V100R006C01
Issue 01
Date 2011-10-26
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Issue 01 (2011-10-26)
Commissioning engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol
Description
DANGER
WARNING
CAUTION
TIP
NOTE
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention
Description
Boldface
Italic
[]
{ x | y | ... }
[ x | y | ... ]
{ x | y | ... }*
[ x | y | ... ]*
&<1-n>
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Contents
About This Document
1 Ethernet Interface Configuration
1.1 Introduction to Ethernet Interfaces
1.2 Ethernet Interface Features Supported by the S9300
1.3 Configuring Basic Attributes of the Ethernet Interface
1.3.1 Establishing the Configuration Task
1.3.2 (Optional) Configuring a Description for an Interface
1.3.3 (Optional) Configuring the Cable Type on an Interface
1.3.4 (Optional) Setting the Duplex Mode
1.3.5 (Optional) Setting the Rate of an Interface
1.3.6 (Optional) Enabling Auto-Negotiation
1.3.7 (Optional) Switching Between Optical and Electrical Interfaces
1.3.8 (Optional) Configuring an Interface to Work at Layer 2 or Layer 3
1.3.9 Checking the Configuration
1.4 Configuring Advanced Attributes of an Ethernet Interface
1.4.1 Establishing the Configuration Task
1.4.2 (Optional) Configuring Loopback on the Ethernet Interface
1.4.3 (Optional) Setting the Minimum Interval for Re-enabling an Interface
1.4.4 (Optional) Configuring the Interface Group
1.4.5 (Optional) Setting the Maximum Frame Length on the Ethernet Interface
1.4.6 (Optional) Enabling Flow Control
1.4.7 (Optional) Enabling Auto-Negotiation of Flow Control
1.4.8 (Optional) Enabling Port Isolation
1.4.9 (Optional) Performing a Cable Test on an Interface
1.4.10 (Optional) Configuring Link Flapping Protection on an Interface
1.4.11 (Optional) Assigning an IP Address to an Ethernet Sub-interface
1.4.12 Checking the Configuration
1.5 Maintaining Ethernet Interfaces
1.5.1 Debugging Ethernet Interfaces
1.6 Configuration Examples
1.6.1 Example for Configuring Port Isolation
3 VLAN Configuration
3.1 Introduction
3.2 VLAN Features Supported by the S9300
3.3 Dividing a LAN into VLANs
3.3.1 Establishing the Configuration Task
3.3.2 Dividing a LAN into VLANs Based on Ports
3.3.3 Dividing a LAN into VLANs Based on MAC Addresses
3.3.4 Dividing a LAN into VLANs Based on IP Subnets
3.3.5 Dividing a LAN into VLANs Based on Protocols
3.3.6 Dividing a LAN into VLANs Based on Policies
3.3.7 Checking the Configuration
3.4 Creating a VLANIF Interface
3.4.1 Establishing the Configuration Task
3.4.2 Creating a VLANIF Interface
3.4.3 Assigning an IP Address to a VLANIF Interface
3.4.4 (Optional) Setting a Delay After Which a VLANIF Interface Goes Down
3.4.5 (Optional) Setting the MTU of a VLANIF Interface
3.4.6 Checking the Configuration
3.5 Configuring Inter-VLAN Communication
3.5.1 Establishing the Configuration Task
3.5.2 Configuring VLANIF Interfaces for Inter-VLAN Communication
3.5.3 Configuring Sub-interface for Inter-VLAN Communication
3.5.4 Configuring VLAN Switch for Inter-VLAN Communication
3.5.5 Checking the Configuration
3.6 Configuring VLAN Aggregation to Save IP Addresses
3.6.1 Establishing the Configuration Task
3.6.2 Creating a Sub-VLAN
3.6.3 Creating a Super-VLAN
3.6.4 Assigning an IP Address to the VLANIF Interface of a Super-VLAN
5 QinQ Configuration
5.1 Concept of QinQ
5.2 QinQ Features Supported by the S9300
5.3 Configuring QinQ on an Interface
5.3.1 Establishing the Configuration Task
5.3.2 Setting the Link Type of an Interface
5.3.3 Specifying the Outer VLAN ID
5.3.4 Checking the Configuration
5.4 Configuring Selective QinQ
5.4.1 Establishing the Configuration Task
6 GVRP Configuration
6.1 GVRP Overview
6.2 GVRP Features Supported by the S9300
6.3 Configuring GVRP
6.3.1 Establishing the Configuration Task
6.3.2 Enabling GVRP
6.3.3 (Optional) Setting the Registration Mode of a GVRP Interface
6.3.4 (Optional) Setting the GARP Timers
6.3.5 Checking the Configuration
6.4 Maintaining GVRP
6.4.1 Clearing GARP Statistics
8 STP/RSTP Configuration
8.1 STP/RSTP Overview
8.1.1 STP/RSTP Overview
8.1.2 STP/RSTP Features Supported by the S9300
8.2 Configuring Basic STP/RSTP Functions
8.2.1 Establishing the Configuration Task
8.2.2 Configuring the STP/RSTP Mode
8.2.3 (Optional) Configuring Switching Device Priorities
8.2.4 (Optional) Setting the Path Cost for a Port
8.2.5 (Optional) Configuring Port Priorities
8.2.6 Enabling STP/RSTP
8.2.7 Checking the Configuration
8.3 Configuring STP/RSTP Parameters on an Interface
8.3.1 Establishing the Configuration Task
8.3.2 Setting System Parameters
8.3.3 Setting Port Parameters
8.3.4 Checking the Configuration
8.4 Configuring RSTP Protection Functions
8.4.1 Establishing the Configuration Task
8.4.2 Configuring BPDU Protection on a Switching Device
8.4.3 Configuring TC Protection on a Switching Device
8.4.4 Configuring Root Protection on a Port
8.4.5 Configuring Loop Protection on a Port
8.4.6 Checking the Configuration
8.5 Configuring STP/RSTP Interoperability Between Huawei Devices and Non-Huawei Devices
8.5.1 Establishing the Configuration Task
8.5.2 Configuring the Proposal/Agreement Mechanism
8.5.3 Checking the Configuration
8.6 Maintaining STP/RSTP
8.6.1 Clearing STP/RSTP Statistics
8.7 Configuration Examples
8.7.1 Example for Configuring Basic STP Functions
8.7.2 Example for Configuring Basic RSTP Functions
9 MSTP Configuration
9.1 MSTP Overview
9.1.1 MSTP Introduction
9.1.2 MSTP Features Supported by the S9300
9.2 Configuring Basic MSTP Functions
9.2.1 Establishing the Configuration Task
9.2.2 Configuring the MSTP Mode
10 SEP Configuration
10.1 SEP Overview
12 HVRP Configuration
12.1 HVRP Overview
12.2 HVRP Features Supported by the S9300
12.3 Enabling HVRP
12.3.1 Establishing the Configuration Task
12.3.2 Enabling HVRP Globally
12.3.3 Enabling HVRP on an Interface
12.3.4 (Optional) Setting the VLAN Registration Timer
12.3.5 (Optional) Setting the Aging Time of Registered VLANs
12.3.6 (Optional) Configuring Permanent VLANs
12.3.7 (Optional) Configuring the S9300 to Age All the VLANs
12.3.8 Checking the Configuration
12.4 Maintaining HVRP
12.4.1 Debugging HVRP
12.5 Configuration Examples
12.5.1 Example for Configuring HVRP
Interface type                 Rate (Mbit/s)  Auto-negotiation           Non-negotiation
                                              Full duplex  Half duplex   Full duplex  Half duplex
Ethernet electrical interface  10             Yes          Yes           Yes          Yes
Ethernet electrical interface  100            Yes          Yes           Yes          Yes
Ethernet electrical interface  1000           Yes          No            Yes          No
Ethernet optical interface     100            No           No            Yes          No
Ethernet optical interface     1000           Yes          No            Yes          No
Ethernet optical interface     10000          No           No            Yes          No
If the local interface works in auto-negotiation mode, the peer interface must also work in auto-negotiation mode; otherwise, packet loss may occur.
Port Group
The port group function enables you to configure multiple interfaces at the same time. You can
run commands in the port group view to configure all the interfaces in the group.
Auto-Negotiation
The auto-negotiation function allows interfaces on both ends of a link to select the same operating
parameters by exchanging capability information. Each interface sends its capability information
to the remote end and checks capabilities of the remote end. After both interfaces receive the
capability information from each other, they adopt the highest capability they support to
communicate with each other.
The interfaces negotiate the duplex mode, speed, and flow control parameters. After a successful
negotiation, the interfaces use the same duplex mode, speed, and flow control parameters.
Port Isolation
The port isolation function isolates Layer 2 and Layer 3 communication between ports in the
same VLAN. This function restricts packet transmission between ports flexibly, providing a
secure and flexible network solution.
You can configure the description of interfaces to facilitate the identification, maintenance,
and configuration of the interfaces.
By default, an FE electrical interface automatically identifies the network cable type. If the
interface cannot identify the cable type properly, set the cable type for the interface
manually.
By default, an FE electrical interface negotiates the duplex mode and rate with the
equipment that is directly connected to the interface. If the connected equipment does not
have the auto-negotiation capability, set the duplex mode and rate for the FE interface
manually so that the interface can work with the connected equipment.
Pre-configuration Tasks
None
Data Preparation
To configure the basic functions of Ethernet interfaces, you need the following data.
No.
Data
Context
Perform the following steps on the S9300.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Step 4 Run:
speed { 10 | 100 | 1000 }
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run the display interface [ interface-type [ interface-number [.subnumber ] ] ] command to
display the description, duplex mode, and rate of an Ethernet interface.
----End
The S9300 provides the interface group function, which enables you to configure multiple
interfaces at the same time.
If the traffic volume received on an interface of the S9300 may exceed the processing
capability of the interface and the directly connected interface supports traffic control,
enable the traffic control function on the interface. When the rate of received traffic reaches
the threshold, the interface sends a Pause frame (in full duplex mode) or sends a back
pressure signal (in half duplex mode) to notify the peer interface. If the peer interface
supports traffic control, it decreases the rate at which it sends traffic so that the local
interface can properly process received traffic.
Ports enabled with port isolation cannot communicate with each other so that ports on the
same VLAN can be isolated. Port isolation provides secure and flexible networking
schemes for customers.
Pre-configuration Tasks
None.
Data Preparation
To configure the advanced functions of Ethernet interfaces, you need the following data.
No.
Data
Interface number
Procedure
Step 1 Run:
system-view
Context
Do as follows on the S9300 where you need to configure interface groups.
Procedure
Step 1 Run:
system-view
Context
Do as follows on the S9300 where you need to enable port isolation.
Procedure
Step 1 Run:
system-view
After interface A is isolated from interface B unidirectionally, packets sent by interface A cannot reach
interface B, whereas packets sent from interface B can reach interface A.
Step 5 Run:
port-isolate enable [ group group-id ]
Ports in a port isolation group are isolated from each other, and ports in different port isolation groups can
communicate with each other. If group-id is not specified, a port is added to port isolation group 1.
----End
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
Follow-up Procedure
By default, an interface that is shut down can only be restored manually by running the undo
shutdown command. To configure the interface to restore to Up state automatically, run the
error-down auto-recovery cause link-flap command in the system view to set a recovery delay.
The interface can then go Up automatically after the specified delay.
Run the display port-group [ all | port-group-name ] command to check information about
a port group.
----End
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.
When an Ethernet interface or Eth-Trunk fault occurs, run the following debugging commands
in the user view to locate the fault.
Procedure
Step 1 Run the debugging l2if [ error | event | msg | updown ] command to enable the debugging of
link layer features.
----End
[Figure: networking diagram for port isolation. Switch interfaces GE1/0/1, GE1/0/2, and GE1/0/3; hosts PC1 (10.10.10.1/24), PC2 (10.10.10.2/24), and PC3 (10.10.10.3/24).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable port isolation on the ports connected to PC1 and PC2 respectively to prevent PC1
and PC2 from communicating with each other.
Data Preparation
To complete the configuration, you need the following data:
- Port isolation mode: Layer 2 isolation and Layer 3 communication (default configuration)
- ID of the VLAN that the ports connected to PC1, PC2, and PC3 belong to (VLAN 1 by
default)
- Port isolation group that the ports connected to PC1 and PC2 belong to (group 1 by default)
Procedure
Step 1 Enable port isolation.
# Isolate ports on Layer 2 and allow them to communicate on Layer 3.
<Quidway> system-view
[Quidway] port-isolate mode l2
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
interface GigabitEthernet1/0/1
port-isolate enable group 1
#
interface GigabitEthernet1/0/2
port-isolate enable group 1
#
interface GigabitEthernet1/0/3
#
return
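An added example, not part of the Huawei document: a small Python audit that reads a saved configuration file like the one above and reports which interface pairs share a port isolation group, following the rule that ports in the same group are isolated from each other and that an omitted group ID means group 1. The function names, the expected-isolation list, and the GigabitEthernet1/0/4 stanza are assumptions made for the illustration; all ports are assumed to be in the same VLAN.

```python
import re
from itertools import combinations

# Constructed sample: the configuration file from the example above, plus one
# hypothetical interface (GigabitEthernet1/0/4) that omits the group ID.
SAMPLE_CONFIG = """\
#
sysname Quidway
#
interface GigabitEthernet1/0/1
 port-isolate enable group 1
#
interface GigabitEthernet1/0/2
 port-isolate enable group 1
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
 port-isolate enable
#
return
"""

# "port-isolate enable [ group group-id ]" as given in the procedure.
ISOLATE_RE = re.compile(r"^port-isolate enable(?:\s+group\s+(\d+))?$")


def parse_isolation_groups(config_text):
    """Return {interface name: set of isolation group IDs} for each interface stanza."""
    groups = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            current = None          # "#" closes the current stanza
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            groups.setdefault(current, set())
            continue
        if current is None:
            continue                # global command such as sysname
        match = ISOLATE_RE.match(line)
        if match:
            # No group ID means port isolation group 1.
            groups[current].add(int(match.group(1)) if match.group(1) else 1)
    return groups


def isolated_pairs(groups):
    """Pairs of interfaces that share at least one isolation group."""
    return {
        (a, b)
        for a, b in combinations(sorted(groups), 2)
        if groups[a] & groups[b]
    }


def audit(config_text, must_be_isolated):
    """Compare the configured isolation with the pairs the design requires."""
    groups = parse_isolation_groups(config_text)
    actual = isolated_pairs(groups)
    required = [tuple(sorted(pair)) for pair in must_be_isolated]
    return {
        "isolated": sorted(actual),
        # Required pairs that the configuration does not isolate.
        "missing": sorted(p for p in required if p not in actual),
        # Interfaces in no isolation group: they can reach every other port.
        "not_isolated": sorted(i for i, g in groups.items() if not g),
    }


if __name__ == "__main__":
    # Hypothetical requirement list: PC1/PC2 ports isolated, and a second
    # pair that the sample configuration does not satisfy.
    report = audit(
        SAMPLE_CONFIG,
        [("GigabitEthernet1/0/2", "GigabitEthernet1/0/1"),
         ("GigabitEthernet1/0/1", "GigabitEthernet1/0/3")],
    )
    for key, value in report.items():
        print(key, value)
```

The audit only covers group-based isolation from the configuration file; the global `port-isolate mode` setting and unidirectional isolation are not evaluated.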
This section provides several configuration examples of link aggregation in manual load
balancing mode and in static LACP mode.
Manual load balancing mode: Generally, all member interfaces are active interfaces unless
a fault occurs on these interfaces.
Static LACP mode: The interfaces connected to M links are active interfaces that are
responsible for forwarding data; the interfaces connected to N links are inactive interfaces
that are used for redundancy backup.
Applicable Environment
When the bandwidth or the reliability of two devices should be increased and either of the two
devices does not support LACP, you should create an Eth-Trunk in manual load balancing mode
on Switches and add member interfaces to the Eth-Trunk to increase the bandwidth and improve
reliability of devices.
As shown in Figure 2-2, Eth-Trunks are created between SwitchA and SwitchB.
Figure 2-2 Networking diagram for configuring link aggregation in load balancing mode
[Figure: SwitchA and SwitchB, each with Eth-Trunk 1, connected by the Eth-Trunk.]
Pre-configuration Tasks
Before configuring an Eth-Trunk in manual load balancing mode, complete the following tasks:
l
Data Preparation
To configure an Eth-Trunk in manual load balancing mode, you need the following data.
No.
Data
Check whether the Eth-Trunk contains member interfaces before you configure the operation mode of the
Eth-Trunk. If the Eth-Trunk contains member interfaces, the operation mode of the Eth-Trunk cannot be
changed. To delete member interfaces from the Eth-Trunk, run the undo eth-trunk command in the
interface view or run the undo trunkport interface-type interface-number command in the Eth-Trunk
view.
Do as follows on the S9300 where you need to configure an Eth-Trunk in manual load balancing
mode.
Procedure
Step 1 Run:
system-view
Procedure
l
Run:
system-view
Run:
interface eth-trunk trunk-id
Run:
trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-8>
Run:
system-view
Run:
interface interface-type interface-number
3.
Run:
eth-trunk trunk-id
Procedure
Step 1 Run:
system-view
- dst-ip: load balancing based on the destination IP address. In this mode, the system obtains
the specified three bits from each of the destination IP address and the TCP or UDP port
number in outgoing packets to perform the Exclusive-OR calculation, and then selects the
outgoing interface from the Eth-Trunk table according to the calculation result.
- dst-mac: load balancing based on the destination MAC address. In this mode, the system
obtains the specified three bits from each of the destination MAC address, VLAN ID,
Ethernet type, and incoming interface information to perform the Exclusive-OR calculation,
and then selects the outgoing interface from the Eth-Trunk table according to the calculation
result.
- src-ip: load balancing based on the source IP address. In this mode, the system obtains the
specified three bits from each of the source IP address and the TCP or UDP port number in
incoming packets to perform the Exclusive-OR calculation, and then selects the outgoing
interface from the Eth-Trunk table according to the calculation result.
- src-mac: load balancing based on the source MAC address. In this mode, the system obtains
the specified three bits from each of the source MAC address, VLAN ID, Ethernet type, and
incoming interface information to perform the Exclusive-OR calculation, and then selects
the outgoing interface from the Eth-Trunk table according to the calculation result.
- src-dst-ip: load balancing based on the Exclusive-OR result of the source IP address and
destination IP address. In this mode, the system performs the Exclusive-OR calculation
between the Exclusive-OR results of the dip and dmac modes, and then selects the outgoing
interface from the Eth-Trunk table according to the calculation result.
- src-dst-mac: load balancing based on the Exclusive-OR result of the source MAC address
and destination MAC address. In this mode, the system obtains three bits from each of the
source MAC address, destination MAC address, VLAN ID, Ethernet type, and incoming
interface information to perform the Exclusive-OR calculation, and then selects the outgoing
interface from the Eth-Trunk table according to the calculation result.
- Enhanced load balancing: The S9300 selects interfaces to forward packets according to the
load balancing mode defined for different packets by the enhanced load balancing profile.
Member interfaces of an Eth-Trunk perform per-flow load balancing. The local end and the
remote end can use different load balancing modes, and the load balancing mode on one end
does not affect load balancing on the other end.
----End
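The dst-ip and src-ip modes described above, modelled in Python as an added example (not Huawei code and not part of the original guide). It assumes the "specified three bits" are the low-order three bits and that the Eth-Trunk table has eight entries filled round-robin with the member interfaces; the flows are constructed sample data.

```python
import ipaddress
from collections import Counter

MASK3 = 0b111  # assumption: the "specified three bits" are the low-order three


def hash_index(ip: str, l4_port: int) -> int:
    """XOR three bits of the IP address with three bits of the TCP/UDP port."""
    return (int(ipaddress.ip_address(ip)) & MASK3) ^ (l4_port & MASK3)


def build_trunk_table(members):
    """Assumption: an 8-entry Eth-Trunk table filled round-robin with the members."""
    return [members[i % len(members)] for i in range(8)]


def select_member(mode, flow, table):
    """flow = (src_ip, src_port, dst_ip, dst_port); mode is 'src-ip' or 'dst-ip'."""
    src_ip, src_port, dst_ip, dst_port = flow
    if mode == "src-ip":
        index = hash_index(src_ip, src_port)
    elif mode == "dst-ip":
        index = hash_index(dst_ip, dst_port)
    else:
        raise ValueError(f"mode not modelled in this example: {mode}")
    return table[index]


def distribution(mode, flows, table):
    """Count how many flows each member interface carries under one mode."""
    return Counter(select_member(mode, flow, table) for flow in flows)


# Constructed sample: 16 clients talking to one HTTPS server over a 2-link trunk.
MEMBERS = ["GE2/0/0", "GE3/0/0"]
TABLE = build_trunk_table(MEMBERS)
FLOWS = [(f"10.0.0.{host}", 49152, "10.0.1.10", 443) for host in range(1, 17)]

if __name__ == "__main__":
    for mode in ("dst-ip", "src-ip"):
        print(mode, dict(distribution(mode, FLOWS, TABLE)))
```

With this sample, dst-ip places every flow toward the single server on one member link, while src-ip spreads the same flows across both; comparing per-member counters against the expected spread is a quick check for a mode that does not suit the traffic mix.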
Procedure
• Setting the upper threshold of the number of interfaces that determine bandwidth of the
Eth-Trunk
1.
Run:
system-view
Run:
interface eth-trunk trunk-id
Run:
max bandwidth-affected-linknumber link-number
The maximum number of interfaces that determine bandwidth of the Eth-Trunk is set.
By default, the maximum number of interfaces that determine bandwidth of the Eth-Trunk is 8.
NOTE
• The upper threshold of the number of interfaces that determine bandwidth of the Eth-Trunk of the
local S9300 and that of the remote S9300 can be different. If the upper thresholds at two ends
are different, the smaller one is used.
Run:
system-view
Run:
interface eth-trunk trunk-id
Run:
least active-linknumber link-number
• The lower threshold of the number of active interfaces of the local S9300 and that of the remote
S9300 can be different. If the lower thresholds at two ends are different, the larger one is used.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
load-balance-profile profile-name
A profile of enhanced Eth-Trunks in load balancing mode is created and the profile view is
displayed.
Step 3 Run:
l2 field [ dmac | l2-protocol | smac | sport | vlan ]
The load balancing mode of Layer 3 IPv4 packets is specified in the profile.
By default, load balancing of Layer 3 IPv4 packets is based on the source IP address (sip) and
destination IP address (dip) of each packet.
Step 5 Run:
ipv6 field [ dip | l4-dport | l4-sport | protocol | sip | sport | vlan ]
The load balancing mode of Layer 3 IPv6 packets is specified in the profile.
By default, load balancing of Layer 3 IPv6 packets is based on the source IP address (sip) and
destination IP address (dip) of each packet.
Step 6 Run:
mpls field [ 2nd-label | dip | sip | sport | top-label | vlan ]
Procedure
Step 1 Run:
system-view
Run the display trunkmembership eth-trunk trunk-id command to display the member
interfaces of the Eth-Trunk.
Run the display eth-trunk trunk-id command to display the load balancing status of the
Eth-Trunk.
----End
The links between two devices can implement redundancy backup. When a fault occurs on
some links, the backup links replace the faulty ones to keep data transmission uninterrupted.
[Figure: SwitchA and SwitchB connected through Eth-Trunk 1, with active and standby links]
Pre-configuration Tasks
Before configuring an Eth-Trunk in static LACP mode, complete the following tasks:
Data Preparation
To configure an Eth-Trunk in static LACP mode, you need the following data.
No.
Data
Check whether the Eth-Trunk contains member interfaces before you configure the operation mode of the
Eth-Trunk. If the Eth-Trunk contains member interfaces, the operation mode of the Eth-Trunk cannot be
changed. To delete member interfaces from the Eth-Trunk, run the undo eth-trunk command in the
interface view or run the undo trunkport interface-type interface-number command in the Eth-Trunk
view.
Do as follows on the S9300 where you need to configure an Eth-Trunk of static LACP mode.
Procedure
Step 1 Run:
system-view
Procedure
Run:
system-view
Run:
interface eth-trunk trunk-id
Run:
trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-8>
Run:
system-view
Run:
interface interface-type interface-number
Run:
eth-trunk trunk-id
Procedure
Step 1 Run:
system-view
interface information to perform the Exclusive-OR calculation, and then selects the outgoing
interface from the Eth-Trunk table according to the calculation result.
• Enhanced load balancing: The S9300 selects interfaces to forward packets according to the
load balancing mode defined for different packets by the enhanced load balancing profile.
Member interfaces of an Eth-Trunk perform per-flow load balancing. The local end and the
remote end can use different load balancing modes, and the load balancing mode on one end
does not affect load balancing on the other end.
----End
Procedure
Run:
system-view
Run:
interface eth-trunk trunk-id
Run:
max active-linknumber link-number
• The upper threshold of the number of active interfaces should not be smaller than the lower threshold
of the number of active interfaces.
• The upper threshold of the number of active interfaces of the local S9300 and that of the remote
S9300 can be different. If the upper thresholds at two ends are different, the smaller one is used.
Run:
system-view
Run:
interface eth-trunk trunk-id
Run:
least active-linknumber link-number
• The lower threshold of the number of active interfaces should not be larger than the upper
threshold of the number of active interfaces.
• The lower threshold of the number of active interfaces of the local S9300 and that of the remote
S9300 can be different. If the lower thresholds at two ends are different, the larger one is used.
----End
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
To ensure normal running of an Eth-Trunk, it is recommended that you enable or disable LACP preemption
on both ends of the Eth-Trunk.
Step 4 Run:
lacp preempt delay delay-time
Procedure
Step 1 Run:
system-view
The timeout for receiving LACP protocol packets on the Eth-Trunk is set.
NOTE
• After the lacp timeout command is used, the local end informs the peer end of the timeout interval
through LACP packets. If the fast keyword is selected, the interval for sending LACP packets is 1 second. If
the slow keyword is selected, the interval for sending LACP packets is 30 seconds.
• The timeout interval for receiving LACP packets is three times the interval for sending LACP packets.
That is, when the fast keyword is used, the timeout interval for receiving LACP packets is 3s; when
the slow keyword is used, the timeout interval for receiving LACP packets is 90s.
• You can select different keywords on the two ends. To facilitate the maintenance, however, it is
recommended that you select the same keyword on both ends.
----End
Context
Do as follows on the S9300s involved in the enhanced Eth-trunk in load balancing mode.
Procedure
Step 1 Run:
system-view
A profile of enhanced Eth-Trunks in load balancing mode is created and the profile view is
displayed.
Step 3 Run:
l2 field [ dmac | l2-protocol | smac | sport | vlan ]
The load balancing mode of Layer 3 IPv4 packets is specified in the profile.
By default, load balancing of Layer 3 IPv4 packets is based on the source IP address (sip) and
destination IP address (dip) of each packet.
Step 5 Run:
ipv6 field [ dip | l4-dport | l4-sport | protocol | sip | sport | vlan ]
The load balancing mode of Layer 3 IPv6 packets is specified in the profile.
By default, load balancing of Layer 3 IPv6 packets is based on the source IP address (sip) and
destination IP address (dip) of each packet.
Step 6 Run:
mpls field [ 2nd-label | dip | sip | sport | top-label | vlan ]
Procedure
Step 1 Run:
system-view
Run the display trunkmembership eth-trunk trunk-id command to display the member
interfaces of the Eth-Trunk.
----End
Pre-configuration Tasks
Before configuring an Eth-Trunk sub-interface, complete the following tasks:
Data Preparation
To configure an Eth-Trunk sub-interface, you need the following data.
No.
Data
When more than one IP address is set for an Eth-Trunk interface, the keyword sub can be used
to indicate the IP addresses other than the first IP address.
----End
Run the display interface eth-trunk [ trunk-id [.subnumber ] ] command to check the
status of an Eth-Trunk interface.
----End
Applicable Environment
As shown in Figure 2-4, the E-Trunk is used to protect the links between a CE and two PEs
when the CE is dual-homed to the two PEs. The CE is connected to PE1 and PE2 through a static
LACP Eth-Trunk respectively. The two Eth-Trunks form an E-Trunk to implement backup of
link aggregation groups between PE1 and PE2, enhancing the network reliability.
Figure 2-4 Networking diagram of the E-Trunk
[Figure: CE connected to PE1 through Eth-Trunk 1 and to PE2 through Eth-Trunk 2; PE1 and PE2 form E-Trunk1 toward the network]
Pre-configuration Tasks
Before configuring an E-Trunk, complete the following tasks:
Data Preparation
To configure an E-Trunk, you need the following data.
No.
Data
Encrypted password
Interval for sending hello packets and time multiplier for detecting hello packets
Context
Do as follows on the member devices of the E-Trunk.
Procedure
Step 1 Run:
system-view
The master and backup devices in an E-Trunk must use the same LACP priority.
----End
Context
Do as follows on the member devices of the E-Trunk.
Procedure
Step 1 Run:
system-view
An Eth-Trunk is created.
If the specified E-Trunk already exists, the E-Trunk view is displayed directly.
The member devices in an E-Trunk must be configured with the same E-Trunk ID.
At most 16 E-Trunks can be created on a device.
Step 3 Run:
priority priority
Context
Do as follows on the member devices of the E-Trunk.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Context
Do as follows on the member devices of the E-Trunk.
Procedure
Step 1 Run:
system-view
Context
Do as follows on the member devices of the E-Trunk.
Procedure
Step 1 Run:
system-view
Context
You can save the password in plain text or in cipher text.
• When the password is saved in plain text, it can be read directly in the configuration file.
Procedure
Step 1 Run:
system-view
CAUTION
If simple is selected, the password is saved in the configuration file in plain text. In this case,
users at a lower level can easily obtain the password by viewing the configuration file. This
brings security risks. Therefore, it is recommended that you select cipher to save the password
in cipher text.
----End
Context
Do as follows on the member devices of the E-Trunk.
Procedure
Step 1 Run:
system-view
Context
If an E-Trunk works with other services, after the master device recovers from a fault, the status
of the member Eth-Trunk on the master device may be restored before other services are restored.
If traffic is immediately switched back to the master device, service traffic will be interrupted.
After the revertive switching delay is set, the local Eth-Trunk becomes Up only after the delay
timer times out. Then the local device becomes the master again. This delays the revertive
switching of the service traffic, thus ensuring uninterrupted forwarding of the service traffic.
Do as follows on the member devices of the E-Trunk.
Procedure
Step 1 Run:
system-view
Procedure
• Run the display e-trunk e-trunk-id command to view information about the E-Trunk.
----End
Applicable Environment
Deploying a CSS increases the total capacity of switches. An inter-chassis Eth-Trunk interface
helps implement backup between switches, improving reliability. However, an Eth-Trunk
interface selects member interfaces to forward traffic based on the hash algorithm. As a result,
traffic flowing into a chassis may be forwarded by another chassis. This occupies bandwidth
resources between chassis and degrades traffic forwarding efficiency. To prevent this problem,
you can configure the inter-chassis Eth-Trunk interface to forward traffic preferentially through
a local member interface.
CAUTION
Before configuring an inter-chassis Eth-Trunk interface to forward traffic preferentially through
a local member interface, ensure that the outbound bandwidth of Eth-Trunk member interfaces
is sufficient for forwarding traffic; otherwise, certain traffic may be discarded.
[Figure 2-5: two panels, each labelled Eth-Trunk, CSS, Switch1, Switch2, Switch3 and Switch4]
In the CSS shown in Figure 2-5, an Eth-Trunk interface is configured to be the outbound
interface of traffic to ensure reliable transmission. Obviously, member interfaces of the Eth-Trunk
interface are on different chassis. When the CSS forwards traffic, the Eth-Trunk interface
may select an inter-chassis member interface based on the hash algorithm. This increases
bandwidth usage between chassis and degrades traffic forwarding efficiency.
To prevent the preceding problem in the case of comprehensive networking with the CSS and
trunk interface, Huawei develops the technique to enable an inter-chassis Eth-Trunk interface
to forward traffic preferentially through a local member interface.
• CSS
A CSS is a logical device formed by connecting two switches through stack cables.
After switches are stacked, interfaces of the CSS are named in the format of chassis ID/slot ID/subcard
number/interface number. For example, the number 2 in GE 2/1/0/1 indicates the chassis number.
• Inter-chassis Eth-Trunk interface
Physical interfaces in the CSS are added to an Eth-Trunk interface. When a switch in the CSS fails or
a physical interface added to the Eth-Trunk interface fails, traffic can be transmitted between chassis
through stack cables. This ensures reliable transmission and implements device backup.
Pre-configuration Tasks
Before configuring an inter-chassis Eth-Trunk interface to forward traffic preferentially through
a local member interface, complete the following task:
• Connecting devices correctly and completing CSS configurations so that a CSS can be
established
Data Preparation
To configure an inter-chassis Eth-Trunk interface to forward traffic preferentially through a local
member interface, you need the following data.
No.
Data
Context
CAUTION
Before configuring an inter-chassis Eth-Trunk interface to forward traffic preferentially through
a local member interface, ensure that the outbound bandwidth of Eth-Trunk member interfaces
is sufficient for forwarding traffic; otherwise, certain traffic may be discarded.
Procedure
Step 1 Run:
system-view
The view of the Eth-Trunk interface that needs to be configured to forward traffic preferentially
through a local member interface is displayed.
Step 3 Run:
local-preference enable
The Eth-Trunk interface is configured to forward traffic preferentially through a local member
interface.
By default, an inter-chassis Eth-Trunk interface is enabled to forward traffic preferentially
through a local Eth-Trunk member interface.
----End
Prerequisite
An Eth-Trunk interface has been configured to forward traffic preferentially through a local
member interface.
Procedure
----End
Context
CAUTION
The statistics of LACP packets cannot be restored after you clear them. So, confirm the action
before you use the command.
Procedure
• Run the reset lacp statistics eth-trunk [ trunk-id ] command to clear statistics of received
and sent LACP packets.
----End
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.
When a running fault occurs in the link aggregation group, run the following debugging
commands in the user view to check the debugging information, and locate and analyze the fault.
Procedure
• Run the debugging trunk error command to enable the debugging of Eth-Trunk errors.
• Run the debugging trunk event command to enable the debugging of Eth-Trunk events.
• Run the debugging trunk lacp-pdu command to enable the debugging of LACP packets.
• Run the debugging trunk lagmsg command to enable the debugging of LACP protocol
messages.
• Run the debugging trunk msg command to enable the debugging of Eth-Trunk messages.
• Run the debugging trunk state-machine command to enable the debugging of Eth-Trunk
status machine.
• Run the debugging trunk updown command to enable the debugging of Eth-Trunk Up
and Down messages.
• Run the debugging trunk command to enable the debugging of Eth-Trunk messages.
----End
Context
During the daily maintenance, you can run the following commands in any view to check the
operation status of the link aggregation group.
Procedure
• Run the display lacp statistics eth-trunk [ trunk-id [ interface interface-type
interface-number ] ] command to display the statistics of sent and received LACP packets.
• Run the display trunkmembership eth-trunk trunk-id command to display the member
interfaces of the Eth-Trunk.
----End
Figure 2-6 Networking diagram for configuring link aggregation in manual load balancing mode
[Figure labels: SwitchA, Switch, Eth-Trunk 60, Eth-Trunk 120, GE2/0/0, GE3/0/0, GE1/0/0 (VLAN 100-150), GE1/0/5 (VLAN 151-200), two LAN switches]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk.
2.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create an Eth-Trunk.
# Create Eth-Trunk 120.
<Quidway> system-view
[Quidway] sysname Switch
[Switch] interface eth-trunk 120
[Switch-Eth-Trunk120] quit
The preceding information indicates that Eth-Trunk 120 consists of member interfaces GE 2/0/0
and GE 3/0/0. The member interfaces are both in Up state.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
interface Eth-Trunk120
 port link-type trunk
 port trunk allow-pass vlan 100 to 200
#
interface GigabitEthernet2/0/0
 eth-trunk 120
#
interface GigabitEthernet3/0/0
 eth-trunk 120
#
return
N links between two Switches can carry out redundancy backup. When a fault occurs on
an active link, the backup link replaces the faulty link to keep the reliability of data
transmission.
Figure 2-7 Networking diagram for configuring link aggregation in static LACP mode
[Figure: SwitchA and SwitchB, each with Eth-Trunk 1 containing GE 1/0/1, GE 1/0/2 and GE 1/0/3; the links are marked as active links or backup links]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk on the Switch and configure the Eth-Trunk to work in static LACP
mode.
2.
3.
4.
5. Set the priority of the interface and determine the active link.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create Eth-Trunk 1 and set the load balancing mode of the Eth-Trunk to static LACP mode.
# Configure SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] mode lacp-static
[SwitchA-Eth-Trunk1] quit
# Configure SwitchB.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] interface eth-trunk 1
[SwitchB-Eth-Trunk1] mode lacp-static
[SwitchB-Eth-Trunk1] quit
# Configure SwitchB.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] eth-trunk 1
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] eth-trunk 1
[SwitchB-GigabitEthernet1/0/2] quit
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] eth-trunk 1
[SwitchB-GigabitEthernet1/0/3] quit
Step 3 Set the system priority on SwitchA to 100 so that SwitchA becomes the Actor.
[SwitchA] lacp priority 100
Step 4 Set the upper threshold M of active interfaces on SwitchA to 2.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] max active-linknumber 2
[SwitchA-Eth-Trunk1] quit
Step 5 Set the priority of the interface and determine active links on SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] lacp priority 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] lacp priority 100
[SwitchA-GigabitEthernet1/0/2] quit
The preceding information shows that the system priority of SwitchA is 100 and it is higher than
the system priority of SwitchB. Member interfaces GE1/0/1 and GE1/0/2 become the active
interfaces and are in Selected state. Interface GE1/0/3 is in Unselect state. M active links work
in load balancing mode and N links are the backup links.
----End
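The selection result above (GE1/0/1 and GE1/0/2 Selected, GE1/0/3 Unselect) can be reproduced with a small model of static LACP active-link selection; this is an added example, not Huawei code and not part of the original guide. It assumes a default system and interface priority of 32768, default thresholds of 8 and 1, constructed MAC addresses used only to break ties, identically named ports on both ends, and that the Eth-Trunk goes Down when fewer links than the lower threshold can be selected.

```python
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768  # assumption: default LACP system and interface priority


@dataclass
class Switch:
    name: str
    mac: str                                 # constructed value, tie-break only
    system_priority: int = DEFAULT_PRIORITY  # lacp priority
    max_active: int = 8                      # max active-linknumber (assumed default)
    least_active: int = 1                    # least active-linknumber (assumed default)
    port_priority: dict = field(default_factory=dict)  # port name -> lacp priority


def pick_actor(a, b):
    """The end with the smaller system priority value is the Actor; MAC breaks a tie."""
    return min((a, b), key=lambda s: (s.system_priority, s.mac))


def port_number(port):
    """'GE1/0/3' -> (1, 0, 3) so that ports sort numerically."""
    return tuple(int(part) for part in port[2:].split("/"))


def select_links(local, remote, up_ports):
    """Return which Up member links are Selected, following the Actor's port priorities."""
    actor = pick_actor(local, remote)
    upper = min(local.max_active, remote.max_active)      # smaller upper threshold is used
    lower = max(local.least_active, remote.least_active)  # larger lower threshold is used
    ranked = sorted(
        up_ports,
        key=lambda p: (actor.port_priority.get(p, DEFAULT_PRIORITY), port_number(p)),
    )
    selected, unselected = ranked[:upper], ranked[upper:]
    trunk_up = len(selected) >= lower
    if not trunk_up:  # assumption: below the lower threshold nothing forwards
        selected, unselected = [], ranked
    return {"actor": actor.name, "trunk_up": trunk_up,
            "selected": selected, "unselected": unselected}


# Values from the example above: SwitchA priority 100, M = 2, two ports at priority 100.
SWITCH_A = Switch("SwitchA", "00e0-fc00-0001", system_priority=100, max_active=2,
                  port_priority={"GE1/0/1": 100, "GE1/0/2": 100})
SWITCH_B = Switch("SwitchB", "00e0-fc00-0002")
# Hypothetical peer that demands at least two active links.
SWITCH_B_STRICT = Switch("SwitchB", "00e0-fc00-0002", least_active=2)
PORTS = ["GE1/0/1", "GE1/0/2", "GE1/0/3"]

if __name__ == "__main__":
    print(select_links(SWITCH_A, SWITCH_B, PORTS))
    print(select_links(SWITCH_A, SWITCH_B, ["GE1/0/2", "GE1/0/3"]))  # GE1/0/1 failed
    print(select_links(SWITCH_A, SWITCH_B_STRICT, ["GE1/0/3"]))      # two links failed
```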
Configuration Files
#
sysname SwitchA
#
#
sysname SwitchB
#
interface Eth-Trunk1
 mode lacp-static
#
interface GigabitEthernet1/0/1
 eth-trunk 1
#
interface GigabitEthernet1/0/2
 eth-trunk 1
#
interface GigabitEthernet1/0/3
 eth-trunk 1
#
return
[Figure 2-8 labels: CE1 (Eth-Trunk20, VLAN10), PE1 and PE2 (Eth-Trunk10, Loopback1) forming E-Trunk1, PE3 (Loopback1), CE2 (VLAN10)]

Switch  Interface               VLANIF interface  IP address
PE1     GigabitEthernet1/0/0    VLANIF 100        10.1.1.1/24
        GigabitEthernet1/0/1    -                 -
        GigabitEthernet1/0/2    -                 -
        Loopback1               -                 1.1.1.9/32
PE2     GigabitEthernet1/0/0    VLANIF 200        10.1.2.1/24
        GigabitEthernet1/0/1    -                 -
        GigabitEthernet1/0/2    -                 -
        Loopback1               -                 2.2.2.9/32
PE3     GigabitEthernet1/0/0    -                 -
        GigabitEthernet1/0/0.1  -                 -
        GigabitEthernet1/0/1    VLANIF 100        10.1.1.2/24
        GigabitEthernet1/0/2    VLANIF 200        10.1.2.2/24
        Loopback1               -                 3.3.3.9/32
CE1     GigabitEthernet1/0/1    -                 -
        GigabitEthernet1/0/2    -                 -
        GigabitEthernet1/0/3    -                 -
        GigabitEthernet1/0/4    -                 -
CE2     GigabitEthernet1/0/0    -                 -
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Data Preparation
To complete the configuration, you need the following data:
• E-Trunk priority
• Interval for sending hello packets and time multiplier for detecting hello packets
Procedure
Step 1 Configure VLANs and IP addresses on the PW-side interfaces according to Figure 2-8.
Configure a routing protocol on the backbone network to ensure that devices can communicate
with each other. OSPF is used in this example.
Configuration details are not mentioned here.
After the configuration is complete, PE1, PE2, and PE3 use OSPF to discover IP routes to
Loopback1 of one another, and they can ping one another. Run the display ip routing-table
command on PE1, PE2, and PE3. You can see that the PEs have learned the routes to one another.
NOTE
• The AC-side interface and PW-side interface of a PE cannot be added to the same VLAN; otherwise,
a loop occurs.
• When configuring OSPF, configure PE1, PE2, and PE3 to advertise 32-bit loopback addresses.
Step 2 Configure an Eth-Trunk in static LACP mode on CE1, PE1, and PE2, and add member interfaces
to the Eth-Trunk. Configure Layer 2 forwarding on CE1.
# Configure CE1.
[CE1] vlan batch 10
[CE1] interface eth-trunk 20
[CE1-Eth-Trunk20] port link-type trunk
[CE1-Eth-Trunk20] port trunk allow-pass vlan 10
[CE1-Eth-Trunk20] mode lacp-static
[CE1-Eth-Trunk20] trunkport GigabitEthernet 1/0/1 to 1/0/4
[CE1-Eth-Trunk20] quit
# Configure PE1.
[PE1] interface eth-trunk 10
[PE1-Eth-Trunk10] mode lacp-static
[PE1-Eth-Trunk10] trunkport GigabitEthernet 1/0/1 to 1/0/2
[PE1-Eth-Trunk10] quit
# Configure PE2.
[PE2] interface eth-trunk 10
[PE2-Eth-Trunk10] mode lacp-static
[PE2-Eth-Trunk10] trunkport GigabitEthernet 1/0/1 to 1/0/2
[PE2-Eth-Trunk10] quit
Step 3 Create an E-Trunk and set the LACP priority, LACP system ID, E-Trunk priority, local and
remote IP addresses, time multiplier for detecting hello packets, and interval for sending hello
packets.
# Configure PE1.
[PE1] e-trunk 1
[PE1-e-trunk-1] quit
[PE1] lacp e-trunk priority 1
[PE1] lacp e-trunk system-id 00E0-FC00-0000
[PE1] e-trunk 1
[PE1-e-trunk-1] priority 10
[PE1-e-trunk-1] timer hold-on-failure multiplier 3
[PE1-e-trunk-1] timer hello 9
# Configure PE2.
[PE2] e-trunk 1
[PE2-e-trunk-1] quit
[PE2] lacp e-trunk priority 1
[PE2] lacp e-trunk system-id 00E0-FC00-0000
[PE2] e-trunk 1
[PE2-e-trunk-1] priority 20
[PE2-e-trunk-1] quit
[PE2] e-trunk 1
[PE2-e-trunk-1] peer-address 1.1.1.9 source-address 2.2.2.9
[PE2-e-trunk-1] quit
# Configure PE2.
[PE2] e-trunk 1
[PE2-e-trunk-1] quit
[PE2] interface eth-trunk 10
[PE2-Eth-Trunk10] e-trunk 1
[PE2-Eth-Trunk10] quit
The IP addresses of the local and remote ends of a BFD session must be the same as those
of the E-Trunk.
# Configure PE2.
[PE2] bfd
[PE2-bfd] quit
[PE2] bfd hello bind peer-ip 1.1.1.9 source-ip 2.2.2.9
[PE2-bfd-session-hello] discriminator local 2
[PE2-bfd-session-hello] discriminator remote 1
[PE2-bfd-session-hello] commit
[PE2-bfd-session-hello] quit
# Configure PE2.
[PE2] e-trunk 1
[PE2-e-trunk-1] e-trunk track bfd-session 2
[PE2-e-trunk-1] quit
Step 6 Configure PEs so that CE1 can access the VPLS network.
1. Configure basic MPLS functions and LDP on PE1, PE2, and PE3.
Configuration details are not mentioned here.
2.
3.
4. Create a VSI on PE1, PE2, and PE3 and specify LDP as the signaling protocol in the VSI.
Configuration details are not mentioned here.
5. Configure an Eth-Trunk sub-interface on PE1 and PE2, and bind the VSI to the Eth-Trunk
sub-interface.
# Configure PE1.
[PE1] interface Eth-Trunk 10.1
[PE1-Eth-Trunk10.1] control-vid 300 dot1q-termination
[PE1-Eth-Trunk10.1] dot1q termination vid 10
[PE1-Eth-Trunk10.1] l2 binding vsi ldp1
[PE1-Eth-Trunk10.1] quit
# Configure PE2.
[PE2] interface Eth-Trunk 10.1
[PE2-Eth-Trunk10.1] control-vid 300 dot1q-termination
[PE2-Eth-Trunk10.1] dot1q termination vid 10
[PE2-Eth-Trunk10.1] l2 binding vsi ldp1
[PE2-Eth-Trunk10.1] quit
6.
ID     Work-Mode    State     Causation
10     auto         Master    PEER_MEMBER_DOWN
The preceding information shows that the E-Trunk priority on PE1 is 10, and the E-Trunk
status is Master; the E-Trunk priority on PE2 is 20, and the E-Trunk status is Backup. Link
backup is implemented.
----End
Configuration Files
 timer hello 9
 e-trunk track bfd-session 1
#
bfd
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 3.3.3.9
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.9
 remote-ip 3.3.3.9
#
interface Vlanif 100
 ip address 10.1.1.1 255.255.255.0
 mpls
 mpls ldp
#
interface Eth-Trunk10
 mode lacp-static
 e-trunk 1
#
interface Eth-Trunk10.1
 control-vid 300 dot1q-termination
 dot1q termination vid 10
 l2 binding vsi ldp1
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/1
 eth-trunk 10
#
interface GigabitEthernet1/0/2
 eth-trunk 10
#
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
#
bfd hello bind peer-ip 2.2.2.9 source-ip 1.1.1.9
 discriminator local 1
 discriminator remote 2
 commit
#
ospf 1
 area 0.0.0.0
  network 1.1.1.9 0.0.0.0
  network 10.1.1.0 0.0.0.255
#
return
e-trunk 1
 priority 20
 peer-address 1.1.1.9 source-address 2.2.2.9
 timer hello 9
 e-trunk track bfd-session 2
#
bfd
#
mpls lsr-id 2.2.2.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 3.3.3.9
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.9
 remote-ip 3.3.3.9
#
interface Vlanif 200
 ip address 10.1.2.1 255.255.255.0
 mpls
 mpls ldp
#
interface Eth-Trunk 10
 mode lacp-static
 e-trunk 1
#
interface Eth-Trunk10.1
 control-vid 300 dot1q-termination
 dot1q termination vid 10
 l2 binding vsi ldp1
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/1
 eth-trunk 10
#
interface GigabitEthernet1/0/2
 eth-trunk 10
#
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
#
bfd hello bind peer-ip 1.1.1.9 source-ip 2.2.2.9
 discriminator local 2
 discriminator remote 1
 commit
#
ospf 1
 area 0.0.0.0
  network 2.2.2.9 0.0.0.0
  network 10.1.2.0 0.0.0.255
#
return
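The PE1 and PE2 files must agree with each other (same E-Trunk ID and LACP E-Trunk settings, mirrored addresses and BFD discriminators, BFD addresses equal to the E-Trunk addresses), and a key saved with the simple keyword is readable in the file. The following added example, which is not Huawei code and not part of the original guide, audits a pair of configuration files for those points. It assumes sub-commands are indented under their parent command; PE1's peer-address line is inferred as the mirror of PE2's, and the command name security-key in the drifted sample is an assumption because the command is not shown in this excerpt.

```python
import re

# Constructed samples assembled from the PE1/PE2 commands on this page.
PE1 = """\
lacp e-trunk priority 1
lacp e-trunk system-id 00E0-FC00-0000
#
e-trunk 1
 priority 10
 peer-address 2.2.2.9 source-address 1.1.1.9
 timer hello 9
 e-trunk track bfd-session 1
#
bfd hello bind peer-ip 2.2.2.9 source-ip 1.1.1.9
 discriminator local 1
 discriminator remote 2
 commit
"""
PE2 = """\
lacp e-trunk priority 1
lacp e-trunk system-id 00E0-FC00-0000
#
e-trunk 1
 priority 20
 peer-address 1.1.1.9 source-address 2.2.2.9
 timer hello 9
 e-trunk track bfd-session 2
#
bfd hello bind peer-ip 1.1.1.9 source-ip 2.2.2.9
 discriminator local 2
 discriminator remote 1
 commit
"""
# Constructed drift: LACP priority changed, BFD peer mistyped, plain-text key added.
PE2_DRIFTED = (PE2.replace("lacp e-trunk priority 1", "lacp e-trunk priority 2")
               .replace("bind peer-ip 1.1.1.9", "bind peer-ip 1.1.1.8")
               .replace(" priority 20\n", " priority 20\n security-key simple Example123\n"))


def parse_stanzas(text):
    """Map each column-0 command to the indented sub-commands beneath it."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if raw[0].isspace() and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = raw.strip()
            stanzas.setdefault(current, [])
    return stanzas


def facts(text):
    """Extract the E-Trunk, LACP and BFD settings that must agree between peers."""
    f = {"plaintext": []}
    for header, body in parse_stanzas(text).items():
        if m := re.fullmatch(r"e-trunk (\d+)", header):
            f["etrunk_id"] = m.group(1)
            for line in body:
                if pm := re.fullmatch(r"peer-address (\S+) source-address (\S+)", line):
                    f["peer"], f["source"] = pm.groups()
                if re.search(r"\bsimple\b", line):
                    f["plaintext"].append(line.split()[0])  # never echo the key itself
        elif m := re.fullmatch(r"bfd \S+ bind peer-ip (\S+) source-ip (\S+)", header):
            f["bfd_peer"], f["bfd_source"] = m.groups()
            for line in body:
                if dm := re.fullmatch(r"discriminator (local|remote) (\d+)", line):
                    f["disc_" + dm.group(1)] = dm.group(2)
        elif m := re.fullmatch(r"lacp e-trunk (priority|system-id) (\S+)", header):
            f["lacp_" + m.group(1)] = m.group(2).lower()
    return f


def check_pair(name_a, text_a, name_b, text_b):
    """Return a list of findings; an empty list means the two files are consistent."""
    a, b = facts(text_a), facts(text_b)
    findings = []
    for key, label in (("etrunk_id", "E-Trunk ID"),
                       ("lacp_priority", "LACP E-Trunk priority"),
                       ("lacp_system-id", "LACP E-Trunk system ID")):
        if a.get(key) != b.get(key):
            findings.append(f"{label} differs: {a.get(key)} vs {b.get(key)}")
    if (a.get("peer"), a.get("source")) != (b.get("source"), b.get("peer")):
        findings.append("peer-address/source-address are not mirrored")
    for name, f in ((name_a, a), (name_b, b)):
        if (f.get("bfd_peer"), f.get("bfd_source")) != (f.get("peer"), f.get("source")):
            findings.append(f"{name}: BFD session addresses do not match the E-Trunk")
        for command in f["plaintext"]:
            findings.append(f"{name}: '{command}' uses the simple keyword (plain text)")
    if (a.get("disc_local"), a.get("disc_remote")) != (b.get("disc_remote"), b.get("disc_local")):
        findings.append("BFD discriminators are not mirrored")
    return findings
```

Calling check_pair("PE1", PE1, "PE2", PE2) returns an empty list, while the drifted PE2 sample yields three findings without printing the key value.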
#
mpls l2vpn
#
vsi ldp1 static
 pwsignal ldp
  vsi-id 2
  peer 1.1.1.9
  peer 2.2.2.9
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.9
 remote-ip 1.1.1.9
#
mpls ldp remote-peer 2.2.2.9
 remote-ip 2.2.2.9
#
interface Vlanif 100
 ip address 10.1.1.2 255.255.255.0
 mpls
 mpls ldp
#
interface Vlanif 200
 ip address 10.1.2.2 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/0.1
 control-vid 300 dot1q-termination
 dot1q termination vid 10
 l2 binding vsi ldp1
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 200
#
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 3.3.3.9 0.0.0.0
  network 10.1.2.0 0.0.0.255
  network 10.1.1.0 0.0.0.255
#
return
Networking Requirements
On the network shown in Figure 2-9, switch 3 and switch 4 are connected through stack cables
to increase the total capacity of devices. In this manner, the two switches are considered as a
logical switch. To implement backup between devices and improve reliability, physical
interfaces on the two switches are added to an Eth-Trunk interface. In normal conditions, when
checking information about member interfaces on the PE, you can find that traffic from VLAN
2 is forwarded through GE 1/0/2 rather than GE 1/0/1; traffic from VLAN 3 is forwarded through
GE 1/0/2.
To ensure that traffic from VLAN 2 is forwarded through GE 1/0/1 and traffic from VLAN 3 is
forwarded through GE 1/0/2, configure the Eth-Trunk interface to forward traffic preferentially
through a local member interface.
Figure 2-9 Configuring an Eth-Trunk interface to forward traffic preferentially through a local
member interface
[Figure labels: Network, PE (GE1/0/1, GE1/0/2), Eth-Trunk 10, CSS of Switch3 (GE1/1/0/3, GE1/1/0/4) and Switch4 (GE2/1/0/3, GE2/1/0/4), Switch1 (GE1/0/1, GE1/0/2, VLAN 2), Switch2 (GE1/0/1, GE1/0/2, VLAN 3)]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3. Configure the Eth-Trunk interface to forward traffic preferentially through a local member
interface.
4.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create an Eth-Trunk interface and configure the ID of a VLAN from which packets can pass
through the Eth-Trunk interface.
# Configure the CSS.
<Quidway> system-view
[Quidway] sysname CSS
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] port trunk allow-pass vlan all
[CSS-Eth-Trunk10] quit
Step 3 In the CSS view, configure the Eth-Trunk interface to forward traffic preferentially through a
local member interface.
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] local-preference enable
[CSS-Eth-Trunk10] quit
# Configure switch 1.
<Quidway> system-view
[Quidway] sysname Switch1
[Switch1] vlan 2
[Switch1-vlan2] quit
[Switch1] interface gigabitethernet 1/0/1
[Switch1-GigabitEthernet1/0/1] port link-type trunk
[Switch1-GigabitEthernet1/0/1] port trunk allow-pass vlan 2
[Switch1-GigabitEthernet1/0/1] quit
[Switch1] interface gigabitethernet 1/0/2
[Switch1-GigabitEthernet1/0/2] port link-type trunk
[Switch1-GigabitEthernet1/0/2] port trunk allow-pass vlan 2
[Switch1-GigabitEthernet1/0/2] quit
# Configure switch 2.
<Quidway> system-view
[Quidway] sysname Switch2
[Switch2] vlan 3
[Switch2-vlan3] quit
[Switch2] interface gigabitethernet 1/0/1
[Switch2-GigabitEthernet1/0/1] port link-type trunk
[Switch2-GigabitEthernet1/0/1] port trunk allow-pass vlan 3
[Switch2-GigabitEthernet1/0/1] quit
[Switch2] interface gigabitethernet 1/0/2
[Switch2-GigabitEthernet1/0/2] port link-type trunk
[Switch2-GigabitEthernet1/0/2] port trunk allow-pass vlan 3
[Switch2-GigabitEthernet1/0/2] quit
----End
Configuration Files
l
#
vlan batch 3
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 3
#
return
3 VLAN Configuration
Configuring an mVLAN allows users to use the IP address of the VLANIF interface
corresponding to the mVLAN to log in to a management switch to manage devices attached to
the switch.
3.10 Configuring VLAN Transparent Transport
VLAN transparent transport improves forwarding efficiency. A switch directly forwards packets
of a specific VLAN without sending the packets to its CPU.
3.11 Maintaining VLAN
Running a command to clear statistics helps locate faults in a VLAN.
3.12 Configuration Examples
This section provides several examples of VLAN configuration.
3.1 Introduction
The VLAN technology is important for forwarding on Layer 2 networks. This section describes
the background, functions, and advantages of the VLAN technology.
Overview of VLAN
Ethernet is a technology for sharing communication media and data based on Carrier
Sense Multiple Access/Collision Detect (CSMA/CD). If there are a large number of PCs on an
Ethernet network, collision becomes a serious problem and can lead to broadcast storms. As a
result, network performance deteriorates. This can even cause the Ethernet network to become
unavailable. Switches can be used to interconnect local area networks (LANs). Switches forward
information received by inbound ports to specified outbound ports, thereby preventing access
collision in a shared medium. If no specified outbound port is found for information received
by an inbound port, the switch will forward the information from all ports except the inbound
port. This forms a broadcast domain.
To prevent broadcast domains from being too broad and causing problems, you can divide a
network into segments. In this manner, a large broadcast domain is divided into multiple small
broadcast domains to confine the possible scope of broadcast packets. Routers can be deployed
at the network layer to separate broadcast domains, but this method has disadvantages, which
include: complex network planning, inflexible networking, and high levels of expenditure. The
Virtual Local Area Network (VLAN) technology can divide a large Layer 2 network into
broadcast domains to prevent broadcast storms and protect network security.
Definition of VLAN
The VLAN technology is used to divide a physical LAN into multiple logical broadcast domains,
each of which is called a VLAN. Each VLAN contains a group of PCs that have the same
requirements. A VLAN has the same attributes as a LAN. PCs of a VLAN can be placed on
different LAN segments. If two PCs are located on one LAN segment but belong to different
VLANs, they do not broadcast packets to each other. With VLAN, the broadcast traffic volume
is reduced; fewer devices are required; network management is simplified; and network security
is improved.
Figure 3-1 shows a typical VLAN application. Three switches are placed in different locations,
for example, different stories of an office building. The VLAN technology allows enterprises to
share LAN facilities and ensures information security for each enterprise network.
[Figure 3-1: a router and Switch1, Switch2 and Switch3 carrying VLAN-A, VLAN-B and VLAN-C.]
Broadcast domains are confined. A broadcast domain is confined to a VLAN. This saves
bandwidth and improves network processing capabilities.
Network security is enhanced. Packets from different VLANs are separately transmitted.
PCs in one VLAN cannot directly communicate with PCs in another VLAN.
Network robustness is improved. A fault in a VLAN does not affect PCs in other VLANs.
Virtual groups are set up flexibly. With the VLAN technology, PCs in different
geographical areas can be grouped together. This facilitates network construction and
maintenance.
[Figure: traditional Ethernet frame format: Destination address (6 bytes), Source address (6 bytes), Length/Type (2 bytes), Data (46-1500 bytes), FCS (4 bytes).]
IEEE 802.1Q is an Ethernet networking standard for a specified Ethernet frame format. It
adds a 32-bit field between the Source address and the Length/Type fields of the original
frame, as shown in Figure 3-3.
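[Figure 3-3: 802.1Q frame format. The 4-byte 802.1Q tag consists of TPID (2 bytes), PRI, CFI and VID; Data and FCS follow as in the original frame.]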
Tag Protocol Identifier (TPID): a 16-bit field set to a value of 0x8100 in order to identify
the frame as an IEEE 802.1Q-tagged frame. If an 802.1Q-incapable device receives an
802.1Q frame, it will discard the frame.
Priority (PRI): a 3-bit field which indicates the frame priority. The value ranges from 0
to 7. The greater the value, the higher the priority. These values can be used to prioritize
different classes of traffic to ensure that frames with high priorities are transmitted first
when traffic is heavy.
Canonical Format Indicator (CFI): a 1-bit field. If the value of this field is 1, the MAC
address is in the non-canonical format. If the value is 0, the MAC address is in the
canonical format. CFI is used to ensure compatibility between Ethernet networks and
Token Ring networks. It is always set to zero for Ethernet switches.
VLAN Identifier (VID): a 12-bit field specifying the VLAN to which the frame belongs.
The field value ranges from 0 to 4095. The values 0 and 4095 are reserved,
and therefore VLAN IDs on the S9300 range from 1 to 4094.
Each frame sent by an 802.1Q-capable switch carries a VLAN ID. On a VLAN, Ethernet
frames are classified into the following types:
Tagged frames: frames with a 32-bit 802.1Q tag.
Untagged frames: frames without a 32-bit 802.1Q tag.
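The tag layout described above can be checked at byte level. The following Python sketch is an added example, not part of the original guide: it builds and parses frames with the TPID, PRI, CFI and VID fields, reports reserved VLAN IDs, and rejects truncated tags. The MAC addresses and payload are constructed sample values, and the FCS is omitted.

```python
import struct

TPID_8021Q = 0x8100        # TPID value that marks an 802.1Q-tagged frame
RESERVED_VIDS = (0, 4095)  # reserved values; usable VLAN IDs are 1 to 4094

# Constructed sample addresses (locally administered), not taken from the guide.
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")


def build_frame(dst, src, length_type, data, vid=None, pri=0, cfi=0):
    """Build an Ethernet frame without FCS; add an 802.1Q tag when vid is given."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vid is not None:
        if not (0 <= vid <= 0x0FFF and 0 <= pri <= 7 and cfi in (0, 1)):
            raise ValueError("PRI, CFI or VID out of range")
        # 16-bit TPID followed by PRI (3 bits), CFI (1 bit), VID (12 bits).
        tci = (pri << 13) | (cfi << 12) | vid
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", length_type) + data


def parse_frame(frame):
    """Split a frame into its fields; raise ValueError if it is truncated."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (field,) = struct.unpack("!H", frame[12:14])
    if field != TPID_8021Q:
        # No tag: the two bytes after the source address are Length/Type.
        return {"tagged": False, "dst": dst, "src": src,
                "length_type": field, "data": frame[14:]}
    if len(frame) < 18:
        raise ValueError("802.1Q tag or Length/Type field truncated")
    tci, length_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    return {
        "tagged": True, "dst": dst, "src": src,
        "pri": tci >> 13,
        "cfi": (tci >> 12) & 1,
        "vid": vid,
        "vid_usable": vid not in RESERVED_VIDS,
        "length_type": length_type,
        "data": frame[18:],
    }


if __name__ == "__main__":
    payload = bytes(46)  # minimum data length
    for sample in (build_frame(DST, SRC, 0x0800, payload),
                   build_frame(DST, SRC, 0x0800, payload, vid=3, pri=5),
                   build_frame(DST, SRC, 0x0800, payload, vid=4095)):
        info = parse_frame(sample)
        print(len(sample), {k: v for k, v in info.items() if k != "data"})
```
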
l
Definition
Port-based
VLAN division
VLAN
Division
Method
Definition
IP subnet-based
VLAN division
Policy-based
VLAN division
[Figure 3-4: VLAN link types. PCs (PC1 and PC2 in VLAN 2, PC4 in VLAN 3) attach to CE1 and CE2 over access links; CE1, PE and CE2 are joined by trunk links carrying VLANs 2 and 3.]
As shown in Figure 3-4, there are the following types of VLAN links:
Access link: connects a PC to a switch. Generally, a PC does not know which VLAN
it belongs to, and PC hardware cannot distinguish frames with VLAN tags. Therefore,
PCs send and receive only untagged frames.
Trunk link: connects a switch to another switch or to a router. Data of different VLANs
is transmitted along a trunk link. The two ends of a trunk link must be able to distinguish
frames with VLAN tags. Therefore, only tagged frames are transmitted along trunk
links.
l
Port types
Table 3-2 lists VLAN port types.
Table 3-2 Port types
Access port
  Method of processing received untagged frames: Accepts an untagged frame and adds a tag with the default VLAN ID to the frame.
  Method of processing received tagged frames:
    - Accepts a tagged frame if the VLAN ID carried in the frame is the same as the default VLAN ID.
    - Discards a tagged frame if the VLAN ID carried in the frame is different from the default VLAN ID.
  Application: An access port connects a switch to a PC and can be added to only one VLAN.

Trunk port
  Method of processing received tagged frames:
    - Accepts a tagged frame if the port permits the VLAN ID carried in the frame.
    - Discards a tagged frame if the port denies the VLAN ID carried in the frame.
  Method of sending frames:
    - Removes the tag from a received frame and sends the frame if the VLAN ID carried in the frame is the same as the default VLAN ID and permitted by the port.
    - Directly sends a received frame if the VLAN ID carried in the frame is different from the default VLAN ID but permitted by the port.
  Application: A trunk port can be added to multiple VLANs to send and receive frames for these VLANs. A trunk port connects a switch to another switch or to a router.

Hybrid port
  Method of sending frames: Sends a received frame if the port permits the VLAN ID carried in the frame. A specified command can be used to determine whether a hybrid port sends frames with or without tags.
  Application: A hybrid port can be added to multiple VLANs to send and receive frames for these VLANs. A hybrid port can connect a switch to a PC or connect a network device to another network device.

QinQ port
  QinQ ports are enabled with the IEEE 802.1QinQ protocol. A QinQ port adds a tag to a single-tagged frame, and thus supports a maximum of 4094 x 4094 VLAN tags, which meets the requirement of a network for the number of VLANs.

Each access, trunk, hybrid, or QinQ port can be configured with a default VLAN, namely,
the port default VLAN ID (PVID) to specify the VLAN to which the port belongs.
The PVID of an access port indicates the VLAN to which the port belongs.
As a trunk or hybrid port can be added to multiple VLANs, the port must be configured
with PVIDs.
By default, a port is added to VLAN 1.
l
1. Assume that VLANs are configured based on MAC addresses. After an access port on CE 1
   receives an untagged frame from PC 1, the port checks the VLAN mapping table for a VLAN
   ID corresponding to the source MAC address, and adds a tag with the obtained VLAN ID to
   the frame.
2. After the trunk ports on CE 1 and PE receive the frame, each port checks whether the
   VLAN ID carried in the frame is the same as that configured on the port. If the VLAN
   ID has been configured on the port, the port transparently transmits the frame to CE
   2. If the VLAN ID is not configured on the port, the port discards the frame.
3. After a trunk port on CE 2 receives the frame, the system searches the MAC address
   table for an outbound port which connects CE 2 to PC 2.
4. After the frame is sent to the access port connecting CE 2 to PC 2, the port checks that
   the VLAN ID carried in the frame is the same as that configured on the port. The port
   then removes the tag from the frame and sends the untagged frame to PC 2.
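The four forwarding steps above can be traced on real frame bytes. This Python sketch is an added example, not part of the original guide: it tags a frame on the CE 1 access port from a MAC-VLAN table, applies the per-trunk VLAN check, looks up the outbound port on CE 2 and removes the tag on egress. The MAC addresses, the port name GE1/0/1 on CE 2 and the table contents are constructed; falling back to the access port's default VLAN when no MAC mapping exists, and not modelling flooding, are assumptions of the example.

```python
import struct

TPID = 0x8100  # 802.1Q Tag Protocol Identifier


def add_tag(frame, vid):
    """Insert a 4-byte 802.1Q tag (PRI 0, CFI 0) after the source MAC address."""
    return frame[:12] + struct.pack("!HH", TPID, vid & 0x0FFF) + frame[12:]


def read_vid(frame):
    """Return the VLAN ID of a tagged frame, or None if the frame has no tag."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID else None


def strip_tag(frame):
    """Remove the 4-byte tag so the PC receives an untagged frame."""
    return frame[:12] + frame[16:]


def forward(frame, net):
    """Carry one untagged frame from PC 1 towards PC 2.

    Returns (delivered_frame_or_None, trace)."""
    trace = []
    dst, src = frame[0:6], frame[6:12]

    # Step 1: the CE 1 access port maps the source MAC to a VLAN and adds the tag.
    vid = net["ce1_mac_vlan"].get(src, net["ce1_access_pvid"])
    frame = add_tag(frame, vid)
    trace.append(f"CE1 access: tagged with VLAN {vid}")

    # Step 2: each trunk port forwards only VLAN IDs configured on it.
    for name, allowed in net["trunks"]:
        if read_vid(frame) not in allowed:
            trace.append(f"{name}: VLAN {vid} not configured, frame discarded")
            return None, trace
        trace.append(f"{name}: VLAN {vid} configured, frame forwarded")

    # Step 3: CE 2 searches its MAC address table for the outbound port.
    port = net["ce2_mac_table"].get(dst)
    if port is None:
        trace.append("CE2: destination MAC not learned (flooding not modelled)")
        return None, trace

    # Step 4: the access port checks the VLAN ID, then removes the tag.
    if read_vid(frame) != net["ce2_access_vlan"][port]:
        trace.append(f"CE2 {port}: VLAN {vid} differs from port VLAN, frame discarded")
        return None, trace
    trace.append(f"CE2 {port}: tag removed, untagged frame sent to PC 2")
    return strip_tag(frame), trace


# Constructed sample data.
PC1 = bytes.fromhex("020000000001")
PC2 = bytes.fromhex("020000000002")
FRAME = PC2 + PC1 + struct.pack("!H", 0x0800) + bytes(46)  # untagged, FCS omitted
NET = {
    "ce1_mac_vlan": {PC1: 2},
    "ce1_access_pvid": 1,
    "trunks": [("CE1 trunk", {2, 3}), ("PE trunk", {2, 3})],
    "ce2_mac_table": {PC2: "GE1/0/1"},
    "ce2_access_vlan": {"GE1/0/1": 2},
}

if __name__ == "__main__":
    for label, net in (("VLAN 2 allowed end to end", NET),
                       ("PE trunk permits only VLAN 3", dict(NET, trunks=[("CE1 trunk", {2, 3}), ("PE trunk", {3})])),
                       ("PC 2 port placed in VLAN 3", dict(NET, ce2_access_vlan={"GE1/0/1": 3}))):
        delivered, trace = forward(FRAME, net)
        print(label, "->", "delivered" if delivered else "dropped")
        for line in trace:
            print("   ", line)
```
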
VLANIF interface
A VLANIF interface is a Layer 3 logical interface, which can be configured on either a
Layer 3 switch or a router.
Layer 3 switching combines routing and switching techniques to implement routing on a
switch, thus improving the overall network performance. After sending the first data flow,
a Layer 3 switch generates mappings between MAC addresses and IP addresses. To send
the same data flow again, the switch forwards it directly at Layer 2 rather than at Layer 3,
based on this mapping table.
To ensure that new data flows are correctly forwarded based on the routing table, the
routing entries in the routing table must be correct. Therefore, VLANIF interfaces and
routing protocols must be configured on Layer 3 switches so that Layer 3 routes are reachable.
NOTE
A PC does not need to know the VLAN to which it belongs. It sends only untagged frames.
After receiving an untagged frame from a PC, a switching device determines the VLAN to which
the frame belongs. The determination is based on the configured VLAN division method such as port
information, and then the switching device processes the frame accordingly.
If the frame needs to be forwarded to another switching device, the frame must be transparently
transmitted along a trunk link. Frames transmitted along trunk links must carry VLAN tags to allow
other switching devices to properly forward the frame based on the VLAN information.
Before sending the frame to the destination PC, the switching device connected to the destination PC
removes the VLAN tag from the frame to ensure that the PC receives an untagged frame.
Generally, only tagged frames are transmitted on trunk links; only untagged frames are transmitted on
access links. In this manner, switching devices on the network can properly process VLAN information
and PCs are not concerned about VLAN information.
After VLANs are configured, users in a VLAN can communicate with each other.
2.
3.
The following VLAN features are also supported to meet requirements of special
applications and extended functions:
- VLAN aggregation: prevents the waste of IP addresses and implements inter-VLAN
  communication.
- MUX VLAN: provides a mechanism to isolate Layer 2 traffic between interfaces in a
  VLAN.
- Voice VLAN: selects voice data packets from various packets and changes the priority
  of voice data packets to improve the voice data transmission quality.
- Management VLAN (mVLAN): helps implement integrated management by using a
  remote device. A user can use the IP address of the VLANIF interface corresponding
  to the mVLAN to telnet to a management switch.
- VLAN transparent transport: improves forwarding efficiency. A switch directly
  forwards frames of a specific VLAN without sending the frames to its CPU.
VLAN Assignment
VLAN assignment is a basic VLAN configuration. After VLANs are configured, users in a
VLAN can communicate with each other. VLANs are configured in different manners, as shown
in Table 3-3.
Port-based VLAN assignment
  Advantage: The configuration is simple. It is the most common VLAN assignment method.
  Disadvantage: The configuration is not flexible. If a port needs to transmit frames of another VLAN, the port must be deleted from the original VLAN and added to the new VLAN. For a network having a large number of traveling users, the network administrator needs to spend more time on maintenance.
  Usage Scenario: Port-based VLAN assignment is applicable to large-scale networks that do not have high security requirements.

MAC address-based VLAN assignment
  Disadvantage: A network administrator needs to configure a switch with a MAC address associated with a specific VLAN. For a network with a large number of terminals, configuration will take the network administrator a lot of work before VLAN-based communication can be enabled.
  Usage Scenario: MAC address-based VLAN assignment is applicable to networks that have high security requirements and many traveling users.

IP subnet-based VLAN assignment
  Advantage: IP subnet-based and protocol-based VLAN assignment are both called network layer-based VLAN assignment. Network layer-based VLAN assignment greatly reduces the workload of manual configurations and allows users to easily join a VLAN, move from one VLAN to another VLAN, or leave a VLAN.
  Usage Scenario: IP subnet-based VLAN assignment is applicable to networks that have traveling users and require simple management.

Protocol-based VLAN assignment
  Disadvantage: Switches need to analyze protocol address formats and convert between them. This slows down the response of switches.

Policies-based VLAN assignment
  Advantage: MAC and IP addresses-based or MAC addresses, IP addresses and interfaces-based VLAN assignment is of high security. This VLAN assignment method does not allow users to change MAC addresses or IP addresses based on which VLANs are configured.
  Usage Scenario: Policies-based VLAN assignment is applicable to small-scale networks that have strict security requirements and a large number of traveling users.

Inter-VLAN Communication
After VLANs are configured, users in a VLAN can communicate with each other. Users in
different VLANs cannot directly communicate with each other. Table 3-4 lists schemes for inter-VLAN communication.
Advantage
Disadvantage
Usage Scenario
Sub-interface
This scheme is applicable to small-scale networks on which users belong to different network segments.
After VLANIF interfaces are configured, users in different VLANs and network segments can communicate with each other as long as routes are reachable.
If multiple users on a network belong to different VLANs, each VLAN requires a VLANIF interface. Each VLANIF interface needs to be assigned an IP address. This increases configuration workload and uses a lot of IP addresses.
This scheme is applicable to small-scale networks on which users belong to different network segments and IP addresses of these users are seldom changed.
This scheme is applicable to small-scale and topology-stable networks.
VLANIF interface
Inter-VLAN communication can also be implemented by Layer 3 switches if routes are reachable. This scheme boasts of low operating costs.
VLAN Switch
- If multiple users on a network belong to different VLANs, each VLAN requires a sub-interface on a Layer 3 device. Each sub-interface needs to be assigned an IP address. This increases configuration workload and uses up a large number of IP addresses.
If Layer 3 forwarding of packets is mainly required, use sub-interfaces.
If a large number of VLANs are configured and both Layer 2 and Layer 3 forwarding of packets are required, use VLANIF interfaces.
VLAN Aggregation
To implement inter-VLAN communication on switches, configure IP addresses for the VLANIF
interfaces. When many VLANs are deployed, a great number of IP addresses are occupied.
VLAN aggregation solves the problem of excessive IP address occupation.
VLAN aggregation means that multiple VLANs are aggregated into a super-VLAN. The VLANs
that form the super-VLAN are called sub-VLANs.
You can create a VLANIF interface for a super-VLAN. Then, you can configure an IP address
only for this interface rather than for each sub-VLAN. All sub-VLANs share the same IP network
segment, which optimizes the use of IP addresses.
MUX VLAN
A MUX VLAN is used to isolate Layer 2 traffic between interfaces in a VLAN. For example,
on an intranet, a user interface can communicate with a server interface, but the user interfaces
cannot communicate with each other.
In MUX VLAN implementation, VLANs are classified into MUX VLANs and subordinate
VLANs. Subordinate VLANs are classified into subordinate group VLANs and subordinate
separate VLANs.
The MUX VLAN can communicate with the subordinate VLANs, but the subordinate VLANs
cannot communicate with each other. Interfaces in a subordinate group VLAN can communicate with
each other, but interfaces in a subordinate separate VLAN cannot communicate with each other.
You can implement inter-device MUX VLAN by configuring the same MUX VLAN on multiple
devices and configuring interfaces between the devices to allow packets of the MUX VLAN.
Implementation of inter-device MUX VLAN is the same as the implementation of MUX VLAN
on a single device.
Applicable Environment
Currently, the S9300 supports the following VLAN division modes. You can choose one of them
as required. Table 3-5 lists VLAN division modes.
Table 3-5 VLAN assignment in different usage scenarios

Port-based VLAN assignment
  Advantage: The configuration is simple. It is the most common VLAN assignment method.
  Disadvantage: The configuration is not flexible. If a port needs to transmit frames of another VLAN, the port must be deleted from the original VLAN and added to the new VLAN. For a network having a large number of traveling users, the network administrator needs to spend more time on maintenance.
  Usage Scenario: Port-based VLAN assignment is applicable to large-scale networks that do not have high security requirements.

MAC address-based VLAN assignment
  Disadvantage: A network administrator needs to configure a switch with a MAC address associated with a specific VLAN. For a network with a large number of terminals, configuration will take the network administrator a lot of work before VLAN-based communication can be enabled.
  Usage Scenario: MAC address-based VLAN assignment is applicable to networks that have high security requirements and many traveling users.

IP subnet-based VLAN assignment
  Advantage: IP subnet-based and protocol-based VLAN assignment are both called network layer-based VLAN assignment. Network layer-based VLAN assignment greatly reduces the workload of manual configurations and allows users to easily join a VLAN, move from one VLAN to another VLAN, or leave a VLAN.
  Usage Scenario: IP subnet-based VLAN assignment is applicable to networks that have traveling users and require simple management.

Protocol-based VLAN assignment
  Disadvantage: Switches need to analyze protocol address formats and convert between them. This slows down the response of switches.

Policies-based VLAN assignment
  Advantage: MAC and IP addresses-based or MAC addresses, IP addresses and interfaces-based VLAN assignment is of high security. This VLAN assignment method does not allow users to change MAC addresses or IP addresses based on which VLANs are configured.
  Usage Scenario: Policies-based VLAN assignment is applicable to small-scale networks that have strict security requirements and a large number of traveling users.

NOTE
In the case that the S9300 supports multiple VLAN division modes, the priorities of these VLAN division
modes are in descending order:
1. Policies-based VLAN division
This mode has the highest priority, but is not commonly used.
2. MAC address-based VLAN division and IP subnet-based VLAN division
By default, MAC address-based VLAN division is set as the preference. You can run commands to
change priorities of these two VLAN division modes.
3. Protocol-based VLAN division
4. Port-based VLAN division
Port-based VLAN division has the lowest priority, but is most commonly used.
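The priority order in the NOTE above decides which VLAN an untagged frame lands in when several division modes could match. This Python sketch is an added example, not part of the original guide: it applies the order policy, then MAC address or IP subnet (MAC first by default), then protocol, then port. The dictionary layout, the `precedence` argument and all addresses, VLAN IDs and the port name are constructed for the example and are not S9300 data structures.

```python
import ipaddress


def classify(frame, port, cfg, precedence="mac-vlan"):
    """Return (vlan_id, mode) for an untagged frame received on port."""
    if precedence not in ("mac-vlan", "ip-subnet-vlan"):
        raise ValueError("precedence must be 'mac-vlan' or 'ip-subnet-vlan'")
    mac, ip, proto = frame["src_mac"], frame.get("src_ip"), frame["protocol"]

    # 1. Policy-based: MAC and IP (and, if given, the interface) must all match.
    for rule in cfg["policy_vlan"]:
        port_ok = rule.get("port") in (None, port["name"])
        if rule["mac"] == mac and rule["ip"] == ip and port_ok:
            return rule["vlan"], "policy"

    # 2. MAC address-based and IP subnet-based share one priority level;
    #    the precedence setting decides which of the two is tried first.
    def by_mac():
        vlan = cfg["mac_vlan"].get(mac)
        return (vlan, "mac") if vlan is not None else None

    def by_subnet():
        if ip is None:
            return None
        addr = ipaddress.ip_address(ip)
        for network, vlan in cfg["ip_subnet_vlan"]:
            if addr in ipaddress.ip_network(network):
                return vlan, "ip-subnet"
        return None

    order = (by_mac, by_subnet) if precedence == "mac-vlan" else (by_subnet, by_mac)
    for lookup in order:
        hit = lookup()
        if hit:
            return hit

    # 3. Protocol-based: only protocol VLANs associated with this port apply.
    vlan = port["protocol_vlans"].get(proto)
    if vlan is not None:
        return vlan, "protocol"

    # 4. Port-based: fall back to the port default VLAN ID (PVID).
    return port["pvid"], "port"


# Constructed sample configuration.
CFG = {
    "policy_vlan": [{"mac": "02:00:00:00:00:0a", "ip": "10.1.1.10", "vlan": 50}],
    "mac_vlan": {"02:00:00:00:00:0b": 20},
    "ip_subnet_vlan": [("10.1.2.0/24", 30)],
}
PORT = {"name": "GE1/0/1", "pvid": 1, "protocol_vlans": {"ipv6": 40}}

if __name__ == "__main__":
    samples = [
        {"src_mac": "02:00:00:00:00:0a", "src_ip": "10.1.1.10", "protocol": "ipv4"},
        {"src_mac": "02:00:00:00:00:0a", "src_ip": "10.1.2.99", "protocol": "ipv4"},
        {"src_mac": "02:00:00:00:00:0b", "src_ip": "10.1.2.5", "protocol": "ipv4"},
        {"src_mac": "02:00:00:00:00:0c", "protocol": "ipv6"},
        {"src_mac": "02:00:00:00:00:0c", "src_ip": "192.168.0.1", "protocol": "ipv4"},
    ]
    for s in samples:
        print(s["src_mac"], s.get("src_ip"), "->", classify(s, PORT, CFG))
```

The second sample shows the behaviour the policy section describes: once the bound IP address changes, the frame no longer matches the policy VLAN and is classified by a lower-priority mode.
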
Pre-configuration Tasks
Before dividing a LAN into VLANs, complete the following task:
- Connecting ports and configuring physical parameters of the ports, ensuring that the ports
  are physically Up
Data Preparation
To divide a LAN into VLANs, you need the following data.
No.  Data
1    VLAN ID, number of each Ethernet port to be added to the VLAN, and (optional)
     attribute of Ethernet ports
2    VLAN ID, MAC address mapped to the VLAN and (optional) 802.1p priority
     value related to the MAC address
3    VLAN ID, (optional) IP subnet index, IP address mapped to the VLAN and
     (optional) 802.1p priority value related to the IP address or network segment
4    VLAN ID, (optional) protocol template index, protocol type mapped to the
     VLAN, and (optional) 802.1p priority value related to the protocol
5    VLAN ID, MAC address and IP address mapped to the VLAN and (optional)
     number of the Ethernet port added to a VLAN based on its MAC and IP addresses
Context
After VLANs are configured based on ports, the VLANs can process tagged and untagged frames
in the following manners:
- After receiving an untagged frame, a port adds the PVID to the frame, searches the MAC
  address table for an outbound port, and sends the tagged frame from the outbound port.
- After a port receives a tagged frame, it checks the VLAN ID carried in the frame:
  - If the port allows frames with the specified VLAN ID to pass through, it forwards the
    frame.
  - If the port does not allow frames with the specified VLAN ID to pass through, it discards
    the frame.
Create VLANs.
2.
3.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created,
the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in batches, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run
the vlan vlan-id command to enter the view of a specified VLAN.
Step 3 Run:
quit
2.
Run the port link-type { access | hybrid | trunk | dot1q-tunnel } command to configure
the port type.
By default, the port type is hybrid.
- If a Layer 2 Ethernet port is directly connected to a terminal, set the port type to access
  or hybrid.
- If a Layer 2 Ethernet port is connected to another switch, the port type can be set to
  access, trunk, hybrid, or QinQ.
In tagged mode, a port forwards frames without removing their tags. This is applicable
to scenarios in which Layer 2 Ethernet ports are connected to switches.
(Optional) Run the port hybrid pvid vlan vlan-id command to specify the default VLAN
of a hybrid interface.
By default, all ports are added to VLAN 1.
----End
Context
VLANs configured based on MAC addresses process only untagged frames, and treat tagged
frames in the same manner as VLANs configured based on ports.
After receiving an untagged frame, a port searches for a MAC-VLAN mapping based on the
source MAC address in the frame.
- If a mapping is found, the port forwards the frame based on the VLAN ID and priority
  value in the mapping.
- If no matching mapping is found, the port matches the frame with other matching rules.
Create VLANs.
2.
3.
4.
(Optional) Configure the highest priority for MAC address-based VLAN division.
NOTE
By default, MAC address-based VLAN division is set as the preference. To use IP subnet-based
VLAN division, set a higher priority for it.
5.
Procedure
Step 1 Run:
system-view
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created,
the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in batches, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run
the vlan vlan-id command to enter the view of a specified VLAN.
Step 3 Run:
mac-vlan mac-address mac-address [ priority priority ]
Run the interface interface-type interface-number command to enter the view of the port
to be configured to allow frames with a specified VLAN ID to pass through.
2.
Run the port link-type hybrid command to set the port type to hybrid.
By default, the port type is hybrid.
3.
Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command
to configure the hybrid port to allow frames with a specified VLAN ID to pass through.
Step 6 (Optional) Run the vlan precedence mac-vlan command to configure a higher priority for MAC
address-based VLAN division.
By default, MAC address-based VLAN division is set as the preference.
Step 7 Run:
mac-vlan enable
MAC address-based VLAN assignment conflicts with MUX VLAN and port vlan-stacking untagged.
They cannot be configured on the same interface.
----End
Context
VLANs configured based on IP subnets process only untagged frames, and treat tagged frames
in the same manner as VLANs configured based on ports.
After receiving untagged frames, a device determines the VLANs to which the frames belong
based on their source IP addresses before sending them to corresponding VLANs.
The configuration roadmap is as follows:
1.
Create VLANs.
2.
Associate IP subnets with VLANs to determine mappings between subnets and VLANs.
3.
4.
By default, MAC address-based VLAN division is set as the preference. To use IP subnet-based
VLAN division, set a higher priority for it.
5.
Procedure
Step 1 Run:
system-view
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created,
the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in batches, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run
the vlan vlan-id command to enter the view of a specified VLAN.
Step 3 Run:
ip-subnet-vlan [ ip-subnet-index ] ip ip-address { mask | mask-length }
[ priority priority ]
quit
Run the interface interface-type interface-number command to enter the view of the port
to be configured to allow frames with the specified VLAN ID to pass through.
2.
Run the port link-type hybrid command to set the port type to hybrid.
By default, the port type is hybrid.
3.
Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command
to allow frames with the specified VLAN ID to pass through.
Context
VLANs configured based on protocols process only untagged frames, and treat tagged frames
in the same manner as VLANs configured based on ports.
After receiving an untagged frame, a port identifies the protocol template used by the frame to
determine the VLAN to which the frame belongs.
- If the port has been added to VLANs corresponding to some protocols, and the protocol
  template adopted by the frame matches one of these protocols, the port adds the
  corresponding VLAN ID to the frame.
- If the port has been added to VLANs corresponding to some protocols, but the protocol
  template adopted by the frame does not match any one of these protocols, the port adds the
  PVID to the frame.
Create VLANs.
2.
Associate protocols with VLANs to determine mappings between protocols and VLANs.
3.
(2) Configure a port to allow frames with the specified VLAN ID to pass through.
(3) Associate ports with VLANs.
After receiving a frame associated with a specified protocol, the system automatically
assigns the VLAN ID associated with the protocol to the frame.
Procedure
Step 1 Run:
system-view
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created,
the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in batches, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run
the vlan vlan-id command to enter the view of a specified VLAN.
Step 3 Run:
protocol-vlan [ protocol-index ] { at | ipv4 | ipv6 | ipx { ethernetii | llc | raw
| snap } | mode { ethernetii-etype etype-id1 | llc dsap dsap-id ssap ssap-id | snap-etype etype-id2 } }
Run the interface interface-type interface-number command to enter the view of the port
to be configured to allow frames with the specified VLAN ID to pass through.
2.
Run the port link-type hybrid command to set the port type to hybrid.
By default, the port type is hybrid.
3.
Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command
to allow frames with the specified VLAN ID to pass through.
4.
Run:
protocol-vlan vlan vlan-id { all | protocol-index1 [ to protocol-index2 ] }
[ priority priority ]
- The optional parameter priority specifies the 802.1p priority value related to the
protocol. The value ranges from 0 to 7. The greater the value, the higher the priority.
The default value is 0. After the 802.1p priority value is specified, frames with high
priorities are first forwarded when traffic is congested.
----End
Context
A LAN can be divided into VLANs based on MAC and IP addresses or based on MAC and IP
addresses and interfaces.
To divide a LAN into VLANs based on policies, configure MAC and IP addresses of terminals
on a switch and associate pairs of MAC addresses, IP addresses and interfaces with VLANs.
Only users matching a policy can be added to a specified VLAN. If the IP or MAC addresses
of users added to a VLAN are changed, they will exit from the VLAN.
Policy VLANs process only untagged frames, and treat tagged frames in the same manner as
VLANs configured based on ports.
After receiving an untagged frame, the device finds a VLAN matching both MAC and IP
addresses of the frame, and transmits the frame in the VLAN.
The configuration roadmap is as follows:
1.
Create VLANs.
2.
Associate pairs of MAC and IP addresses with VLANs to divide a LAN into VLANs based
on both MAC and IP addresses.
3.
Procedure
Step 1 Run:
system-view
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created,
the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in batches, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run
the vlan vlan-id command to enter the view of a specified VLAN.
Step 3 Run:
Run the interface interface-type interface-number command to enter the view of the port
to be configured with a policy VLAN.
2. Run the port link-type hybrid command to set the port type to hybrid.
By default, the port type is hybrid.
3. Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command
to allow frames with specified MAC and IP addresses to pass through.
----End
Prerequisite
The configurations of VLAN division are complete.
Procedure
- Run the display vlan [ vlan-id [ verbose ] ] command to check information about all
VLANs or a specified VLAN.
- Run the display mac-vlan { mac-address { all | mac-address } | vlan vlan-id } command
to check information about VLANs configured based on MAC addresses.
- Run the display ip-subnet-vlan vlan { all | vlan-id1 [ to vlan-id2 ] } command to check
information about VLANs configured based on IP subnets.
- Run the display protocol-vlan vlan { all | vlan-id1 [ to vlan-id2 ] } command to check
information about VLANs configured based on protocols.
- Run the display policy-vlan { all | vlan vlan-id } command to check information about
policy VLANs.
----End
Applicable Environment
Layer 3 switching combines routing and switching techniques to implement routing on a switch,
thus improving the overall network performance. After sending the first data flow, a Layer 3
switch generates mappings between MAC addresses and IP addresses. When the same data flow is
sent again, the switch forwards it directly at Layer 2, not Layer 3, based on this mapping
table.
To ensure that new data flows are forwarded correctly based on the routing table, the routing
entries in the routing table must be correct. Therefore, VLANIF interfaces and routing protocols
must be configured on Layer 3 switches for reachable Layer 3 routes.
Pre-configuration Tasks
Before creating a VLANIF interface, complete the following task:
- Creating a VLAN
Data Preparation
To create a VLANIF interface, you need the following data.
No.
Data
VLAN ID
Procedure
Step 1 Run:
system-view
A VLANIF interface is Up only when at least one physical port added to the corresponding VLAN is Up.
----End
Procedure
Step 1 Run:
system-view
An IP address is assigned to the VLANIF interface for communication at the network layer.
----End
Context
If a VLAN goes Down because all ports in the VLAN go Down, the system immediately reports
the VLAN Down event to the corresponding VLANIF interface, instructing the VLANIF
interface to go Down.
To prevent network flapping caused by changes of VLANIF interface status, enable VLAN
damping on the VLANIF interface. After the last Up port in a VLAN goes Down, the system
starts a delay timer and informs the corresponding VLANIF interface of the VLAN Down event
after the timer expires. If a port in the VLAN goes Up during the delay period, the VLANIF
interface remains Up.
Procedure
Step 1 Run:
system-view
- After changing the maximum transmission unit (MTU) by using the mtu command on a specified
interface, you need to restart the interface to make the new MTU take effect. To restart the interface,
run the shutdown command and then the undo shutdown command, or run the restart command in
the interface view.
- If you change the MTU of an interface, you need to change the MTU of the peer interface to the same
value by using the mtu command; otherwise, services may be interrupted.
- To ensure availability of Layer 3 functions, set the MTU value of the VLANIF interface to be smaller
than the maximum length of frames on the physical interface in the corresponding VLAN.
Procedure
Step 1 Run:
system-view
mtu mtu
If the MTU is too small whereas the packet size is large, the packet is probably split into many fragments.
Therefore, the packet may be discarded due to the insufficient QoS queue length. To avoid this situation,
lengthen the QoS queue accordingly.
----End
Prerequisite
The configurations of a VLANIF interface are complete.
Procedure
- Run the display interface vlanif [ vlan-id ] command to check the physical status, link
protocol status, description, and IP address of the VLANIF interface.
----End
Applicable Environment
Currently, schemes listed in Table 3-6 are provided for inter-VLAN communication. You can
choose one of them based on the real world situation.
Advantage
Disadvantage
Usage Scenario
Sub-interface
This scheme is applicable to small-scale networks on which users belong to different network segments.
After VLANIF interfaces are configured, users in different VLANs and network segments can communicate with each other as long as routes are reachable.
If multiple users on a network belong to different VLANs, each VLAN requires a VLANIF interface. Each VLANIF interface needs to be assigned an IP address. This increases configuration workload and uses a lot of IP addresses.
This scheme is applicable to small-scale networks on which users belong to different network segments and IP addresses of these users are seldom changed.
This scheme is applicable to small-scale and topology-stable networks.
VLANIF interface
Inter-VLAN communication can also be implemented by Layer 3 switches if routes are reachable. This scheme boasts of low operating costs.
VLAN Switch
- If multiple users on a network belong to different VLANs, each VLAN requires a sub-interface on a Layer 3 device. Each sub-interface needs to be assigned an IP address. This increases configuration workload and uses up a large number of IP addresses.
If Layer 3 forwarding of packets is mainly required, use sub-interfaces.
If a large number of VLANs are configured and both Layer 2 and Layer 3 forwarding of packets are required, use VLANIF interfaces.
Pre-configuration Tasks
Before configuring inter-VLAN communication, complete the following task:
- Creating VLANs
Data Preparation
To configure inter-VLAN communication, you need the following data.
No.
Data
VLAN ID, VLANIF interface number, IP address and mask of the VLANIF
interface
(Optional) Port type, VLAN ID before mapping, VLAN ID after mapping, outer
VLAN ID to be added, source port number, and destination port number
Context
VLANIF interfaces are Layer 3 logical interfaces. After being assigned IP addresses, VLANIF
interfaces are able to communicate at the network layer.
To implement inter-VLAN communication by using VLANIF interfaces, you need to configure
a VLANIF interface for each VLAN and assign an IP address to each VLANIF interface. The
communication process by using VLANIF interfaces is similar to that by using sub-interfaces.
Figure 3-5 Networking diagram for configuring VLANIF interfaces for inter-VLAN
communication (diagram labels: Switch, VLANIF2, VLAN2, VLANIF3, VLAN3)
NOTE
The default gateway address of each PC in a VLAN must be the IP address of the corresponding VLANIF
interface. Otherwise, inter-VLAN communication will fail.
Procedure
Step 1 Run:
system-view
A VLANIF interface is Up only when at least one physical port added to the corresponding VLAN is Up.
Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]
Procedure
Step 1 Run:
system-view
The control VLAN ID and encapsulation mode of the sub-interface are set.
Step 5 Run:
dot1q termination vid vid
The VLANs whose packets are allowed to pass through the dot1q sub-interface are specified.
When a sub-interface is used for Layer 3 forwarding, you cannot specify multiple VLANs in
the command.
Step 6 Run:
arp broadcast enable
Context
VLAN Switch is a forwarding technique based on VLAN tags. VLAN Switch requires a pre-configured
static forwarding path along switches on the network. After receiving VLAN-tagged
frames that meet forwarding requirements, a switch forwards the frames to corresponding ports
based on the VLAN switching table without searching the MAC address table. This improves
forwarding efficiency and network security, and prevents broadcast storms and attacks that use
MAC addresses.
The S9300 supports the following VLAN Switch functions:
- VLAN Switch switch-vlan, which replaces the outer VLAN tag. It is similar to VLAN
mapping and helps implement inter-VLAN communication.
- VLAN Switch stack-vlan, which adds a VLAN tag to single-tagged frames. Similar to
VLAN stacking, it is a technique for adding outer VLAN tags to frames carrying different
inner VLAN tags.
This section describes the VLAN Switch switch-vlan function. For detailed configuration about
the VLAN Switch stack-vlan function, see 5.4.4 Configuring Selective QinQ.
Procedure
Step 1 Run:
system-view
- Ports specified for VLAN Switch must meet the following requirement:
  The source and destination ports specified in the vlan-switch command must be hybrid or trunk ports,
  but not access ports or Eth-Trunk member ports.
- VLAN IDs specified for VLAN Switch must meet the following requirements:
  - Any VLAN ID specified in the vlan-switch command cannot be a global VLAN ID. If a VLAN
    ID has been applied in VLAN Switch, the VLAN cannot be created in the system view.
  - If a specified VLAN ID has been applied in QinQ, this VLAN ID cannot be applied in VLAN
    Switch.
  - If the outer VLAN ID of a double-tagged frame has been applied in the port vlan-stacking or port
    vlan-mapping command or a control VLAN, this VLAN ID cannot be applied in VLAN Switch.
- Currently, you can specify double tags before VLAN switching only on the E-series and F-series boards.
----End
Prerequisite
The configurations of inter-VLAN communication are complete.
Procedure
- Run the ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | -i interface-type
interface-number | -m time | -n | -p pattern | -q | -r | -s packetsize | -system-time | -t
timeout | -tos tos-value | -v | -vpn-instance vpn-instance-name ] * host command to check
whether users in different VLANs can communicate with each other.
If the ping fails, you can run the following commands to locate the fault:
- Run the display vlan [ vlan-id [ verbose ] ] command to check information about all
VLANs or a specified VLAN.
- Run the display interface vlanif [ vlan-id ] command to check information about
VLANIF interfaces.
Before running this command, ensure that VLANIF interfaces have been configured.
- Run the display vlan-switch [ vlan-switch-name | interface interface-type
interface-number ] command to check the configuration of VLAN Switch.
Before running this command, ensure that VLAN Switch has been configured.
----End
Applicable Environment
As networks expand, address resources become insufficient. VLAN aggregation is developed
to save IP addresses.
In VLAN aggregation, one super-VLAN is associated with multiple sub-VLANs. Physical ports
cannot join a super-VLAN but a VLANIF interface can be created for the super-VLAN and an
IP address can be assigned to the VLANIF interface. Physical ports can join a sub-VLAN but
no VLANIF interface can be created for the sub-VLAN. All the ports in the sub-VLAN use the
same IP address with the VLANIF interface of the super-VLAN. This saves subnet IDs, default
gateway addresses of the subnets, and directed broadcast addresses of the subnets. In addition,
different broadcast domains can use the addresses in the same subnet segment. As a result, subnet
differences are eliminated, addressing becomes flexible, and the number of idle addresses is
reduced. VLAN aggregation allows each sub-VLAN to function as a broadcast domain and
reduces the waste of IP addresses to be assigned to ordinary VLANs.
Figure 3-6 shows the typical VLAN aggregation networking.
Figure 3-6 (diagram labels: PE, Super VLAN4, CE1, CE2, Sub-VLAN 2, Sub-VLAN 3)
Pre-configuration Tasks
Before configuring VLAN aggregation, complete the following task:
- Connecting ports and configuring physical parameters of the ports, ensuring that the ports
are physically Up
Data Preparation
To configure VLAN aggregation, you need the following data.
No.
Data
ID of a super-VLAN
Procedure
Step 1 Run:
system-view
Context
NOTE
Procedure
Step 1 Run:
system-view
A super-VLAN is created.
A super-VLAN cannot contain any physical interfaces.
Procedure
Step 1 Run:
system-view
A VLANIF interface is created for a super-VLAN, and the view of the VLANIF interface is
displayed.
Step 3 Run:
ip address ip-address { mask | mask-length } [ sub ]
Context
VLAN aggregation allows sub-VLANs to use the same subnet address, but prevents PCs in
different sub-VLANs from communicating with each other at the network layer.
PCs in ordinary VLANs can communicate with each other at the network layer by using different
gateway addresses. In VLAN aggregation, PCs in a super-VLAN use the same subnet address
and gateway address. As PCs in different sub-VLANs belong to one subnet, they communicate
with each other only at Layer 2, not Layer 3. These PCs are isolated from each other at Layer
2. Consequently, PCs in different sub-VLANs cannot communicate with each other.
Proxy ARP is required to enable PCs in a sub-VLAN to communicate with PCs in another
sub-VLAN or PCs on other networks. After a super-VLAN and its VLANIF interface are created,
proxy ARP must be enabled to allow the super-VLAN to forward or process ARP request and
reply packets. Proxy ARP helps PCs in sub-VLANs communicate with each other at the network
layer.
NOTE
An IP address must have been assigned to the VLANIF interface corresponding to the super-VLAN.
Otherwise, proxy ARP cannot take effect.
VLAN aggregation simplifies configurations for the network where many VLANs are
configured and PCs in different VLANs need to communicate with each other.
Procedure
Step 1 Run:
system-view
Prerequisite
The VLAN aggregation configurations are complete.
Procedure
- Run the display vlan [ vlan-id [ verbose ] ] command to check VLAN information.
- Run the display interface vlanif [ vlan-id ] command to check information about a specific
VLANIF interface.
----End
Applicable Environment
In an enterprise network, all employees of the enterprise can access the enterprise's server. It is
required that some employees be able to communicate with each other, whereas other employees
cannot communicate with each other.
Configuring a MUX VLAN on the switch connected to PCs helps to save VLAN ID resources,
reduce the configuration workload of the network administrator, and facilitate network
maintenance.
Figure 3-7 Networking diagram for a MUX VLAN (diagram labels: Switch, Principal PORT,
Group PORT, Enterprise employee1, Enterprise employee2)
In the MUX VLAN shown in Figure 3-7, the principal port connects the switch to the enterprise's
server; separate ports connect the switch to employees that do not communicate with each other;
group ports connect the switch to employees that need to communicate with each other. A MUX
VLAN consists of VLANs in different types listed in Table 3-7.
Table 3-7 Components of a MUX VLAN
MUX VLAN          VLAN Type      Port Type       Communication Rights
Principal VLAN                   Principal port
Subordinate VLAN  Separate VLAN  Separate port
                  Group VLAN     Group port
Pre-configuration Tasks
Before configuring a MUX VLAN, complete the following task:
- Creating VLANs
Data Preparation
To configure a MUX VLAN, you need the following data.
No.
Data
ID of each principal VLAN and number of each port belonging to the principal VLAN
ID of each group VLAN and number of each port belonging to the group VLAN
ID of each separate VLAN and number of each port belonging to the separate VLAN
Procedure
Step 1 Run:
system-view
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created,
the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in batches, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run
the vlan vlan-id command to enter the view of a specified VLAN.
Step 3 Run:
mux-vlan
Context
In a MUX VLAN, group VLANs cannot share the same VLAN ID with a separate VLAN.
Do as follows on a switching device that requires a group VLAN:
Procedure
Step 1 Run:
system-view
Context
Group VLANs and separate VLANs in one MUX VLAN cannot use the same VLAN ID.
Procedure
Step 1 Run:
system-view
Context
Before the MUX VLAN function is enabled on a port, ensure that:
- The port has been added to only one ordinary VLAN. If the port has been added to multiple
VLANs, the MUX VLAN function cannot be enabled on this port.
Do as follows on the switching device on which a port needs to be enabled with the MUX VLAN
function:
Procedure
Step 1 Run:
system-view
After being enabled with the MUX VLAN function, the port can no longer be configured with
VLAN mapping or VLAN stacking.
NOTE
- Disabling MAC address learning or limiting the number of learned MAC addresses on an interface
affects the MUX VLAN function on the interface.
- The MUX VLAN and port security functions cannot be enabled on the same interface.
- The MUX VLAN and MAC address authentication cannot be enabled on the same interface.
- The MUX VLAN and 802.1x authentication cannot be enabled on the same interface.
----End
Prerequisite
The configurations of a MUX VLAN are complete.
Procedure
Step 1 Run the display mux-vlan command to check information about the MUX VLAN.
----End
Applicable Environment
Voice and non-voice data are transmitted on networks. Voice data is configured with a higher
priority than non-voice data to reduce the probability of the transmission delay and packet loss.
In most cases, an Access Control List (ACL) is configured to distinguish voice data from
non-voice data, and the Quality of Service (QoS) is used to ensure the transmission quality of voice
data.
Voice over IP (VoIP) phones are commonly used. If an ACL is configured to distinguish voice
data from non-voice data, and QoS is used to ensure the transmission quality of voice data, each
terminal needs to be configured with an ACL rule. This increases the network administrator's
workload and burdens maintenance.
The voice VLAN technique is introduced to solve the preceding problem.
After being enabled with the voice VLAN function, a device determines voice data based on
source MAC addresses of received frames, adds ports that receive voice data to a voice VLAN,
and automatically applies priority rules to ensure high priorities and good qualities of voice data.
This simplifies user configuration and facilitates management on voice data.
On the network shown in Figure 3-8, a user's High Speed Internet (HSI), VoIP, and Internet
Protocol Television (IPTV) services are connected to a switch. A voice VLAN can be configured
on the switch to implement QoS for voice data, prioritize voice data, and ensure the
communication quality.
Figure 3-8 Networking diagram for configuring a voice VLAN (diagram labels: Server, Network,
Voice VLAN VLAN 10, Switch, LAN Switch1, LAN Switch2, HSI, VoIP, IPTV, Voice flow)
Pre-configuration Tasks
Before configuring a voice VLAN, complete the following task:
- Creating VLANs
Data Preparation
To configure a voice VLAN, you need the following data.
No.
Data
Type and number of the port enabled with the voice VLAN function, voice VLAN ID
The Organizationally Unique Identifier (OUI) address and mask of the voice VLAN
(Optional) 802.1p priority and DSCP value for the voice VLAN
Procedure
Step 1 Run:
system-view
The view of a port connecting the device to users' voice devices is displayed.
Step 3 Run:
voice-vlan vlan-id enable
A voice VLAN is configured and the voice VLAN function is enabled on the port.
By default, the voice VLAN function is disabled on ports.
NOTE
----End
Context
An OUI is a globally-unique identifier assigned by the Institute of Electrical and Electronics
Engineers (IEEE) to a specific equipment vendor. An OUI represents the first 24 bits of a binary
MAC address.
An OUI represents a MAC address segment that is obtained by performing the AND operation
between a 48-bit MAC address and a mask. For example, the MAC address is 1-1-1, and the
mask is FFFF-FF00-0000. The AND operation is performed between the MAC address and the
mask to obtain the OUI 0001-0000-0000. If the first 24 bits of the MAC address of a device are
the same as an OUI, a voice VLAN-enabled port considers the device as a voice device and data
from the device as voice data.
Procedure
Step 1 Run:
system-view
An OUI is configured.
- The mac-address value cannot be all 0s or a multicast or broadcast address.
- A device can be configured with a maximum of 16 OUIs. When the device is configured
with 16 OUIs, subsequent configurations will not take effect.
- When using the undo voice-vlan mac-address command to delete an OUI, specify the mac-address
value in this command as the result of the AND operation between the configured
MAC address and mask.
NOTE
When the source MAC address of a packet matches the OUI, the S9300 changes the priority of the packet
based on the configuration of 3.8.5 (Optional) Configuring an 802.1p Priority and a DSCP Value for
the Voice VLAN to improve the transmission quality.
----End
Context
The aging timer of a voice VLAN is effective only when ports are automatically added to the
voice VLAN.
If a voice VLAN-enabled port does not receive voice data from a voice device before the aging
timer expires, the port will be automatically deleted from the voice VLAN. If the port receives
voice data from the voice device again, the port will be automatically added to the voice VLAN
and the aging timer will be reset.
Procedure
Step 1 Run:
system-view
Context
By default, the 802.1p priority and DSCP value for each voice VLAN are 6 and 46 respectively.
Manual configuration of the 802.1p priority and DSCP value will allow you to plan priorities
for different voice services at will.
NOTE
- The 802.1p priority is indicated by the value in the 3-bit PRI field in each 802.1Q VLAN frame. This
field determines the transmission priority for data packets when a switching device is congested.
- The DSCP value is indicated by the 6 bits in the Type of Service (ToS) field in the IPv4 packet header.
DSCP, as the signaling for DiffServ, is used for QoS guarantee on IP networks. The traffic controller
on the network gateway takes actions merely based on the information carried by the 6 bits.
Procedure
Step 1 Run:
system-view
An 802.1p priority and a DSCP value are configured for a voice VLAN.
By default, the 802.1p priority and DSCP value for a voice VLAN are 6 and 46 respectively.
----End
Context
Ports can be added to a voice VLAN in either of the following modes:
- Automatic mode
A voice VLAN-enabled port learns source MAC addresses of frames from voice devices,
adds ports connecting the device to voice devices to a voice VLAN, and uses the voice
VLAN aging timer to control the number of ports in the voice VLAN. If a voice VLAN-enabled
port does not receive voice data from a voice device before the aging timer expires,
the port will be automatically deleted from the voice VLAN. If the port receives voice data
from the voice device again, the port will be automatically added to the voice VLAN.
- Manual mode
After the voice VLAN function is enabled, ports connected to voice devices must be
manually added to a voice VLAN. Otherwise, the voice VLAN function does not take
effect.
Procedure
Step 1 Run:
system-view
The view of a port connecting the device to users' voice devices is displayed.
Step 3 Run:
voice-vlan mode { auto | manual }
Access ports cannot be automatically added to a voice VLAN. To add a port of the access type to the
voice VLAN, run the port link-type command to change the port type to trunk or hybrid.
----End
Context
Based on the data filtering mechanism, a voice VLAN works in either security or ordinary mode:
- Security mode
A voice VLAN-enabled inbound port transmits only frames whose source MAC
addresses match OUIs configured on the device. It discards voice data that does not belong to the
current voice VLAN; other data is forwarded normally.
The security mode prevents a voice VLAN from being attacked by malicious data flows,
but consumes system resources to check frames.
- Ordinary mode
A voice VLAN-enabled inbound port transmits both voice and non-voice data. The port
does not compare source MAC addresses in received frames with configured OUIs,
exposing a voice VLAN to malicious attacks.
NOTE
Transmitting voice and service data at the same time in a voice VLAN is not recommended. If a voice
VLAN must transmit both voice and service data, ensure that the voice VLAN works in ordinary mode.
Table 3-8 shows how to process frames in different voice VLAN working modes.
Table 3-8 Frame processing in different voice VLAN working modes
Voice VLAN Working Mode
Security mode: If the source MAC address of a frame and the OUI do not match, the priority of the frame is not changed and the frame is prohibited from forwarding in the voice VLAN.
Ordinary mode: If the source MAC address of a frame and the OUI do not match, the priority of the frame is not changed and the frame is allowed to be forwarded in the voice VLAN.
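The OUI masking described under the OUI configuration task and the per-mode handling in Table 3-8, modelled as an added Python example (not Huawei code or device output). The class and function names are hypothetical, the sample source addresses are constructed, and the 1-1-1 / FFFF-FF00-0000 pair is the one used in the OUI description on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

_GROUP = re.compile(r"[0-9A-Fa-f]{1,4}")
MAX_OUIS = 16  # limit stated on this page


def parse_mac(text: str) -> int:
    """Parse H-H-H notation into a 48-bit integer; '1-1-1' means 0001-0001-0001."""
    groups = text.strip().split("-")
    if len(groups) != 3 or not all(_GROUP.fullmatch(g) for g in groups):
        raise ValueError(f"not an H-H-H MAC address: {text!r}")
    value = 0
    for group in groups:
        value = (value << 16) | int(group, 16)
    return value


def format_mac(value: int) -> str:
    """Format a 48-bit integer back into zero-padded H-H-H notation."""
    return "-".join(f"{(value >> shift) & 0xFFFF:04x}" for shift in (32, 16, 0))


@dataclass(frozen=True)
class Oui:
    prefix: int  # configured MAC address AND mask
    mask: int

    @classmethod
    def from_config(cls, mac: str, mask: str) -> "Oui":
        mac_value, mask_value = parse_mac(mac), parse_mac(mask)
        if mac_value == 0:
            raise ValueError("mac-address cannot be all 0s")
        if (mac_value >> 40) & 1:  # group bit of the first octet
            raise ValueError("mac-address cannot be multicast or broadcast")
        return cls(mac_value & mask_value, mask_value)

    def matches(self, src_mac: int) -> bool:
        return (src_mac & self.mask) == self.prefix


@dataclass
class OuiTable:
    entries: List[Oui] = field(default_factory=list)

    def add(self, mac: str, mask: str) -> bool:
        """Return False when the table already holds 16 OUIs and the entry is ignored."""
        oui = Oui.from_config(mac, mask)
        if oui in self.entries:
            return True
        if len(self.entries) >= MAX_OUIS:
            return False
        self.entries.append(oui)
        return True


def undo_argument(mac: str, mask: str) -> str:
    """Value to give undo voice-vlan mac-address: the AND of address and mask."""
    return format_mac(parse_mac(mac) & parse_mac(mask))


@dataclass(frozen=True)
class Verdict:
    forwarded_in_voice_vlan: bool
    dot1p: Optional[int]  # None means the priority is left unchanged
    dscp: Optional[int]


def handle_frame(src_mac: str, table: OuiTable, security_mode: bool = True,
                 dot1p: int = 6, dscp: int = 46) -> Verdict:
    """Apply Table 3-8; security mode and 6/46 are the defaults stated on this page."""
    source = parse_mac(src_mac)
    if any(oui.matches(source) for oui in table.entries):
        return Verdict(True, dot1p, dscp)
    # No OUI match: priority untouched, forwarded only in ordinary mode.
    return Verdict(not security_mode, None, None)


if __name__ == "__main__":
    table = OuiTable()
    table.add("1-1-1", "FFFF-FF00-0000")
    print("OUI:", undo_argument("1-1-1", "FFFF-FF00-0000"))
    # Constructed source addresses: the second differs only in the third octet.
    for mac in ("0001-00aa-bbcc", "0001-01aa-bbcc"):
        for secure in (True, False):
            print(mac, "security" if secure else "ordinary",
                  handle_frame(mac, table, security_mode=secure))
```

The second sample address shares the first 16 bits with the OUI but differs in the third octet, so it is kept out of the voice VLAN only when security mode is on.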
Procedure
- Security mode
1.
2.
3. Run the voice-vlan security enable command to configure the voice VLAN to work in
security mode.
By default, a voice VLAN works in security mode.
- Ordinary mode
1.
2.
3. Run the undo voice-vlan security enable command to configure the voice VLAN to
work in ordinary mode.
By default, a voice VLAN works in security mode.
----End
Context
After VoIP devices of some vendors are powered on, they send proprietary protocol packets
instead of DHCP packets to apply for IP addresses. To help Huawei datacom devices communicate with
voice devices of other vendors, you can enable the voice VLAN legacy function. This allows
Huawei devices to identify packets of proprietary protocols of other vendors.
Procedure
Step 1 Run:
system-view
The view of a port connecting the device to users' voice devices is displayed.
Step 3 Run:
voice-vlan legacy enable
Prerequisite
The configurations of a voice VLAN are complete.
Procedure
- Run the display voice-vlan [ vlan-id ] status command to check information about the
voice VLAN, including the working mode, security mode, aging timer value and the 802.1p
priority and DSCP value as well as the configuration of the port enabled with the voice
VLAN function.
- Run the display voice-vlan oui command to check information about the OUI of the voice
VLAN, including the mask and description of the OUI.
----End
Applicable Environment
An mVLAN can be configured to help a user use an NMS to manage indirectly-connected
devices.
After an mVLAN is configured, a user can use the IP address of the VLANIF interface
corresponding to the mVLAN to telnet to a management switch and manage devices attached
to the switch.
Pre-configuration Tasks
Before configuring an mVLAN, complete the following task:
- Creating a VLAN
Data Preparation
To configure an mVLAN, you need the following data.
No.
Data
VLAN ID
Procedure
Step 1 Run:
system-view
An mVLAN is configured.
Only a trunk or hybrid port can be added to an mVLAN.
After the undo management-vlan command is used for an mVLAN, the mVLAN becomes an
ordinary VLAN, to which access, trunk, or hybrid ports can be added.
----End
Procedure
Step 1 Run:
system-view
After assigning an IP address to the VLANIF interface, you can run the telnet command to log
in to a management switch to manage attached devices.
----End
Prerequisite
The configurations of an mVLAN are complete.
Procedure
- Run the display vlan command to check information about the mVLAN. The command
output shows information about the mVLAN in the line starting with an asterisk (*).
----End
Applicable Environment
A company has multiple subsidiary companies. When the parent company attempts to
communicate with a subsidiary company, data is processed by a core switch before being sent
to the parent company or subsidiary company. If multiple subsidiary companies communicate
with the parent company at the same time, processing capabilities of the core switch deteriorate.
The communication efficiency is adversely affected and communication expenditure increases.
VLAN transparent transport can be configured on the core switch to prevent this problem.
On the network shown in Figure 3-9, switch B is enabled with VLAN transparent transmission.
After that, switch B directly forwards data from the specified VLAN instead of sending the data
to its CPU. This improves processing capabilities of the switch, reduces communication
expenditure, and minimizes the probability of malicious attacks on the switch.
Figure 3-9 (diagram labels: Parent Company, SwitchA, SwitchB, Subsidiary Company1, Subsidiary
Company2, Subsidiary Company3, Marketing Department VLAN10, Technology Department VLAN20,
Finance Department VLAN50)
Pre-configuration Tasks
Before configuring VLAN transparent transport, complete the following task:
l
Data Preparation
To configure VLAN transparent transport, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
Prerequisite
The VLAN transparent transport configurations are complete.
Procedure
- Run the display this command in the VLAN view to check the configuration for VLAN
transparent transport.
----End
Context
CAUTION
Statistics about VLAN packets cannot be restored after you clear them. Confirm the action before
you use the command.
To clear the statistics of VLAN packets, run the following reset command in the user view:
Procedure
- Run the reset vlan vlan-id statistics [ slot slot-id ] command to clear packet statistics of a
specified VLAN.
----End
Networking Requirements
An enterprise has multiple departments. It is required that departments in charge of the same
service can communicate with each other, and departments in charge of different services cannot
communicate with each other.
As shown in Figure 3-10, the requirements are as follows:
l
Figure 3-10 (diagram labels: Network, Switch, GE1/0/1, GE1/0/2, GE1/0/3, GE1/0/4, Department 1,
Department 2, Department 3, Department 4, VLAN 2, VLAN 3)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Add the ports connected to department 1 and department 2 to VLAN 2 and the ports
connected to department 3 and department 4 to VLAN 3 to prevent employees in department
1 or department 2 from communicating with employees in department 3 or department 4.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure the Switch.
# Create VLAN 2.
<Quidway> system-view
[Quidway] vlan 2
[Quidway-vlan2] quit
# Set the link type of GE 1/0/1 to trunk and add GE 1/0/1 to VLAN 2.
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port link-type trunk
[Quidway-GigabitEthernet1/0/1] port trunk allow-pass vlan 2
[Quidway-GigabitEthernet1/0/1] quit
# Set the link type of GE 1/0/2 to trunk and add GE 1/0/2 to VLAN 2.
[Quidway] interface gigabitethernet 1/0/2
[Quidway-GigabitEthernet1/0/2] port link-type trunk
[Quidway-GigabitEthernet1/0/2] port trunk allow-pass vlan 2
[Quidway-GigabitEthernet1/0/2] quit
# Create VLAN 3.
[Quidway] vlan 3
[Quidway-vlan3] quit
# Set the link type of GE 1/0/3 to trunk and add GE 1/0/3 to VLAN 3.
[Quidway] interface gigabitethernet 1/0/3
[Quidway-GigabitEthernet1/0/3] port link-type trunk
[Quidway-GigabitEthernet1/0/3] port trunk allow-pass vlan 3
[Quidway-GigabitEthernet1/0/3] quit
# Set the link type of GE 1/0/4 to trunk and add GE 1/0/4 to VLAN 3.
[Quidway] interface gigabitethernet 1/0/4
[Quidway-GigabitEthernet1/0/4] port link-type trunk
[Quidway-GigabitEthernet1/0/4] port trunk allow-pass vlan 3
[Quidway-GigabitEthernet1/0/4] quit
Configuration Files
The following lists the configuration file of the Switch.
#
sysname Quidway
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 3
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 3
#
return
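The isolation requirement of this example can be checked from the configuration file itself. The following Python script is an added example, not part of the Huawei guide: it parses the file above, derives which ports share a VLAN, and reports any overlap between the two service groups. The group names and the implicit_vlans parameter are assumptions introduced for illustration; only numeric VLAN lists are handled.

```python
from itertools import combinations

# Configuration file of the Switch, copied from the example above.
CONFIG = """\
#
sysname Quidway
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 3
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 3
#
return
"""

# Hypothetical grouping for the check: ports that serve the same service.
GROUPS = {
    "service-a": ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"],
    "service-b": ["GigabitEthernet1/0/3", "GigabitEthernet1/0/4"],
}


def expand_vlans(tokens):
    """Expand a VLAN list such as ['2', 'to', '4', '10'] into {2, 3, 4, 10}."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_config(text):
    """Return (created VLANs, {physical port: explicitly configured VLANs})."""
    created, ports, current = set(), {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] in ("#", "return"):
            current = None  # '#' closes the current stanza
            continue
        if words[:2] == ["vlan", "batch"]:
            created |= expand_vlans(words[2:])
        elif words[0] == "vlan" and len(words) == 2 and words[1].isdigit():
            created.add(int(words[1]))
        elif words[0] == "interface":
            # Vlanif interfaces are Layer 3; only physical ports carry membership.
            current = None if words[1].startswith("Vlanif") else words[1]
            if current:
                ports[current] = set()
        elif current and words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            ports[current] |= expand_vlans(words[4:])
        elif current and words[:3] == ["port", "default", "vlan"]:
            ports[current] |= expand_vlans(words[3:])
        elif current and words[:2] == ["port", "hybrid"] and words[2:4] in (
                ["tagged", "vlan"], ["untagged", "vlan"]):
            ports[current] |= expand_vlans(words[4:])
    return created, ports


def shared_vlans(ports, implicit_vlans=frozenset()):
    """Map each port pair to the VLANs both ports carry (Layer 2 adjacency)."""
    pairs = {}
    for a, b in combinations(sorted(ports), 2):
        common = (ports[a] | implicit_vlans) & (ports[b] | implicit_vlans)
        if common:
            pairs[(a, b)] = common
    return pairs


def isolation_violations(ports, groups, implicit_vlans=frozenset()):
    """Port pairs from different groups that still share at least one VLAN."""
    group_of = {p: g for g, members in groups.items() for p in members}
    return {pair: vlans
            for pair, vlans in shared_vlans(ports, implicit_vlans).items()
            if group_of.get(pair[0]) != group_of.get(pair[1])}


def uncreated_vlans(created, ports):
    """VLANs configured on a port that the file never creates."""
    return {p: v - created for p, v in ports.items() if v - created}


if __name__ == "__main__":
    created, ports = parse_config(CONFIG)
    print("explicit violations:", isolation_violations(ports, GROUPS))
    # Assumption: the platform keeps every trunk port in VLAN 1 unless removed.
    print("with implicit VLAN 1:",
          isolation_violations(ports, GROUPS, frozenset({1})))
```

The second call shows why a membership a platform adds by default, which does not appear in the configuration text, has to be checked separately: under that assumption all four cross-group pairs share VLAN 1.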
Networking Requirements
On the intranet of a company, the network administrator adds PCs of employees in a department
to the same VLAN. To improve information security, only employees in this department are
allowed to access the intranet.
As shown in Figure 3-11, only PC1, PC2, and PC3 are allowed to access the intranet through
SwitchA and Switch.
[Figure 3-11: networking diagram with the enterprise network, the Switch (GE1/0/1, GE1/0/2), and SwitchA (GE1/0/1)]
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create VLANs and determine the VLAN that PCs of employees belong to.
2.
3.
Associate MAC addresses of PC1, PC2, and PC3 with the specified VLAN so that the
Switch can assign the VLAN to packets according to their source MAC addresses.
Data Preparation
To complete the configuration, you need the following data:
l
VLAN 1 to which all the interfaces are added in untagged mode on SwitchA
MAC addresses of PC1, PC2, and PC3 need to be associated with VLAN 10.
Procedure
Step 1 Configure the Switch.
# Create VLANs.
<Quidway> system-view
[Quidway] vlan batch 10 100
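[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[Quidway-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface gigabitethernet 1/0/2
[Quidway-GigabitEthernet1/0/2] port hybrid tagged vlan 10
[Quidway-GigabitEthernet1/0/2] quit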
# Associate MAC addresses of PC1, PC2, and PC3 with VLAN 10.
[Quidway] vlan 10
[Quidway-Vlan10] mac-vlan mac-address 22-22-22
[Quidway-Vlan10] mac-vlan mac-address 33-33-33
[Quidway-Vlan10] mac-vlan mac-address 44-44-44
[Quidway-Vlan10] quit
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 10 100
#
vlan 10
mac-vlan mac-address 0022-0022-0022
mac-vlan mac-address 0033-0033-0033
mac-vlan mac-address 0044-0044-0044
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 100
port hybrid untagged vlan 10
mac-vlan enable
#
interface GigabitEthernet1/0/2
port hybrid tagged vlan 10
#
return
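How this configuration keeps other PCs off the intranet can be traced frame by frame. The following Python model is an added example, not part of the Huawei guide: it classifies an untagged frame arriving on GE1/0/1 by source MAC address and then applies the VLAN membership of both ports. It models only the lines shown in the configuration file; the MAC address 00e0-fc12-3456 is a constructed sample.

```python
import re

# Values taken from the "Configuration file of the Switch" above.
MAC_VLAN = {"0022-0022-0022": 10, "0033-0033-0033": 10, "0044-0044-0044": 10}
PORTS = {
    "GigabitEthernet1/0/1": {"pvid": 100, "untagged": {10}, "tagged": set(),
                             "mac_vlan": True},
    # The file sets no PVID on GE1/0/2; the model never needs one for egress.
    "GigabitEthernet1/0/2": {"pvid": None, "untagged": set(), "tagged": {10},
                             "mac_vlan": False},
}


def normalize_mac(text):
    """Accept H-H-H notation (1 to 4 hex digits per group); return 12 hex digits."""
    groups = text.strip().lower().split("-")
    if len(groups) != 3 or not all(
            re.fullmatch(r"[0-9a-f]{1,4}", g) for g in groups):
        raise ValueError(f"not an H-H-H MAC address: {text!r}")
    return "".join(g.zfill(4) for g in groups)


# The procedure writes 22-22-22 where the file shows 0022-0022-0022;
# normalizing both forms makes the lookup independent of the notation.
TABLE = {normalize_mac(mac): vlan for mac, vlan in MAC_VLAN.items()}


def classify_untagged(port, src_mac):
    """Pick the VLAN for an untagged frame: MAC-VLAN entry first, else the PVID."""
    cfg = PORTS[port]
    if cfg["mac_vlan"]:
        vlan = TABLE.get(normalize_mac(src_mac))
        if vlan is not None:
            return vlan, "mac-vlan"
    return cfg["pvid"], "pvid"


def member_vlans(port):
    """VLANs the port was explicitly added to, tagged or untagged."""
    return PORTS[port]["untagged"] | PORTS[port]["tagged"]


def forward_upstream(src_mac, ingress="GigabitEthernet1/0/1",
                     egress="GigabitEthernet1/0/2"):
    """Decide whether a frame from src_mac reaches the uplink, and in which VLAN."""
    vlan, source = classify_untagged(ingress, src_mac)
    for port in (ingress, egress):
        if vlan not in member_vlans(port):
            return {"action": "drop", "vlan": vlan, "classified_by": source,
                    "reason": f"{port} is not a member of VLAN {vlan}"}
    return {"action": "forward", "vlan": vlan, "classified_by": source,
            "tagged": vlan in PORTS[egress]["tagged"]}


if __name__ == "__main__":
    # 22-22-22 is PC1's address as typed in the procedure;
    # 00e0-fc12-3456 is a constructed address that is not in the table.
    for mac in ("22-22-22", "0044-0044-0044", "00e0-fc12-3456"):
        print(mac, forward_upstream(mac))
```

The decision depends only on the source MAC field of the frame, so the association table is a classification rule rather than an authentication of the host.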
Networking Requirements
A company has multiple services including the IPTV, VoIP, and Internet access services. Each
service uses a unique IP address. Packets of the same service must be transmitted in the same
VLAN and packets of different services must be transmitted in different VLANs.
On the network shown in Figure 3-12, a switch receives Internet, IPTV, and voice services from
users whose IP addresses differ. Packets of different services need to be transmitted in
different VLANs and packets of each service need to be sent to a specified remote server.
Figure 3-12 Network diagram of IP subnet-based VLAN assignment
[Diagram labels: IPTV server, Voice Network, Internet, RouterA, RouterB, RouterC, Switch (GE1/0/1 to GE1/0/4), users at 192.168.1.2, 192.168.2.2, and 192.168.3.2]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Configure a port to allow frames with specified VLAN IDs to pass through.
4.
5.
Data Preparation
To complete the configuration, you need the following data:
l
VLANs to which GE1/0/1 needs to be added in untagged mode: VLAN 100, VLAN 200,
and VLAN 300
VLANs to which GE1/0/2, GE1/0/3, and GE1/0/4 need to be added in tagged mode
respectively: VLAN 100, VLAN 200, and VLAN 300
IP Subnet
Index
Source IP
Address
Subnet Mask
802.1p Priority
100
192.168.1.2
255.255.255.0
200
192.168.2.2
255.255.255.0
300
192.168.3.2
255.255.255.0
Procedure
Step 1 Create VLANs.
# Create VLAN 100, VLAN 200, and VLAN 300 on the Switch.
<Quidway> system-view
[Quidway] vlan batch 100 200 300
# Associate 192.168.2.2 to VLAN 200 and set the 802.1p priority of VLAN 200 to 3.
[Quidway] vlan 200
[Quidway-vlan200] ip-subnet-vlan 1 ip 192.168.2.2 24 priority 3
[Quidway-vlan200] quit
# Associate IP subnet 192.168.3.2 with VLAN 300 and set the 802.1p priority of VLAN 300 to 4.
[Quidway] vlan 300
[Quidway-vlan300] ip-subnet-vlan 1 ip 192.168.3.2 24 priority 4
[Quidway-vlan300] quit
----End
Configuration Files
l
Networking Requirements
A company has multiple services including the IPTV, VoIP, and Internet access services. Each
service uses a unique protocol. It is required that services of the same type be transmitted in a
VLAN and services of different types be transmitted in separate VLANs to facilitate
management and reduce manual VLAN configuration workload.
As shown in Figure 3-13, the Switch receives packets of multiple services that use different
protocols. Users in VLAN 10 use IPv4 to communicate with remote users, and users in VLAN
20 use IPv6 to communicate with the servers. The Switch needs to assign VLANs to packets of
different services and transmit packets with different VLAN IDs to different servers.
Figure 3-13 Network diagram of protocol-based VLAN assignment
[Diagram labels: Voice Network, Internet, RouterA, RouterB, Switch (GE1/0/1 to GE1/0/3), IPv4 users in VLAN 10, IPv6 users in VLAN 20]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Configure a port to allow frames with specified VLAN IDs to pass through.
4.
Data Preparation
To complete the configuration, you need the following data:
l
VLANs to which GE1/0/1 of the Switch needs to be added in untagged mode: VLAN 10
and VLAN 20
VLANs to which GE1/0/2 and GE1/0/3 of the Switch need to be added in tagged mode:
VLAN 10 and VLAN 20
Procedure
Step 1 Create VLANs.
<Quidway> system-view
[Quidway] sysname Switch
[Switch] vlan batch 10 20
# Associate GE1/0/1 with VLAN 20 and set the 802.1p priority of VLAN 20 to 6.
# Add GE1/0/2 to VLAN 10 so that GE1/0/2 allows packets of VLAN 10 to pass through.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/2] quit
# Add GE1/0/3 to VLAN 20 so that GE1/0/3 allows packets of VLAN 20 to pass through.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type trunk
[Switch-GigabitEthernet1/0/3] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/3] quit
----End
Configuration Files
l
#
return
Networking Requirements
Departments of an enterprise are located on different network segments and use the same services
such as Internet access and VoIP. Departments in different VLANs need to use the same service,
so communication between VLANs must be implemented.
As shown in Figure 3-14, department 1 and department 2 use the same service but belong to
different VLANs and are located on different network segments. Users in department 1 and
department 2 need to communicate with each other.
Figure 3-14 Communication between VLANs using VLANIF interfaces
[Diagram labels: Switch (GE1/0/1), SwitchA (GE1/0/1, GE1/0/2, GE1/0/3), Department1 in VLAN 10 with PC1 at 10.10.10.2/24, Department2 in VLAN 20 with PC2 at 20.20.20.2/24]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Add Layer 2 interfaces to the VLANs so that packets of the VLANs can pass through the
Layer 2 interfaces.
3.
On the Layer 3 switch, create VLANIF interfaces corresponding to the VLANs and
configure IP addresses for the VLANIF interfaces to implement Layer 3 communication.
NOTE
To implement communication between VLANs, hosts in each VLAN must use the IP address of the
corresponding VLANIF interface as gateway address.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure the Switch.
# Create VLANs.
<Quidway> system-view
[Quidway] vlan batch 10 20
1/0/1
link-type trunk
trunk allow-pass vlan 10 20
1/0/2
link-type access
default vlan 10
1/0/3
link-type access
default vlan 20
On PC2 in VLAN 20, set the default gateway address to 20.20.20.1/24, which is the IP address
of VLANIF20.
After the preceding configurations are complete, PC1 in VLAN 10 and PC2 in VLAN 20 can
communicate.
----End
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface Vlanif20
ip address 20.20.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
#
return
Networking Requirements
As shown in Figure 3-15, Switch A and Switch B are connected to Layer 2 networks that VLAN
10 belongs to. Switch A and Switch B communicate with each other through an OSPF-enabled
Layer 3 network.
It is required that the computers on the two Layer 2 networks be isolated at Layer 2 and
communicate at Layer 3.
Figure 3-15 Networking diagram for communication across a Layer 3 network through VLANIF
interfaces
[Diagram labels: SwitchA and SwitchB (each with GE1/0/1 and GE1/0/2) joined by an OSPF network, each connected to a Layer 2 network in VLAN 10]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure Switch A.
# Create VLANs.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 10 30
1/0/1
link-type trunk
trunk allow-pass vlan 10
1/0/2
link-type trunk
trunk allow-pass vlan 30
1/0/2
link-type trunk
trunk allow-pass vlan 10
1/0/1
link-type trunk
trunk allow-pass vlan 30
Configuration Files
Configuration file of Switch A
#
sysname SwitchA
#
router id 1.1.1.1
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface Vlanif30
ip address 30.30.30.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
ospf 1
area 0.0.0.0
network 10.10.10.0 0.0.0.255
network 30.30.30.0 0.0.0.255
#
return
#
ospf 1
area 0.0.0.0
network 20.20.20.0 0.0.0.255
network 30.30.30.0 0.0.0.255
#
return
Networking Requirements
Departments of an enterprise are located on different network segments and use the same services
such as Internet access and VoIP. Departments in different VLANs need to use the same service,
so communication between VLANs must be implemented.
As shown in Figure 3-16, department 1 and department 2 use the same service but belong to
different VLANs and are located on different network segments. Users in department 1 and
department 2 need to communicate with each other.
Figure 3-16 Networking diagram for implementing communication between VLANs through
sub-interfaces
[Diagram labels: Switch with GE1/0/1.1 (10.10.10.1/24) and GE1/0/2.1 (20.20.20.1/24), SwitchA, SwitchB, Department1 in VLAN 10 with PC1 at 10.10.10.2/24, Department2 in VLAN 20 with PC2 at 20.20.20.2/24]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
l
VLANs that GE 1/0/1.1 and GE 1/0/2.1 belong to: VLAN 10 and VLAN 20
VLAN that the uplink of Switch A belongs to: VLAN 10 (tagged mode)
VLAN that the downstream interface of Switch A belongs to: VLAN 10 (default mode)
VLAN that the uplink of Switch B belongs to: VLAN 20 (tagged mode)
VLAN that the downstream interface of Switch B belongs to: VLAN 20 (default mode)
Procedure
Step 1 Configure the interface connected to Switch A.
# Create and configure sub-interface GE 1/0/1.1.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/1.1
[Quidway-GigabitEthernet1/0/1.1] control-vid 100 dot1q-termination rt-protocol
[Quidway-GigabitEthernet1/0/1.1] dot1q termination vid 10
[Quidway-GigabitEthernet1/0/1.1] ip address 10.10.10.1 24
[Quidway-GigabitEthernet1/0/1.1] arp broadcast enable
[Quidway-GigabitEthernet1/0/1.1] quit
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
interface GigabitEthernet1/0/1.1
control-vid 100 dot1q-termination rt-protocol
dot1q termination vid 10
ip address 10.10.10.1 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet1/0/2.1
control-vid 200 dot1q-termination rt-protocol
dot1q termination vid 20
ip address 20.20.20.1 255.255.255.0
arp broadcast enable
#
return
Networking Requirements
As shown in Figure 3-17, Switch A and Switch B are connected to Layer 2 networks that VLAN
10 belongs to. Switch A communicates with Switch B through a Layer 3 network where OSPF
is enabled.
It is required that the computers of the two Layer 2 networks be isolated at Layer 2 and interwork
at Layer 3.
Figure 3-17 Networking diagram for communication across a Layer 3 network through sub-interfaces
[Diagram labels: SwitchA, SwitchB, OSPF, GE1/0/1, GE1/0/2, GE1/0/1.1, GE1/0/2.1, VLAN 10 on both sides]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
5.
6.
NOTE
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure Switch A.
# Create a VLAN.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 30
Configuration Files
Configuration file of Switch A
#
sysname SwitchA
#
router id 1.1.1.1
#
vlan batch 30
#
interface Vlanif30
ip address 30.30.30.1 255.255.255.0
#
interface GigabitEthernet1/0/1.1
Networking Requirements
As shown in Figure 3-18, GE 1/0/1 and GE 1/0/2 of the Switch are connected to the uplink
interfaces of Switch A and Switch B respectively.
The downlink interfaces of Switch A and Switch B are added to VLAN 10 and VLAN 20
respectively.
It is required that PCs in VLAN 10 and PCs in VLAN 20 should be able to communicate with
each other.
Figure 3-18 Networking diagram for communication between VLANs through VLAN
switching
[Diagram labels: Switch (GE1/0/1, GE1/0/2), SwitchA with VLAN 10, SwitchB with VLAN 20, PC1 to PC4]
Configuration Roadmap
The configuration roadmap is as follows:
1.
Add the uplink and downlink interfaces of Switch A and Switch B to VLANs.
2.
Data Preparation
To complete the configuration, you need the following data:
l
VLAN that the uplink interface of Switch A belongs to: VLAN 10 (tagged mode)
VLAN that the downlink interface of Switch A belongs to: VLAN 10 (default mode)
VLAN that the uplink interface of Switch B belongs to: VLAN 20 (tagged mode)
VLAN that the downlink interface of Switch B belongs to: VLAN 20 (default mode)
NOTE
VLAN 10 and VLAN 20 cannot be created on the Switch; otherwise, the VLAN switching function
cannot be configured.
Procedure
Step 1 Configure the Switch.
# Configure the VLAN switching function on the Switch.
<Quidway> system-view
[Quidway] vlan-switch name1 interface GigabitEthernet 1/0/1 vlan 10 interface GigabitEthernet 1/0/2 switch-vlan 20
Configuration Files
Configuration file of a Switch
#
sysname Quidway
#
vlan-switch name1 interface GigabitEthernet1/0/1 vlan 10 interface GigabitEthernet1/0/2 switch-vlan 20
#
return
Networking Requirements
Assume that an enterprise has many departments and the IP addresses of these departments are on
the same network segment. To improve service security, the IP addresses of employee users in
different departments are added to different VLANs. Employee users in different departments
need to communicate with each other.
As shown in Figure 3-19, IP addresses of the R&D department and test department belong to
different VLANs. It is required that employee users in different VLANs communicate with each
other.
Figure 3-19 Network diagram of VLAN aggregation
[Diagram labels: Switch with GE1/0/0, GE2/0/0, GE3/0/0, and GE4/0/0; VLAN 2, VLAN 3, VLAN 4; VLANIF4: 100.1.1.12/24]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Set the interface type.
# Configure GE 1/0/0 as an access interface.
<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] port link-type access
[Quidway-GigabitEthernet1/0/0] quit
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 2 to 4
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 100.1.1.12 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
#
interface GigabitEthernet1/0/0
port link-type access
port default vlan 2
#
interface GigabitEthernet2/0/0
port link-type access
port default vlan 2
#
interface GigabitEthernet3/0/0
port link-type access
port default vlan 3
#
interface GigabitEthernet4/0/0
Networking Requirements
In an enterprise network, all employees of the enterprise can access the enterprise's server. It is
required that some employees be able to communicate with each other, whereas some employees
cannot communicate with each other.
As shown in Figure 3-20, in an enterprise network, all employees of the enterprise can access
the enterprise's server. It is required that some employees be able to communicate with each
other, whereas some employees cannot communicate with each other.
For an enterprise with a large number of employees, each employee that is prohibited from
communicating with another needs to be added to a separate VLAN if the preceding scheme is
used. This wastes VLAN ID resources and imposes an additional configuration workload on the
network administrator.
Configuring a MUX VLAN on the switch connected to PCs helps to save VLAN ID resources,
reduce the configuration workload of the network administrator, and facilitate network
maintenance.
Figure 3-20 Typical networking of MUX VLAN configuration
[Diagram labels: Switch with GE1/0/1 to GE1/0/5; HostA in VLAN 2; HostB and HostC in VLAN 3; HostD and HostE in VLAN 4]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
Add interfaces to the VLAN and enable the MUX VLAN function.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure the MUX VLAN.
# Create VLAN 2, VLAN 3, and VLAN 4.
<Quidway> system-view
[Quidway] vlan batch 2 3 4
[Quidway] quit
Host B and Host C cannot ping Host D or Host E. Host D and Host E cannot ping Host B or Host
C.
----End
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate group 3
subordinate separate 4
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
port mux-vlan enable
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 3
port mux-vlan enable
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 3
port mux-vlan enable
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 4
port mux-vlan enable
#
interface GigabitEthernet1/0/5
port link-type access
port default vlan 4
port mux-vlan enable
#
return
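The reachability that this MUX VLAN configuration produces can be computed from the vlan 2 stanza. The following Python model is an added example, not part of the Huawei guide: it reads the principal, group, and separate VLANs from the stanza and derives which hosts can reach each other. The host-to-VLAN placement follows the labels of Figure 3-20, and the rules in can_communicate are the standard MUX VLAN semantics, which the surviving text of this page does not spell out in full.

```python
from itertools import combinations

# MUX VLAN stanza from the configuration file above.
MUX_STANZA = """\
vlan 2
mux-vlan
subordinate group 3
subordinate separate 4
"""

# Host-to-VLAN placement as labelled in Figure 3-20.
HOST_VLAN = {"HostA": 2, "HostB": 3, "HostC": 3, "HostD": 4, "HostE": 4}


def parse_mux(stanza):
    """Return (principal VLAN, set of group VLANs, separate VLAN or None)."""
    principal, groups, separate, current = None, set(), None, None
    for line in stanza.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "vlan":
            current = int(words[1])
        elif words == ["mux-vlan"]:
            principal = current
        elif words[:2] == ["subordinate", "group"]:
            # Plain VLAN IDs only, as in the configuration on this page.
            groups |= {int(v) for v in words[2:]}
        elif words[:2] == ["subordinate", "separate"]:
            separate = int(words[2])
    if principal is None:
        raise ValueError("no principal VLAN (mux-vlan) found")
    return principal, groups, separate


def role(vlan, mux):
    """Classify a VLAN as principal, group, or separate."""
    principal, groups, separate = mux
    if vlan == principal:
        return "principal"
    if vlan in groups:
        return "group"
    if vlan == separate:
        return "separate"
    raise ValueError(f"VLAN {vlan} is not part of the MUX VLAN")


def can_communicate(vlan_a, vlan_b, mux):
    """Apply the MUX VLAN rules to two ports, given their default VLANs."""
    role_a, role_b = role(vlan_a, mux), role(vlan_b, mux)
    if "principal" in (role_a, role_b):
        return True                      # principal ports reach every port
    if role_a == role_b == "group":
        return vlan_a == vlan_b          # only within the same group VLAN
    return False                         # separate ports reach only the principal


def reachability(hosts, mux):
    """Return {(host_a, host_b): bool} for every unordered host pair."""
    return {(a, b): can_communicate(hosts[a], hosts[b], mux)
            for a, b in combinations(sorted(hosts), 2)}


def isolated_pairs(hosts, mux):
    """Host pairs that cannot communicate with each other."""
    return sorted(p for p, ok in reachability(hosts, mux).items() if not ok)


if __name__ == "__main__":
    mux = parse_mux(MUX_STANZA)
    for pair, ok in reachability(HOST_VLAN, mux).items():
        print(pair, "reachable" if ok else "isolated")
```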
Networking Requirements
Data flows of the HSI, VoIP, and IPTV services are transmitted on a network. Users require
high quality of VoIP services; therefore, voice data flows must be transmitted with a high priority
to ensure the call quality.
As shown in Figure 3-21, after a voice VLAN is configured on the Switch, the Switch checks
whether a data flow received by GigabitEthernet1/0/1 is a voice data flow based on the source
MAC address of the data flow. If the data flow is a voice data flow, the Switch changes the
priority of the flow and transmits it in the voice VLAN. If not, the Switch transmits the flow in
a common VLAN without changing the priority of the flow. GigabitEthernet1/0/1 needs to be
automatically added to or deleted from the voice VLAN.
Figure 3-21 Networking diagram of a voice VLAN in auto mode
[Diagram labels: DHCP Server, Internet, Switch (GE1/0/1), LAN Switch, HSI, VoIP, IPTV]
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create VLANs.
2.
3.
4.
Set the mode of adding the interface to the voice VLAN to auto.
5.
6.
7.
Data Preparation
To complete the configuration, you need the following data:
l
Voice VLAN and VLAN through which the IP phone applies for an IP address: VLAN 2
and VLAN 6
Procedure
Step 1 Create VLANs and configure the interface on the Switch.
# Create VLAN 2 and VLAN 6.
<Quidway> system-view
[Quidway] vlan batch 2 6
# Set the mode of adding the interface to the voice VLAN to auto.
[Quidway-GigabitEthernet1/0/1] voice-vlan mode auto
[Quidway-GigabitEthernet1/0/1] quit
Run the display voice-vlan 2 status command to check whether the mode of adding the interface
to the voice VLAN, working mode, and aging time of the voice VLAN are correct.
<Quidway> display voice-vlan 2 status
Voice VLAN Configurations:
--------------------------------------------------
Voice VLAN ID            : 2
Voice VLAN status        : Enable
Voice VLAN aging time    : 100 (minutes)
Voice VLAN 8021p remark  : 6
Voice VLAN dscp remark   : 46
---------------------------------------------------------
Port Information:
----------------------------------------------------------
Port                     Add-Mode  Security-Mode  Legacy
----------------------------------------------------------
GigabitEthernet1/0/1     Auto      Security       Disable
----End
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 2 6
#
voice-vlan aging-time 100
#
voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 6
port hybrid untagged vlan 6
voice-vlan 2 enable
#
return
Networking Requirements
Data flows of the HSI, VoIP, and IPTV services are transmitted on a network. Users require
high quality of VoIP services; therefore, voice data flows must be transmitted with a high priority
to ensure the call quality.
As shown in Figure 3-22, after a voice VLAN is configured on the Switch, the Switch checks
whether a data flow received by GigabitEthernet1/0/1 is a voice data flow based on the source
MAC address of the data flow. If the data flow is a voice data flow, the Switch changes the
priority of the flow and transmits it in the voice VLAN. If not, the Switch transmits the flow in
a common VLAN without changing the priority of the flow. GigabitEthernet1/0/1 needs to be
added to or deleted from the voice VLAN manually.
[Figure 3-22: networking diagram with the DHCP Server, Internet, Switch (GE1/0/1), LAN Switch, HSI, VoIP, and IPTV]
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create VLANs.
2.
3.
4.
Set the mode of adding the interface to the voice VLAN to manual.
5.
6.
7.
Data Preparation
To complete the configuration, you need the following data:
l
Voice VLAN and VLAN through which the IP phone applies for an IP address: VLAN 2
and VLAN 6
Procedure
Step 1 Create VLANs and configure the interface on the Switch.
# Create VLAN 2 and VLAN 6.
<Quidway> system-view
[Quidway] vlan batch 2 6
# Set the mode of adding the interface to the voice VLAN to manual and add the interface to the
voice VLAN.
[Quidway-GigabitEthernet1/0/1] voice-vlan mode manual
[Quidway-GigabitEthernet1/0/1] port hybrid tagged vlan 2
[Quidway-GigabitEthernet1/0/1] quit
Run the display voice-vlan 2 status command to check whether the mode of adding the interface
to the voice VLAN, working mode, and aging time of the voice VLAN are correct.
<Quidway> display voice-vlan 2 status
Voice VLAN Configurations:
--------------------------------------------------
Voice VLAN ID            : 2
Voice VLAN status        : Enable
Voice VLAN aging time    : 1440 (minutes)
Voice VLAN 8021p remark  : 6
Voice VLAN dscp remark   : 46
---------------------------------------------------------
Port Information:
----------------------------------------------------------
Port                     Add-Mode  Security-Mode  Legacy
----------------------------------------------------------
GigabitEthernet1/0/1     Manual    Security       Disable
----End
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 2 6
#
voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 6
port hybrid tagged vlan 2
port hybrid untagged vlan 6
voice-vlan 2 enable
voice-vlan mode manual
#
return
Networking Requirements
A company has multiple subsidiary companies. When the parent company attempts to
communicate with a subsidiary company, data is processed by a core switch before being sent
to the parent company or subsidiary company. If multiple subsidiary companies communicate
with the parent company at the same time, processing capabilities of the core switch deteriorate.
The communication efficiency is adversely affected and communication expenditure increases.
VLAN transparent transport can be configured on the core switch to prevent this problem.
As shown in Figure 3-23, after VLAN transparent transmission is enabled, the Switch directly
forwards data from the specified VLAN instead of sending the data to its CPU. This improves
processing capabilities of the switch, reduces communication expenditure, and minimizes the
probability of malicious attacks on the switch.
[Figure 3-23: networking diagram with the Parent Company, Switch (GE1/0/1, GE1/0/2, GE1/0/3), packets of VLAN 20, SwitchA and SwitchB (each with GE0/0/1, Eth0/0/1, Eth0/0/2), VLAN 10, VLAN 20, Sub Company 1, Sub Company 2]
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create VLANs.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
l
VLAN 10 and VLAN 20 to which GE 1/0/2 of the Switch is added in tagged mode
VLAN 10 and VLAN 20 to which uplink interfaces of SwitchA and SwitchB are added in
tagged mode
VLAN 10 and VLAN 20 to which downlink interfaces of SwitchA and SwitchB are added
in default mode
Procedure
Step 1 Configure the Switch.
# Create VLANs.
<Quidway> system-view
[Quidway] vlan batch 10 20
1/0/1
hybrid tagged vlan 10
1/0/2
hybrid tagged vlan 10 20
1/0/3
hybrid tagged vlan 20
0/0/1
hybrid tagged vlan 10
pvid vlan 10
untagged vlan 10
pvid vlan 10
untagged vlan 10
0/0/1
hybrid tagged vlan 20
pvid vlan 20
untagged vlan 20
pvid vlan 20
untagged vlan 20
----End
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 10 20
#
vlan 20
protocol-transparent
#
interface GigabitEthernet1/0/1
port hybrid tagged vlan 10
#
interface GigabitEthernet1/0/2
port hybrid tagged vlan 10 20
#
interface GigabitEthernet1/0/3
port hybrid tagged vlan 20
#
return
interface Ethernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
interface GigabitEthernet0/0/1
port hybrid tagged vlan 20
#
return
Single-tag and double-tag VLAN mapping based on the interface and VLAN
Single-tag VLAN mapping based on the interface, 802.1p priority, and VLAN
For the commands related to VLAN mapping of single tag based on the traffic policy, see the
Quidway S9300 Terabit Routing Switch Command Reference - QoS.
Pre-configuration Tasks
Before configuring VLAN mapping, complete the following task:
• Configuring VLANs
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
Data Preparation
To configure VLAN mapping, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
• VLAN mapping can be configured only on a trunk or hybrid interface. In addition, the interface must
be added to the VLAN specified by map-vlan. On S-series boards, the interface must be added to the
VLAN specified by map-vlan in tagged mode.
• Currently, only the E-series and F-series boards support N:1 VLAN mapping. The side with N VLANs
must send packets first.
• Limiting MAC address learning on an interface may affect the N:1 VLAN mapping on the interface.
----End
Run the display vlan vlan-id command to check whether the interface is added to the
translated local VLAN.
Run the display current-configuration command to display information about the VLAN
mapping of single VLAN tag on the interface.
Run the preceding command, and you can obtain the following information:
The interface is added to the translated local VLAN.
The information about the VLAN mapping is correct.
----End
Pre-configuration Tasks
l
Data Preparation
To configure double-tag VLAN mapping, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
The interface is added to the VLAN whose ID will replace the outer VLAN tag of frames.
Step 5 Run:
port vlan-mapping vlan vlan-id1 inner-vlan vlan-id2 map-vlan vlan-id3 map-inner-vlan vlan-id4 [ remark-8021p 8021p-value ]
Procedure
Step 1 Run:
system-view
The interface is added to the VLAN whose ID will replace the outer VLAN tag of frames.
Step 5 Run:
port vlan-mapping vlan vlan-id1 inner-vlan vlan-id2 [ to vlan-id3 ] map-vlan vlan-id4 [ remark-8021p 8021p-value ]
Currently, only the E-series and F-series boards support VLAN mapping of double tags.
VLAN mapping can be configured only on a trunk or hybrid interface. In addition, the interface must be
added to the VLAN specified by map-vlan. On S-series boards, the interface must be added to the VLAN
specified by map-vlan in tagged mode.
----End
Run the display vlan vlan-id command to check whether the interface is added to the
translated local VLAN.
----End
device of the public network so that the VLANs of private networks and public network can be
separated. This saves VLAN resources of the public network.
Pre-configuration Tasks
l
Data Preparation
Before configuring VLAN mapping, you need the following data.
No.
Data
Procedure
l
Run:
system-view
Run:
traffic classifier classifier-name1
Run:
if-match vlan-id vlan-id1
The packet matching rule, that is, the original VLAN ID of packets matching the
classifier, is set.
4.
Run:
quit
Run:
traffic behavior behavior-name1
6.
Run:
remark vlan-id vlan-id2
The S9300 is configured to replace the original VLAN ID of the packets matching the
traffic classifier with the specified VLAN ID.
7.
Run:
quit
Run:
traffic policy policy-name1
Run:
classifier classifier-name1 behavior behavior-name1
The traffic classifier is bound to the traffic behavior in the traffic policy.
10. Run:
quit
The interface is added to the VLAN specified by the translated VLAN ID.
14. Run:
traffic-policy policy-name1 inbound
Run:
system-view
Run:
traffic classifier classifier-name2
Run:
if-match vlan-id vlan-id2
The packet matching rule, that is, the original VLAN ID of packets matching the
classifier, is set.
4.
Run:
quit
Run:
traffic behavior behavior-name2
Run:
remark vlan-id vlan-id1
The S9300 is configured to replace the original VLAN ID of the packets matching the
traffic classifier with the specified VLAN ID.
7.
Run:
quit
Run:
traffic policy policy-name2
Run:
classifier classifier-name2 behavior behavior-name2
The traffic classifier is bound to the traffic behavior in the traffic policy.
10. Run:
quit
Procedure
Run:
system-view
Run:
traffic classifier classifier-name1 operator and
Run:
if-match vlan-id vlan-id1
The packet matching rule, that is, the outer VLAN ID of packets matching the
classifier, is set.
4.
Run:
if-match cvlan-id vlan-id2
The packet matching rule, that is, the inner VLAN IDs of packets matching the
classifier, is set.
5.
Run:
quit
Run:
traffic behavior behavior-name1
Run:
remark vlan-id vlan-id3
The S9300 is configured to replace the outer VLAN ID of the packets matching the
traffic classifier with the specified VLAN ID.
8.
Run:
remark cvlan-id vlan-id4
The S9300 is configured to replace the inner VLAN ID of the packets matching the
traffic behavior with the specified VLAN ID.
9.
Run:
quit
15. Run:
port trunk allow-pass vlan vlan-id3
The interface is added to the VLANs specified by the translated VLAN IDs.
16. Run:
traffic-policy policy-name1 inbound
Run:
system-view
Run:
traffic classifier classifier-name2 operator and
Run:
if-match vlan-id vlan-id3
The packet matching rule, that is, the outer VLAN ID of packets matching the
classifier, is set.
4.
Run:
if-match cvlan-id vlan-id4
The packet matching rule, that is, the inner VLAN IDs of packets matching the
classifier, is set.
5.
Run:
quit
Run:
traffic behavior behavior-name2
Run:
remark vlan-id vlan-id1
The S9300 is configured to replace the outer VLAN ID of the packets matching the
traffic classifier with the specified VLAN ID.
8.
Run:
remark cvlan-id vlan-id2
The S9300 is configured to replace the inner VLAN ID of the packets matching the
traffic classifier with the specified VLAN ID.
9.
Run:
quit
11. Run:
classifier classifier-name2 behavior behavior-name2
The traffic classifier is bound to the traffic behavior in the traffic policy.
12. Run:
quit
Procedure
Run:
system-view
Run:
traffic classifier classifier-name1 operator and
Run:
if-match vlan-id vlan-id1
The packet matching rule, that is, the outer VLAN ID of packets matching the
classifier, is set.
4.
Run:
if-match cvlan-id vlan-id2
The packet matching rule, that is, the inner VLAN IDs of packets matching the
classifier, is set.
5.
Run:
quit
Run:
traffic behavior behavior-name1
Run:
remark vlan-id vlan-id3
The S9300 is configured to replace the outer VLAN ID of the packets matching the
traffic classifier with the specified VLAN ID.
8.
Run:
quit
Run:
traffic policy policy-name1
The interface is added to the VLAN specified by the translated VLAN ID.
15. Run:
traffic-policy policy-name1 inbound
Run:
system-view
Run:
traffic classifier classifier-name2 operator and
Run:
if-match vlan-id vlan-id3
The packet matching rule, that is, the outer VLAN ID of packets matching the
classifier, is set.
4.
Run:
The packet matching rule, that is, the inner VLAN IDs of packets matching the
classifier, is set.
5.
Run:
quit
Run:
traffic behavior behavior-name2
Run:
remark vlan-id vlan-id1
The S9300 is configured to replace the outer VLAN ID of the packets matching the
traffic classifier with the specified VLAN ID.
8.
Run:
quit
Run:
traffic policy policy-name2
The traffic classifier is bound to the traffic behavior in the traffic policy.
11. Run:
quit
----End
Pre-configuration Tasks
Before configuring VLAN mapping based on the VLAN priority, complete the following task.
Data Preparation
To configure VLAN mapping based on the VLAN priority, you need the following data.
No.
Data
VLAN ID and 802.1p priority of the incoming interface before VLAN mapping is
configured
VLAN ID and internal priority of the incoming interface after VLAN mapping is
configured
The internal priority of outgoing packets in a VLAN is mapped to the 802.1p priority on the
interface of the DiffServ domain.
Step 4 Run:
quit
Step 6 Run:
port hybrid tagged vlan vlan-id
The interface is bound to the DiffServ domain and the mapping in the DiffServ domain is applied
to the interface.
By default, the priority is not changed when the internal priority is mapped to the external
priority.
----End
Run the display this command in the view of the incoming interface to check the
configuration of VLAN mapping based on the VLAN priority.
Run the display this command in the view of the outgoing interface to check the
configuration of VLAN mapping based on the VLAN priority.
----End
Figure 4-1 Networking diagram for configuring VLAN mapping of single VLAN tag
[Figure not reproduced. Labels: SwitchA, SwitchB, SwitchC, SwitchD; interfaces GE1/0/1, GE2/0/2, GE3/0/1, GE3/0/2; Network, VLAN 10, VLAN 6, VLAN 5]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Add interfaces of SwitchA, SwitchB, SwitchC, and SwitchD to the corresponding VLANs.
3.
4.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create VLANs on the Switches.
# Create VLAN 6 on SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan 6
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] vlan 5
3/0/1
link-type trunk
trunk allow-pass vlan 6
3/0/2
link-type trunk
trunk allow-pass vlan 6
3/0/1
link-type trunk
trunk allow-pass vlan 5
3/0/2
link-type trunk
trunk allow-pass vlan 5
Port: GigabitEthernet1/0/1
GigabitEthernet3/0/2
---------------QinQ-map
Port: GigabitEthernet1/0/1
---------------Interface
Physical
GigabitEthernet1/0/1
UP
GigabitEthernet3/0/1
UP
GigabitEthernet3/0/2
UP
GigabitEthernet3/0/1
The hosts in VLAN 6 and the hosts in VLAN 5 can ping each other.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 6
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 6
port vlan-mapping vlan 10 map-vlan 6
#
interface GigabitEthernet3/0/1
port link-type trunk
port trunk allow-pass vlan 6
#
interface GigabitEthernet3/0/2
port link-type trunk
port trunk allow-pass vlan 6
#
return
#
sysname SwitchB
#
vlan batch 5
#
interface GigabitEthernet2/0/2
port link-type trunk
port trunk allow-pass vlan 5
port vlan-mapping vlan 10 map-vlan 5
#
interface GigabitEthernet3/0/1
port link-type trunk
port trunk allow-pass vlan 5
#
interface GigabitEthernet3/0/2
port link-type trunk
port trunk allow-pass vlan 5
#
return
#
sysname SwitchC
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
#
sysname SwitchD
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
[Figure not reproduced. Labels: Internet; Switch (GE1/0/0); VLAN100~200; SwitchA, SwitchB, SwitchC, SwitchD, SwitchE]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Add GE 1/0/0 of the Switch to the VLANs before and after mapping in tagged mode.
3.
Data preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the Switch.
# Create VLANs.
<Quidway> system-view
[Quidway] vlan batch 10 100 to 200
Configuration Files
#
sysname Quidway
#
vlan batch 10 100 to 200
#
interface GigabitEthernet1/0/0
port hybrid tagged vlan 10 100 to 200
port vlan-mapping vlan 100 to 200 map-vlan 10
#
return
[Figure not reproduced. Labels: ISP (Outer: VLAN 300, Inner: VLAN 30); SwitchC GE1/0/1, SwitchD GE1/0/2, SwitchA GE1/0/1, SwitchB GE1/0/2; Enterprise A (Outer: VLAN 100, Inner: VLAN 10); Enterprise B (Outer: VLAN 200, Inner: VLAN 20)]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Add interfaces of SwitchA, SwitchB, SwitchC, and SwitchD to the corresponding VLANs.
3.
4.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create VLANs on the Switches.
# Create VLAN 100 on SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan 100
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
port vlan-mapping vlan 300 inner-vlan 30 map-vlan 100 map-inner-vlan 10
#
return
#
sysname SwitchB
#
vlan batch 200
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
port vlan-mapping vlan 300 inner-vlan 30 map-vlan 200 map-inner-vlan 20
#
return
#
sysname SwitchC
#
vlan batch 300
#
interface GigabitEthernet1/0/1
port link-type trunk
#
sysname SwitchD
#
vlan batch 300
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 300
#
return
[Figure not reproduced. Labels: ISP (Outer: VLAN 300, Inner: VLAN 30); SwitchC, SwitchD, SwitchA, SwitchB; interfaces GE1/0/1, GE1/0/2; Enterprise A (Outer: VLAN 100, Inner: VLAN 10); Enterprise B (Outer: VLAN 200, Inner: VLAN 20)]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Create traffic classifiers, traffic behaviors, and traffic policies on SwitchA and SwitchB.
3.
Add interfaces of SwitchA, SwitchB, SwitchC, and SwitchD to the corresponding VLANs.
4.
5.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create VLANs on the Switches.
# Create VLAN 100 on SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan 100
# On SwitchA, configure the traffic classifier, traffic behavior, and traffic policy applied in the
outbound direction.
[SwitchA] traffic classifier name2 operator and
[SwitchA-classifier-name2] if-match vlan-id 100
[SwitchA-classifier-name2] if-match cvlan-id 10
[SwitchA-classifier-name2] quit
[SwitchA] traffic behavior name2
[SwitchA-behavior-name2] remark vlan-id 300
[SwitchA-behavior-name2] remark cvlan-id 30
[SwitchA-behavior-name2] quit
[SwitchA] traffic policy name2
[SwitchA-trafficpolicy-name2] classifier name2 behavior name2
# On SwitchB, configure the traffic classifier, traffic behavior, and traffic policy applied in the
inbound direction.
[SwitchB] traffic classifier name1 operator and
[SwitchB-classifier-name1] if-match vlan-id 300
[SwitchB-classifier-name1] if-match cvlan-id 30
[SwitchB-classifier-name1] quit
[SwitchB] traffic behavior name1
[SwitchB-behavior-name1] remark vlan-id 200
[SwitchB-behavior-name1] remark cvlan-id 20
[SwitchB-behavior-name1] quit
[SwitchB] traffic policy name1
[SwitchB-trafficpolicy-name1] classifier name1 behavior name1
# On SwitchB, configure the traffic classifier, traffic behavior, and traffic policy applied in the
outbound direction.
[SwitchB] traffic classifier name2 operator and
[SwitchB-classifier-name2] if-match vlan-id 200
[SwitchB-classifier-name2] if-match cvlan-id 20
[SwitchB-classifier-name2] quit
[SwitchB] traffic behavior name2
[SwitchB-behavior-name2] remark vlan-id 300
[SwitchB-behavior-name2] remark cvlan-id 30
[SwitchB-behavior-name2] quit
[SwitchB] traffic policy name2
[SwitchB-trafficpolicy-name2] classifier name2 behavior name2
<SwitchB> system-view
[SwitchB] interface GigabitEthernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] traffic-policy name1 inbound
[SwitchB-GigabitEthernet1/0/2] traffic-policy name2 outbound
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
traffic classifier name1 operator and precedence 5
if-match 1 vlan-id 300
if-match 2 cvlan-id 30
traffic classifier name2 operator and precedence 10
if-match 1 vlan-id 100
if-match 2 cvlan-id 10
#
traffic behavior name1
remark vlan-id 100
remark cvlan-id 10
traffic behavior name2
remark vlan-id 300
remark cvlan-id 30
#
traffic policy name1
classifier name1 behavior name1
traffic policy name2
classifier name2 behavior name2
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
traffic-policy name1 inbound
traffic-policy name2 outbound
#
return
#
sysname SwitchB
#
vlan batch 200
#
traffic classifier name1 operator and precedence 5
if-match 1 vlan-id 300
if-match 2 cvlan-id 30
traffic classifier name2 operator and precedence 10
if-match 1 vlan-id 200
if-match 2 cvlan-id 20
#
traffic behavior name1
remark vlan-id 200
remark cvlan-id 20
traffic behavior name2
remark vlan-id 300
remark cvlan-id 30
#
traffic policy name1
classifier name1 behavior name1
#
sysname SwitchC
#
vlan batch 300
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 300
#
return
#
sysname SwitchD
#
vlan batch 300
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 300
#
return
5 QinQ Configuration
This section describes how to connect sub-interfaces of a PE to a VPLS network so that CEs
can communicate with each other.
5.11 Configuring a Sub-interface to Access an L3VPN
This section describes how to configure a sub-interface to access an L3VPN on the PE so that
user networks between the CEs can communicate with each other.
5.12 Configuration Examples
This section provides several configuration examples of QinQ.
Selective QinQ
The S9300 supports selective QinQ, which is extended on the basis of QinQ. Selective QinQ
enables an interface to add the outer VLAN tags with different public VLAN IDs to frames
according to the private VLAN IDs in the inner VLAN tags. This can differentiate various types
of users.
The S9300 not only supports selective QinQ based on the interface and VLAN, but also supports
flow-based selective QinQ, 802.1p-based selective QinQ, and selective QinQ for untagged
packets.
For the commands related to flow-based selective QinQ, see the Quidway S9300 Terabit Routing
Switch Command Reference - QoS.
Applicable Environment
To separate the private network from the public network and save VLAN resources, you can
configure double 802.1q tags on a QinQ interface provided by the S9300. The inner VLAN tag
is the private network tag and is used on the internal network, such as the intranet; the outer
VLAN tag is the public network tag and is used on the external network, such as the ISP's
network. In this way, a maximum of 4094 x 4094 VLAN tags are provided, and packets from
different private network users with the same VLAN ID are transmitted transparently.
Pre-configuration Tasks
None
Data Preparation
To configure QinQ on the interface, you need the following data.
No.
Data
Outer VLAN ID
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
----End
Applicable Environment
To enable users to communicate through the ISP network, an outer VLAN tag is added to user
packets.
Pre-configuration Tasks
None
Data Preparation
To configure selective QinQ, you need the following data.
No.
Data
Inner VLAN ID
Outer VLAN ID
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
The selective QinQ is configured. The meanings of the parameters are as follows:
- vlan-id1 [ to vlan-id2 ] specifies the C-VLAN IDs of packets to which you need to add an
  outer VLAN tag.
- stack-vlan vlan-id3 specifies the VLAN ID in the outer VLAN tag to be added.
- [ remark-8021p 8021p-value ] specifies the internal priority in the stacked outer VLAN tag.
  By default, the priority in the stacked outer VLAN tag is 0 on an SA board, and is the same
  as the priority in the inner VLAN tag on other boards.
NOTE
Selective QinQ can also be configured by using the vlan-switch vlan-switch-name interface interface-type interface-number vlan vlan-id1 [ to vlan-id2 ] interface interface-type interface-number [ stack-vlan vlan-id3 ] command in the system view. This command configures the S9300 to add an outer VLAN
tag to packets on the specified inbound interface.
----End
----End
Pre-configuration Tasks
None.
Data Preparation
To configure flow-based selective QinQ, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
The packet matching rule, that is, the range of VLAN IDs of packets matching the classifier, is
set.
----End
Context
Do as follows on the S9300 where you need to configure selective QinQ.
Procedure
Step 1 Run:
system-view
The S9300 is configured to add an outer VLAN tag with the specified VLAN ID to the packets
matching the traffic classifier.
You must specify an existing VLAN ID on the S9300 in this command. You do not need to
create the VLANs specified by the original VLAN tags of received packets.
----End
Procedure
Step 1 Run:
system-view
The traffic classifier is bound to the traffic behavior in the traffic policy.
----End
Context
Do as follows on the S9300 where you need to configure selective QinQ.
Procedure
Step 1 Run:
system-view
Pre-configuration Tasks
Before configuring VLAN stacking based on the VLAN priority, complete the following task.
Data Preparation
To configure VLAN stacking based on the VLAN priority, you need the following data.
No.
Data
VLAN ID and 802.1p priority of the incoming interface before VLAN stacking is
configured
VLAN ID and internal priority of the incoming interface after VLAN stacking is
configured
system-view
The internal priority of outgoing packets in a VLAN is mapped to the 802.1p priority on the
interface of the DiffServ domain.
Step 4 Run:
quit
The interface is bound to the DiffServ domain and the mapping in the DiffServ domain is applied
to the interface.
By default, the priority is not changed when the internal priority is mapped to the external
priority.
----End
Run the display this command in the view of the incoming interface to check the
configuration of VLAN stacking based on the VLAN priority.
Run the display this command in the view of the outgoing interface to check the
configuration of VLAN stacking based on the VLAN priority.
----End
Applicable Environment
To enable the S9300 to communicate with devices of other vendors, you need to set a protocol
type that can be identified by the peer device in the outer VLAN tag.
Pre-configuration Tasks
None.
Data Preparation
To set the protocol type in the outer VLAN tag, you need the following data.
No.
Data
Interface number
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
- To implement the connectivity between the devices of different vendors, the protocol type in the outer
  VLAN tag must be identified by the peer device.
- The protocol IDs set by the qinq protocol command cannot be the same as well-known protocol IDs.
  Otherwise, the interface cannot distinguish packets of these protocols. For example, protocol-id cannot
  be set to 0x0806, which is the ARP protocol ID.
----End
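The selective QinQ parameters (C-VLAN range, stack-vlan, remark-8021p) and the protocol-type notes above can be followed on actual frame bytes. The following is an added example, not code from the guide or from Huawei: the frames are constructed, the rules are taken from the guide's selective QinQ example, TPID 0x88A8 (the IEEE 802.1ad value) is used as a sample non-default protocol type, and returning None when no rule matches is an assumption of this sketch.

```python
import struct

TPID_8021Q = 0x8100  # TPID of a standard 802.1Q tag
# Protocol IDs that must not be reused as an outer-tag TPID. 0x0806 (ARP) is the
# guide's example; IPv4 and IPv6 are added here as further well-known values.
WELL_KNOWN = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

# (low C-VLAN, high C-VLAN, stack-vlan), from the guide's selective QinQ example:
#   port vlan-stacking vlan 100 to 200 stack-vlan 2
#   port vlan-stacking vlan 300 to 400 stack-vlan 3
RULES = [(100, 200, 2), (300, 400, 3)]


def build_frame(cvid, pcp=0, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed single-tagged Ethernet frame (MAC addresses are sample values)."""
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001")
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | cvid)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_tags(frame, tpids=(TPID_8021Q,)):
    """Return ([(tpid, priority, vlan_id), ...], ethertype), outermost tag first.

    Only protocol IDs listed in `tpids` are recognised as VLAN tags, which is
    how a peer that does not know the outer TPID sees the frame.
    """
    tags, offset = [], 12
    while True:
        (proto,) = struct.unpack_from("!H", frame, offset)
        if proto not in tpids:
            return tags, proto
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((proto, tci >> 13, tci & 0x0FFF))
        offset += 4


def check_tpid(tpid):
    """Reject an outer-tag protocol ID that collides with a well-known protocol."""
    if tpid in WELL_KNOWN:
        raise ValueError("TPID 0x%04x collides with %s" % (tpid, WELL_KNOWN[tpid]))
    return tpid


def stack_outer_tag(frame, rules=RULES, outer_tpid=TPID_8021Q, remark_8021p=None):
    """Add the outer tag selected by the frame's C-VLAN ID.

    Without remark_8021p the inner priority is copied, which is the default the
    guide gives for boards other than SA boards. Returns None when the frame is
    untagged or no rule matches (not modelled here).
    """
    tags, _ = parse_tags(frame)
    if not tags:
        return None
    _, inner_pcp, cvid = tags[0]
    for low, high, svid in rules:
        if low <= cvid <= high:
            pcp = inner_pcp if remark_8021p is None else remark_8021p
            outer = struct.pack("!HH", check_tpid(outer_tpid), (pcp << 13) | svid)
            return frame[:12] + outer + frame[12:]
    return None


if __name__ == "__main__":
    stacked = stack_outer_tag(build_frame(350, pcp=5), outer_tpid=0x88A8)
    print(parse_tags(stacked))                      # peer that only knows 0x8100
    print(parse_tags(stacked, (0x8100, 0x88A8)))    # peer that knows both TPIDs
```

A peer that recognises only 0x8100 parses the 0x88A8-tagged frame as untagged with an unknown protocol, which is the interoperability failure the first note describes.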
Applicable Environment
The S9300 forwards packets according to the outer VLAN tags of packets and distinguishes
packets of different services according to the inner tags of packets. Therefore, double VLAN
tags must be added to an untagged packet.
Pre-configuration Tasks
None.
Data Preparation
To add double VLAN tags to untagged packets, you need the following data.
No.
Data
Interface number
Procedure
Step 1 Run:
system-view
Context
Do as follows on the S9300 that needs to add double VLAN tags to untagged packets.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Currently, only the E-series and F-series boards support the port vlan-stacking untagged
command. In addition, the command cannot be used on an interface enabled with MAC address-based VLAN.
----End
Pre-configuration Tasks
Before connecting sub-interfaces to a VLL network, complete the following tasks:
- Configuring the VLAN of the CE and the basic Layer 2 forwarding function to ensure that
  the packets sent from the CE to the PE contain one or two tags
Data Preparation
To connect sub-interfaces to a VLL network, you need the following data.
No.
Data
IP addresses of interfaces
NOTE
The control VLAN ID and encapsulation mode of the sub-interface are set.
Step 4 Run:
dot1q termination vid low-pe-vid [ to high-pe-vid ]
The VLANs whose packets are allowed to pass through the dot1q sub-interface are specified.
----End
The control VLAN ID and encapsulation mode of the sub-interface are set.
Step 4 Run:
qinq termination pe-vid pe-vid ce-vid ce-vid1 [ to ce-vid2 ]
The VLANs whose packets are allowed to pass through the QinQ sub-interface are specified.
----End
Run the display dot1q information termination [ interface interface-type interface-number [.subinterface-number ] ] command to check information about a dot1q sub-interface.
Run the display qinq information termination [ interface interface-type interface-number [.subinterface-number ] ] command to check information about a QinQ sub-interface.
Run the display vll ccc [ ccc-name | type { local | remote } ] command to check information
about a CCC connection.
Run the display mpls static-l2vc command to check information about an SVC L2VPN
VC.
Run the display mpls l2vc command on the PE to check information about the Martini
VLL on the local PE.
Run the display mpls l2vc remote-info command on the PE to check information about
the Martini VLL on the remote PE.
----End
Pre-configuration Tasks
Before connecting sub-interfaces to a VPLS network, complete the following tasks:
- Configuring the VLAN of the CE and the basic Layer 2 forwarding function to ensure that
  the packets sent from the CE to the PE contain one or two tags
Data Preparation
To connect sub-interfaces to a VPLS network, you need the following data.
No.
Data
IP addresses of interfaces
NOTE
The control VLAN ID and encapsulation mode of the sub-interface are set.
Step 4 Run:
dot1q termination vid low-pe-vid [ to high-pe-vid ]
The VLANs whose packets are allowed to pass through the dot1q sub-interface are specified.
----End
The VLANs whose packets are allowed to pass through the QinQ sub-interface are specified.
----End
Run the display dot1q information termination [ interface interface-type interface-number [.subinterface-number ] ] command to check information about a dot1q sub-interface.
Run the display qinq information termination [ interface interface-type interface-number [.subinterface-number ] ] command to check information about a QinQ sub-interface.
Run the display vsi [ name vsi-name ] [ verbose ] command to check information about a
VSI.
----End
Pre-configuration Tasks
Before configuring a sub-interface to access an L3VPN, complete the following tasks:
- Configuring the VLAN that the CEs belong to and basic Layer 2 forwarding functions to
  ensure that the packets sent from the CEs to the PEs carry one or two tags
Data Preparation
To configure a sub-interface to access an L3VPN, you need the following data.
No.
Data
IP addresses of interfaces
NOTE
Procedure
Step 1 Run:
system-view
The VLAN whose packets can pass through the dot1q sub-interface is configured.
When a sub-interface is connected to an L3VPN, you cannot specify multiple VLANs in the
command.
Step 7 Run:
arp broadcast enable
When you enable or disable the ARP broadcast function on a sub-interface, the routing status
of the sub-interface becomes Down and then Up. This may result in flapping of routes on the
entire network, affecting the normal operation of services.
----End
Procedure
Step 1 Run:
system-view
The VLAN whose packets can pass through the QinQ sub-interface is configured.
When a sub-interface is connected to an L3VPN, you cannot specify multiple VLANs in the
command.
Step 7 Run:
arp broadcast enable
Run the display dot1q information termination [ interface interface-type interface-number [.subinterface-number ] ] command to check information about the sub-interface
with the encapsulation mode as dot1q.
Run the display qinq information termination [ interface interface-type interface-number [.subinterface-number ] ] command to check information about the sub-interface
with the encapsulation mode as QinQ.
----End
[Figure not reproduced. Labels: SwitchF, SwitchG; interfaces GE1/0/1, GE2/0/1, GE3/0/1, GE4/0/1; Enterprise 1, Enterprise 2; VLAN 1000, VLAN 1500, VLAN 2000, VLAN 3000]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Create VLANs.
# Create VLAN 10 and VLAN 20 on SwitchF.
<Quidway> system-view
[Quidway] sysname SwitchF
[SwitchF] vlan batch 10 20
1/0/1
link-type dot1q-tunnel
default vlan 10
2/0/1
link-type dot1q-tunnel
default vlan 20
3/0/1
link-type dot1q-tunnel
default vlan 10
# Set GE 1/0/1 and GE 2/0/1 of SwitchG as QinQ interfaces; set the VLAN ID of the outer
VLAN tags added by GE 1/0/1 and GE 2/0/1 to VLAN 20.
[SwitchG] interface gigabitethernet 1/0/1
[SwitchG-GigabitEthernet1/0/1] port link-type dot1q-tunnel
[SwitchG-GigabitEthernet1/0/1] port default vlan 20
[SwitchG-GigabitEthernet1/0/1] quit
[SwitchG] interface gigabitethernet 2/0/1
[SwitchG-GigabitEthernet2/0/1] port link-type dot1q-tunnel
[SwitchG-GigabitEthernet2/0/1] port default vlan 20
[SwitchG-GigabitEthernet2/0/1] quit
Ping a host of Enterprise 2 from a host in any office location of Enterprise 1. If it fails to ping
the host of Enterprise 2, the two enterprises are isolated from each other.
----End
Configuration Files
The following lists the configuration files of the Switch.
#
sysname SwitchF
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
port link-type dot1q-tunnel
port default vlan 10
#
interface GigabitEthernet2/0/1
port link-type dot1q-tunnel
port default vlan 20
#
interface GigabitEthernet3/0/1
port link-type dot1q-tunnel
port default vlan 10
#
interface GigabitEthernet4/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
return
#
sysname SwitchG
#
vlan batch 20
#
interface GigabitEthernet1/0/1
port link-type dot1q-tunnel
port default vlan 20
#
interface GigabitEthernet2/0/1
port link-type dot1q-tunnel
port default vlan 20
#
interface GigabitEthernet3/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
return
[Figure not reproduced. Labels: SwitchA, SwitchB; interfaces GE1/0/1, GE1/0/2; Carrier network; PC, IPTV]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Configure types of interfaces on Switch A and Switch B, and add the interfaces to
corresponding VLANs.
3.
Data Preparation
To complete the configuration, you need the following data:
- VLANs that IPTV terminals belong to: VLAN 300 to VLAN 400
- VLAN tag that packets of PCs carry on the carrier network: VLAN 2
- VLAN tag that packets of IPTV terminals carry on the carrier network: VLAN 3
Procedure
Step 1 Create VLANs.
# On Switch A, create VLAN 2 and VLAN 3, that is, the outer VLAN IDs added to packets on
the carrier network.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 2 3
# On Switch B, create VLAN 2 and VLAN 3, that is, the outer VLAN IDs added to packets on
the carrier network.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] vlan batch 2 3
1/0/1
link-type hybrid
hybrid untagged vlan 2 3
vlan-stacking vlan 100 to 200 stack-vlan 2
vlan-stacking vlan 300 to 400 stack-vlan 3
1/0/1
link-type hybrid
hybrid untagged vlan 2 3
vlan-stacking vlan 100 to 200 stack-vlan 2
vlan-stacking vlan 300 to 400 stack-vlan 3
Configuration Files
Only the configuration files of the Switches are provided:
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port hybrid untagged vlan 2 to 3
port vlan-stacking vlan 100 to 200 stack-vlan 2
port vlan-stacking vlan 300 to 400 stack-vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
#
sysname SwitchB
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port hybrid untagged vlan 2 to 3
port vlan-stacking vlan 100 to 200 stack-vlan 2
port vlan-stacking vlan 300 to 400 stack-vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
VLANs for the Internet access service of different users: VLAN 1000 to VLAN 1100
Each community switch is connected to 50 downstream corridor switches and maps the VLAN
IDs in the packets of the Internet access service from the corridor switches to VLAN 101 to
VLAN 150.
The aggregate switch of the carrier is connected to 50 downstream community switches and
adds outer VLAN IDs 21 to 70 to the packets sent from the community switches.
After user devices are powered on, they send service request packets to the switch of the carrier.
After the user devices pass the authentication, services can be used.
Figure 5-3 Networking for configuring selective QinQ
[Figure not reproduced. Labels: ME60; Internet; aggregate switch of carrier SwitchA (GE1/0/0); community switch SwitchB (GE1/0/0, GE2/0/0); corridor switch; home gateway]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Configure VLAN mapping on SwitchB and add GE 1/0/0 and GE 2/0/0 to the VLANs.
3.
4.
Add other downlink interfaces of SwitchA and SwitchB to the VLANs. The configurations
are similar to the configurations of their GE 1/0/0 interfaces.
5.
Data preparation
To complete the configuration, you need the following data:
- VLANs to which GE 1/0/0 of SwitchB is added in tagged mode: VLAN 1000 to VLAN
  1100, VLAN 1101, VLAN 1102, VLAN 1103, and VLAN 101
- VLANs to which GE 2/0/0 of SwitchB is added in tagged mode: VLAN 101 to VLAN 150,
  VLAN 1101, VLAN 1102, and VLAN 1103
- VLANs to which GE 1/0/0 of SwitchA is added in tagged mode: VLAN 1101, VLAN 1102,
  and VLAN 1103
Procedure
Step 1 # Configure SwitchA.
# Create VLANs.
<Quidway> system-view
[Quidway] vlan batch 21 to 70 1101 to 1103
1/0/0
hybrid tagged vlan 101 1000 to 1103
2/0/0
hybrid tagged vlan 101 to 150 1101 to 1103
Configuration Files
Configuration file of SwitchA
#
sysname Quidway
#
vlan batch 21 to 70 1101 to 1103
#
interface GigabitEthernet1/0/0
port hybrid tagged vlan 1101 to 1103
port hybrid untagged vlan 21
port vlan-stacking vlan 101 to 150 stack-vlan 21
#
return
[Figure not reproduced. Labels: Internet; ME60-A, ME60-B; Switch (GE1/0/0, GE2/0/0, GE3/0/0, GE4/0/0); SwitchA, SwitchB, SwitchC, SwitchD, SwitchE, SwitchF]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Traffic classifier, traffic behavior, and traffic policy used to filter packets based on VLAN
IDs and source MAC addresses of packets
3.
Configure GE 1/0/0 and GE 2/0/0 of the Switch as hybrid interfaces and enable selective
QinQ on the two interfaces.
4.
Configure a traffic policy and apply it in the inbound direction of GE 1/0/0 and GE 2/0/0
to prevent PCs from obtaining IP addresses through DHCP packets.
Preparing Data
To complete the configuration, you need the following data:
- VLANs to which GE 1/0/0 and GE 2/0/0 of the Switch need to be added: VLAN 10 and
  VLAN 20 (in untagged mode)
- VLAN to which GE 4/0/0 of the Switch needs to be added: VLAN 20 (in tagged mode)
- Traffic classifier: for STB, filtering packets based on VLAN IDs and source MAC
  addresses, that is, forwarding packets with the specified MAC address and VLAN ID
- Traffic policy: PermitMAC, containing the preceding traffic classifier and traffic behavior
Procedure
Step 1 Configure selective QinQ.
# Create VLANs.
<Quidway> system-view
[Quidway] vlan batch 10 20
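[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] port hybrid untagged vlan 10 20
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] port hybrid untagged vlan 10 20
[Quidway-GigabitEthernet2/0/0] quit
[Quidway] interface gigabitethernet 3/0/0
[Quidway-GigabitEthernet3/0/0] port hybrid tagged vlan 10
[Quidway-GigabitEthernet3/0/0] quit
[Quidway] interface gigabitethernet 4/0/0
[Quidway-GigabitEthernet4/0/0] port hybrid tagged vlan 20
[Quidway-GigabitEthernet4/0/0] quit
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] port vlan-stacking vlan 100 to 999 stack-vlan 10
[Quidway-GigabitEthernet1/0/0] port vlan-stacking vlan 1000 to 1999 stack-vlan 20
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] port vlan-stacking vlan 100 to 999 stack-vlan 10
[Quidway-GigabitEthernet2/0/0] port vlan-stacking vlan 1000 to 1999 stack-vlan 20
[Quidway-GigabitEthernet2/0/0] quit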
# Apply the traffic policy in the inbound direction of GE 1/0/0 and GE 2/0/0.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] traffic-policy PermitMAC inbound
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] traffic-policy PermitMAC inbound
[Quidway-GigabitEthernet2/0/0] quit
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 10 20
#
acl number 4001
rule 1 permit source-mac 00e0-8e00-0000 ffff-ff00-0000
rule 100 deny
#
traffic classifier STB operator and precedence 5
if-match vlan-id 20
if-match acl 4001
#
traffic behavior PermitMAC
#
traffic policy PermitMAC
classifier STB behavior PermitMAC
#
interface GigabitEthernet1/0/0
port hybrid untagged vlan 10 20
port vlan-stacking vlan 100 to 999 stack-vlan 10
port vlan-stacking vlan 1000 to 1999 stack-vlan 20
traffic-policy PermitMAC inbound
#
interface GigabitEthernet2/0/0
port hybrid untagged vlan 10 20
port vlan-stacking vlan 100 to 999 stack-vlan 10
port vlan-stacking vlan 1000 to 1999 stack-vlan 20
traffic-policy PermitMAC inbound
#
interface GigabitEthernet3/0/0
port hybrid tagged vlan 10
#
interface GigabitEthernet4/0/0
port hybrid tagged vlan 20
#
return
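A consistency check for the selective QinQ statements in the configuration file above, added here as an example (it is not Huawei code or tooling). It reads only the statement forms shown in that file; the function names and the deliberately broken variant are constructed for illustration, and the "untagged on the port" rule follows the pattern used in this document's examples.

```python
import re

# Statements copied from the "Configuration file of the Switch" above.
SWITCH_CONFIG = """\
vlan batch 10 20
#
interface GigabitEthernet1/0/0
port hybrid untagged vlan 10 20
port vlan-stacking vlan 100 to 999 stack-vlan 10
port vlan-stacking vlan 1000 to 1999 stack-vlan 20
traffic-policy PermitMAC inbound
#
interface GigabitEthernet2/0/0
port hybrid untagged vlan 10 20
port vlan-stacking vlan 100 to 999 stack-vlan 10
port vlan-stacking vlan 1000 to 1999 stack-vlan 20
traffic-policy PermitMAC inbound
#
interface GigabitEthernet3/0/0
port hybrid tagged vlan 10
#
interface GigabitEthernet4/0/0
port hybrid tagged vlan 20
#
return
"""

# Constructed faulty variant: VLAN 20 is never created and the second
# stacking range is widened so that it overlaps the first one.
BROKEN_CONFIG = (SWITCH_CONFIG
                 .replace("vlan batch 10 20", "vlan batch 10")
                 .replace("vlan 1000 to 1999", "vlan 900 to 1999"))


def expand_vlans(tokens):
    """Expand a VLAN list such as ['10', '20'] or ['100', 'to', '999'] into a set."""
    vlans, i = set(), 0
    while i < len(tokens):
        low = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            high, i = int(tokens[i + 2]), i + 3
        else:
            high, i = low, i + 1
        vlans.update(range(low, high + 1))
    return vlans


def parse_config(text):
    """Collect created VLANs and, per interface, hybrid membership and stacking rules."""
    cfg = {"vlans": set(), "interfaces": {}}
    port = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":                      # '#' closes the current view
            port = None
        elif line.startswith("vlan batch "):
            cfg["vlans"] |= expand_vlans(line.split()[2:])
        elif line.startswith("interface "):
            port = cfg["interfaces"].setdefault(
                line.split()[1], {"tagged": set(), "untagged": set(), "stacking": []})
        elif port is not None:
            m = re.fullmatch(r"port hybrid (tagged|untagged) vlan (.+)", line)
            if m:
                port[m.group(1)] |= expand_vlans(m.group(2).split())
            m = re.fullmatch(r"port vlan-stacking vlan (.+) stack-vlan (\d+)", line)
            if m:
                port["stacking"].append((expand_vlans(m.group(1).split()), int(m.group(2))))
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means the QinQ statements are consistent."""
    findings = []
    for name, port in cfg["interfaces"].items():
        seen = {}                            # inner VLAN -> outer VLAN already claimed
        for inner, outer in port["stacking"]:
            if outer not in cfg["vlans"]:
                findings.append(f"{name}: stack-vlan {outer} is not created")
            if outer not in port["untagged"]:
                findings.append(f"{name}: stack-vlan {outer} is not untagged on the port")
            if not any(outer in p["tagged"]
                       for n, p in cfg["interfaces"].items() if n != name):
                findings.append(f"{name}: no interface carries stack-vlan {outer} tagged")
            clash = sorted(v for v in inner if seen.get(v, outer) != outer)
            if clash:
                findings.append(
                    f"{name}: inner VLANs {clash[0]}-{clash[-1]} map to two outer VLANs")
            for v in inner:
                seen.setdefault(v, outer)
    return findings


def outer_vlan_for(cfg, interface, inner_vlan):
    """Outer (stack) VLAN the first matching rule adds, or None if no rule matches."""
    for inner, outer in cfg["interfaces"][interface]["stacking"]:
        if inner_vlan in inner:
            return outer
    return None


if __name__ == "__main__":
    for label, text in (("page config", SWITCH_CONFIG), ("broken variant", BROKEN_CONFIG)):
        print(label, "->", audit(parse_config(text)) or "consistent")
```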
Networking Requirements
As shown in Figure 5-5, common Internet access users (using PCs) and IPTV users (using IPTV
terminals) connect to the carrier network through Switch A and Switch B and communicate with
each other through the carrier network.
Packets of PCs and IPTV terminals must be tagged with VLAN 2 and VLAN 3, respectively, when they are transmitted through the carrier network.
The Switch can implement selective QinQ through traffic policies.
Figure 5-5 Networking for configuring selective QinQ
[Figure: networking diagram. Labels: SwitchA, SwitchB, Carrier network, PC, IPTV, GE1/0/1, GE1/0/2]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Configure traffic classifiers, traffic behaviors, and traffic policies on Switch A and Switch B.
3. Configure types of interfaces on Switch A and Switch B, and add the interfaces to corresponding VLANs.
4. Apply the traffic policies to interfaces of Switch A and Switch B to implement selective QinQ.
Data Preparation
To complete the configuration, you need the following data:
- VLANs that IPTV terminals belong to: VLAN 300 to VLAN 400
- VLAN tag that packets of PCs carry on the carrier network: VLAN 2
- VLAN tag that packets of IPTV terminals carry on the carrier network: VLAN 3
- Names of the traffic classifier and traffic behavior applied to common Internet access users: name1
- Names of the traffic classifier and traffic behavior applied to IPTV users: name2
- Name of the traffic policy applied to common Internet access users and IPTV users: name1
Procedure
Step 1 Create VLANs.
# On Switch A, create VLAN 2 and VLAN 3, that is, the outer VLAN IDs added to packets on
the carrier network.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 2 3
# On Switch B, create VLAN 2 and VLAN 3, that is, the outer VLAN IDs added to packets on
the carrier network.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] vlan batch 2 3
Step 3 Apply the traffic policies to interfaces of Switch A and Switch B to implement selective QinQ.
# Configure GE 1/0/1 of Switch A.
- IPTV terminals can communicate with each other through the carrier network.
----End
Configuration Files
Only the configuration files of the Switches are provided:
#
sysname SwitchA
#
vlan batch 2 to 3
#
traffic classifier name1 operator or precedence 5
if-match vlan-id 100 to 200
traffic classifier name2 operator or precedence 10
if-match vlan-id 300 to 400
#
traffic behavior name1
nest top-most vlan-id 2
traffic behavior name2
nest top-most vlan-id 3
#
traffic policy name1
classifier name1 behavior name1
classifier name2 behavior name2
#
interface GigabitEthernet1/0/1
port hybrid untagged vlan 2 to 3
traffic-policy name1 inbound
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
#
sysname SwitchB
#
vlan batch 2 to 3
#
traffic classifier name1 operator or precedence 5
if-match vlan-id 100 to 200
traffic classifier name2 operator or precedence 10
if-match vlan-id 300 to 400
#
traffic behavior name1
nest top-most vlan-id 2
traffic behavior name2
nest top-most vlan-id 3
#
traffic policy name1
classifier name1 behavior name1
classifier name2 behavior name2
#
interface GigabitEthernet1/0/1
port hybrid untagged vlan 2 to 3
traffic-policy name1 inbound
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
[Figure: networking diagram. Labels: CE 1, PE 1, PE 2, CE 2, Martini, Loopback1 1.1.1.9/32, Loopback1 2.2.2.9/32, Loopback1 3.3.3.9/32, GE 1/0/0, GE 2/0/0]

| Switch | Interface | Layer 3 interface | IP address |
|--------|-----------|-------------------|------------|
| PE1 | GigabitEthernet1/0/0 | GigabitEthernet1/0/0.1 | - |
| PE1 | GigabitEthernet2/0/0 | VLANIF 20 | 10.1.1.1/24 |
| PE1 | Loopback1 | - | 1.1.1.9/32 |
| PE2 | GigabitEthernet1/0/0 | VLANIF 30 | 10.2.2.1/24 |
| PE2 | GigabitEthernet2/0/0 | GigabitEthernet2/0/0.1 | - |
| PE2 | Loopback1 | - | 3.3.3.9/32 |
| P | GigabitEthernet1/0/0 | VLANIF 30 | 10.2.2.2/24 |
| P | GigabitEthernet2/0/0 | VLANIF 20 | 10.1.1.2/24 |
| P | Loopback1 | - | 2.2.2.9/32 |
| CE1 | GigabitEthernet1/0/0 | VLANIF 10 | 100.1.1.1/24 |
| CE2 | GigabitEthernet1/0/0 | VLANIF 10 | 100.1.1.2/24 |
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the routing protocol on devices (PE and P) of the backbone network to implement interworking and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP as the tunnel for data transmission.
3.
4. Configure the Dot1q sub-interface to access the VLL on the interface connecting the PE and CE.
Data Preparation
To complete the configuration, you need the following data:
- VC ID
Procedure
Step 1 Configure the VLANs that interfaces of CEs, PEs and P belong to according to Figure 5-6 and
assign IP addresses to VLANIF interfaces.
Packets sent from CEs to PEs carry a VLAN tag.
The configuration procedure is not mentioned.
Step 2 Configure an IGP on the MPLS backbone network. In this example, OSPF is used.
When configuring OSPF, advertise the 32-bit addresses of loopback interfaces on PE1, P, and
PE2. The loopback interface addresses are the LSR IDs.
The configuration procedure is not mentioned.
After the configuration, OSPF relations are established between PE1, P, and PE2. Run the
display ospf peer command, and you can see that the status of the OSPF relations is Full. Run
the display ip routing-table command, and you can view that the PEs can learn the routes of
their Loopback1 interfaces.
Step 3 Configure basic MPLS functions and LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit
# Configure P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.9
[PE2-mpls-ldp-remote-1.1.1.9] remote-ip 1.1.1.9
[PE2-mpls-ldp-remote-1.1.1.9] quit
After the configuration, run the display mpls ldp session command on PE1 to view the status
of the LDP session. You can see that an LDP session is set up between PE1 and PE2.
Take the display on PE1 as an example.
<PE1> display mpls ldp session
 LDP Session(s) in Public Network
 ------------------------------------------------------------------------------
 Peer-ID            Status      LAM  SsnRole  SsnAge      KA-Sent/Rcv
 ------------------------------------------------------------------------------
 2.2.2.9:0          Operational DU   Passive  000:15:29   3717/3717
 3.3.3.9:0          Operational DU   Passive  000:00:00   2/2
 ------------------------------------------------------------------------------
 TOTAL: 2 session(s) Found.
 LAM : Label Advertisement Mode
 SsnAge Unit : DDD:HH:MM
----End
Configuration Files
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
Configuration file of P
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif 20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 30
vlan batch 10
#
interface Vlanif 10
ip address 100.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
[Figure: networking diagram. Labels: CE1, Switch1, PE1, PE2, Switch2, CE2, Loopback1 1.1.1.9/32, Loopback1 2.2.2.9/32, Loopback1 3.3.3.9/32, GE1/0/0, GE2/0/0]

| Switch | Interface | VLANIF interface | IP address |
|--------|-----------|------------------|------------|
| PE1 | GigabitEthernet1/0/0 | GigabitEthernet1/0/0.1 | - |
| PE1 | GigabitEthernet2/0/0 | VLANIF 20 | 10.1.1.1/24 |
| PE1 | Loopback1 | - | 1.1.1.9/32 |
| PE2 | GigabitEthernet1/0/0 | VLANIF 30 | 10.2.2.1/24 |
| PE2 | GigabitEthernet2/0/0 | GigabitEthernet2/0/0.1 | - |
| PE2 | Loopback1 | - | 3.3.3.9/32 |
| P | GigabitEthernet1/0/0 | VLANIF 30 | 10.2.2.2/24 |
| P | GigabitEthernet2/0/0 | VLANIF 20 | 10.1.1.2/24 |
| P | Loopback1 | - | 2.2.2.9/32 |
| CE1 | GigabitEthernet1/0/0 | VLANIF 10 | 100.1.1.1/24 |
| CE2 | GigabitEthernet1/0/0 | VLANIF 10 | 100.1.1.2/24 |
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the routing protocol on devices on the backbone network (PE and P) to implement interworking and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP as the tunnel for data transmission.
3.
4. Configure QinQ sub-interfaces on the PE interfaces connected to the switches and connect the QinQ sub-interfaces to the VLL network.
5.
Data Preparation
To complete the configuration, you need the following data:
- VC ID
- Encapsulation mode of the sub-interfaces and VLANs that the sub-interfaces belong to
Procedure
Step 1 Specify the VLANs that the interfaces of CEs, PEs, and P belong to and set the IP addresses of
the corresponding VLANIF interfaces according to Figure 5-7.
After the configuration, the packets sent from a CE to a switch should contain a VLAN tag.
The configuration procedure is not mentioned.
Step 2 Configure selective QinQ on the interfaces of the switches and specify the VLANs allowed by
the interfaces.
# Configure Switch1.
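[Switch1] vlan 100
[Switch1-vlan100] quit
[Switch1] interface gigabitethernet 2/0/0
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch1-GigabitEthernet2/0/0] quit
[Switch1] interface gigabitethernet 1/0/0
[Switch1-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100
[Switch1-GigabitEthernet1/0/0] quit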
# Configure Switch2.
[Switch2] vlan 100
[Switch2-vlan100] quit
[Switch2] interface gigabitethernet 2/0/0
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch2-GigabitEthernet2/0/0] quit
[Switch2] interface gigabitethernet 1/0/0
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100
[Switch2-GigabitEthernet1/0/0] quit
Step 3 Configure an IGP on the MPLS backbone network. In this example, OSPF is used.
When configuring OSPF, advertise the 32-bit addresses of loopback interfaces on PEs and P,
which are used as the LSR IDs.
The configuration procedure is not mentioned.
After the configuration, OSPF neighbor relations are established between PE1, P, and PE2. By
running the display ospf peer command, you can see that the status of the OSPF neighbor
relations is Full. Run the display ip routing-table command, and you can find that the PEs can
learn the routes of each other's Loopback1 interface.
Step 4 Enable the basic MPLS functions and MPLS LDP on the MPLS network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit
# Configure P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.9
[PE2-mpls-ldp-remote-1.1.1.9] remote-ip 1.1.1.9
[PE2-mpls-ldp-remote-1.1.1.9] quit
After the configuration, run the display mpls ldp session command on PE1 to view the status
of the LDP session. You can see that an LDP session is set up between PE1 and PE2.
The display on PE1 is as follows:
<PE1> display mpls ldp session
 LDP Session(s) in Public Network
 ------------------------------------------------------------------------------
 Peer-ID            Status      LAM  SsnRole  SsnAge      KA-Sent/Rcv
 ------------------------------------------------------------------------------
 2.2.2.9:0          Operational DU   Passive  000:15:29   3717/3717
 3.3.3.9:0          Operational DU   Passive  000:00:00   2/2
 ------------------------------------------------------------------------------
 TOTAL: 2 session(s) Found.
 LAM : Label Advertisement Mode
 SsnAge Unit : DDD:HH:MM
----End
Configuration Files
Configuration file of P
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif 20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
#
return
[Figure: networking diagram. Labels: CE 1, PE 1, P, PE 2, CE 2, Martini, Loopback1 1.1.1.9/32, Loopback1 2.2.2.9/32, Loopback1 3.3.3.9/32, GE 1/0/0, GE 2/0/0]

| Switch | Interface | VLANIF interface | IP address |
|--------|-----------|------------------|------------|
| PE1 | GigabitEthernet1/0/0 | GigabitEthernet1/0/0.1 | - |
| PE1 | GigabitEthernet2/0/0 | VLANIF 20 | 10.1.1.1/24 |
| PE1 | Loopback1 | - | 1.1.1.9/32 |
| PE2 | GigabitEthernet1/0/0 | VLANIF 30 | 10.2.2.1/24 |
| PE2 | GigabitEthernet2/0/0 | GigabitEthernet2/0/0.1 | - |
| PE2 | Loopback1 | - | 3.3.3.9/32 |
| P | GigabitEthernet1/0/0 | VLANIF 30 | 10.2.2.2/24 |
| P | GigabitEthernet2/0/0 | VLANIF 20 | 10.1.1.2/24 |
| P | Loopback1 | - | 2.2.2.9/32 |
| CE1 | GigabitEthernet1/0/0 | VLANIF 10 | 100.1.1.1/24 |
| CE2 | GigabitEthernet1/0/0 | VLANIF 20 | 100.1.1.2/24 |
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the routing protocol on devices on the backbone network (PE and P) to implement interworking and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP as the tunnel for data transmission.
3.
4. Configure VLAN mapping of a single tag on the sub-interface of the PE1 interface connected to CE1 and connect the sub-interface to the VLL.
5. Configure a dot1q sub-interface on the PE2 interface connected to CE2 and connect the dot1q sub-interface to the VLL.
Data Preparation
To complete the configuration, you need the following data:
- VC ID
- Encapsulation mode of the sub-interfaces and VLANs that the sub-interfaces belong to
Procedure
Step 1 Specify the VLANs that the interfaces of CEs, PEs, and P belong to and set the IP addresses of
the corresponding VLANIF interfaces according to Figure 5-8.
After the configuration, the packets sent from a CE to a switch should contain a VLAN tag.
The configuration procedure is not mentioned.
Step 2 Configure an IGP on the MPLS backbone network. In this example, OSPF is used.
When configuring OSPF, advertise the 32-bit addresses of loopback interfaces on PEs and P,
which are used as the LSR IDs.
The configuration procedure is not mentioned.
After the configuration, OSPF neighbor relations are established between PE1, P, and PE2. By
running the display ospf peer command, you can find that the status of the OSPF neighbor
relations is Full. Run the display ip routing-table command, and you can see that the PEs can
learn the routes of each other's Loopback1 interface.
Step 3 Enable the basic MPLS functions and MPLS LDP on the MPLS network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit
# Configure P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.9
[PE2-mpls-ldp-remote-1.1.1.9] remote-ip 1.1.1.9
[PE2-mpls-ldp-remote-1.1.1.9] quit
After the configuration, run the display mpls ldp session command on PE1 to view the status
of the LDP session. You can see that an LDP session is set up between PE1 and PE2.
Take the display on PE1 as an example.
<PE1> display mpls ldp session
 LDP Session(s) in Public Network
 ------------------------------------------------------------------------------
 Peer-ID            Status      LAM  SsnRole  SsnAge      KA-Sent/Rcv
 ------------------------------------------------------------------------------
 2.2.2.9:0          Operational DU   Passive  000:15:29   3717/3717
 3.3.3.9:0          Operational DU   Passive  000:00:00   2/2
 ------------------------------------------------------------------------------
 TOTAL: 2 session(s) Found.
 LAM : Label Advertisement Mode
 SsnAge Unit : DDD:HH:MM
: 0
: 21504
: 1500
:
:
:
:
:
:
disable
remote control
---primary
1 tunnels/tokens
, TNL ID : 0x10007
: 0 days, 0 hours, 4 minutes,
: 0 days, 0 hours, 3 minutes,
: 0 days, 0 hours, 3 minutes,
word
: none
19 seconds
45 seconds
45 seconds
----End
Configuration Files
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0.1
qinq mapping vid 10 map-vlan vid 20
mpls l2vc 3.3.3.9 101
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
Configuration file of P
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif 20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
mpls l2vpn
mpls l2vpn default martini
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.9
remote-ip 1.1.1.9
#
interface Vlanif 30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet2/0/0.1
control-vid 2000 dot1q-termination
dot1q termination vid 20
mpls l2vc 1.1.1.9 101
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
When Switch1 and Switch2 add different VLAN tags to packets, configure VLAN mapping of
double tags on a sub-interface and connect the sub-interface to the VLL. Then CE1 and CE2
can communicate with each other.
When a switch is connected to multiple CEs, the switch can add different VLAN tags to the
packets from different CEs, that is, packets with different VLAN tags. This saves VLAN IDs
on the public network.
Figure 5-9 Networking diagram for configuring a Martini VLL
[Figure: networking diagram. Labels: CE1, Switch1, PE1, PE2, Switch2, CE2, Loopback1 1.1.1.9/32, Loopback1 2.2.2.9/32, Loopback1 3.3.3.9/32, GE1/0/0, GE2/0/0]

| Switch | Interface | VLANIF interface | IP address |
|--------|-----------|------------------|------------|
| PE1 | GigabitEthernet1/0/0 | GigabitEthernet1/0/0.1 | - |
| PE1 | GigabitEthernet2/0/0 | VLANIF 20 | 10.1.1.1/24 |
| PE1 | Loopback1 | - | 1.1.1.9/32 |
| PE2 | GigabitEthernet1/0/0 | VLANIF 30 | 10.2.2.1/24 |
| PE2 | GigabitEthernet2/0/0 | GigabitEthernet2/0/0.1 | - |
| PE2 | Loopback1 | - | 3.3.3.9/32 |
| P | GigabitEthernet1/0/0 | VLANIF 30 | 10.2.2.2/24 |
| P | GigabitEthernet2/0/0 | VLANIF 20 | 10.1.1.2/24 |
| P | Loopback1 | - | 2.2.2.9/32 |
| CE1 | GigabitEthernet1/0/0 | VLANIF 10 | 100.1.1.1/24 |
| CE2 | GigabitEthernet1/0/0 | VLANIF 10 | 100.1.1.2/24 |
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the routing protocol on devices on the backbone network (PE and P) to implement interworking and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP as the tunnel for data transmission.
3.
4. Configure VLAN mapping of double tags on the sub-interface of the PE1 interface connected to CE1 and connect the sub-interface to the VLL network.
5. Configure QinQ sub-interfaces on the PE interfaces connected to the switches and connect the QinQ sub-interfaces to the VLL network.
6.
Data Preparation
To complete the configuration, you need the following data:
- VC ID
- Encapsulation mode of the sub-interfaces and VLANs that the sub-interfaces belong to
Procedure
Step 1 Specify the VLANs that the interfaces of CEs, PEs, and P belong to and set the IP addresses of
the corresponding VLANIF interfaces according to Figure 5-9.
After the configuration, the packets sent from a CE to a switch should contain a VLAN tag.
The configuration procedure is not mentioned.
Step 2 Configure selective QinQ on the interfaces of the switches and specify the VLANs allowed by
the interfaces.
# Configure Switch1.
[Switch1] vlan 100
[Switch1-vlan100] quit
[Switch1] interface gigabitethernet 2/0/0
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch1-GigabitEthernet2/0/0] quit
[Switch1] interface gigabitethernet 1/0/0
[Switch1-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100
[Switch1-GigabitEthernet1/0/0] quit
# Configure Switch2.
[Switch2] vlan 200
[Switch2-vlan200] quit
[Switch2] interface gigabitethernet 2/0/0
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 200
[Switch2-GigabitEthernet2/0/0] quit
[Switch2] interface gigabitethernet 1/0/0
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 200
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 200
[Switch2-GigabitEthernet1/0/0] quit
Step 3 Configure an IGP on the MPLS backbone network. In this example, OSPF is used.
When configuring OSPF, advertise the 32-bit addresses of loopback interfaces on PEs and P,
which are used as the LSR IDs.
The configuration procedure is not mentioned.
After the configuration, OSPF neighbor relations are established between PE1, P, and PE2. By
running the display ospf peer command, you can find that the status of the OSPF neighbor
relations is Full. Run the display ip routing-table command, and you can see that the PEs can
learn the routes of each other's Loopback1 interface.
Step 4 Enable the basic MPLS functions and MPLS LDP on the MPLS network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit
# Configure P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.9
[PE2-mpls-ldp-remote-1.1.1.9] remote-ip 1.1.1.9
[PE2-mpls-ldp-remote-1.1.1.9] quit
After the configuration, run the display mpls ldp session command on PE1 to view the status
of the LDP session. You can see that an LDP session is set up between PE1 and PE2.
: 0
: 21504
: 1500
: none
: -: primary
: 1 tunnels/tokens
, TNL ID : 0x10007
: 0 days, 0 hours, 4 minutes, 19 seconds
: 0 days, 0 hours, 3 minutes, 45 seconds
: 0 days, 0 hours, 3 minutes, 45 seconds
----End
Configuration Files
mpls l2vpn
mpls l2vpn default martini
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.9
remote-ip 3.3.3.9
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0.1
qinq mapping pe-vid 100 ce-vid 10 map-vlan vid 200
mpls l2vc 3.3.3.9 101
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
Configuration file of P
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif 20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
[Figure: networking diagram. Labels: CE1, Switch1, PE1, PE2, Switch2, CE2, Loopback1 1.1.1.9/32, Loopback1 2.2.2.9/32, Loopback1 3.3.3.9/32, GE1/0/0, GE2/0/0]

| Switch | Interface | VLANIF interface | IP address |
|--------|-----------|------------------|------------|
| PE1 | GigabitEthernet1/0/0 | GigabitEthernet1/0/0.1 | - |
| PE1 | GigabitEthernet2/0/0 | VLANIF 20 | 10.1.1.1/24 |
| PE1 | Loopback1 | - | 1.1.1.9/32 |
| PE2 | GigabitEthernet1/0/0 | VLANIF 30 | 10.2.2.1/24 |
| PE2 | GigabitEthernet2/0/0 | GigabitEthernet2/0/0.1 | - |
| PE2 | Loopback1 | - | 3.3.3.9/32 |
| P | GigabitEthernet1/0/0 | VLANIF 30 | 10.2.2.2/24 |
| P | GigabitEthernet2/0/0 | VLANIF 20 | 10.1.1.2/24 |
| P | Loopback1 | - | 2.2.2.9/32 |
| CE1 | GigabitEthernet1/0/0 | VLANIF 10 | 100.1.1.1/24 |
| CE2 | GigabitEthernet1/0/0 | VLANIF 10 | 100.1.1.2/24 |
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the routing protocol on devices on the backbone network (PE and P) to implement interworking and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP as the tunnel for data transmission.
3.
4. On PE1, configure VLAN stacking on the sub-interface connected to Switch1 and connect the sub-interface to the VLL.
5. On PE2, configure a QinQ sub-interface on the interface connected to Switch2 and connect the sub-interface to VLL.
6.
7.
Data Preparation
To complete the configuration, you need the following data:
- VC ID
- Encapsulation mode of the sub-interfaces and VLANs that the sub-interfaces belong to
Procedure
Step 1 Specify the VLANs that the interfaces of CEs, PEs, and P belong to and set the IP addresses of
the corresponding VLANIF interfaces according to Figure 5-10.
After the configuration, the packets sent from a CE to a switch should contain a VLAN tag.
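[Switch1] interface gigabitethernet 2/0/0
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 10
[Switch1-GigabitEthernet2/0/0] quit
[Switch1] interface gigabitethernet 1/0/0
[Switch1-GigabitEthernet1/0/0] port hybrid tagged vlan 10
[Switch1-GigabitEthernet1/0/0] quit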
# Configure Switch2.
[Switch2] vlan 100
[Switch2-vlan100] quit
[Switch2] interface gigabitethernet 2/0/0
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch2-GigabitEthernet2/0/0] quit
[Switch2] interface gigabitethernet 1/0/0
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100
[Switch2-GigabitEthernet1/0/0] quit
Step 3 Configure an IGP on the MPLS backbone network. In this example, OSPF is used.
When configuring OSPF, advertise the 32-bit addresses of loopback interfaces on PEs and P,
which are used as the LSR IDs.
The configuration procedure is not mentioned.
After the configuration, OSPF neighbor relations are established between PE1, P, and PE2. By
running the display ospf peer command, you can find that the status of the OSPF neighbor
relations is Full. Run the display ip routing-table command, and you can see that the PEs can
learn the routes of each other's Loopback1 interface.
Step 4 Enable the basic MPLS functions and MPLS LDP on the MPLS network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit
# Configure P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.9
[PE2-mpls-ldp-remote-1.1.1.9] remote-ip 1.1.1.9
[PE2-mpls-ldp-remote-1.1.1.9] quit
After the configuration, run the display mpls ldp session command on PE1 to view the status
of the LDP session. You can see that an LDP session is set up between PE1 and PE2.
Take the display on PE1 as an example.
<PE1> display mpls ldp session
LDP Session(s) in Public Network
------------------------------------------------------------------------------
Peer-ID            Status      LAM  SsnRole  SsnAge      KA-Sent/Rcv
------------------------------------------------------------------------------
2.2.2.9:0          Operational DU   Passive  000:15:29   3717/3717
3.3.3.9:0          Operational DU   Passive  000:00:00   2/2
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.
LAM : Label Advertisement Mode
SsnAge Unit : DDD:HH:MM
----End
Configuration Files
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
Configuration file of P
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif 20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
[Figure 5-11, networking diagram. Labels: CE1, PE1, P, PE2, CE2; Loopback1 addresses 1.1.1.9/32, 2.2.2.9/32, 3.3.3.9/32; Martini.]

Switch  Interface             VLANIF interface        IP address
PE1     GigabitEthernet1/0/0  GigabitEthernet1/0/0.1  -
        GigabitEthernet2/0/0  VLANIF 20               168.1.1.1/24
        Loopback1             -                       1.1.1.9/32
PE2     GigabitEthernet1/0/0  VLANIF 30               169.1.1.2/24
        GigabitEthernet2/0/0  GigabitEthernet2/0/0.1  -
        Loopback1             -                       3.3.3.9/32
P       GigabitEthernet1/0/0  VLANIF 20               168.1.1.2/24
        GigabitEthernet2/0/0  VLANIF 30               169.1.1.1/24
        Loopback1             -                       2.2.2.9/32
CE1     GigabitEthernet1/0/0  VLANIF 10               10.1.1.1/24
CE2     GigabitEthernet1/0/0  VLANIF 10               10.1.1.2/24
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
5. Create VSIs on PEs, specify LDP as the signaling protocol, and bind the VSI to related AC interfaces.
6. Configure dot1q sub-interfaces on the PE interfaces connected to CEs and connect the dot1q sub-interfaces to the VPLS network.
Data Preparation
To complete the configuration, you need the following data:
IP addresses of peers and tunnel policy used for setting up the peer relationship
Encapsulation mode of the sub-interfaces and VLANs that the sub-interfaces belong to
Procedure
Step 1 Configure the VLANs that the interfaces belong to according to Figure 5-11.
The configuration procedure is not mentioned.
NOTE
- The AC-side physical interface and PW-side physical interface of a PE cannot be added to the same VLAN; otherwise, a loop occurs.
- After the configuration, the packets sent from a CE to a switch should contain a VLAN tag.
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.9
[PE2-mpls-ldp-remote-1.1.1.9] remote-ip 1.1.1.9
[PE2-mpls-ldp-remote-1.1.1.9] quit
After the configuration, run the display mpls ldp session command on PE1 or PE2, and you
can find that the status of the peer relationship between PE1 and PE2 is Operational. That is, the
peer relationship is set up.
Step 5 Enable MPLS L2VPN on PEs.
# Configure PE1.
[PE1] mpls l2vpn
# Configure PE2.
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer 1.1.1.9
# Configure PE2.
[PE2] interface gigabitethernet 2/0/0.1
[PE2-GigabitEthernet2/0/0.1] control-vid 2000 dot1q-termination
[PE2-GigabitEthernet2/0/0.1] dot1q termination vid 10
[PE2-GigabitEthernet2/0/0.1] l2 binding vsi a2
[PE2-GigabitEthernet2/0/0.1] quit
# Configure CE2.
<Quidway> sysname CE2
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.1.1.2 255.255.255.0
[CE2-Vlanif10] quit
:
:
:
:
:
:
:
:
:
:
a2
no
disable
0
ldp
static
unqualify
vlan
1500
uniform
Service Class
Color
DomainId
Domain Name
VSI State
:
:
:
:
:
--0
VSI ID                 : 2
*Peer Router ID        : 3.3.3.9
VC Label               : 23552
Peer Type              : dynamic
Session                : up
Tunnel ID              : 0x20021,
Interface Name
State
up
: Vlanif10
: up
**PW Information:
*Peer Ip Address       : 3.3.3.9
PW State               : up
Local VC Label         : 23552
Remote VC Label        : 23552
PW Type                : label
Tunnel ID              : 0x20021,
ms
ms
ms
ms
ms
----End
Configuration Files
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
Configuration file of P
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 168.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
[Figure 5-12, networking diagram. Labels: CE1, Switch1, PE1, PE2, Switch2, CE2; Loopback1 addresses 1.1.1.9/32, 2.2.2.9/32, 3.3.3.9/32.]

Switch  Interface             VLANIF interface        IP address
PE1     GigabitEthernet1/0/0  GigabitEthernet1/0/0.1  -
        GigabitEthernet2/0/0  VLANIF 20               168.1.1.1/24
        Loopback1             -                       1.1.1.9/32
PE2     GigabitEthernet1/0/0  VLANIF 30               169.1.1.2/24
        GigabitEthernet2/0/0  GigabitEthernet2/0/0.1  -
        Loopback1             -                       3.3.3.9/32
P       GigabitEthernet1/0/0  VLANIF 20               168.1.1.2/24
        GigabitEthernet2/0/0  VLANIF 30               169.1.1.1/24
        Loopback1             -                       2.2.2.9/32
CE1     GigabitEthernet1/0/0  VLANIF 10               10.1.1.1/24
CE2     GigabitEthernet1/0/0  VLANIF 10               10.1.1.2/24
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
5. Create VSIs on PEs, specify LDP as the signaling protocol, and bind the VSI to related AC interfaces.
6. Configure QinQ sub-interfaces on the PE interfaces connected to the switches and connect the QinQ sub-interfaces to the VPLS network.
7.
Data Preparation
To complete the configuration, you need the following data:
IP addresses of peers and tunnel policy used for setting up the peer relationship
Encapsulation mode of the sub-interfaces and VLANs that the sub-interfaces belong to
Procedure
Step 1 Configure the VLANs that the interfaces belong to according to Figure 5-12.
The configuration procedure is not mentioned.
NOTE
- The AC-side physical interface and PW-side physical interface of a PE cannot be added to the same VLAN; otherwise, a loop occurs.
- After the configuration, the packets sent from a CE to a switch should contain a VLAN tag.
Step 2 Configure selective QinQ on the interfaces of the switches and specify the VLANs allowed by
the interfaces.
# Configure Switch1.
[Switch1] vlan 100
[Switch1-vlan100] quit
[Switch1] interface gigabitethernet 2/0/0
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch1-GigabitEthernet2/0/0] quit
[Switch1] interface gigabitethernet 1/0/0
[Switch1-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100
[Switch1-GigabitEthernet1/0/0] quit
# Configure Switch2.
[Switch2] vlan 100
[Switch2-vlan100] quit
[Switch2] interface gigabitethernet 2/0/0
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch2-GigabitEthernet2/0/0] quit
[Switch2] interface gigabitethernet 1/0/0
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100
[Switch2-GigabitEthernet1/0/0] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.9
[PE2-mpls-ldp-remote-1.1.1.9] remote-ip 1.1.1.9
[PE2-mpls-ldp-remote-1.1.1.9] quit
After the configuration, run the display mpls ldp session command on PE1 or PE2, and you
can find that the status of the peer relationship between PE1 and PE2 is Operational. That is, the
peer relationship is set up.
Step 6 Enable MPLS L2VPN on PEs.
# Configure PE1.
[PE1] mpls l2vpn
# Configure PE2.
[PE2] mpls l2vpn
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer 1.1.1.9
# Configure PE2.
[PE2] interface gigabitethernet 2/0/0.1
[PE2-GigabitEthernet2/0/0.1] control-vid 2000 qinq-termination
[PE2-GigabitEthernet2/0/0.1] qinq termination pe-vid 100 ce-vid 10
[PE2-GigabitEthernet2/0/0.1] l2 binding vsi a2
[PE2-GigabitEthernet2/0/0.1] quit
# Configure CE2.
<Quidway> sysname CE2
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.1.1.2 255.255.255.0
[CE2-Vlanif10] quit
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
a2
no
disable
0
ldp
static
unqualify
vlan
1500
uniform
--0
:
:
:
:
:
2
3.3.3.9
23552
dynamic
up
up
Tunnel ID              : 0x20021,
Interface Name         : Vlanif10
State                  : up
**PW Information:
*Peer Ip Address       : 3.3.3.9
PW State               : up
Local VC Label         : 23552
Remote VC Label        : 23552
PW Type                : label
Tunnel ID              : 0x20021,
ms
ms
ms
ms
ms
----End
Configuration Files
#
interface GigabitEthernet2/0/0
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/0
port hybrid untagged vlan 100
port vlan-stacking vlan 10 stack-vlan 100
#
return
#
return
Configuration file of P
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 168.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 169.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 168.1.1.0 0.0.0.255
network 169.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
[Figure 5-13, networking diagram. Labels: CE1, PE1, P, PE2, CE2; Loopback1 addresses 1.1.1.9/32, 2.2.2.9/32, 3.3.3.9/32; Martini.]

Switch  Interface             VLANIF interface        IP address
PE1     GigabitEthernet1/0/0  GigabitEthernet1/0/0.1  -
        GigabitEthernet2/0/0  VLANIF 20               168.1.1.1/24
        Loopback1             -                       1.1.1.9/32
PE2     GigabitEthernet1/0/0  VLANIF 30               169.1.1.2/24
        GigabitEthernet2/0/0  GigabitEthernet2/0/0.1  -
        Loopback1             -                       3.3.3.9/32
P       GigabitEthernet1/0/0  VLANIF 20               168.1.1.2/24
        GigabitEthernet2/0/0  VLANIF 30               169.1.1.1/24
        Loopback1             -                       2.2.2.9/32
CE1     GigabitEthernet1/0/0  VLANIF 10               10.1.1.1/24
CE2     GigabitEthernet1/0/0  VLANIF 20               10.1.1.2/24
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
5. Create VSIs on PEs, specify LDP as the signaling protocol, and bind the VSI to related AC interfaces.
6. Configure VLAN mapping of a single tag on the sub-interface of the PE1 interface connected to CE1 and connect the sub-interface to the VPLS network.
7. Configure a dot1q sub-interface on the PE2 interface connected to CE2 and connect the dot1q sub-interface to the VPLS network.
Data Preparation
To complete the configuration, you need the following data:
IP addresses of peers and tunnel policy used for setting up the peer relationship
Encapsulation mode of the sub-interfaces and VLANs that the sub-interfaces belong to
Procedure
Step 1 Configure the VLANs that the interfaces belong to according to Figure 5-13.
The configuration procedure is not mentioned.
NOTE
- The AC-side physical interface and PW-side physical interface of a PE cannot be added to the same VLAN; otherwise, a loop occurs.
- After the configuration, the packets sent from a CE to a switch should contain a VLAN tag.
After the configuration, run the display ip routing-table command on PE1, P, and PE2. You
can view the routes learned by PE1, P, and PE2 from each other.
Step 3 Configure basic MPLS functions and LDP.
The configuration procedure is not mentioned.
After the configuration, run the display mpls ldp session command on PE1, P and PE2. You
can see that the peer relationship is set up between PE1 and P, and between P and PE2. The
status of the peer relationship is Operational. Run the display mpls lsp command, and you can
see the status of the LSP.
Step 4 Create remote LDP sessions between PEs.
# Configure PE1.
[PE1] mpls ldp remote-peer 3.3.3.9
[PE1-mpls-ldp-remote-3.3.3.9] remote-ip 3.3.3.9
[PE1-mpls-ldp-remote-3.3.3.9] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.9
[PE2-mpls-ldp-remote-1.1.1.9] remote-ip 1.1.1.9
[PE2-mpls-ldp-remote-1.1.1.9] quit
After the configuration, run the display mpls ldp session command on PE1 or PE2, and you
can find that the status of the peer relationship between PE1 and PE2 is Operational. That is, the
peer relationship is set up.
Step 5 Enable MPLS L2VPN on PEs.
# Configure PE1.
[PE1] mpls l2vpn
# Configure PE2.
[PE2] mpls l2vpn
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer 1.1.1.9
# Configure PE2.
# Configure CE2.
<Quidway> sysname CE2
[CE2] interface vlanif 20
[CE2-Vlanif20] ip address 10.1.1.2 255.255.255.0
[CE2-Vlanif20] quit
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
a2
no
disable
0
ldp
static
unqualify
vlan
1500
uniform
--0
:
:
:
:
:
:
2
3.3.3.9
23552
dynamic
up
0x20021,
up
: Vlanif10
: up
**PW Information:
*Peer Ip Address       : 3.3.3.9
PW State               : up
Local VC Label         : 23552
Remote VC Label        : 23552
PW Type                : label
Tunnel ID              : 0x20021,
ttl=255 time=77 ms
ttl=255 time=34 ms
ttl=255 time=46 ms
ttl=255 time=94 ms
----End
Configuration Files
mpls ldp
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0.1
qinq mapping vid 10 map-vlan vid 20
l2 binding vsi a2
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 168.1.1.0 0.0.0.255
#
return
Configuration file of P
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 168.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 169.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 168.1.1.0 0.0.0.255
network 169.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.9
remote-ip 1.1.1.9
#
interface Vlanif30
ip address 169.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet2/0/0.1
control-vid 2000 dot1q-termination
dot1q termination vid 20
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 169.1.1.0 0.0.0.255
#
return
[Figure 5-14, networking diagram. Labels: CE1, Switch1, PE1, PE2, Switch2, CE2; Loopback1 addresses 1.1.1.9/32, 2.2.2.9/32, 3.3.3.9/32.]

Switch  Interface             VLANIF interface        IP address
PE1     GigabitEthernet1/0/0  GigabitEthernet1/0/0.1  -
        GigabitEthernet2/0/0  VLANIF 20               168.1.1.1/24
        Loopback1             -                       1.1.1.9/32
PE2     GigabitEthernet1/0/0  VLANIF 30               169.1.1.2/24
        GigabitEthernet2/0/0  GigabitEthernet2/0/0.1  -
        Loopback1             -                       3.3.3.9/32
P       GigabitEthernet1/0/0  VLANIF 20               168.1.1.2/24
        GigabitEthernet2/0/0  VLANIF 30               169.1.1.1/24
        Loopback1             -                       2.2.2.9/32
CE1     GigabitEthernet1/0/0  VLANIF 10               10.1.1.1/24
CE2     GigabitEthernet1/0/0  VLANIF 10               10.1.1.2/24
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
5. Create VSIs on PEs, specify LDP as the signaling protocol, and bind the VSI to related AC interfaces.
6. On PE1, configure VLAN mapping of double tags on the sub-interface connected to CE1 and connect the sub-interface to the VPLS network.
7. On PE2, configure a QinQ sub-interface on the interface connected to Switch2 and connect the sub-interface to the VPLS network.
8.
Data Preparation
To complete the configuration, you need the following data:
IP addresses of peers and tunnel policy used for setting up the peer relationship
Encapsulation mode of the sub-interfaces and VLANs that the sub-interfaces belong to
Procedure
Step 1 Configure the VLANs that the interfaces belong to according to Figure 5-14.
The configuration procedure is not mentioned.
NOTE
- The AC-side physical interface and PW-side physical interface of a PE cannot be added to the same VLAN; otherwise, a loop occurs.
- After the configuration, the packets sent from a CE to a switch should contain a VLAN tag.
Step 2 Configure selective QinQ on the interfaces of the switches and specify the VLANs allowed by
the interfaces.
# Configure Switch1.
[Switch1] vlan 100
[Switch1-vlan100] quit
[Switch1] interface gigabitethernet 2/0/0
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch1-GigabitEthernet2/0/0] quit
[Switch1] interface gigabitethernet 1/0/0
[Switch1-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100
[Switch1-GigabitEthernet1/0/0] quit
# Configure Switch2.
[Switch2] vlan 200
[Switch2-vlan200] quit
[Switch2] interface gigabitethernet 2/0/0
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 200
[Switch2-GigabitEthernet2/0/0] quit
[Switch2] interface gigabitethernet 1/0/0
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 200
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 200
[Switch2-GigabitEthernet1/0/0] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.9
[PE2-mpls-ldp-remote-1.1.1.9] remote-ip 1.1.1.9
[PE2-mpls-ldp-remote-1.1.1.9] quit
After the configuration, run the display mpls ldp session command on PE1 or PE2, and you
can find that the status of the peer relationship between PE1 and PE2 is Operational. That is, the
peer relationship is set up.
Step 6 Enable MPLS L2VPN on PEs.
# Configure PE1.
[PE1] mpls l2vpn
# Configure PE2.
[PE2] mpls l2vpn
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer 1.1.1.9
# Configure PE2.
[PE2] interface gigabitethernet 2/0/0.1
[PE2-GigabitEthernet2/0/0.1] control-vid 2000 qinq-termination
[PE2-GigabitEthernet2/0/0.1] qinq termination pe-vid 200 ce-vid 10
[PE2-GigabitEthernet2/0/0.1] l2 binding vsi a2
[PE2-GigabitEthernet2/0/0.1] quit
# Configure CE2.
<Quidway> sysname CE2
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.1.1.2 255.255.255.0
[CE2-Vlanif10] quit
:
:
:
:
:
:
:
:
:
:
:
:
:
:
:
a2
no
disable
0
ldp
static
unqualify
vlan
1500
uniform
--0
:
:
:
:
:
:
2
3.3.3.9
23552
dynamic
up
0x20021,
up
: Vlanif10
: up
**PW Information:
*Peer Ip Address       : 3.3.3.9
PW State               : up
Local VC Label         : 23552
Remote VC Label        : 23552
PW Type                : label
Tunnel ID              : 0x20021,
ttl=255 time=90 ms
ttl=255 time=77 ms
ttl=255 time=34 ms
ttl=255 time=46 ms
ttl=255 time=94 ms
----End
Configuration Files
#
interface GigabitEthernet1/0/0
port hybrid untagged vlan 200
port vlan-stacking vlan 10 stack-vlan 200
#
return
Configuration file of P
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 168.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
[Figure 5-15, networking diagram. Labels: CE1, Switch1, PE1, PE2, Switch2, CE2; Loopback1 addresses 1.1.1.9/32, 2.2.2.9/32, 3.3.3.9/32.]

Switch  Interface             VLANIF interface        IP address
PE1     GigabitEthernet1/0/0  GigabitEthernet1/0/0.1  -
        GigabitEthernet2/0/0  VLANIF 20               168.1.1.1/24
        Loopback1             -                       1.1.1.9/32
PE2     GigabitEthernet1/0/0  VLANIF 30               169.1.1.2/24
        GigabitEthernet2/0/0  GigabitEthernet2/0/0.1  -
        Loopback1             -                       3.3.3.9/32
P       GigabitEthernet1/0/0  VLANIF 20               168.1.1.2/24
        GigabitEthernet2/0/0  VLANIF 30               169.1.1.1/24
        Loopback1             -                       2.2.2.9/32
CE1     GigabitEthernet1/0/0  VLANIF 10               10.1.1.1/24
CE2     GigabitEthernet1/0/0  VLANIF 10               10.1.1.2/24
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
5. Create VSIs on PEs, specify LDP as the signaling protocol, and bind the VSI to related AC interfaces.
6. On PE1, configure VLAN stacking on the sub-interface connected to Switch1 and connect the sub-interface to the VPLS network.
7. On PE2, configure a QinQ sub-interface on the interface connected to Switch2 and connect the sub-interface to the VPLS network.
8.
9.
Data Preparation
To complete the configuration, you need the following data:
IP addresses of peers and tunnel policy used for setting up the peer relationship
Encapsulation mode of the sub-interfaces and VLANs that the sub-interfaces belong to
Procedure
Step 1 Configure the VLANs that the interfaces belong to according to Figure 5-15.
The configuration procedure is not mentioned.
NOTE
- The AC-side physical interface and PW-side physical interface of a PE cannot be added to the same VLAN; otherwise, a loop occurs.
- After the configuration, the packets sent from a CE to a switch should contain a VLAN tag.
Step 2 Configure selective QinQ on the interfaces of the switches and specify the VLANs allowed by
the interfaces.
# Configure Switch1.
[Switch1] vlan 10
[Switch1-vlan10] quit
[Switch1] interface gigabitethernet 2/0/0
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 10
[Switch1-GigabitEthernet2/0/0] quit
[Switch1] interface gigabitethernet 1/0/0
[Switch1-GigabitEthernet1/0/0] port hybrid tagged vlan 10
[Switch1-GigabitEthernet1/0/0] quit
# Configure Switch2.
[Switch2] vlan 100
[Switch2-vlan100] quit
[Switch2] interface gigabitethernet 2/0/0
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch2-GigabitEthernet2/0/0] quit
[Switch2] interface gigabitethernet 1/0/0
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100
[Switch2-GigabitEthernet1/0/0] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.9
[PE2-mpls-ldp-remote-1.1.1.9] remote-ip 1.1.1.9
[PE2-mpls-ldp-remote-1.1.1.9] quit
After the configuration, run the display mpls ldp session command on PE1 or PE2, and you
can find that the status of the peer relationship between PE1 and PE2 is Operational. That is, the
peer relationship is set up.
Step 6 Enable MPLS L2VPN on PEs.
# Configure PE1.
# Configure PE2.
[PE2] mpls l2vpn
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer 1.1.1.9
# Configure PE2.
[PE2] interface gigabitethernet 2/0/0.1
[PE2-GigabitEthernet2/0/0.1] control-vid 2000 qinq-termination
[PE2-GigabitEthernet2/0/0.1] qinq termination pe-vid 100 ce-vid 10
[PE2-GigabitEthernet2/0/0.1] l2 binding vsi a2
[PE2-GigabitEthernet2/0/0.1] quit
# Configure CE2.
<Quidway> sysname CE2
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.1.1.2 255.255.255.0
[CE2-Vlanif10] quit
:
:
:
:
:
:
:
a2
no
disable
0
ldp
static
unqualify
:
:
:
:
:
:
:
:
vlan
1500
uniform
--0
:
:
:
:
:
:
2
3.3.3.9
23552
dynamic
up
0x20021,
up
: Vlanif10
: up
**PW Information:
*Peer Ip Address       : 3.3.3.9
PW State               : up
Local VC Label         : 23552
Remote VC Label        : 23552
PW Type                : label
Tunnel ID              : 0x20021,
ms
ms
ms
ms
ms
----End
Configuration Files
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
interface GigabitEthernet2/0/0
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 168.1.1.0 0.0.0.255
#
return
Configuration file of P
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 168.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 169.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 168.1.1.0 0.0.0.255
network 169.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
mpls ldp
#
mpls ldp remote-peer 1.1.1.9
remote-ip 1.1.1.9
#
interface Vlanif30
ip address 169.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet2/0/0.1
control-vid 2000 qinq-termination
qinq termination pe-vid 100 ce-vid 10
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 169.1.1.0 0.0.0.255
#
return
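The switch pushes the outer tag with port vlan-stacking, and the PE sub-interface has to terminate exactly that pe-vid/ce-vid pair and hand it to a VSI. The Python check below is an added example, not part of the Huawei guide: it compares a switch configuration file with a PE configuration file. The sample files are constructed in the style of this page, the function names are hypothetical, and handling of the "to" range form is an assumption because the page only shows single VLAN IDs.

```python
import re

# Constructed configuration files in the style of the ones on this page.
SWITCH2_CFG = """\
#
sysname Switch2
#
interface GigabitEthernet2/0/0
 port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/0
 port hybrid untagged vlan 100
 port vlan-stacking vlan 10 stack-vlan 100
#
return
"""
PE2_CFG = """\
#
sysname PE2
#
interface GigabitEthernet2/0/0.1
 control-vid 2000 qinq-termination
 qinq termination pe-vid 100 ce-vid 10
 l2 binding vsi a2
#
return
"""

# Command forms taken from the configuration files on this page.
STACK = re.compile(r"^port vlan-stacking vlan (.+) stack-vlan (\d+)$")
TERM = re.compile(r"^qinq termination pe-vid (\d+) ce-vid (.+)$")
TAGGED = re.compile(r"^port hybrid tagged vlan (.+)$")
BIND = re.compile(r"^l2 binding vsi (\S+)$")

def expand(spec):
    """Expand '10', '10 20' or '10 to 12' into a set of VLAN IDs."""
    toks, vlans, i = spec.split(), set(), 0
    while i < len(toks):
        low = int(toks[i])
        if i + 2 < len(toks) and toks[i + 1] == "to":
            vlans.update(range(low, int(toks[i + 2]) + 1))
            i += 3
        else:
            vlans.add(low)
            i += 1
    return vlans

def interface_blocks(cfg):
    """Map each interface name to the command lines configured under it."""
    blocks, name = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            blocks[name] = []
        elif line in ("#", "return"):
            name = None          # '#' closes the current view
        elif name is not None and line:
            blocks[name].append(line)
    return blocks

def tagged_vlans(lines):
    """VLAN IDs that a port sends tagged."""
    hits = [TAGGED.match(line) for line in lines]
    return set().union(*(expand(m.group(1)) for m in hits if m))

def terminated_pairs(pe_cfg):
    """Return ({(pe_vid, ce_vid): sub-interface}, findings) for a PE."""
    pairs, findings = {}, []
    for ifname, lines in interface_blocks(pe_cfg).items():
        bound = any(BIND.match(line) for line in lines)
        for m in filter(None, (TERM.match(line) for line in lines)):
            if not bound:
                findings.append(f"{ifname}: termination is not bound to a VSI")
            for ce_vid in expand(m.group(2)):
                pairs[(int(m.group(1)), ce_vid)] = ifname
    return pairs, findings

def check_qinq(switch_cfg, pe_cfg):
    """List mismatches between tags stacked by the switch and the PE side."""
    pairs, findings = terminated_pairs(pe_cfg)
    switch = interface_blocks(switch_cfg)
    for ifname, lines in switch.items():
        for m in filter(None, (STACK.match(line) for line in lines)):
            outer = int(m.group(2))
            others = [ls for n, ls in switch.items() if n != ifname]
            if not any(outer in tagged_vlans(ls) for ls in others):
                findings.append(
                    f"{ifname}: stack-vlan {outer} is not tagged on any other port")
            for inner in sorted(expand(m.group(1))):
                if (outer, inner) not in pairs:
                    findings.append(
                        f"{ifname}: pe-vid {outer} ce-vid {inner} "
                        "is not terminated on the PE")
    return findings

if __name__ == "__main__":
    for finding in check_qinq(SWITCH2_CFG, PE2_CFG) or ["consistent"]:
        print(finding)
```

An empty result means every stacked tag pair reaches a VSI-bound sub-interface; each finding names the port or sub-interface to inspect.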
Figure 5-16 Networking diagram for configuring the dot1q sub-interface to access an L3VPN
[Diagram labels: MPLS backbone, AS: 100; PE1, P, PE2; Loopback1 addresses 1.1.1.9/32, 2.2.2.9/32, 3.3.3.9/32; CE1, CE2, CE3, CE4; VPN-A, VPN-B; AS: 65410, AS: 65420, AS: 65440.]

Switch  Interface             Layer 3 interface       IP address
PE1     GigabitEthernet1/0/0  GigabitEthernet1/0/0.1  10.1.1.2/24
        GigabitEthernet2/0/0  GigabitEthernet2/0/0.1  10.2.1.2/24
        GigabitEthernet3/0/0  VLANIF 30               172.1.1.1/24
PE2     GigabitEthernet1/0/0  GigabitEthernet1/0/0.1  10.3.1.2/24
        GigabitEthernet2/0/0  GigabitEthernet2/0/0.1  10.4.1.2/24
        GigabitEthernet3/0/0  VLANIF 60               172.2.1.2/24
P       GigabitEthernet1/0/0  VLANIF 30               172.1.1.2/24
        GigabitEthernet2/0/0  VLANIF 60               172.2.1.1/24
CE1     GigabitEthernet1/0/0  VLANIF 10               10.1.1.1/24
CE2     GigabitEthernet1/0/0  VLANIF 20               10.2.1.1/24
CE3     GigabitEthernet1/0/0  VLANIF 10               10.3.1.1/24
CE4     GigabitEthernet1/0/0  VLANIF 20               10.4.1.1/24
Configuration Roadmap
The configuration roadmap is as follows:
1. On the backbone network, configure VPN instances on the PEs connected to CEs and bind related VPNs to the interfaces connected to the CEs. Then, assign IP addresses to the interfaces connected to the CEs.
2.
3. Configure basic MPLS functions and MPLS LDP and create MPLS LSPs.
4.
5. Configure EBGP between the CE and the PE to exchange VPN routing information.
6. Configure the Dot1q sub-interface to access the L3VPN on the interface connecting the PE and CE.
Data Preparation
To complete the configuration, you need the following data:
IDs of the VLANs that the interfaces belong to, as shown in Figure 5-16
Procedure
Step 1 Configure an IGP on the MPLS backbone network so that the PE and P can interwork with each
other.
# Configure PE1.
<Quidway> system-view
[Quidway] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 30
[PE1] interface GigabitEthernet 3/0/0
[PE1-GigabitEthernet3/0/0] port hybrid pvid vlan 30
[PE1-GigabitEthernet3/0/0] port hybrid untagged vlan 30
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 172.1.1.1 24
[PE1-Vlanif30] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
<Quidway> system-view
[Quidway] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.9 32
[P-LoopBack1] quit
[P] vlan batch 30 60
[P] interface GigabitEthernet 1/0/0
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 30
# Configure PE2.
<Quidway> system-view
[Quidway] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 60
[PE2] interface GigabitEthernet 3/0/0
[PE2-GigabitEthernet3/0/0] port hybrid pvid vlan 60
[PE2-GigabitEthernet3/0/0] port hybrid untagged vlan 60
[PE2-GigabitEthernet3/0/0] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] ip address 172.2.1.2 24
[PE2-Vlanif60] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration, OSPF neighbor relations are established between PE1, P, and PE2. Run the
display ospf peer command to check that the status of the OSPF relations is Full. Run
the display ip routing-table command to check that the PEs have learned the routes to
each other's Loopback1 interfaces.
Take the display on PE1 as an example.
[PE1] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9        Routes : 9

Destination/Mask     Proto   Pre  Cost  Flags  NextHop     Interface

1.1.1.9/32           Direct  0    0     D      127.0.0.1   InLoopBack0
2.2.2.9/32           OSPF    10   1     D      172.1.1.2   Vlanif30
3.3.3.9/32           OSPF    10   2     D      172.1.1.2   Vlanif30
127.0.0.0/8          Direct  0    0     D      127.0.0.1   InLoopBack0
127.0.0.1/32         Direct  0    0     D      127.0.0.1   InLoopBack0
127.255.255.255/32   Direct  0    0     D      127.0.0.1   InLoopBack0
172.1.1.0/24         Direct  0    0     D      172.1.1.1   Vlanif30
172.1.1.1/32         Direct  0    0     D      127.0.0.1   InLoopBack0
172.1.1.2/32         Direct  0    0     D      172.1.1.2   Vlanif30
172.1.1.255/32       Direct  0    0     D      127.0.0.1   InLoopBack0
172.2.1.0/24         OSPF    10   2     D      172.1.1.2   Vlanif30
255.255.255.255/32   Direct  0    0     D      127.0.0.1   InLoopBack0
Step 2 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit
# Configure the P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] mpls
[P-Vlanif60] mpls ldp
[P-Vlanif60] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] mpls
[PE2-Vlanif60] mpls ldp
[PE2-Vlanif60] quit
After the configuration, LDP sessions should be set up between PE1 and P, and between PE2
and P. Run the display mpls ldp session command to check that Status is
Operational. Run the display mpls ldp lsp command to view the LDP LSPs that have been
established.
Take the display on PE1 as an example:
[PE1] display mpls ldp session
LDP Session(s) in Public Network
------------------------------------------------------------------------------
Peer-ID            Status      LAM  SsnRole  SsnAge      KA-Sent/Rcv
------------------------------------------------------------------------------
2.2.2.9:0          Operational DU   Active   000:00:01   6/6
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
LAM : Label Advertisement Mode
SsnAge Unit : DDD:HH:MM
[PE1] display mpls ldp lsp
LDP LSP Information
------------------------------------------------------------------------------
SN  DestAddress/Mask   In/OutLabel  Next-Hop    In/Out-Interface
------------------------------------------------------------------------------
1   1.1.1.9/32         3/NULL       127.0.0.1   Vlanif30/InLoop0
2   2.2.2.9/32         NULL/3       172.1.1.2   -------/Vlanif30
3   3.3.3.9/32         NULL/1025    172.1.1.2   -------/Vlanif30
------------------------------------------------------------------------------
TOTAL: 3 Normal LSP(s) Found.
TOTAL: - Liberal LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
Step 3 Configure VPN instances on the PEs and connect the CEs to the PEs.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna] vpn-target 111:1 both
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] route-distinguisher 100:2
[PE1-vpn-instance-vpnb] vpn-target 222:2 both
[PE1-vpn-instance-vpnb] quit
[PE1] interface gigabitethernet 1/0/0.1
[PE1-GigabitEthernet1/0/0.1] control-vid 1000 dot1q-termination rt-protocol
[PE1-GigabitEthernet1/0/0.1] dot1q termination vid 10
[PE1-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE1-GigabitEthernet1/0/0.1] ip address 10.1.1.2 24
[PE1-GigabitEthernet1/0/0.1] arp broadcast enable
[PE1-GigabitEthernet1/0/0.1] quit
[PE1] interface gigabitethernet 2/0/0.1
[PE1-GigabitEthernet2/0/0.1] control-vid 2000 dot1q-termination rt-protocol
[PE1-GigabitEthernet2/0/0.1] dot1q termination vid 20
[PE1-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb
[PE1-GigabitEthernet2/0/0.1] ip address 10.2.1.2 24
[PE1-GigabitEthernet2/0/0.1] arp broadcast enable
[PE1-GigabitEthernet2/0/0.1] quit
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna] vpn-target 111:1 both
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 200:2
[PE2-vpn-instance-vpnb] vpn-target 222:2 both
[PE2-vpn-instance-vpnb] quit
[PE2] interface gigabitethernet 1/0/0.1
[PE2-GigabitEthernet1/0/0.1] control-vid 1000 dot1q-termination rt-protocol
[PE2-GigabitEthernet1/0/0.1] dot1q termination vid 10
[PE2-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE2-GigabitEthernet1/0/0.1] ip address 10.3.1.2 24
[PE2-GigabitEthernet1/0/0.1] arp broadcast enable
[PE2-GigabitEthernet1/0/0.1] quit
[PE2] interface gigabitethernet 2/0/0.1
[PE2-GigabitEthernet2/0/0.1] control-vid 2000 dot1q-termination rt-protocol
[PE2-GigabitEthernet2/0/0.1] dot1q termination vid 20
[PE2-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb
[PE2-GigabitEthernet2/0/0.1] ip address 10.4.1.2 24
[PE2-GigabitEthernet2/0/0.1] arp broadcast enable
[PE2-GigabitEthernet2/0/0.1] quit
# Assign IP addresses to the interfaces on the CEs according to Figure 5-16. The configuration
procedure is not mentioned here.
After the configuration, run the display ip vpn-instance verbose command on the PEs, and you
can view the configuration of VPN instances. The PE can ping the connected CE successfully.
NOTE
If multiple interfaces on a PE are bound to the same VPN, you must specify the source IP address when
you run the ping -vpn-instance command to ping the CE connected to the peer PE. That is, specify -a
source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address
command. Otherwise, the ping operation may fail.
Step 4 Set up EBGP peer relations between PEs and CEs to import VPN routes.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
NOTE
The configurations of CE2, CE3 and CE4 are similar to the configuration of CE1, and are not mentioned
here.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
NOTE
The configuration of PE2 is similar to the configuration of PE1, and is not mentioned here.
After the configuration, run the display bgp vpnv4 vpn-instance peer command on the PE,
and you can see that the BGP peer relation between the PE and CE is in Established state.
Take the peer relation between PE1 and CE1 as an example:
[PE1] display bgp vpnv4 vpn-instance vpna peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1
  Peer            V   AS      MsgRcvd   MsgSent   OutQ   Up/Down    State         PrefRcv
  118.118.118.2   4   65410   11                  0      00:07:25   Established
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
After the configuration, run the display bgp peer or display bgp vpnv4 all peer command, and
you can view that the BGP peer relation between the PEs is in Established state.
[PE1] display bgp peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1
  Peer      AS    MsgRcvd   OutQ   Up/Down    State         PrefRcv
  3.3.3.9   100   12        0      00:02:21   Established   0
[PE1] display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3
Peer
PrefRcv
AS
MsgRcvd
3.3.3.9
4
100
Peer of vpn instance:
MsgSent
OutQ
Up/Down
State
18
00:09:38
Established
25
25
00:17:57
Established
21
22
00:17:10
Established
12
Proto    Pre   Cost   Flags   NextHop     Interface
Direct   0     0      D       10.2.1.2    Vlanif20
Direct   0     0      D       127.0.0.1   InLoopBack0
Direct   0     0      D       127.0.0.1   InLoopBack0
BGP      255   0      RD      3.3.3.9     Vlanif30
The CEs in the same VPN can ping each other, but the CEs in different VPNs cannot ping each
other.
For example, CE1 can ping CE3 (10.3.1.1) but cannot ping CE4 (10.4.1.1).
[CE1] ping 10.3.1.1
  PING 10.3.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
    Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
    Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
    Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
    Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
  --- 10.3.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 34/48/72 ms
[CE1] ping 10.4.1.1
----End
Configuration Files
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
import-route direct
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
Configuration file of P
#
sysname P
#
vlan batch 30 60
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
Figure 5-17 Networking diagram for configuring the QinQ sub-interface to access an L3VPN
[Diagram labels: CE1, CE2, CE3 and CE4; Switch1, Switch2, Switch3 and Switch4; PE1 (Loopback1 1.1.1.9/32), P (Loopback1 2.2.2.9/32) and PE2 (Loopback1 3.3.3.9/32) on the MPLS backbone (AS: 100); VPN-A (AS: 65410), VPN-B (AS: 65420) and VPN-B (AS: 65440). Interface addressing is listed in the table below.]
Switch   Interface              Layer 3 interface        IP address
PE1      GigabitEthernet1/0/0   GigabitEthernet1/0/0.1   10.1.1.2/24
         GigabitEthernet2/0/0   GigabitEthernet2/0/0.1   10.2.1.2/24
         GigabitEthernet3/0/0   VLANIF 30                172.1.1.1/24
PE2      GigabitEthernet1/0/0   GigabitEthernet1/0/0.1   10.3.1.2/24
         GigabitEthernet2/0/0   GigabitEthernet2/0/0.1   10.4.1.2/24
         GigabitEthernet3/0/0   VLANIF 60                172.2.1.2/24
P        GigabitEthernet1/0/0   VLANIF 30                172.1.1.2/24
         GigabitEthernet2/0/0   VLANIF 60                172.2.1.1/24
CE1      GigabitEthernet1/0/0   VLANIF 10                10.1.1.1/24
CE2      GigabitEthernet1/0/0   VLANIF 20                10.2.1.1/24
CE3      GigabitEthernet1/0/0   VLANIF 10                10.3.1.1/24
CE4      GigabitEthernet1/0/0   VLANIF 20                10.4.1.1/24
Configuration Roadmap
The configuration roadmap is as follows:
1. On the backbone network, configure VPN instances on the PEs connected to CEs and bind
related VPNs to the interfaces connected to the CEs. Then, assign IP addresses to the
interfaces connected to the CEs.
2.
3. Configure basic MPLS functions and MPLS LDP and create MPLS LSPs.
4.
5. Configure EBGP between the CE and the PE to exchange VPN routing information.
6. Configure the QinQ sub-interface to access an L3VPN on the interface connecting the PE
and Switch.
7. Configure selective QinQ on the interface connecting the Switch and CE.
Data Preparation
To complete the configuration, you need the following data:
- IDs of the VLANs that the interfaces belong to, as shown in Figure 5-17
Procedure
Step 1 On the interface of the switch, configure selective QinQ and the VLAN whose packets can pass
through the interface.
# Configure Switch1.
[Switch1] vlan 100
[Switch1-vlan100] quit
[Switch1] interface gigabitethernet 2/0/0
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch1-GigabitEthernet2/0/0] quit
[Switch1] interface gigabitethernet 1/0/0
[Switch1-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100
[Switch1-GigabitEthernet1/0/0] quit
# Configure Switch2.
[Switch2] vlan 200
[Switch2-vlan200] quit
[Switch2] interface gigabitethernet 2/0/0
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 200
[Switch2-GigabitEthernet2/0/0] quit
[Switch2] interface gigabitethernet 1/0/0
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 200
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 20 stack-vlan 200
[Switch2-GigabitEthernet1/0/0] quit
# Configure Switch3.
[Switch3] vlan 100
[Switch3-vlan100] quit
[Switch3] interface gigabitethernet 2/0/0
[Switch3-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch3-GigabitEthernet2/0/0] quit
[Switch3] interface gigabitethernet 1/0/0
[Switch3-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch3-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100
[Switch3-GigabitEthernet1/0/0] quit
# Configure Switch4.
[Switch4] vlan 200
[Switch4-vlan200] quit
[Switch4] interface gigabitethernet 2/0/0
[Switch4-GigabitEthernet2/0/0] port hybrid tagged vlan 200
[Switch4-GigabitEthernet2/0/0] quit
[Switch4] interface gigabitethernet 1/0/0
[Switch4-GigabitEthernet1/0/0] port hybrid untagged vlan 200
[Switch4-GigabitEthernet1/0/0] port vlan-stacking vlan 20 stack-vlan 200
[Switch4-GigabitEthernet1/0/0] quit
Step 2 Configure an IGP on the MPLS backbone network so that the PE and P can interwork with each
other.
# Configure PE1.
<Quidway> system-view
[Quidway] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 30
[PE1] interface GigabitEthernet 3/0/0
[PE1-GigabitEthernet3/0/0] port hybrid pvid vlan 30
[PE1-GigabitEthernet3/0/0] port hybrid untagged vlan 30
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 172.1.1.1 24
[PE1-Vlanif30] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
<Quidway> system-view
[Quidway] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.9 32
[P-LoopBack1] quit
[P] vlan batch 30 60
[P] interface GigabitEthernet 1/0/0
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet1/0/0] port hybrid untagged vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface GigabitEthernet 2/0/0
[P-GigabitEthernet2/0/0] port hybrid pvid vlan 60
[P-GigabitEthernet2/0/0] port hybrid untagged vlan 60
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 172.1.1.2 24
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] ip address 172.2.1.1 24
[P-Vlanif60] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
<Quidway> system-view
[Quidway] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 60
[PE2] interface GigabitEthernet 3/0/0
[PE2-GigabitEthernet3/0/0] port hybrid pvid vlan 60
[PE2-GigabitEthernet3/0/0] port hybrid untagged vlan 60
[PE2-GigabitEthernet3/0/0] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] ip address 172.2.1.2 24
[PE2-Vlanif60] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration, OSPF relations are established between PE1, P, and PE2. Run the
display ospf peer command, and you can view that the status of the OSPF relations is Full. Run
the display ip routing-table command, and you can view that the PEs can learn the routes of
Loopback1 interfaces of each other.
Take the display on PE1 as an example.
[PE1] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 9        Routes : 9
Destination/Mask     Proto    Pre   Cost   Flags   NextHop     Interface
1.1.1.9/32           Direct   0     0      D       127.0.0.1   InLoopBack0
2.2.2.9/32           OSPF     10    1      D       172.1.1.2   Vlanif30
3.3.3.9/32           OSPF     10    2      D       172.1.1.2   Vlanif30
127.0.0.0/8          Direct   0     0      D       127.0.0.1   InLoopBack0
127.0.0.1/32         Direct   0     0      D       127.0.0.1   InLoopBack0
127.255.255.255/32   Direct   0     0      D       127.0.0.1   InLoopBack0
172.1.1.0/24         Direct   0     0      D       172.1.1.1   Vlanif30
172.1.1.1/32         Direct   0     0      D       127.0.0.1   InLoopBack0
172.1.1.2/32         Direct   0     0      D       172.1.1.2   Vlanif30
172.1.1.255/32       Direct   0     0      D       127.0.0.1   InLoopBack0
172.2.1.0/24         OSPF     10    2      D       172.1.1.2   Vlanif30
255.255.255.255/32   Direct   0     0      D       127.0.0.1   InLoopBack0
[PE1] display ospf peer
Step 3 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.
# Configure PE1.
# Configure the P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] mpls
[P-Vlanif60] mpls ldp
[P-Vlanif60] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] mpls
[PE2-Vlanif60] mpls ldp
[PE2-Vlanif60] quit
After the configuration, LDP sessions should be set up between PE1 and P, and between PE2
and P. Run the display mpls ldp session command, and you can view that Status is
Operational. Run the display mpls ldp lsp command, and you can view the establishment of
LDP LSPs.
Take the display on PE1 as an example:
[PE1] display mpls ldp session
 LDP Session(s) in Public Network
 ------------------------------------------------------------------------------
 Peer-ID        Status        LAM   SsnRole   SsnAge      KA-Sent/Rcv
 ------------------------------------------------------------------------------
 2.2.2.9:0      Operational   DU    Active    000:00:01   6/6
 ------------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.
 LAM : Label Advertisement Mode
 SsnAge Unit : DDD:HH:MM
[PE1] display mpls ldp lsp
 LDP LSP Information
 ------------------------------------------------------------------------------
 SN   DestAddress/Mask   In/OutLabel   Next-Hop    In/Out-Interface
 ------------------------------------------------------------------------------
 1    1.1.1.9/32         3/NULL        127.0.0.1   Vlanif30/InLoop0
 2    2.2.2.9/32         NULL/3        172.1.1.2   -------/Vlanif30
 3    3.3.3.9/32         NULL/1025     172.1.1.2   -------/Vlanif30
 ------------------------------------------------------------------------------
Step 4 Configure VPN instances on the PEs and connect the CEs to the PEs.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna] vpn-target 111:1 both
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] route-distinguisher 100:2
[PE1-vpn-instance-vpnb] vpn-target 222:2 both
[PE1-vpn-instance-vpnb] quit
[PE1] interface gigabitethernet 1/0/0.1
[PE1-GigabitEthernet1/0/0.1] control-vid 1000 qinq-termination rt-protocol
[PE1-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10
[PE1-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE1-GigabitEthernet1/0/0.1] ip address 10.1.1.2 24
[PE1-GigabitEthernet1/0/0.1] arp broadcast enable
[PE1-GigabitEthernet1/0/0.1] quit
[PE1] interface gigabitethernet 2/0/0.1
[PE1-GigabitEthernet2/0/0.1] control-vid 2000 qinq-termination rt-protocol
[PE1-GigabitEthernet2/0/0.1] qinq termination pe-vid 200 ce-vid 20
[PE1-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb
[PE1-GigabitEthernet2/0/0.1] ip address 10.2.1.2 24
[PE1-GigabitEthernet2/0/0.1] arp broadcast enable
[PE1-GigabitEthernet2/0/0.1] quit
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna] vpn-target 111:1 both
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 200:2
[PE2-vpn-instance-vpnb] vpn-target 222:2 both
[PE2-vpn-instance-vpnb] quit
[PE2] interface gigabitethernet 1/0/0.1
[PE2-GigabitEthernet1/0/0.1] control-vid 1000 qinq-termination rt-protocol
[PE2-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10
[PE2-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE2-GigabitEthernet1/0/0.1] ip address 10.3.1.2 24
[PE2-GigabitEthernet1/0/0.1] arp broadcast enable
[PE2-GigabitEthernet1/0/0.1] quit
[PE2] interface gigabitethernet 2/0/0.1
[PE2-GigabitEthernet2/0/0.1] control-vid 2000 qinq-termination rt-protocol
[PE2-GigabitEthernet2/0/0.1] qinq termination pe-vid 200 ce-vid 20
[PE2-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb
[PE2-GigabitEthernet2/0/0.1] ip address 10.4.1.2 24
[PE2-GigabitEthernet2/0/0.1] arp broadcast enable
[PE2-GigabitEthernet2/0/0.1] quit
# Assign IP addresses to the interfaces on the CEs according to Figure 5-17. The configuration
procedure is not mentioned here.
After the configuration, run the display ip vpn-instance verbose command on the PEs, and you
can view the configuration of VPN instances. The PE can ping the connected CE successfully.
NOTE
If multiple interfaces on a PE are bound to the same VPN, you must specify the source IP address when
you run the ping -vpn-instance command to ping the CE connected to the peer PE. That is, specify -a
source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address
command. Otherwise, the ping operation may fail.
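The tag handling configured in Step 1 and Step 4, shown on the wire. This is an added example, not code from the guide: it pushes the outer tag as the vlan-stacking rule on Switch1 or Switch2 would, then looks up the (port, pe-vid, ce-vid) triple as the qinq termination sub-interfaces on PE1 do. The function names, the MAC addresses and the use of TPID 0x8100 for both tags are assumptions.

```python
import struct

TPID = 0x8100  # assumption: both tags carry TPID 0x8100

# Step 1: "port vlan-stacking vlan <inner> stack-vlan <outer>" on each switch.
STACKING = {"Switch1": {10: 100}, "Switch2": {20: 200}}

# Step 4 on PE1: "qinq termination pe-vid <outer> ce-vid <inner>" per sub-interface,
# together with the VPN instance bound to that sub-interface.
PE1_TERMINATION = {
    ("GigabitEthernet1/0/0", 100, 10): ("GigabitEthernet1/0/0.1", "vpna"),
    ("GigabitEthernet2/0/0", 200, 20): ("GigabitEthernet2/0/0.1", "vpnb"),
}

# Constructed sample addresses.
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")


def tag(vid, pcp=0):
    """Encode one 802.1Q tag: TPID followed by PCP/DEI/VID."""
    return struct.pack("!HH", TPID, (pcp << 13) | (vid & 0x0FFF))


def build_frame(vids, ethertype=0x0800, payload=b""):
    """Build an Ethernet frame carrying the given VLAN tags, outermost first."""
    return DST + SRC + b"".join(tag(v) for v in vids) + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return ([VLAN IDs, outermost first], EtherType after the last tag)."""
    vids, off = [], 12
    while True:
        if len(frame) < off + 2:
            raise ValueError("frame truncated before EtherType")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype != TPID:
            return vids, etype
        if len(frame) < off + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)
        off += 4


def selective_qinq(frame, rules):
    """Push the outer tag selected by the frame's single customer VLAN.

    Returns None when no vlan-stacking rule covers the frame.
    """
    vids, _ = parse_tags(frame)
    if len(vids) != 1 or vids[0] not in rules:
        return None
    return frame[:12] + tag(rules[vids[0]]) + frame[12:]


def terminate(port, frame, table):
    """Return (sub-interface, VPN instance) for a double-tagged frame, or None."""
    vids, _ = parse_tags(frame)
    if len(vids) != 2:
        return None
    return table.get((port, vids[0], vids[1]))


def demo():
    """CE1 sends VLAN 10; Switch1 stacks VLAN 100; PE1 maps the pair to vpna."""
    stacked = selective_qinq(build_frame([10]), STACKING["Switch1"])
    return parse_tags(stacked)[0], terminate("GigabitEthernet1/0/0", stacked, PE1_TERMINATION)


if __name__ == "__main__":
    print(demo())
```

Only the exact pe-vid/ce-vid pair on the right physical port resolves to a sub-interface, which is what ties each customer VLAN to a single VPN instance.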
Step 5 Set up EBGP peer relations between PEs and CEs to import VPN routes.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
NOTE
The configurations of CE2, CE3 and CE4 are similar to the configuration of CE1, and are not mentioned
here.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
NOTE
The configuration of PE2 is similar to the configuration of PE1, and is not mentioned here.
After the configuration, run the display bgp vpnv4 vpn-instance peer command on the PE,
and you can see that the BGP peer relation between the PE and CE is in Established state.
Take the peer relation between PE1 and CE1 as an example:
[PE1] display bgp vpnv4 vpn-instance vpna peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1
  Peer            V   AS      MsgRcvd   MsgSent   OutQ   Up/Down    State         PrefRcv
  118.118.118.2   4   65410   11                  0      00:07:25   Established
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
After the configuration, run the display bgp peer or display bgp vpnv4 all peer command, and
you can view that the BGP peer relation between the PEs is in Established state.
[PE1] display bgp peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1
  Peer      AS    MsgRcvd   MsgSent   OutQ   Up/Down    State         PrefRcv
  3.3.3.9   100   12                  0      00:02:21   Established   0
[PE1] display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3
Peer
PrefRcv
AS
3.3.3.9
4
100
Peer of vpn instance:
MsgRcvd
OutQ
Up/Down
State
18
00:09:38
Established
25
25
00:17:57
Established
21
22
00:17:10
Established
12
Proto    Pre   Cost   Flags   NextHop     Interface
Direct   0     0      D       10.2.1.2    Vlanif20
Direct   0     0      D       127.0.0.1   InLoopBack0
Direct   0     0      D       127.0.0.1   InLoopBack0
BGP      255   0      RD      3.3.3.9     Vlanif30
The CEs in the same VPN can ping each other, but the CEs in different VPNs cannot ping each
other.
For example, CE1 can ping CE3 (10.3.1.1) but cannot ping CE4 (10.4.1.1).
[CE1] ping 10.3.1.1
  PING 10.3.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
    Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
    Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
    Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
    Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
  --- 10.3.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 34/48/72 ms
[CE1] ping 10.4.1.1
  PING 10.4.1.1: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 10.4.1.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
----End
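The ping results above follow from the vpn-target values: an instance accepts a VPNv4 route only when it imports a route target that the originating instance exports. The following added example (not part of the guide) parses the ip vpn-instance stanzas shown on this page, derives the route flows, and flags any flow between differently named instances. Treating the instance name as the tenant boundary, treating a vpn-target line without a keyword as "both", the CE attachment table, and the LEAKY_CONFIGS variant are assumptions made for the illustration.

```python
import re
from itertools import product

# Stanzas as they appear on this page: PE1 in configuration-file form,
# PE2 in the command form used in Step 4.
PE_CONFIGS = {
    "PE1": """
ip vpn-instance vpna
 route-distinguisher 100:1
 vpn-target 111:1 export-extcommunity
 vpn-target 111:1 import-extcommunity
ip vpn-instance vpnb
 route-distinguisher 100:2
 vpn-target 222:2 export-extcommunity
 vpn-target 222:2 import-extcommunity
#
""",
    "PE2": """
ip vpn-instance vpna
 route-distinguisher 200:1
 vpn-target 111:1 both
ip vpn-instance vpnb
 route-distinguisher 200:2
 vpn-target 222:2 both
#
""",
}

# Constructed misconfiguration: PE2's vpna additionally imports vpnb's route target.
LEAKY_CONFIGS = dict(PE_CONFIGS, PE2=PE_CONFIGS["PE2"].replace(
    " vpn-target 111:1 both",
    " vpn-target 111:1 both\n vpn-target 222:2 import-extcommunity"))

# Which instance each CE attaches to, from the "ip binding vpn-instance" lines.
CE_ATTACHMENT = {"CE1": ("PE1", "vpna"), "CE2": ("PE1", "vpnb"),
                 "CE3": ("PE2", "vpna"), "CE4": ("PE2", "vpnb")}

VPN_TARGET = re.compile(
    r"vpn-target\s+(?P<rts>[\d.]+:\d+(?:\s+[\d.]+:\d+)*)"
    r"(?:\s+(?P<kind>both|export-extcommunity|import-extcommunity))?$")


def parse_vpn_instances(pe, text):
    """Return {(pe, instance): {"rd": str, "import": set, "export": set}}."""
    instances, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ip vpn-instance "):
            current = instances.setdefault(
                (pe, line.split()[2]), {"rd": None, "import": set(), "export": set()})
        elif line == "#":
            current = None  # end of the stanza in a configuration file
        elif current is not None and line.startswith("route-distinguisher "):
            current["rd"] = line.split()[1]
        elif current is not None:
            m = VPN_TARGET.match(line)
            if m:
                rts = set(m.group("rts").split())
                kind = m.group("kind") or "both"  # assumption: no keyword means both
                if kind != "import-extcommunity":
                    current["export"] |= rts
                if kind != "export-extcommunity":
                    current["import"] |= rts
    return instances


def route_flows(instances):
    """Directed (source, destination) pairs where destination imports an RT source exports."""
    return {(s, d) for s, d in product(instances, repeat=2)
            if s != d and instances[s]["export"] & instances[d]["import"]}


def audit(configs):
    """Return (instances, flows, violations); a violation crosses instance names."""
    instances = {}
    for pe, text in configs.items():
        instances.update(parse_vpn_instances(pe, text))
    flows = route_flows(instances)
    violations = sorted((s, d) for s, d in flows if s[1] != d[1])
    return instances, flows, violations


def can_exchange_routes(ce_a, ce_b, flows):
    """True when the two CEs' instances import each other's routes."""
    a, b = CE_ATTACHMENT[ce_a], CE_ATTACHMENT[ce_b]
    return (a, b) in flows and (b, a) in flows


if __name__ == "__main__":
    _, flows, violations = audit(PE_CONFIGS)
    print(can_exchange_routes("CE1", "CE3", flows), can_exchange_routes("CE1", "CE4", flows))
    print(violations, audit(LEAKY_CONFIGS)[2])
```

Running the same audit on every PE configuration before deployment catches an extra import target that would otherwise only show up as unexpected reachability between tenants.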
Configuration Files
vlan batch 30
#
ip vpn-instance vpna
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
ip vpn-instance vpnb
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0.1
control-vid 1000 qinq-termination rt-protocol
qinq termination pe-vid 100 ce-vid 10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet2/0/0.1
control-vid 2000 qinq-termination rt-protocol
qinq termination pe-vid 200 ce-vid 20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet3/0/0
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
import-route direct
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
Configuration file of P
#
sysname P
#
vlan batch 30 60
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
#
return
#
return
6 GVRP Configuration
GVRP
GVRP is an application of GARP that maintains and propagates VLAN registration information
to other devices.
GARP
GARP enables member switches on a LAN to distribute, transmit, and register information such
as VLAN information and multicast addresses with one another.
GARP is not an entity on a device. GARP-compliant entities are called GARP participants.
GVRP is a GARP application. When a GARP application runs on an interface, the interface is
considered a GARP participant.
Join timer: To ensure reliable transmission of Join messages, a participant can send
each Join message twice. If the participant does not receive the response after
sending the Join message the first time, it sends the Join message again. The Join
timer specifies the interval between the two Join messages.
Leave timer: When a GARP participant expects other participants to deregister its
attribute, it sends Leave messages to other participants. When another participant
receives the Leave message, it starts the Leave timer. If the participant does not
receive any Join message before the Leave timer expires, it deregisters the attributes
of the Leave message sender.
LeaveAll timer: When a GARP participant is enabled, the LeaveAll timer is started.
When the LeaveAll timer expires, the GARP participant sends LeaveAll messages
to request other GARP participants to re-register all its attributes. Then the LeaveAll
timer restarts.
NOTE
- The GARP timers apply to all GARP participants (such as GVRP) on the same LAN.
- The Hold timer, Join timer, and Leave timer must be set individually on each interface,
whereas the LeaveAll timer is set globally and takes effect on all interfaces of a device.
- Devices on a network may have different settings of the LeaveAll timer. In this case, all the
devices use the smallest LeaveAll timer value on the network. When the LeaveAll timer of
a device expires, the device sends LeaveAll messages to other devices. After other devices
receive the LeaveAll messages, they reset their LeaveAll timers. Therefore, only the
LeaveAll timer with the smallest value takes effect even if devices have different settings
of the LeaveAll timer.
[Figure: GARP PDU carried in an Ethernet frame, broken down into the message structure (Attribute Type, Attribute List) and the attribute structure.]
Field              Description / Value
Protocol ID        Value: The value is 1.
Message
Attribute Type
Attribute List
Attribute          Description: Indicates an attribute, which consists of the Attribute Length,
                   Attribute Event, and Attribute Value fields.
Attribute Length
Attribute Event    Value:
                   - 0: LeaveAll event
                   - 1: JoinEmpty event
                   - 2: JoinIn event
                   - 3: LeaveEmpty event
                   - 4: LeaveIn event
                   - 5: Empty event
Attribute Value
End Mark
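A decoder for the PDU layout in the table above, written as an added example rather than code from the guide. The Protocol ID value and the event codes come from the table; the field widths (2-byte Protocol ID, 1-byte Attribute Type, Length and Event, Length counting itself), the GVRP attribute type 1 and the 2-byte VLAN ID value follow IEEE 802.1D/802.1Q and are not stated on this page. The sample PDU is constructed, and the allowed range 101 to 200 is taken from the VLANs created on Switch C later in this chapter.

```python
import struct

GARP_PROTOCOL_ID = 0x0001      # table above: "Protocol ID: The value is 1."
GVRP_ATTR_TYPE_VLAN = 1        # from IEEE 802.1Q, not from this page
END_MARK = 0x00
EVENTS = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn",
          3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}

# Constructed sample: JoinIn VLAN 101, JoinEmpty VLAN 200, JoinIn VLAN 999, LeaveAll.
SAMPLE_PDU = bytes.fromhex("0001 01 04020065 040100c8 040203e7 0200 00 00")


class GarpError(ValueError):
    """Raised for a PDU that does not follow the GARP layout."""


def parse_garp_pdu(pdu):
    """Decode a GARP PDU into [(attribute_type, event_name, value_bytes)].

    Bytes after the final End Mark (frame padding) are ignored.
    """
    if len(pdu) < 2:
        raise GarpError("truncated Protocol ID")
    (proto,) = struct.unpack_from("!H", pdu, 0)
    if proto != GARP_PROTOCOL_ID:
        raise GarpError(f"unexpected Protocol ID {proto:#06x}")
    attrs, off = [], 2
    while True:                                  # one iteration per Message
        if off >= len(pdu):
            raise GarpError("PDU not closed by End Mark")
        attr_type = pdu[off]
        off += 1
        if attr_type == END_MARK:                # End Mark closing the PDU
            return attrs
        while True:                              # one iteration per Attribute
            if off >= len(pdu):
                raise GarpError("Attribute List not closed by End Mark")
            length = pdu[off]
            if length == END_MARK:               # End Mark closing the Attribute List
                off += 1
                break
            if length < 2 or off + length > len(pdu):
                raise GarpError(f"bad Attribute Length {length} at offset {off}")
            event = pdu[off + 1]
            if event not in EVENTS:
                raise GarpError(f"unknown Attribute Event {event}")
            attrs.append((attr_type, EVENTS[event], pdu[off + 2:off + length]))
            off += length


def gvrp_events(pdu):
    """Return [(event_name, vlan_id or None)]; LeaveAll carries no VLAN ID."""
    out = []
    for attr_type, event, value in parse_garp_pdu(pdu):
        if attr_type != GVRP_ATTR_TYPE_VLAN:
            raise GarpError(f"not a GVRP VLAN attribute: type {attr_type}")
        if event == "LeaveAll":
            if value:
                raise GarpError("LeaveAll must not carry a value")
            out.append((event, None))
            continue
        if len(value) != 2:
            raise GarpError("VLAN attribute value must be 2 bytes")
        (vlan,) = struct.unpack("!H", value)
        if not 1 <= vlan <= 4094:
            raise GarpError(f"VLAN ID {vlan} out of range")
        out.append((event, vlan))
    return out


def unexpected_joins(pdu, allowed_vlans):
    """VLANs a PDU tries to register (JoinEmpty/JoinIn) outside the expected set."""
    allowed = set(allowed_vlans)
    return sorted({vlan for event, vlan in gvrp_events(pdu)
                   if event in ("JoinEmpty", "JoinIn") and vlan not in allowed})


if __name__ == "__main__":
    print(gvrp_events(SAMPLE_PDU))
    print(unexpected_joins(SAMPLE_PDU, range(101, 201)))
```

On a port left in normal registration mode every Join in such a PDU creates a dynamic VLAN, so the list returned by unexpected_joins is what the fixed and forbidden modes described next would refuse to register.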
Normal: In this mode, the GVRP interface can dynamically register and deregister VLANs,
and transmit dynamic VLAN registration information and static VLAN registration
information.
Fixed: In this mode, the GVRP interface is disabled from dynamically registering and
deregistering VLANs and can transmit only the static registration information. If the
registration mode of a trunk interface is set to fixed, the interface allows only the manually
configured VLANs to pass even if it is configured to allow all the VLANs to pass.
Forbidden: In this mode, the GVRP interface is disabled from dynamically registering and
deregistering VLANs and can transmit only information about VLAN 1. If the registration
mode of a trunk interface is set to forbidden, the interface allows only VLAN 1 to pass even
if it is configured to allow all the VLANs to pass.
NOTE
Pre-configuration Tasks
Before configuring the GVRP function, complete the following task:
l
Data Preparation
To configure the GVRP function, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
Step 4 Run:
port link-type trunk
----End
Normal: In this mode, the GVRP interface can dynamically register and deregister VLANs,
and transmit dynamic VLAN registration information and static VLAN registration
information.
Fixed: In this mode, the GVRP interface is disabled from dynamically registering and
deregistering VLANs and can transmit only the static registration information. If the
registration mode of a trunk interface is set to fixed, the interface allows only the manually
configured VLANs to pass even if it is configured to allow all the VLANs to pass.
Forbidden: In this mode, the GVRP interface is disabled from dynamically registering and
deregistering VLANs and can transmit only information about VLAN 1. If the registration
mode of a trunk interface is set to forbidden, the interface allows only VLAN 1 even if it
is configured to allow all the VLANs.
Procedure
Step 1 Run:
system-view
Before setting the registration mode of an interface, you need to enable GVRP on the interface.
----End
The undo garp timer command restores the default values of the GARP timers. If the
default value of a timer is out of the valid range, the undo garp timer command does not
take effect.
The value range of each timer changes with the values of the other timers. If a value you
set for a timer is not in the allowed range, you can change the value of the timer that
determines the value range of this timer.
To restore the default values of all the GARP timers, restore the Hold timer to the default
value, and then restore the Join timer, Leave timer, and LeaveAll timer to the default values
in sequence.
NOTE
In actual application, it is recommended that you use the following values of the GVRP timers:
l
When more than 100 dynamic VLANs are created, use the preceding recommended values. When the
number of dynamic VLANs increases, lengths of the GARP timers need to be increased.
Procedure
Step 1 Run:
system-view
Step 2 Run:
garp timer leaveall timer-value
The value of the Hold timer, Join timer, or Leave timer is set.
By default, the value of the Hold timer is 10 centiseconds, the value of the Join timer is 20
centiseconds, and the value of the Leave timer is 60 centiseconds.
----End
Run the display gvrp status command to check whether GVRP is enabled globally.
Run the display gvrp statistics [ interface { interface-type interface-number [ to interface-type
interface-number ] }&<1-10> ] command to view the statistics about GVRP on an
interface.
Run the display garp timer [ interface { interface-type interface-number [ to interface-type
interface-number ] }&<1-10> ] command to view the values of GARP timers.
----End
CAUTION
GARP statistics cannot be restored after being cleared. Therefore, use this command with
caution.
Procedure
Step 1 Run the reset garp statistics [ interface { interface-type interface-number [ to interface-type
interface-number ] }&<1-10> ] command in the user view to clear statistics about GARP on the
specified interfaces.
----End
[Figure: networking diagram showing SwitchA, SwitchB and SwitchC, each with interfaces GE1/0/1 and GE1/0/2, and the labels Company A, Branch of company A and Company B.]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
Data Preparation
To complete the configuration, you need the following data:
• Registration modes of GE 1/0/1 and GE 1/0/2 of Switch C: fixed and normal respectively
Procedure
Step 1 Configure Switch A.
# Enable GVRP globally.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] gvrp
# Set the link type of GE 1/0/1 and GE 1/0/2 to trunk and configure the interfaces to allow all
VLANs.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan all
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan all
[SwitchA-GigabitEthernet1/0/2] quit
# Enable GVRP on the interfaces and set the registration modes of the interfaces.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] gvrp
[SwitchA-GigabitEthernet1/0/1] gvrp registration normal
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] gvrp
[SwitchA-GigabitEthernet1/0/2] gvrp registration normal
[SwitchA-GigabitEthernet1/0/2] quit
The configuration of Switch B is similar to the configuration of Switch A, and is not mentioned
here.
Step 2 Configure Switch C.
# Create VLAN 101 to VLAN 200.
<Quidway> system-view
[Quidway] sysname SwitchC
[SwitchC] vlan batch 101 to 200
# Set the link type of GE 1/0/1 and GE 1/0/2 to trunk and configure the interfaces to allow all
VLANs.
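[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan all
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-type trunk
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan all
[SwitchC-GigabitEthernet1/0/2] quit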
# Enable GVRP on the interfaces and set the registration modes of the interfaces.
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] gvrp
[SwitchC-GigabitEthernet1/0/1] gvrp registration fixed
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] gvrp
[SwitchC-GigabitEthernet1/0/2] gvrp registration normal
[SwitchC-GigabitEthernet1/0/2] quit
Run the display gvrp statistics command on Switch A to view statistics about GVRP on GVRP
interfaces, including the GVRP state of each interface, number of GVRP registration failures,
source MAC address of the last GVRP PDU, and registration type of each interface.
<SwitchA> display gvrp statistics
GVRP statistics on port GigabitEthernet1/0/1
  GVRP status                : Enabled
  GVRP registrations failed  : 0
  GVRP last PDU origin       : 0000-0000-0000
  GVRP registration type     : Normal
Configuration Files
#
sysname SwitchA
#
gvrp
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
interface GigabitEthernet1/0/2
port link-type trunk
#
sysname SwitchB
#
gvrp
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
return
#
sysname SwitchC
#
vlan batch 101 to 200
#
gvrp
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
gvrp registration fixed
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
return
Definition
A MAC address table is maintained on each Line Processing Unit (LPU) of the S9300. The MAC
address table stores the MAC addresses of other devices learned by the S9300, the VLAN IDs,
and the outbound interfaces that are used to send data. Before forwarding a data packet, the
S9300 searches the MAC address table based on the destination MAC address and the VLAN
ID of the packet to find the outbound interface quickly. This reduces the number of broadcast
packets.
• Automatic creation: MAC address entries are learned by the system automatically. The
  MAC address table needs to be updated constantly because the network topology always
  changes. The automatically created MAC address entries are not always valid. Each entry
  has an aging time. If an entry is not updated within the aging time, it is deleted. If the entry
  is updated before its aging time expires, the aging timer is reset.
• Manual creation: Automatically created MAC address entries cannot distinguish packets
  of authorized users from attack packets. If a hacker sets the source MAC address of attack
  packets to the MAC address of an authorized user and connects to another interface of the
  S9300, the S9300 learns an incorrect MAC address entry. The packets that should be
  forwarded to the authorized user are forwarded to the hacker. To improve interface security,
  you can manually create MAC address entries to bind MAC addresses of authorized users
  to specified interfaces. This prevents hackers from intercepting data of authorized users.
  Manually created MAC address entries take precedence over automatically created MAC
  address entries.
• Dynamic MAC address entries that are learned by an interface after MAC address learning
  is enabled.
• Static MAC address entries that are configured manually. Static MAC address entries take
  precedence over dynamic MAC address entries.
• Blackhole MAC address entries that are manually configured and used to discard data
  frames with the specified source or destination MAC addresses. Blackhole MAC address
  entries take precedence over dynamic MAC address entries.
Unicast mode: If the destination MAC address of a packet can be found in the MAC address
table, the S9300 forwards the packet through the outbound interface specified in the
matching entry.
• Create static MAC address entries for MAC addresses of fixed upstream devices or trusted
  user devices to improve communication security.
• Configure blackhole MAC address entries to protect the S9300 from attacks.
• Set a proper aging time for dynamic MAC addresses to prevent a sharp increase in dynamic
  MAC address entries.
NOTE
The S9300 supports a maximum of 4 K static and blackhole MAC address entries.
You can use the following methods to improve security or meet special requirements:
• Disable MAC address learning. This method can be used on a network where the topology
  seldom changes or forwarding paths are specified in static MAC address entries. This
  method prevents users with unknown MAC addresses from accessing the network, protects
  the network from MAC address attacks, and improves network security.
• Limit the number of MAC addresses that can be learned. MAC address limiting protects
  the S9300 from MAC address attacks on an insecure network.
• Enable port security. If a network requires high security, port security can be configured
  on the interfaces connected to trusted devices. The port security function prevents devices
  with untrusted MAC addresses from accessing these interfaces and improves device
  security.
• Configure MAC address flapping detection. This function reduces impact of loops on the
  S9300.
• Discard packets with an all-0 MAC address. A faulty device may send packets with an all-0
  source or destination MAC address to the S9300. You can configure the S9300 to discard
  such packets and send a trap to the network management system (NMS). You can locate
  the faulty device according to the trap message.
• Enable MAC address triggered ARP entry update. This function enables the S9300 to
  update the corresponding ARP entry when the outbound interface in a MAC address entry
  changes.
• Enable port bridge. This function enables an interface to process packets in which the source
  and destination MAC addresses are the same. It can be configured on an S9300 connected
Port Security
The port security function changes MAC addresses learned by an interface to secure dynamic
MAC addresses or sticky MAC addresses. It prevents devices with untrusted MAC addresses
from accessing an interface and improves device security.
Differences between secure dynamic MAC addresses and sticky MAC addresses are:
• Secure dynamic MAC addresses are learned after port security is enabled and will not be
  aged out by default. Secure dynamic MAC addresses will be lost after the device restarts
  and the device needs to learn the MAC addresses again.
• Sticky MAC addresses are learned after the sticky MAC function is enabled. Sticky MAC
  addresses will not be aged out and will exist after the S9300 restarts.
NOTE
The S9300 supports a maximum of 4 K sticky and secure dynamic MAC address entries.
Applicable Environment
You can configure a static MAC address entry if an interface is connected to an upstream device
or a server, as shown in Figure 7-1. Attackers may set the source MAC address of packets to
the server MAC address and send the packets to the Switch to intercept data of the server. To
protect the server and ensure communication between users and the server, you can configure a
static MAC address entry in which the destination MAC address is the server MAC address and
the outbound interface is the interface connected to the server.
Figure 7-1 Networking diagram of static MAC address entry configurations
[Diagram labels: Network, Server, Switch, LSW, PC1, PC2, VLAN2, VLAN4]
Pre-configuration Tasks
None.
Data Preparation
To configure a static MAC address entry, you need the following data.
No.
Data
Destination MAC address, destination outbound interface number, name of the VSI
and ID of the VLAN to which the outbound interface belongs
Procedure
Step 1 Run:
system-view
Static MAC address entries take precedence over dynamic MAC address entries.
----End
Applicable Environment
To protect user devices or network devices from MAC address attacks, you can configure
untrusted MAC addresses as blackhole MAC addresses. Packets with source or destination MAC
addresses matching the blackhole MAC address entries are discarded.
Pre-configuration Tasks
None.
Data Preparation
To configure a blackhole MAC address entry, you need the following data.
No.
Data
Destination or source MAC address, name of the VSI and ID of the VLAN to which the
outbound interface belongs
Procedure
Step 1 Run:
system-view
Applicable Environment
Dynamic MAC address entries are learned by the S9300 from source MAC addresses of
received packets. The system starts an aging timer for each dynamic MAC address entry. If a dynamic
MAC address entry is not updated within a certain period (twice the aging time), this entry is
deleted. If the entry is updated within this period, the aging timer of this entry is reset. A shorter
aging time enables the S9300 to respond to network topology changes more quickly.
When the network topology changes frequently, the S9300 learns many MAC addresses. After
the aging time of dynamic MAC address entries is set, the S9300 can delete unneeded MAC
address entries to prevent a sharp increase in MAC address entries.
Pre-configuration Tasks
None.
Data Preparation
To set the aging time of dynamic MAC address entries, you need the following data.
No.
Data
Aging time
Procedure
Step 1 Run:
system-view
Step 2 Run:
mac-address aging-time aging-time
Run the display mac-address aging-time command to check whether the aging time of
dynamic MAC address entries is set properly.
Applicable Environment
As shown in Figure 7-2, an interface of the Switch is connected to a server. To protect the server,
configure the server MAC address as a static MAC address, disable MAC address learning on
the interface, and configure the interface to discard the packets with unknown MAC addresses.
The configuration prevents other servers or terminals from accessing the interface and improves
network stability and security.
Figure 7-2 Disabling MAC address learning
[Diagram labels: Server, Switch, mac-address learning disable]
Pre-configuration Tasks
None.
Data Preparation
To disable MAC address learning, you need the following data.
No.
Data
VLAN ID
Context
When an S9300 enabled with MAC address learning receives an Ethernet frame, it records the
source MAC address and inbound interface of the Ethernet frame in a MAC address entry. When
receiving other Ethernet frames destined for this MAC address, the S9300 forwards the frames
through the corresponding outbound interface according to the MAC address entry. The MAC
address learning function reduces broadcast packets on a network. After MAC address learning
is disabled on an interface, the S9300 does not learn source MAC addresses of packets received
by the interface.
Procedure
Step 1 Run:
system-view
NOTE
If you set the action to forward when disabling MAC address learning, untrusted terminals can still access
the network. This action only controls the number of learned MAC address entries.
----End
Context
After MAC address learning is disabled in a VLAN, the S9300 checks source MAC addresses
of packets received by interfaces in the VLAN. If the source MAC address of a packet is in the
MAC address table, the S9300 forwards the packet; otherwise, the S9300 broadcasts the packet.
Procedure
Step 1 Run:
system-view
Procedure
----End
Applicable Environment
As shown in Figure 7-3, an insecure residential network or enterprise often receives packets
with bogus MAC addresses. The capacity of a MAC address table is limited; therefore, if hackers
forge a large number of packets with different source MAC addresses and send the packets to
the Switch, the MAC address table of the Switch becomes full quickly. When the MAC address
table is full, the Switch cannot learn source MAC addresses of valid packets. A limit can be set
for the number of learned MAC addresses. When the number of learned MAC addresses reaches
the limit, the Switch stops learning MAC addresses. When the Switch receives packets with
unknown source MAC addresses, it can be configured to discard the packets or generate an
alarm. This protects the network from MAC address attacks.
Figure 7-3 Limiting the number of MAC addresses on an insecure network
[Diagram labels: Internet, Switch, MAC-Limit, LSW1, LSW2, VLAN2]
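The static-entry precedence and MAC address limiting described above can be traced with a small model. This is an added Python example, not part of the original guide and not S9300 code: the `MacTable` class, its status strings, the forged `0e00-0000-xxxx` source addresses and the single-period aging rule are assumptions made for illustration, while the server MAC address and interface names follow the guide's own configuration example.

```python
"""Toy model of one VLAN's MAC address table (illustration only, not S9300 code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

STATIC, BLACKHOLE, DYNAMIC = "static", "blackhole", "dynamic"


@dataclass
class Entry:
    kind: str
    port: Optional[str]          # None for blackhole entries
    last_seen: float = 0.0


class MacTable:
    def __init__(self, aging_time: float = 300, mac_limit: Optional[int] = None,
                 limit_action: str = "discard"):
        self.aging_time = aging_time
        self.mac_limit = mac_limit          # None means no limiting rule
        self.limit_action = limit_action    # "discard" or "forward"
        self.entries: Dict[str, Entry] = {}
        self.alarms: List[str] = []         # stands in for traps sent to the NMS

    def add_static(self, mac: str, port: str) -> None:
        self.entries[mac] = Entry(STATIC, port)

    def add_blackhole(self, mac: str) -> None:
        self.entries[mac] = Entry(BLACKHOLE, None)

    def age(self, now: float) -> None:
        """Delete dynamic entries not refreshed within aging_time (simplified)."""
        expired = [m for m, e in self.entries.items()
                   if e.kind == DYNAMIC and now - e.last_seen > self.aging_time]
        for mac in expired:
            del self.entries[mac]

    def learn(self, src: str, port: str, now: float) -> str:
        """Process the source MAC of a frame received on `port`."""
        self.age(now)
        entry = self.entries.get(src)
        if entry is not None and entry.kind == BLACKHOLE:
            return "blackhole-drop"
        if entry is not None and entry.kind == STATIC:
            # Manually created entries take precedence and are never overwritten.
            return "static-ok" if entry.port == port else "static-conflict"
        if entry is not None:               # existing dynamic entry
            moved = entry.port != port
            entry.port, entry.last_seen = port, now
            return "moved" if moved else "refreshed"
        learned = sum(1 for e in self.entries.values() if e.kind == DYNAMIC)
        if self.mac_limit is not None and learned >= self.mac_limit:
            self.alarms.append(f"mac-limit reached, unknown source {src} on {port}")
            return "limit-" + self.limit_action
        self.entries[src] = Entry(DYNAMIC, port, now)
        return "learned"

    def lookup(self, dst: str) -> Optional[str]:
        """Outbound decision for a destination MAC address."""
        entry = self.entries.get(dst)
        if entry is None:
            return "flood"                  # unknown destination is broadcast
        return "drop" if entry.kind == BLACKHOLE else entry.port


SERVER = "0004-0004-0004"    # server MAC from the guide's example, on GE1/0/2


def spoof_scenario(bind_static: bool) -> Optional[str]:
    """Where does traffic for the server go after a forged frame on GE1/0/1?"""
    table = MacTable()
    if bind_static:
        table.add_static(SERVER, "GE1/0/2")
    else:
        table.learn(SERVER, "GE1/0/2", now=0)
    table.learn(SERVER, "GE1/0/1", now=1)   # constructed forged-source frame
    return table.lookup(SERVER)


def flood_scenario(limit: Optional[int], forged: int = 1000):
    """Table size and alarms after a flood, then the fate of a legitimate host."""
    table = MacTable(aging_time=300, mac_limit=limit)
    for i in range(forged):                 # constructed forged source MACs
        table.learn(f"0e00-0000-{i:04x}", "GE1/0/1", now=i * 0.001)
    size, alarms = len(table.entries), len(table.alarms)
    late_host = table.learn("0002-0002-0002", "GE1/0/1", now=2)
    after_aging = table.learn("0002-0002-0002", "GE1/0/1", now=400)
    return size, alarms, late_host, after_aging


if __name__ == "__main__":
    print("no static entry :", spoof_scenario(False))
    print("static entry    :", spoof_scenario(True))
    print("no limit        :", flood_scenario(None))
    print("mac-limit 100   :", flood_scenario(100))
```

With a limit of 100 the table stops growing, but a legitimate host that appears behind the same interface is refused until forged entries age out, which is the side effect the guide notes when it says the limiting rule also applies to trusted MAC addresses.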
Pre-configuration Tasks
Before limiting the number of learned MAC addresses, complete the following task:
• Deleting the existing MAC address entries from the interface, VLAN, slot, or VSI where
  you want to limit the number of learned MAC addresses
Data Preparation
To limit the number of learned MAC addresses, you need the following data.
No.
Data
Context
The MAC address limiting rule applies to all MAC addresses, including trusted MAC addresses.
If a user from an enterprise or a family uses bogus MAC addresses to attack the network, users
in the enterprise or family are not allowed to access the network, but other users on the network
are not affected.
Procedure
Step 1 Run:
system-view
The action to be taken on the packets with unknown source MAC addresses when the number
of learned MAC addresses reaches the limit is configured.
By default, packets with unknown source MAC addresses are discarded after the number of
learned MAC addresses reaches the limit.
Step 5 Run:
mac-limit alarm { disable | enable }
The S9300 is configured to (or not to) send a trap to the NMS when the number of learned MAC
addresses reaches the limit.
By default, the S9300 sends a trap to the NMS when the number of learned MAC addresses
reaches the limit.
----End
Context
The MAC address limiting rule applies to all MAC addresses, including trusted MAC addresses.
If a user from an enterprise or a family uses bogus MAC addresses to attack the network, users
in the enterprise or family are not allowed to access the network, but other users on the network
are not affected.
Procedure
Step 1 Run:
system-view
The action to be taken on the packets with unknown source MAC addresses when the number
of learned MAC addresses reaches the limit is configured.
By default, packets with unknown source MAC addresses are discarded after the number of
learned MAC addresses reaches the limit.
S-series boards do not support the discard action.
Step 5 Run:
mac-limit alarm { disable | enable }
The S9300 is configured to (or not to) send a trap to the NMS when the number of learned MAC
addresses reaches the limit.
By default, the S9300 sends a trap to the NMS when the number of learned MAC addresses
reaches the limit.
----End
Context
The MAC address limiting rule applies to all MAC addresses, including trusted MAC addresses.
If a user from an enterprise or a family uses bogus MAC addresses to attack the network, users
in the enterprise or family are not allowed to access the network, but other users on the network
are not affected.
NOTE
The X40SFC board does not support MAC address limiting in VSIs.
Procedure
Step 1 Run:
system-view
The action to be taken on the packets with unknown source MAC addresses when the number
of learned MAC addresses reaches the limit is configured.
By default, packets with unknown source MAC addresses are discarded after the number of
learned MAC addresses reaches the limit.
Step 5 Run:
mac-limit alarm { disable | enable }
The S9300 is configured to (or not to) send a trap to the NMS when the number of learned MAC
addresses reaches the limit.
By default, the S9300 sends a trap to the NMS when the number of learned MAC addresses
reaches the limit.
----End
Context
If no action is specified, the S9300 discards packets with unknown source MAC addresses and
sends a trap to the NMS when the number of learned MAC addresses reaches the limit.
Procedure
Step 1 Run:
system-view
The action to be taken on the packets with unknown source MAC addresses when the number
of learned MAC addresses reaches the limit is configured.
By default, packets with unknown source MAC addresses are discarded after the number of
learned MAC addresses reaches the limit.
Step 4 Run:
mac-limit slot slot-id alarm { disable | enable }
The S9300 is configured to (or not to) send a trap to the NMS when the number of learned MAC
addresses reaches the limit.
By default, the S9300 sends a trap to the NMS when the number of learned MAC addresses
reaches the limit.
----End
Procedure
Step 1 Run the display mac-limit [ interface-type interface-number | vlan vlan-id | vsi vsi-name |
slot slot-id ] command to view the MAC address limiting rule.
----End
Applicable Environment
If a network requires high access security, you can configure port security on specified interfaces.
MAC addresses learned by these interfaces change to secure dynamic MAC addresses or sticky
MAC addresses. When the number of learned MAC addresses reaches the limit, the interface
does not learn new MAC addresses and allows only the devices with the learned MAC addresses
to communicate with the S9300. This prevents devices with untrusted MAC addresses from
accessing these interfaces, improving security of the S9300 and the network.
Pre-configuration Tasks
Before configuring port security on an interface, complete the following tasks:
Data Preparation
To configure port security on an interface, you need the following data.
No.
Data
Secure dynamic MAC: interface type and number, limit on the number of learned
MAC addresses, action to perform when the limit is exceeded
Sticky MAC: interface type and number, limit on the number of learned MAC
addresses, and action to perform when the limit is exceeded
Context
By default, secure dynamic MAC addresses will not be aged out. Secure dynamic MAC
addresses will be lost after the device restarts and the device needs to learn the MAC addresses
again.
Procedure
Step 1 Run:
system-view
You can set the limit on the number of secure dynamic MAC addresses and protection action only when
port security is enabled.
• shutdown: shuts down the interface when the number of learned MAC addresses exceeds
  the limit.
----End
Context
The sticky MAC function changes MAC addresses learned by an interface to sticky MAC
addresses. Sticky MAC addresses will not be aged out and will exist after the S9300 restarts.
Procedure
Step 1 Run:
system-view
• protect: discards packets with new source MAC addresses when the number of learned MAC
  addresses reaches the limit.
• restrict: discards packets with new source MAC addresses and sends a trap message when
  the number of learned MAC addresses exceeds the limit.
• shutdown: shuts down the interface when the number of learned MAC addresses exceeds
  the limit.
Step 7 (Optional) Run:
port-security mac-address sticky mac-address vlan vlan-id
Procedure
----End
Applicable Environment
As shown in Figure 7-4, an interface of the Switch is connected to a server. To prevent
unauthorized users from using the server MAC address to intercept data of the server, you can
set a high MAC address learning priority on the interface. When the same MAC address is
learned by the server-side interface and other interfaces, the entry learned by the server-side
interface overrides the MAC address entries learned by other interfaces. Therefore, the Switch
will not learn MAC addresses of unauthorized users and only authorized users can access the
server and use network resources.
[Figure 7-4. Diagram labels: MAC:11-22-33, Switch]
Pre-configuration Tasks
None.
Data Preparation
To configure MAC address anti-flapping, you need the following data.
No.
Data
Context
Setting different MAC address learning priorities for interfaces prevents MAC address flapping.
If an attacker uses the MAC address of an unauthorized network device to connect to the
S9300 after the network device is powered off, the S9300 learns the bogus MAC address. After
the network device is powered on, the S9300 can learn the correct MAC address entry.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Context
When MAC address flapping between interfaces with the same priority is prohibited, these
interfaces cannot learn the same MAC addresses simultaneously. If an attacker uses the MAC
address of an unauthorized network device to connect to the S9300 after the network device is
powered off, the S9300 learns the bogus MAC address. After the network device is powered on,
the S9300 cannot learn the correct MAC address entry.
Procedure
Step 1 Run:
system-view
MAC address flapping between the interfaces with a specified priority is prohibited.
By default, MAC address flapping between interfaces with the same priority is allowed.
----End
Applicable Environment
As shown in Figure 7-5, a loop occurs on the network, which will cause MAC address flapping.
After MAC address flapping detection is configured in a VLAN, the Switch checks all MAC
addresses in the VLAN to detect MAC address flapping.
The Switch checks whether a MAC address moves from one interface to another in the VLAN.
If MAC address flapping occurs, it performs the configured action, for example, blocks the
interface to remove the loop. This function reduces MAC address flapping caused by loops and
broadcast storms. You can also configure the Switch only to send trap messages to the network
management system when the S9300 detects MAC address flapping.
Figure 7-5 Networking diagram for MAC address flapping detection
[Diagram label: Switch]
Pre-configuration Tasks
None.
Data Preparation
To configure MAC flapping detection, you need the following data.
No.
Data
Blocking time for the interface where MAC address flapping occurs
Procedure
Step 1 Run:
system-view
Context
After MAC address flapping detection is configured in a VLAN, the system checks all MAC
addresses in the VLAN to detect MAC address flapping. If MAC address flapping occurs on an
interface, the system blocks the interface. After a specified period of time, the system unblocks
the interface. If no MAC address flapping is detected within 20 seconds, the system completely
unblocks the interface and starts detection. If MAC address flapping is detected again within 20
seconds, the system blocks the interface. This process repeats for a specified number of times.
If MAC address flapping persists, the interface is permanently blocked.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run the display loop-detect eth-loop [ vlan vlan-id ] command to check information about
MAC address flapping detection on a VLAN.
----End
Applicable Environment
A faulty network device may send packets with an all-0 source or destination MAC address to
the S9300. You can configure the S9300 to discard such packets and send a trap to the network
management system (NMS). You can locate the faulty device according to the trap message.
Pre-configuration Tasks
Data Preparation
None.
Procedure
Step 1 Run:
system-view
The S9300 is configured to send a trap to the NMS when receiving packets with an all-0 MAC
address.
By default, the S9300 does not send a trap to the NMS when receiving packets with an all-0
MAC address.
NOTE
The S9300 sends only one trap after receiving packets with an all-0 MAC address. To enable the S9300 to
send a trap again, run the drop illegal-mac alarm command.
----End
Applicable Environment
Each network device uses an IP address to communicate with other devices. On an Ethernet
network, a device sends and receives Ethernet data frames based on MAC addresses. The ARP
protocol maps IP addresses to MAC addresses. When a device communicates with a device on
a different network segment, it finds the MAC address and outbound interface of a packet
according to the corresponding ARP entry.
If a user host moves from one interface to another, the MAC address of the host is learned by
the new interface, so the outbound interface mapped to the MAC address changes. The
corresponding ARP entry, however, is not updated until its aging time expires. Before the ARP
entry aging time expires, the device sends data frames based on the original ARP entry. This
causes data frame loss. The MAC address triggered ARP entry update function enables the
S9300 to update the corresponding ARP entry when the outbound interface in a MAC address
entry changes.
Pre-configuration Tasks
None.
Data Preparation
None.
Procedure
Step 1 Run:
system-view
• This command takes effect only for dynamic ARP entries. Static ARP entries are not updated when
  the corresponding MAC address entries change.
• The mac-address update arp command does not take effect after ARP anti-spoofing is enabled by
  using the arp anti-attack entry-check enable command.
• After the mac-address update arp command is run, the S9300 updates an ARP entry only if the
  outbound interface in the corresponding MAC address entry changes.
----End
Applicable Environment
By default, an interface does not forward frames whose source and destination MAC addresses
are both learned by this interface. When the interface receives such a frame, it discards the frame
as an invalid frame. After the port bridge function is enabled on the interface, the interface
forwards such a frame if the destination MAC address of the frame is in the MAC address table.
The port bridge function is used in the following scenarios:
• The S9300 connects to a device that does not support Layer 2 forwarding. When users
  connected to this device communicate with each other, user packets are sent to the S9300
  and forwarded by the S9300. In this scenario, the port bridge function must be enabled.
• The S9300 is used as an access switch in a data center and is connected to servers. Each
  server is configured with multiple virtual machines. The virtual machines need to transmit
  data to each other. To improve the data transmission rate and server performance, enable
  the port bridge functions on the interfaces connected to the servers so that the S9300
  forwards data packets between the virtual machines.
Data Preparation
No.
Data
Procedure
Step 1 Run:
system-view
through the LSW. The LSW is connected to GE 1/0/1 of the Switch. Interface GE 1/0/1 belongs
to VLAN 2. The MAC address of the server is 0004-0004-0004. The server is connected to GE
1/0/2 of the Switch. Interface GE 1/0/2 belongs to VLAN 2.
• To prevent hackers from attacking the network with MAC addresses, you need to add a
  static entry to the MAC table of the Switch for each user host. When sending packets
  through GE 1/0/1, the Switch changes the VLAN ID to VLAN 4 to which the LSW belongs.
  In addition, you need to set the aging time of the dynamic entries in the MAC address table
  to 500 seconds.
• To prevent hackers from forging the MAC address of the server and stealing user
  information, you can configure the packet forwarding based on static MAC address entries
  on the Switch.
Figure 7-6 Networking diagram for configuring the MAC address table
[Diagram labels: Server, Network, Switch, GE1/0/1, LSW, PC1, PC2, VLAN4]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
• VLAN ID to which the Switch changes packets sent through the outgoing interface: VLAN 4
• Aging time of dynamic entries in the MAC address table of the Switch: 500 seconds
Procedure
Step 1 Add static MAC address entries.
# Create VLAN 2; add GE 1/0/1 and GE 1/0/2 to VLAN 2; configure VLAN mapping on GE 1/0/1.
<Quidway> system-view
[Quidway] vlan 2
[Quidway-vlan2] quit
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port hybrid pvid vlan 2
[Quidway-GigabitEthernet1/0/1] port hybrid untagged vlan 2
[Quidway-GigabitEthernet1/0/1] port vlan-mapping vlan 4 map-vlan 2
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface gigabitethernet 1/0/2
[Quidway-GigabitEthernet1/0/2] port hybrid pvid vlan 2
[Quidway-GigabitEthernet1/0/2] port hybrid untagged vlan 2
[Quidway-GigabitEthernet1/0/2] quit
# Run the display mac-address aging-time command in any view. You can check whether the
aging time of dynamic entries is set successfully.
[Quidway] display mac-address aging-time
Aging time: 500 seconds
----End
Configuration Files
The following lists the configuration file of the Switch.
#
sysname Quidway
#
vlan batch 2
#
mac-address aging-time 500
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 2
port hybrid untagged vlan 2
port vlan-mapping vlan 4 map-vlan 2
#
interface GigabitEthernet1/0/2
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
mac-address static 0002-0002-0002 GigabitEthernet1/0/1 vlan 2
mac-address static 0003-0003-0003 GigabitEthernet1/0/1 vlan 2
mac-address static 0004-0004-0004 GigabitEthernet1/0/2 vlan 2
#
return
[Figure: networking diagram. Labels: Network, Switch, GE1/0/1, GE2/0/1, LSW, LSW, VLAN 2, User network 1, User network 2]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the limitation on MAC address learning.
# Add GE 1/0/1 and GE 2/0/1 to VLAN 2.
<Quidway> system-view
[Quidway] vlan 2
[Quidway-vlan2] quit
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port hybrid pvid vlan 2
[Quidway-GigabitEthernet1/0/1] port hybrid untagged vlan 2
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface gigabitethernet 2/0/1
[Quidway-GigabitEthernet2/0/1] port hybrid pvid vlan 2
[Quidway-GigabitEthernet2/0/1] port hybrid untagged vlan 2
[Quidway-GigabitEthernet2/0/1] quit
# Configure the rule of limiting MAC address learning in VLAN 2: A maximum of 100 MAC
addresses can be learned; packets are still forwarded and an alarm is generated when the number
of learned MAC addresses reaches the limit, but new MAC addresses are not added to the MAC
address table.
[Quidway] vlan 2
[Quidway-vlan2] mac-limit maximum 100 action forward alarm enable
[Quidway-vlan2] quit
----End
Configuration Files
The following lists the configuration file of the Switch.
#
sysname Quidway
#
vlan batch 2
#
vlan 2
mac-limit maximum 100 action forward
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
interface GigabitEthernet2/0/1
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
return
[Figure: networking diagram. Labels: VSI: huawei, Simulated VLAN, User network 1, User network 2]
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create a VSI.
2.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Create a VSI.
# Create a VSI named huawei.
<Quidway> system-view
[Quidway] vsi huawei static
----End
Configuration Files
The following lists the configuration file of the Switch.
#
sysname Quidway
#
vsi huawei static
mac-limit maximum 300
#
return
[Figure: networking diagram. Labels: Internet, Switch, GE1/0/1, VLAN 10, SwitchA, PC1, PC2, PC3]
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create a VLAN and set the link type of the interface to trunk.
2.
3.
4.
5.
Set the maximum number of MAC addresses that can be learned by the interface.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Create a VLAN and set the link type of the interface to trunk.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port link-type trunk
[Quidway-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
# Set the maximum number of MAC addresses that can be learned by the interface.
[Quidway-GigabitEthernet1/0/1] port-security max-mac-num 4
To enable the interface security function on other interfaces, repeat the preceding steps.
Step 3 Verify the configuration.
If PC1 is replaced by another PC, this PC cannot access the intranet of the company.
----End
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
port-security enable
port-security protect-action protect
port-security mac-address sticky
port-security max-mac-num 4
#
return
Networking Requirements
As shown in Figure 7-10, employees of an enterprise need to access the server connected to a
Switch interface. If an attacker sends packets to another interface using the server MAC address
as the source MAC address, the server MAC address is learned on that interface. Employees then
cannot access the server, and important data will be intercepted by the attacker.
MAC address anti-flapping can be configured to protect the server from such attacks.
[Figure 7-10: networking diagram. Labels: VLAN 10, Switch, GE1/0/2, PC4, MAC:11-22-33, LSW, PC1, PC2, PC3]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Data Preparation
To complete the configuration, you need the following data:
- VLAN that the server-side and user-side interfaces belong to: VLAN 10
Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.
# Add GigabitEthernet1/0/1 and GigabitEthernet1/0/2 to VLAN 10.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 1/0/2
[Quidway-GigabitEthernet1/0/2] port link-type trunk
[Quidway-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
[Quidway-GigabitEthernet1/0/2] quit
----End
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
mac-learning priority 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
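The three MAC learning controls configured in this chapter (the VLAN mac-limit, sticky port security with max-mac-num, and mac-learning priority for anti-flapping) can be compared side by side in a small model. The following Python sketch is an added example, not Huawei code: the class and function names are hypothetical, the MAC addresses are constructed, and the default learning priority of 0 and the frame drop under the protect action are assumptions.

```python
"""Toy MAC-table model of the learning controls configured in this chapter (added example)."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    vlan: int
    learn_priority: int = 0      # mac-learning priority N; default 0 is an assumption
    max_sticky: int = 0          # >0 models port-security sticky with max-mac-num N
    sticky: set = field(default_factory=set)


class MacTable:
    def __init__(self, vlan_limits=None):
        self.ports = {}
        self.entries = {}                      # (vlan, mac) -> port name
        self.vlan_limits = vlan_limits or {}   # vlan -> mac-limit maximum N
        self.alarms = []

    def add_port(self, port):
        self.ports[port.name] = port

    def learn(self, port_name, src_mac):
        """Process the source MAC of one received frame; return the learning outcome."""
        port = self.ports[port_name]
        mac = src_mac.lower()
        key = (port.vlan, mac)

        if port.max_sticky:                    # port security decides first
            if mac in port.sticky:
                return "known"
            if len(port.sticky) >= port.max_sticky:
                return "discard"               # assumption: protect drops the frame
            port.sticky.add(mac)
            self.entries[key] = port.name
            return "learned"

        owner = self.entries.get(key)
        if owner == port.name:
            return "known"
        if owner is not None:                  # same MAC now seen on another port
            if self.ports[owner].learn_priority > port.learn_priority:
                self.alarms.append(f"{mac}: move to {port.name} refused, stays on {owner}")
                return "refused"
            self.entries[key] = port.name
            return "moved"

        limit = self.vlan_limits.get(port.vlan)
        learned = sum(1 for vlan, _ in self.entries if vlan == port.vlan)
        if limit is not None and learned >= limit:
            self.alarms.append(f"VLAN {port.vlan}: mac-limit {limit} reached")
            return "not-learned"               # action forward: frame is still forwarded
        self.entries[key] = port.name
        return "learned"


SERVER = "00e0-fc00-0001"                      # constructed server MAC


def anti_flapping(server_priority):
    """Server on GE1/0/1; a frame carrying the server MAC then arrives on GE1/0/2."""
    table = MacTable()
    table.add_port(Port("GE1/0/1", 10, learn_priority=server_priority))
    table.add_port(Port("GE1/0/2", 10))
    table.learn("GE1/0/1", SERVER)
    outcome = table.learn("GE1/0/2", SERVER)
    return outcome, table.entries[(10, SERVER)]


def port_security():
    """Five different source MACs on a port limited to four sticky addresses."""
    table = MacTable()
    table.add_port(Port("GE1/0/1", 10, max_sticky=4))
    return [table.learn("GE1/0/1", f"0000-0000-{i:04x}") for i in range(1, 6)]


def vlan_limit():
    """101 source MACs in VLAN 2 with mac-limit maximum 100 action forward alarm enable."""
    table = MacTable(vlan_limits={2: 100})
    table.add_port(Port("GE1/0/1", 2))
    results = [table.learn("GE1/0/1", f"0000-0001-{i:04x}") for i in range(1, 102)]
    return results[-1], len(table.entries), len(table.alarms)


if __name__ == "__main__":
    print(anti_flapping(2), anti_flapping(0))
    print(port_security())
    print(vlan_limit())
```

With priority 2 on the server-side interface the entry stays on GE1/0/1; with equal priorities the same frame moves the entry to GE1/0/2, which is the condition the anti-flapping configuration removes.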
8 STP/RSTP Configuration
Introduction
On a complex network, loops are inevitable. To provide redundancy, network designers tend to
deploy multiple physical links between two devices, one of which is the master and the others
are the backup. Loops are likely or bound to occur in such a situation.
Loops cause broadcast storms, which exhaust network resources and paralyze the network. Loops
also cause flapping of MAC address tables and thus damage MAC address entries.
The devices running STP discover loops on the network by exchanging information with each
other and trim the ring topology into a loop-free tree topology by blocking a certain interface.
In this manner, replication and circular propagation of packets are prevented on the network. In
addition, devices are spared the performance degradation caused by continuously processing
repeated packets.
STP, however, converges the network topology slowly. In 2001, the IEEE published document
802.1w to introduce an evolution of the Spanning Tree Protocol: Rapid Spanning Tree Protocol
(RSTP). RSTP is developed based on STP but outperforms STP.
Concepts
- Root bridge
A tree topology must have a root. Therefore, the root bridge is introduced by STP/RSTP.
There is only one root bridge on the entire STP/RSTP-capable network. The root bridge is
the logical center but is not necessarily the physical center of the entire network. When the
network topology changes, another switching device may take over as the root bridge.
ID
There are Bridge IDs (BIDs) and port IDs (PIDs).
BID
IEEE 802.1D defines that a BID is composed of a 2-bit bridge priority and a bridge
MAC address. That is, BID (8 bits) = Bridge priority (2 bits) + Bridge MAC address (6
bits).
On the STP-capable network, the device with the smallest BID is selected as the root
bridge. The bridge priority that is allowed to be configured on a Huawei device ranges
from 0 to 61440. By default, the bridge priority is 32768.
PID
A 16-bit PID is composed of a 4-bit port priority and a 12-bit port number.
The PID is used when the designated port needs to be selected. That is, when the root
path costs and the sender BIDs of two ports are the same, the port with a smaller PID
is selected as the designated port. As shown in Figure 8-1, the root path costs and sender
BIDs of port A and port B on S2 are the same. Port A has a smaller PID, and is thus
selected as the designated port on the local segment. The port priority that can be
configured on a Huawei device ranges from 0 to 240, with the step 16. That is, the port
priority can be 0, 16, or 32. By default, the port priority is 128.
- Path cost
A path cost is port-specific, which is used by STP/RSTP as a reference to select a link.
STP/RSTP calculates the path cost to select the robust link and blocks redundant links to
trim the network into a loop-free tree topology.
On an STP/RSTP-capable network, the accumulative cost of the path from a certain port
to the root bridge is the sum of the costs of the segment paths into which the path is separated
by the ports on the transit bridges.
Port roles
STP-capable port
Root port
The root port is the port that is nearest to the root bridge. The root port is determined
based on the path cost. Among all the ports where STP is enabled on the network
bridge, the port with the smallest root path cost is the root port. There is only one
root port on an STP-capable device, but there is no root port on the root bridge.
Designated Port
The designated port on a switching device forwards bridge protocol data units
(BPDUs) to the downstream switching device. All ports on the root bridge are
designated ports. A designated port is selected on each network segment. The device
where the designated port resides is called the designated bridge on the network
segment.
RSTP-capable port
Compared with STP, RSTP has two additional types of ports, namely, the alternate port
and backup port. More port roles are defined to make STP easier to understand and deploy.
[Figure 8-1. Labels: S1, Root bridge, S2, S3, ports A, B, b; legend: Root port, Designated port, Alternate port, Backup port]
As shown in Figure 8-1, RSTP defines four port roles: root port, designated port,
alternate port, and backup port.
The functions of the root port and designated port are the same as those defined in STP.
The description of the alternate port and backup port is as follows:
From the perspective of configuration BPDU transmission:
The alternate port is blocked after learning the configuration BPDUs sent by
other bridges.
The backup port is blocked after learning the configuration BPDUs sent by itself.
From the perspective of user traffic:
The alternate port backs up the root port and provides an alternate path from the
designated bridge to the root bridge.
The backup port backs up the designated port and provides an alternate path from
the root node to the leaf node.
After all ports are assigned roles, topology convergence is completed.
Port status
STP port state
Table 8-1 shows the port status of an STP-capable port.
Table 8-1 STP port state
Port state | Purpose | Description
Forwarding
Learning
Listening
Blocking
Disabled
Description
Forwarding
Learning
Discarding
CAUTION
A Huawei datacom device is in MSTP mode by default. After a device is switched from the
MSTP mode to the STP mode, an STP-capable port supports the same port states as those
supported by an MSTP-capable port, including the Forwarding, Learning, and Discarding
states. For details, see Table 8-2.
- Three timers
Hello Timer
Sets the interval at which BPDUs are sent.
Forward Delay Timer
Sets the time spent in the Listening and Learning states.
Max Age
Sets the maximum lifetime of a BPDU on the network. When the Max Age time expires,
the connection to the root bridge fails.
Spanning Tree Protocol | Characteristics | Applicable Environment | Precautions

STP
Characteristics: A loop-free tree is generated. Thus, broadcast storms are prevented and
redundancy is implemented.
Applicable Environment: Irrespective of different users or services, all VLANs share one
spanning tree.
Precautions:
NOTE
- If the current switching device supports STP and RSTP, RSTP is recommended.
- If the current switching device supports STP or RSTP, and MSTP, MSTP is recommended. See
MSTP Configuration.

RSTP
Characteristics:
- A loop-free tree is generated. Thus, broadcast storms are prevented and redundancy is
implemented.
- A feedback mechanism is provided to confirm topology convergence. Thus, rapid convergence
is implemented.

MSTP
Characteristics:
- In an MSTP region, a loop-free tree is generated. Thus, broadcast storms are prevented and
redundancy is implemented.
- A feedback mechanism is provided to confirm topology convergence. Thus, rapid convergence
is implemented.
Applicable Environment: User or service-specific load balancing is required. Traffic for
different VLANs is forwarded through different spanning trees, which are independent of each
other.
Precautions
- MSTP implements load balancing among VLANs. Traffic in different VLANs is transmitted
along different paths.
1. Select a switching device (functioning as a root bridge) from switching devices for each
spanning tree. You can configure the priorities of the switching devices to preferentially
select a root bridge.
2. In each spanning tree, calculate the shortest paths from the other switching devices to the
root bridge, and select a root port for each non-root switching device. You can configure
the cost of the path from a switching device to the root bridge to preferentially select a root
port.
3. In each spanning tree, select a designated port for each connection according to the bridge
ID, the path cost, and the port IDs. If the devices have the same bridge ID and path cost,
you can configure the port priorities to preferentially select a designated port.
STP/RSTP also supports the following features to meet requirements of special applications and
extended functions:
l
Protection Function | Scenario | Configuration Impact

BPDU protection

TC protection
TC protection is used to suppress TC-BPDUs. The number of times that TC-BPDUs are processed
by a switching device within a given time period is configurable. If the number of TC-BPDUs
that the switching device receives within a given time exceeds the specified threshold, the
switching device handles TC-BPDUs only for the specified number of times. Excess TC-BPDUs
are processed by the switching device together, once, after the timer (that is, the specified
time period) expires. This protects the switching device from frequently deleting MAC entries
and ARP entries, thus avoiding overburden.

Root protection
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive
BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to
serve as the root bridge, and the network topology is illegitimately changed, triggering
spanning tree recalculation. This may transfer traffic from high-speed links to low-speed
links, causing traffic congestion.

Loop protection
Setting a priority for a switching device: The lower the numerical value, the higher the
priority of the switching device and the more likely the switching device becomes a root
bridge; the higher the numerical value, the lower the priority of the switching device and
the less likely that the switching device becomes a root bridge.
Setting a path cost for a port: With the same calculation method, the lower the numerical
value, the smaller the cost of the path from the port to the root bridge and the more likely
the port becomes a root port; the higher the numerical value, the larger the cost of the path
from the port to the root bridge and the less likely that the port becomes a root port.
Setting a priority for a port: The lower the numerical value, the more likely the port becomes
a designated port; the higher the numerical value, the less likely that the port becomes a
designated port.
Applicable Environment
On a complex network, loops are inevitable. With the requirement for network redundancy
backup, network designers tend to deploy multiple physical links between two devices, one of
which is the master and the others are the backup. Loops are likely or bound to occur in such a
situation.
Loops cause broadcast storms, which exhaust network resources and paralyze the network. Loops
also cause flapping of MAC address tables and thus damage MAC address entries.
STP/RSTP can be deployed on a network to eliminate loops. If a loop is detected, STP/RSTP
blocks one port to eliminate the loop.
As shown in Figure 8-2, Switch A, Switch B, Switch C, and Switch D form a ring network, and
STP/RSTP is enabled on the ring network to eliminate loops.
Figure 8-2 Diagram of a ring network
[Figure labels: Network, Root Bridge, SwitchA, SwitchB, SwitchC, SwitchD, PC1, PC2; legend: Blocked port]
NOTE
If the current switching device supports STP and RSTP, RSTP is recommended.
Pre-configuration Tasks
Before configuring basic STP/RSTP functions, complete the following task:
- Connecting interfaces and setting physical parameters for the interfaces to ensure that the
physical status of the interfaces is Up
Data Preparation
To configure basic STP/RSTP functions, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
Context
On an STP/RSTP-capable network, there is only one root bridge and it is the logical center of
the entire spanning tree. A switching device with high performance and a high position in the
network hierarchy is generally selected as the root bridge; however, the priority of such a
device may not be high enough. Therefore, set a high priority for the switching device so that
it can function as the root bridge.
Devices with low performance and a low position in the network hierarchy are not suitable as
a root bridge. Therefore, set low priorities for these devices.
CAUTION
If an S9300 is configured as the root switch or secondary root switch, the priority of the
S9300 cannot be set. If you want to set the priority of the S9300, you must disable the root switch
or secondary root switch.
Procedure
Step 1 Run:
system-view
priority
- To configure a switching device as a primary root bridge, you can run the stp root primary command
directly. The priority value of this switching device is 0.
- To configure a switching device as a secondary root bridge, run the stp root secondary command. The
priority value of this switching device is 4096.
A switching device cannot act as a primary root bridge and a secondary root bridge at the same time.
----End
Context
A path cost is port-specific, which is used by STP/RSTP as a reference to select a link.
The range of the path cost value is determined by the calculation method. After the calculation
method is determined, you are recommended to set a relatively small path cost value for the port
at a high link rate.
Use the Huawei proprietary calculation method as an example. Different link rates correspond
to default path cost values of ports. For details, see Table 8-5.
Table 8-5 Mappings between link rates and path cost values
Link Rate | Recommended Value | Recommended Value Range | Value Range
10 Mbit/s | 2000 | 200-20000 | 1-200000
100 Mbit/s | 200 | 20-2000 | 1-200000
1 Gbit/s | 20 | 2-200 | 1-200000
10 Gbit/s | | 2-20 | 1-200000
Over 10 Gbit/s | | 1-2 | 1-200000
On a network where loops occur, you are recommended to set a relatively large path cost for the
port at a low link rate. STP/RSTP puts the port with the large path cost in the Blocking state and
blocks the link where this port resides.
Procedure
Step 1 Run:
system-view
Context
Whether a port on a switching device will be selected as a designated port is determined by its
priority. For details, see 8.1.1 STP/RSTP Overview.
If you want to block a port on a switching device to eliminate loops, set the port priority
value to be larger than the default value when the devices have the same bridge ID and path
cost. This port will be blocked in designated port selection.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Context
After STP/RSTP is enabled on a ring network, STP/RSTP immediately calculates spanning trees
on the network. Configurations on the switching device, such as the switching device priority
and port priority, will affect spanning tree calculation. Any change of the configurations may
cause network flapping. Therefore, to ensure rapid and stable spanning tree calculation, perform
basic configurations on the switching device and its ports and enable STP/RSTP.
Procedure
Step 1 Run:
system-view
Prerequisite
All configurations of basic STP/RSTP functions are complete.
Procedure
l
----End
Parameter | Parameter Description | Commands | Description
System parameter | Network diameter, timer value (Hello Time, Forward Delay period, Max Age time), and timeout period for waiting for BPDUs from the upstream (3 x hello time x time factor) | stp bridge-diameter diameter |
Port parameter | Link type of a port | |
Port parameter | Port transition to the RSTP mode | stp mcheck | On a switching device running RSTP, if an interface is connected to a device running STP, the interface automatically transitions to the STP mode. Enabling MCheck on the interface is required when the interface fails to automatically transition to the RSTP mode.
Port parameter | Maximum number of BPDUs sent by the interface within each Hello time | |
Port parameter | Edge ports | error-down auto-recovery cause cause-item interval interval-value |
Applicable Environment
On some specific networks, RSTP parameters will affect the speed of network convergence.
Configuring proper RSTP parameters is required.
NOTE
The default configurations of the parameters described in this section help implement RSTP rapid
convergence. Therefore, the configuration process and all involved procedures described in this section
are optional. You can perform some of the configurations as required.
Pre-configuration Tasks
Before configuring STP/RSTP parameters, complete the following task:
l
Data Preparation
To configure STP/RSTP parameters, you need the following data.
No.
Data
Network diameter
Hello time, forwarding delay time, maximum aging time, and timeout period for
waiting for BPDUs from the upstream (3 x hello time x time factor)
Whether auto recovery needs to be configured for an edge port being shut down
10
Procedure
Step 1 Run:
system-view
The timeout period for waiting for BPDUs from the upstream of a switching device is set.
By default, the timeout period of a switching device is 9 times as long as the Hello time.
Step 4 (Optional) To set the Forward Delay period, Hello time, and Max Age period, perform the
following operations:
- Run the stp timer forward-delay forward-delay command to set the Forward Delay period
for a switching device.
The values of the Hello time, Forward Delay period, and Max Age period must comply with the following
formulas. Otherwise, network flapping occurs.
- 2 x (Forward Delay - 1.0 second) >= Max Age
- Max Age >= 2 x (Hello Time + 1.0 second)
----End
Procedure
Step 1 Run:
system-view
MCheck is enabled.
On a switching device running RSTP, if a port is connected to a device running STP, the port
automatically transitions to the STP interoperable mode.
Enabling MCheck on the port is required because the port may fail to automatically transition
to the RSTP mode in the following situations:
If you run the stp mcheck command in the system view, the MCheck operation is performed on all the
interfaces.
Step 5 Run:
stp transmit-limit packet-number
The maximum number of BPDUs sent by a port within each Hello time is set.
By default, the maximum number of BPDUs that a port sends within each Hello time is 147.
Step 6 (Optional) Run:
stp edged-port enable
The auto recovery function on an edge port is configured. That is, enable the port in the
error-down state to automatically go Up, and set the delay for the transition from Down to Up.
There is no default value for the recovery time. Therefore, you must specify a delay when
configuring this command.
----End
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths to associated VLANs are
changed. Then, ARP entries corresponding to those VLANs on the switching device need to be
updated. STP/RSTP processes ARP entries in either fast or normal mode.
l
You can run the stp converge { fast | normal } command in the system view to configure the
STP/RSTP convergence mode.
By default, the STP/RSTP convergence is configured as normal.
NOTE
The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted,
causing the CPU usage on the MPU or LPU to reach 100%. As a result, network flapping frequently occurs.
Prerequisite
The parameters that affect the topology convergence have been configured.
Procedure
l
----End
Applicable Environment
RSTP provides the following protection functions, as listed in Table 8-7.
Table 8-7 RSTP Protection Function
Protection Function | Scenario | Configuration Impact

BPDU protection

TC protection

Root protection
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive
BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to
serve as the root bridge, and the network topology is illegitimately changed, triggering
spanning tree recalculation. This may transfer traffic from high-speed links to low-speed
links, causing traffic congestion.

Loop protection
Pre-configuration Tasks
Before configuring basic RSTP functions, complete the following task:
Configuring an edge port on the switching device before configuring BPDU protection.
Data Preparation
To configure basic RSTP functions, you need the following data.
No.
Data
Context
Edge ports are directly connected to user terminals and normally do not receive BPDUs. Some
attackers may send pseudo BPDUs to attack the switching device. If the edge ports receive the
BPDUs, the switching device automatically configures the edge ports as non-edge ports and
triggers new spanning tree calculation. Network flapping then occurs. BPDU protection can be
used to protect switching devices against such malicious attacks.
NOTE
Procedure
Step 1 Run:
system-view
Follow-up Procedure
To allow an edge port to automatically start after being shut down, you can run the error-down
auto-recovery cause cause-item interval interval-value command to configure the auto
recovery function and set the delay on the port. After the delay expires, the port automatically
goes Up. interval interval-value ranges from 30 to 86400, in seconds. Note the following when
setting this parameter:
The smaller the interval-value is set, the sooner the edge port becomes Up, and the more
frequently the edge port alternates between Up and Down.
The larger the interval-value is set, the later the edge port becomes Up, and the longer the
service interruption lasts.
Context
An attacker may send pseudo TC BPDUs to attack switching devices. Switching devices receive
a large number of TC BPDUs in a short time and delete entries frequently, which burdens system
processing and degrades network stability.
TC protection is used to suppress TC BPDUs. The number of times that TC BPDUs are processed
by a switching device within a given time period is configurable. If the number of TC BPDUs
that the switching device receives within a given time exceeds the specified threshold, the
switching device handles TC BPDUs only for the specified number of times. Excess TC BPDUs
are processed by the switching device together, once, after the specified time period expires.
This protects the switching device from frequently deleting MAC entries and ARP entries, thus
avoiding overburden.
Procedure
Step 1 Run:
system-view
The threshold of the number of times the switching device handles the received TC BPDUs and
updates forwarding entries within a given time is set.
NOTE
The value of the given time is consistent with the RSTP Hello time set by using the stp timer hello
hello-time command.
----End
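The effect of the TC protection threshold described above can be worked through on a burst of TC BPDUs. The following Python function is an added example, not Huawei code: the function names, the 2000 ms Hello time, the threshold of 3 and the arrival times are constructed, and it assumes fixed windows aligned to multiples of the Hello time.

```python
"""Count MAC/ARP flushes with and without TC protection (added example)."""


def flush_times(tc_arrivals_ms, hello_ms=2000, threshold=None):
    """Return the times (ms) at which forwarding entries are flushed.

    tc_arrivals_ms: arrival times of TC BPDUs in milliseconds.
    threshold=None models a device without TC protection: every TC BPDU
    triggers a flush. Otherwise at most `threshold` TC BPDUs are handled
    per window of one Hello time, and all excess ones in that window are
    handled together, once, when the window expires.
    """
    arrivals = sorted(tc_arrivals_ms)
    if threshold is None:
        return arrivals

    windows = {}                                   # window index -> arrivals in it
    for t in arrivals:
        windows.setdefault(t // hello_ms, []).append(t)

    flushes = []
    for index in sorted(windows):
        in_window = windows[index]
        flushes.extend(in_window[:threshold])      # handled immediately
        if len(in_window) > threshold:
            flushes.append((index + 1) * hello_ms) # excess handled once on expiry
    return flushes


def burst_case():
    """50 TC BPDUs within one second (constructed input)."""
    burst = list(range(0, 1000, 20))
    return flush_times(burst), flush_times(burst, threshold=3)


def sparse_case():
    """Three legitimate topology changes several seconds apart (constructed input)."""
    changes = [0, 5000, 9000]
    return flush_times(changes), flush_times(changes, threshold=3)


if __name__ == "__main__":
    unprotected, protected = burst_case()
    print(len(unprotected), "flushes without TC protection")
    print(protected, "flush times with threshold 3")
```

The burst costs 50 flushes without protection and 4 with it, while the sparse, legitimate changes are handled identically in both cases.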
Context
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive
BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve
as the root bridge, and the network topology is incorrectly changed, triggering spanning tree
recalculation. This also may cause the traffic that should be transmitted over high-speed links
to be transmitted over low-speed links, leading to network congestion. The root protection
function on a switching device is used to protect the root bridge by preserving the role of the
designated port.
NOTE
Root protection is configured on a designated port. Root protection takes effect only on a designated port.
Procedure
Step 1 Run:
system-view
Context
On a network running RSTP, a switching device maintains the root port status and status of
blocked ports by receiving BPDUs from an upstream switching device. If the switching device
cannot receive BPDUs from the upstream because of link congestion or unidirectional-link
failure, the switching device re-selects a root port. The original root port becomes a designated
port and the original blocked ports change to the Forwarding state. This may cause network
loops. To address such a problem, configure loop protection.
After loop protection is configured, if the root port or alternate port does not receive BPDUs
from the upstream switching device, the root port is blocked and the switching device notifies
the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state
and no longer forwards packets. This prevents loops on the network. The root port restores the
Forwarding state after receiving new BPDUs.
NOTE
An alternate port is a backup port of a root port. If a switching device has an alternate port, you need to
configure loop protection on both the root port and the alternate port.
Procedure
Step 1 Run:
system-view
Loop protection for the root port or the alternate port is configured on the switching device.
By default, loop protection is disabled.
----End
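The BPDU protection, root protection and loop protection behaviour described in the preceding sections can be compared with the unprotected behaviour in one state model. The following Python model is an added example, not Huawei code: the class and function names are hypothetical, the bridge IDs are constructed, and placing a root-protected port in the Discarding state is an assumption the page does not state.

```python
"""State model of BPDU, root and loop protection on one bridge (added example)."""
from dataclasses import dataclass
from typing import Optional


def bid(priority, mac):
    """Bridge ID as a comparable tuple; the smaller tuple wins the root election."""
    return (priority, int(mac.replace("-", ""), 16))


@dataclass
class StpPort:
    name: str
    role: str                      # "edge", "designated", "root" or "alternate"
    protected: bool = False        # the protection matching the role is enabled
    state: str = "FORWARDING"
    recover_at: Optional[int] = None


class Bridge:
    def __init__(self, own_bid, root_bid=None, auto_recovery=None):
        if auto_recovery is not None and not 30 <= auto_recovery <= 86400:
            raise ValueError("interval-value must be 30 to 86400 seconds")
        self.bid = own_bid
        self.root = root_bid or own_bid
        self.auto_recovery = auto_recovery
        self.recalculations = 0
        self.nms = []              # notifications sent to the NMS

    def on_bpdu(self, port, advertised_root, now=0):
        if port.role == "edge":
            if port.protected:                       # BPDU protection
                port.state = "ERROR-DOWN"
                if self.auto_recovery is not None:
                    port.recover_at = now + self.auto_recovery
                return "edge port shut down"
            port.role = "designated"                 # simplification: edge attribute lost
            self.recalculations += 1
            return "edge port became non-edge"
        if port.role == "designated" and advertised_root < self.root:
            if port.protected:                       # root protection keeps the role
                port.state = "DISCARDING"            # assumption, see lead-in
                return "superior BPDU rejected"
            self.root = advertised_root
            port.role = "root"
            self.recalculations += 1
            return "root bridge replaced"
        if port.role == "root" and port.state == "DISCARDING":
            port.state = "FORWARDING"                # BPDUs are back: release the port
            return "root port restored"
        return "no change"

    def on_bpdu_timeout(self, port):
        """No BPDU from upstream on a root or alternate port within the timeout."""
        if port.role not in ("root", "alternate"):
            return "no change"
        if port.protected:                           # loop protection
            port.state = "DISCARDING"
            self.nms.append(f"{port.name} entered Discarding")
            return "port held in Discarding"
        port.role, port.state = "designated", "FORWARDING"
        self.recalculations += 1
        return "port re-selected and forwarding"

    def tick(self, port, now):
        """Apply error-down auto recovery and return the port state."""
        if port.state == "ERROR-DOWN" and port.recover_at is not None and now >= port.recover_at:
            port.state, port.recover_at = "FORWARDING", None
        return port.state


ROOT = bid(0, "00e0-fc00-0010")        # constructed; priority 0 as set by stp root primary
SUPERIOR = bid(0, "00e0-fc00-0001")    # constructed; same priority, smaller MAC
LOCAL = bid(32768, "00e0-fc00-0020")   # constructed non-root bridge


def edge_case(protected):
    bridge = Bridge(LOCAL, ROOT, auto_recovery=30)
    port = StpPort("GE1/0/1", "edge", protected)
    bridge.on_bpdu(port, SUPERIOR, now=0)
    return port.state, bridge.recalculations, bridge.tick(port, 29), bridge.tick(port, 30)


def root_case(protected):
    bridge = Bridge(ROOT)
    port = StpPort("GE1/0/2", "designated", protected)
    bridge.on_bpdu(port, SUPERIOR)
    return bridge.root == ROOT, port.role, port.state


def loop_case(protected):
    bridge = Bridge(LOCAL, ROOT)
    port = StpPort("GE1/0/3", "alternate", protected, state="DISCARDING")
    bridge.on_bpdu_timeout(port)
    return port.state, len(bridge.nms)
```

The root case shows that priority 0 alone does not keep the root role when a BPDU with the same priority and a smaller MAC address arrives, which is why root protection is configured on designated ports.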
Prerequisite
All configurations of RSTP protection functions are complete.
Procedure
l
----End
tasks, and obtain the required data. This will help you complete the configuration task quickly
and accurately.
Applicable Environment
On a network running STP/RSTP, inconsistent protocol packet formats and BPDU keys may
lead to a communication failure. Configuring proper STP/RSTP parameters on Huawei devices
ensures interoperability between Huawei devices and non-Huawei devices.
Pre-configuration Tasks
Before configuring STP/RSTP interoperability between Huawei devices and non-Huawei
devices, complete the following task:
l
Data Preparation
To configure STP/RSTP interoperability between Huawei devices and non-Huawei devices, you
need the following data.
No.
Data
BPDU format
Context
The rapid transition mechanism is also called the Proposal/Agreement mechanism. Switching
devices currently support the following modes:
- Enhanced mode: The current interface counts a root port when it counts the synchronization
flag bit.
  - An upstream device sends a Proposal message to a downstream device, requesting rapid
  status transition. After receiving the message, the downstream device sets the port
  connected to the upstream device to a root port and blocks all non-edge ports.
  - The upstream device then sends an Agreement message to the downstream device. After
  the downstream device receives the message, the root port transitions to the Forwarding
  state.
  - The downstream device responds to the Proposal message with an Agreement message.
  After receiving the message, the upstream device sets the port connected to the
  downstream device as a designated port. The designated port then transitions to the
  Forwarding state.
- Common mode: The current interface ignores the root port when it counts the
synchronization flag bit.
Procedure
Step 1 Run:
system-view
Prerequisite
Parameters have been configured to ensure MSTP interoperability between Huawei devices and
non-Huawei devices.
Procedure
l
----End
Context
CAUTION
STP/RSTP statistics cannot be restored after you clear them. Therefore, exercise caution when
using the reset commands.
After you confirm that STP/RSTP statistics need to be cleared, run the following command in
the user view.
Procedure
Step 1 Run the reset stp [ interface interface-type interface-number ] statistics command to clear
spanning-tree statistics.
----End
Networking Requirements
On a complex network, loops are inevitable. With the requirement for network redundancy
backup, network designers tend to deploy multiple physical links between two devices, one of
which is the master and the others are the backup. Loops are likely or bound to occur in such a
situation.
Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the
network. Loops also cause flapping of MAC address tables and damage MAC address entries.
STP can be deployed on a network to eliminate loops by blocking some ports. On the network
shown in Figure 8-3, after SwitchA, SwitchB, SwitchC, and SwitchD running STP discover
loops on the network by exchanging information with each other, they trim the ring topology
into a loop-free tree topology by blocking a certain port. In this manner, replication and circular
propagation of packets are prevented on the network and the switching devices are released from
processing duplicated packets, thereby improving their processing performance.
[Figure 8-3: ring network of SwitchA (root bridge), SwitchB, SwitchC, and SwitchD running STP,
interconnected through interfaces GE1/0/1, GE1/0/2, and GE1/0/3, with PC1 and PC2 attached;
legend: blocked port]
Configuration Roadmap
The configuration roadmap is as follows:
1.
STP is not required on the interfaces connected to terminals because these interfaces do not
need to participate in STP calculation.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure basic STP functions.
1. Configure the STP mode for the devices on the ring network.
# Configure the STP mode on SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] stp mode stp
2.
3. Set path costs for ports in each spanning tree to block certain ports.
NOTE
• The values of path costs depend on path cost calculation methods. This example uses the
  Huawei proprietary calculation method and sets the path costs of the ports to be blocked
  to 20000.
• All switching devices on a network must use the same path cost calculation method.
4.
 Role  STP State   Protection
 DESI  FORWARDING  NONE
 DESI  FORWARDING  NONE
After SwitchA is configured as a root bridge, GE 1/0/2 and GE 1/0/1 connected to SwitchB and
SwitchD respectively are elected as designated ports in spanning tree calculation.
# Run the display stp interface gigabitethernet 1/0/1 brief command on SwitchB to view status
of GE 1/0/1. The displayed information is as follows:
[SwitchB] display stp interface gigabitethernet 1/0/1 brief
 MSTID  Port                    Role  STP State   Protection
   0    GigabitEthernet1/0/1    DESI  FORWARDING  NONE
GE 1/0/1 is elected as a designated port in spanning tree calculation and is in the Forwarding
state.
# Run the display stp brief command on SwitchC to view the interface status and protection
type. The displayed information is as follows:
[SwitchC] display stp brief
 MSTID  Port                    Role  STP State   Protection
   0    GigabitEthernet1/0/1    ALTE  DISCARDING  NONE
   0    GigabitEthernet1/0/3    ROOT  FORWARDING  NONE
GE 1/0/1 is elected as an alternate port in spanning tree calculation and is in the Discarding state.
GE 1/0/3 is elected as a root port in spanning tree calculation and is in the Forwarding state.
----End
Configuration Files
#
stp mode stp
stp enable
#
interface GigabitEthernet1/0/2
stp disable
#
return
Networking Requirements
On a complex network, loops are inevitable. With the requirement for network redundancy
backup, network designers tend to deploy multiple physical links between two devices, one of
which is the master and the others are the backup. Loops are likely or bound to occur in such a
situation.
Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the
network. Loops also cause flapping of MAC address tables and damage MAC address entries.
RSTP can be deployed on a network to eliminate loops by blocking some ports. On the network
shown in Figure 8-4, after SwitchA, SwitchB, SwitchC, and SwitchD running RSTP discover
loops on the network by exchanging information with each other, they trim the ring topology
into a loop-free tree topology by blocking a certain port. In this manner, replication and circular
propagation of packets are prevented on the network and the switching devices are released from
processing duplicated packets, thereby improving their processing performance.
[Figure 8-4: ring network of SwitchA (root bridge), SwitchB, SwitchC, and SwitchD running RSTP,
interconnected through interfaces GE1/0/1, GE1/0/2, and GE1/0/3, with PC1 and PC2 attached;
legend: blocked port]
Configuration Roadmap
The configuration roadmap is as follows:
1.
RSTP is not required on the interfaces connected to terminals because these interfaces do not
need to participate in RSTP calculation.
2.
Configure RSTP protection functions, for example, root protection on a designated port of
a root bridge in each MSTI.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure basic RSTP functions.
1. Configure the RSTP mode for the devices on the ring network.
# Configure the RSTP mode on SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] stp mode rstp
2.
3. Set path costs for ports in each MSTI to block certain ports.
NOTE
• The values of path costs depend on path cost calculation methods. This example uses the
  Huawei proprietary calculation method and sets the path costs of the ports to be blocked
  to 20000.
• All switching devices on a network must use the same path cost calculation method.
4.
Step 2 Configure RSTP protection functions, for example, root protection on a designated port of a root
bridge in each MSTI.
# Enable root protection on GE 1/0/1 on SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] stp root-protection
[SwitchA-GigabitEthernet1/0/1] quit
 Role  STP State   Protection
 DESI  FORWARDING  ROOT
 DESI  FORWARDING  ROOT
After SwitchA is configured as a root bridge, GE 1/0/2 and GE 1/0/1 connected to SwitchB and
SwitchD respectively are elected as designated ports in spanning tree calculation. The root
protection function is enabled on the designated ports.
# Run the display stp interface gigabitethernet 1/0/1 brief command on SwitchB to view status
of GE 1/0/1. The displayed information is as follows:
[SwitchB] display stp interface gigabitethernet 1/0/1 brief
 MSTID  Port                    Role  STP State   Protection
   0    GigabitEthernet1/0/1    DESI  FORWARDING  NONE
GE 1/0/1 is elected as a designated port in spanning tree calculation and is in the Forwarding
state.
# Run the display stp brief command on SwitchC to view the interface status and protection
type. The displayed information is as follows:
[SwitchC] display stp brief
 MSTID  Port                    Role  STP State   Protection
   0    GigabitEthernet1/0/1    ALTE  DISCARDING  NONE
   0    GigabitEthernet1/0/3    ROOT  FORWARDING  NONE
GE 1/0/1 is elected as an alternate port in spanning tree calculation and is in the Discarding state.
GE 1/0/3 is elected as a root port in spanning tree calculation and is in the Forwarding state.
----End
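An added example (not part of the Huawei guide): a Python check that parses display stp brief
output in the column layout shown above and, for the bridge the design names as root, flags
designated ports without ROOT protection and any port role showing that the bridge has lost the
root role. The sample outputs are constructed, and the function names and finding labels are
assumptions of this example.

```python
import re

# Constructed samples that follow the "display stp brief" column layout shown on
# this page; they are not captured from a real device.
EXPECTED_ROOT_OK = """\
[SwitchA] display stp brief
 MSTID  Port                    Role  STP State    Protection
   0    GigabitEthernet1/0/1    DESI  FORWARDING   ROOT
   0    GigabitEthernet1/0/2    DESI  FORWARDING   NONE
"""

EXPECTED_ROOT_DISPLACED = """\
[SwitchA] display stp brief
 MSTID  Port                    Role  STP State    Protection
   0    GigabitEthernet1/0/1    ROOT  FORWARDING   NONE
   0    GigabitEthernet1/0/2    DESI  FORWARDING   NONE
"""

# One data row: MSTID, port name, role, state, protection type.
ROW = re.compile(
    r"^\s*(?P<mstid>\d+)\s+(?P<port>\S+)\s+(?P<role>[A-Z]+)\s+"
    r"(?P<state>[A-Z]+)\s+(?P<protection>[A-Z]+)\s*$"
)


def parse_stp_brief(text):
    """Return one dict per port row; the prompt and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            row = match.groupdict()
            row["mstid"] = int(row["mstid"])
            rows.append(row)
    return rows


def audit_expected_root(rows, terminal_ports=frozenset()):
    """Audit the bridge that the network design names as the root bridge.

    Returns (port, mstid, finding) tuples. terminal_ports lists interfaces that
    face terminals and do not take part in spanning tree calculation.
    """
    findings = []
    for row in rows:
        if row["port"] in terminal_ports:
            continue
        if row["role"] in ("ROOT", "ALTE"):
            # A root bridge has no root port, and an alternate port also means a
            # better BPDU arrived: another bridge now holds the root role.
            findings.append((row["port"], row["mstid"], "root-role-lost"))
        elif row["role"] == "DESI" and row["protection"] != "ROOT":
            # Designated port on the root bridge without root protection.
            findings.append((row["port"], row["mstid"], "no-root-protection"))
    return findings


if __name__ == "__main__":
    for name, sample in (("ok", EXPECTED_ROOT_OK),
                         ("displaced", EXPECTED_ROOT_DISPLACED)):
        for port, mstid, finding in audit_expected_root(parse_stp_brief(sample)):
            print(f"{name}: MSTID {mstid} {port}: {finding}")
```

Run it against the output collected from each bridge that is meant to be a root bridge, passing the terminal-facing interfaces in terminal_ports.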
Configuration Files
#
return
9 MSTP Configuration
Background
STP and RSTP are used in a LAN to prevent loops. The devices running STP/RSTP discover
loops on the network by exchanging information with each other and trim the ring topology into
a loop-free tree topology by blocking a certain interface. Replication and circular propagation
of packets are thus prevented on the network and the processing performance of devices is
improved by avoiding repeated packets on the network.
STP and RSTP both have a defect: All VLANs on a LAN use one spanning tree, and thus
inter-VLAN load balancing cannot be performed. Once a link is blocked, the link will no longer
transmit traffic, wasting bandwidth and causing a failure in forwarding certain VLAN packets.
To fix the defect of STP and RSTP, the IEEE released the 802.1s standard in 2002, defining
MSTP. MSTP, which is compatible with STP and RSTP, implements rapid convergence and provides
multiple paths to load balance VLAN traffic.
Table 9-1 shows the comparison between STP, RSTP, and MSTP.
STP
  Characteristics:
  • A loop-free tree is generated. Thus, broadcast storms are prevented and redundancy is
    implemented.

RSTP
  Characteristics:
  • A loop-free tree is generated. Thus, broadcast storms are prevented and redundancy is
    implemented.
  • A feedback mechanism is provided to confirm topology convergence. Thus, rapid convergence
    is implemented.

  Application Scenarios (STP and RSTP):
  Irrespective of different users or services, all VLANs share one spanning tree.

MSTP
  Characteristics:
  • A loop-free tree or some loop-free trees are generated. Thus, broadcast storms are
    prevented and redundancy is implemented.
  • A feedback mechanism is provided to confirm topology convergence. Thus, rapid convergence
    is implemented.
  • MSTP implements load balancing among VLANs. Traffic in different VLANs is transmitted
    along different paths.

  Application Scenarios:
  User or service-specific load balancing is required. Traffic for different VLANs is
  forwarded through different spanning trees, which are independent of each other.

Precautions
  NOTE
  • If the current switching device supports only STP, STP is recommended. For details, see
    STP/RSTP Configuration.
  • If the current switching device supports both STP and RSTP, RSTP is recommended. For
    details, see STP/RSTP Configuration.
  • If the current switching device supports STP or RSTP, and MSTP, MSTP is recommended.
Introduction
On a complex network, loops are inevitable. With the requirement for network redundancy
backup, network designers tend to deploy multiple physical links between two devices, one of
which is the master and the others are the backup. Loops are likely or bound to occur in such a
situation.
Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the
network. Loops also cause flapping of MAC address tables and thus damage MAC address
entries.
MSTP, compatible with STP and RSTP, isolates service traffic and user traffic by using multiple
instances and provides multiple paths to load balance VLAN traffic.
If MSTP is deployed in the LAN shown in Figure 9-1, MSTIs are generated, as shown in Figure
9-1.
Figure 9-1 Multiple spanning trees in an MST region
[Figure: SwitchA through SwitchF interconnected by links labelled VLAN2 and VLAN3; Host A and
Host B are in VLAN2, Host C and Host D are in VLAN3]
MSTI 1 uses Switch D as the root switching device to forward packets of VLAN 2.
MSTI 2 uses Switch F as the root switching device to forward packets of VLAN 3.
Devices within the same VLAN can communicate with each other and packets of different
VLANs are load-balanced along different paths.
MST region
An MST region contains multiple switching devices and network segments between them.
The switching devices have the following characteristics:
- MSTP-enabled
- Same region name
- Same VLAN-to-instance mapping
- Same MSTP revision number
A LAN can comprise several MST regions that are directly or indirectly connected.
Multiple switching devices can be grouped into an MST region by using MSTP
configuration commands.
As shown in Figure 9-2, the MST region D0 contains the switching devices S1, S2, S3,
and S4, and has three MSTIs.
Figure 9-2 MST region
[Figure: MST region D0 containing S1, S2, S3, and S4, with port AP1 and the label "Master
Bridge". MSTI1: root switch S3; MSTI2: root switch S2; MSTI0 (IST): root switch S1.
Mapping: VLAN1 to MSTI1; VLAN2 and VLAN3 to MSTI2; other VLANs to MSTI0]
Regional root
Regional roots are classified into Internal Spanning Tree (IST) and MSTI regional roots.
In regions B0, C0, and D0 on the network shown in Figure 9-4, the switching devices
closest to the Common and Internal Spanning Tree (CIST) root are IST regional roots.
An MST region can contain multiple spanning trees, each called an MSTI. An MSTI
regional root is the root of the MSTI. On the network shown in Figure 9-3, each MSTI has
its own regional root.
[Figure 9-3: an MST region whose links carry combinations of VLAN 10, VLAN 20, and VLAN 30,
with three MSTIs corresponding to VLAN 10, VLAN 20, and VLAN 30, each with its own root;
legend: MSTI links, MSTI links blocked by the protocol]
MSTIs are independent of each other. An MSTI can correspond to one or more VLANs,
but a VLAN can be mapped to only one MSTI.
[Figure 9-4: MST regions A0 (CIST root), B0, C0, and D0 (each labelled with a region root);
legend: IST, CST]
CIST root
On the network shown in Figure 9-4, the CIST root is the root bridge of a CIST. The CIST
root is a device in A0.
CST
A Common Spanning Tree (CST) connects all the MST regions on a switching network.
Each MST region can be considered a node. A CST is calculated by using STP or RSTP
based on all the nodes.
As shown in Figure 9-4, the MST regions are connected to form a CST.
IST
An IST resides within an MST region.
An IST is a special MSTI with the MSTI ID of 0, called MSTI 0.
An IST is a segment of the CIST in an MST region.
As shown in Figure 9-4, the switching devices in an MST region are connected to form an
IST.
CIST
A CIST, calculated by using STP or RSTP, connects all the switching devices on a switching
network.
As shown in Figure 9-4, the ISTs and the CST form a complete spanning tree, that is, CIST.
SST
A Single Spanning Tree (SST) is formed in either of the following situations:
- A switching device running STP or RSTP belongs to only one spanning tree.
- An MST region has only one switching device.
As shown in Figure 9-4, the switching device in B0 is an SST.
Port roles
Compared with RSTP, MSTP has two additional port types. MSTP ports can be root ports,
designated ports, alternate ports, backup ports, edge ports, master ports, and regional edge
ports.
The functions of root ports, designated ports, alternate ports, backup ports, and edge ports
have been defined in RSTP. Table 9-2 lists all port roles in MSTP.
NOTE
Port Roles | Description

Root port
  A root port is the non-root bridge port closest to the root bridge. Root bridges
  do not have root ports.
  Root ports are responsible for sending data to root bridges.
  As shown in Figure 9-5, S1 is the root; CP1 is the root port on S3; BP1 is
  the root port on S2; DP1 is the root port on S4.

Designated port

Alternate port

Backup port

Master port
  A master port is on the shortest path connecting MST regions to the CIST
  root.
  BPDUs of an MST region are sent to the CIST root through the master port.
  Master ports are special regional edge ports, functioning as root ports on
  ISTs or CISTs and master ports in instances.
  As shown in Figure 9-5, S1, S2, S3, and S4 form an MST region. AP1 on
  S1, being the nearest port in the region to the CIST root, is the master port.

Regional edge port
  A regional edge port is located at the edge of an MST region and connects
  to another MST region or an SST.
  During MSTP calculation, the roles of a regional edge port in the MSTI and
  the CIST instance are the same. If the regional edge port is the master port
  in the CIST instance, it is the master port in all the MSTIs in the region.
  As shown in Figure 9-5, AP1, DP2, and DP3 in an MST region are directly
  connected to other regions, and therefore they are all regional edge ports of
  the MST region.
  As shown in Figure 9-5, AP1 is a regional edge port and also a master port
  in the CIST. Therefore, AP1 is the master port in every MSTI in the MST
  region.

Edge port
  An edge port is located at the edge of an MST region and does not connect
  to any switching device.
  Generally, edge ports are directly connected to terminals.
  As shown in Figure 9-5, BP3 is an edge port.
[Figure 9-5: MST region containing S1 (root bridge), S2, S3, and S4, with ports AP1 to AP4,
BP1 to BP3, CP1 to CP3, and DP1 to DP4, and a PC; legend: root port, designated port,
alternate port, backup port, regional edge port, master port, edge port]
Port status
Table 9-3 lists the MSTP port status, which is the same as the RSTP port status.
Table 9-3 Port status

Port Status | Description

Forwarding
  A port in the Forwarding state can send and receive BPDUs as well as
  forward user traffic.

Learning
  This is a transition state. A port in the Learning state learns MAC addresses
  from user traffic to construct a MAC address table.
  In the Learning state, the port can send and receive BPDUs, but cannot
  forward user traffic.

Discarding
There is no necessary link between the port status and the port role. Table 9-4 lists the
relationships between port roles and port status.
Table 9-4 Relationships between port roles and port status

Port Status | Root Port/Master Port | Designated Port | Regional Edge Port | Alternate Port | Backup Port
Forwarding  | Yes                   | Yes             | Yes                | No             | No
Learning    | Yes                   | Yes             | Yes                | No             | No
Discarding  | Yes                   | Yes             | Yes                | Yes            | Yes
1. In a ring network, divide regions and create different instances for regions.
2. Select a switching device functioning as a root bridge from switching devices for each
   instance.
3. In each instance, calculate the shortest paths from the other switching devices to the root
   bridge, and select a root port for each non-root switching device.
4. In each instance, select a designated port for each connection according to port IDs.
According to current networking, master ports and backup ports may be involved. For details,
see 9.1.1 MSTP Introduction.
MSTP also supports the following features to meet requirements of special applications and
extended functions:
• Supports MSTP multi-process in the scenario where MSTP and STP/RSTP are used
  together. MSTP multi-process implements independent spanning tree calculation for each
  access ring.
• Supports MSTP interoperability between Huawei devices and non-Huawei devices. Proper
  parameters are required on Huawei devices running MSTP to ensure nonstop
  communication.
MSTP Protection | Scenario | Configuration Impact

BPDU protection

TC protection

Root protection
  Scenario: Due to incorrect configurations or malicious attacks on the network, a root
  bridge may receive BPDUs with a higher priority. Consequently, the legitimate root bridge
  is no longer able to serve as the root bridge, and the network topology is illegitimately
  changed, triggering spanning tree recalculation. This may transfer traffic from high-speed
  links to low-speed links, causing traffic congestion.

Loop protection

Share-link protection
MSTP Multi-process
Background
As shown in Figure 9-6, SwitchA, SwitchB, and SwitchC are connected through Layer 2
links, and are all enabled with MSTP. The CEs on the rings support only STP/RSTP.
Multiple access rings exist and these rings access the MST region by using different
interfaces on SwitchA and SwitchB.
[Figure 9-6: SwitchA, SwitchB, and SwitchC with PE1 and PE2, and CEs on three access rings
(Ring1, Ring2, Ring3); labels: Instance1: VLAN2~100, Process 1; Instance2: VLAN101~200,
Process 2; Instance3: VLAN201~300, Process 3]
On the network shown in Figure 9-6, multiple Layer 2 rings, Ring 1, Ring 2, and Ring 3,
exist. STP must be enabled on these rings to prevent loops. SwitchA and SwitchB are
connected to multiple access rings, and these rings are isolated from each other and do not
need intercommunication. STP then will not calculate one spanning tree for all these
access rings. Instead, STP on each access ring calculates its tree independently.
MSTP supports multiple spanning tree instances (MSTIs) only when all devices support
MSTP and the devices are configured with the same MST region. In this networking, however,
the CEs connected to the switching devices support only STP/RSTP. According to
MSTP, the switching devices consider themselves to be in different regions from the CEs
after receiving STP/RSTP messages sent from the CEs. Therefore, only one spanning tree is
calculated for the ring formed by switching devices and CEs, and the access rings are not
independent of each other.
In this case, MSTP multi-process can be used. Multiple MSTP processes can be configured
on SwitchA and SwitchB. Each MSTP process has the same function and supports MSTIs.
Each MSTP process corresponds to one access ring.
After MSTP multi-process is enabled, each MSTP process can manage some interfaces on
a device. That is, Layer 2 interfaces on the device are divided and managed by multiple
MSTP processes. Each MSTP process runs the standard MSTP.
NOTE
CEs that support MSTP can also be configured with MSTP multi-process.
After a device properly starts, there is a default MSTP process with the ID 0. MSTP configurations
in the system view and interface view both belong to this process.
Share link
As shown in Figure 9-6, the link between SwitchA and SwitchB is a Layer 2 link running
MSTP. The share link between SwitchA and SwitchB is different from the links connecting
switching devices to CEs. The ports on the share link need to participate in the calculation
for multiple access rings and MSTP processes. This allows SwitchA and SwitchB to
identify from which MST BPDUs are sent.
In addition, a port on the share link participates in the calculation for multiple MSTP
processes, and obtains different status. As a result, the port cannot determine its status.
To prevent this situation, it is defined that a port on a share link always adopts its status in
MSTP process 0 when participating in the calculation for multiple MSTP processes.
NOTE
The S9300 does not support the Per-VLAN Spanning Tree (PVST) protocol and cannot process PVST
packets. You can configure the S9300 to transparently transmit PVST packets. For details, see 11 Layer
2 Protocol Transparent Transmission Configuration.
Setting a priority for a switching device in an MSTI: The lower the numerical value, the
higher the priority of the switching device and the more likely the switching device becomes
a root bridge; the higher the numerical value, the lower the priority of the switching device
and the less likely that the switching device becomes a root bridge.
Setting a path cost for a port in an MSTI: With the same calculation method, the lower the
numerical value, the smaller the cost of the path from the port to the root bridge and the
more likely the port becomes a root port; the higher the numerical value, the larger the cost
of the path from the port to the root bridge and the less likely that the port becomes a root
port.
Setting a priority for a port in an MSTI: The lower the numerical value, the more likely the
port becomes a designated port; the higher the numerical value, the less likely that the port
becomes a designated port.
Applicable Environment
On a complex network, loops are inevitable. With the requirement for network redundancy
backup, network designers tend to deploy multiple physical links between two devices, one of
which is the master and the others are the backup. Loops are likely or bound to occur in such a
situation.
Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the
network. Loops also cause flapping of MAC address tables and thus damage MAC address
entries.
MSTP can be deployed on a network to eliminate loops. If a loop is detected, MSTP blocks one
or more ports to eliminate the loop. In addition, MSTIs can be configured to load-balance VLAN
traffic.
As shown in Figure 9-7, Switches A, B, C, and D all support MSTP. It is required to create
MSTI 1 and MSTI 2, configure a root bridge for each MSTI, and set the ports to be blocked to
load-balance traffic of VLANs 1 to 10 and VLANs 11 to 20 among different paths.
Figure 9-7 Networking diagram of configuring basic MSTP functions
[Figure: SwitchA, SwitchB, SwitchC, and SwitchD in one MST region, with PC1 and PC2 attached;
labels: VLAN1~10, VLAN11~20, MSTI1, MSTI2; MSTI1: root switch SwitchA, one blocked port;
MSTI2: root switch SwitchB, one blocked port]
NOTE
Pre-configuration Tasks
Before configuring basic MSTP functions, complete the following task:
• Connecting interfaces and setting physical parameters for the interfaces to ensure that the
  physical status of the interfaces is Up
After a hybrid interface is added to the default VLAN in tagged mode, SEP packets sent by the
interface contain VLAN tags. In this case, configure the peer interface to allow packets of the default
VLAN to pass.
Data Preparation
To configure basic MSTP functions, you need the following data.
No.
Data
(Optional) ID of an MSTI
Procedure
Step 1 Run:
system-view
The working mode of the switching device is configured as MSTP. By default, the working
mode is MSTP.
STP and MSTP cannot recognize packets of each other but MSTP and RSTP can. If a switching
device is configured to work in MSTP mode and is connected to some switching devices running
STP, the switching device automatically switches the working mode of the interfaces connected
to those devices to STP, while the other interfaces still run MSTP. This enables
devices running different spanning tree protocols to interwork with each other.
----End
Context
An MST region contains multiple switching devices and network segments between them. These
switching devices are directly connected and, after MSTP is enabled, have the same region
name, the same VLAN-to-instance mapping, and the same configuration revision number. One
switching network can have multiple MST regions, and multiple switching devices can be
grouped into one MST region by using MSTP configuration commands.
CAUTION
Two switching devices belong to the same MST region when they have the same:
l
Procedure
Step 1 Run:
system-view
• The instance instance-id vlan { vlan-id [ to vlan-id ] }&<1-10> command is recommended because
  VLAN-to-instance mapping assignments cannot meet actual mapping requirements.
• In the command, vlan-mapping modulo indicates that the formula (VLAN ID-1)%modulo+1 is used.
  In the formula, (VLAN ID-1)%modulo means the remainder of (VLAN ID-1) divided by the value of
  modulo. This formula is used to map a VLAN to the corresponding MSTI. The calculation result of
  the formula is the ID of the MSTI that the VLAN is mapped to.
A change to MST region configurations (especially to the VLAN mapping table) causes
recalculation of spanning trees and route flapping in a network. Therefore, after an MST region
name, VLAN-to-instance mappings, and an MSTP revision number are configured, activating the MST
region is necessary. You can run the check region-configuration command in the MST region view to
check whether region configurations are correct. After confirming that region configurations are
correct, run the active region-configuration command to activate MST region configurations.
Step 6 Run:
active region-configuration
MST region configurations are activated so that the configured region name, VLAN-to-instance
mappings, and revision number can take effect.
If this step is not done, the preceding configurations cannot take effect.
If you have changed MST region configurations on the switching device after MSTP starts, run
the active region-configuration command to activate the MST region so that the changed
configurations can take effect.
----End
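An added example (not from the Huawei guide): Python that builds VLAN-to-instance tables with
the (VLAN ID-1)%modulo+1 formula and with explicit instance-to-VLAN ranges, then compares region
name, revision number, and mapping to show why two switches fail to join one MST region. The
region name RG1, revision 0, the 1-4094 VLAN range, the rule that unmapped VLANs stay in MSTI 0,
and the VLAN ranges (taken from the Figure 9-7 scenario) are assumptions of this example.

```python
VLAN_IDS = range(1, 4095)  # assumption: the standard VLAN ID range 1-4094


def modulo_vlan_map(modulo):
    """Table produced by the page's formula: MSTI ID = (VLAN ID-1)%modulo+1."""
    return {vlan: (vlan - 1) % modulo + 1 for vlan in VLAN_IDS}


def explicit_vlan_map(assignments):
    """Table built from explicit ranges: {instance_id: [(first_vlan, last_vlan), ...]}.

    VLANs that are not listed stay in MSTI 0 (the IST). A VLAN can be mapped to
    only one MSTI, so a second, conflicting assignment is rejected.
    """
    table = {vlan: 0 for vlan in VLAN_IDS}
    for instance_id, ranges in assignments.items():
        for first, last in ranges:
            for vlan in range(first, last + 1):
                if table[vlan] not in (0, instance_id):
                    raise ValueError(
                        f"VLAN {vlan} is already mapped to MSTI {table[vlan]}")
                table[vlan] = instance_id
    return table


def differing_vlans(map_a, map_b):
    """VLAN IDs that the two tables place in different MSTIs."""
    return [vlan for vlan in VLAN_IDS if map_a[vlan] != map_b[vlan]]


def region_mismatches(switch_a, switch_b):
    """Names of the attributes that keep two switches out of one MST region."""
    mismatches = []
    if switch_a["region_name"] != switch_b["region_name"]:
        mismatches.append("region name")
    if switch_a["revision"] != switch_b["revision"]:
        mismatches.append("revision number")
    if differing_vlans(switch_a["vlan_map"], switch_b["vlan_map"]):
        mismatches.append("VLAN-to-instance mapping")
    return mismatches


# Constructed configurations. SwitchA and SwitchC carry the intended design:
# VLANs 1 to 10 in MSTI 1 and VLANs 11 to 20 in MSTI 2.
DESIGN = {1: [(1, 10)], 2: [(11, 20)]}
SWITCH_A = {"region_name": "RG1", "revision": 0,
            "vlan_map": explicit_vlan_map(DESIGN)}
SWITCH_C = {"region_name": "RG1", "revision": 0,
            "vlan_map": explicit_vlan_map(DESIGN)}
# SwitchB was configured with modulo 2 instead: odd VLANs land in MSTI 1,
# even VLANs in MSTI 2, and no VLAN is left in MSTI 0.
SWITCH_B = {"region_name": "RG1", "revision": 0,
            "vlan_map": modulo_vlan_map(2)}

if __name__ == "__main__":
    print("A vs C:", region_mismatches(SWITCH_A, SWITCH_C) or "same region")
    print("A vs B:", region_mismatches(SWITCH_A, SWITCH_B))
    moved = differing_vlans(SWITCH_A["vlan_map"], SWITCH_B["vlan_map"])
    print(f"{len(moved)} VLANs differ, first: VLAN {moved[0]}")
```

Although SwitchB shares the region name and revision number, its modulo-based table disagrees with the design, so it would form a separate MST region and the per-VLAN load balancing would not work as planned.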
Context
In an MSTI, there is only one root bridge and it is the logical center of the MSTI. In root
bridge selection, a switching device with high performance and a high network hierarchy is
generally selected as a root bridge; however, the priority of such a device may not be that
high. Thus, setting a high priority for the switching device is necessary so that the device
can function as a root bridge.
Other devices with low performance and a low network hierarchy are not fit to be a root bridge.
Therefore, set low priorities for these devices.
CAUTION
If an S9300 is configured as the root switch or secondary root switch, the priority of the
S9300 cannot be set. If you want to set the priority of the S9300, you must disable the root switch
or secondary root switch.
Procedure
Step 1 Run:
system-view
• To configure a switching device as a primary root bridge, you can run the stp [ instance instance-id ]
  root primary command directly. The priority value of this switching device is 0.
• To configure a switching device as a secondary root bridge, run the stp [ instance instance-id ] root
  secondary command. The priority value of this switching device is 4096.
In an MSTI, a switching device cannot act as a primary root bridge and a secondary root bridge at the
same time.
----End
Context
A path cost is port-specific and is used by MSTP as a reference to select a link.
Path costs of a port are an important basis for calculating spanning trees. If you set different
path costs for a port in different MSTIs, VLAN traffic can be transmitted along different
physical links, which implements VLAN load balancing.
On a network where loops occur, it is recommended that you set a relatively large path cost for
the port at a low link rate. MSTP puts the port with the large path cost in the Blocking state
and blocks the link where this port resides.
Procedure
Step 1 Run:
system-view
Context
In spanning tree calculation, priorities of ports on switching devices in MSTIs determine
designated port selection.
If you expect to block a port on a switching device in an MSTI to eliminate loops, set the port
priority value to be larger than the default value. This port will be blocked in designated port
selection.
Procedure
Step 1 Run:
system-view
The value range of the priority is from 0 to 240, in steps of 16. That is, the port priority can
be 0, 16, 32, and so on.
----End
Context
After MSTP is enabled on a ring network, MSTP immediately calculates spanning trees on the
network. Configurations on the switching device, such as the switching device priority and port
priority, affect spanning tree calculation. Any change of the configurations may cause
network flapping. Therefore, to ensure rapid and stable spanning tree calculation, perform basic
configurations on the switching device and its ports and enable MSTP.
Procedure
Step 1 Run:
system-view
Prerequisite
All configurations of basic MSTP functions are complete.
Procedure
• Run the display stp [ instance instance-id ] [ interface { interface-type interface-number } ]
  [ brief ] command to view spanning-tree status and statistics.
• Run the display stp region-configuration [ digest ] command to view the digest
  configurations of activated MST regions.
----End
Applicable Environment
On a network with both Layer 2 single-access rings and multi-access rings deployed,
switching devices bear both Layer 2 and Layer 3 services. To enable different rings to bear
different services, deploy MSTP multi-process. Spanning trees of different processes are
calculated independently and do not affect each other.
As shown in Figure 9-8, Switches A, B, and C are connected through Layer 2 links, and are all
enabled with MSTP. The CEs on the rings support only STP/RSTP. Multiple access rings
exist and these rings access the MSTP region through different interfaces on Switches A and B.
Figure 9-8 Networking diagram of MSTP multi-process
[Figure: SwitchA, SwitchB, and SwitchC with PE1 and PE2, and CEs on three access rings
(Ring1, Ring2, Ring3); labels: Instance1: VLAN2~100, Process 1; Instance2: VLAN101~200,
Process 2; Instance3: VLAN201~300, Process 3]
Pre-configuration Tasks
Before configuring MSTP multi-process, complete the following task:
l
Data Preparation
To configure MSTP multi-process, you need the following data.
No.
Data
Context
Do as follows on the devices connected to access rings:
Procedure
Step 1 Run:
system-view
- After a device starts, there is a default MSTP process with the ID 0. MSTP configurations in the system
  view and interface view belong to this process. The default working mode of this process is MSTP.
- To add an interface to an MSTP process with the ID of non-zero, run the stp process command and
  then the stp binding process command.
----End
Context
Do as follows on the devices connected to access rings:
Procedure
Step 1 Run:
system-view
If the interface added to the MSTP process has sub-interfaces configured with features other than MSTP
such as VPLS, run the stp vpls-subinterface enable command on the main interface. The main interface
can then notify its sub-interfaces to update MAC entries and ARP entries after receiving a TC-BPDU. This
prevents services from being interrupted. In addition, root protection needs to be configured on the main
interface.
----End
Context
Do as follows on the devices connected to access rings:
Procedure
Step 1 Run:
system-view
The interface specified in this command must be an interface on the share link between the
devices configured with MSTP multi-process but not the interfaces that connect an access ring
and a device.
Step 3 Run:
stp binding process process-id [ to process-id ] link-share
For a process with share links, you must run the stp enable command globally. For an interface that is
added to the process in link-share mode, you must run the stp enable command in the interface view.
----End
Context
To prevent loops over the access ring after the share link fails, configure priorities and root
protection in MSTP multi-process.
Root protection is configured on the access interface of a device with the second highest priority.
- For detailed configuration of root protection in MSTP multi-process, see 9.5.4 Configuring
  Root Protection on an Interface.
NOTE
The MSTP priority of a downstream device must be lower than that of a UPE.
Context
Do as follows on the devices connected to access rings:
Procedure
Step 1 Run:
system-view
Prerequisite
All configurations of MSTP multi-process are complete.
Procedure
Step 1 Run the display stp [ process process-id ] [ instance instance-id ] [ interface interface-type
interface-number | slot slot-id ] [ brief ] command to view spanning-tree status and statistics.
----End
Applicable Environment
In some specific networks, MSTP parameters will affect the speed of network convergence.
Configuring proper MSTP parameters is required.
NOTE
The default parameters can also be used to achieve rapid MSTP convergence. Therefore, all
configuration procedures and steps in this configuration task are optional.
Pre-configuration Tasks
Before configuring MSTP parameters, complete the following task:
l
Data Preparation
To configure MSTP parameters, you need the following data.
No.
Data
Network diameter
Hello time, forwarding delay time, maximum aging time, and timeout period for
waiting for BPDUs from the upstream (3 x hello time x time factor)
Whether auto recovery needs to be configured for an edge port being shut down
10
11
Procedure
Step 1 Run:
system-view
This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If you
perform configurations in the MSTP process 0, skip this step.
Step 3 Run:
stp bridge-diameter diameter
- RSTP uses a single spanning tree instance on the entire network, which cannot prevent the
  performance from deteriorating when the network scale grows. Therefore, the network
  diameter cannot be larger than 7.
- It is recommended that you run the stp bridge-diameter diameter command to set the
  network diameter. Then, the switching device calculates the optimal Forward Delay period,
  Hello time, and Max Age period based on the set network diameter.
Step 4 Run:
stp timer-factor factor
The timeout period for waiting for BPDUs from the upstream of a switching device is set.
By default, the timeout period of a switching device is 9 times as long as the Hello time.
Step 5 (Optional) To set the Forward Delay period, Hello time, and Max Age period, perform the
following operations:
- Run the stp timer forward-delay forward-delay command to set the Forward Delay period
  for a switching device.
  The default Forward Delay period of a switching device is 1500, in centiseconds.
- Run the stp timer hello hello-time command to set the Hello time for a switching device.
  The default Hello time of a switching device is 200, in centiseconds.
- Run the stp timer max-age max-age command to set the Max Age period for a switching
  device.
  The default Max Age period of a switching device is 2000, in centiseconds.
NOTE
The values of the Hello time, Forward Delay period, and Max Age period must comply with the following
formulas. Otherwise, network flapping occurs.
- 2 x (Forward Delay - 1.0 second) >= Max Age
- Max Age >= 2 x (Hello Time + 1.0 second)
Step 6 Run:
stp max-hops hop
MCheck is enabled.
On a switching device running MSTP, if an interface is connected to a device running STP, the
interface automatically transitions to the STP mode.
Enabling MCheck on the interface is required because the interface may fail to automatically
transition to the MSTP mode in the following situations:
- The switching device running STP is shut down or moved.
- The switching device running STP transitions to the MSTP mode.
NOTE
If you run the stp mcheck command in the system view, the MCheck operation is performed on all the
interfaces.
----End
Procedure
Step 1 Run:
system-view
MCheck is enabled.
On a switching device running MSTP, if an interface is connected to a device running STP, the
interface automatically transitions to the STP mode.
Enabling MCheck on the interface is required because the interface may fail to automatically
transition to the MSTP mode in the following situations:
- The switching device running STP is shut down or moved.
- The switching device running STP transitions to the MSTP mode.
Step 5 Run:
stp transmit-limit packet-number
The maximum number of BPDUs sent by a port within each Hello time is set.
By default, the maximum number of BPDUs that a port sends within each Hello time is 147.
The auto recovery function on an edge port is configured. That is, a port in the error-down state is enabled to go Up automatically, and the delay for the transition from Down to Up is set.
There is no default value for the recovery time. Therefore, you must specify a delay when
configuring this command.
----End
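The timer formulas in Step 5 and the upstream BPDU timeout (3 x hello time x time factor) can be checked before a change is committed. The following Python script is an added example, not Huawei code: it reads stp timer and stp timer-factor lines from configuration text, fills in the defaults stated above, and reports violated formulas. The default time factor of 3 is an assumption derived from the stated default timeout of 9 times the Hello time, and the sample configuration is constructed.

```python
import re

# Defaults stated in this section, in centiseconds.
DEFAULTS = {"forward-delay": 1500, "hello": 200, "max-age": 2000}
# Assumption derived from the text: the default timeout is 9 x Hello time and
# the timeout is 3 x Hello time x time factor, so the default factor is 3.
DEFAULT_TIMER_FACTOR = 3

TIMER_RE = re.compile(r"stp timer (forward-delay|hello|max-age) (\d+)")
FACTOR_RE = re.compile(r"stp timer-factor (\d+)")


def parse_timers(config_text):
    """Return (timers, factor) from configuration text, using defaults for gaps."""
    timers, factor = dict(DEFAULTS), DEFAULT_TIMER_FACTOR
    for raw in config_text.splitlines():
        line = raw.strip()
        m = TIMER_RE.fullmatch(line)
        if m:
            timers[m.group(1)] = int(m.group(2))
            continue
        m = FACTOR_RE.fullmatch(line)
        if m:
            factor = int(m.group(1))
    return timers, factor


def check_timers(config_text):
    """Evaluate the two timer formulas and the upstream BPDU timeout."""
    timers, factor = parse_timers(config_text)
    fd, hello, max_age = timers["forward-delay"], timers["hello"], timers["max-age"]
    # 1.0 second = 100 centiseconds. Max Age must lie inside [low, high].
    low, high = 2 * (hello + 100), 2 * (fd - 100)
    problems = []
    if max_age > high:
        problems.append(f"2 x (Forward Delay - 1.0 s) = {high} < Max Age = {max_age}")
    if max_age < low:
        problems.append(f"Max Age = {max_age} < 2 x (Hello Time + 1.0 s) = {low}")
    return {
        "timers": timers,
        "max_age_window": (low, high),
        "bpdu_timeout": 3 * hello * factor,   # centiseconds
        "problems": problems,
    }


# Constructed sample: timer values that break both formulas.
RISKY = """\
stp timer forward-delay 400
stp timer hello 500
stp timer max-age 1000
stp timer-factor 5
"""

if __name__ == "__main__":
    for label, text in (("defaults", ""), ("constructed sample", RISKY)):
        result = check_timers(text)
        print(label, result["timers"], "timeout:", result["bpdu_timeout"])
        for problem in result["problems"]:
            print("  VIOLATION:", problem)
```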
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths to associated VLANs are
changed. Then, ARP entries corresponding to those VLANs on the switching device need to be
updated. MSTP processes ARP entries in either fast or normal mode.
l
You can run the stp converge { fast | normal } command in the system view to configure the
MSTP convergence mode.
By default, the MSTP convergence is configured as normal.
NOTE
The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted,
causing the CPU usage on the MPU or LPU to reach 100%. As a result, network flapping frequently occurs.
Prerequisite
The configurations of MSTP parameters are complete.
Procedure
- Run the display stp [ instance instance-id ] [ interface { interface-type interface-number } ] [ brief ] command to view spanning-tree status and statistics.
----End
Applicable Environment
MSTP provides the following protection functions, as listed in Table 9-6.
Table 9-6 MSTP protection
MSTP Protection | Scenario | Configuration Impact
BPDU protection | |
TC protection | |
Root protection | Due to incorrect configurations or malicious attacks on the network, a root bridge may receive BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve as the root bridge, and the network topology is illegitimately changed, triggering spanning tree recalculation. This may transfer traffic from high-speed links to low-speed links, causing traffic congestion. |
Loop protection | |
Share-link protection | |
NOTE
- After a device normally starts, there is a default MSTP process with the ID 0. MSTP configurations in
  the system view and interface view both belong to this process.
- For more information about MSTP multi-process configuration, see 9.3 Configuring MSTP Multi-process.
Pre-configuration Tasks
Before configuring MSTP protection functions on a switching device, complete the following
task:
l
NOTE
Configure an edge port on the switching device before configuring BPDU protection.
Data Preparation
To configure MSTP protection functions on a switching device, you need the following data.
No.
Data
Context
Edge ports are directly connected to user terminals and normally do not receive
BPDUs. Some attackers may send pseudo BPDUs to attack the switching device. If the edge
ports receive the BPDUs, the switching device automatically sets the edge ports as non-edge
ports and triggers new spanning tree calculation. Network flapping then occurs. BPDU
protection can be used to protect switching devices against such network attacks.
NOTE
Procedure
Step 1 Run:
system-view
Context
An attacker may send pseudo TC-BPDUs to attack switching devices. The switching devices then
receive a large number of TC-BPDUs in a short time and delete entries frequently, which burdens
system processing and degrades network stability.
TC protection is used to suppress TC-BPDUs. The number of times that TC-BPDUs are
processed by a switching device within a given time period is configurable. If the number of
TC-BPDUs that the switching device receives within the given time exceeds the specified
threshold, the switching device handles TC-BPDUs only for the specified number of times.
The excess TC-BPDUs are processed together, once, after the timer (that is, the specified
time period) expires. This prevents the switching device from frequently deleting MAC entries
and ARP entries and from being overburdened.
Procedure
Step 1 Run:
system-view
This step is needed only when you perform configurations in an MSTP process with a non-zero ID. If you
perform configurations in the MSTP process 0, skip this step.
Step 3 Run:
stp tc-protection
The threshold of the number of times the MSTP process handles the received TC-BPDUs and
updates forwarding entries within a given time is set.
NOTE
The value of the given time is consistent with the MSTP Hello time set by using the stp timer hello hello-time command.
----End
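The effect of TC protection on the number of MAC/ARP entry flushes can be seen in a small model. The following Python script is an added example, not Huawei code: it follows the description above (a threshold per time period equal to the Hello time, with excess TC-BPDUs handled once when the period expires). It assumes periods aligned to multiples of the Hello time; the parameter name threshold and the traffic sample are constructed for illustration.

```python
def flush_times(arrivals, hello, threshold, protected=True):
    """Return the times (centiseconds) at which MAC/ARP entries are flushed.

    arrivals  -- arrival times of TC-BPDUs, in centiseconds
    hello     -- length of the protection period (the Hello time)
    threshold -- TC-BPDUs handled immediately per period (hypothetical name)
    """
    if not protected:
        return sorted(arrivals)          # every TC-BPDU triggers a flush
    handled = {}                         # period index -> TC-BPDUs handled
    deferred = set()                     # periods that saw excess TC-BPDUs
    flushes = []
    for t in sorted(arrivals):
        period = t // hello
        if handled.get(period, 0) < threshold:
            handled[period] = handled.get(period, 0) + 1
            flushes.append(t)
        else:
            deferred.add(period)
    # Excess TC-BPDUs of a period are handled together when its timer expires.
    flushes.extend((p + 1) * hello for p in deferred)
    return sorted(flushes)


def worst_case_flushes(duration, hello, threshold):
    """Upper bound on flushes within `duration`, however many TC-BPDUs arrive."""
    periods = -(-duration // hello)      # ceiling division
    return periods * (threshold + 1)


# Constructed traffic: 50 forged TC-BPDUs within the first second (one every
# 2 centiseconds) and a single genuine topology change at 5 seconds.
BURST = list(range(0, 100, 2)) + [500]

if __name__ == "__main__":
    hello, threshold = 200, 3
    print("unprotected flushes:", len(flush_times(BURST, hello, threshold, False)))
    print("protected flushes at:", flush_times(BURST, hello, threshold))
    print("bound for 6 s:", worst_case_flushes(600, hello, threshold))
```

In the model the flush count is bounded by (threshold + 1) per Hello period regardless of how many TC-BPDUs arrive, while the genuine topology change at 5 seconds is still handled immediately.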
Context
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive
BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve
as the root bridge, and the network topology is illegitimately changed, triggering spanning tree
recalculation. This also may cause the traffic that should be transmitted over high-speed links
to be transmitted over low-speed links, leading to network congestion. The root protection
function on a switching device is used to protect the root bridge by preserving the role of the
designated port.
NOTE
Root protection is configured on a designated port. It takes effect only when being configured on the port
that functions as a designated port on all MSTIs. If root protection is configured on other types of ports, it
does not take effect.
Procedure
Step 1 Run:
system-view
This step is performed only when the interface needs to be bound to an MSTP process with a non-zero ID.
If the interface belongs to process 0, skip this step.
Step 4 Run:
stp root-protection
Context
On a network running MSTP, a switching device maintains the root port status and status of
blocked ports by receiving BPDUs from an upstream switching device. If the switching device
cannot receive BPDUs from the upstream because of link congestion or unidirectional-link
failure, the switching device re-selects a root port. The original root port becomes a designated
port and the original blocked ports change to the Forwarding state. This may cause network
loops. To address such a problem, configure loop protection.
After loop protection is configured, if the root port or alternate port does not receive BPDUs
from the upstream switching device, the root port is blocked and the switching device notifies
the NMS that the port enters the Discarding state. The blocked port remains in the Blocked state
and no longer forwards packets. This prevents loops on the network. The root port restores the
Forwarding state after receiving new BPDUs.
NOTE
An alternate port is a backup port of a root port. If a switching device has an alternate port, you need to
configure loop protection on both the root port and the alternate port.
Do as follows on a root port and an alternate port on a switching device in an MST region:
Procedure
Step 1 Run:
system-view
This step is performed only when the interface needs to be bound to an MSTP process with a non-zero ID.
If the interface belongs to process 0, skip this step.
Step 4 Run:
stp loop-protection
Loop protection for the root port is configured on the switching device.
By default, loop protection is disabled.
----End
Context
Share-link protection is used in the scenario where a switching device is dual homed to a network.
When a share link fails, share-link protection forcibly changes the working mode of a local
switching device to RSTP. This function can also be used together with root protection to avoid
network loops.
Procedure
Step 1 Run:
system-view
Prerequisite
All configurations of MSTP protection functions are complete.
Procedure
- Run the display stp [ instance instance-id ] [ interface { interface-type interface-number } ] [ brief ] command to view spanning-tree status and statistics.
----End
Applicable Environment
On an MSTP network, inconsistent protocol packet formats and BPDU keys may lead to a
communication failure. Configuring proper MSTP parameters on Huawei devices ensures
interoperability between Huawei devices and non-Huawei devices.
Pre-configuration Tasks
Before configuring MSTP interoperability between Huawei devices and non-Huawei devices,
complete the following task:
Data Preparation
To configure MSTP interoperability between Huawei devices and non-Huawei devices, you
need the following data.
No.
Data
BPDU format
Context
The rapid transition mechanism is also called the Proposal/Agreement mechanism. Switching
devices currently support the following modes:
- Enhanced mode: The current interface counts a root port when it computes the
  synchronization flag bit.
  - An upstream device sends a Proposal message to a downstream device, requesting rapid
    status transition. After receiving the message, the downstream device sets the port
    connected to the upstream device as a root port and blocks all non-edge ports.
  - The upstream device then sends an Agreement message to the downstream device. After
    the downstream device receives the message, the root port transitions to the Forwarding
    state.
  - The downstream device then responds to the Proposal message with an Agreement
    message. After receiving the message, the upstream device sets the port connected to
    the downstream device as a designated port, and the designated port transitions to the
    Forwarding state.
- Common mode: The current interface ignores the root port when it computes the
  synchronization flag bit.
  - An upstream device sends a Proposal message to a downstream device, requesting rapid
    status transition. After receiving the message, the downstream device sets the port
    connected to the upstream device as a root port and blocks all non-edge ports. The root
    port then transitions to the Forwarding state.
  - The downstream device responds to the Proposal message with an Agreement message.
    After receiving the message, the upstream device sets the port connected to the
    downstream device as a designated port. The designated port then transitions to the
    Forwarding state.
When Huawei Datacom devices are interworking with non-Huawei devices, select either mode
depending on the Proposal/Agreement mechanism on non-Huawei devices.
Procedure
Step 1 Run:
system-view
This step binds an interface to an MSTP process with a non-zero ID. If the interface belongs to process 0,
skip this step.
Step 4 Run:
stp no-agreement-check
Context
MSTP protocol packets have two formats: dot1s (IEEE 802.1s standard packets) and legacy
(proprietary protocol packets). The auto mode is introduced to allow an interface to automatically
use the format of MSTP protocol packets sent from the remote interface. In this manner, the two
interfaces use the same MSTP protocol packet format.
Do as follows on a switching device in an MST region:
Procedure
Step 1 Run:
system-view
This step binds an interface to an MSTP process with a non-zero ID. If the interface belongs to process 0,
skip this step.
Step 4 Run:
stp compliance { auto | dot1s | legacy }
If the format of MSTP packets is set to dot1s on one end and legacy on the other end, the negotiation fails.
----End
Context
Do as follows on a switching device in an MST region:
Procedure
Step 1 Run:
system-view
This step binds an interface to an MSTP process with a non-zero ID. If the interface belongs to process 0,
skip this step.
Step 4 Run:
stp config-digest-snoop
Prerequisite
All the configurations for the interoperability between Huawei devices and non-Huawei devices
are complete.
Procedure
- Run the display stp [ instance instance-id ] [ interface { interface-type interface-number } ] [ brief ] command to view spanning-tree status and statistics.
----End
Context
CAUTION
MSTP statistics cannot be restored after you clear them. Therefore, exercise caution when using
the reset commands.
After you confirm that MSTP statistics need to be cleared, run the following command in the
user view.
Procedure
Step 1 Run the reset stp [ interface interface-type interface-number ] statistics command to clear
spanning-tree statistics.
----End
Networking Requirements
SwitchA, SwitchB, SwitchC, and SwitchD run MSTP. In this example, MSTP runs on Layer 2
interfaces of the Switches.
Figure 9-9 Networking diagram of basic MSTP configurations
[Figure: SwitchA, SwitchB, SwitchC, and SwitchD interconnected through interfaces GE1/0/1, GE1/0/2, and GE2/0/1.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Add SwitchA and SwitchC to MST region RG1, and create MSTI1.
2. Add SwitchB and SwitchD to MST region RG2, and create MSTI1.
3.
4.
In RG1, configure SwitchA as the CIST regional root and regional root of MSTI1.
Configure the root protection function on GE 1/0/2 and GE 1/0/1 on SwitchA.
5. In RG2, configure SwitchB as the CIST regional root and SwitchD as the regional root of
   MSTI1.
6.
7.
Configure the Switches to calculate the path cost by using the Huawei algorithm.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Configure SwitchA.
# Set the priority of SwitchA in MSTI0 to 0 to ensure that SwitchA functions as the CIST root.
[SwitchA] stp instance 0 priority 0
# Set the priority of SwitchA in MSTI1 to 0 to ensure that SwitchA functions as the regional
root of MSTI1.
[SwitchA] stp instance 1 priority 0
# Configure SwitchA to use Huawei private algorithm to calculate the path cost.
[SwitchA] stp pathcost-standard legacy
# Enable MSTP.
[SwitchA] stp enable
# Set the priority of SwitchB in MSTI0 to 4096 to ensure that SwitchB functions as the CIST
root.
[SwitchB] stp instance 0 priority 4096
# Configure SwitchB to use Huawei private algorithm to calculate the path cost.
[SwitchB] stp pathcost-standard legacy
# Enable MSTP.
[SwitchB] stp enable
# Configure SwitchC to use Huawei private algorithm to calculate the path cost.
[SwitchC] stp pathcost-standard legacy
# Enable MSTP.
[SwitchC] stp enable
# Set the priority of SwitchD in MSTI1 to 0 to ensure that SwitchD functions as the regional
root of MSTI1.
[SwitchD] stp instance 1 priority 0
# Configure SwitchD to use Huawei private algorithm to calculate the path cost.
[SwitchD] stp pathcost-standard legacy
# Enable MSTP.
 Role  STP State   Protection
 DESI  FORWARDING  ROOT
 DESI  FORWARDING  ROOT
 DESI  FORWARDING  ROOT
 DESI  FORWARDING  ROOT
The priority of SwitchA is the highest in the CIST; therefore, SwitchA is elected as the CIST
root and regional root of RG1. GE 1/0/2 and GE 1/0/1 of SwitchA are designated ports in the
CIST.
The priority of SwitchA in MSTI1 is the highest in RG1; therefore, SwitchA is elected as the
regional root of SwitchA. GE 1/0/2 and GE 1/0/1 of SwitchA are designated ports in MSTI1.
# Run the display stp interface brief commands on SwitchC. The displayed information is as
follows:
<SwitchC> display stp interface GigabitEthernet 2/0/1 brief
 MSTID  Port                  Role  STP State   Protection
 0      GigabitEthernet2/0/1  ROOT  FORWARDING  NONE
 1      GigabitEthernet2/0/1  ROOT  FORWARDING  NONE
<SwitchC> display stp interface GigabitEthernet 1/0/2 brief
 MSTID  Port                  Role  STP State   Protection
 0      GigabitEthernet1/0/2  DESI  FORWARDING  NONE
 1      GigabitEthernet1/0/2  DESI  FORWARDING  NONE
GE 2/0/1 of SwitchC is the root port in the CIST and MSTI1. GE 1/0/2 of SwitchC is a designated
port in the CIST and MSTI1.
# Run the display stp brief command on SwitchB. The displayed information is as follows:
<SwitchB> display stp brief
 MSTID  Port                  Role  STP State   Protection
 0      GigabitEthernet1/0/2  ROOT  FORWARDING  NONE
 0      GigabitEthernet1/0/1  DESI  FORWARDING  NONE
 1      GigabitEthernet1/0/2  MAST  FORWARDING  NONE
 1      GigabitEthernet1/0/1  ROOT  FORWARDING  NONE
The priority of SwitchB in the CIST is lower than that of SwitchA; therefore, GE 1/0/2 of
SwitchB functions as the root port in the CIST. SwitchA and SwitchB belong to different regions;
therefore, GE 1/0/2 of SwitchB functions as the master port in MSTI1. In MSTI1, the priority
of SwitchB is lower than that of SwitchD; therefore, GE 1/0/1 of SwitchB functions as the root
port. The priority of SwitchB in the CIST is higher than that of SwitchB; therefore, GE 1/0/1 of
SwitchB functions as the designated port in the CIST.
# Run the display stp interface brief commands on SwitchD. The displayed information is as
follows:
<SwitchD> display stp interface GigabitEthernet 2/0/1 brief
 MSTID  Port                  Role  STP State   Protection
 0      GigabitEthernet2/0/1  ROOT  FORWARDING  NONE
 1      GigabitEthernet2/0/1  DESI  FORWARDING  NONE
<SwitchD> display stp interface GigabitEthernet 1/0/2 brief
 MSTID  Port                  Role  STP State   Protection
 0      GigabitEthernet1/0/2  ALTE  DISCARDING  NONE
 1      GigabitEthernet1/0/2  ALTE  DISCARDING  NONE
On SwitchD, GE 1/0/2 functions as the alternate port in the CIST. SwitchD and SwitchC are in
different regions; therefore, GE 1/0/2 of SwitchD also functions as the alternate port in MSTI1.
GE 2/0/1 of SwitchD is the root port in the CIST. The priority of SwitchD is higher than that of
SwitchB in MSTI1; therefore, GE 2/0/1 also functions as the designated port in MSTI1.
----End
Configuration Files
l
#
sysname SwitchA
#
vlan batch 2 to 20
#
stp instance 0 priority 0
stp instance 1 priority 0
stp pathcost-standard legacy
stp region-configuration
region-name RG1
instance 1 vlan 1 to 10
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
return
#
sysname SwitchB
#
vlan batch 2 to 20
#
stp instance 0 priority 4096
stp pathcost-standard legacy
stp region-configuration
region-name RG2
instance 1 vlan 1 to 10
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
return
#
sysname SwitchC
#
vlan batch 2 to 20
#
stp bpdu-protection
stp pathcost-standard legacy
stp region-configuration
region-name RG1
instance 1 vlan 1 to 10
active region-configuration
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 20
port hybrid untagged vlan 20
stp edged-port enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
return
#
sysname SwitchD
#
vlan batch 2 to 20
#
stp instance 1 priority 0
stp bpdu-protection
stp pathcost-standard legacy
stp region-configuration
region-name RG2
instance 1 vlan 1 to 10
active region-configuration
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
stp edged-port enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
return
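Configuration files in the format above can be checked mechanically for the protection functions described in this chapter. The following Python script is an added example, not part of the Huawei documentation: it flags edge ports without global BPDU protection, BPDU protection without any edge port, root protection and loop protection on the same interface, and the fast convergence mode. The finding names and the device SwitchX are hypothetical, and the sample text is constructed from SwitchC's file.

```python
# Constructed sample: SwitchC's file from this example (shortened) and a
# hypothetical SwitchX that triggers each finding.
SAMPLE = """\
#
sysname SwitchC
#
stp bpdu-protection
stp pathcost-standard legacy
#
interface GigabitEthernet1/0/1
 port hybrid pvid vlan 20
 stp edged-port enable
#
interface GigabitEthernet2/0/1
 port link-type trunk
#
return
#
sysname SwitchX
#
stp converge fast
#
interface GigabitEthernet1/0/1
 stp edged-port enable
#
interface GigabitEthernet1/0/2
 stp root-protection
 stp loop-protection
#
return
"""


def parse_devices(text):
    """Split configuration text into {device: {"global": set, "ifaces": dict}}."""
    devices, dev, iface = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()               # works with or without indentation
        if line in ("#", "return", ""):
            iface = None                 # '#' closes the current section
        elif line.startswith("sysname "):
            dev = devices.setdefault(line.split(None, 1)[1],
                                     {"global": set(), "ifaces": {}})
            iface = None
        elif dev is None:
            continue                     # ignore lines before the first sysname
        elif line.startswith("interface "):
            iface = dev["ifaces"].setdefault(line.split(None, 1)[1], set())
        elif iface is not None:
            iface.add(line)
        else:
            dev["global"].add(line)
    return devices


def audit(text):
    """Return a list of (device, finding, detail) tuples."""
    findings = []
    for name, dev in parse_devices(text).items():
        glob, ifaces = dev["global"], dev["ifaces"]
        edge = sorted(i for i, cmds in ifaces.items()
                      if "stp edged-port enable" in cmds)
        # Edge ports accept forged BPDUs unless BPDU protection is enabled.
        if edge and "stp bpdu-protection" not in glob:
            findings.append((name, "EDGE_WITHOUT_BPDU_PROTECTION", ", ".join(edge)))
        # BPDU protection presupposes that edge ports are configured.
        if "stp bpdu-protection" in glob and not edge:
            findings.append((name, "BPDU_PROTECTION_WITHOUT_EDGE_PORT", "-"))
        # Root protection applies to designated ports, loop protection to
        # root and alternate ports, so both on one interface is contradictory.
        for iface, cmds in sorted(ifaces.items()):
            if {"stp root-protection", "stp loop-protection"} <= cmds:
                findings.append((name, "ROOT_AND_LOOP_PROTECTION_ON_SAME_PORT", iface))
        # The normal convergence mode is the recommended one.
        if "stp converge fast" in glob:
            findings.append((name, "FAST_CONVERGENCE_MODE", "-"))
    return findings


if __name__ == "__main__":
    for device, finding, detail in audit(SAMPLE):
        print(f"{device}: {finding} ({detail})")
```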
Figure 9-10 Network diagram for connecting CEs to the VPLS in dual-homing mode
[Figure: CE1 (with PC1, 10.1.1.1/24) and CE2 (with PC2, 10.1.1.2/24) connect in dual-homing mode to the VPLS network formed by PE1 (1.1.1.1/32), PE2 (2.2.2.2/32), PE3 (3.3.3.3/32), and PE4 (4.4.4.4/32).]
Switch | Interface | VLANIF interface | IP address
PE1 | GigabitEthernet1/0/0 | - | -
PE1 | GigabitEthernet1/0/0.1 | - | -
PE1 | GigabitEthernet2/0/0 | VLANIF 10 | 172.1.1.1/24
PE1 | GigabitEthernet3/0/0 | VLANIF 40 | 172.4.1.2/24
PE1 | Loopback1 | - | 1.1.1.1/32
PE2 | GigabitEthernet1/0/0 | - | -
PE2 | GigabitEthernet1/0/0.1 | - | -
PE2 | GigabitEthernet2/0/0 | VLANIF 10 | 172.1.1.2/24
PE2 | GigabitEthernet3/0/0 | VLANIF 20 | 172.2.1.1/24
PE2 | Loopback1 | - | 2.2.2.2/32
PE3 | GigabitEthernet1/0/0 | - | -
PE3 | GigabitEthernet1/0/0.1 | - | -
PE3 | GigabitEthernet2/0/0 | VLANIF 20 | 172.2.1.2/24
PE3 | GigabitEthernet3/0/0 | VLANIF 30 | 172.3.1.1/24
PE3 | Loopback1 | - | 3.3.3.3/32
PE4 | GigabitEthernet1/0/0 | - | -
PE4 | GigabitEthernet1/0/0.1 | - | -
PE4 | GigabitEthernet2/0/0 | VLANIF 30 | 172.3.1.2/24
PE4 | GigabitEthernet3/0/0 | VLANIF 40 | 172.4.1.1/24
PE4 | Loopback1 | - | 4.4.4.4/32
CE1 | GigabitEthernet1/0/0 | VLANIF 100 | -
CE1 | GigabitEthernet1/0/1 | VLANIF 100 | -
CE1 | GigabitEthernet2/0/0 | VLANIF 100 | -
CE2 | GigabitEthernet1/0/0 | VLANIF 100 | -
CE2 | GigabitEthernet1/0/1 | VLANIF 100 | -
CE2 | GigabitEthernet2/0/1 | VLANIF 100 | -
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
Configure MSTP. Configure PE1 and PE2 as the primary roots, and configure PE3 and
PE4 as the secondary roots.
Data Preparation
To complete the configuration, you need the following data:
l
IP addresses of peers and tunnel policy used for setting up the peer relationship
Encapsulation mode of the sub-interfaces and VLANs that the sub-interfaces belong to
When associating VPLS with MSTP, you can bind a dot1q sub-interface, QinQ sub-interface, or VLANIF
interface to a VSI. Dot1q sub-interfaces are used in this example.
Procedure
Step 1 Configure the VLAN to which each interface belongs according to Figure 9-10.
The configuration procedure is not described here.
NOTE
- Do not add the AC-side physical interface and the PW-side physical interface of a PE to the same VLAN;
  otherwise, a loop occurs.
- Packets sent from the CEs to the PEs must contain VLAN tags.
# Configure PE1.
[PE1] mpls ldp remote-peer 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] remote-ip 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 4.4.4.4
[PE2-mpls-ldp-remote-4.4.4.4] remote-ip 4.4.4.4
[PE2-mpls-ldp-remote-4.4.4.4] quit
# Configure PE3.
[PE3] mpls ldp remote-peer 1.1.1.1
[PE3-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE3-mpls-ldp-remote-1.1.1.1] quit
# Configure PE4.
[PE4] mpls ldp remote-peer 2.2.2.2
[PE4-mpls-ldp-remote-2.2.2.2] remote-ip 2.2.2.2
[PE4-mpls-ldp-remote-2.2.2.2] quit
After the configuration, run the display mpls ldp session command on the PEs. You can see
that the status of the remote LDP peer relationship is Operational. This indicates that remote
LDP sessions are set up. Take the display on PE1 as an example.
[PE1] display mpls ldp session
 LDP Session(s) in Public Network
 ------------------------------------------------------------------------------
 Peer-ID        Status       LAM  SsnRole  SsnAge     KA-Sent/Rcv
 ------------------------------------------------------------------------------
 2.2.2.2:0      Operational  DU   Passive  000:00:08  33/33
 3.3.3.3:0      Operational  DU   Passive  000:00:07  29/29
 4.4.4.4:0      Operational  DU   Passive  000:00:00  1/1
 ------------------------------------------------------------------------------
 TOTAL: 3 session(s) Found.
 LAM : Label Advertisement Mode      SsnAge Unit : DDD:HH:MM
# Configure PE2.
[PE2] mpls l2vpn
# Configure PE3.
[PE3] mpls l2vpn
# Configure PE4.
[PE4] mpls l2vpn
# Configure PE2.
The configurations of PE3 and PE4 are similar to the configurations of PE1 and PE2, and are not
described here.
Step 7 Bind the VSI to interfaces on the PEs.
# Configure PE1.
[PE1] interface gigabitethernet 1/0/0.1
[PE1-GigabitEthernet1/0/0.1] control-vid 1000 dot1q-termination
[PE1-GigabitEthernet1/0/0.1] dot1q termination vid 100
[PE1-GigabitEthernet1/0/0.1] l2 binding vsi a2
[PE1-GigabitEthernet1/0/0.1] quit
# Configure PE2.
[PE2] interface gigabitethernet 1/0/0.1
[PE2-GigabitEthernet1/0/0.1] control-vid 1000 dot1q-termination
[PE2-GigabitEthernet1/0/0.1] dot1q termination vid 100
[PE2-GigabitEthernet1/0/0.1] l2 binding vsi a2
[PE2-GigabitEthernet1/0/0.1] quit
# Configure PE3.
[PE3] interface gigabitethernet 1/0/0.1
[PE3-GigabitEthernet1/0/0.1] control-vid 1000 dot1q-termination
[PE3-GigabitEthernet1/0/0.1] dot1q termination vid 100
[PE3-GigabitEthernet1/0/0.1] l2 binding vsi a2
[PE3-GigabitEthernet1/0/0.1] quit
# Configure PE4.
[PE4] interface gigabitethernet 1/0/0.1
[PE4-GigabitEthernet1/0/0.1] control-vid 1000 dot1q-termination
[PE4-GigabitEthernet1/0/0.1] dot1q termination vid 100
[PE4-GigabitEthernet1/0/0.1] l2 binding vsi a2
[PE4-GigabitEthernet1/0/0.1] quit
# Configure PE4.
[PE4] stp region-configuration
[PE4-mst-region] region-name RG1
[PE4-mst-region] active region-configuration
[PE4-mst-region] quit
# Configure CE1.
[CE1] stp region-configuration
[CE1-mst-region] region-name RG1
[CE1-mst-region] active region-configuration
[CE1-mst-region] quit
# Configure PE2.
[PE2] stp region-configuration
[PE2-mst-region] region-name RG1
# Configure PE3.
[PE3] stp region-configuration
[PE3-mst-region] region-name RG1
[PE3-mst-region] active region-configuration
[PE3-mst-region] quit
# Configure CE2.
[CE2] stp region-configuration
[CE2-mst-region] region-name RG1
[CE2-mst-region] active region-configuration
[CE2-mst-region] quit
2.
Configure the priorities of the PEs to make PE1 and PE2 the primary roots and PE3 and
PE4 the secondary roots.
# Configure PE1.
[PE1] stp instance 0 priority 0
# Configure PE2.
[PE2] stp instance 0 priority 0
# Configure PE3.
[PE3] stp instance 0 priority 4096
# Configure PE4.
[PE4] stp instance 0 priority 4096
3.
Enable association between MSTP and VPLS on the CEs and PEs, and configure root
protection on the secondary roots.
# Configure CE1.
[CE1] stp enable
[CE1] interface gigabitethernet 1/0/1
[CE1-GigabitEthernet1/0/1] stp enable
[CE1-GigabitEthernet1/0/1] quit
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] stp enable
[CE1-GigabitEthernet1/0/0] quit
# Configure CE2.
[CE2] stp enable
[CE2] interface gigabitethernet 1/0/1
[CE2-GigabitEthernet1/0/1] stp enable
[CE2-GigabitEthernet1/0/1] quit
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] stp enable
[CE2-GigabitEthernet1/0/0] quit
# Configure PE1.
[PE1] stp enable
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] stp vpls-subinterface enable
[PE1-GigabitEthernet1/0/0] stp enable
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] stp disable
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] stp disable
[PE1-GigabitEthernet3/0/0] quit
# Configure PE2.
[PE2] stp enable
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] stp vpls-subinterface enable
# Configure PE3.
[PE3] stp enable
[PE3] interface gigabitethernet 1/0/0
[PE3-GigabitEthernet1/0/0] stp vpls-subinterface enable
[PE3-GigabitEthernet1/0/0] stp root-protection
[PE3-GigabitEthernet1/0/0] stp enable
[PE3-GigabitEthernet1/0/0] quit
[PE3] interface gigabitethernet 2/0/0
[PE3-GigabitEthernet2/0/0] stp disable
[PE3-GigabitEthernet2/0/0] quit
[PE3] interface gigabitethernet 3/0/0
[PE3-GigabitEthernet3/0/0] stp disable
[PE3-GigabitEthernet3/0/0] quit
# Configure PE4.
[PE4] stp enable
[PE4] interface gigabitethernet 1/0/0
[PE4-GigabitEthernet1/0/0] stp vpls-subinterface enable
[PE4-GigabitEthernet1/0/0] stp root-protection
[PE4-GigabitEthernet1/0/0] stp enable
[PE4-GigabitEthernet1/0/0] quit
[PE4] interface gigabitethernet 2/0/0
[PE4-GigabitEthernet2/0/0] stp disable
[PE4-GigabitEthernet2/0/0] quit
[PE4] interface gigabitethernet 3/0/0
[PE4-GigabitEthernet3/0/0] stp disable
[PE4-GigabitEthernet3/0/0] quit
**PW Information:
 *Peer Ip Address        : 2.2.2.2
  PW State               : up
  Local VC Label         : 27648
  Remote VC Label        : 27648
  PW Type                : label
  Tunnel ID              : 0x10001,
 *Peer Ip Address        : 3.3.3.3
  PW State               : up
  Local VC Label         : 27649
  Remote VC Label        : 27649
  PW Type                : label
  Tunnel ID              : 0x10002,
 *Peer Ip Address        : 4.4.4.4
  PW State               : up
  Local VC Label         : 27650
  Remote VC Label        : 27650
  PW Type                : label
  Tunnel ID              : 0x10003,
When the link between CE1 and PE1 fails or PE1 is faulty, PE4 becomes the primary root. In
this case, PC1 and PE2 can still ping each other.
----End
Configuration Files
interface GigabitEthernet1/0/0.1
control-vid 1000 dot1q-termination
dot1q termination vid 100
l2 binding vsi a2
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 10
port hybrid tagged vlan 10
stp disable
#
interface GigabitEthernet3/0/0
port hybrid pvid vlan 40
port hybrid tagged vlan 40
stp disable
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.4.1.0 0.0.0.255
#
return
Networking Requirements
On the network with both Layer 2 single-access rings and multi-access rings deployed, switching
devices transmit both Layer 2 and Layer 3 services. To enable different rings to transmit different
services, configure MSTP multi-process. Spanning trees of different processes are calculated
independently.
As shown in Figure 9-11, both Layer 2 single-access rings and dual-access rings are deployed
and switches A and B carry both Layer 2 and Layer 3 services. In this networking, switches A
and B connected to dual-access rings are also connected to a single-access ring.
NOTE
In the ring where MSTP multi-process is configured, you are advised not to block the interface directly
connected to the root protection-enabled designated port.
Figure 9-11 Networking for MSTP multi-process for Layer 2 single-access rings and multi-access rings
[Diagram labels: Network, SwitchC, SwitchA, SwitchB, PE1, PE2, CEs; Region name: RG1; Process 1 with Instance1: VLAN2~100; Process 2 with Instance2: VLAN101~200; Process 3 with Instance3: VLAN201~300]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic MSTP functions, add devices to MST regions, and create MSTIs.
NOTE
2.
3.
4.
Data Preparation
To complete the configuration, you need the following data:
Name of an MST region and names of MSTIs (MSTI 1, MSTI 2, and MSTI 3)
Procedure
Step 1 Configure basic MSTP functions, add devices to an MST region, and create MSTIs.
1.
2. Enable MSTP.
# Configure Switch A.
[SwitchA] stp enable
# Configure Switch B.
[SwitchB] stp enable
# Add GE 1/0/3 and GE 1/0/4 on Switch A to MSTP process 1 and GE 1/0/2 to MSTP
process 2.
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] stp binding process 1
[SwitchA-GigabitEthernet1/0/4] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] stp binding process 1
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] stp binding process 2
[SwitchA-GigabitEthernet1/0/2] quit
# Add GE 1/0/3 and GE 1/0/4 on Switch B to MSTP process 3 and GE 1/0/2 to MSTP
process 2.
[SwitchB] interface gigabitethernet 1/0/4
[SwitchB-GigabitEthernet1/0/4] stp binding process 3
[SwitchB-GigabitEthernet1/0/4] quit
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] stp binding process 3
[SwitchB-GigabitEthernet1/0/3] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] stp binding process 2
[SwitchB-GigabitEthernet1/0/2] quit
2. Configure a share-link.
# Configure Switch A.
[SwitchA] interface gigabitethernet1/0/1
[SwitchA-GigabitEthernet1/0/1] stp binding process 2 link-share
[SwitchA-GigabitEthernet1/0/1] quit
# Configure Switch B.
[SwitchB] interface gigabitethernet1/0/1
[SwitchB-GigabitEthernet1/0/1] stp binding process 2 link-share
[SwitchB-GigabitEthernet1/0/1] quit
3.
stp enable
quit
stp enable
quit
# Configure Switch B.
[SwitchB] stp process 3
[SwitchB-stp-process-3] stp enable
[SwitchB-stp-process-3] quit
[SwitchB] stp process 2
[SwitchB-stp-process-2] stp enable
[SwitchB-stp-process-2] quit
# Configure Switch B.
[SwitchB] stp process 3
[SwitchB-stp-process-3]
[SwitchB-stp-process-3]
[SwitchB-stp-process-3]
[SwitchB] stp process 2
[SwitchB-stp-process-2]
[SwitchB-stp-process-2]
[SwitchB-stp-process-2] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] stp root-protection
[SwitchB-GigabitEthernet1/0/2] quit
NOTE
• In each ring, the priority of the MSTP process on the downstream CE must be lower than the priority of the MSTP process on the switching device.
• For switches A and B on the dual-access ring, you are advised to configure them as the primary root bridges of different MSTIs.
# Configure Switch B.
[SwitchB] stp process 2
[SwitchB-stp-process-2] stp link-share-protection
[SwitchB-stp-process-2] quit
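[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 2 to 100
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type trunk
[SwitchA-GigabitEthernet1/0/4] port trunk allow-pass vlan 2 to 100
[SwitchA-GigabitEthernet1/0/4] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 101 to 200
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 101 to 200
[SwitchA-GigabitEthernet1/0/2] quit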
# Create VLANs 101 to 300 on Switch B. Add GE 1/0/3 and GE 1/0/4 to VLANs 201 to 300, and add GE 1/0/1 and GE 1/0/2 to VLANs 101 to 200.
[SwitchB] vlan batch 101 to 300
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] port link-type trunk
[SwitchB-GigabitEthernet1/0/3] port trunk allow-pass vlan 201 to 300
[SwitchB-GigabitEthernet1/0/3] quit
[SwitchB] interface gigabitethernet 1/0/4
[SwitchB-GigabitEthernet1/0/4] port link-type trunk
[SwitchB-GigabitEthernet1/0/4] port trunk allow-pass vlan 201 to 300
[SwitchB-GigabitEthernet1/0/4] quit
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 101 to 200
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 101 to 200
[SwitchB-GigabitEthernet1/0/2] quit
• Run the display stp interface brief command on Switch B, and you can view the following information:
# GE 1/0/4 is a designated port in the CIST of MSTP process 3 and in MSTI 3.
[SwitchB] display stp process 3 interface gigabitethernet 1/0/4 brief
 MSTID  Port                  Role  STP State   Protection
     0  GigabitEthernet1/0/4  DESI  FORWARDING  NONE
     3  GigabitEthernet1/0/4  DESI  FORWARDING  NONE
----End
Configuration Files
Only the MSTP-related configuration files are listed.
10 SEP Configuration
Introduction
Generally, redundant links are used on an Ethernet switching network to provide link backup
and enhance network reliability. The use of redundant links, however, may produce loops,
causing broadcast storms and rendering the MAC address table unstable. As a result, the
communication quality deteriorates, and communication services may even be interrupted.
To solve the loop problem, Huawei datacom devices support the ring network protocols shown
in Table 10-1.
Table 10-1 Ring Network Protocol
Columns: Ring Network Protocol, Advantage, Disadvantage, Deployment Scenario
STP/RSTP/MSTP
Disadvantage: The network convergence time is at the second level, which cannot meet the requirements of some real-time services. The convergence time is affected by the network topology.
RRPP
Disadvantage:
• A Huawei device running RRPP cannot communicate with any non-Huawei device.
• RRPP has a high requirement on network topologies. Logical topologies need to be configured for a physical topology, and primary rings and sub-rings need to be defined for these logical topologies. Therefore, RRPP is not applicable to complex networks.
SEP
Advantage:
• SEP is a private protocol of Huawei. It boasts short convergence time (less than 50 ms). Huawei devices running SEP can communicate with non-Huawei devices running other types of ring protocols.
• SEP supports various types of networking modes. For example, a network running SEP can communicate with a network running STP, RSTP, MSTP, or RRPP. SEP supports all topologies and the display of network topologies. The blocked interface, therefore, can be quickly located. When a fault occurs, SEP can quickly locate the fault, improving network maintainability.
• SEP supports various policies for specifying an interface to block. This allows the implementation of traffic load balancing.
Disadvantage:
• The devices on a SEP-enabled network must be Huawei datacom devices.
• On a SEP network, after network convergence, a specified interface is blocked to prevent data traffic from passing through the interface, even if the link where the interface resides is a direct link.
Deployment Scenario: It is applicable to Layer 2 networks that have a high requirement on convergence time.
Definitions
The SEP protocol is a dedicated link layer protocol for use on Ethernet ring networks. A SEP
segment is the basic unit of the protocol. A SEP segment is composed of multiple interconnected
Layer 2 switching devices that are configured with the same SEP segment ID and control VLAN
ID.
Only two interfaces on a Layer 2 switching device can be added to the same SEP segment. In a
SEP segment, loops can be prevented by starting a protection mechanism to selectively block
certain interfaces and eliminate Ethernet redundant links. When a fault occurs on a ring network,
a device running SEP can quickly unblock the blocked interface to perform link switching. This
maintains normal communication between nodes on the ring network.
Figure 10-1 shows a typical SEP application. CE1 is connected to NPEs through a closed-ring
formed by switches. A VRRP backup group is deployed on the NPEs. Initially, the status of
NPE1 is master and the status of NPE2 is backup. When the link between NPE1 and LSW5 or
a node on the link becomes faulty (it is assumed that the link between LSW1 and LSW5 becomes
faulty), the following situations occur:
• If SEP is not deployed on the closed-ring, CE1 still forwards traffic along the original path, causing traffic interruption.
• If SEP is deployed on the closed-ring, the blocked interface on LSW5 becomes unblocked and enters the forwarding state. In addition, it sends Link Status Advertisements (LSAs) to instruct other nodes on the SEP segment to refresh their LSA databases. CE1 sends traffic along the backup link LSW5->LSW2->LSW4->LSW3->NPE1. This ensures proper traffic transmission.
[Figure 10-1, diagram labels: CE1; SEP segment with LSW1 to LSW5 at the access and aggregation layers; NPE1 (master) and NPE2 (backup) with VRRP + peer BFD; IP/MPLS core]
Basic Concepts
Basic SEP concepts are introduced by using Figure 10-1 and Figure 10-2.
[Figure 10-2, diagram labels: CE; SEP segment with LSW1 to LSW5; VLAN/VPLS]
SEP segment
A SEP segment is the basic unit of SEP. A SEP segment is composed of multiple
interconnected Layer 2 switching devices configured with the same SEP segment ID and
the same control VLAN ID.
A SEP segment corresponds to a ring-shaped or line-shaped Ethernet topology. Each SEP
segment has a control VLAN, edge interfaces, and common interfaces.
Control VLAN
In a SEP segment, the control VLAN is used to transmit only SEP packets.
Each SEP segment must be configured with a control VLAN. After being added to a SEP
segment configured with a control VLAN, an interface is added to the control VLAN
automatically.
Different SEP segments can use the same control VLAN.
Unlike a control VLAN, a data VLAN is used to transmit data packets.
Node
A node is a Layer 2 switching device added to a SEP segment. Only two interfaces on a
node can be added to the same SEP segment.
Interface role
As defined by SEP, interfaces are classified into common interfaces and edge interfaces.
As shown in Table 10-2, edge interfaces are further classified into primary edge interfaces,
secondary edge interfaces, no-neighbor primary edge interfaces, and no-neighbor
secondary edge interfaces.
NOTE
Normally, an edge interface and a no-neighbor edge interface belong to different SEP segments.
Columns: Interface roles, Sub-role, Description, Deployment Scenario
Roles and sub-roles listed: Common port; Primary edge port; Secondary edge port; No-neighbor secondary edge port
Deployment scenarios listed: Open ring network; Closed ring network; Multiple-ring networking; Hybrid SEP+RRPP ring networking; Hybrid SEP+MSTP ring networking
Blocked interface
In a SEP segment, an interface is blocked to prevent loops.
If you do not specify the interface as a blocked interface, any interface in a SEP segment
may be blocked. Only one interface is blocked in a SEP segment that works properly.
Forwarding: An interface in the forwarding state can forward user traffic, and receive and send SEP packets.
Discarding: An interface in the discarding state only receives and sends SEP packets.
The interface status does not depend on the interface role. An interface may be in forwarding
or discarding state regardless of its role.
1. After a SEP segment is created, the interfaces on each node of the ring network are added to the SEP segment, and a role is configured for each interface.
2. The neighbor negotiation mechanism is started after the interfaces are added to the SEP segment. One of the last two interfaces that complete neighbor negotiation becomes a blocked interface.
3. The blocked interface sends LSAs to instruct other nodes in the SEP segment to update their LSA databases.
The blocked interface lets SEP protocol packets pass through but not data packets.
4. After receiving the LSAs, the nodes update their LSA databases, and then determine forwarding paths. The loop is successfully broken.
[Figure 10-3, diagram labels: core layer (IP/MPLS core, NPE1, NPE2); aggregation layer (PE-AGG1, PE-AGG2, VRRP + peer BFD, VLAN/VPLS); access layer (SEP segment with LSW1 to LSW5, CE); legend: Primary Edge Node, Secondary Edge Node, Block Port]
As shown in Figure 10-3, the networking consists of the access layer, aggregation layer,
and core layer. The CE is dual-homed to the upstream Layer 2 network through LSW1 to
LSW5. LSW1 to LSW5 form an open ring network. The open ring network is deployed at
the access layer to implement Layer 2 transparent transmission of unicast and multicast
packets. SEP runs at the access layer to implement link redundancy.
On a closed ring network, an edge interface is deployed on each of the two edge devices.
[Figure 10-4, diagram labels: core layer (IP/MPLS core, NPE1, NPE2, VRRP + peer BFD); aggregation layer (SEP segment with LSW1 to LSW5); access layer (CE1, CE2, CE3)]
As shown in Figure 10-4, the CEs are dual-homed to the upstream Layer 2 network through
LSW1 to LSW5. The edge devices LSW1 and LSW5 are directly connected to each other.
LSW1 to LSW5 form a closed ring network. The closed ring network is deployed at the
aggregation layer to aggregate unicast and multicast services. SEP runs at the aggregation
layer to implement link redundancy.
On a closed ring network, two edge interfaces are deployed on one edge device.
• Multiple-ring networking
[Figure 10-5, diagram labels: core layer (IP/MPLS core, NPE1, NPE2, VRRP + peer BFD); aggregation layer (SEP Segment 1, LSW1 to LSW5); access layer (SEP Segment 2 to SEP Segment 5, LSW6 to LSW14); legend: Block Port]
As shown in Figure 10-5, LSW1 to LSW14 form multiple rings. LSW1 to LSW5 are at
the aggregation layer, and LSW6 to LSW14 are at the access layer. Layer 2 services are
transparently transmitted at the access layer and the aggregation layer. SEP runs at the
aggregation layer and access layer to implement link redundancy. If the topology of a SEP
segment at the access layer changes, a node in the SEP segment sends a Flush-FDB packet
to instruct the other nodes in the SEP segment to refresh their MAC address forwarding
tables and ARP tables. The edge devices in the SEP segment send TC packets to notify
devices at the upper layer that the topology of the SEP segment has changed.
In multi-ring networking, topology change notification among ring networks needs to be
configured.
• Hybrid networking
Hybrid SEP+MSTP ring networking
[Figure 10-6, diagram labels: core layer (IP/MPLS core, NPE1, NPE2, VRRP + peer BFD); aggregation layer (MSTP, PE1 to PE4); access layer (LSW2, LSW3)]
As shown in Figure 10-6, LSW1 to LSW3 form a SEP segment to access an MSTP
ring. The networking is called hybrid SEP+MSTP ring networking. LSW1 to LSW3
are at the access layer to transparently transmit Layer 2 unicast and multicast packets.
SEP runs at the access layer to implement link redundancy. If the topology of the SEP
segment at the access layer changes, a node in the SEP segment sends a Flush-FDB
packet to instruct the other nodes in the SEP segment to refresh their MAC forwarding
tables and ARP tables. LSW1 and LSW2 in the SEP segment send TC packets to notify
devices at the upper-layer that the topology of the SEP segment has changed.
In hybrid SEP+MSTP ring networking, no-neighbor edge interfaces need to be deployed
on the edge devices of SEP networks, and the SEP networks need to report topology
changes to STP networks.
Hybrid SEP+RRPP ring networking
[Figure 10-7, diagram labels: core layer (IP/MPLS core, NPE1, NPE2, VRRP + peer BFD); aggregation layer (RRPP, PE1 to PE4); access layer (SEP segment, LSW1 to LSW3); legend: Primary Edge Node, Secondary Edge Node, Block Port]
As shown in Figure 10-7, PE1, PE2 and LSW1 to LSW3 form a SEP segment to access
an RRPP ring. The networking is called hybrid SEP+RRPP ring networking. PE1, PE2
and LSW1 to LSW3 are at the access layer to transparently transmit Layer 2 unicast
and multicast packets. SEP runs at the access layer to implement link redundancy. If
the topology of the SEP segment at the access layer changes, a node in the SEP segment
sends a Flush-FDB packet to instruct the other nodes in the SEP segment to refresh their
MAC forwarding tables and ARP tables. PE1 and PE2 in the SEP segment send TC
packets to notify devices at the upper-layer that the topology of the SEP segment has
changed.
In hybrid SEP+RRPP ring networking, the SEP networks need to report topology
changes to RRPP networks on the edge devices of SEP networks.
NOTE
The basic SEP configurations in the preceding topologies are the same, except for the locations and
configurations of the primary edge interface, no-neighbor primary edge interface, secondary edge interface,
and no-neighbor secondary edge interface. For details about these interfaces, see Table 10-2.
1. After basic SEP functions are configured on devices, the devices start the SEP negotiation. One of the last two interfaces that complete neighbor negotiation is blocked to eliminate redundant links.
NOTE
When logging in to nodes on a SEP semi-ring through Telnet to configure them, note the following points:
• VLANIF interfaces and their IP addresses need to be configured, because these nodes are Layer 2 devices. The VLANs to which these VLANIF interfaces correspond must be mapped to the SEP protection instance.
• Basic SEP functions need to be configured from the node at one end of the semi-ring to the node at the other end of the semi-ring.
2. In some cases, however, the blocked interface obtained through the SEP calculation may not be the one you expect to be blocked. You can specify an interface to block as needed.
3. To implement load balancing and make efficient use of bandwidth, protected instances need to be deployed on a network running SEP and mappings between protected instances and VLANs need to be worked out.
4. A SEP network usually needs to work together with another network deployed with other features. To ensure network reliability, if the topology of either of the networks changes, the other network must be able to detect the topology change and take measures to implement reliable data transmission. Therefore, the topology change notification function needs to be enabled on the network running SEP.
Preemption
After the interface blocking mode is specified, whether the specified interface will be
blocked is determined by the preemption mode. Table 10-5 lists the preemption modes.
Table 10-5 Preemption mode
Columns: Preemption Mode, Advantage, Disadvantage
Preemption modes listed: Non-preemption mode; Delayed preemption; Manual preemption
SEP Multi-Instance
As shown in Figure 10-8, in regular SEP networking, a physical ring network can be configured
with only one SEP segment in which only one interface can be blocked. If an interface in the
SEP segment in the complete state is blocked, all user data is transmitted only along the path
where the primary edge interface is located. The path where the secondary edge interface is
located is idle, which leads to a waste of bandwidth.
[Figure 10-8, diagram labels: core layer (IP/MPLS core; NPE1 with group 1: Master and group 2: Backup; NPE2 with group 2: Master and group 1: Backup; VRRP + peer BFD); aggregation and access layers (SEP Segment1, LSW1 to LSW4); CE1, CE2; VLAN 100~200, VLAN 201~400; legend: Primary Edge Node, Secondary Edge Node, Block Port]
SEP multi-instance allows two SEP segments to be configured on one physical ring network.
All devices, interface roles, and control VLANs in each SEP segment must be configured in accordance with the basic SEP configuration principles. Each SEP segment has one blocked interface.
Each blocked interface detects whether the physical ring network is complete. The blocked
interfaces in the two SEP segments are independent of each other.
A physical ring network can be configured with one or two SEP segments. Each SEP segment
needs to be configured with a protected instance and each protected instance represents a VLAN
range. The topology calculated by a SEP segment is valid only for that SEP segment.
After different protected instances are configured for SEP segments and the mapping between
protected instances and VLANs is set, a blocked interface is valid only for the VLANs protected
by the SEP segment where the blocked interface resides. Data traffic of different VLANs can
be transmitted along different paths. This implements traffic load balancing and link backup.
[Figure 10-9, diagram labels: core layer (IP/MPLS core; NPE1 with group 1: Master and group 2: Backup; NPE2 with group 2: Master and group 1: Backup; VRRP + peer BFD); aggregation and access layers (LSW1 to LSW4); SEP Segment1 and SEP Segment2; Instance1: VLAN 100~200; Instance2: VLAN 201~400; blocked interfaces P1 and P2; CE1, CE2; legend: Primary Edge Node, Secondary Edge Node, Block Port]
As shown in Figure 10-9, the SEP multi-instance ring network that consists of LSW1 to LSW4
has two SEP segments. P1 is the blocked interface in SEP segment 1, and P2 is the blocked
interface in SEP segment 2.
• Protected instance 1 is configured in SEP segment 1 to protect the data of VLAN 100 to VLAN 200. The data is transmitted along path LSW1->LSW2->NPE1. As the blocked interface in SEP segment 2, P2 blocks only the data of VLAN 201 to VLAN 400.
• Protected instance 2 is configured in SEP segment 2 to protect the data of VLAN 201 to VLAN 400. The data is transmitted along path LSW3->LSW4->NPE2. As the blocked interface in SEP segment 1, P1 blocks only the data of VLAN 100 to VLAN 200.
In the case of a node or a link failure, each SEP segment calculates its own topology
independently, and the nodes in each SEP segment update their LSA databases.
Topology change caused by an interface fault
Topology change caused by a fault being rectified and the preemption function taking effect: One or more faults occur in the SEP segment. When the last fault is rectified and the blocked interface is preempted, the topology is considered changed.
Table 10-7 lists the situations in which topology changes are reported.
Table 10-7 SEP topology change notification
Columns: SEP Topology Change Notification, Scenario, Description, Solution
SEP Topology Change Notification: Topology change notification from a lower-layer network to an upper-layer network
Scenario: Networking where a SEP network is connected to an upper-layer network running other features such as SEP, STP, RRPP and SmartLink
Description:
• If an interface in a lower-layer SEP network becomes faulty, the topology of the SEP segment changes but the upper-layer network cannot detect the change. As a result, traffic is interrupted.
Solution: Configure the SEP topology change notification function.
Scenario: Networking scenario where a host is connected to a SEP network by using a SmartLink group
Description: During an active/standby switchover of member interfaces in the SmartLink group, the host sends a SmartLink Flush packet to notify the connected devices in the SEP segment of the switchover.
Solution: Enable the edge devices in the SEP segment to process SmartLink Flush packets.
Scenario: Networking scenario where a SEP network is connected to an upper-layer network configured with CFM.
Solution: Configure association between SEP and CFM.
Applicable Environment
Generally, redundant links are used to connect an Ethernet switching network to an upper-layer
network to provide link backup and enhance network reliability. The use of redundant links,
however, may produce loops, causing broadcast storms and rendering the MAC address table
unstable. As a result, the communication quality deteriorates, and communication services may
even be interrupted. SEP can be deployed on the ring network to block redundant links and
unblock them if a link fault occurs.
Pre-configuration Tasks
Before configuring basic SEP functions, complete the following tasks:
• Ensuring that the devices are powered on correctly and operate properly
Data Preparation
To configure basic SEP functions, you need the following data.
No.
Data
SEP segment ID
Procedure
Step 1 Run:
system-view
A SEP segment is created and the view of the SEP segment is displayed.
Before deleting a created SEP segment, you need to check whether there is any interface added
to the SEP segment. If there is an interface added to the SEP segment, run the undo sep
segment segment-id command in the interface view to delete the interface from the SEP segment.
Otherwise, the SEP segment cannot be deleted.
----End
Context
NOTE
On a SEP network that has no-neighbor edge interfaces, a device that is not in a SEP segment cannot be
added to the control VLAN of the SEP segment. Otherwise, a loop will be caused on the network.
Procedure
Step 1 Run:
system-view
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run:
control-vlan vlan-id
The control VLAN of the SEP segment is configured for transmitting SEP packets.
The control VLAN specified by vlan-id must be newly created and must not have been used by
RRPP or used in port trunk, default, mapping, or stacking mode.
• Different SEP segments can use the same control VLAN.
• If there is an interface added to the SEP segment, you cannot directly delete the control VLAN of the SEP segment. To delete the control VLAN, run the undo sep segment segment-id command in the interface view to delete the interface from the SEP segment, and then run the undo control-vlan command to delete the control VLAN.
• If there is no interface added to the SEP segment, you can run the control-vlan vlan-id command multiple times. Only the latest configuration takes effect.
• After the control VLAN is created successfully, the command used to create a common VLAN will be displayed in the configuration file.
Each SEP segment must be configured with a control VLAN. After an interface is added to
a SEP segment configured with a control VLAN, the interface will be automatically added
to the control VLAN.
If the interface type is Trunk, in the configuration file, the port trunk allow-pass vlan
command is displayed in the view of the interface added to the SEP segment.
If the interface type is Hybrid, in the configuration file, the port hybrid tagged vlan
command is displayed in the view of the interface added to the SEP segment.
----End
Procedure
Step 1 Run:
system-view
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run:
protected-instance { all | { instance-id1 [ to instance-id2 ] &<1-10> } }
Context
After an interface is added to a SEP segment, the interface sets its interface role to the primary edge interface if the interface has the right to participate in the election of the primary edge interface. Then, the interface periodically sends a primary edge interface-election packet without waiting for the success of neighbor negotiation.
The primary edge interface-election packet contains the role of the interface (primary edge
interface, secondary edge interface, or common interface), the bridge MAC address of the
interface, interface ID, and the status of the topology database.
Table 10-8 lists interface roles.
Table 10-8 Interface roles
Interface role | Sub-role | Description | Deployment scenario
Common port | | |
Edge port | Primary edge port | The primary edge interface initiates blocked-interface preemption, terminates packets, and sends packets about topology changes to other networks. | Open ring network; closed ring network; multiple-ring networking; hybrid SEP+RRPP ring networking
 | Secondary edge port | |
 | No-neighbor primary edge port | | Hybrid SEP+MSTP ring networking
NOTE
Normally, an edge interface and a no-neighbor edge interface belong to different SEP segments.
Before adding a Layer 2 interface to a SEP segment, ensure that STP has been disabled on the interface.
Before adding an interface to a SEP segment, configure a protected instance or a range of protected
instances.
Procedure
Step 1 Run:
system-view
The Ethernet interface is added to a specified SEP segment and a role is configured for it.
NOTE
----End
Prerequisite
The configurations of basic SEP functions are complete.
Procedure
- Run the display sep topology [ segment segment-id ] [ verbose ] command to check the
topology status of a specified SEP segment.
----End
Applicable Environment
In general, a blocked interface is one of the last two interfaces that complete neighbor negotiation.
In some cases, however, the negotiated blocked interface may not be the one you expect to be
blocked. You can specify an interface to block as needed. The designated blocking does not,
however, become effective immediately. A preemption mechanism allows a designated interface
to be blocked instead of a previously blocked interface.
Pre-configuration Tasks
Before specifying an interface to block, complete the following task:
l
Data Preparation
To specify an interface to block, you need the following data.
No.
Data
Context
In a SEP segment, an interface is blocked to prevent loops.
You can configure an interface blocking mode in order to specify the location of a blocked
interface. Table 10-9 lists interface blocking modes.
Table 10-9 Interface blocking mode
Interface blocking mode | Description
Do as follows on the device where the primary edge interface or the no-neighbor primary edge
interface is located:
Procedure
Step 1 Run:
system-view
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run:
block port { optimal | middle | hop hop-id | sysname sysname interface interface-type interface-number }
For information on how to select an interface blocking mode, see the preceding table.
----End
Follow-up Procedure
If the interface that has the highest priority is specified to block, run the sep segment segment-id priority priority command in the view of the interface to be blocked to increase its priority.
When a fault is rectified, the specified interface will be blocked.
The default priority of an interface added to a SEP segment is 64. The priority value of an
interface is an integer ranging from 1 to 128. The greater the priority value, the higher the priority.
Context
After the interface blocking mode is specified, whether the specified interface will be blocked
is determined by the preemption mode. Table 10-10 lists the preemption modes.
Table 10-10 Preemption mode
Preemption mode | Advantage | Disadvantage
Non-preemption mode | |
Delayed preemption | |
Manual preemption | |
The primary edge interface or no-neighbor primary edge interface has been elected in the
SEP segment.
The function of flexibly specifying a blocked interface is enabled on the device where the
primary edge interface or no-neighbor primary edge interface resides.
Do as follows on the Layer 2 switching device where the primary edge interface or the no-neighbor primary edge interface is elected.
Procedure
Step 1 Run:
system-view
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run:
preempt { manual | delay seconds }
Prerequisite
The configurations of specifying an interface to block are complete.
Procedure
- Run the display sep topology [ segment segment-id ] [ verbose ] command to check the
topology status of a specified SEP segment.
----End
Applicable Environment
In regular SEP networking, a physical ring network can be configured with only one SEP segment
in which only one interface can be blocked. If an interface in the SEP segment in the complete
state is blocked, all user data is transmitted only along the path where the primary edge interface
is located. The path where the secondary edge interface is located is idle, which leads to a waste
of bandwidth.
[Figure 10-10 (image not reproduced). Labels in the figure: Core, IP/MPLS Core, NPE1, NPE2, group 1: Master/Backup, group 2: Master/Backup; Aggregation, VRRP+peer BFD, LSW2, LSW4; Access, LSW1, LSW3, CE1, CE2, P1, P2; SEP Segment1, SEP Segment2, Instance1: VLAN 100~200, Instance2: VLAN 201~400; legend: Primary Edge Node, Secondary Edge Node, Block Port.]
To solve the problem of bandwidth waste and to implement traffic load balancing and link
backup, multi-instance can be deployed in the SEP network and mappings between protected
instances and user VLANs need to be set, as shown in Figure 10-10. Data traffic of different
VLANs can be transmitted along different paths.
NOTE
Currently, SEP multi-instance allows two SEP segments to be configured on a physical ring network.
Pre-configuration Tasks
Before configuring SEP multi-instance, complete the following tasks:
l
Data Preparation
To configure SEP multi-instance, you need the following data.
No.
Data
Context
After mappings between protected instances and VLANs are configured, the mappings need to
be activated to implement load balancing and link backup.
Procedure
Step 1 Run:
system-view
Prerequisite
The configurations of SEP multi-instance are complete.
Procedure
- Run the display sep topology [ segment segment-id ] [ verbose ] command to check the
topology status of a specified SEP segment.
----End
Applicable Environment
Currently, the S9300 can report topology changes in two modes, as shown in Table 10-11. You
can select a mode as needed.
Topology change notification from a lower-layer network to an upper-layer network
- Scenario: Networking where a SEP network is connected to an upper-layer network running
  other features such as SEP, STP, RRPP and SmartLink
  Description: If an interface in a lower-layer SEP network becomes faulty, the topology of the
  SEP segment changes but the upper-layer network cannot detect the change. As a result,
  traffic is interrupted.
  Solution: Configure the SEP topology change notification function.
- Scenario: Networking scenario where a host is connected to a SEP network by using a
  SmartLink group
  Description: During an active/standby switchover of member interfaces in the SmartLink
  group, the host sends a SmartLink Flush packet to notify the connected devices in the SEP
  segment of the switchover. If the connected devices in the SEP segment cannot identify the
  SmartLink Flush packet (that is, if these connected devices in the SEP segment cannot detect
  any topology change of the lower-layer network), traffic will be interrupted.
  Solution: Enable the edge devices in the SEP segment to process SmartLink Flush packets.
Topology change notification from an upper-layer network to a lower-layer network
- Scenario: Networking scenario where a SEP network is connected to an upper-layer network
  configured with CFM.
  Solution: Configure association between SEP and CFM.
Pre-configuration Tasks
Before configuring the topology change notification function, complete the following tasks:
l
Data Preparation
To configure the topology change notification function, you need the following data.
No.
Data
SEP segment ID
Names of the Maintenance Domain (MD) and the Maintenance Association (MA),
ID and type of a MEP, name of the interface on which the Maintenance association
End Point (MEP) resides, name of the interface enabled with Ethernet CFM, and name
of the interface associated with Ethernet CFM
10.5.2 Reporting Topology Changes of a Lower-Layer Network - SEP Topology Change Notification
SEP runs at the access layer. To help an upper-layer network to detect whether the topology of
the network at the access layer changes, configure the SEP topology change notification function
on the device connecting the lower-layer network to the upper-layer network.
Context
If the topology of a specified SEP segment changes but the topology change is not reported to
the upper-layer network in time, the MAC address tables of the devices on the upper-layer
network retain the MAC address entries generated before the topology of the lower-layer
network changes. As a result, user traffic is interrupted. To ensure nonstop traffic forwarding,
configure the device on the lower-layer network to report topology changes to the upper-layer
network. The objects that are notified of topology changes can be specified as needed.
NOTE
Currently, topology changes of a SEP segment can be reported to other SEP segments, STP networks,
RRPP networks and SmartLink networks.
Procedure
Step 1 Run:
system-view
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run:
tc-notify { segment { segment-id1 [ to segment-id2 ] } &<1-10> | stp | rrpp | smartlink send-packet vlan vlan-id }
The topology change of a specified SEP segment is reported to another SEP segment or a network
running other ring protocols such as STP or RRPP.
By default, the topology change of a SEP segment is not reported.
----End
Follow-up Procedure
In the networking scenario where three or more SEP ring networks exist, when a TC notification
packet is sent through multiple links, the upper-layer network will receive it multiple times. This
reduces the efficiency for processing packets on the upper-layer network. Therefore, TC
notification packets need to be suppressed. Suppressing TC notification packets frees the upper-layer network from processing multiple duplicate packets and protects the devices in the SEP
segment against TC notification packet attacks.
Run the tc-protection interval interval-value command in the SEP-segment view to set the
interval for suppressing TC notification packets.
By default, the interval for suppressing TC notification packets is 2s, and three TC notification
packets with different source addresses are processed within 2s.
NOTE
- In the networking scenario where three or more SEP ring networks exist, this command must be run.
If this command is not run, the default interval for suppressing TC notification packets is used.
- A longer interval ensures stable SEP operation but deteriorates the convergence performance.
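The suppression behaviour and the interval trade-off described above can be modelled offline. The following Python model is an added example, not Huawei's implementation: the fixed-window timer, the handling of repeats from the same source, and the trace (constructed addresses and timestamps) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

DEFAULT_INTERVAL_S = 2.0  # default suppression interval stated in the guide
MAX_SOURCES = 3           # notifications with different sources processed per interval


@dataclass
class TcSuppressor:
    """Model of tc-protection as a fixed window opened by the first notification.

    Assumption: a new window opens with the first notification that arrives
    after the interval has elapsed; the guide does not describe the timer.
    """
    interval: float = DEFAULT_INTERVAL_S
    max_sources: int = MAX_SOURCES
    window_start: Optional[float] = None
    seen: Set[str] = field(default_factory=set)

    def offer(self, now: float, source: str) -> bool:
        """Return True if the notification is processed, False if suppressed."""
        if self.window_start is None or now - self.window_start >= self.interval:
            self.window_start = now      # open a new suppression window
            self.seen = set()
        if source in self.seen:          # repeat from a source already handled
            return False
        if len(self.seen) >= self.max_sources:
            return False                 # budget of distinct sources is used up
        self.seen.add(source)
        return True


def replay(events, interval=DEFAULT_INTERVAL_S):
    """Feed (timestamp, source) pairs through one suppressor; return the decisions."""
    gate = TcSuppressor(interval=interval)
    return [gate.offer(t, src) for t, src in events]


# Constructed trace: a burst from five sources, then a later change from the
# fourth source (…0004) that a device should still react to.
TRACE = [
    (0.0, "00e0-fc00-0001"),
    (0.1, "00e0-fc00-0002"),
    (0.2, "00e0-fc00-0001"),   # duplicate
    (0.3, "00e0-fc00-0003"),
    (0.4, "00e0-fc00-0004"),   # fourth distinct source in the window
    (0.5, "00e0-fc00-0005"),
    (2.5, "00e0-fc00-0004"),   # new topology change after the burst
    (2.6, "00e0-fc00-0004"),   # duplicate of it
]

if __name__ == "__main__":
    for interval in (2.0, 5.0):
        decisions = replay(TRACE, interval)
        print(f"interval={interval}s processed={sum(decisions)} "
              f"suppressed={len(decisions) - sum(decisions)}")
```

With the 2 s default the change at 2.5 s is processed; with a 5 s interval it is suppressed, which is the convergence cost the NOTE refers to.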
10.5.3 Reporting Topology Changes of a Lower-Layer Network - Enabling the Edge Devices in a SEP Segment to Process SmartLink Flush Packets
In the networking where a host is connected to a SEP network by using a SmartLink group, if
the active/standby switchover of member interfaces in the SmartLink group occurs, the host
sends SmartLink Flush packets to inform the edge devices in the SEP segment of the switchover.
Therefore, the edge devices in the SEP segment must be able to process SmartLink Flush packets.
Procedure
Step 1 Run:
system-view
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run:
deal smart-link-flush
After receiving a SmartLink Flush packet, the edge device in a SEP segment floods Flush-FDB packets to notify the other devices in the SEP segment of topology changes.
By default, no device in a SEP segment is enabled to process SmartLink Flush packets.
----End
10.5.4 Reporting Topology Changes of an Upper-Layer Network - Configuring Association Between SEP and CFM
SEP runs at the access layer or aggregation layer. To help SEP networks to detect whether the
topology of an upper-layer network changes, you must configure association between SEP and
CFM on the device connecting the lower-layer network to the upper-layer network.
Context
When CFM detects a fault on the upper-layer network, the edge device notifies the OAM module
of the fault by sending a CFM packet. Then, on the edge device, the SEP status of the interface
associated with CFM changes to Down.
After the SEP status of the interface associated with CFM on the edge device is Down, an
interface on the peer device of the edge device in the SEP segment needs to send a Flush-FDB
packet to notify other nodes that the topology changes. After a device in the SEP segment
receives the Flush-FDB packet, the blocked interface on the device is unblocked and enters the
Forwarding state. Then, the interface sends a Flush-FDB packet to instruct the other nodes in
the SEP segment to refresh the MAC address forwarding table and the ARP table. Therefore,
the lower-layer network can sense the fault of the upper-layer network, and the reliable
transmission of services is ensured.
NOTE
IEEE 802.1ag defines protocols and practices for Operations, Administration and Maintenance (OAM).
IEEE 802.1ag Ethernet CFM protocols comprise three protocols that work together to help administrators
debug Ethernet networks. These protocols are continuity check, link trace and loopback protocols. CFM
provides network-level OAM and is applicable to large-scaled end-to-end networking.
Procedure
Step 1 Run:
system-view
- ma ma-name: specifies a maintenance association (MA). The total length of md-name and
ma-name cannot be greater than 44 characters.
- interface must have been added to the SEP segment.
----End
Prerequisite
The configurations of the topology change notification function are complete.
Procedure
- Run the display sep interface verbose command to check the configuration of reporting
changes in the lower-layer network topology.
- Run the display this command in the OAM management view to check the configuration
of reporting changes in the upper-layer network topology.
----End
Context
CAUTION
SEP statistics cannot be restored after being cleared. Therefore, perform the action with caution.
Procedure
Step 1 Run the reset sep interface interface-type interface-number statistics command in the user view
to clear SEP statistics.
----End
Context
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.
Procedure
Step 1 Run the debugging sep { all | common | error | machine | message | pdu [ [ epa | lsa | nbr |
preempt ] [ transmit | receive ] ] } [ segment segment-id | interface interface-type interface-number ] command in the user view to debug SEP.
----End
Networking Requirements
Generally, redundant links are used to connect an Ethernet switching network to an upper-layer
network to provide link backup and enhance network reliability. The use of redundant links,
however, may produce loops, causing broadcast storms and rendering the MAC address table
unstable. As a result, the communication quality deteriorates, and communication services may
even be interrupted. SEP can be deployed on the ring network to block redundant links and
unblock them if a link fault occurs.
As shown in Figure 10-11, Layer 2 switching devices LSW1 to LSW5 form a ring network. In
this networking mode:
- SEP runs at the aggregation layer. When the ring network is functioning properly, SEP
blocks the redundant Ethernet links. When a link on the ring fails, SEP can quickly restore
communication between the nodes on the ring.
[Figure 10-11 (image not reproduced). Labels in the figure: Aggregation, Access, LSW1 to LSW5, SEP Segment1, CE1, VLAN 100, interfaces GE1/0/1 to GE1/0/3.]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Data Preparation
To complete the configuration, you need the following data:
- SEP segment ID
- Preemption mode
Procedure
Step 1 Configure basic SEP functions.
1.
Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the control VLAN
of SEP segment 1.
# Configure LSW1.
<Quidway> system-view
[Quidway] sysname LSW1
[LSW1] sep segment 1
[LSW1-sep-segment1] control-vlan 10
[LSW1-sep-segment1] protected-instance all
[LSW1-sep-segment1] quit
# Configure LSW2.
<Quidway> system-view
[Quidway] sysname LSW2
[LSW2] sep segment 1
[LSW2-sep-segment1] control-vlan 10
[LSW2-sep-segment1] protected-instance all
[LSW2-sep-segment1] quit
# Configure LSW3.
<Quidway> system-view
[Quidway] sysname LSW3
[LSW3] sep segment 1
[LSW3-sep-segment1] control-vlan 10
[LSW3-sep-segment1] protected-instance all
[LSW3-sep-segment1] quit
# Configure LSW4.
<Quidway> system-view
[Quidway] sysname LSW4
[LSW4] sep segment 1
[LSW4-sep-segment1] control-vlan 10
[LSW4-sep-segment1] protected-instance all
[LSW4-sep-segment1] quit
# Configure LSW5.
<Quidway> system-view
[Quidway] sysname LSW5
[LSW5] sep segment 1
[LSW5-sep-segment1] control-vlan 10
[LSW5-sep-segment1] protected-instance all
[LSW5-sep-segment1] quit
NOTE
- The control VLAN must be a VLAN that has not been created or used, but the configuration file
automatically displays the command for creating the VLAN.
- Each SEP segment must be configured with a control VLAN. After an interface is added to the
SEP segment configured with a control VLAN, the interface is automatically added to the control
VLAN.
2.
Add all devices on the ring to SEP segment 1 and configure port roles on the devices.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to the SEP segment,
disable STP on the interface.
# On LSW1, configure GE1/0/1 as the primary edge port and GE1/0/3 as the secondary
edge port.
# Configure LSW2.
[LSW2] interface gigabitethernet 1/0/1
[LSW2-GigabitEthernet1/0/1] stp disable
[LSW2-GigabitEthernet1/0/1] sep segment 1
[LSW2-GigabitEthernet1/0/1] quit
[LSW2] interface gigabitethernet 1/0/2
[LSW2-GigabitEthernet1/0/2] stp disable
[LSW2-GigabitEthernet1/0/2] sep segment 1
[LSW2-GigabitEthernet1/0/2] quit
# Configure LSW3.
[LSW3] interface gigabitethernet 1/0/1
[LSW3-GigabitEthernet1/0/1] stp disable
[LSW3-GigabitEthernet1/0/1] sep segment 1
[LSW3-GigabitEthernet1/0/1] quit
[LSW3] interface gigabitethernet 1/0/2
[LSW3-GigabitEthernet1/0/2] stp disable
[LSW3-GigabitEthernet1/0/2] sep segment 1
[LSW3-GigabitEthernet1/0/2] quit
# Configure LSW4.
[LSW4] interface gigabitethernet 1/0/1
[LSW4-GigabitEthernet1/0/1] stp disable
[LSW4-GigabitEthernet1/0/1] sep segment 1
[LSW4-GigabitEthernet1/0/1] quit
[LSW4] interface gigabitethernet 1/0/2
[LSW4-GigabitEthernet1/0/2] stp disable
[LSW4-GigabitEthernet1/0/2] sep segment 1
[LSW4-GigabitEthernet1/0/2] quit
# Configure LSW5.
[LSW5] interface gigabitethernet 1/0/1
[LSW5-GigabitEthernet1/0/1] stp disable
[LSW5-GigabitEthernet1/0/1] sep segment 1
[LSW5-GigabitEthernet1/0/1] quit
[LSW5] interface gigabitethernet 1/0/3
[LSW5-GigabitEthernet1/0/3] stp disable
[LSW5-GigabitEthernet1/0/3] sep segment 1
[LSW5-GigabitEthernet1/0/3] quit
3.
4.
5.
NOTE
- You must set the preemption delay when delayed preemption is adopted because there is no
default delay time.
- After all the faulty ports recover, the edge ports no longer receive fault notification packets. If
the primary edge port does not receive any fault notification packet, it starts the delay timer.
When the delay timer expires, nodes in the SEP segment start blocked port preemption.
To implement delayed preemption in this example, you need to simulate a port fault and then
rectify the fault. For example:
Run the shutdown command on GE1/0/2 of LSW2 to simulate a port fault, and then run the
undo shutdown command on GE1/0/2 to rectify the fault.
Step 2 Configure the Layer 2 forwarding function on CE1 and LSW1 to LSW5.
For details about the configuration, see the configuration files.
Step 3 Verify the configuration.
l Run the shutdown command on GE1/0/1 of LSW3 to simulate a port fault, and then run the
display sep interface command on LSW3 to check whether GE1/0/2 of LSW3 has switched
from the Discarding state to the Forwarding state.
<LSW3> display sep interface gigabitethernet 1/0/2
SEP segment 1
----------------------------------------------------------------
Interface           Port Role     Neighbor Status     Port Status
----------------------------------------------------------------
GE1/0/2             common        up                  forwarding
----End
Configuration Files
l
Networking Requirements
Generally, redundant links are used to connect an Ethernet switching network to an upper-layer
network to provide link backup and enhance network reliability. The use of redundant links,
however, may produce loops, causing broadcast storms and rendering the MAC address table
unstable. As a result, the communication quality deteriorates, and communication services may
even be interrupted. SEP can be deployed on the ring network to block redundant links and
unblock them if a link fault occurs.
As shown in Figure 10-12, multiple Layer 2 switching devices form ring networks at the access
layer and aggregation layer. In this networking mode:
- SEP runs at the access layer and aggregation layer. When the ring network is functioning
properly, SEP blocks the redundant Ethernet links. When a link on the ring fails, SEP can
quickly restore communication between the nodes on the ring.
[Figure 10-12 (image not reproduced). Labels in the figure: Aggregation, Access, LSW1 to LSW11, CE1 (VLAN 100), CE2 (VLAN 200), SEP Segment 1, SEP Segment 2, SEP Segment 3, interfaces GE1/0/1 to GE1/0/4; legend: Control VLAN 10, Control VLAN 20, Control VLAN 30, Block Port.]
Configuration Roadmap
The configuration roadmap is as follows:
1.
- On LSW1 to LSW5, add the interfaces on the ring at the access layer to SEP
segment 1. Configure the roles of GE1/0/1 and GE1/0/3 of LSW1 in SEP segment
1.
- Add GE1/0/2 of LSW2, GE1/0/1 and GE1/0/2 of LSW6 to LSW8, and GE1/0/2
of LSW3 to SEP segment 2. Configure the roles of GE1/0/2 of LSW2 and GE1/0/2
of LSW3 in SEP segment 2.
- Add GE1/0/1 of LSW3, GE1/0/1 and GE1/0/2 of LSW9 to LSW11, and GE1/0/1
of LSW4 to SEP segment 3. Configure the roles of GE1/0/1 of LSW2 and GE1/0/1
of LSW3 in SEP segment 3.
(3) Specify the port to block on the device where the primary edge port is located.
- In SEP segment 1, specify that the port with the highest priority will be blocked.
- In SEP segment 2, specify the device name and port name to block the specified
port.
- In SEP segment 3, specify that the blocked port be selected according to the
configured hop counts of ports.
(4) Configure the preemption mode on the device where the primary edge port is located.
Configure delayed preemption in SEP segment 1 and manual preemption in SEP
segment 2 and SEP segment 3.
(5) Configure the topology change notification function on the edge devices between SEP
segments, namely, LSW2, LSW3, and LSW4.
2.
Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW11.
Data Preparation
To complete the configuration, you need the following data:
- SEP segment ID
- Preemption mode
Procedure
Step 1 Configure basic SEP functions.
1.
Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30 as their
control VLANs, as shown in Figure 10-12.
# Configure LSW1.
<Quidway> system-view
[Quidway] sysname LSW1
[LSW1] sep segment 1
[LSW1-sep-segment1] control-vlan 10
[LSW1-sep-segment1] protected-instance all
[LSW1-sep-segment1] quit
# Configure LSW2.
<Quidway> system-view
[Quidway] sysname LSW2
[LSW2] sep segment 1
[LSW2-sep-segment1] control-vlan 10
[LSW2-sep-segment1] protected-instance all
[LSW2-sep-segment1] quit
[LSW2] sep segment 2
[LSW2-sep-segment2] control-vlan 20
[LSW2-sep-segment2] protected-instance all
[LSW2-sep-segment2] quit
# Configure LSW3.
<Quidway> system-view
[Quidway] sysname LSW3
[LSW3] sep segment 1
[LSW3-sep-segment1] control-vlan 10
[LSW3-sep-segment1] protected-instance all
[LSW3-sep-segment1] quit
[LSW3] sep segment 2
[LSW3-sep-segment2] control-vlan 20
[LSW3-sep-segment2] protected-instance all
[LSW3-sep-segment2] quit
[LSW3] sep segment 3
[LSW3-sep-segment3] control-vlan 30
[LSW3-sep-segment3] protected-instance all
[LSW3-sep-segment3] quit
# Configure LSW4.
<Quidway> system-view
[Quidway] sysname LSW4
[LSW4] sep segment 1
[LSW4-sep-segment1] control-vlan 10
[LSW4-sep-segment1] protected-instance all
[LSW4-sep-segment1] quit
[LSW4] sep segment 3
[LSW4-sep-segment3] control-vlan 30
[LSW4-sep-segment3] protected-instance all
[LSW4-sep-segment3] quit
# Configure LSW5.
<Quidway> system-view
[Quidway] sysname LSW5
[LSW5] sep segment 1
[LSW5-sep-segment1] control-vlan 10
[LSW5-sep-segment1] protected-instance all
[LSW5-sep-segment1] quit
- The control VLAN must be a VLAN that has not been created or used, but the configuration file
automatically displays the command for creating the VLAN.
- Each SEP segment must be configured with a control VLAN. After an interface is added to the
SEP segment configured with a control VLAN, the interface is automatically added to the control
VLAN.
2.
Add devices on the rings to the SEP segments and configure port roles according to Figure
10-12.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to the SEP segment,
disable STP on the interface.
# On LSW1, configure GE1/0/1 as the primary edge port and GE1/0/3 as the secondary
edge port.
[LSW1] interface gigabitethernet 1/0/1
[LSW1-GigabitEthernet1/0/1] stp disable
# Configure LSW2.
[LSW2] interface gigabitethernet 1/0/1
[LSW2-GigabitEthernet1/0/1] stp disable
[LSW2-GigabitEthernet1/0/1] sep segment 1
[LSW2-GigabitEthernet1/0/1] quit
[LSW2] interface gigabitethernet 1/0/3
[LSW2-GigabitEthernet1/0/3] stp disable
[LSW2-GigabitEthernet1/0/3] sep segment 1
[LSW2-GigabitEthernet1/0/3] quit
[LSW2] interface gigabitethernet 1/0/2
[LSW2-GigabitEthernet1/0/2] stp disable
[LSW2-GigabitEthernet1/0/2] sep segment 2 edge primary
[LSW2-GigabitEthernet1/0/2] quit
# Configure LSW3.
[LSW3] interface gigabitethernet 1/0/3
[LSW3-GigabitEthernet1/0/3] stp disable
[LSW3-GigabitEthernet1/0/3] sep segment 1
[LSW3-GigabitEthernet1/0/3] quit
[LSW3] interface gigabitethernet 1/0/4
[LSW3-GigabitEthernet1/0/4] stp disable
[LSW3-GigabitEthernet1/0/4] sep segment 1
[LSW3-GigabitEthernet1/0/4] quit
[LSW3] interface gigabitethernet 1/0/2
[LSW3-GigabitEthernet1/0/2] stp disable
[LSW3-GigabitEthernet1/0/2] sep segment 2 edge secondary
[LSW3-GigabitEthernet1/0/2] quit
[LSW3] interface gigabitethernet 1/0/1
[LSW3-GigabitEthernet1/0/1] stp disable
[LSW3-GigabitEthernet1/0/1] sep segment 3 edge secondary
[LSW3-GigabitEthernet1/0/1] quit
# Configure LSW4.
[LSW4] interface gigabitethernet 1/0/2
[LSW4-GigabitEthernet1/0/2] stp disable
[LSW4-GigabitEthernet1/0/2] sep segment 1
[LSW4-GigabitEthernet1/0/2] quit
[LSW4] interface gigabitethernet 1/0/3
[LSW4-GigabitEthernet1/0/3] stp disable
[LSW4-GigabitEthernet1/0/3] sep segment 1
[LSW4-GigabitEthernet1/0/3] quit
[LSW4] interface gigabitethernet 1/0/1
[LSW4-GigabitEthernet1/0/1] stp disable
[LSW4-GigabitEthernet1/0/1] sep segment 3 edge primary
[LSW4-GigabitEthernet1/0/1] quit
# Configure LSW5.
[LSW5] interface gigabitethernet 1/0/1
[LSW5-GigabitEthernet1/0/1] stp disable
[LSW5-GigabitEthernet1/0/1] sep segment 1
[LSW5-GigabitEthernet1/0/1] quit
[LSW5] interface gigabitethernet 1/0/3
[LSW5-GigabitEthernet1/0/3] stp disable
[LSW5-GigabitEthernet1/0/3] sep segment 1
[LSW5-GigabitEthernet1/0/3] quit
3.
# On LSW3, set the priority of GE1/0/4 to 128, which is the highest priority among the
ports so that GE1/0/4 will be blocked.
[LSW3] interface gigabitethernet 1/0/4
[LSW3-GigabitEthernet1/0/4] sep segment 1 priority 128
[LSW3-GigabitEthernet1/0/4] quit
Use the default priority for the other ports in SEP segment 1.
# On LSW2 where the primary edge port of SEP segment 2 is located, specify the device
name and port name so that the specified port will be blocked.
Before specifying the port to block, you can use the display sep topology command to
view the current topology information and obtain information about all the ports in the
topology. Then you can select the device name and port name.
[LSW2] sep segment 2
[LSW2-sep-segment2] block port sysname LSW7 interface gigabitethernet 1/0/1
[LSW2-sep-segment2] quit
# On LSW4 where the primary edge port of SEP segment 3 is located, specify that the
blocked port be selected according to the configured hop counts of ports.
[LSW4] sep segment 3
[LSW4-sep-segment3] block port hop 5
[LSW4-sep-segment3] quit
NOTE
SEP sets the hop count of the primary edge port to 1 and the hop count of the secondary edge port
to 2. Hop counts of other ports increase at a step of 1 in the downstream direction of the primary port.
4.
- You must set the preemption delay when delayed preemption is adopted because there is no
default delay time.
- After all the faulty ports recover, the edge ports no longer receive fault notification packets. If
the primary edge port does not receive any fault notification packet, it starts the delay timer.
When the delay timer expires, nodes in the SEP segment start blocked port preemption.
To implement delayed preemption in this example, you need to simulate a port fault and then
rectify the fault. For example:
Run the shutdown command on GE1/0/2 of LSW2 to simulate a port fault, and then run the
undo shutdown command on GE1/0/2 to rectify the fault.
5.
# Configure LSW2.
[LSW2] sep segment 2
[LSW2-sep-segment2] tc-notify segment 1
[LSW2-sep-segment2] quit
# Configure LSW3.
[LSW3] sep segment 2
[LSW3-sep-segment2] tc-notify segment 1
[LSW3-sep-segment2] quit
# Configure LSW4.
[LSW4] sep segment 3
[LSW4-sep-segment3] tc-notify segment 1
[LSW4-sep-segment3] quit
NOTE
The topology change notification function is configured on edge devices between SEP segments so
that the upper-layer network can be notified of topology changes on the lower-layer network.
Step 2 Configure the Layer 2 forwarding function on the CEs and LSW1 to LSW11.
For details about the configuration, see the configuration files.
Step 3 Verify the configuration.
After completing the preceding configurations, do as follows to verify the configuration. LSW1
is used as an example.
l Run the shutdown command on GE1/0/1 of LSW2 to simulate a port fault, and then run the
display sep interface command on LSW3 to check whether GE1/0/4 of LSW3 has switched
from the Discarding state to the Forwarding state.
<LSW3> display sep interface gigabitethernet 1/0/4
SEP segment 1
----------------------------------------------------------------
Interface           Port Role     Neighbor Status     Port Status
----------------------------------------------------------------
GE1/0/4             common        up                  forwarding
----End
Configuration Files
#
interface GigabitEthernet1/0/2
port hybrid pvid vlan 300
port hybrid tagged vlan 100 200
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/3
port hybrid tagged vlan 10 100 200 300
stp disable
sep segment 1 edge secondary
#
return
stp disable
sep segment 2 edge secondary
#
interface GigabitEthernet1/0/3
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1
#
interface GigabitEthernet1/0/4
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1
sep segment 1 priority 128
#
return
#
interface GigabitEthernet1/0/3
port hybrid tagged vlan 10 100 200 300
stp disable
sep segment 1
#
return
interface GigabitEthernet1/0/2
port hybrid tagged vlan 20 200
stp disable
sep segment 2
#
return
Networking Requirements
Generally, redundant links are used to connect an Ethernet switching network to an upper-layer
network to provide link backup and enhance network reliability. The use of redundant links,
however, may produce loops, causing broadcast storms and rendering the MAC address table
unstable. As a result, the communication quality deteriorates, and communication services may
even be interrupted. SEP can be deployed on the ring network to block redundant links and
unblock them if a link fault occurs.
NOTE
In this example, devices at the aggregation layer run the MSTP protocol.
As shown in Figure 10-13, multiple Layer 2 switching devices form a ring at the access layer,
and multiple Layer 3 devices form a ring at the aggregation layer. In this case, SEP needs to run
at the access layer to implement the following functions:
• When there is no faulty link on the ring network, SEP helps to eliminate loops.
• When a link fault occurs on the ring network, SEP helps to rapidly restore the
communication between nodes.
MAC addresses and relearn MAC addresses after the topology of the lower-layer network
changes. This ensures nonstop traffic forwarding.
Figure 10-13 Networking diagram of a hybrid-ring SEP network
[Figure: aggregation layer with PE1 to PE4 running MSTP (PE1 and PE2 do not support SEP); access layer with LSW1, LSW2, and LSW3 in SEP Segment1; CE in VLAN 100.]
Configuration Roadmap
The configuration roadmap is as follows:
1.
PE1 and PE2 do not support the SEP protocol; therefore, the ports of LSW1 and LSW2
connected to the PEs must be no-neighbor edge ports.
(3) On the device where the no-neighbor primary edge port is located, specify the port in
the middle of the SEP segment as the port to block.
(4) Configure manual preemption.
(5) Configure the topology change notification function so that the upper-layer network
running MSTP can be notified of topology changes in the SEP segment.
2.
3.
Data Preparation
To complete the configuration, you need the following data:
• SEP segment ID
• Preemption mode
• MST region name, MSTI ID, and priorities of the PEs in the region
Procedure
Step 1 Configure basic SEP functions.
1.
Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the control VLAN
of SEP segment 1.
# Configure LSW1.
<Quidway> system-view
[Quidway] sysname LSW1
[LSW1] sep segment 1
[LSW1-sep-segment1] control-vlan 10
[LSW1-sep-segment1] protected-instance all
[LSW1-sep-segment1] quit
# Configure LSW2.
<Quidway> system-view
[Quidway] sysname LSW2
[LSW2] sep segment 1
[LSW2-sep-segment1] control-vlan 10
[LSW2-sep-segment1] protected-instance all
[LSW2-sep-segment1] quit
# Configure LSW3.
<Quidway> system-view
[Quidway] sysname LSW3
[LSW3] sep segment 1
[LSW3-sep-segment1] control-vlan 10
[LSW3-sep-segment1] protected-instance all
[LSW3-sep-segment1] quit
NOTE
• The control VLAN must be a VLAN that has not been created or used, but the configuration file
automatically displays the command for creating the VLAN.
• Each SEP segment must be configured with a control VLAN. After an interface is added to the
SEP segment configured with a control VLAN, the interface is automatically added to the control
VLAN.
2.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to the SEP segment,
disable STP on the interface.
# Configure LSW1.
[LSW1] interface gigabitethernet 1/0/1
[LSW1-GigabitEthernet1/0/1] sep segment 1 edge no-neighbor primary
[LSW1-GigabitEthernet1/0/1] quit
[LSW1] interface gigabitethernet 1/0/2
[LSW1-GigabitEthernet1/0/2] stp disable
[LSW1-GigabitEthernet1/0/2] sep segment 1
[LSW1-GigabitEthernet1/0/2] quit
# Configure LSW2.
[LSW2] interface gigabitethernet 1/0/1
[LSW2-GigabitEthernet1/0/1] sep segment 1 edge no-neighbor secondary
[LSW2-GigabitEthernet1/0/1] quit
[LSW2] interface gigabitethernet 1/0/2
[LSW2-GigabitEthernet1/0/2] stp disable
[LSW2-GigabitEthernet1/0/2] sep segment 1
[LSW2-GigabitEthernet1/0/2] quit
# Configure LSW3.
[LSW3] interface gigabitethernet 1/0/1
[LSW3-GigabitEthernet1/0/1] stp disable
[LSW3-GigabitEthernet1/0/1] sep segment 1
[LSW3-GigabitEthernet1/0/1] quit
[LSW3] interface gigabitethernet 1/0/2
[LSW3-GigabitEthernet1/0/2] stp disable
[LSW3-GigabitEthernet1/0/2] sep segment 1
[LSW3-GigabitEthernet1/0/2] quit
3.
4.
5.
# Configure LSW2.
[LSW2] sep segment 1
[LSW2-sep-segment1] tc-notify stp
[LSW2-sep-segment1] quit
# Configure PE2.
<Quidway> system-view
[Quidway] sysname PE2
[PE2] stp region-configuration
[PE2-mst-region] region-name RG1
[PE2-mst-region] active region-configuration
[PE2-mst-region] quit
# Configure PE3.
<Quidway> system-view
[Quidway] sysname PE3
[PE3] stp region-configuration
[PE3-mst-region] region-name RG1
[PE3-mst-region] active region-configuration
[PE3-mst-region] quit
# Configure PE4.
<Quidway> system-view
[Quidway] sysname PE4
[PE4] stp region-configuration
[PE4-mst-region] region-name RG1
[PE4-mst-region] active region-configuration
[PE4-mst-region] quit
2.
1/0/1
hybrid tagged vlan 100
1/0/2
hybrid tagged vlan 100
1/0/3
hybrid tagged vlan 100
# On PE2, PE3, and PE4, create VLAN 100 and add GE1/0/1, GE1/0/2, and GE1/0/3 to
VLAN 100.
The configurations of PE2, PE3, and PE4 are similar to the configuration of PE1, and are
not mentioned here. For details about the configuration, see the configuration files.
3.
Enable MSTP.
# Configure PE1.
[PE1] stp enable
# Configure PE2.
[PE2] stp enable
# Configure PE3.
[PE3] stp enable
# Configure PE4.
[PE4] stp enable
4.
Configure PE3 as the root bridge and PE4 as the backup root bridge.
# Set the priority of PE3 to 0 in MSTI0 to ensure that PE3 functions as the root bridge.
[PE3] stp instance 0 priority 0
[PE3] stp root primary
# Set the priority of PE4 to 4096 in MSTI0 to ensure that PE4 functions as the backup root
bridge.
Step 3 Configure the Layer 2 forwarding function on the CE and LSW1 to LSW3.
For details about the configuration, see the configuration files.
Step 4 Verify the configuration.
After the configurations are complete and the network becomes stable, run the following commands
to verify the configuration. LSW1 is used as an example.
• Run the shutdown command on GE1/0/1 of LSW2 to simulate a port fault, and then run the
display sep interface command on LSW3 to check whether GE1/0/2 of LSW3 has switched
from the Discarding state to the Forwarding state.
<LSW3> display sep interface gigabitethernet 1/0/2
SEP segment 1
----------------------------------------------------------------
Interface    Port Role    Neighbor Status    Port Status
----------------------------------------------------------------
GE1/0/2      common       up                 forwarding
----End
Configuration Files
interface GigabitEthernet1/0/1
port hybrid tagged vlan 10 100
stp disable
sep segment 1 no-neighbor edge secondary
#
return
changes on an edge device in a SEP segment. This helps an upper-layer network to detect
topology changes of a lower-layer network in time.
Networking Requirements
Generally, redundant links are used to connect an Ethernet switching network to an upper-layer
network to provide link backup and enhance network reliability. The use of redundant links,
however, may produce loops, causing broadcast storms and rendering the MAC address table
unstable. As a result, the communication quality deteriorates, and communication services may
even be interrupted. SEP can be deployed on the ring network to block redundant links and
unblock them if a link fault occurs.
Figure 10-14 Networking diagram for hybrid rings running SEP+RRPP
[Figure: NPE1 and NPE2 at the network side; aggregation layer with PE1 to PE4 running RRPP; access layer with LSW1, LSW2, and LSW3 in SEP Segment1; CE in VLAN 100.]
As shown in Figure 10-14, multiple Layer 2 switching devices at the access layer and
aggregation layer form a ring network to access the core layer. RRPP has been configured at the
aggregation layer to eliminate loops. In this case, SEP needs to run at the access layer to
implement the following functions:
• When there is no faulty link on the ring network, SEP helps to eliminate loops.
• When a link fault occurs on the ring network, SEP helps to rapidly restore the
communication between nodes.
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
Configure a VLAN on PE3 and PE4 to transmit VRRP packets and BFD packets.
Data Preparation
To complete the configuration, you need the following data.
• SEP segment ID, control VLAN ID, roles of interfaces added to the SEP segment, interface
blocking mode, and SEP preemption mode.
Procedure
Step 1 Configure basic SEP functions.
1.
Configure a SEP segment with the ID being 1 and a control VLAN with the ID being 10.
# Configure PE1.
<Quidway> system-view
[Quidway] sysname PE1
[PE1] sep segment 1
[PE1-sep-segment1] control-vlan 10
[PE1-sep-segment1] protected-instance all
[PE1-sep-segment1] quit
# Configure PE2.
<Quidway> system-view
[Quidway] sysname PE2
[PE2] sep segment 1
[PE2-sep-segment1] control-vlan 10
[PE2-sep-segment1] protected-instance all
[PE2-sep-segment1] quit
# Configure LSW1.
<Quidway> system-view
[Quidway] sysname LSW1
[LSW1] sep segment 1
[LSW1-sep-segment1] control-vlan 10
[LSW1-sep-segment1] protected-instance all
[LSW1-sep-segment1] quit
# Configure LSW2.
<Quidway> system-view
[Quidway] sysname LSW2
[LSW2] sep segment 1
[LSW2-sep-segment1] control-vlan 10
[LSW2-sep-segment1] protected-instance all
[LSW2-sep-segment1] quit
# Configure LSW3.
<Quidway> system-view
[Quidway] sysname LSW3
[LSW3] sep segment 1
[LSW3-sep-segment1] control-vlan 10
[LSW3-sep-segment1] protected-instance all
[LSW3-sep-segment1] quit
2.
Add PE1, PE2 and LSW1 to LSW3 to Segment1 and configure roles of interfaces.
NOTE
By default, STP is enabled on an interface. Before adding an interface to a SEP segment, disable STP
on the interface.
# Configure PE1.
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] stp disable
[PE1-GigabitEthernet1/0/1] sep segment 1 edge primary
[PE1-GigabitEthernet1/0/1] quit
# Configure LSW1.
[LSW1] interface gigabitethernet 1/0/1
[LSW1-GigabitEthernet1/0/1] sep segment 1 edge no-neighbor primary
[LSW1-GigabitEthernet1/0/1] quit
[LSW1] interface gigabitethernet 1/0/2
[LSW1-GigabitEthernet1/0/2] stp disable
[LSW1-GigabitEthernet1/0/2] sep segment 1
[LSW1-GigabitEthernet1/0/2] quit
# Configure LSW2.
[LSW2] interface gigabitethernet 1/0/1
# Configure LSW3.
[LSW3] interface gigabitethernet 1/0/1
[LSW3-GigabitEthernet1/0/1] stp disable
[LSW3-GigabitEthernet1/0/1] sep segment 1
[LSW3-GigabitEthernet1/0/1] quit
[LSW3] interface gigabitethernet 1/0/2
[LSW3-GigabitEthernet1/0/2] stp disable
[LSW3-GigabitEthernet1/0/2] sep segment 1
[LSW3-GigabitEthernet1/0/2] quit
# Configure PE2.
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] stp disable
[PE2-GigabitEthernet1/0/1] sep segment 1 edge secondary
[PE2-GigabitEthernet1/0/1] quit
After completing the preceding configurations, run the display sep topology command on
PE1 to view the topology of the SEP segment. You can see that the blocked interface is
one of the last two interfaces that complete neighbor negotiation.
[PE1] display sep topology
SEP segment 1
----------------------------------------------------------------
System Name    Port Name    Port Role    Port Status
----------------------------------------------------------------
PE1            GE1/0/1      primary      forwarding
LSW1           GE1/0/1      common       forwarding
LSW1           GE1/0/2      common       forwarding
LSW3           GE1/0/2      common       forwarding
LSW3           GE1/0/1      common       forwarding
LSW2           GE1/0/2      common       forwarding
LSW2           GE1/0/1      common       forwarding
PE2            GE1/0/1      secondary    discarding
3.
4.
5.
# Configure PE2.
[PE2] sep segment 1
[PE2-sep-segment1] tc-notify rrpp
[PE2-sep-segment1] quit
After the preceding configurations are successful, perform the following operations to verify the
configurations. Take PE1 as an example.
• Run the display sep topology command on PE1 to view the information about the topology
of the SEP segment.
The command output shows that the forwarding status of GE 1/0/2 on LSW3 is
discarding and the forwarding status of the other interfaces is forwarding.
[PE1] display sep topology
SEP segment 1
----------------------------------------------------------------
System Name    Port Name    Port Role    Port Status
----------------------------------------------------------------
PE1            GE1/0/1      primary      forwarding
LSW1           GE1/0/1      common       forwarding
LSW1           GE1/0/2      common       forwarding
LSW3           GE1/0/2      common       discarding
LSW3           GE1/0/1      common       forwarding
LSW2           GE1/0/2      common       forwarding
LSW2           GE1/0/1      common       forwarding
PE2            GE1/0/1      secondary    forwarding
• Run the display sep interface verbose command on PE1 to view the detailed information
about the interfaces added to the SEP segment.
[PE1] display sep interface verbose
SEP segment 1
Control-vlan           :10
Preempt Delay Timer    :0
TC-Notify Propagate to :rrpp
----------------------------------------------------------------
Interface        :GE1/0/1
Port Role        :Config = primary / Active = primary
Port Priority    :64
Port Status      :forwarding
Neighbor Status  :up
Neighbor Port    :LSW1 - GE1/0/1 (00e0-0829-7c00.0000)
NBR TLV          rx :2124    tx :2126
LSP INFO TLV     rx :2939    tx :135
LSP ACK TLV      rx :113     tx :768
PREEMPT REQ TLV  rx :0       tx :3
PREEMPT ACK TLV  rx :3       tx :0
TC Notify        rx :5       tx :3
EPA              rx :363     tx :397
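The two display sep topology outputs of this example can be checked mechanically. The following Python code is an added example, not part of the Huawei guide: it parses both outputs, confirms that exactly one port in the segment is discarding, and confirms that the blocked port has moved from PE2 GE1/0/1 to LSW3 GE1/0/2. The function names and the aligned table layout of the sample input are assumptions made here.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Port(NamedTuple):
    system: str
    name: str
    role: str
    status: str


SEGMENT_RE = re.compile(r"^SEP segment (\d+)$")
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(forwarding|discarding)$")

# Sample input: the two `display sep topology` outputs of this example, laid
# out as aligned tables. BEFORE is the state right after neighbor negotiation,
# AFTER is the state once the blocked port has been moved to LSW3.
BEFORE = """\
SEP segment 1
----------------------------------------------------------------
System Name    Port Name    Port Role    Port Status
----------------------------------------------------------------
PE1            GE1/0/1      primary      forwarding
LSW1           GE1/0/1      common       forwarding
LSW1           GE1/0/2      common       forwarding
LSW3           GE1/0/2      common       forwarding
LSW3           GE1/0/1      common       forwarding
LSW2           GE1/0/2      common       forwarding
LSW2           GE1/0/1      common       forwarding
PE2            GE1/0/1      secondary    discarding
"""
AFTER = """\
SEP segment 1
----------------------------------------------------------------
System Name    Port Name    Port Role    Port Status
----------------------------------------------------------------
PE1            GE1/0/1      primary      forwarding
LSW1           GE1/0/1      common       forwarding
LSW1           GE1/0/2      common       forwarding
LSW3           GE1/0/2      common       discarding
LSW3           GE1/0/1      common       forwarding
LSW2           GE1/0/2      common       forwarding
LSW2           GE1/0/1      common       forwarding
PE2            GE1/0/1      secondary    forwarding
"""


def parse_topology(text: str) -> Dict[int, List[Port]]:
    """Return {segment_id: [Port, ...]} in the order the device lists them."""
    segments: Dict[int, List[Port]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        seg = SEGMENT_RE.match(line)
        if seg:
            current = int(seg.group(1))
            segments.setdefault(current, [])
            continue
        row = ROW_RE.match(line)  # separators and the header row do not match
        if row and current is not None:
            segments[current].append(Port(*row.groups()))
    return segments


def blocked_port(ports: List[Port]) -> Optional[Tuple[str, str]]:
    """(system, port) of the discarding port, or None if there is not exactly one."""
    blocked = [(p.system, p.name) for p in ports if p.status == "discarding"]
    return blocked[0] if len(blocked) == 1 else None


def audit_segment(ports: List[Port]) -> List[str]:
    """Findings for one segment; an empty list means the expected steady state."""
    findings = []
    roles = [p.role for p in ports]
    blocked = [p for p in ports if p.status == "discarding"]
    if roles.count("primary") != 1 or roles.count("secondary") != 1:
        findings.append("expected one primary and one secondary edge port")
    if not blocked:
        # Expected only while a link in the segment is down (fault state).
        findings.append("no discarding port in the segment")
    elif len(blocked) > 1:
        names = ", ".join(f"{p.system} {p.name}" for p in blocked)
        findings.append(f"more than one discarding port: {names}")
    return findings


def preemption_took_effect(before: str, after: str, segment: int,
                           expected: Tuple[str, str]) -> bool:
    """True if the blocked port moved to `expected` between the two outputs."""
    old = blocked_port(parse_topology(before).get(segment, []))
    new = blocked_port(parse_topology(after).get(segment, []))
    return new == expected and old != new


if __name__ == "__main__":
    print(audit_segment(parse_topology(AFTER)[1]))
    print(preemption_took_effect(BEFORE, AFTER, 1, ("LSW3", "GE1/0/2")))
```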
Add PE1 to PE4 to an RRPP domain with the ID of 1, create a control VLAN with the ID of
5 on PE1 to PE4, and configure a protected VLAN.
# Configure PE1.
<Quidway> system-view
[Quidway] sysname PE1
[PE1] rrpp domain 1
[PE1-rrpp-domain-region1] control-vlan 5
[PE1-rrpp-domain-region1] protected-vlan reference-instance all
# Configure PE2.
<Quidway> system-view
[Quidway] sysname PE2
[PE2] rrpp domain 1
[PE2-rrpp-domain-region1] control-vlan 5
[PE2-rrpp-domain-region1] protected-vlan reference-instance all
# Configure PE3.
<Quidway> system-view
[Quidway] sysname PE3
[PE3] rrpp domain 1
[PE3-rrpp-domain-region1] control-vlan 5
[PE3-rrpp-domain-region1] protected-vlan reference-instance all
# Configure PE4.
<Quidway> system-view
[Quidway] sysname PE4
[PE4] rrpp domain 1
[PE4-rrpp-domain-region1] control-vlan 5
[PE4-rrpp-domain-region1] protected-vlan reference-instance all
2.
Create a VLAN and add interfaces on the ring network to the VLAN.
# Create VLAN 100 on PE1, and then add GE 1/0/1, GE 1/0/2, and GE 1/0/3 to VLAN
100.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] stp disable
[PE1-GigabitEthernet1/0/1] port link-type trunk
[PE1-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] stp disable
[PE1-GigabitEthernet1/0/2] port link-type trunk
[PE1-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] stp disable
[PE1-GigabitEthernet1/0/3] port link-type trunk
[PE1-GigabitEthernet1/0/3] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/3] quit
# Create VLAN 100 on PE2, and then add GE 1/0/1, GE 1/0/2, and GE 1/0/3 to VLAN
100.
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] stp disable
[PE2-GigabitEthernet1/0/1] port link-type trunk
[PE2-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE2-GigabitEthernet1/0/1] quit
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] stp disable
[PE2-GigabitEthernet1/0/2] port link-type trunk
[PE2-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[PE2-GigabitEthernet1/0/2] quit
[PE2] interface gigabitethernet 1/0/3
[PE2-GigabitEthernet1/0/3] stp disable
[PE2-GigabitEthernet1/0/3] port link-type trunk
[PE2-GigabitEthernet1/0/3] port trunk allow-pass vlan 100
[PE2-GigabitEthernet1/0/3] quit
# Create VLAN 100 on PE3, and then add GE 1/0/1 and GE 1/0/2 to VLAN 100.
[PE3] vlan 100
[PE3-vlan100] quit
[PE3] interface gigabitethernet 1/0/1
[PE3-GigabitEthernet1/0/1] stp disable
[PE3-GigabitEthernet1/0/1] port link-type trunk
[PE3-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE3-GigabitEthernet1/0/1] quit
[PE3] interface gigabitethernet 1/0/2
[PE3-GigabitEthernet1/0/2] stp disable
[PE3-GigabitEthernet1/0/2] port link-type trunk
[PE3-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[PE3-GigabitEthernet1/0/2] quit
# Create VLAN 100 on PE4, and then add GE 1/0/1 and GE 1/0/2 to VLAN 100.
[PE4] vlan 100
[PE4-vlan100] quit
[PE4] interface gigabitethernet 1/0/1
[PE4-GigabitEthernet1/0/1] stp disable
[PE4-GigabitEthernet1/0/1] port link-type trunk
[PE4-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE4-GigabitEthernet1/0/1] quit
[PE4] interface gigabitethernet 1/0/2
[PE4-GigabitEthernet1/0/2] stp disable
[PE4-GigabitEthernet1/0/2] port link-type trunk
[PE4-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[PE4-GigabitEthernet1/0/2] quit
3.
Configure PE1 as the master node and PE2 to PE4 as the transit nodes of the major ring,
and configure the primary interface and secondary interface of the nodes.
# Configure PE1.
[PE1] rrpp domain 1
[PE1-rrpp-domain-region1] ring 1 node-mode master primary-port
gigabitEthernet1/0/2 secondary-port gigabitEthernet1/0/3 level 0
[PE1-rrpp-domain-region1] ring 1 enable
# Configure PE2.
[PE2] rrpp domain 1
[PE2-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitEthernet1/0/2 secondary-port gigabitEthernet1/0/3 level 0
[PE2-rrpp-domain-region1] ring 1 enable
# Configure PE3.
[PE3] rrpp domain 1
[PE3-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitEthernet1/0/1 secondary-port gigabitEthernet1/0/2 level 0
[PE3-rrpp-domain-region1] ring 1 enable
# Configure PE4.
[PE4] rrpp domain 1
[PE4-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitEthernet1/0/1 secondary-port gigabitEthernet1/0/2 level 0
[PE4-rrpp-domain-region1] ring 1 enable
4.
Enable RRPP.
# Configure PE1.
[PE1] rrpp enable
# Configure PE2.
[PE2] rrpp enable
# Configure PE3.
[PE3] rrpp enable
# Configure PE4.
[PE4] rrpp enable
After completing the preceding configurations, run the display rrpp brief or display rrpp
verbose domain command on PE1 to check the RRPP configuration.
[PE1] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
RRPP Protocol Status: Enable
RRPP Working Mode: HW
RRPP Linkup Delay Timer: 0 sec (0 sec default)
Number of RRPP Domains: 1
Domain Index   : 1
Control VLAN   : major 5    sub 6
Protected VLAN : Reference Instance 1
Hello Timer    : 1 sec(default is 1 sec)  Fail Timer : 6 sec(default is 6 sec)
Ring  Ring   Node  Primary/Common        Secondary/Edge        Is
ID    Level  Mode  Port                  Port                  Enabled
----------------------------------------------------------------------------
1     0      M     GigabitEthernet1/0/2  GigabitEthernet1/0/3  Yes
The output shows that RRPP is enabled on PE1. In domain 1, VLAN 5 is the major control VLAN,
VLAN 6 is the sub-control VLAN, the protected VLAN references Instance 1, and PE1 is the master
node in major ring 1, with GigabitEthernet 1/0/2 as the primary interface and
GigabitEthernet 1/0/3 as the secondary interface.
[PE1] display rrpp verbose domain 1
Domain Index   : 1
Control VLAN   : major 5    sub 6
Protected VLAN : Reference Instance 1
Hello Timer    : 1 sec(default is 1 sec)
RRPP Ring      : 1
Ring Level     : 0
Node Mode      : Master
Ring State     : Complete
Is Enabled     : Enable                  Is Active: Yes
Primary port   : GigabitEthernet1/0/2    Port status: UP
Secondary port : GigabitEthernet1/0/3    Port status: BLOCKED
The output shows that in domain 1, VLAN 5 is the major control VLAN, VLAN 6 is the sub-control
VLAN, the protected VLAN references Instance 1, and PE1 is the master node in major ring 1,
with GigabitEthernet 1/0/2 as the primary interface and GigabitEthernet 1/0/3 as the secondary
interface. The node status is Complete.
Step 3 Configure the Layer 2 forwarding function on the CE, LSW1 to LSW3 and PE1 to PE4.
The configuration details are not mentioned here. For details, see configuration files in this
example.
Step 4 Verify the configuration.
After the preceding configurations are complete and the network is stable, run the following
commands to verify the configuration. Take LSW1 as an example.
• Run the shutdown command on GE 1/0/1 on LSW2 to simulate an interface fault, and then
run the display sep interface command on LSW3 to check whether the status of GE 1/0/2
changes from blocked to forwarding.
[LSW3] display sep interface gigabitethernet 1/0/2
SEP segment 1
----------------------------------------------------------------
Interface    Port Role    Neighbor Status    Port Status
----------------------------------------------------------------
GE1/0/2      common       up                 forwarding
----End
Configuration Files
sep segment 1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
return
ring 1 enable
#
sep segment 1
control-vlan 10
tc-notify rrpp
protected-instance 0 to 48
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
stp disable
sep segment 1 edge secondary
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
return
#
return
Networking Requirements
In common SEP networking, a physical ring can be configured with only one SEP segment in
which only one interface can be blocked. If an interface in the SEP segment in the complete state
is blocked, all user data is transmitted only along the path where the primary edge interface is
located. The path where the secondary edge interface is located is idle, which leads to a waste
of bandwidth.
To solve the problem of bandwidth waste and to implement traffic load balancing, Huawei
developed SEP multi-instance.
Figure 10-15 Networking diagram for configuring SEP multi-instance on a closed ring network
[Figure: LSW1 to LSW4 form a ring between the network and the access layer, carrying SEP Segment1 and SEP Segment2; CE1 uses Instance1 (VLAN 100~300) and CE2 uses Instance2 (VLAN 301~500). Legend: primary edge node, secondary edge node, blocked ports P1 and P2.]
As shown in Figure 10-15, a ring network comprising Layer 2 switches LSW1 to LSW5 is
connected to the network. SEP runs at the aggregation layer. SEP multi-instance is configured
on LSW1 to LSW4. This allows two SEP segments to solve the problem of bandwidth waste,
implement load balancing, and provide link backup.
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create two SEP segments and one control VLAN on LSW1 to LSW4.
Different SEP segments can use the same control VLAN.
2.
Configure SEP protected instances, and set mappings between SEP protected instances and
user VLANs to ensure that topology changes affect only corresponding VLANs.
3.
Add all the devices on the ring network to the SEP segments, and configure GE 1/0/1 as
the primary edge interface and GE 1/0/3 as the secondary edge interface on LSW1.
4.
Enable the function of specifying an interface to block on the device where the primary
edge interface resides.
5.
Configure the SEP preemption mode to ensure that the specified blocked interface takes
effect when a fault is rectified.
6.
Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW4.
Data Preparation
To complete the configuration, you need the following data:
• ID of a control VLAN
• Preemption mode
Procedure
Step 1 Configure basic SEP functions.
• Configure a SEP segment with the ID of 1 and a control VLAN with the ID of 10.
# Configure LSW1.
<Quidway> system-view
[Quidway] sysname LSW1
[LSW1] sep segment 1
[LSW1-sep-segment1] control-vlan 10
[LSW1-sep-segment1] quit
# Configure LSW2.
<Quidway> system-view
[Quidway] sysname LSW2
[LSW2] sep segment 1
[LSW2-sep-segment1] control-vlan 10
[LSW2-sep-segment1] quit
# Configure LSW3.
<Quidway> system-view
[Quidway] sysname LSW3
[LSW3] sep segment 1
[LSW3-sep-segment1] control-vlan 10
[LSW3-sep-segment1] quit
# Configure LSW4.
<Quidway> system-view
[Quidway] sysname LSW4
[LSW4] sep segment 1
[LSW4-sep-segment1] control-vlan 10
[LSW4-sep-segment1] quit
• Configure a SEP segment with the ID of 2 and a control VLAN with the ID of 10.
# Configure LSW1.
[LSW1] sep segment 2
[LSW1-sep-segment2] control-vlan 10
[LSW1-sep-segment2] quit
# Configure LSW2.
[LSW2] sep segment 2
[LSW2-sep-segment2] control-vlan 10
[LSW2-sep-segment2] quit
# Configure LSW3.
[LSW3] sep segment 2
[LSW3-sep-segment2] control-vlan 10
[LSW3-sep-segment2] quit
# Configure LSW4.
[LSW4] sep segment 2
[LSW4-sep-segment2] control-vlan 10
[LSW4-sep-segment2] quit
NOTE
Step 2 Configure SEP protected instances, and then configure mappings between SEP protected
instances and user VLANs.
# Configure LSW1.
[LSW1] vlan batch 100 to 500
[LSW1] sep segment 1
[LSW1-sep-segment1] protected-instance 1
[LSW1-sep-segment1] quit
[LSW1] sep segment 2
[LSW1-sep-segment2] protected-instance 2
[LSW1-sep-segment2] quit
[LSW1] stp region-configuration
[LSW1-mst-region] instance 1 vlan 100 to 300
[LSW1-mst-region] instance 2 vlan 301 to 500
[LSW1-mst-region] active region-configuration
[LSW1-mst-region] quit
The configurations of LSW2 to LSW4 are similar to those of LSW1, and are not provided here.
For details, see configuration files in this configuration example.
Step 3 Add all the devices on the ring network to the SEP segments and configure interface roles.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment, disable
STP on the interface.
# On LSW1, configure GE 1/0/1 as the primary edge interface and GE 1/0/3 as the secondary
edge interface.
[LSW1] interface gigabitethernet 1/0/1
[LSW1-GigabitEthernet1/0/1] stp disable
[LSW1-GigabitEthernet1/0/1] sep segment 1 edge primary
[LSW1-GigabitEthernet1/0/1] sep segment 2 edge primary
[LSW1-GigabitEthernet1/0/1] quit
[LSW1] interface gigabitethernet 1/0/3
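[LSW1-GigabitEthernet1/0/3] stp disable
[LSW1-GigabitEthernet1/0/3] sep segment 1 edge secondary
[LSW1-GigabitEthernet1/0/3] sep segment 2 edge secondary
[LSW1-GigabitEthernet1/0/3] quit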
# Configure LSW2.
[LSW2] interface gigabitethernet 1/0/1
[LSW2-GigabitEthernet1/0/1] stp disable
[LSW2-GigabitEthernet1/0/1] sep segment 1
[LSW2-GigabitEthernet1/0/1] sep segment 2
[LSW2-GigabitEthernet1/0/1] quit
[LSW2] interface gigabitethernet 1/0/2
[LSW2-GigabitEthernet1/0/2] stp disable
[LSW2-GigabitEthernet1/0/2] sep segment 1
[LSW2-GigabitEthernet1/0/2] sep segment 2
[LSW2-GigabitEthernet1/0/2] quit
# Configure LSW3.
[LSW3] interface gigabitethernet 1/0/1
[LSW3-GigabitEthernet1/0/1] stp disable
[LSW3-GigabitEthernet1/0/1] sep segment 1
[LSW3-GigabitEthernet1/0/1] sep segment 2
[LSW3-GigabitEthernet1/0/1] quit
[LSW3] interface gigabitethernet 1/0/2
[LSW3-GigabitEthernet1/0/2] stp disable
[LSW3-GigabitEthernet1/0/2] sep segment 1
[LSW3-GigabitEthernet1/0/2] sep segment 2
[LSW3-GigabitEthernet1/0/2] quit
# Configure LSW4.
[LSW4] interface gigabitethernet 1/0/1
[LSW4-GigabitEthernet1/0/1] stp disable
[LSW4-GigabitEthernet1/0/1] sep segment 1
[LSW4-GigabitEthernet1/0/1] sep segment 2
[LSW4-GigabitEthernet1/0/1] quit
[LSW4] interface gigabitethernet 1/0/3
[LSW4-GigabitEthernet1/0/3] stp disable
[LSW4-GigabitEthernet1/0/3] sep segment 1
[LSW4-GigabitEthernet1/0/3] sep segment 2
[LSW4-GigabitEthernet1/0/3] quit
• In this configuration example, an interface fault needs to be simulated and then rectified to implement
delayed preemption. To ensure that delayed preemption takes effect on the two SEP segments, simulate
an interface fault in each of the two SEP segments. For example:
  • In SEP segment 1, run the shutdown command on GE 1/0/1 of LSW2 to simulate an interface
  fault. Then, run the undo shutdown command on GE 1/0/1 to simulate interface fault recovery.
  • In SEP segment 2, run the shutdown command on GE 1/0/1 of LSW3 to simulate an interface
  fault. Then, run the undo shutdown command on GE 1/0/1 to simulate interface fault recovery.
Step 5 Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW4.
The configuration details are not provided here. For details, see configuration files in this
example.
Step 6 Verify the configuration.
Simulate a fault, and then check whether the status of the blocked interface changes from blocked
to forwarding.
Run the shutdown command on GE 1/0/1 of LSW2 to simulate an interface fault.
Run the display sep interface command on LSW3 to check whether the status of GE1/0/1 in
SEP segment 1 changes from blocked to forwarding.
[LSW3] display sep interface gigabitethernet 1/0/1
SEP segment 1
----------------------------------------------------------------
Interface    Port Role    Neighbor Status    Port Status
----------------------------------------------------------------
GE1/0/1      common       up                 forwarding
SEP segment 2
----------------------------------------------------------------
Interface    Port Role    Neighbor Status    Port Status
----------------------------------------------------------------
GE1/0/1      common       up                 forwarding
The preceding command output shows that the status of GE 1/0/1 changes from blocked to
forwarding and the forwarding path change in SEP segment 1 does not affect the forwarding
path in SEP segment 2.
----End
Configuration Files
#
return
#
return
This section provides examples for configuring interface, VLAN, and QinQ based Layer 2
protocol transparent transmission.
Background
In certain network environments, packets of Layer 2 protocols such as MSTP, HGMP, and LACP
need to be transmitted between user networks across the backbone network to complete
calculation of the protocols.
As shown in Figure 11-1, user network 1 and user network 2 run Layer 2 protocols, for example,
MSTP. Layer 2 protocol packets of user network 1 must traverse the backbone network to reach
user network 2 so that the spanning tree can be calculated. Packets of a Layer 2 protocol usually
use the same destination MAC address. For example, MSTP packets are BPDUs that use 0180-C200-0000 as the destination MAC address. Therefore, when the BPDUs reach a PE on the
backbone network, the PE cannot identify whether the BPDUs are sent from a user network or
the backbone network. As a result, the PE sends the BPDUs to the CPU for spanning tree
calculation.
In this case, the spanning tree is calculated between the devices of user network 1 and PE1, and
the devices of user network 2 are not involved in the calculation. Therefore, BPDUs of user
network 1 cannot be sent to user network 2 through the backbone network.
Figure 11-1 Transparent transmission of Layer 2 protocol packets on an ISP network
(Figure labels: ISP network; PE1, PE2; CE1, CE2; User network 1, User network 2)
Each site on a user network can receive Layer 2 protocol packets from other sites.
Layer 2 protocol packets sent from a user network are not processed by CPUs of devices
on the backbone network.
Layer 2 protocol packets of different user networks are separated from each other.
A user-side device on the backbone network replaces the multicast destination MAC
address of Layer 2 protocol packets with a specified multicast MAC address.
Devices on the backbone network determine whether to add an outer VLAN tag to the
packet according to the transparent transmission mode.
The egress device on the backbone network restores the original multicast destination MAC
address of the packet according to the mappings between multicast destination MAC
addresses and Layer 2 protocols. The egress device also determines whether to remove the
outer VLAN tag, and then forwards the packet to the user network.
Currently, the S9300 can transparently transmit packets of the following Layer 2 protocols:
l User-defined protocols
(Figure 11-2 labels: ISP Network; PE1, PE2, PE3; LAN-A, MSTP; LAN-B, MSTP; Port based VLAN 200; Port based VLAN 300)
As shown in Figure 11-2, each interface of a PE is connected to one user network. The user
networks connected to the same PE belong to different LANs, namely, LAN-A and LAN-B.
BPDUs sent from user networks are not tagged, but the PE needs to identify the LAN that each
BPDU belongs to. BPDUs of a user network on LAN-A must be forwarded to other user networks
on LAN-A, but cannot be forwarded to user networks on LAN-B. In addition, BPDUs cannot
be processed by network devices of the ISP.
The following methods can be used to meet the preceding requirements:
l Replace the default multicast MAC address of Layer 2 protocol packets that can be
identified by PEs on the backbone network with another multicast MAC address.
1. Configure all PEs as providers. Then the multicast destination MAC address of
BPDUs sent from the backbone network is changed from 01-80-C2-00-00-00 to
01-80-C2-00-00-08.
2. Configure all devices on user networks as customers. Then the multicast destination
MAC address of BPDUs sent from user networks is 01-80-C2-00-00-00.
3. On PEs, add the interfaces connected to the same user network to the same VLAN.
Then PEs add VLAN tags to received BPDUs according to default VLANs of the
interfaces.
4. PEs (providers) do not consider these packets as Layer 2 protocol BPDUs and do not
send them to the CPU. Instead, PEs select a Layer 2 tunnel to forward the packets
according to the default VLANs of interfaces.
5. Internal nodes on the backbone network forward the packets across the backbone
network as common Layer 2 packets.
6. The egress device on the backbone network forwards the packets to user networks
without modifying the packets.
NOTE
This method is applicable only to STP, RSTP, and MSTP. To configure a device as the provider,
run the bpdu-tunnel stp bridge role provider command.
l Replace the original multicast MAC address of Layer 2 protocol packets from user networks
with a specified multicast MAC address.
1. PEs identify the type (such as STP) of the Layer 2 protocol packets sent from user
networks and tag the packets with corresponding VLAN IDs according to default
VLANs of interfaces.
2. PEs replace the standard multicast destination MAC address of Layer 2 protocol
packets with a specified multicast MAC address according to the mappings between
multicast destination MAC addresses and Layer 2 protocols.
3. Internal nodes on the backbone network forward the packets across the backbone
network as common Layer 2 packets.
4. The egress device of the backbone network restores the original destination MAC
address of the packets according to the mappings between multicast destination MAC
addresses and Layer 2 protocols, and then forwards the packets to user networks.
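The second method above (tag with the default VLAN, replace the destination MAC on ingress, restore it on egress) can be followed on raw frame bytes. The Python below is an added example, not Huawei code: the frame and source MAC are constructed, the group MAC 0100-5e00-0011 is the value used in this document's configuration examples, and the function names are hypothetical.

```python
import struct

STP_DMAC = bytes.fromhex("0180c2000000")   # standard BPDU destination MAC (0180-C200-0000)
GROUP_MAC = bytes.fromhex("01005e000011")  # replacement MAC used in this document's examples
TPID = 0x8100                              # 802.1Q tag protocol identifier

# Mapping between standard destination MACs and replacement MACs. The ingress
# and egress PEs must hold the same mapping, or the address cannot be restored.
MAPPINGS = {"stp": (STP_DMAC, GROUP_MAC)}


def build_bpdu(src_mac: bytes) -> bytes:
    """Constructed untagged 802.3/LLC frame carrying an all-zero 35-byte config BPDU."""
    payload = bytes([0x42, 0x42, 0x03]) + bytes(35)
    return STP_DMAC + src_mac + struct.pack("!H", len(payload)) + payload


def is_bpdu_for_cpu(frame: bytes) -> bool:
    """True if the destination lies in 0180-C200-0000..002F, the BPDU range that
    a bridge hands to its own CPU (modelling assumption for this example)."""
    dst = int.from_bytes(frame[:6], "big")
    return 0x0180C2000000 <= dst <= 0x0180C200002F


def pe_ingress(frame: bytes, pvid: int) -> bytes:
    """User-side port of the ingress PE: add the port's default VLAN tag and
    replace the standard destination MAC with the group MAC."""
    dst, src, rest = frame[:6], frame[6:12], frame[12:]
    for standard, group in MAPPINGS.values():
        if dst == standard:
            tag = struct.pack("!HH", TPID, pvid & 0x0FFF)
            return group + src + tag + rest
    raise ValueError("not a tunnelled Layer 2 protocol frame")


def pe_egress(frame: bytes, pvid: int):
    """User-side port of the egress PE: deliver only frames of this port's VLAN,
    restore the standard MAC and strip the tag. Returns None if not delivered."""
    if len(frame) < 16:
        return None
    dst, src = frame[:6], frame[6:12]
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID or (tci & 0x0FFF) != pvid:
        return None  # frame belongs to another user network
    for standard, group in MAPPINGS.values():
        if dst == group:
            return standard + src + frame[16:]
    return None


def demo() -> dict:
    ce_bpdu = build_bpdu(bytes.fromhex("020000000001"))  # constructed source MAC
    in_core = pe_ingress(ce_bpdu, pvid=100)
    return {
        "original_hits_cpu": is_bpdu_for_cpu(ce_bpdu),
        "tunnelled_hits_cpu": is_bpdu_for_cpu(in_core),
        "delivered_vlan100": pe_egress(in_core, pvid=100) == ce_bpdu,
        "delivered_vlan200": pe_egress(in_core, pvid=200),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The VLAN check in pe_egress is what keeps BPDUs of one user network from reaching another; the MAC replacement is what keeps them away from the backbone CPUs.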
(Figure labels: ISP Network; PE 1, PE 2, PE 3; BPDU Tunnel; Trunk 100-200; CE-VLAN 100, CE-VLAN 200; LAN-A, MSTP; LAN-B, MSTP)
l Replace the default multicast MAC address of the Layer 2 protocol that can be identified
by PEs with another multicast MAC address.
1. Configure all PEs as providers. Then the multicast destination MAC address of
BPDUs sent from the backbone network is changed from 01-80-C2-00-00-00 to
01-80-C2-00-00-08.
2. Configure all devices on user networks as customers. Then the multicast destination
MAC address of BPDUs sent from user networks is 01-80-C2-00-00-00.
3. Configure devices on user networks to send Layer 2 protocol packets with the specified
VLAN IDs to the backbone network.
4. Enable PEs to identify Layer 2 protocol packets with the specified VLAN IDs and
allow these packets to pass.
5. PEs (providers) do not consider these packets as Layer 2 protocol BPDUs and do not
send them to the CPU. Instead, PEs select a Layer 2 tunnel to forward the packets
according to the default VLANs of interfaces.
6. Internal nodes on the backbone network forward the packets across the backbone
network as common Layer 2 packets.
7. The egress device on the backbone network forwards the packets to user networks
without modifying the packets.
NOTE
This method is applicable only to STP, RSTP, and MSTP. To configure a device as the provider,
run the bpdu-tunnel stp bridge role provider command.
l Replace the original multicast MAC address of Layer 2 protocol packets from user networks
with a specified multicast MAC address.
1. Configure devices on user networks to send Layer 2 protocol packets with the specified
VLAN IDs to the backbone network.
2. Enable PEs to identify Layer 2 protocol packets with the specified VLAN IDs and
allow these packets to pass.
3. PEs replace the standard multicast destination MAC address of Layer 2 protocol
packets with a specified multicast MAC address according to the mappings between
multicast destination MAC addresses and Layer 2 protocols.
4. Internal nodes on the backbone network forward the packets across the backbone
network as common Layer 2 packets.
5. The egress device of the backbone network restores the original destination MAC
address of the packets according to the mappings between multicast destination MAC
addresses and Layer 2 protocols, and then forwards the packets to user networks.
QinQ overview
The QinQ protocol is a Layer 2 tunneling protocol based on IEEE 802.1Q. The QinQ
technology improves utilization of VLANs by adding another 802.1Q tag to a packet. In
this manner, services on a private VLAN can be transparently transmitted to the public
network. A packet transmitted on the backbone network is called a QinQ packet because
it has two 802.1Q tags (a public tag and a private tag), that is, 802.1Q-in-802.1Q.
Figure 11-4 shows the format of a QinQ packet. Compared with an 802.1Q packet, a QinQ
packet contains an additional tag following the source address (SA) field. This tag is called
an outer tag or a public tag and contains the VLAN ID of the public network. The inner tag
is known as the private tag and contains the VLAN ID of the private network.
(Figure 11-4, format of a QinQ packet: image not recovered; surviving field labels are 0x8100, Priority, CFI, VLAN ID)
(Figure 11-5 labels: ISP Network; PE 1, PE 2; BPDU Tunnel; PE-VLAN20:CE-VLAN 100~199; PE-VLAN30:CE-VLAN 200~299; CE-VLAN 100, CE-VLAN 200; LAN-A, MSTP; LAN-B, MSTP)
When a great number of user networks are connected to the backbone network, considerable
VLAN IDs of the ISP are required if packets are transparently transmitted based on VLANs.
In this case, BPDUs can be forwarded in QinQ mode on the backbone network.
As shown in Figure 11-5, QinQ-based Layer 2 protocol transparent transmission is
configured on aggregation interfaces of PEs. Packets from different user networks are
encapsulated in different outer VLAN tags. QinQ-based Layer 2 protocol transparent
transmission is implemented as follows:
1. Configure devices on user networks to send Layer 2 protocol packets with the specified
VLAN IDs to the backbone network.
2. Enable Layer 2 protocol transparent transmission and QinQ on interfaces of the ingress
device on the backbone network.
3. Configure PEs to add different outer VLAN tags (public VLAN IDs) to packets
according to customer VLAN IDs.
4. PEs select different Layer 2 tunnels according to outer VLAN tags of packets. Then
the Layer 2 protocol packets are forwarded by internal nodes on the backbone network
as common Layer 2 packets.
5. Enable Layer 2 protocol transparent transmission and QinQ on interfaces of the egress
device on the backbone network.
6. The egress device removes outer VLAN tags of the packets and forwards the packets
to user networks according to customer VLAN IDs.
As shown in Figure 11-5, PEs add outer VLAN 20 to Layer 2 protocol packets of VLAN
100 to VLAN 199 and add outer VLAN 30 to Layer 2 protocol packets of VLAN 200 to
VLAN 299, and then forward the packets to other devices on the backbone network. In this
way, Layer 2 protocol packets of different user networks can be transparently transmitted
on the backbone network, and VLAN IDs of the carrier are saved.
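The outer-tag handling in the QinQ procedure above, using the Figure 11-5 mapping (CE-VLAN 100 to 199 into PE-VLAN 20, CE-VLAN 200 to 299 into PE-VLAN 30), looks like this on frame bytes. This Python is an added example, not Huawei code: the frames are constructed, the function names are hypothetical, and dropping frames whose CE-VLAN matches no range is an assumption of the example.

```python
import struct

TPID = 0x8100  # tag protocol identifier shown in the QinQ packet format figure

# Figure 11-5: outer (PE) VLAN -> inclusive range of customer (CE) VLANs
QINQ_MAP = {20: (100, 199), 30: (200, 299)}


def vlan_stack(frame: bytes) -> list:
    """VLAN IDs of the consecutive 802.1Q tags after the source address, outermost first."""
    vids, offset = [], 12
    while len(frame) >= offset + 4 and struct.unpack_from("!H", frame, offset)[0] == TPID:
        vids.append(struct.unpack_from("!H", frame, offset + 2)[0] & 0x0FFF)
        offset += 4
    return vids


def outer_vlan_for(ce_vid: int):
    """Public VLAN ID for a customer VLAN ID, or None if no range covers it."""
    for pe_vid, (low, high) in QINQ_MAP.items():
        if low <= ce_vid <= high:
            return pe_vid
    return None


def qinq_ingress(frame: bytes):
    """Ingress PE: insert the outer tag directly after the source address.
    Returns None for frames that are not single-tagged or not mapped (assumption)."""
    vids = vlan_stack(frame)
    if len(vids) != 1:
        return None
    pe_vid = outer_vlan_for(vids[0])
    if pe_vid is None:
        return None
    return frame[:12] + struct.pack("!HH", TPID, pe_vid) + frame[12:]


def qinq_egress(frame: bytes, pe_vid: int):
    """Egress PE: accept only double-tagged frames of this tunnel's outer VLAN
    and remove the outer tag, leaving the customer tag in place."""
    vids = vlan_stack(frame)
    if len(vids) != 2 or vids[0] != pe_vid:
        return None
    return frame[:12] + frame[16:]


def tagged_bpdu(ce_vid: int) -> bytes:
    """Constructed customer frame: group MAC destination, one 802.1Q tag, LLC + empty BPDU."""
    dst = bytes.fromhex("01005e000011")  # group MAC from this document's examples
    src = bytes.fromhex("020000000001")  # constructed source MAC
    payload = bytes([0x42, 0x42, 0x03]) + bytes(35)
    return dst + src + struct.pack("!HH", TPID, ce_vid) + struct.pack("!H", len(payload)) + payload


if __name__ == "__main__":
    for ce_vid in (100, 250, 300):
        out = qinq_ingress(tagged_bpdu(ce_vid))
        print(ce_vid, "->", vlan_stack(out) if out else "not tunnelled")
```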
Pre-configuration Tasks
Before configuring interface-based Layer 2 protocol transparent transmission, complete the
following tasks:
Data Preparation
To configure interface-based Layer 2 protocol transparent transmission, you need the following
data.
No.
Data
Destination MAC address of Layer 2 protocol packets and multicast MAC address
that replaces the destination MAC address
Context
When non-standard Layer 2 protocol packets with a certain multicast destination address need
to be transparently transmitted on the backbone network, you can define characteristic
information about the Layer 2 protocol.
Do as follows on PEs.
Procedure
Step 1 Run:
system-view
The characteristic information about the Layer 2 protocol is defined, including the protocol
name, Ethernet encapsulation format and destination MAC address of Layer 2 protocol packets,
and MAC address that replaces the destination MAC address.
When defining characteristic information about a Layer 2 protocol, do not use the following
multicast MAC addresses to replace the destination MAC address of Layer 2 protocol packets:
l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
l Destination MAC address of Smart Link packets: 010F-E200-0004
l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
l Common multicast MAC addresses that have been used on the device
----End
Procedure
l Replace the default multicast MAC address of the Layer 2 protocol that can be identified
by PEs with another multicast MAC address.
1. Run:
system-view
2. Run:
bpdu-tunnel stp bridge role provider
l Replace the original multicast MAC address of Layer 2 protocol packets from user networks
with a specified multicast MAC address.
1. Run:
system-view
2. Run:
l2protocol-tunnel protocol-type group-mac group-mac
----End
Procedure
Step 1 Run:
system-view
The range of VLAN IDs specified in this step must include VLAN IDs of Layer 2 protocol packets from
user networks.
Step 6 Run:
l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name }
enable
l For details on how to add an interface to VLANs, see the VLAN configuration in the S9300
Configuration Guide- Ethernet.
l Before specifying a user-defined protocol in the l2protocol-tunnel command, run the l2protocol-tunnel user-defined-protocol command to define characteristic information about the Layer 2
protocol. STP packets have a default MAC address for replacing the original destination MAC address.
For packets of other Layer 2 protocols, you need to configure a global MAC address to replace the
destination MAC address. For details, see l2protocol-tunnel group-mac.
l The l2protocol-tunnel and l2protocol-tunnel vlan commands cannot specify the same protocol type
on the same interface; otherwise, the configurations conflict.
----End
Procedure
l Run the display l2protocol-tunnel group-mac { all | protocol-type | user-defined-protocol
protocol-name } command to check information about transparent transmission
of specified or all Layer 2 protocol packets.
----End
VLAN-based Layer 2 protocol transparent transmission so that Layer 2 protocol packets are
transparently transmitted on the backbone network.
Pre-configuration Tasks
Before configuring VLAN-based Layer 2 protocol transparent transmission, complete the
following task:
Data Preparation
To configure VLAN-based Layer 2 protocol transparent transmission, you need the following
data.
No.
Data
Destination MAC address of Layer 2 protocol packets and multicast MAC address
that replaces the destination MAC address
Procedure
Step 1 Run:
system-view
The characteristic information about the Layer 2 protocol is defined, including the protocol
name, Ethernet encapsulation format and destination MAC address of Layer 2 protocol packets,
and MAC address that replaces the destination MAC address.
When defining characteristic information about a Layer 2 protocol, do not use the following
multicast MAC addresses to replace the destination MAC address of Layer 2 protocol packets:
l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
l Destination MAC address of Smart Link packets: 010F-E200-0004
l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
l Common multicast MAC addresses that have been used on the device
----End
Procedure
l Replace the default multicast MAC address of the Layer 2 protocol that can be identified
by PEs with another multicast MAC address.
1. Run:
system-view
2. Run:
bpdu-tunnel stp bridge role provider
l Replace the original multicast MAC address of Layer 2 protocol packets from user networks
with a specified multicast MAC address.
1. Run:
system-view
2. Run:
l2protocol-tunnel protocol-type group-mac group-mac
----End
Procedure
Step 1 Run:
system-view
The range of VLAN IDs specified in this step must include VLAN IDs of Layer 2 protocol packets from
user networks.
Step 4 Run:
l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name }
{ vlan low-id [ to high-id ] } &<1-10>
NOTE
l For details on how to add an interface to VLANs in tagged mode, see the VLAN configuration in the
S9300 Configuration Guide- Ethernet.
l Before specifying a user-defined protocol in the l2protocol-tunnel vlan command, run the l2protocol-tunnel user-defined-protocol command to define characteristic information about the Layer 2
protocol. STP packets have a default MAC address for replacing the original destination MAC address.
For packets of other Layer 2 protocols, you need to configure a global MAC address to replace the
destination MAC address. For details, see l2protocol-tunnel group-mac.
l The l2protocol-tunnel vlan and l2protocol-tunnel commands cannot specify the same protocol type
on the same interface; otherwise, the configurations conflict.
----End
Procedure
l Run the display l2protocol-tunnel group-mac { all | protocol-type | user-defined-protocol
protocol-name } command to check information about transparent transmission
of specified or all Layer 2 protocol packets.
----End
Pre-configuration Tasks
Before configuring QinQ-based Layer 2 protocol transparent transmission, complete the
following task:
Data Preparation
To configure QinQ-based Layer 2 protocol transparent transmission, you need the following
data.
No.
Data
Destination MAC address and group MAC address of Layer 2 protocol packets
Names of user-side interfaces on PEs, default VLAN IDs, and VLANs allowed by
user-side interfaces
Procedure
Step 1 Run:
system-view
The characteristic information about the Layer 2 protocol is defined, including the protocol
name, Ethernet encapsulation format and destination MAC address of Layer 2 protocol packets,
and MAC address that replaces the destination MAC address.
When defining characteristic information about a Layer 2 protocol, do not use the following
multicast MAC addresses to replace the destination MAC address of Layer 2 protocol packets:
l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
l Destination MAC address of Smart Link packets: 010F-E200-0004
l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
l Common multicast MAC addresses that have been used on the device
----End
Procedure
l Replace the default multicast MAC address of the Layer 2 protocol that can be identified
by PEs with another multicast MAC address.
1. Run:
system-view
2. Run:
bpdu-tunnel stp bridge role provider
l Replace the original multicast MAC address of Layer 2 protocol packets from user networks
with a specified multicast MAC address.
1. Run:
system-view
2. Run:
l2protocol-tunnel protocol-type group-mac group-mac
When configuring Layer 2 protocol transparent transmission, do not use the following multicast
MAC addresses to replace the destination MAC address of Layer 2 protocol packets:
l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
l Destination MAC address of Smart Link packets: 010F-E200-0004
l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
l Common multicast MAC addresses that have been used on the device
----End
Procedure
Step 1 Run:
system-view
The interface is configured to add an outer VLAN tag to the Layer 2 protocol packets.
Step 5 Run:
l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name }
{ vlan low-id [ to high-id ] } &<1-10>
l The outer VLAN tag (vlan-id3) specified in step 5 must be included in the VLAN range specified in
step 6.
l For details on how to add an interface to VLANs in untagged mode, see the VLAN configuration in
the S9300 Configuration Guide- Ethernet.
l Before specifying a user-defined protocol in the l2protocol-tunnel vlan command, run the l2protocol-tunnel user-defined-protocol command to define characteristic information about the Layer 2
protocol. STP packets have a default MAC address for replacing the original destination MAC address.
For packets of other Layer 2 protocols, you need to configure a global MAC address to replace the
destination MAC address. For details, see l2protocol-tunnel group-mac.
l The l2protocol-tunnel vlan and l2protocol-tunnel commands cannot specify the same protocol type
on the same interface; otherwise, the configurations conflict.
----End
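Two constraints recur in the procedures above: the list of multicast MAC addresses that must not be used as the replacement address, and the rule that l2protocol-tunnel and l2protocol-tunnel vlan cannot name the same protocol type on one interface. The Python below checks a saved configuration for both before it is applied. It is an added example, not a Huawei tool: the sample configuration is constructed to contain both mistakes, the function names are hypothetical, and treating "all" as overlapping every protocol type is an assumption.

```python
import re

# Replacement addresses this guide says must not be used
RESERVED = [
    (0x0180C2000000, 0x0180C200002F, "BPDU destination range"),
    (0x010FE2000004, 0x010FE2000004, "Smart Link"),
    (0x01000CCCCCCC, 0x01000CCCCCCD, "special multicast address"),
]
GROUP_RE = re.compile(r"l2protocol-tunnel (\S+) group-mac (\S+)")
TUNNEL_RE = re.compile(r"l2protocol-tunnel (user-defined-protocol \S+|\S+) (enable|vlan)\b")


def mac_to_int(mac: str) -> int:
    digits = mac.replace("-", "")
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def check_group_mac(mac: str, in_use=()) -> list:
    """Problems with a replacement MAC. in_use holds the multicast addresses
    already used on the device, which only the operator can supply."""
    value = mac_to_int(mac)
    problems = []
    if not (value >> 40) & 1:  # multicast bit of the first octet
        problems.append("not a multicast address")
    problems += [label for low, high, label in RESERVED if low <= value <= high]
    if value in {mac_to_int(m) for m in in_use}:
        problems.append("already used on the device")
    return problems


def lint_config(text: str, in_use=()) -> list:
    findings, iface, modes = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line in ("#", "return"):
            iface = None
        group = GROUP_RE.fullmatch(line)
        tunnel = TUNNEL_RE.match(line)
        if group:
            findings += [f"{group.group(1)} group-mac {group.group(2)}: {p}"
                         for p in check_group_mac(group.group(2), in_use)]
        elif tunnel and iface:
            modes.setdefault((iface, tunnel.group(1)), set()).add(tunnel.group(2))
    for (name, proto), kinds in sorted(modes.items()):
        kinds = kinds | modes.get((name, "all"), set())  # assumption: "all" overlaps everything
        if kinds == {"enable", "vlan"}:
            findings.append(f"{name}: {proto} uses both l2protocol-tunnel and l2protocol-tunnel vlan")
    return findings


# Constructed sample in the style of this guide's configuration files
SAMPLE = """\
#
l2protocol-tunnel stp group-mac 0180-c200-0008
#
interface GigabitEthernet1/0/0
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
 l2protocol-tunnel stp enable
 l2protocol-tunnel stp vlan 100
#
interface GigabitEthernet1/0/1
 port hybrid tagged vlan 200
 l2protocol-tunnel stp vlan 200
#
return
"""

if __name__ == "__main__":
    for finding in lint_config(SAMPLE):
        print(finding)
```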
Procedure
l Run the display l2protocol-tunnel group-mac { all | protocol-type | user-defined-protocol
protocol-name } command to check information about transparent transmission
of specified or all Layer 2 protocol packets.
----End
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging
all command to disable it immediately.
When a fault occurs during Layer 2 protocol transparent transmission, run the following
debugging command in the user view to locate the fault.
Procedure
l Run the debugging l2protocol-tunnel [ msg | error | event ] command in the user view
to enable debugging of Layer 2 protocol transparent transmission.
----End
In this example, PEs on the backbone network transparently transmit STP packets sent from CEs
by replacing the original multicast destination MAC address of STP packets with a specified
MAC address. By default, the destination MAC address of STP packets is 0180-C200-0000.
Figure 11-6 Networking of interface-based Layer 2 protocol transparent transmission
(Figure labels: CE1, CE2, CE3, CE4; PE1, PE2; VLAN100, VLAN200; interfaces GE 1/0/0, GE 1/0/1, GE 1/0/2)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4. Configure network-side interfaces of PEs to allow packets of VLAN 100 and VLAN 200
to pass.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Enable STP on CEs and PEs.
# Configure CE1.
<Quidway> system-view
[Quidway] sysname CE1
# Configure CE2.
<Quidway> system-view
[Quidway] sysname CE2
[CE2] vlan 100
[CE2-vlan100] quit
[CE2] stp enable
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port hybrid pvid vlan 100
[CE2-GigabitEthernet1/0/0] port hybrid untagged vlan 100
# Configure CE3.
<Quidway> system-view
[Quidway] sysname CE3
[CE3] vlan 200
[CE3-vlan200] quit
[CE3] stp enable
[CE3] interface gigabitethernet 1/0/0
[CE3-GigabitEthernet1/0/0] port hybrid pvid vlan 200
[CE3-GigabitEthernet1/0/0] port hybrid untagged vlan 200
# Configure CE4.
<Quidway> system-view
[Quidway] sysname CE4
[CE4] vlan 200
[CE4-vlan200] quit
[CE4] stp enable
[CE4] interface gigabitethernet 1/0/0
[CE4-GigabitEthernet1/0/0] port hybrid pvid vlan 200
[CE4-GigabitEthernet1/0/0] port hybrid untagged vlan 200
# Configure PE1.
<Quidway> system-view
[Quidway] sysname PE1
[PE1]
# Configure PE2.
<Quidway> system-view
[Quidway] sysname PE2
[PE2]
Step 2 On PE1 and PE2, add GE 1/0/0 to VLAN 100, add GE 1/0/1 to VLAN 200, and enable Layer 2
protocol transparent transmission.
# Configure PE1.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface GigabitEthernet 1/0/0
[PE1-GigabitEthernet1/0/0] port hybrid pvid vlan 100
[PE1-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[PE1-GigabitEthernet1/0/0] l2protocol-tunnel stp enable
[PE1-GigabitEthernet1/0/0] quit
[PE1] vlan 200
[PE1-vlan200] quit
[PE1] interface GigabitEthernet 1/0/1
[PE1-GigabitEthernet1/0/1] port hybrid pvid vlan 200
[PE1-GigabitEthernet1/0/1] port hybrid untagged vlan 200
# Configure PE2.
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] interface GigabitEthernet 1/0/0
[PE2-GigabitEthernet1/0/0] port hybrid pvid vlan 100
[PE2-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[PE2-GigabitEthernet1/0/0] l2protocol-tunnel stp enable
[PE2-GigabitEthernet1/0/0] quit
[PE2] vlan 200
[PE2-vlan200] quit
[PE2] interface GigabitEthernet 1/0/1
[PE2-GigabitEthernet1/0/1] port hybrid pvid vlan 200
[PE2-GigabitEthernet1/0/1] port hybrid untagged vlan 200
[PE2-GigabitEthernet1/0/1] l2protocol-tunnel stp enable
[PE2-GigabitEthernet1/0/1] quit
Step 3 Configure PEs to replace the destination MAC address of STP packets received from CEs.
# Configure PE1.
[PE1] l2protocol-tunnel stp group-mac 0100-5e00-0011
# Configure PE2.
[PE2] l2protocol-tunnel stp group-mac 0100-5e00-0011
Step 4 On PE1 and PE2, configure network-side interface GE 1/0/2 to allow packets of VLAN 100 and
VLAN 200 to pass.
# Configure PE1.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port hybrid tagged vlan 100 200
[PE1-GigabitEthernet1/0/2] quit
# Configure PE2.
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] port hybrid tagged vlan 100 200
[PE2-GigabitEthernet1/0/2] quit
Run the display stp command on CE1 and CE2 to view the root in the MST region. You can
find that a spanning tree is calculated between CE1 and CE2. GE 1/0/0 of CE1 is a root port,
and GE 1/0/0 of CE2 is a designated port.
<CE1> display stp
-------[CIST Global
CIST Bridge
Bridge Times
CIST Root/ERPC
CIST RegRoot/IRPC   :32768.00e0-fc9f-3257 / 0
CIST RootPortId     :128.82
BPDU-Protection     :disabled
TC or TCN received  :6
TC count per hello  :6
STP Converge Mode   :Normal
Share region-configuration :enabled
Time since last TC received :0 days 2h:24m:36s
----[Port1(GigabitEthernet1/0/0)] [FORWARDING] ----
Port Protocol       :enabled
Port Role           :Root Port
Port Priority       :128
Port Cost(Dot1T )   :Config=auto / Active=200000000
Desg. Bridge/Port   :32768.00e0-fc9a-4315 / 128.82
Port Edged          :Config=disabled / Active=disabled
Point-to-point      :Config=auto / Active=true
Transit Limit       :147 packets/hello-time
Protection Type     :None
Port Stp Mode       :MSTP
Port Protocol Type  :Config=auto / Active= dot1s
BPDU Encapsulation  :Config=stp / Active=stp
PortTimes           :Hello 2s MaxAge 20s FwDly 15s RemHop 20
TC or TCN send      :0
TC or TCN received  :0
BPDU Sent           :6
TCN: 0, Config: 0, RST: 0, MST: 6
BPDU Received       :4351
TCN: 0, Config: 0, RST: 0, MST: 4351
<CE2> display stp
-------[CIST Global Info] [Mode MSTP] -------
CIST Bridge         :32768.00e0-fc9a-4315
Bridge Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :32768.00e0-fc9a-4315 / 0
CIST RegRoot/IRPC   :32768.00e0-fc9a-4315 / 0
CIST RootPortId     :0.0
BPDU-Protection     :disabled
TC or TCN received  :3
TC count per hello  :3
STP Converge Mode   :Normal
Time since last TC received :0 days 2h:26m:42s
----[Port1(GigabitEthernet1/0/0)] [FORWARDING] ----
Port Protocol       :enabled
Port Role           :Designated Port
Port Priority       :128
Port Cost(Dot1T )   :Config=auto / Active=200000000
Desg. Bridge/Port   :32768.00e0-fc9a-4315 / 128.82
Port Edged          :Config=disabled / Active=disabled
Point-to-point      :Config=auto / Active=true
Transit Limit       :147 packets/hello-time
Protection Type     :None
Port Stp Mode       :MSTP
Port Protocol Type  :Config=auto / Active= dot1s
BPDU Encapsulation  :Config=stp / Active=stp
PortTimes           :Hello 2s MaxAge 20s FwDly 15s RemHop 20
TC or TCN send      :0
TC or TCN received  :0
BPDU Sent           :4534
TCN: 0, Config: 0, RST: 0, MST: 4534
BPDU Received       :6
TCN: 0, Config: 0, RST: 0, MST: 6
Run the display stp command on CE3 and CE4 to view the root in the MST region. You can
find that a spanning tree is calculated between CE3 and CE4. GE 1/0/0 of CE3 is a root port,
and GE 1/0/0 of CE4 is a designated port.
<CE3> display stp
-------[CIST Global Info][Mode MSTP]-------
CIST Bridge         :32768.000b-0967-58a0
Bridge Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :32768.000b-0952-f13e / 199999
CIST RegRoot/IRPC   :32768.000b-0967-58a0 / 0
CIST RootPortId     :128.82
BPDU-Protection     :disabled
TC or TCN received  :0
TC count per hello  :0
STP Converge Mode   :Normal
Time since last TC received :0 days 10h:54m:37s
----[Port1(GigabitEthernet1/0/0)][FORWARDING]----
Port Protocol       :enabled
Port Role           :Root Port
Port Priority       :128
Port Cost(Dot1T )   :Config=auto / Active=200000000
Desg. Bridge/Port   :32768.000b-0952-f13e / 128.82
Port Edged          :Config=disabled / Active=disabled
Point-to-point      :Config=auto / Active=true
Transit Limit       :147 packets/hello-time
Protection Type     :None
Port Stp Mode       :MSTP
Port Protocol Type  :Config=auto / Active= dot1s
BPDU Encapsulation  :Config=stp / Active=stp
PortTimes           :Hello 2s MaxAge 20s FwDly 15s RemHop 20
TC or TCN send      :0
TC or TCN received  :0
BPDU Sent           :114
TCN: 0, Config: 0, RST: 0, MST: 114
BPDU Received       :885
TCN: 0, Config: 0, RST: 0, MST: 885
<CE4> display stp
-------[CIST Global Info][Mode MSTP]-------
CIST Bridge         :32768.000b-0952-f13e
Bridge Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :32768.000b-0952-f13e / 0
CIST RegRoot/IRPC   :32768.000b-0952-f13e / 0
CIST RootPortId     :0.0
BPDU-Protection     :disabled
TC or TCN received  :4
TC count per hello  :4
STP Converge Mode   :Normal
Time since last TC received :0 days 8h:59m:18s
----[Port1(GigabitEthernet1/0/0)][FORWARDING]----
Port Protocol       :enabled
Port Role           :Designated Port
Port Priority       :128
Port Cost(Dot1T )   :Config=auto / Active=200000000
Desg. Bridge/Port   :32768.000b-0952-f13e / 128.82
Port Edged          :Config=disabled / Active=disabled
Point-to-point      :Config=auto / Active=true
Transit Limit       :147 packets/hello-time
Protection Type     :None
Port Stp Mode       :MSTP
Port Protocol Type  :Config=auto / Active= dot1s
BPDU Encapsulation  :Config=stp / Active=stp
PortTimes           :Hello 2s MaxAge 20s FwDly 15s RemHop 20
TC or TCN send      :0
TC or TCN received  :0
BPDU Sent           :1834
TCN: 0, Config: 0, RST: 0, MST: 1834
BPDU Received       :1
TCN: 0, Config: 0, RST: 0, MST: 1
----End
Configuration Files
#
vlan batch 100
#
stp enable
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
return
In this example, PEs transparently transmit STP packets sent from user networks by replacing
the original multicast destination MAC address of STP packets with a specified multicast MAC
address. By default, the destination MAC address of STP packets is 0180-C200-0000.
(Figure labels: PE1, PE2; CE1, CE2, CE3, CE4; VLAN 100, VLAN 200; interfaces GE1/0/0, GE1/0/1, GE1/0/2)
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Configure CEs to send STP packets with specified VLAN tags to PEs.
3.
4. Configure network-side interfaces of PEs to allow packets of VLAN 100 and VLAN 200
to pass.
5. Configure the Layer 2 forwarding function on the P device so that packets sent from PEs
can be transmitted on the backbone network.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Enable STP on CEs and PEs.
# Configure CE1.
[CE1] stp enable
# Configure CE2.
[CE2] stp enable
# Configure CE3.
[CE3] stp enable
# Configure CE4.
[CE4] stp enable
Step 2 Configure CE1 and CE2 to send STP packets with VLAN tag 100 to PEs and configure CE3
and CE4 to send STP packets with VLAN tag 200 to PEs.
# Configure CE1.
[CE1] vlan 100
[CE1-vlan100] quit
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port hybrid tagged vlan 100
[CE1-GigabitEthernet1/0/0] stp bpdu vlan 100
# Configure CE2.
[CE2] vlan 100
[CE2-vlan100] quit
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port hybrid tagged vlan 100
[CE2-GigabitEthernet1/0/0] stp bpdu vlan 100
# Configure CE3.
[CE3] vlan 200
[CE3-vlan200] quit
[CE3] interface gigabitethernet 1/0/0
[CE3-GigabitEthernet1/0/0] port hybrid tagged vlan 200
[CE3-GigabitEthernet1/0/0] stp bpdu vlan 200
# Configure CE4.
[CE4] vlan 200
[CE4-vlan200] quit
[CE4] interface gigabitethernet 1/0/0
[CE4-GigabitEthernet1/0/0] port hybrid tagged vlan 200
[CE4-GigabitEthernet1/0/0] stp bpdu vlan 200
Step 3 Configure PE interfaces to transparently transmit STP packets of CEs to the P device.
# Configure PE1.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] vlan 200
[PE1-vlan200] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port hybrid tagged vlan 100 200
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port hybrid tagged vlan 100
[PE1-GigabitEthernet1/0/1] l2protocol-tunnel stp vlan 100
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port hybrid tagged vlan 200
[PE1-GigabitEthernet1/0/2] l2protocol-tunnel stp vlan 200
[PE1-GigabitEthernet1/0/2] quit
# Configure PE2.
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] vlan 200
[PE2-vlan200] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port hybrid tagged vlan 100 200
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] port hybrid tagged vlan 100
[PE2-GigabitEthernet1/0/1] l2protocol-tunnel stp vlan 100
[PE2-GigabitEthernet1/0/1] quit
[PE2] interface gigabitethernet 1/0/2
Step 4 Configure PEs to replace the destination MAC address of STP packets received from CEs.
# Configure PE1.
[PE1] l2protocol-tunnel stp group-mac 0100-5e00-0011
# Configure PE2.
[PE2] l2protocol-tunnel stp group-mac 0100-5e00-0011
Step 5 Configure the Layer 2 forwarding function on the P device and configure it to allow packets of
VLAN 100 and VLAN 200 to pass.
[P] vlan 100
[P-vlan100] quit
[P] vlan 200
[P-vlan200] quit
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port hybrid tagged vlan 100 200
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 1/0/1
[P-GigabitEthernet1/0/1] port hybrid tagged vlan 100 200
[P-GigabitEthernet1/0/1] quit
Run the display stp command on CE1 and CE2 to view the root in the MST region. You can
find that a spanning tree is calculated between CE1 and CE2. GE 1/0/0 of CE1 is a root port,
and GE 1/0/0 of CE2 is a designated port.
<CE1> display stp
-------[CIST Global Info][Mode MSTP]------
CIST Bridge :32768.000b-09f0-1b91
Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC :32768.000b-09d4-b66c / 199999
CIST RegRoot/IRPC :32768.000b-09f0-1b91 / 0
CIST RootPortId :128.82
BPDU-Protection :disabled
TC or TCN received :2
TC count per hello :2
STP Converge Mode :Normal
Share region-configuration :enabled
Time since last TC received :0 days 3h:53m:43s
----[Port17(GigabitEthernet1/0/0)][FORWARDING]---
Port Protocol :enabled
Port Role :Root Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=200000000
Desg. Bridge/Port :32768.000b-09d4-b66c / 128.82
Port Edged :Config=disabled / Active=disabled
Point-to-point :Config=auto / Active=true
Transit Limit :147 packets/hello-time
Protection Type :None
Run the display stp command on CE3 and CE4 to view the root in the MST region. You can
find that a spanning tree is calculated between CE3 and CE4. GE 1/0/0 of CE3 is a root port,
and GE 1/0/0 of CE4 is a designated port.
<CE3> display stp
-------[CIST Global Info][Mode MSTP]------
CIST Bridge :32768.00e0-fc9f-3257
Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC :32768.00e0-fc9a-4315 / 199999
CIST RegRoot/IRPC :32768.00e0-fc9f-3257 / 0
CIST RootPortId :128.82
BPDU-Protection :disabled
TC or TCN received :4
TC count per hello :4
STP Converge Mode :Normal
Time since last TC received :0 days 3h:57m:0s
----[Port17(GigabitEthernet1/0/0)][FORWARDING]---
Port Protocol :enabled
Port Role :Root Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=200000000
Desg. Bridge/Port :32768.00e0-fc9a-4315 / 128.82
Port Edged :Config=disabled / Active=disabled
Point-to-point :Config=auto / Active=true
Transit Limit :147 packets/hello-time
Protection Type :None
----End
Configuration Files
l
#
interface GigabitEthernet1/0/0
port hybrid tagged vlan 100
stp bpdu vlan 100
#
return
Configuration file of P
#
sysname P
#
vlan batch 100 200
#
interface GigabitEthernet1/0/0
port hybrid tagged vlan 100 200
#
interface GigabitEthernet1/0/1
port hybrid tagged vlan 100 200
#
return
To save VLAN IDs on the public network, configure VLAN stacking on PEs to add outer VLAN
tag 10 to STP packets with VLAN tag 100 and VLAN tag 200. Then STP packets contain double
tags and are transparently transmitted on the backbone network.
In this example, PEs transparently transmit STP packets sent from user networks by replacing
the original multicast destination MAC address of STP packets with a specified multicast MAC
address. By default, the destination MAC address of STP packets is 0180-C200-0000.
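The outer-tag push and destination-MAC replacement described above, traced byte by byte in an added Python example (not Huawei code). The BPDU frames are constructed; the 0x8100 TPID on both tags and the remote PE restoring 0180-C200-0000 while popping the outer tag are assumptions.

```python
import struct

STP_DEFAULT_DMAC = bytes.fromhex("0180c2000000")  # default BPDU destination MAC (from the page)
TUNNEL_GROUP_MAC = bytes.fromhex("01005e000011")  # group-mac configured on PE1/PE2 (from the page)
TPID = 0x8100                                     # assumption: both tags use the 802.1Q TPID


def vlan_tag(vid):
    """Build a 4-byte VLAN tag with priority 0."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID out of range: %d" % vid)
    return struct.pack("!HH", TPID, vid)


def parse(frame):
    """Return (dst MAC, src MAC, VLAN IDs outermost first, remaining bytes)."""
    off, vids = 12, []
    while len(frame) >= off + 4 and struct.unpack_from("!H", frame, off)[0] == TPID:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return frame[:6], frame[6:12], vids, frame[off:]


def ce_bpdu(src_mac, vid):
    """Constructed BPDU frame as a CE with 'stp bpdu vlan <vid>' would tag it."""
    payload = bytes([0x42, 0x42, 0x03]) + bytes(36)  # STP LLC header + zeroed BPDU body
    return (STP_DEFAULT_DMAC + src_mac + vlan_tag(vid)
            + struct.pack("!H", len(payload)) + payload)


def pe_ingress(frame, stacking):
    """User-side PE port: push the outer tag and replace the destination MAC.

    stacking maps inner VLAN -> outer VLAN ('port vlan-stacking vlan X stack-vlan Y').
    Returns None for frames that are not BPDUs of a stacked customer VLAN.
    """
    dst, src, vids, _ = parse(frame)
    if dst != STP_DEFAULT_DMAC or len(vids) != 1 or vids[0] not in stacking:
        return None
    return TUNNEL_GROUP_MAC + src + vlan_tag(stacking[vids[0]]) + frame[12:]


def pe_egress(frame, outer_vid):
    """Remote PE (assumed behaviour): pop the outer tag, restore the BPDU MAC."""
    dst, src, vids, _ = parse(frame)
    if dst != TUNNEL_GROUP_MAC or len(vids) != 2 or vids[0] != outer_vid:
        return None
    return STP_DEFAULT_DMAC + src + frame[16:]


def trace():
    """Follow CE1's and CE3's BPDUs across the backbone; return what each hop sees."""
    # Bridge MACs of CE1 and CE3 from the page, used here as sample source MACs.
    ce1 = ce_bpdu(bytes.fromhex("000b09f01b91"), 100)
    ce3 = ce_bpdu(bytes.fromhex("00e0fc9f3257"), 200)
    hops = {}
    for name, frame, stacking in (("CE1", ce1, {100: 10}), ("CE3", ce3, {200: 10})):
        tunnelled = pe_ingress(frame, stacking)
        hops[name] = {
            "backbone_dst": parse(tunnelled)[0].hex(),
            "backbone_vlans": parse(tunnelled)[2],
            "restored": pe_egress(tunnelled, 10) == frame,
        }
    return hops


if __name__ == "__main__":
    for ce, seen in trace().items():
        print(ce, seen)
```

On the backbone both customers' BPDUs travel in VLAN 10 with the group MAC as destination, so only the inner tag (100 or 200) keeps the two spanning trees apart.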
[Figure: networking diagram. CE1 and CE2 (VLAN 100) and CE3 and CE4 (VLAN 200) connect through GE1/0/0 to GE1/0/1 and GE1/0/2 of PE1 and PE2.]
Configuration Roadmap
The configuration roadmap is as follows:
1.
2. Configure CEs to send STP packets with specified VLAN tags to PEs.
3.
4. Configure QinQ (VLAN stacking) on PEs so that PEs add outer VLAN tag 10 to STP
packets sent from CEs.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Enable STP on CEs and PEs.
# Configure CE1.
[CE1] stp enable
# Configure CE2.
[CE2] stp enable
# Configure CE3.
[CE3] stp enable
# Configure CE4.
Step 2 Configure CE1 and CE2 to send STP packets with VLAN tag 100 to PEs and configure CE3
and CE4 to send STP packets with VLAN tag 200 to PEs.
# Configure CE1.
[CE1] vlan 100
[CE1-vlan100] quit
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port hybrid tagged vlan 100
[CE1-GigabitEthernet1/0/0] stp bpdu vlan 100
[CE1-GigabitEthernet1/0/0] quit
# Configure CE2.
[CE2] vlan 100
[CE2-vlan100] quit
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port hybrid tagged vlan 100
[CE2-GigabitEthernet1/0/0] stp bpdu vlan 100
[CE2-GigabitEthernet1/0/0] quit
# Configure CE3.
[CE3] vlan 200
[CE3-vlan200] quit
[CE3] interface gigabitethernet 1/0/0
[CE3-GigabitEthernet1/0/0] port hybrid tagged vlan 200
[CE3-GigabitEthernet1/0/0] stp bpdu vlan 200
[CE3-GigabitEthernet1/0/0] quit
# Configure CE4.
[CE4] vlan 200
[CE4-vlan200] quit
[CE4] interface gigabitethernet 1/0/0
[CE4-GigabitEthernet1/0/0] port hybrid tagged vlan 200
[CE4-GigabitEthernet1/0/0] stp bpdu vlan 200
[CE4-GigabitEthernet1/0/0] quit
Step 3 Configure QinQ-based transparent transmission on PEs so that PEs add outer VLAN tag 10 to
STP packets with VLAN tag 100 and VLAN tag 200.
# Configure PE1.
[PE1] vlan 10
[PE1-Vlan10] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port hybrid tagged vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[PE1-GigabitEthernet1/0/1] port vlan-stacking vlan 100 stack-vlan 10
[PE1-GigabitEthernet1/0/1] l2protocol-tunnel stp vlan 10
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port hybrid untagged vlan 10
[PE1-GigabitEthernet1/0/2] port vlan-stacking vlan 200 stack-vlan 10
[PE1-GigabitEthernet1/0/2] l2protocol-tunnel stp vlan 10
[PE1-GigabitEthernet1/0/2] quit
# Configure PE2.
[PE2] vlan 10
[PE2-Vlan10] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port hybrid tagged vlan 10
[PE2-GigabitEthernet1/0/0] quit
Step 4 Configure PEs to replace the destination MAC address of STP packets received from CEs.
# Configure PE1.
[PE1] l2protocol-tunnel stp group-mac 0100-5e00-0011
# Configure PE2.
[PE2] l2protocol-tunnel stp group-mac 0100-5e00-0011
Run the display stp command on CE1 and CE2 to view the root in the MST region. You can
find that a spanning tree is calculated between CE1 and CE2. GE 1/0/0 of CE1 is a root port,
and GE 1/0/0 of CE2 is a designated port.
<CE1> display stp
-------[CIST Global Info][Mode MSTP]------
CIST Bridge :32768.000b-09f0-1b91
Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC :32768.000b-09d4-b66c / 199999
CIST RegRoot/IRPC :32768.000b-09f0-1b91 / 0
CIST RootPortId :128.82
BPDU-Protection :disabled
TC or TCN received :2
TC count per hello :2
STP Converge Mode :Normal
Share region-configuration :enabled
Time since last TC received :0 days 3h:53m:43s
----[Port17(GigabitEthernet1/0/0)][FORWARDING]---
Port Protocol :enabled
Port Role :Root Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=200000000
Desg. Bridge/Port :32768.000b-09d4-b66c / 128.82
Port Edged :Config=disabled / Active=disabled
Point-to-point :Config=auto / Active=true
Transit Limit :147 packets/hello-time
Protection Type :None
Port Stp Mode :MSTP
Port Protocol Type :Config=auto / Active= dot1s
BPDU Encapsulation :Config=stp / Active=stