPL owner port may
cause network flapping. To prevent this problem, the node where the RPL owner port
resides starts the wait to restore (WTR) timer after receiving an RAPS (NR) message. If
the node receives an RAPS Signal Fail (SF) message before the timer expires, it
terminates the WTR timer. If the node does not receive any RAPS (SF) message before
the timer expires, it blocks the RPL owner port when the timer expires and sends an
RAPS (no request, root blocked) message. After receiving this RAPS (NR, RB)
message, the nodes set their recovered ports on the ring to the Forwarding state.
l Holdoff timer
On Layer 2 networks running EPRS, there may be different requirements for protection
switching. For example, on a network where multi-layer services are provided, after a
server fails, users may require a period of time to rectify the server fault so that clients do
not detect the fault. You can set the Holdoff timer. If the fault occurs, the fault is not
immediately sent to ERPS until the Holdoff timer expires.
l WTB timer
The wait to block (WTB) timer starts when Forced Switch (FS) or Manual Switch (MS)
is performed. Because multiple nodes on an ERPS ring may be in FS or MS state, the
clear operation takes effect only after the WTB timer expires. This prevents the RPL
owner port from being blocked immediately.
The WTB timer value cannot be configured. Its value is the Guard timer value plus 5.
The default WTB timer value is 7s.
l In revertive switching, the RPL owner port is re-blocked after the WTR timer expires,
and the RPL is blocked.
l In non-revertive switching, the WTR timer is not started, and the original faulty link is
still blocked.
ERPSv1 supports only revertive switching. ERPSv2 supports both revertive and non-revertive
switching.
In addition to FS and MS operations, ERPS also supports the clear operation. The clear
operation has the following functions:
l Clears an existing FS or MS operation.
l Triggers revertive switching before the WTR or WTB timer expires in the case of
revertive switching operations.
l Triggers revertive switching in the case of non-revertive switching operations.
l VC: RAPS PDUs in sub-rings are transmitted to the major ring through interconnected
nodes. The RPL owner port of the sub-ring blocks both RAPS PDUs and data traffic.
l NVC: RAPS PDUs in sub-rings are terminated on the interconnected nodes. The RPL
owner port blocks data traffic but not RAPS PDUs in each sub-ring.
On the network shown in Figure 19-3, a major ring is interconnected with two sub-rings. The
sub-ring on the left has a VC, whereas the sub-ring on the right has an NVC.
Major Ring
Sub-Ring Sub-Ring
with virtual without virtual
channel channel
Interconnection Node
By default, sub-rings use NVCs to transmit RAPS PDUs, except for the scenario shown in
Figure 19-4.
NOTE
On the network shown in Figure 19-4, links b and d belong to major rings 1 and 2
respectively; links a and c belong to the sub-ring. As links a and c are incontiguous, they
cannot detect the status change between each other, so VCs must be used for RAPS PDU
transmission.
Sub-Ring
with virtual
channel
b d
Major Major
Ring1 Ring2
c
Interconnection Node
Table 19-2 lists the advantages and disadvantages of RAPS PDU transmission modes in sub-
rings with VCs or NVCs.
Table 19-2 Comparison between RAPS PDU transmission modes in a sub-ring with VCs or
NVCs
RAPS Advantage Disadvantage
PDU
Transmis
sion
Mode in
a Sub-
ring
NVC Does not need to reserve Is not applicable to scenarios in which sub-
resources or control VLAN ring links are incontiguous.
assignment from adjacent rings.
...
37
[optional TLV starts here;otherwise End TLV]
last End TLV(0)
MEL 3 bits Identifies the maintenance entity group (MEG) level of the
RAPS PDU.
OpCode 8 bits Indicates an RAPS PDU. The value of this field is 0x28.
Flags 8 bits Is ignored upon RAPS PDU receiving. The value of this field
is 0x00.
TLV Offset 8 bits Indicates that the TLV starts after an offset of 32 bytes. The
value of this field is 0x20.
R-APS Specific 32x8 Is the core field in an RAPS PDU and carries ERPS ring
Information bits information. There are differences between sub-fields in
ERPSv1 and ERPSv2. Figure 19-6 shows the R-APS
Specific Information field format in ERPSv1. Figure 19-7
shows the R-APS Specific Information field format in
ERPSv2.
(Node ID)
(Node ID)
Request/ 4 bits Indicates that this RAPS PDU is a request or state PDU. The
State value can be:
l 1101: forced switch (FS)
l 1110: Event
l 1011: signal failed (SF)
l 0111: manual switch (MS)
l 0000: no request (NR)
l Others: reserved
Reserved 2 24 x 8 bits Is reserved and ignored upon RAPS PDU receiving. The value
is all 0 during RAPS PDU transmission.
Network
Router1 Router2
SwitchA SwitchE
ERPS
User
network
Blocked Interface
Data Flow
A Link Fails
As shown in Figure 19-9, if the link between SwitchD and SwitchE fails, the ERPS
protection switching mechanism is triggered. The ports on both ends of the faulty link are
blocked, and the RPL owner port and RPL neighbor port are unblocked to send and receive
traffic. This mechanism ensures nonstop traffic transmission. The process is as follows:
1. After SwitchD and SwitchE detect the link fault, they block their ports on the faulty link
and update Filtering Database (FDB) entries.
2. SwitchD and SwitchE send three consecutive RAPS Signal Fail (SF) messages to the
other LSWs and send one RAPS (SF) message at an interval of 5s afterwards.
3. After receiving an RAPS (SF) message, the other LSWs update their FDB entries.
SwitchC on which the RPL owner port resides and SwitchB on which the RPL neighbor
port resides unblock the respective RPL owner port and RPL neighbor port, and update
FDB entries.
Figure 19-9 ERPS single-ring networking (unblocking the RPL owner port and RPL neighbor
port if a link fails)
Network
Router1 Router2
SwitchA SwitchE
ERPS
User
network
Failed Link
Blocked Interface
Data Flow
1. After the link between SwitchD and SwitchE recovers, SwitchD and SwitchE start the
Guard timer to avoid receiving out-of-date RAPS PDUs. The two switches do not
receive any RAPS PDUs before the timer expires. At the same time, SwitchD and
SwitchE send RAPS (NR) messages to the other LSWs.
2. After receiving an RAPS (NR) message, SwitchC on which the RPL owner port resides
starts the WTR timer. After the WTR timer expires, SwitchC blocks the RPL owner port
and sends RAPS (NR, RB) messages.
3. After receiving an RAPS (NR, RB) message, SwitchD and SwitchE unblock the ports at
the two ends of the link that has recovered, stop sending RAPS (NR) messages, and
update FDB entries. The other LSWs also update FDB entries after receiving an RAPS
(NR, RB) message.
Protection Switching
l Forced switch
On the network shown in Figure 19-10, SwitchA through SwitchE in the ERPS ring can
communicate with each other. A forced switch (FS) operation is performed on the
SwitchE's port that connects to SwitchD, and the SwitchE's port is blocked. Then the
RPL owner port and RPL neighbor port are unblocked to send and receive traffic. This
mechanism ensures nonstop traffic transmission. The process is as follows:
a. After the SwitchD's port that connects to SwitchE is forcibly blocked, SwitchE
update FDB entries.
b. SwitchE sends three consecutive RAPS (SF) messages to the other LSWs and sends
one RAPS (SF) message at an interval of 5s afterwards.
c. After receiving an RAPS (SF) message, the other LSWs update their FDB entries.
SwitchC on which the RPL owner port resides and SwitchB on which the RPL
neighbor port resides unblock the respective RPL owner port and RPL neighbor
port, and update FDB entries.
Network
Router1 Router2
SwitchE
SwitchA
ERPS
SwitchB RPL
SwitchD
User
network
Blocked Interface
Data Flow
l Clear
After a clear operation is performed on SwitchE, the port that is forcibly blocked by FS
sends RAPS (NR) messages to all other ports in the ERPS ring.
– If the ERPS ring uses revertive switching, the RPL owner port starts the WTB timer
after receiving an RAPS (NR) message. After the WTB timer expires, the FS
operation is cleared. Then the RPL owner port is blocked, and the blocked port on
SwitchE is unblocked. If you perform a clear operation on SwitchC on which the
RPL owner port resides before the WTB timer expires, the RPL owner port is
immediately blocked, and the blocked port on SwitchE is unblocked.
– If the ERPS ring uses non-revertive switching and you want to block the RPL
owner port, perform a clear operation on SwitchC on which the RPL owner port
resides.
l Manual switch
The MS process in an ERPS ring is similar to the FS process. The difference is that the
MS operation does not take effect when the ERPS ring is not idle or pending.
Network
Router1 Router2
SwitchA SwitchE
Sub-Ring2
Sub-Ring1 RP
L SwitchC L
RP
SwitchF SwitchG
PC1 PC2
RPL owner
Data Flow
A Link Fails
As shown in Figure 19-12, if the link between SwitchD and SwitchG fails, the ERPS
protection switching mechanism is triggered. The ports on both ends of the faulty link are
blocked, and the RPL owner port in sub-ring 2 is unblocked to send and receive traffic. In this
situation, traffic from PC1 still travels along the original path. SwitchC and SwitchD inform
the other nodes in the major ring of the topology change so that traffic from PC2 is also not
interrupted. Traffic between PC2 and the upper-layer network travels along the path PC2 ->
SwitchG -> SwitchC -> SwitchB -> SwitchA -> SwitchE -> Router2. The process is as
follows:
1. After SwitchD and SwitchG detect the link fault, they block their ports on the faulty link
and update Filtering Database (FDB) entries.
2. SwitchG sends three consecutive RAPS (SF) messages to the other LSWs and sends one
RAPS (SF) message at an interval of 5s afterwards.
3. SwitchG then unblocks the RPL owner port and updates FDB entries.
4. After the interconnected node SwitchC receives an RAPS (SF) message, it updates FDB
entries. SwitchC and SwitchD then send RAPS Event messages within the major ring to
notify the topology change in sub-ring 2.
5. After receiving an RAPS Event message, the other LSWs in the major ring update FDB
entries.
Then traffic from PC2 is switched to a normal link.
Figure 19-12 ERPS multi-ring networking (unblocking the RPL owner port if a link fails)
Network
Router1 Router2
SwitchA SwitchE
Major Ring
SwitchB
RPL SwitchD
Sub-Ring2
Sub-Ring1 RP
L SwitchC L
RP
SwitchF SwitchG
PC1 PC2
Blocked Interface
Data Flow
l If the ERPS ring uses non-revertive switching, the RPL remains unblocked, and the link
that has recovered is still blocked.
The following example uses revertive switching to illustrate the process after the link
recovers.
1. After the link between SwitchD and SwitchG recovers, SwitchD and SwitchG start the
Guard timer to avoid receiving out-of-date RAPS PDUs. The two devices do not receive
any RAPS PDUs before the timer expires. Then SwitchD and SwitchG send RAPS (NR)
messages within sub-ring 2.
2. SwitchG on which the RPL owner port resides starts the WTR timer. After the WTR
timer expires, SwitchG blocks the RPL owner port and unblocks its port on the link that
has recovered and then sends RAPS (NR, RB) messages within sub-ring 2.
3. After receiving an RAPS (NR, RB) message from SwitchG, SwitchD unblocks its port
on the recovered link, stops sending RAPS (NR) messages, and updates FDB entries.
SwitchC also updates FDB entries.
4. SwitchC and SwitchD (interconnected nodes) send RAPS Event messages within the
major ring to notify the link recovery of sub-ring 2.
5. After receiving an RAPS Event message, the other LSWs in the major ring update FDB
entries.
Then traffic changes to the normal state, as shown in Figure 19-11.
Network
Router1 Router2
SwitchE
SwitchA
ERPS Ring2
ERPS Ring1
SwitchD
SwitchB
Interface2 Interface1
SwitchC
Ring1 Blocked Port
CE1 Ring2 Blocked Port
Data Flow1
VLAN100-200 Data Flow2
and VLAN300-
400
To improve link use efficiency, only two logical rings can be configured in the same physical
ring in the ERPS multi-instance. A port may have different roles in different ERPS rings and
different ERPS rings use different control VLANs. A physical ring can have two blocked
ports accordingly. Each blocked port independently monitors the physical ring status and is
blocked or unblocked. An ERPS ring must be configured with an ERP instance, and each
ERP instance specifies a range of VLANs. The topology calculated for a specific ERPS ring
only takes effect in the ERPS ring. Different VLANs can use separate paths, implementing
traffic load balancing and link backup.
As shown in Figure 19-13, you can configure ERPS Ring1 and ERPS Ring2 in the physical
ring consisting of SwitchA through SwitchE. Interface1 is the blocked port in ERPS Ring1.
The VLANs mapping to the ERP instance is VLANs 100 to 200. Interface2 is the blocked
port in ERPS Ring2. The VLANs mapping to the ERP instance is VLANs 300 to 400. After
the configuration is completed, data from VLANs 100 to 200 is forwarded through Data
Flow1, and data from VLANs 300 to 400 is forwarded through Data Flow2. In this manner,
load balancing is implemented and link use efficiency is improved.
Network
Router1 Router2
SwitchE
SwitchA
ERPS SwitchD
SwitchB
RPL
RPL Owner
SwitchC
User
network1 User
network3
User
network2
Blocked Port
Data Flow1
Data Flow2
Data Flow3
As shown in Figure 19-14, SwitchA through SwitchE constitute a ring. The ring runs ERPS
to provide protection switching for Layer 2 redundant links and prevent loops that cause
broadcast storms and render the MAC address table unstable.
Generally, the RPL owner port is blocked and does not forward service packets, preventing
loops. If a fault occurs on the link between SwitchA and SwitchB, ERPS will unblock the
blocked RPL owner port and traffic from User network1 and User network2 is forwarded
through the path SwitchC ->SwitchD ->SwitchE.
License Support
ERPS is a basic feature of a switch and is not under license control.
Version Support
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
Context
ERPS works for ERPS rings. An ERPS ring consists of interconnected Layer 2 switching
devices configured with the same control VLAN and data VLAN. Before configuring other
ERPS functions, you must configure an ERPS ring.
Procedure
Step 1 Run:
system-view
Step 2 Run:
erps ring ring-id
The description of the device is configured. The description can contain the ERPS ring ID,
which facilitate device maintenance in an ERPS ring.
By default, the description of an ERPS ring is the ERPS ring name, for example, Ring 1.
----End
Context
In an ERPS ring, the control VLAN is used only to forward RAPS PDUs but not service
packets, so the security of ERPS is improved. All the devices in an ERPS ring must be
configured with the same control VLAN, and different ERPS rings must use different control
VLANs.
Procedure
Step 1 Run:
system-view
----End
19.7.1.3 Configuring an ERP Instance and Activating the Mapping Between the
ERP Instance and VLAN
Context
On a Layer 2 device running ERPS, the VLAN in which RAPS PDUs and data packets are
transmitted must be mapped to an ERP instance so that ERPS forwards or blocks the packets
based on configured rules. If the mapping is not configured, the preceding packets may cause
broadcast storms on the ring network. As a result, the network becomes unavailable.
Procedure
Step 1 Run:
system-view
NOTE
l If the stp mode (system view) command is used to set the STP working mode to VLAN-based
Spanning Tree (VBST), the ERP instance specified by the protected-instance command must be the
created static instance.
l If you run the protected-instance command multiple times in the same ERPS ring, multiple ERP
instances are configured.
l If the ERPS ring contains ports, the ERP instance cannot be changed. To delete the configured ERP
instance, run the undo erps ring command in the interface view or the undo port command in the
ERPS ring view to delete ports from the ERPS ring, and run the undo protected instance command
to delete the ERP instance.
Step 4 Run:
quit
– A VLAN cannot be mapped to multiple MSTIs. If you map a VLAN that has already been
mapped to an MSTI to another MSTI, the original mapping will be deleted.
– The vlan-mapping modulo modulo command configures the mapping between MSTIs and
VLANs based on the default algorithm. However, the mapping configured using this command
cannot always meet the actual demand. Therefore, running this command is not recommended.
– To configure the mapping between an ERP instance and a MUX VLAN, you are advised to
configure the principal VLAN, subordinate group VLANs, and subordinate separate VLANs
of the MUX VLAN in the same ERP instance. Otherwise, loops may occur.
3. Run:
active region-configuration
The mapping between the ERP instance and the VLAN is activated.
----End
19.7.1.4 Adding a Layer 2 Port to an ERPS Ring and Configuring the Port Role
Context
After ERPS is configured, add Layer 2 ports to an ERPS ring and configure port roles so that
ERPS can work properly.
You can add a Layer 2 port to an ERPS ring in either of the following ways:
l In the ERPS ring view, add a specified port to the ERPS ring and configure the port role.
l In the interface view, add the current port to the ERPS ring and configure the port role.
NOTE
l A port can be added to at most two ERPS rings, but cannot be added to ERPS rings configured with
the same protected instance.
l An ERPS-enabled port needs to allow packets of control VLANs and data VLANs to pass through,
so the link type of the port must be configured as trunk or hybrid.
l Flush-FDB packets for updating MAC addresses cannot be separately sent, so do not configure a
direct link between two upstream nodes as the RPL.
l Before changing the port role, use the shutdown command to disable the port. When the port role is
changed, use the undo shutdown command to enable the port. This prevents traffic interruptions.
l Before adding an interface to a ERPS ring, disable port security on the interface; otherwise, loops
cannot be prevented.
Prerequisites
l The port is not a Layer 3 port. If the port is a Layer 3 port, run the portswitch command
to switch the port to the Layer 2 mode.
l Spanning Tree Protocol (STP), Rapid Ring Protection Protocol (RRPP), Smart Ethernet
Protection (SEP), or Smart Link is not enabled on the port.
– If the port has STP enabled, run the stp disable command in the interface view to
disable STP.
– If the port has RRPP enabled, run the undo ring ring-id command in the RRPP
domain view to disable RRPP.
– If the port has SEP enabled, run the undo sep segment segment-id command in the
interface view to disable SEP.
– If the port has Smart Link enabled, run the undo port command in the Smart Link
group view to disable Smart Link.
l The control-vlan command has been executed to configure a control VLAN and the
protected-instance command has been executed to configure an ERP instance.
Procedure
Step 1 Run:
system-view
Step 2 Add a Layer 2 port to an ERPS ring and configure the port role in either of the following
ways.
l In the ERPS ring view, add a specified port to the ERPS ring and configure the port role.
a. Run:
interface interface-type interface-number
The port is added to the ERPS ring and its role is configured. If rpl owner is
specified, the port is configured as an RPL owner port. If rpl owner is not
specified, the port is a common port.
l In the interface view, add the current port to the ERPS ring and configure the port role.
a. Run:
interface interface-type interface-number
VLAN to pass through. Therefore, you need to specify only the IDs of data VLANs
in this step.
e. Run:
erps ring ring-id [ rpl owner ]
The current port is added to the ERPS ring and its role is configured. If rpl owner
is specified, the port is configured as an RPL owner port. If rpl owner is not
specified, the port is a common port.
----End
Context
After a link or node failure in an ERPS ring recovers, the device starts timers in the ERPS
ring to reduce traffic interruptions. This prevents network flapping.
Procedure
Step 1 Run:
system-view
Step 2 Run:
erps ring ring-id
Step 3 Configure the WTR timer, Guard timer, and Holdoff timer in the ERPS ring according to
actual networking.
l Run:
wtr-timer time-value
----End
Context
On a Layer 2 network running ERPS, if another fault detection protocol (for example, CFM)
is enabled, the MEL field in RAPS PDUs determines whether the RAPS PDUs can be
forwarded. If the MEL value in an ERPS ring is smaller than the MEL value of the fault
detection protocol, the RAPS PDUs have a lower priority and are discarded. If the MEL value
in an ERPS ring is larger than the MEL value of the fault detection protocol, the RAPS PDUs
can be forwarded. In addition, the MEL value can also be used for interworking with other
vendors' devices in an ERPS ring. The same MEL value ensures smooth communication
between devices.
Procedure
Step 1 Run:
system-view
Step 2 Run:
erps ring ring-id
Step 3 Run:
raps-mel level-id
----End
Context
Association between Ethernet Connectivity Fault Management (CFM) and Ethernet Ring
Protection Switching (ERPS) on a port added to an ERPS ring accelerates fault detection,
implements fast convergence, and shortens traffic interruptions.
Before configuring association between ERPS and Ethernet CFM, configure basic CFM
functions on the port added to the ERPS ring. For details, see Configuring Basic Ethernet
CFM Functions.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
erps ring ring-id track cfm md md-name ma ma-name mep mep-id remote-mep rmep-id
The association between ERPS and CFM takes effect only when the interface has ERPS
associated with CFM and has an interface-based MEP created using the mep mep-id
command.
----End
Follow-up Procedure
After ERPS is associated with Ethernet CFM, ensure that the maintenance entity group level
(MEL) value of Ring Auto Protection Switching (RAPS) Protocol Data Units (PDUs) in
ERPS rings is larger than the MEL value in CFM protocol packets. Otherwise, Ethernet CFM
cannot allow RAPS PDUs to pass through. The MEL value can be used for interworking with
other vendors' devices in an ERPS ring. The same MEL value ensures smooth communication
between devices.
You can run the raps-mel level-id command in the ERPS ring view to set the MEL value in
RAPS PDUs.
Procedure
l Run the display erps [ ring ring-id ] [ verbose ] command to check the device ports
added to an ERPS ring and ERPS ring configurations.
l Run the display erps interface interface-type interface-number [ ring ring-id ]
command to check physical configurations of the port added to an ERPS ring.
----End
Context
ERPS works for ERPS rings. An ERPS ring consists of interconnected Layer 2 switching
devices configured with the same control VLAN and data VLAN. Before configuring other
ERPS functions, configure an ERPS ring.
Procedure
Step 1 Run:
system-view
Step 2 Run:
erps ring ring-id
By default, an ERPS ring configured using the erps ring ring-id command is a major ring.
Step 3 Run:
version v2
ERPSv2 is specified.
Before specifying ERPSv1 for an ERPSv2-enabled device, delete all ERPS configurations
that ERPSv1 does not support.
By default, an ERPS ring is a major ring. Major rings are closed, and sub-rings are open. This
step is performed only when an existing ERPS ring needs to be used as a sub-ring.
An ERPS ring that has a port cannot be configured as a sub-ring. Before configuring an ERPS
ring that has a port as a sub-ring, run the undo erps ring command in the interface view or
the undo port command in the ERPS ring view to delete the port from the ERPS ring. Then
run the sub-ring command to configure the ERPS ring as a sub-ring.
By default, sub-rings use non-virtual-channels (NVCs) to transmit RAPS PDUs. The default
transmission mode is recommended. When sub-ring links are incontiguous, VCs must be
used. This step takes effect only in a sub-ring.
NOTE
If a virtual channel (VC) needs to be used, configure VCs on all nodes of a sub-ring and intersecting
point of the sub-ring and major ring.
By default, the description of an ERPS ring is the ERPS ring name, for example, Ring 1.
----End
Context
In an ERPS ring, the control VLAN is used only to forward RAPS PDUs but not service
packets, so the security of ERPS is improved. All the devices in an ERPS ring must be
configured with the same control VLAN, and different ERPS rings must use different control
VLANs.
Procedure
Step 1 Run:
system-view
Step 2 Run:
erps ring ring-id
Step 3 Run:
control-vlan vlan-id
l The control VLAN specified by vlan-id must be a VLAN that has not been created or
used.
l If you run the control-vlan command multiple times, only the latest configuration takes
effect.
l If the ERPS ring contains ports, the control VLAN cannot be changed. To delete the
configured control VLAN, run the undo erps ring command in the interface view or the
undo port command in the ERPS ring view to delete ports from the ERPS ring, and run
the undo control-vlan command to delete the control VLAN.
l After a control VLAN is created, the vlan batch vlan-id1 [ to vlan-id2 ] &<1-10>
command used to create common VLANs is displayed in the configuration file.
l After a port is added to an ERPS ring configured with a control VLAN, the port is added
to the control VLAN.
– If the port is a trunk port, the port trunk allow-pass vlan vlan-id command is
displayed in the record of the port that has been added to the ERPS ring in the
configuration file.
– If the port is a hybrid port, the port hybrid tagged vlan vlan-id command is
displayed in the record of the port that has been added to the ERPS ring in the
configuration file.
----End
19.7.2.3 Configuring an ERP Instance and Activating the Mapping Between the
ERP Instance and VLAN
Context
On a Layer 2 device running ERPS, the VLAN in which RAPS PDUs and data packets are
transmitted must be mapped to an ERP instance so that ERPS forwards or blocks the packets
based on configured rules. If the mapping is not configured, the preceding packets may cause
broadcast storms on the ring network. As a result, the network becomes unavailable.
Procedure
Step 1 Run:
system-view
Step 2 Run:
erps ring ring-id
Step 3 Run:
protected-instance { all | { instance-id1 [ to instance-id2 ] &<1-10> } }
NOTE
l If the stp mode (system view) command is used to set the STP working mode to VLAN-based
Spanning Tree (VBST), the ERP instance specified by the protected-instance command must be the
created static instance.
l If you run the protected-instance command multiple times in the same ERPS ring, multiple ERP
instances are configured.
l If the ERPS ring contains ports, the ERP instance cannot be changed. To delete the configured ERP
instance, run the undo erps ring command in the interface view or the undo port command in the
ERPS ring view to delete ports from the ERPS ring, and run the undo protected instance command
to delete the ERP instance.
Step 4 Run:
quit
NOTE
– A VLAN cannot be mapped to multiple MSTIs. If you map a VLAN that has already been
mapped to an MSTI to another MSTI, the original mapping will be deleted.
– The vlan-mapping modulo modulo command configures the mapping between MSTIs and
VLANs based on the default algorithm. However, the mapping configured using this command
cannot always meet the actual demand. Therefore, running this command is not recommended.
– To configure the mapping between an ERP instance and a MUX VLAN, you are advised to
configure the principal VLAN, subordinate group VLANs, and subordinate separate VLANs
of the MUX VLAN in the same ERP instance. Otherwise, loops may occur.
3. Run:
active region-configuration
The mapping between the ERP instance and the VLAN is activated.
----End
19.7.2.4 Adding a Layer 2 Port to an ERPS Ring and Configuring the Port Role
Context
After ERPS is configured, add Layer 2 ports to an ERPS ring and configure port roles so that
ERPS can work properly.
You can add a Layer 2 port to an ERPS ring in either of the following ways:
l In the ERPS ring view, add a specified port to the ERPS ring and configure the port role.
l In the interface view, add the current port to the ERPS ring and configure the port role.
NOTE
Prerequisites
l The port is not a Layer 3 port. If the port is a Layer 3 port, run the portswitch command
to switch the port to the Layer 2 mode.
l Spanning Tree Protocol (STP), Rapid Ring Protection Protocol (RRPP), Smart Ethernet
Protection (SEP), or Smart Link is not enabled on the port.
– If the port has STP enabled, run the stp disable command in the interface view to
disable STP.
– If the port has RRPP enabled, run the undo ring ring-id command in the RRPP
domain view to disable RRPP.
– If the port has SEP enabled, run the undo sep segment segment-id command in the
interface view to disable SEP.
– If the port has Smart Link enabled, run the undo port command in the Smart Link
group view to disable Smart Link.
l The control-vlan command has been executed to configure a control VLAN and the
protected-instance command has been executed to configure an ERP instance.
Procedure
Step 1 Run:
system-view
The port is added to the ERPS ring and its role is configured.
l In the interface view, add the current port to the ERPS ring and configure the port role.
a. Run:
interface interface-type interface-number
stp disable
The current port is added to the ERPS ring and its role is configured.
----End
Context
If an upper-layer Layer 2 network is not notified of the topology change in an ERPS ring, the
MAC address entries remain unchanged on the upper-layer network and therefore user traffic
is interrupted. To ensure nonstop traffic transmission, configure the topology change
notification function and specify the ERPS rings that will be notified of the topology change.
In addition, if an ERPS ring frequently receives topology change notifications, its nodes will
have lower CPU processing capability and repeatedly update Flush-FDB packets, consuming
much bandwidth. To resolve this problem, set the topology change protection interval at
which topology change notifications are sent to suppress topology change notification
transmission, and set the maximum number of topology change notifications that can be
processed during the topology change protection interval to prevent frequent MAC address
and ARP entry updates.
Procedure
Step 1 Run:
system-view
The ERPS ring is configured to notify other ERPS rings of its topology change.
ring-id1 [ to ring-id2 ] specifies the start and end ring IDs of the ERPS rings that will be
notified of the topology change. Ensure that the ERPS rings specified by ring-id1 and ring-
id2 exist. If the specified rings do not exist, the topology change notification function does not
take effect.
After the ERPS rings receive the topology change notification from an ERPS ring, they send
Flush-FDB messages on their separate rings to instruct their nodes to update MAC addresses
so that user traffic is not interrupted.
Step 4 (Optional) Run:
tc-protection interval interval-value
The topology change protection interval at which topology change notification messages are
sent is set.
Step 5 (Optional) Run:
tc-protection threshold threshold-value
The number of times ERPS parses topology change notifications and updates forwarding
entries in the topology change protection interval is set.
The topology change protection interval is the one specified by the tc-protection interval
command.
----End
Context
To ensure that ERPS rings function normally when a node or link fails, configure revertive/
non-revertive switching, port blocking mode, and timers.
Procedure
Step 1 Run:
system-view
Step 6 Run:
erps ring ring-id protect-switch { force | manual }
The ERPS ring specified by ring ring-id must be the one to which the port belongs.
To delete the specified port blocking mode, run the clear command in the ERPS ring view.
Step 7 Run:
quit
----End
Context
After a link or node failure in an ERPS ring recovers, the device starts timers in the ERPS
ring to reduce traffic interruptions. This prevents network flapping.
Procedure
Step 1 Run:
system-view
Step 2 Run:
erps ring ring-id
Step 3 Configure the WTR timer, Guard timer, and Holdoff timer in the ERPS ring according to
actual networking.
l Run:
wtr-timer time-value
----End
Context
Association between Ethernet Connectivity Fault Management (CFM) and Ethernet Ring
Protection Switching (ERPS) on a port added to an ERPS ring accelerates fault detection,
implements fast convergence, and shortens traffic interruptions.
Before configuring association between ERPS and Ethernet CFM, configure basic CFM
functions on the port added to the ERPS ring. For details, see Configuring Basic Ethernet
CFM Functions.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
erps ring ring-id track cfm md md-name ma ma-name mep mep-id remote-mep rmep-id
The association between ERPS and CFM takes effect only when the interface has ERPS
associated with CFM and has an interface-based MEP created using the mep mep-id
command.
----End
Follow-up Procedure
After ERPS is associated with Ethernet CFM, ensure that the maintenance entity group level
(MEL) value of Ring Auto Protection Switching (RAPS) Protocol Data Units (PDUs) in
ERPS rings is larger than the MEL value in CFM protocol packets. Otherwise, Ethernet CFM
cannot allow RAPS PDUs to pass through. The MEL value can be used for interworking with
other vendors' devices in an ERPS ring. The same MEL value ensures smooth communication
between devices.
You can run the raps-mel level-id command in the ERPS ring view to set the MEL value in
RAPS PDUs.
Procedure
l Run the display erps [ ring ring-id ] [ verbose ] command to check the device ports
added to an ERPS ring and ERPS ring configurations.
l Run the display erps interface interface-type interface-number [ ring ring-id ]
command to check physical configurations of the port added to an ERPS ring.
----End
Context
Before recollecting ERPS statistics, run the reset erps command to clear existing ERPS
statistics.
NOTICE
The cleared ERPS statistics cannot be restored. Exercise caution when you run this command.
Procedure
Step 1 Run the reset erps [ ring ring-id ] statistics command to clear packet statistics in an ERPS
ring.
----End
Networking Requirements
Generally, redundant links are used on an Ethernet switching network to provide link backup
and enhance network reliability. The use of redundant links, however, may produce loops,
causing broadcast storms and rendering the MAC address table unstable. As a result,
communication quality deteriorates, and communication services may even be interrupted.
To prevent loops caused by redundant links, enable ERPS on the nodes of the ring network.
ERPS is a Layer 2 loop-breaking protocol defined by the ITU-T, and provides fast
convergence of carrier-class reliability standards.
Figure 19-15 shows a network on which a multi-instance ERPS ring is used. SwitchA
through SwitchD constitute a ring network at the aggregation layer to implement service
aggregation at Layer 2 and process Layer 3 services. ERPS is used on the ring network to
provide protection switching for Layer 2 redundant links. ERPS ring 1 and ERPS ring 2 are
configured on SwitchA through SwitchD. P1 on SwitchB is a blocked port in ERPS ring 1,
and P2 on SwitchA is a blocked port in ERPS ring 2, implementing load balancing and link
backup.
Network
Router1 Router2
SwitchC GE1/0/1
SwitchD
GE1/0/2
GE1/0/1
GE1/0/2
ERPS
GE1/0/2
GE1/0/1
SwitchA P2 GE1/0/2
SwitchB
GE1/0/1
P1
VLAN: VLAN:
100~200 300~400
ERPS ring1
ERPS ring2
Blocked Port1
Blocked Port2
Data Flow1
Data Flow2
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the link type of all ports to be added to ERPS rings as trunk.
2. Create ERPS rings and configure control VLANs and Ethernet Ring Protection (ERP)
instances in the ERPS rings.
3. Add Layer 2 ports to ERPS rings and specify port roles.
4. Configure the Guard timers and WTR timers in the ERPS rings.
5. Configure Layer 2 forwarding on SwitchA through SwitchD.
Procedure
Step 1 Configure the link type of all ports to be added to an ERPS ring as trunk.
# Configure SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] quit
# Configure SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] quit
# Configure SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-type trunk
[SwitchC-GigabitEthernet1/0/2] quit
# Configure SwitchD.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] interface gigabitethernet 1/0/1
[SwitchD-GigabitEthernet1/0/1] port link-type trunk
[SwitchD-GigabitEthernet1/0/1] quit
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] port link-type trunk
[SwitchD-GigabitEthernet1/0/2] quit
Step 2 Create ERPS ring 1 and ERPS ring 2 and configure ERP instances in the two rings. Set the
control VLAN ID of ERPS ring 1 to 10 and the control VLAN ID of ERPS ring 2 to 20.
Enable ERPS ring 1 to transmit data packets from VLANs 100 to 200 and enable ERPS ring 2
to transmit data packets from VLANs 300 to 400.
# Configure SwitchA.
[SwitchA] erps ring 1
[SwitchA-erps-ring1] control-vlan 10
[SwitchA-erps-ring1] protected-instance 1
[SwitchA-erps-ring1] quit
# Configure SwitchB.
[SwitchB] erps ring 1
[SwitchB-erps-ring1] control-vlan 10
[SwitchB-erps-ring1] protected-instance 1
[SwitchB-erps-ring1] quit
[SwitchB] stp region-configuration
[SwitchB-mst-region] instance 1 vlan 10 100 to 200
[SwitchB-mst-region] active region-configuration
[SwitchB-mst-region] quit
[SwitchB] erps ring 2
[SwitchB-erps-ring2] control-vlan 20
[SwitchB-erps-ring2] protected-instance 2
[SwitchB-erps-ring2] quit
[SwitchB] stp region-configuration
[SwitchB-mst-region] instance 2 vlan 20 300 to 400
[SwitchB-mst-region] active region-configuration
[SwitchB-mst-region] quit
# Configure SwitchC.
[SwitchC] erps ring 1
[SwitchC-erps-ring1] control-vlan 10
[SwitchC-erps-ring1] protected-instance 1
[SwitchC-erps-ring1] quit
[SwitchC] stp region-configuration
[SwitchC-mst-region] instance 1 vlan 10 100 to 200
[SwitchC-mst-region] active region-configuration
[SwitchC-mst-region] quit
[SwitchC] erps ring 2
[SwitchC-erps-ring2] control-vlan 20
[SwitchC-erps-ring2] protected-instance 2
[SwitchC-erps-ring2] quit
[SwitchC] stp region-configuration
[SwitchC-mst-region] instance 2 vlan 20 300 to 400
[SwitchC-mst-region] active region-configuration
[SwitchC-mst-region] quit
# Configure SwitchD.
[SwitchD] erps ring 1
[SwitchD-erps-ring1] control-vlan 10
[SwitchD-erps-ring1] protected-instance 1
[SwitchD-erps-ring1] quit
[SwitchD] stp region-configuration
[SwitchD-mst-region] instance 1 vlan 10 100 to 200
[SwitchD-mst-region] active region-configuration
[SwitchD-mst-region] quit
[SwitchD] erps ring 2
[SwitchD-erps-ring2] control-vlan 20
[SwitchD-erps-ring2] protected-instance 2
[SwitchD-erps-ring2] quit
[SwitchD] stp region-configuration
[SwitchD-mst-region] instance 2 vlan 20 300 to 400
[SwitchD-mst-region] active region-configuration
[SwitchD-mst-region] quit
Step 3 Add Layer 2 ports to ERPS rings and specify port roles. Configure GE 1/0/1 on SwitchA and
GE 1/0/2 on SwitchB as their respective RPL owner ports.
# Configure SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] stp disable
[SwitchA-GigabitEthernet1/0/1] erps ring 1
[SwitchA-GigabitEthernet1/0/1] erps ring 2 rpl owner
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] stp disable
[SwitchA-GigabitEthernet1/0/2] erps ring 1
[SwitchA-GigabitEthernet1/0/2] erps ring 2
[SwitchA-GigabitEthernet1/0/2] quit
# Configure SwitchB.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] stp disable
[SwitchB-GigabitEthernet1/0/1] erps ring 1
[SwitchB-GigabitEthernet1/0/1] erps ring 2
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] stp disable
[SwitchB-GigabitEthernet1/0/2] erps ring 1 rpl owner
[SwitchB-GigabitEthernet1/0/2] erps ring 2
[SwitchB-GigabitEthernet1/0/2] quit
# Configure SwitchC.
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] stp disable
[SwitchC-GigabitEthernet1/0/1] erps ring 1
[SwitchC-GigabitEthernet1/0/1] erps ring 2
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] stp disable
[SwitchC-GigabitEthernet1/0/2] erps ring 1
[SwitchC-GigabitEthernet1/0/2] erps ring 2
[SwitchC-GigabitEthernet1/0/2] quit
# Configure SwitchD.
[SwitchD] interface gigabitethernet 1/0/1
[SwitchD-GigabitEthernet1/0/1] stp disable
[SwitchD-GigabitEthernet1/0/1] erps ring 1
[SwitchD-GigabitEthernet1/0/1] erps ring 2
[SwitchD-GigabitEthernet1/0/1] quit
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] stp disable
[SwitchD-GigabitEthernet1/0/2] erps ring 1
[SwitchD-GigabitEthernet1/0/2] erps ring 2
[SwitchD-GigabitEthernet1/0/2] quit
Step 4 Configure the Guard timers and WTR timers in the ERPS rings.
# Configure SwitchA.
[SwitchA] erps ring 1
[SwitchA-erps-ring1] wtr-timer 6
[SwitchA-erps-ring1] guard-timer 100
[SwitchA-erps-ring1] quit
[SwitchA] erps ring 2
[SwitchA-erps-ring2] wtr-timer 6
[SwitchA-erps-ring2] guard-timer 100
[SwitchA-erps-ring2] quit
# Configure SwitchB.
# Configure SwitchC.
[SwitchC] erps ring 1
[SwitchC-erps-ring1] wtr-timer 6
[SwitchC-erps-ring1] guard-timer 100
[SwitchC-erps-ring1] quit
[SwitchC] erps ring 2
[SwitchC-erps-ring2] wtr-timer 6
[SwitchC-erps-ring2] guard-timer 100
[SwitchC-erps-ring2] quit
# Configure SwitchD.
[SwitchD] erps ring 1
[SwitchD-erps-ring1] wtr-timer 6
[SwitchD-erps-ring1] guard-timer 100
[SwitchD-erps-ring1] quit
[SwitchD] erps ring 2
[SwitchD-erps-ring2] wtr-timer 6
[SwitchD-erps-ring2] guard-timer 100
[SwitchD-erps-ring2] quit
# Configure SwitchB.
[SwitchB] vlan batch 100 to 200 300 to 400
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 to 200 300 to 400
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 to 200 300 to 400
[SwitchB-GigabitEthernet1/0/2] quit
# Configure SwitchC.
[SwitchC] vlan batch 100 to 200 300 to 400
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 to 200 300 to 400
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 to 200 300 to 400
[SwitchC-GigabitEthernet1/0/2] quit
# Configure SwitchD.
[SwitchD] vlan batch 100 to 200 300 to 400
[SwitchD] interface gigabitethernet 1/0/1
[SwitchD-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 to 200 300 to 400
[SwitchD-GigabitEthernet1/0/1] quit
[SwitchD] interface gigabitethernet 1/0/2
# Run the display erps verbose command to check detailed information about the ERPS ring
and ports added to the ERPS ring. SwitchB is used as an example.
[SwitchB] display erps verbose
Ring ID : 1
Description : Ring 1
Control Vlan : 10
Protected Instance : 1
Service Vlan : 100 to 200
WTR Timer Setting (min) : 6 Running (s) : 0
Guard Timer Setting (csec) : 100 Running (csec) : 0
Holdoff Timer Setting (deciseconds) : 0 Running (deciseconds) : 0
WTB Timer Running (csec) : 0
Ring State : Idle
RAPS_MEL : 7
Revertive Mode : Revertive
R-APS Channel Mode : -
Version : 1
Sub-ring : No
Forced Switch Port : -
Manual Switch Port : -
TC-Notify : -
Time since last topology change : 0 days 0h:35m:5s
--------------------------------------------------------------------------------
Port Port Role Port Status Signal Status
--------------------------------------------------------------------------------
GE1/0/1 Common Forwarding Non-failed
GE1/0/2 RPL Owner Discarding Non-failed
Ring ID : 2
Description : Ring 2
Control Vlan : 20
Protected Instance : 2
Service Vlan : 300 to 400
WTR Timer Setting (min) : 6 Running (s) : 0
Guard Timer Setting (csec) : 100 Running (csec) : 0
Holdoff Timer Setting (deciseconds) : 0 Running (deciseconds) : 0
WTB Timer Running (csec) : 0
Ring State : Idle
RAPS_MEL : 7
Revertive Mode : Revertive
R-APS Channel Mode : -
Version : 1
Sub-ring : No
Forced Switch Port : -
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20 100 to 200 300 to 400
#
stp region-configuration
instance 1 vlan 10 100 to 200
instance 2 vlan 20 300 to 400
active region-configuration
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
protected-instance 2
wtr-timer 6
guard-timer 100
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2 rpl owner
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2
#
return
control-vlan 20
protected-instance 2
wtr-timer 6
guard-timer 100
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1 rpl owner
erps ring 2
#
return
l SwitchC configuration file
#
sysname SwitchC
#
vlan batch 10 20 100 to 200 300 to 400
#
stp region-configuration
instance 1 vlan 10 100 to 200
instance 2 vlan 20 300 to 400
active region-configuration
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
protected-instance 2
wtr-timer 6
guard-timer 100
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2
#
return
l SwitchD configuration file
#
sysname SwitchD
#
vlan batch 10 20 100 to 200 300 to 400
#
stp region-configuration
instance 1 vlan 10 100 to 200
instance 2 vlan 20 300 to 400
active region-configuration
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
protected-instance 2
wtr-timer 6
guard-timer 100
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2
#
return
Networking Requirements
Generally, redundant links are used on an Ethernet switching network to provide link backup
and enhance network reliability. The use of redundant links, however, may produce loops,
causing broadcast storms and rendering the MAC address table unstable. As a result, the
communication quality deteriorates, and communication services may even be interrupted.
To prevent loops caused by redundant links, enable ERPS on the nodes of the ring network.
ERPS is a Layer 2 loop-breaking protocol defined by the ITU-T, and provides fast
convergence of carrier-class reliability standards.
As shown in Figure 19-16, intersecting ERPS rings are used. SwitchA, SwitchB, SwitchC,
and SwitchD constitute the major ring, and SwitchA, LSW1, LSW2, LSW3, and SwitchD
constitute a sub-ring.
Network
Router1 Router2
GE1/0/2
GE1/0/2 SwitchC
SwitchB
GE1/0/1
GE1/0/1
major ring
ring 1
GE1/0/3
GE1/0/1 GE1/0/3 GE1/0/1
GE1/0/1 GE1/0/2
LSW2 RPL owner
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the link type of all ports to be added to ERPS rings as trunk.
2. Create ERPS rings and configure control VLANs and Ethernet Ring Protection (ERP)
instances in the ERPS rings.
3. Specify the ERPS version and configure a sub-ring.
4. Add Layer 2 ports to ERPS rings and specify port roles.
5. Configure the topology change notification and TC protection.
6. Configure the Guard timers and WTR timers in the ERPS rings.
7. Configure Layer 2 forwarding on SwitchA through SwitchD and LSW1 through LSW3.
Procedure
Step 1 Configure the link type of all ports to be added to ERPS rings as trunk.
# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, LSW1, LSW2, and
LSW3 are similar to the configuration of SwitchA, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] quit
Step 2 Create ERPS ring 1 and ERPS ring 2 and configure ERP instances in the two rings. Set the
control VLAN ID of ERPS ring 1 to 10 and the control VLAN ID of ERPS ring 2 to 20.
Enable ERPS rings 1 and 2 to transmit data packets from VLANs 100 to 200.
# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, LSW1, LSW2, and
LSW3 are similar to the configuration of SwitchA, and are not mentioned here.
[SwitchA] stp region-configuration
[SwitchA-mst-region] instance 1 vlan 10 20 100 to 200
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
[SwitchA] erps ring 1
[SwitchA-erps-ring1] control-vlan 10
[SwitchA-erps-ring1] protected-instance 1
[SwitchA-erps-ring1] quit
[SwitchA] erps ring 2
[SwitchA-erps-ring2] control-vlan 20
[SwitchA-erps-ring2] protected-instance 1
[SwitchA-erps-ring2] quit
# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, LSW1, LSW2, and
LSW3 are similar to the configuration of SwitchA, and are not mentioned here.
[SwitchA] erps ring 1
[SwitchA-erps-ring1] version v2
[SwitchA-erps-ring1] quit
[SwitchA] erps ring 2
[SwitchA-erps-ring2] version v2
[SwitchA-erps-ring2] sub-ring
[SwitchA-erps-ring2] quit
Step 4 Add the ports to ERPS rings and specify port roles. Configure GE1/0/1 on SwitchB and
GE1/0/2 on LSW3 as their respective RPL owner ports.
# Configure SwitchA. The configurations of SwitchC, SwitchD, LSW1, and LSW2 are
similar to the configuration of SwitchA, and are not mentioned here.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] stp disable
[SwitchA-GigabitEthernet1/0/1] erps ring 2
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] stp disable
[SwitchA-GigabitEthernet1/0/2] erps ring 1
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] stp disable
[SwitchA-GigabitEthernet1/0/3] erps ring 1
[SwitchA-GigabitEthernet1/0/3] quit
Step 5 Configure the topology change notification function and TC protection on SwitchA and
SwitchD (interconnecting nodes).
# Configure SwitchA.
[SwitchA] erps ring 1
[SwitchA-erps-ring1] tc-protection interval 200
[SwitchA-erps-ring1] tc-protection threshold 60
[SwitchA-erps-ring1] quit
[SwitchA] erps ring 2
[SwitchA-erps-ring2] tc-notify erps ring 1
[SwitchA-erps-ring2] quit
# Configure SwitchD.
[SwitchD] erps ring 1
[SwitchD-erps-ring1] tc-protection interval 200
[SwitchD-erps-ring1] tc-protection threshold 60
[SwitchD-erps-ring1] quit
[SwitchD] erps ring 2
[SwitchD-erps-ring2] tc-notify erps ring 1
[SwitchD-erps-ring2] quit
Step 6 Configure the Guard timers and WTR timers in the ERPS rings.
# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, LSW1, LSW2, and
LSW3 are similar to the configuration of SwitchA, and are not mentioned here.
[SwitchA] erps ring 1
[SwitchA-erps-ring1] wtr-timer 6
[SwitchA-erps-ring1] guard-timer 100
[SwitchA-erps-ring1] quit
[SwitchA] erps ring 2
[SwitchA-erps-ring2] wtr-timer 6
[SwitchA-erps-ring2] guard-timer 100
[SwitchA-erps-ring2] quit
# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, LSW1, LSW2, and
LSW3 are similar to the configuration of SwitchA, and are not mentioned here.
[SwitchA] vlan batch 100 to 200
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 to 200
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 to 200
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 100 to 200
[SwitchA-GigabitEthernet1/0/3] quit
# After the network becomes stable, run the display erps command to check brief
information about the ERPS ring and ports added to the ERPS ring. SwitchB is used as an
example.
# Run the display erps verbose command to check detailed information about the ERPS ring
and ports added to the ERPS ring.
[SwitchB] display erps verbose
Ring ID : 1
Description : Ring 1
Control Vlan : 10
Protected Instance : 1
Service Vlan : 100 to 200
WTR Timer Setting (min) : 6 Running (s) : 0
Guard Timer Setting (csec) : 100 Running (csec) : 0
Holdoff Timer Setting (deciseconds) : 0 Running (deciseconds) : 0
WTB Timer Running (csec) : 0
Ring State : Idle
RAPS_MEL : 7
Revertive Mode : Revertive
R-APS Channel Mode : -
Version : 2
Sub-ring : No
Forced Switch Port : -
Manual Switch Port : -
TC-Notify : -
Time since last topology change : 0 days 4h:12m:20s
--------------------------------------------------------------------------------
Port Port Role Port Status Signal Status
--------------------------------------------------------------------------------
GE1/0/1 RPL Owner Discarding Non-failed
GE1/0/2 Common Forwarding Non-failed
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20 100 to 200
#
stp region-configuration
instance 1 vlan 10 20 100 to 200
active region-configuration
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
version v2
tc-protection interval 200
tc-protection threshold 60
erps ring 2
control-vlan 20
protected-instance 1
wtr-timer 6
guard-timer 100
version v2
sub-ring
tc-notify erps ring 1
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 20 100 to 200
stp disable
erps ring 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 100 to 200
stp disable
erps ring 1
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 10 100 to 200
stp disable
erps ring 1
#
return
l SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 100 to 200
#
stp region-configuration
instance 1 vlan 10 100 to 200
active region-configuration
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
version v2
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100 to 200
stp disable
erps ring 1 rpl owner
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 100 to 200
stp disable
erps ring 1
#
return
l SwitchC configuration file
#
sysname SwitchC
#
vlan batch 10 100 to 200
#
stp region-configuration
instance 1 vlan 10 100 to 200
active region-configuration
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
version v2
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100 to 200
stp disable
erps ring 1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 100 to 200
stp disable
erps ring 1
#
return
l SwitchD configuration file
#
sysname SwitchD
#
vlan batch 10 20 100 to 200
#
stp region-configuration
instance 1 vlan 10 20 100 to 200
active region-configuration
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
version v2
tc-protection interval 200
tc-protection threshold 60
erps ring 2
control-vlan 20
protected-instance 1
wtr-timer 6
guard-timer 100
version v2
sub-ring
tc-notify erps ring 1
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 20 100 to 200
stp disable
erps ring 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 100 to 200
stp disable
erps ring 1
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 10 100 to 200
stp disable
erps ring 1
#
return
l LSW1 configuration file
#
sysname LSW1
#
vlan batch 20 100 to 200
#
stp region-configuration
instance 1 vlan 20 100 to 200
active region-configuration
#
erps ring 2
control-vlan 20
protected-instance 1
wtr-timer 6
guard-timer 100
version v2
sub-ring
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 20 100 to 200
stp disable
erps ring 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20 100 to 200
stp disable
erps ring 2
#
return
l LSW2 configuration file
#
sysname LSW2
#
vlan batch 20 100 to 200
#
stp region-configuration
instance 1 vlan 20 100 to 200
active region-configuration
#
erps ring 2
control-vlan 20
protected-instance 1
wtr-timer 6
guard-timer 100
version v2
sub-ring
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 20 100 to 200
stp disable
erps ring 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20 100 to 200
stp disable
erps ring 2
#
return
l LSW3 configuration file
#
sysname LSW3
#
vlan batch 20 100 to 200
#
stp region-configuration
instance 1 vlan 20 100 to 200
active region-configuration
#
erps ring 2
control-vlan 20
protected-instance 1
wtr-timer 6
guard-timer 100
version v2
sub-ring
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 20 100 to 200
stp disable
erps ring 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20 100 to 200
stp disable
erps ring 2 rpl owner
#
return
Fault Description
After ERPS is configured, user traffic cannot be properly forwarded due to abnormal ERPS
ring status.
Procedure
Step 1 Check the port roles in the ERPS ring and status of each device in the ring.
In an ERPS ring, there should be only one RPL owner port. Other ports are common ports or
RPL neighbor ports.
Run the display erps [ ring ring-id ] verbose command in any view to check whether the
value of Ring State is Idle. (Perform this operation on each device in the ERPS ring.)
If the ERPS ring is incomplete or its status is abnormal, perform the following operations:
1. Verify that all nodes in the ERPS ring are added to the ERPS ring.
2. Check whether the ERPS ring configuration including the ERPS version number and
major ring/sub-ring on devices in the ERPS ring are the same.
3. Verify that port roles, control VLANs, and protected instances are correctly configured
on all nodes in the ERPS ring.
4. Verify that ports can allow packets of the specified VLANs to pass.
----End
19.11 References
The following table lists the references of this document.
This chapter describes how to configure Loop detection (LDT) and loopback detection
(LBDT), which allow the device to detect loopbacks on an interface, loops on the downstream
network or device and loops between two device interfaces. When detecting a loop, the device
notifies users in a timely manner and takes a preconfigured action on the problematic
interface to minimize the impact of the loop on the device and network.
NOTE
LDT and LBDT can only detect loops on a single node, but cannot eliminate loops on the entire network
in the same manner as ring network technologies of ERPS, RRPP, SEP, Smart Link, and STP/RSTP/
MSTP/VBST.
The S7700&S9700 support LDT and LBDT. Table 20-1 describes the differences between
LDT and LBDT.
Detection packet Sends only tagged detection Sends tagged and untagged
packets, so loops are detection packets, so loops
detected based on VLANs. are detected based on
interfaces and VLANs.
Action taken after a loop is Provide actions of Trap, Block, Shutdown, No Learning,
detected and Quitvlan. (See Action Taken After a Loop Is
Detected.)
20.2 Principles
LDT and LBDT periodically send detection packets on an interface (see Detection Packet) to
check whether the packets return to the local device (through the same interface or another
interface), and determines whether a loop occurs on the interface, on the downstream network
or device, or between two device interfaces.
l If detection packets are received by the same interface, a loopback occurs on the
interface or a loop occurs on the downstream network or device connected to the
interface.
l If detection packets are received by another interface on the same device, a loop occurs
on the device or network connected to the interface.
After a loop is detected, the device sends a trap to the NMS and records a log, and takes a
preconfigured action on the interface (see Action Taken After a Loop Is Detected) to
minimize the impact of the loop on the device and entire network.
The problematic interface continues to send detection packets. When the device does not
receive detection packets from the interface within a given period of time, the device
considers that the loop is eliminated and restores the interface. Details about this process are
described in Automatic Recovery of an Interface.
Detection Packet
LDT and LBDT periodically send detection packets on an interface to check whether the
packets return to the local device, and determine whether loops occur on the interface, on the
downstream network or device, or between two device interfaces. The following conditions
must be met:
l When a loop occurs on an interface or network connected to the interface, detection
packets sent from the interface can be sent back to the local device.
l The system can identify detection packets sent from the local device and the interface
that sends the detection packets.
A detection packet sent from a device carries the device MAC address and outbound interface
number so that the device can identify the packet sent by itself and the interface from which it
sends the packet. In addition, the packet carries the broadcast or multicast destination MAC
address to ensure that the packet can be sent back to the local device when a loop occurs on
the interface or network connected to the interface. Figure 20-1 shows the format of LDT and
LBDT packets.
Item Description
SMAC Source MAC address. The value is the system MAC address of the
device, which identifies packets sent from the local device.
802.1Q Tag Tag Protocol Identifier (TPID). The value of the TPID is 0x8100,
representing the 802.1Q tagged frame.
LDT-Type Detection packet type, including the protocol number and subprotocol
number.
The protocol number is 0x9998. The subprotocol number is as follows:
l 0x0001: indicates LBDT packets.
l 0x0002: indicates LDT packets.
PortInfo Information about the interface that sends detection packets, which is
used by the device to determine whether packets are sent from the
interface.
LDT sends only tagged detection packets. LBDT sends tagged and untagged detection
packets. Therefore, LDT can detect loops based on VLANs only, whereas LBDT can detect
loops based on interfaces and VLANs.
Trap The device only sends a trap to the Select this action when only traps need
NMS and records a log. to be reported without affecting traffic
forwarding on the interface.
This action cannot suppress broadcast
storms.
Block The device sends a trap to the NMS, Select this action when the interface
blocks the interface, and allows only needs to be disabled from forwarding
BPDUs to pass through. data packets and needs to forward some
BPDUs such as Link Layer Discovery
Protocol Data Units (LLDPDUs).
This action can suppress broadcast
storms.
Shutdo The device sends a trap to the NMS Select this action to prevent broadcast
wn and shuts down the interface. storms when the interface does not
participate in any calculation or
forwarding.
This action can suppress broadcast
storms.
No The device sends a trap to the NMS Select this action when the interface
learnin and disables the interface from still needs to process data packets and
g learning new MAC addresses. to send them to the correct link.
This action cannot suppress broadcast
storms.
Quitvla The device sends a trap to the NMS Select this action when loops in a
n and removes the interface from the VLAN need to be eliminated without
VLAN where the loop occurs. affecting traffic forwarding in other
VLANs.
This action can suppress broadcast
storms.
Regardless of which action is taken, loops on an interface or a network affect normal services.
LDT and LBDT can only detect loops on a single node, but cannot eliminate loops on the
entire network. After a loop is detected, you are advised to eliminate the loop immediately.
NOTE
Tx Rx
You can configure LDT or LBDT on the interface of the Switch to detect loopbacks. When
detecting a loopback on the interface, the Switch reports a trap and records a log, and takes a
preconfigured action (such as Shutdown, Block, No learning, or Quitvlan) on the interface
to reduce the impact of the loopback on the Switch. When the Switch detects that the
loopback is eliminated on the interface, the interface can be restored. However, the interface
shut down by LBDT cannot be restored.
Interface1
Interface1
You can configure LDT or LBDT on Interface1 of the Switch to detect whether a loop occurs
on the downstream network or device. When detecting a loop on the downstream network or
device, the Switch reports a trap and records a log, and takes a preconfigured action (such as
Shutdown, Block, No learning, or Quitvlan) on the interface to reduce the impact of the
loop on the Switch. When the Switch detects that the loop is eliminated on the downstream
network or device, the interface can be restored. However, the interface shut down by LBDT
cannot be restored.
Switch
Interface1 Interface2
You can configure LDT or LBDT on Interface1 and Interface2 of the Switch to detect whether
a loop occurs on the local network or between two device interfaces. When detecting a loop,
the Switch reports a trap and records a log, and takes preconfigured actions (such as
Shutdown, Block, No learning, or Quitvlan) on Interface1 and Interface2 to reduce the
impact of the loop on the Switch. When the Switch detects that the loop is eliminated on the
local network or between two interfaces, Interface1 or Interface2 can be restored. However,
the interface shut down by LBDT cannot be restored.
License Support
LDT and LBDT are basic features of a switch and are not under license control.
Version Support
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
Context
After global LDT is enabled in the system view, the system does not detect loops in any
VLAN by default. To make LDT take effect, you must first enable global LDT and then
enable LDT in a specified VLAN.
NOTICE
l LDT needs to send a large number of detection packets to detect loops, occupying system
resources. Therefore, run the undo loop-detection enable or undo loop-detection enable
vlan command to disable LDT if loops do not need to be detected.
l LDT cannot be used with ring network technologies of ERPS, RRPP, SEP, Smart Link,
and STP/RSTP/MSTP/VBST. Do not configure ring network technologies on an interface
of a LDT-enabled VLAN. In contrary, if LDT is enabled globally and ring network
technologies need to be configured on an interface, run the loop-detection disable
command to disable LDT on the interface.
l When loops occur in multiple VLANs on many interfaces, LDT performance is lowered
due to limitations of security policies and CPU processing capability. The more VLANs
and interfaces are involved, the lower the performance is, especially performance of the
standby chassis in the cluster. Manually eliminating loops is recommended.
Procedure
Step 1 Run:
system-view
LDT does not take effect in dynamic VLANs, and support LDT in a maximum of 4094
VLANs.
----End
Context
An LDT-enabled interface sends LDT packets at intervals. A shorter interval indicates that the
system sends more LDT packets in a given period and detects loops more accurately.
However, more system resources are consumed and system performance is affected. You can
adjust the interval for sending LDT packets according to actual networking to balance system
performance and LDT accuracy.
Procedure
Step 1 Run:
system-view
Step 2 Run:
loop-detection interval-time interval-time
----End
Context
By default, when a loop on an interface or the network connected to the interface, the device
does not take any action. To notify users of network connections and configurations when a
loop occurs on an interface, and minimize the impact of loops on the device and entire
network, configure an action taken on the problematic interface.
The device provides the following actions after LDT detects a loop:
l Trap: The device reports a trap to the NMS and records a log, but does not take any
action on the interface.
l Block: The device isolates an interface where a loop occurs from other interfaces, and
can forward only BPDUs.
l No learning: The interface is disabled from learning MAC addresses.
l Shutdown: The device shuts down the interface.
l Quitvlan: The interface is removed from the VLAN where a loop occurs.
For details about the actions, see Action Taken After a Loop Is Detected. You can configure
one of the actions according to actual networking.
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent trap enable
Or, run:
snmp-agent trap enable feature-name ldttrap
The trap function is enabled for LDT. This function allows the device to send traps of LDT.
Step 3 Run:
interface interface-type interface-number
Step 4 Run:
loop-detection mode { port-trap | port-blocking | port-nolearning | port-shutdown
| port-quitvlan }
NOTICE
l When a loop occurs on the network-side interface where the block or shutdown action is
configured, all services on the device are interrupted. Do not deploy LDT on the network-
side interface.
l The Quitvlan action cannot be used with such functions as GVRP, HVRP and the
function of removing an interface from the VLAN where MAC address flapping occurs.
These functions dynamically delete an interface from a VLAN.
----End
Context
When LDT detects a loop on an interface, a preconfigured action is taken on the interface.
You can set the recovery time of the interface after the loop is eliminated. When the system
does not receive LDT packets from the interface in the recovery time, it considers that the
loop is eliminated on the interface and restores the interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
loop-detection recovery-time recovery-time
NOTE
l To prevent interface status flapping, set the interface recovery time to be larger than the interval for
sending LDT packets.
l Configure the interface recovery time according to the network situation and LDT scope. The LDT
scope is determined by the total number of VLANs and interfaces where LDT is enabled. A larger
number indicates a wider scope. When there are many loops on the network and LDT is enabled in a
wide scope, it is recommended that you retain the default recovery time or set a longer recovery time
(for example, 100s). If the recovery time is short in this situation, the CPU usage becomes high.
----End
Procedure
Step 1 Run the display loop-detection [ interface interface-type interface-number ] command to
check the LDT configuration and interface status.
If interface-type and interface-number are not specified, the status of the global LDT function
is displayed. If the function is enabled, the system displays the interval for sending LDT
packets, ID of the VLANs with this function enabled, detected loops, and actions taken on the
interfaces where loops are detected.
If interface-type and interface-number are specified, the system displays the interface status,
interface recovery time, and LDT-enabled VLAN.
----End
NOTICE
LBDT needs to send a large number of LBDT packets to detect loops, occupying system
resources. Therefore, disable LBDT if loops do not need to be detected.
An LBDT-enabled interface periodically sends untagged LBDT packets with the destination
MAC address as the BPDU MAC address to detect loops. Generally, the switch does not
allow BPDUs to pass through, so LBDT can only detect loopbacks on an Interface, but
cannot detect a loop on the downstream network or device or between two device
interfaces.
To enable LBDT to detect a loop on the downstream network or device, configure LBDT
in a specified VLAN. When the connected interface is an access interface or the PVIDs of the
inbound and outbound interfaces are the same, you can also run the loopback-detect untagged
mac-address command to detect loops.
To enable LBDT to detect a loop between two device interfaces, configure LBDT in a
specified VLAN.
On the S7700&S9700, you can enable LBDT on all interfaces in the system view or on an
interface.
Procedure
Step 1 Run:
system-view
– An interface sends tagged LBDT packets only when the specified VLAN has been created.
– LBDT does not take effect in dynamic VLANs.
– Loops may be not detected in a VLAN specified by the PVID of an interface or VLAN where
an interface is added in untagged mode. This is because VLAN tags of LBDT packets are
removed and the packet priority changes.
l Configuring the destination MAC address of untagged LBDT packets
----End
Context
An LBDT-enabled interface sends LBDT packets at intervals. A shorter interval indicates that
the system sends more LBDT packets in a given period and detects loops more accurately.
However, more system resources are consumed and system performance is affected. You can
adjust the interval for sending LBDT packets according to actual networking to balance
system performance and LBDT accuracy.
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
Or, run:
snmp-agent trap enable feature-name lbdt
The trap function is enabled for LBDT. This function allows the device to send traps of
LBDT.
By default, the trap function is enabled for LBDT.
Step 3 Run:
interface interface-type interface-number
NOTE
l When the Quitvlan action is used, the configuration file remains unchanged.
l The Quitvlan action cannot be used with such functions as GVRP, HVRP and the function of
removing an interface from the VLAN where MAC address flapping occurs. These functions
dynamically delete an interface from a VLAN.
----End
Context
An LBDT-enabled interface periodically sends LBDT packets to detect loops. After a loop is
detected, an action configured by the loopback-detect action command is taken on the
interface. In addition, the system counts the time. After the configured recovery time expires,
the system attempts to restore the problematic interface. If the device does not receive
detection packets from the problematic interface within the next recovery time, it considers
that the loop is eliminated on the interface and restores the interface.
Procedure
Step 1 Run:
system-view
NOTE
l It is recommended that the interface recovery time be three times the packet sending interval. If the
packet sending interval has been set to a small value, the interface recovery time should be at least
10 seconds longer than the packet sending interval.
l Automatic recovery is valid for Trap, Quitvlan, Block, and No learning. After a loop is eliminated,
the shutdown interface cannot be restored automatically. You must run the shutdown and undo
shutdown commands or run the restart command to restore the interface.
----End
Procedure
l Run the display loopback-detect command to check the LBDT configuration and status
of LBDT-enabled interfaces.
----End
Networking Requirements
As shown in Figure 20-5, a new branch network of an enterprise connects to the aggregation
switch Switch, and VLANs 10 to 20 are deployed on the branch network. Loops may occur
due to incorrect connections or configurations. As a result, communication on the Switch and
uplink network may be Haffected.
It is required that the Switch should immediately detect loops on the new branch network to
prevent the impact of loops on the Switch and uplink network.
Figure 20-5 Networking for configuring LDT to detect loops on the downstream network
Switch
GE1/0/1
New branch
VLAN 10-20
Configuration Roadmap
Loops need to be detected in VLANs 10 to 20 (more than eight VLANs) on the new branch
network, so you need to configure LDT on the Switch to detect loops on the new branch
network. The configuration roadmap is as follows:
1. Enable LDT on the GE1/0/1 of the Switch to detect loops in a specified VLAN so that
loops on the downstream network can be detected.
2. Configure an action after loops are detected so that the Switch can immediately shut
down the interface where a loop is detected. This prevents the impact of the loop on the
Switch and uplink network.
NOTE
l Configure interfaces on other switching interfaces as trunk or hybrid interfaces and configure these
interfaces to allow packets from VLANs to pass through to ensure Layer 2 connectivity on the new
branch network and between the new branch network and the Switch.
l The configurations in this example can also be performed to detect loopbacks on interfaces
connecting switching devices.
Procedure
Step 1 Enable global LDT.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] loop-detection enable
Step 3 Set the interval for sending LDT packets on the interface.
[Switch] loop-detection interval-time 10
# After the configuration is complete, run the display loop-detection command to check
global LDT information.
[Switch] display loop-detection
Loop Detection is enabled.
Detection interval time is 10 seconds.
Following vlans enable loop-detection:
vlan 10 to 20
Following ports are blocked for loop:
NULL
Following ports are shutdown for loop:
GigabitEthernet1/0/1 Include Vlans:
10
Following ports are nolearning for loop:
NULL
Following ports are trapped for loop:
NULL
Following ports are quitvlan for loop:
NULL
The command output shows that LDT is enabled in VLAN 10 to VLAN 20 and the
Shutdown action is taken on GE1/0/1 in VLAN 10, indicating that a loop is detected in
VLAN 10.
NOTE
When the system detects loops in one or more VLANs, the Shutdown action is taken on the interface.
The loops are therefore eliminated; however, loops in all VLANs cannot be detected.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 to 20
#
loop-detection enable
loop-detection interval-time 10
loop-detection enable vlan 10 to 20
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 to 20
stp disable
#
snmp-agent
snmp-agent local-engineid 800007DB03020000000211
snmp-agent sys-info version v3
snmp-agent trap enable feature-name LDTTRAP
#
return
Networking Requirements
As shown in Figure 20-6, an enterprise uses Layer 2 networking. The Switch is the
aggregation switch, and each switch allows packets from VLANs 10 to 20 to pass through.
Because employees often move, the network topology changes frequently. Connections or
configurations may be incorrect due to misoperations. As a result, loops may occur in VLANs
10 to 20.
Loops cause broadcast storms and affect device and network communication. It is required
that loops be detected and eliminated in VLANs in a timely manner to prevent broadcast
storms.
Figure 20-6 Networking for configuring LDT to detect loops on the local network
Switch
GE1/0/0 GE2/0/0
VLAN 10~20
Configuration Roadmap
Loops need to be detected in VLANs 10 to 20. Because there are more than eight VLANs,
you can configure LDT to detect loops and configure an action after loops are detected to
prevent broadcast storms. All VLANs share a link. To prevent loop removal in a VLAN from
affecting data forwarding in other VLANs, configure the QuitVLAN action. The
configuration roadmap is as follows:
1. Enable LDT on GE1/0/0 and GE2/0/0 on the Switch to detect loops in VLANs 10 to 20.
2. Configure an action taken after a loop is detected on GE1/0/0 and GE2/0/0, and set the
recovery time so that the Switch can immediately take the preconfigured action on the
interface to prevent broadcast storms after a loop is detected. In addition, the Switch can
restore the interface after the loop is eliminated.
NOTE
l Configure interfaces on other switching interfaces as trunk or hybrid interfaces and configure these
interfaces to allow packets from VLANs to pass through to ensure Layer 2 connectivity.
l The configurations in this example can also be performed to detect loopbacks on interfaces
connecting switching devices.
Procedure
Step 1 Enable global LDT.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] loop-detection enable
Step 3 Set the interval for sending LDT packets on the interface.
[Switch] loop-detection interval-time 10
# After the configuration is complete, run the display loop-detection command to check
global LDT information.
[Switch] display loop-detection
Loop Detection is
enabled.
Detection interval time is 10
seconds.
Following vlans enable loop-detection:
vlan 10 to 20
Following ports are blocked for
loop:
NULL
Quitvlan Quitvlan 30 10
Quitvlan Quitvlan 30 11
Quitvlan Quitvlan 30 12
Normal Quitvlan 30
13
Normal Quitvlan 30
14
Normal Quitvlan 30
15
Quitvlan Quitvlan 30 16
Normal Quitvlan 30
17
Normal Quitvlan 30
18
Quitvlan Quitvlan 30 19
Normal Quitvlan 30
20
[Switch] display loop-detection interface gigabitethernet 2/0/0
The port is
enabled.
The port's status
list:
Status WorkMode Recovery-time
EnabledVLAN
-----------------------------------------------------------------------
Normal Quitvlan 30 10
Normal Quitvlan 30
11
Normal Quitvlan 30
12
Quitvlan Quitvlan 30 13
Quitvlan Quitvlan 30 14
Quitvlan Quitvlan 30 15
Normal Quitvlan 30
16
Quitvlan Quitvlan 30 17
Quitvlan Quitvlan 30 18
Normal Quitvlan 30
19
Quitvlan Quitvlan 30 20
LDT is enabled in VLAN 10 to VLAN 20, the Quitvlan action is taken on GE1/0/0 and
GE2/0/0, GE1/0/0 is deleted from VLANs 10, 11, 12, 16, and 19, and GE2/0/0 is deleted
from VLAN 13s, 14, 15, 17, 18, and 20.
NOTE
The VLANs where an interface is deleted are uncertain, but the interface is deleted from all
VLANs on the network where the loop occurs.
2. After the loop is eliminated (for example, GE2/0/0 is shut down, and faults in the
connection between devices are rectified), check whether GE1/0/0 and GE2/0/0 are
restored.
[Switch] display loop-detection interface gigabitethernet 1/0/0
The port is
enabled.
The port's status
list:
Status WorkMode Recovery-time
EnabledVLAN
-----------------------------------------------------------------------
Normal Quitvlan 30
10
Normal Quitvlan 30
11
Normal Quitvlan 30
12
Normal Quitvlan 30
13
Normal Quitvlan 30
14
Normal Quitvlan 30
15
Normal Quitvlan 30
16
Normal Quitvlan 30
17
Normal Quitvlan 30
18
Normal Quitvlan 30
19
Normal Quitvlan 30
20
[Switch] display loop-detection interface gigabitethernet 2/0/0
The port is
enabled.
The port's status
list:
Status WorkMode Recovery-time
EnabledVLAN
-----------------------------------------------------------------------
Normal Quitvlan 30
10
Normal Quitvlan 30
11
Normal Quitvlan 30
12
Normal Quitvlan 30
13
Normal Quitvlan 30
14
Normal Quitvlan 30
15
Normal Quitvlan 30
16
Normal Quitvlan 30
17
Normal Quitvlan 30
18
Normal Quitvlan 30
19
Normal Quitvlan 30 20
The command output shows that GE1/0/0 and GE2/0/0 are restored.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 to 20
#
loop-detection enable
loop-detection interval-time 10
loop-detection enable vlan 10 to 20
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 10 to 20
stp disable
loop-detection mode port-quitvlan
loop-detection recovery-time 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 10 to 20
stp disable
loop-detection mode port-quitvlan
loop-detection recovery-time 30
#
snmp-agent
snmp-agent local-engineid 800007DB03020000000211
snmp-agent sys-info version v3
snmp-agent trap enable feature-name LDTTRAP
#
return
Networking Requirements
As shown in Figure 20-7, aggregation switch SwitchA on an enterprise network connects to a
new access switch SwitchB. To prevent a loopback from occurring between the Tx and Rx
ends of GE1/0/0 due to incorrect fiber connection or high voltage damage, SwitchA is
required to detect loopbacks on GE1/0/0. Furthermore, it is required that the interface be
blocked to reduce the impact of the loopback on the network when a loopback is detected, and
the interface be restored after the loopback is removed.
GE1/0/0
Tx Rx
GE1/0/0
SwitchB
Configuration Roadmap
To detect loopbacks on downlink interface GE1/0/0 of SwitchA, configure LBDT on GE1/0/0
of SwitchA. The configuration roadmap is as follows:
1. Enable LBDT on GE1/0/0 of SwitchA to detect loopbacks.
2. Configure an action taken after a loopback is detected and set the recovery time. After a
loopback is detected, the system blocks the interface to reduce the impact of the
loopback on the network. After a loop is eliminated, the system restores the interface.
Procedure
Step 1 Enable LBDT on an interface.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] loopback-detect enable
[SwitchA-GigabitEthernet1/0/0] quit
Step 2 Configure an action taken after a loopback is detected and set the recovery time.
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] loopback-detect action block
[SwitchA-GigabitEthernet1/0/0] loopback-detect recovery-time 30
[SwitchA-GigabitEthernet1/0/0] quit
------------------------------------------------------------------------------
----
Interface RecoverTime Action Status
------------------------------------------------------------------------------
----
GigabitEthernet1/0/0 30 block NORMAL
------------------------------------------------------------------------------
----
The preceding command output shows that the LBDT configuration is successful.
2. After about 5s, run the display loopback-detect command to check whether GE1/0/0 is
blocked.
[SwitchA] display loopback-detect
Loopback-detect sending-packet interval:
5
------------------------------------------------------------------------------
----
Interface RecoverTime Action Status
------------------------------------------------------------------------------
----
GigabitEthernet1/0/0 30 block BLOCK(Loopback detected)
------------------------------------------------------------------------------
----
The preceding command output shows that GE1/0/0 is blocked, indicating that a
loopback occurs on GE1/0/0.
3. Manually remove the loopback. Run the display loopback-detect command to check
whether GE1/0/0 is restored.
[SwitchA] display loopback-detect
Loopback-detect sending-packet interval:
5
------------------------------------------------------------------------------
----
Interface RecoverTime Action Status
------------------------------------------------------------------------------
----
GigabitEthernet1/0/0 30 block NORMAL
------------------------------------------------------------------------------
----
----End
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
interface GigabitEthernet1/0/0
loopback-detect recovery-time 30
loopback-detect enable
loopback-detect action block
#
return
Networking Requirements
As shown in Figure 20-8, a new department of an enterprise connects to aggregation switch
Switch, and this department belongs to VLAN 100. Loops may occur due to incorrect
connections or configurations. As a result, communication on the Switch and uplink network
may be affected.
It is required that the Switch should detect loops on the new network to prevent the impact of
loops on the Switch and connected network.
Figure 20-8 Networking for configuring LBDT to detect loops on the downstream network
Switch
GE1/0/1
New department
VLAN 100
Configuration Roadmap
The new department network has only VLAN 100, so configure LBDT on the Switch to
detect loops. The configuration roadmap is as follows:
1. Enable LBDT on the GE1/0/1 of the Switch to detect loops in a specified VLAN so that
loops on the downstream network can be detected.
2. Set LBDT parameters so that the Switch can immediately shut down GE1/0/1 after a
loop is detected. This prevents the impact of the loop on the Switch and connected
network.
NOTE
Configure interfaces on other switching interfaces as trunk or hybrid interfaces and configure these
interfaces to allow packets from VLANs to pass through to ensure Layer 2 connectivity on the new
network and between the new network and the Switch.
Procedure
Step 1 Enable LBDT on the interface.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] loopback-detect enable
[Switch-GigabitEthernet1/0/1] quit
------------------------------------------------------------------------------
----
Interface RecoverTime Action Status
------------------------------------------------------------------------------
----
GigabitEthernet1/0/1 - shutdown NORMAL
------------------------------------------------------------------------------
----
The preceding command output shows that the LBDT configuration is successful.
2. Construct loops on the downstream network and run the display loopback-detect
command to check whether GE1/0/1 is shut down.
[Switch] display loopback-detect
Loopback-detect sending-packet interval:
10
------------------------------------------------------------------------------
----
Interface RecoverTime Action Status
------------------------------------------------------------------------------
----
GigabitEthernet1/0/1 - shutdown SHUTDOWN(Loopback
detected)
------------------------------------------------------------------------------
----
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100
#
loopback-detect packet-interval 10
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
loopback-detect packet vlan 100
loopback-detect enable
#
return
Networking Requirements
As shown in Figure 20-9, a small-scale enterprise uses Layer 2 networking and belongs to
VLAN 100. Because employees often move, the network topology changes frequently. Loops
may occur due to incorrect connections or configurations during the change. As a result,
broadcast storms may occur and affect communication of the Switch and entire network.
The requirements are as follows: The Switch detects loops. When a loop exists, the interface
is blocked to reduce the impact of the loop on the Switch and network. When the loop is
eliminated, the interface can be restored.
Figure 20-9 Networking for configuring LBDT to detect loops on the local network
Switch
GE1/0/1 GE1/0/2
VLAN 100
Configuration Roadmap
To detect loops on the network where the Switch is deployed, configure LBDT on GE1/0/1
and GE1/0/2 of the Switch. In this example, untagged LBDT packets sent by the Switch will
be discarded by other switches on the network. As a result, the packets cannot be sent back to
the Switch, and LBDT fails. Therefore, LBDT is configured in a specified VLAN. The
configuration roadmap is as follows:
1. Enable LBDT on an interface and configure the Switch to detect loops in VLAN 100 to
implement LBDT on the network where the Switch is deployed.
2. Configure an action taken after a loop is detected and set the recovery time. After a loop
is detected, the Switch blocks the interface to reduce the impact of the loop on the
network. After a loop is eliminated, the Switch restores the interface.
NOTE
Configure interfaces on other switching interfaces as trunk or hybrid interfaces and configure these
interfaces to allow packets from VLANs to pass through to ensure Layer 2 connectivity.
Procedure
Step 1 Enable LBDT on an interface.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] loopback-detect enable
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] loopback-detect enable
[Switch-GigabitEthernet1/0/2] quit
Step 3 Configure an action taken after a loop is detected and set the recovery time.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] loopback-detect action block
[Switch-GigabitEthernet1/0/1] loopback-detect recovery-time 30
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] loopback-detect action block
[Switch-GigabitEthernet1/0/2] loopback-detect recovery-time 30
[Switch-GigabitEthernet1/0/2] quit
------------------------------------------------------------------------------
----
Interface RecoverTime Action Status
------------------------------------------------------------------------------
----
GigabitEthernet1/0/1 30 block NORMAL
GigabitEthernet1/0/2 30 block NORMAL
------------------------------------------------------------------------------
----
The preceding command output shows that the LBDT configuration is successful.
2. After about 5s, run the display loopback-detect command to check whether GE1/0/1 or
GE1/0/2 is blocked.
[Switch] display loopback-detect
Loopback-detect sending-packet interval:
5
------------------------------------------------------------------------------
----
Interface RecoverTime Action Status
------------------------------------------------------------------------------
----
GigabitEthernet1/0/1 30 block NORMAL
GigabitEthernet1/0/2 30 block BLOCK(Loopback detected)
------------------------------------------------------------------------------
----
------------------------------------------------------------------------------
----
Interface RecoverTime Action Status
------------------------------------------------------------------------------
----
GigabitEthernet1/0/1 30 block NORMAL
GigabitEthernet1/0/2 30 block NORMAL
------------------------------------------------------------------------------
----
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
loopback-detect recovery-time 30
loopback-detect packet vlan 100
loopback-detect enable
loopback-detect action block
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 100
loopback-detect recovery-time 30
loopback-detect packet vlan 100
loopback-detect enable
loopback-detect action block
#
return
21 HVRP Configuration
This chapter describes how to configure the Hierarchy VLAN Register Protocol (HVRP).
Definition
Through dynamic VLAN registration and aging mechanism, the Hierarchy VLAN Register
Protocol (HVRP) ages the VLANs that interfaces join and are not used to forward packets on
an interface and saves only necessary VLANs. This saves MAC address entries.
Purpose
The ring or tree topology is widely used for network deployment. Regardless of topology,
aggregation devices must support a large number of MAC address entries to meet
requirements of downstream users. As users on the network increase quickly, MAC address
entries supported by a switch may be insufficient. As a result, the switch cannot learn the
MAC addresses of some users. In this case, packets of these users are broadcast in the VLAN,
wasting bandwidth and deteriorating network performance.
HVRP can be used when the number of MAC addresses supported by the switch is smaller
than the total number of users connected to the switch. In special networking, HVRP can
dynamically register and age VLANs to save MAC addresses and increase the number of
users that the switch supports.
21.2 Principles
HVRP Concepts
l HVRP interface
An interface that is configured with HVRP attributes. It can send, receive, and process
HVRP packets.
l HVRP root interface
An HVRP interface that functions as the root interface in a Spanning Tree Protocol
(STP) region.
l HVRP designated interface
An HVRP interface that functions as the designated interface in an STP region.
l Local VLAN/User VLAN
A VLAN that does not contain any HVRP interface.
l VLAN registration
A process of adding HVRP interfaces to VLANs that meet certain conditions in tagged
mode.
l VLAN aging
A process of deleting a VLAN from an HVRP interface.
l Permanent VLAN
A VLAN that is never aged by an HVRP interface.
l Local VLAN information sending
The HVRP root interface sends HVRP packets containing local VLAN information after
STP and HVRP are enabled.
l VLAN registration timer
A timer that specifies the interval at which HVRP VLAN registration packets are sent.
l Aging timer of registered VLANs
A timer that specifies the aging time of registered VLANs. If the HVRP designated
interface does not receive any registration packets of a VLAN within the aging time, the
VLAN is aged on the HVRP designated interface.
Protocol Protocol
DMAC SMAC MSTI ID Packet content
flag type
Through dynamic VLAN registration and aging mechanism, HVRP ages the VLANs that are
not used to forward packets on an interface and saves only necessary VLANs. When a VLAN
contains one or two interfaces, MAC addresses do not need to be learned. Instead, data
packets are broadcast in the VLAN without affecting the bandwidth.
In Figure 21-2:
l STP is enabled on the entire network, and the HVRP root interface and HVRP
designated interfaces are calculated through STP.
l The switches are connected through trunk interfaces. All trunk interfaces are enabled
with HVRP and can forward packets of VLAN 101 through VLAN 500.
l HVRP is disabled on STP edge interfaces.
Figure 21-2 shows HVRP networking. The HVRP working mechanism is described based on
this networking.
VLAN:101-500
SwitchB SwitchC
SwitchD SwitchE
VLAN:101-200 VLAN:201-300
SwitchA is the root bridge. Links between SwitchD and SwitchE are blocked by STP. The
VLANs created on each switch include all user VLANs on the ring.
Generally, data packets of users connected to SwitchD are forwarded by the interface
connecting SwitchD to SwitchB. The interface connecting SwitchD to SwitchE does not
forward packets of VLAN 101 through VLAN 200 to other devices. Based on the Layer 2
forwarding principle:
l When there are more than two interfaces on a Layer 2 switch, the switch searches the
MAC address table for the outbound interface based on the destination MAC address in
the packet. If no outbound interface is found, the switch broadcasts a packet to all
interfaces.
l When there are only two interfaces on a Layer 2 switch, the switch forwards the data
packet through the other interface but not the receive interface. The switch does not need
to search the destination MAC address or establish a MAC address entry.
Three interfaces on SwitchD belong to VLAN 101 through VLAN 200, so SwitchD must
learn MAC addresses. However, the interface connecting SwitchD to SwitchE does not
forward packets of VLAN 101 through VLAN 200 to other devices. HVRP deletes the
interfaces that do not forward packets from VLANs so that the switch does not need to learn
MAC addresses. This reduces the number of MAC addresses that the switch learns and
improves stability and manageability of the switch.
VLAN Registration
Each switch periodically sends VLAN registration packets from the root interface to register
VLANs of the local switch. For example, SwitchD periodically sends VLAN registration
packets of VLAN 101 through VLAN 200 to other devices on the ring through the root
interface. After receiving a VLAN registration packet from SwitchD, SwitchB registers
VLAN 101 through VLAN 200 with the interface that receives the VLAN registration packet
and forwards the packet upstream through the root interface.
SwitchB sends VLAN registration packets of local user VLAN 301 to VLAN 400 through the
root interface. After receiving VLAN registration packets from SwitchB and VLAN
registration packets of SwitchD forwarded by SwitchB, SwitchA registers VLANs of SwitchB
and SwitchD on the interface that receives the packets. SwitchA is the root bridge, so it does
not forward or generate VLAN registration packets.
VLAN Aging
If a switch does not receive any registration packets containing a registered VLAN within a
certain period of time, the VLAN is deleted from the non-root interface.
VLAN aging is implemented only on HVRP non-root interfaces. VLANs on the HVRP root
interface never age out because all packets must pass through the HVRP root interface.
After the VLANs are aged out, VLAN 101 through VLAN 200 contain only the interface
connected to SwitchA and the interface connected to SwitchD. VLAN 301 through VLAN
400 contain only the interface connected to SwitchA and the interface connected to users.
Therefore, SwitchB does not need to learn MAC addresses in VLAN 101 through VLAN 500.
After receiving data packets of a VLAN on an interface, SwitchB only needs to forward the
packets through the other interface in the VLAN.
When the role of a local VLAN changes, for example, the VLAN is not a local VLAN any
more because the configuration is changed, the switch sends the local VLAN information
through the HVRP root interface immediately.
21.3 Applications
A switch on a Layer 2 network needs to learn a large number of MAC addresses. To reduce
the MAC addresses that the switch needs to learn, enable HVRP on the switch. As shown in
Figure 21-3, HVRP needs to be configured on a single-ring network. In practice, HVRP
applies to two types of networking.
Single-ring Network
As shown in Figure 21-3, HVRP is configured on a single-ring network.
VLAN:101-500
SwitchB SwitchC
SwitchD SwitchE
VLAN:101-200 VLAN:201-300
Multi-ring Network
As shown in Figure 21-4, HVRP is configured on a multi-ring network.
SwitchA
SwitchC-1 SwitchC-n
License Support
HVRP is a basic feature of a switch and is not under license control.
Version Support
Permanent VLAN No
Pre-configuration Tasks
Before configuring HVRP, complete the following tasks:
l Ensuring that interfaces enabled with HVRP are trunk interfaces
l Enabling STP globally
l Deleting the MSTP multi-process
Context
Through dynamic VLAN registration and aging mechanisms, HVRP ages the VLANs that do
not forward packets on their interfaces and saves only necessary VLANs. When a VLAN
contains 0 to 2 interfaces, the interfaces do not learn MAC addresses, data packets are
broadcast in the VLAN and no extra bandwidth is consumed.
NOTE
l When STP works in VBST mode, do not enale HVRP. When HVRP is enabled, do not change the
working mode of the STP to VBST.
l When the VCMP role is the client or server, HVRP cannot be enabled. In this case, run the vcmp
role command to configure the VCMP role as silent or transparent. If HVRP has been enabled, do
not switch the VCMP role to client or server.
l After HVRP is enabled, the switch dynamically sets the MAC address learning mode for the VLAN.
Therefore, you do not need to set the maximum number of MAC addresses that can be learned in the
VLAN.
l HVRP and GVRP can not be enabled simultaneously.
Procedure
Step 1 Run:
system-view
Step 2 Run:
hvrp enable
----End
Context
An interface enabled with HVRP is an HVRP interface. VLAN registration and aging can be
performed only on HVRP interfaces.
NOTE
l When you configure HVRP attributes, it is recommended that you delete the default VLAN (VLAN
1) from the interface.
l After HVRP is disabled globally, HVRP is disabled on all interfaces.
l After HVRP is disabled on an interface, all HVRP-related configurations such as the VLAN
registration timers become invalid.
l The PVID of the interface is not aged.
Procedure
Step 1 Run:
system-view
----End
Context
The HVRP root interface on each switch periodically sends user VLAN registration packets
according to the VLAN registration timer. HVRP interfaces that receive registration packets
from user VLANs are added to the user VLANs. The switch learns only MAC addresses in
registered VLANs. This reduces the number of MAC addresses that the switch learns and
improves the stability of the switch in network flapping.
NOTE
l The value of the VLAN registration timer must be smaller than the value of the aging timer of
registered VLANs. It is recommended that the value of the aging timer of registered VLANs be
three times the value of the VLAN registration timer or larger.
l All switches on a ring network must be configured with the same VLAN registration timer value.
Procedure
Step 1 Run:
system-view
----End
Context
If an HVRP interface does not receive any registration packets from a VLAN within the aging
time, the VLAN is deleted from the HVRP interface. The switch learns only MAC addresses
in registered VLANs. This reduces the number of MAC addresses that the switch learns and
improves the stability of the switch in network flapping.
NOTE
l VLAN aging is implemented only on HVRP non-root interfaces. VLANs on the HVRP root
interface never age out because all packets must pass through the HVRP root interface.
l The value of the VLAN registration timer must be smaller than the value of the aging timer of
registered VLANs. It is recommended that the value of the aging timer of registered VLANs be
three times the value of the VLAN registration timer or larger.
Procedure
Step 1 Run:
system-view
----End
Context
A permanent VLAN is never aged by an HVRP interface. If an HVRP interface does not
receive any registration packets from a VLAN within the aging time, the VLAN is deleted
from the HVRP interface. If dedicated services are configured for some VLANs and the
VLANs do not need to be aged(such as Management VLAN), you can configure the VLANs
as permanent VLANs.
Procedure
Step 1 Run:
system-view
Step 2 Run:
hvrp permanent-vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>
----End
Context
On a network with one or more rings, you can enable the device to age all VLANs or only the
local VLANs.
You are advised to enable the device to age all VLANs when the device is located at the
intersection point of rings.
Procedure
Step 1 Run:
system-view
NOTE
In HVRP, VLAN 1 is not identified as the local VLAN. When the PVID is not VLAN 1 and the hvrp vlan-
age all command is executed, VLAN 1 will be aged.
----End
Procedure
l Run the display hvrp verbose command to check detailed information about HVRP.
l Run the display hvrp local-vlan command to check information about local VLANs.
----End
Networking Requirements
As shown in Figure 21-5, switches on the enterprise network are connected through Layer 2
interfaces and constitute a Layer 2 network. STP is used to eliminate loops. SwitchA is the
root bridge and the link between SwitchD and SwitchE is blocked. Because enterprise users
increase continuously, MAC addresses on the switch cannot meet requirements. The
enterprise requires that users increase without switch upgrade.
VLAN:101-500
GE2/0/0
GE3/0/0 GE1/0/0
VLAN:301-400 SwitchA VLAN:401-500
GE2/0/0 GE2/0/0
GE1/0/0 GE1/0/0
GE3/0/0 SwitchB SwitchC GE3/0/0
GE2/0/0 SwitchD SwitchE GE2/0/0
GE1/0/0 GE1/0/0
GE3/0/0 GE3/0/0
VLAN:101-200 VLAN:201-300
Configuration Roadmap
Configure HVRP to meet the preceding requirements. HVRP dynamically registers and ages
VLANs to reserve necessary VLANs. When one or two interfaces exist in a VLAN, the
switch can be disabled from learning MAC addresses to reduce the number of learned MAC
addresses and increase downstream users connected to the switch. The configuration roadmap
is as follows:
1. Enable STP on devices of the ring network to eliminate loops.
2. Configure link types of interfaces and VLANs to implement Layer 2 connectivity.
3. Enable HVRP globally and interfaces so that VLANs are dynamically registered and
aged, and the number MAC addresses learned by the switch is reduced.
Procedure
Step 1 Enable STP on devices of the ring network. SwitchD is used as an example. The
configurations of other devices in the STP ring are similar to the configuration of SwitchD,
and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] stp enable
Step 2 Configure SwitchA as the root device to block the link between SwitchD and SwitchE.
[SwitchA] stp root primary
Step 3 Create VLANs, and configure link types of interfaces and add interfaces to VLANs. SwitchD
is used as an example. The configurations of other devices in the STP ring are similar to the
configuration of SwitchD, and are not mentioned here.
[SwitchD] vlan batch 101 to 500
[SwitchD] interface gigabitethernet 1/0/0
[SwitchD-GigabitEthernet1/0/0] port link-type trunk
[SwitchD-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 to 500
[SwitchD-GigabitEthernet1/0/0] quit
[SwitchD] interface gigabitethernet 2/0/0
[SwitchD-GigabitEthernet2/0/0] port link-type trunk
[SwitchD-GigabitEthernet2/0/0] port trunk allow-pass vlan 101 to 500
[SwitchD-GigabitEthernet2/0/0] quit
[SwitchD] interface gigabitethernet 3/0/0
[SwitchD-GigabitEthernet3/0/0] port link-type trunk
[SwitchD-GigabitEthernet3/0/0] port trunk allow-pass vlan 101 to 200
[SwitchD-GigabitEthernet3/0/0] quit
Step 4 Enable HVRP. SwitchD is used as an example. The configurations of other devices in the STP
ring are similar to the configuration of SwitchD, and are not mentioned here.
[SwitchD] hvrp enable
[SwitchD] interface gigabitethernet 1/0/0
[SwitchD-GigabitEthernet1/0/0] hvrp enable
[SwitchD-GigabitEthernet1/0/0] quit
[SwitchD] interface gigabitethernet 2/0/0
[SwitchD-GigabitEthernet2/0/0] hvrp enable
[SwitchD-GigabitEthernet2/0/0] quit
When the service volume is the same, run the display mac-address command to view the
number of learned MAC addresses. After HVRP is configured, the number of learned MAC
addresses is reduced, This indicates that HVRP reduces the number of MAC addresses
learned by the switch.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 101 to 500
#
stp instance 0 root primary
#
hvrp enable
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 500
hvrp enable
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 500
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 500
hvrp enable
#
return
21.8 References
The following table lists the references of this document.
Definition
Layer 2 protocol transparent transmission is a Layer 2 tunneling technology that transparently
transmits BPDUs between private networks at different locations over a specified tunnel on a
public Internet Service Provider (ISP) network.
Purpose
Leased lines of ISPs are often used to establish Layer 2 networks. As a result, private
networks of a user can be located at two sides of the ISP network. As shown in Figure 22-1,
User A has two networks: network1 and network2. The two networks are connected through
the ISP network. When network1 and network2 run the same Layer 2 protocol (such as
MSTP), Layer 2 protocol packets from network1 and network2 must be transmitted through
the ISP network to perform Layer 2 protocol calculation (for example, calculating a spanning
tree). Generally, the destination MAC addresses in Layer 2 protocol packets of the same
Layer 2 protocol are the same. For example, the MSTP PDUs are BPDUs with the destination
MAC address 0180-C200-0000. Therefore, when a Layer 2 protocol packet reaches an edge
device on the ISP network, the edge device cannot identify whether the Layer 2 protocol
packet comes from a user network or the ISP network and sends the Layer 2 protocol packets
to the CPU to calculate a spanning tree.
In Figure 22-1, devices on user network1 build a spanning tree together with PE1 but not
with devices on user network2. As a result, the Layer 2 protocol packets on user network1
cannot traverse the ISP network to reach user network2.
Figure 22-1 Transparent transmission of Layer 2 protocol packets on the ISP network
ISP
network
PE1 PE2
CE1 CE2
User A User A
network1 network2
You can use Layer 2 protocol transparent transmission to transparently transmit Layer 2
protocol packets from the user network for the ISP network. This addresses the network
identity issue. The procedure is as follows:
1. After receiving Layer 2 protocol packets sent from CE1, PE1 replaces the destination
MAC address with a specified multicast MAC address. Then PE1 forwards the packets
on the ISP network.
2. The Layer 2 protocol packets are forwarded to PE2. PE2 restores the original destination
MAC address of the packets, and sends the packets to CE2.
Huawei device can transparently transmit packets of the following Layer 2 protocols:
l Spanning Tree Protocol (STP)
l Link Aggregation Control Protocol (LACP)
l Ethernet Operation, Administration, and Maintenance 802.3ah (EOAM3ah)
l Link Layer Discovery Protocol (LLDP)
l Generic VLAN Registration Protocol (GVRP)
l Generic Multicast Registration Protocol (GMRP)
l HUAWEI Group Management Protocol (HGMP)
l VLAN Trunking Protocol (VTP)
l Unidirectional Link Detection (UDLD)
l Port Aggregation Protocol (PAGP)
l Cisco Discovery Protocol (CDP)
l Per VLAN Spanning Tree Plus (PVST+)
l Dynamic Trunking Protocol (DTP)
l Device Link Detection Protocol (DLDP)
l User-defined protocols
22.2 Principles
Layer 2 protocol packets are transparently transmitted based on the following principles:
l On the ingress Provider Edge (PE) of the ISP network, the destination multicast MAC
address of a Layer 2 protocol packet is replaced with a specified multicast MAC address.
l The devices on the ISP network determine whether to process the protocol packet based
on the configured transparent transmission mode.
l When the Layer 2 protocol packet reaches the egress, the PE restores the destination
multicast MAC address of the Layer 2 protocol packet to the standard destination
multicast MAC address based on the mapping between the specified destination
multicast MAC address and the Layer 2 protocol configured on the device. The egress
PE also determines whether to process the packet based on the configured transparent
transmission mode.
To transparently transmit Layer 2 protocol packets on the ISP network, ensure that the
following requirements are met:
l Each branch of a user network must be able to receive the Layer 2 protocol packets from
other branches.
l The CPUs of the devices on the ISP network must not process Layer 2 protocol packets
from a user network.
l Layer 2 protocol packets from different user networks must be isolated and not affect
each other.
Huawei devices support the following Layer 2 protocol transparent transmission modes in
different scenarios:
l Interface-based Layer 2 protocol transparent transmission
l VLAN-based Layer 2 protocol transparent transmission
l QinQ-based Layer 2 protocol transparent transmission
ISP Network
BPDU Tunnel
PE1 PE2
As shown in Figure 22-2, each interface on a PE connects to one user network. The user
networks do not belong to the same LAN. If BPDUs received from user networks do not carry
any VLAN tag, the PE must identify the LAN that the BPDUs come from. BPDUs of a user
network in LAN-A must be sent to other user networks in LAN-A. In addition, BPDUs must
not be processed by devices on the ISP network.
In this scenario, the following processing methods are available:
l Change the default multicast MAC address of the Layer 2 protocol packet that can be
identified by the devices on the ISP network to another multicast MAC address. This
method applies only to the STP, RSTP, or MSTP protocol, and the configuration
command is bpdu-tunnel stp bridge role provider.
a. Set the roles of all devices on the ISP network to provider, so that the multicast
MAC addresses of the BPDUs sent by these devices are changed to 01-80-
C2-00-00-08.
b. Set the roles of all devices on a user network to customer, so that the multicast
MAC addresses of the BPDUs sent by the user network are 01-80-C2-00-00-00.
c. On the device of the ISP network, add the interfaces that connect to the same user
network to the same VLAN. PEs add VLAN tags to received Layer 2 protocol
packets based on default VLANs of the interfaces.
d. PEs (providers) do not consider the packets as Layer 2 BPDUs and do not send the
packets to the CPU. Instead, PEs select a Layer 2 tunnel to forward the packets
based on the default VLAN IDs of the interfaces.
e. Internal nodes on the ISP network forward the packets through the ISP network as
common Layer 2 packets.
f. PEs on the ISP network forward the packets to CEs without modifying the packets.
l Replace the original multicast MAC address of the Layer 2 protocol packet with a
specified multicast MAC address.
a. On the device of the ISP network, add the interfaces that connect to the same user
network to the same VLAN. After receiving and identifying the Layer 2 protocol
packet (such as a BPDU of the STP protocol) from the user network, the device on
the ISP network adds the default VLAN ID of the interface to the Layer 2 protocol
packet. This method applies to all types of Layer 2 protocol transparent
transmission.
b. Based on the mapping between the specified destination multicast MAC address
and the Layer 2 protocol, the ingress PE on the ISP network replaces the standard
destination multicast MAC address of the Layer 2 protocol packet with the
specified destination multicast MAC address.
c. Internal nodes on the ISP network forward the packet through the ISP network as a
common Layer 2 packet.
d. The egress PE on the ISP network restores the original standard destination MAC
address of the packet based on the mapping between the specified destination
multicast MAC address and the Layer 2 protocol and forwards the packet to the CE.
1. On the device of the ISP network, add the interfaces that connect to the same user
network to the same VLAN. After receiving and identifying the Layer 2 protocol packet
(such as a BPDU of the STP protocol) from the user network, the device on the ISP
network adds the default VLAN ID of the interface to the Layer 2 protocol packet.
2. Based on the mapping between the specified destination multicast MAC address and the
Layer 2 protocol, the ingress PE on the ISP network replaces the standard destination
multicast MAC address of the Layer 2 protocol packet with the specified destination
multicast MAC address.
3. Internal nodes on the ISP network forward the packet through the ISP network as a
common Layer 2 packet.
4. The egress PE on the ISP network restores the original standard destination MAC
address of the packet based on the mapping between the specified destination multicast
MAC address and the Layer 2 protocol and forwards the packet to the CE.
LAN-B LAN-B
MSTP MSTP
PE 1 ISP Network PE 2
BPDU Tunnel
LAN-A LAN-A
MSTP MSTP
c. Set specified VLAN IDs for Layer 2 protocol packets sent from user networks to
the ISP network.
d. Enable the devices on the ISP network to identify Layer 2 protocol packets with the
specified VLAN IDs and allow these packets to pass.
e. PEs (providers) do not consider these packets Layer 2 protocol BPDUs and do not
send them to the CPU. Instead, PEs select a Layer 2 tunnel to forward the packets
based on the default VLANs of interfaces.
f. Internal nodes on the ISP network forward the packets through the ISP network as
common Layer 2 packets.
g. PEs on the ISP network forward the packets to CEs without modifying the packets.
l Replace the original multicast MAC address of the Layer 2 protocol packet with a
specified multicast MAC address. This method applies to all types of Layer 2 protocol
transparent transmission.
a. Set specified VLAN IDs for Layer 2 protocol packets sent from user networks to
the ISP network.
b. Enable the devices on the ISP network to identify Layer 2 protocol packets with the
specified VLAN IDs and allow these packets to pass.
c. Based on the mapping between the specified destination multicast MAC address
and the Layer 2 protocol, the ingress PE on the ISP network replaces the standard
destination multicast MAC address of the Layer 2 protocol packet with the
specified destination multicast MAC address.
d. Internal nodes on the ISP network forward the packets through the ISP network as
common Layer 2 packets.
e. The egress PE on the ISP network restores the original standard destination MAC
address of the packet based on the mapping between the specified destination
multicast MAC address and the Layer 2 protocol and forwards the packets to the
CE.
LAN-B LAN-B
MSTP MSTP
PE-VLAN20:CE-VLAN 100~199
PE 2
PE 1 ISP Network
PE-VLAN30:CE-VLAN 200~299
LAN-A LAN-A
MSTP MSTP
As shown in Figure 22-5, CE1 and CE2 are edge devices on private networks of User A in
different locations. The two private networks connect to the ISP network through PE1 and
PE2. Networks of User A have redundant links, so MSTP is used to remove loops on the
Layer 2 network. When MSTP packets sent by CEs reach PEs, PEs send the packets to the
CPUs for processing because they cannot identify the network that MSTP packets come from.
Layer 2 protocol calculations on the user network and ISP network affect each other and
cannot be implemented independently.
You can configure Layer 2 protocol transparent transmission on PEs, so that MSTP packets
are not sent to the CPUs of PEs for processing. This prevents PEs from participating in
spanning tree calculation.
ISP
network
PE1 PE2
CE1 CE2
User A User A
network1 network2
License Support
Layer 2 protocol transparent transmission is a basic feature of a switch and is not under
license control.
Version Support
Table 22-2 Products and versions supporting Layer 2 protocol transparent transmission
Product Product Software Version
Model
NOTE
To know details about software mappings, see Version Mapping Search for Huawei Switches.
Pre-configuration Tasks
Before configuring interface-based Layer 2 protocol transparent transmission, complete the
following task:
l Set link layer protocol parameters and IP addresses for interfaces to ensure that the link
layer protocol on the interfaces is Up.
Context
When non-standard Layer 2 protocol packets with a specified multicast destination MAC
address need to be transparently transmitted on the backbone network, define characteristic
information about the Layer 2 protocol on the PE. The characteristics of the Layer 2 protocol
include the protocol name, Ethernet encapsulation format, destination MAC address, and
MAC address that replaces the destination MAC address of Layer 2 protocol packets.
When defining characteristic information about a Layer 2 protocol, do not use the following
multicast MAC addresses to replace the destination MAC address of Layer 2 protocol
packets:
Procedure
Step 1 Run:
system-view
----End
Context
You can configure the following Layer 2 protocol transparent transmission modes:
l Configure the device to replace the default multicast MAC address of Layer 2 protocol
packets that can be identified by PEs with another multicast MAC address. This mode
can be used to transparently transmit Layer 2 protocol packets of STP, RSTP, and MSTP.
l Configure the device to replace the original multicast MAC address of Layer 2 protocol
packets with a specified multicast MAC address. This mode can be used to transparently
transmit all types of Layer 2 protocol packets.
Use either of the following methods on PEs based on the Layer 2 protocol type and the
required transparent transmission mode.
Procedure
l Replace the default multicast MAC address of Layer 2 protocols that can be identified by
PEs with another multicast MAC address.
a. Run:
system-view
NOTE
Do not replace the destination MAC addresses of STP, GVRP, and GMRP packets with the
same multicast MAC address.
When configuring Layer 2 protocol transparent transmission, do not use the following
multicast MAC addresses to replace the destination MAC address of Layer 2 protocol
packets:
l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
l Destination MAC address of Smart Link packets: 010F-E200-0004
l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
l Common multicast MAC addresses that have been used on the device
----End
Context
Perform the following operations on PEs based on the required Layer 2 protocol transparent
transmission mode.
NOTE
The l2protocol-tunnel and l2protocol-tunnel vlan commands cannot specify the same protocol type on
the same interface. Otherwise, the configurations conflict.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
port link-type hybrid
Step 4 Run:
port hybrid pvid vlan vlan-id
Step 5 Run:
port hybrid untagged vlan vlan-id
Step 6 Run:
l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name }
enable
----End
Procedure
l Run the display l2protocol-tunnel group-mac { all | protocol-type | user-defined-
protocol protocol-name } command to check information about transparent transmission
of specified or all Layer 2 protocol packets.
----End
Pre-configuration Tasks
Before configuring interface-based Layer 2 protocol transparent transmission, complete the
following task:
l Set link layer protocol parameters and IP addresses for interfaces to ensure that the link
layer protocol on the interfaces is Up.
Context
When non-standard Layer 2 protocol packets with a specified multicast destination MAC
address need to be transparently transmitted on the backbone network, define characteristic
information about the Layer 2 protocol on the PE. The characteristics of the Layer 2 protocol
include the protocol name, Ethernet encapsulation format, destination MAC address, and
MAC address that replaces the destination MAC address of Layer 2 protocol packets.
When defining characteristic information about a Layer 2 protocol, do not use the following
multicast MAC addresses to replace the destination MAC address of Layer 2 protocol
packets:
Procedure
Step 1 Run:
system-view
----End
Context
You can configure the following Layer 2 protocol transparent transmission modes:
l Configure the device to replace the default multicast MAC address of Layer 2 protocol
packets that can be identified by PEs with another multicast MAC address. This mode
can be used to transparently transmit Layer 2 protocol packets of STP, RSTP, and MSTP.
l Configure the device to replace the original multicast MAC address of Layer 2 protocol
packets with a specified multicast MAC address. This mode can be used to transparently
transmit all types of Layer 2 protocol packets.
Use either of the following methods on PEs based on the Layer 2 protocol type and the
required transparent transmission mode.
Procedure
l Replace the default multicast MAC address of Layer 2 protocols that can be identified by
PEs with another multicast MAC address.
a. Run:
system-view
NOTE
Do not replace the destination MAC addresses of STP, GVRP, and GMRP packets with the
same multicast MAC address.
When configuring Layer 2 protocol transparent transmission, do not use the following
multicast MAC addresses to replace the destination MAC address of Layer 2 protocol
packets:
l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
l Destination MAC address of Smart Link packets: 010F-E200-0004
l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
l Common multicast MAC addresses that have been used on the device
----End
Context
Perform the following operations on PEs according to the type of Layer 2 protocol packets to
be transparently transmitted.
NOTE
The l2protocol-tunnel vlan and l2protocol-tunnel commands cannot specify the same protocol type on
the same interface. Otherwise, the configurations conflict.
Procedure
Step 1 Run:
system-view
NOTE
l The range of VLAN IDs specified in this step must include VLAN IDs of Layer 2 protocol packets
from user networks.
l The VLAN for VLAN-based Layer 2 protocol transparent transmission must be the static VLAN,
and cannot be the VLAN dynamically created by GVRP and VCMP.
Step 5 Run:
----End
Procedure
l Run the display l2protocol-tunnel group-mac { all | protocol-type | user-defined-
protocol protocol-name } command to check information about transparent transmission
of specified or all Layer 2 protocol packets.
----End
Pre-configuration Tasks
Before configuring interface-based Layer 2 protocol transparent transmission, complete the
following task:
l Set link layer protocol parameters and IP addresses for interfaces to ensure that the link
layer protocol on the interfaces is Up.
Context
When non-standard Layer 2 protocol packets with a specified multicast destination MAC
address need to be transparently transmitted on the backbone network, define characteristic
information about the Layer 2 protocol on the PE. The characteristics of the Layer 2 protocol
include the protocol name, Ethernet encapsulation format, destination MAC address, and
MAC address that replaces the destination MAC address of Layer 2 protocol packets.
When defining characteristic information about a Layer 2 protocol, do not use the following
multicast MAC addresses to replace the destination MAC address of Layer 2 protocol
packets:
l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
l Destination MAC address of Smart Link packets: 010F-E200-0004
l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
l Common multicast MAC addresses that have been used on the device
Perform the following operations on PEs.
Procedure
Step 1 Run:
system-view
----End
Context
You can configure the following Layer 2 protocol transparent transmission modes:
l Configure the device to replace the default multicast MAC address of Layer 2 protocol
packets that can be identified by PEs with another multicast MAC address. This mode
can be used to transparently transmit Layer 2 protocol packets of STP, RSTP, and MSTP.
l Configure the device to replace the original multicast MAC address of Layer 2 protocol
packets with a specified multicast MAC address. This mode can be used to transparently
transmit all types of Layer 2 protocol packets.
Use either of the following methods on PEs based on the Layer 2 protocol type and the
required transparent transmission mode.
Procedure
l Replace the default multicast MAC address of Layer 2 protocols that can be identified by
PEs with another multicast MAC address.
a. Run:
system-view
NOTE
When configuring Layer 2 protocol transparent transmission, do not use the following multicast
MAC addresses to replace the destination MAC address of Layer 2 protocol packets:
l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
l Destination MAC address of Smart Link packets: 010F-E200-0004
l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
l Common multicast MAC addresses that have been used on the device
----End
Context
Perform the following operations on PEs based on the required Layer 2 protocol transparent
transmission mode.
NOTE
The l2protocol-tunnel vlan and l2protocol-tunnel commands cannot specify the same protocol type on
the same interface. Otherwise, the configurations conflict.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
port link-type hybrid
Step 4 Run:
port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
Step 5 Run:
port vlan-stacking vlan vlan-id1 [ to vlan-id2 ] stack-vlan vlan-id3
The interface is configured to add an outer VLAN tag to the Layer 2 protocol packets.
Step 6 Run:
l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name }
vlan { low-id [ to high-id ] } &<1-10>
NOTE
l The outer VLAN tag (vlan-id3) specified in port vlan-stacking command must be included in the
VLAN range specified inport hybrid untagged vlancommand.
----End
Procedure
l Run the display l2protocol-tunnel group-mac { all | protocol-type | user-defined-
protocol protocol-name } command to check information about transparent transmission
of specified or all Layer 2 protocol packets.
----End
Context
You can run the display l2protocol-tunnel statistics command in any view to check the
statistics about Layer 2 protocol packets that are transparently transmitted on an interface,
which helps you locate faults.
Procedure
l Run the display l2protocol-tunnel statistics command in any view to check the
statistics about Layer 2 protocol packets that are transparently transmitted on an
interface.
----End
Context
Before recollecting statistics about Layer 2 protocol packets transparently transmitted on an
interface in a certain period, clear existing statistics on the interface.
NOTICE
The cleared statistics cannot be restored. Exercise caution when you run this command.
Procedure
l Run the reset l2protocol-tunnel statistics command in any view to clear the statistics
about Layer 2 protocol packets that are transparently transmitted on an interface.
----End
Networking Requirements
As shown in Figure 22-6, CEs are edge devices on two private networks of an enterprise
located in different areas, and PE1 and PE2 are edge devices on the ISP network. The two
private networks of the enterprise are Layer 2 networks and they are connected through the
ISP network. STP is run on the Layer 2 networks to prevent loops. Enterprise users require
that STP run only on the private networks so that spanning trees can be generated correctly.
Figure 22-6 Networking diagram for configuring interface-based Layer 2 protocol transparent
transmission
PE1 PE2
ISP
GE1/0/2 network GE1/0/2
GE1/0/0
GE1/0/0
GE1/0/0
GE1/0/0
CE1
CE2
User A User A
network1 network2
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Enable STP on CEs.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan 100
[CE1-vlan100] quit
[CE1] stp enable
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type hybrid
[CE1-GigabitEthernet1/0/0] port hybrid pvid vlan 100
[CE1-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[CE1-GigabitEthernet1/0/0] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan 100
[CE2-vlan100] quit
[CE2] stp enable
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type hybrid
[CE2-GigabitEthernet1/0/0] port hybrid pvid vlan 100
[CE2-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[CE2-GigabitEthernet1/0/0] quit
Step 2 Add GE1/0/0 on PE1 and PE2 to VLAN 100 and enable Layer 2 protocol transparent
transmission on PEs.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type hybrid
[PE1-GigabitEthernet1/0/0] port hybrid pvid vlan 100
[PE1-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[PE1-GigabitEthernet1/0/0] l2protocol-tunnel stp enable
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface GigabitEthernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-type trunk
[PE1-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200
[PE1-GigabitEthernet1/0/2] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] port hybrid pvid vlan 100
[PE2-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[PE2-GigabitEthernet1/0/0] l2protocol-tunnel stp enable
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] port link-type trunk
[PE2-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200
[PE2-GigabitEthernet1/0/2] quit
Step 3 Configure PEs to replace the destination MAC address of STP packets received from CEs.
# Configure PE1.
[PE1] l2protocol-tunnel stp group-mac 0100-0100-0100
# Configure PE2.
[PE2] l2protocol-tunnel stp group-mac 0100-0100-0100
# After 30s, Run the display stp command on CE1 and CE2 to view the root in the MSTP
region. You can find that a spanning tree is calculated between CE1 and CE2. GE1/0/0 on
CE1 is the root port and GE1/0/0 on CE2 is the designated port.
[CE1] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/0 ROOT FORWARDING NONE
[CE2] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/0 DESI FORWARDING NONE
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 100
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
return
#
return
Networking Requirements
As shown in Figure 22-7, CEs are edge devices on two private networks of an enterprise
located in different areas, and PE1 and PE2 are edge devices on the ISP network. VLAN 100
and VLAN 200 are Layer 2 networks for different users and are connected through the ISP
network. STP is run on the Layer 2 networks to prevent loops. Enterprise users require that
STP run only on the private networks so that spanning trees can be generated correctly.
l All the devices in VLAN 100 participate in calculation of a spanning tree.
l All the devices in VLAN 200 participate in calculation of a spanning tree.
Figure 22-7 Networking diagram for configuring VLAN-based Layer 2 protocol transparent
transmission
PE1 PE2
GE1/0/3 ISP GE1/0/3
network
GE1/0/1 GE1/0/2 GE1/0/1 GE1/0/2
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure STP on CEs to prevent loops on Layer 2 networks.
2. Configure CEs to send STP packets with specified VLAN tags to PEs so that calculation
of a spanning tree is complete independently in VLAN 100 and VLAN 200.
3. Configure VLAN-based Layer 2 protocol transparent transmission on PEs so that STP
packets are not sent to the CPUs of PEs for processing.
Procedure
Step 1 Enable STP on CEs.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] stp enable
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] stp enable
# Configure CE3.
<HUAWEI> system-view
[HUAWEI] sysname CE3
[CE3] stp enable
# Configure CE4.
<HUAWEI> system-view
[HUAWEI] sysname CE4
[CE4] stp enable
Step 2 Configure CE1 and CE2 to send STP packets with VLAN tag 100 to PEs, and configure CE3
and CE4 to send STP packets with VLAN tag 200 to PEs.
# Configure CE1.
[CE1] vlan 100
[CE1-vlan100] quit
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type hybrid
[CE1-GigabitEthernet1/0/0] port hybrid tagged vlan 100
[CE1-GigabitEthernet1/0/0] stp bpdu vlan 100
[CE1-GigabitEthernet1/0/0] quit
# Configure CE2.
[CE2] vlan 100
[CE2-vlan100] quit
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type hybrid
[CE2-GigabitEthernet1/0/0] port hybrid tagged vlan 100
[CE2-GigabitEthernet1/0/0] stp bpdu vlan 100
[CE2-GigabitEthernet1/0/0] quit
# Configure CE3.
[CE3] vlan 200
[CE3-vlan200] quit
[CE3] interface gigabitethernet 1/0/0
[CE3-GigabitEthernet1/0/0] port link-type hybrid
[CE3-GigabitEthernet1/0/0] port hybrid tagged vlan 200
[CE3-GigabitEthernet1/0/0] stp bpdu vlan 200
[CE3-GigabitEthernet1/0/0] quit
# Configure CE4.
[CE4] vlan 200
[CE4-vlan200] quit
[CE4] interface gigabitethernet 1/0/0
[CE4-GigabitEthernet1/0/0] port link-type hybrid
[CE4-GigabitEthernet1/0/0] port hybrid tagged vlan 200
[CE4-GigabitEthernet1/0/0] stp bpdu vlan 200
[CE4-GigabitEthernet1/0/0] quit
Step 3 Configure PE interfaces to transparently transmit STP packets of CEs to the peer ends.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] vlan 200
[PE1-vlan200] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-type hybrid
[PE1-GigabitEthernet1/0/1] port hybrid tagged vlan 100
[PE1-GigabitEthernet1/0/1] l2protocol-tunnel stp vlan 100
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-type hybrid
[PE1-GigabitEthernet1/0/2] port hybrid tagged vlan 200
[PE1-GigabitEthernet1/0/2] l2protocol-tunnel stp vlan 200
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface GigabitEthernet 1/0/3
[PE1-GigabitEthernet1/0/3] port link-type trunk
[PE1-GigabitEthernet1/0/3] port trunk allow-pass vlan 100 200
[PE1-GigabitEthernet1/0/3] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] vlan 200
[PE2-vlan200] quit
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] port link-type hybrid
[PE2-GigabitEthernet1/0/1] port hybrid tagged vlan 100
[PE2-GigabitEthernet1/0/1] l2protocol-tunnel stp vlan 100
[PE2-GigabitEthernet1/0/1] quit
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] port link-type hybrid
[PE2-GigabitEthernet1/0/2] port hybrid tagged vlan 200
[PE2-GigabitEthernet1/0/2] l2protocol-tunnel stp vlan 200
[PE2-GigabitEthernet1/0/2] quit
[PE2] interface GigabitEthernet 1/0/3
[PE2-GigabitEthernet1/0/3] port link-type trunk
[PE2-GigabitEthernet1/0/3] port trunk allow-pass vlan 100 200
[PE2-GigabitEthernet1/0/3] quit
Step 4 Configure PEs to replace the destination MAC address of STP packets received from CEs.
# Configure PE1.
[PE1] l2protocol-tunnel stp group-mac 0100-0100-0100
# Configure PE2.
[PE2] l2protocol-tunnel stp group-mac 0100-0100-0100
Step 5 Configure CE2 and CE4 to the priority of a switching device is 4096.
# Configure CE2.
[CE2] stp priority 4096
# Configure CE4.
[CE4] stp priority 4096
# After 30s, run the display stp command on CE1 and CE2 to view the root in the MSTP
region. You can find that a spanning tree is calculated between CE1 and CE2. GE1/0/0 on
CE1 is the root port and GE1/0/0 on CE2 is the designated port.
[CE1] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/0 ROOT FORWARDING NONE
[CE2] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/0 DESI FORWARDING NONE
# After 30s, run the display stp command on CE3 and CE4 to view the root in the MSTP
region. You can find that a spanning tree is calculated between CE3 and CE4. GE1/0/0 on
CE3 is the root port and GE1/0/0 on CE4 is the designated port.
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 100
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 100
stp bpdu vlan 100
#
return
Networking Requirements
As shown in Figure 22-8, CEs are edge devices on two private networks of an enterprise
located in different areas, and PE1 and PE2 are edge devices on the ISP network. VLAN 100
and VLAN 200 are Layer 2 networks for different users and are connected through the ISP
network. STP is run on the Layer 2 networks to prevent loops. Enterprise users require that
STP run only on the private networks so that spanning trees can be generated correctly.
Figure 22-8 Networking diagram for configuring QinQ-based Layer 2 protocol transparent
transmission
User A User A
VLAN100 VLAN100
GE1/0/0
GE1/0/0
GE1/0/1
GE1/0/1
CE1 CE2
GE1/0/3 ISP GE1/0/3
PE1 Network PE2
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure STP on CEs to prevent loops on Layer 2 networks.
2. Configure CEs to send STP packets with specified VLAN tags to PEs so that calculation
of a spanning tree is complete independently in VLAN 100 and VLAN 200.
3. Configure VLAN-based Layer 2 protocol transparent transmission on PEs so that STP
packets are not sent to the CPUs of PEs for processing.
4. Configure QinQ (VLAN stacking) on PEs so that PEs add outer VLAN tag 10 to STP
packets sent from CEs, saving public network VLAN IDs.
Procedure
Step 1 Enable STP on CEs.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] stp enable
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] stp enable
# Configure CE3.
<HUAWEI> system-view
[HUAWEI] sysname CE3
[CE3] stp enable
# Configure CE4.
<HUAWEI> system-view
[HUAWEI] sysname CE4
[CE4] stp enable
Step 2 Configure CE1 and CE2 to send STP packets with VLAN tag 100 to PEs, and configure CE3
and CE4 to send STP packets with VLAN tag 200 to PEs.
# Configure CE1.
[CE1] vlan 100
[CE1-vlan100] quit
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type hybrid
[CE1-GigabitEthernet1/0/0] port hybrid tagged vlan 100
[CE1-GigabitEthernet1/0/0] stp bpdu vlan 100
[CE1-GigabitEthernet1/0/0] quit
# Configure CE2.
[CE2] vlan 100
[CE2-vlan100] quit
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type hybrid
[CE2-GigabitEthernet1/0/0] port hybrid tagged vlan 100
[CE2-GigabitEthernet1/0/0] stp bpdu vlan 100
[CE2-GigabitEthernet1/0/0] quit
# Configure CE3.
[CE3] vlan 200
[CE3-vlan200] quit
[CE3] interface gigabitethernet 1/0/0
[CE3-GigabitEthernet1/0/0] port link-type hybrid
[CE3-GigabitEthernet1/0/0] port hybrid tagged vlan 200
[CE3-GigabitEthernet1/0/0] stp bpdu vlan 200
[CE3-GigabitEthernet1/0/0] quit
# Configure CE4.
[CE4] vlan 200
[CE4-vlan200] quit
[CE4] interface gigabitethernet 1/0/0
[CE4-GigabitEthernet1/0/0] port link-type hybrid
[CE4-GigabitEthernet1/0/0] port hybrid tagged vlan 200
[CE4-GigabitEthernet1/0/0] stp bpdu vlan 200
[CE4-GigabitEthernet1/0/0] quit
Step 3 Configure QinQ-based Layer 2 protocol transparent transmission on PEs so that STP packets
with VLAN tags 100 and 200 are tagged with outer VLAN 10 by PEs and can be transmitted
on the ISP network.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan 10
[PE1-vlan10] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-type hybrid
[PE1-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[PE1-GigabitEthernet1/0/1] port vlan-stacking vlan 100 stack-vlan 10
[PE1-GigabitEthernet1/0/1] l2protocol-tunnel stp vlan 10
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-type hybrid
[PE1-GigabitEthernet1/0/2] port hybrid untagged vlan 10
[PE1-GigabitEthernet1/0/2] port vlan-stacking vlan 200 stack-vlan 10
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan 10
[PE2-vlan10] quit
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] port link-type hybrid
[PE2-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[PE2-GigabitEthernet1/0/1] port vlan-stacking vlan 100 stack-vlan 10
[PE2-GigabitEthernet1/0/1] l2protocol-tunnel stp vlan 10
[PE2-GigabitEthernet1/0/1] quit
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] port link-type hybrid
[PE2-GigabitEthernet1/0/2] port hybrid untagged vlan 10
[PE2-GigabitEthernet1/0/2] port vlan-stacking vlan 200 stack-vlan 10
[PE2-GigabitEthernet1/0/2] l2protocol-tunnel stp vlan 10
[PE2-GigabitEthernet1/0/2] quit
[PE2] interface GigabitEthernet 1/0/3
[PE2-GigabitEthernet1/0/3] port link-type trunk
[PE2-GigabitEthernet1/0/3] port trunk allow-pass vlan 10
[PE2-GigabitEthernet1/0/3] quit
Step 4 Configure PEs to replace the destination MAC address of STP packets received from CEs.
# Configure PE1.
[PE1] l2protocol-tunnel stp group-mac 0100-0100-0100
# Configure PE2.
[PE2] l2protocol-tunnel stp group-mac 0100-0100-0100
Step 5 Configure CE2 and CE4 to the priority of a switching device is 4096.
# Configure CE2.
[CE2] stp priority 4096
# Configure CE4.
[CE4] stp priority 4096
# After 30s, run the display stp command on CE1 and CE2 to view the root in the MSTP
region. You can find that a spanning tree is calculated between CE1 and CE2. GE1/0/0 on
CE1 is the root port and GE1/0/0 on CE2 is the designated port.
# After 30s, run the display stp command on CE3 and CE4 to view the root in the MSTP
region. You can find that a spanning tree is calculated between CE3 and CE4. GE1/0/0 on
CE3 is the root port and GE1/0/0 on CE4 is the designated port.
[CE3] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/0 ROOT FORWARDING NONE
[CE4] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/0 DESI FORWARDING NONE
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
#
vlan batch 200
#
stp instance 0 priority 4096
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 200
stp bpdu vlan 200
#
return
l PE1 configuration file
#
sysname PE1
#
vlan batch 10
#
l2protocol-tunnel stp group-mac 0100-0100-0100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 10
port vlan-stacking vlan 100 stack-vlan 10
l2protocol-tunnel stp vlan 10
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid untagged vlan 10
port vlan-stacking vlan 200 stack-vlan 10
l2protocol-tunnel stp vlan 10
#
interface GigabitEthernet1/0/3
port link-type
trunk
port trunk allow-pass vlan 10
#
return
l PE2 configuration file
#
sysname PE2
#
vlan batch 10
#
l2protocol-tunnel stp group-mac 0100-0100-0100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 10
port vlan-stacking vlan 100 stack-vlan 10
l2protocol-tunnel stp vlan 10
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid untagged vlan 10
port vlan-stacking vlan 200 stack-vlan 10
l2protocol-tunnel stp vlan 10
#
interface GigabitEthernet1/0/3
port link-type
trunk
port trunk allow-pass vlan 10
#
return
22.8 FAQ
22.9 References
The following table lists the references for this document.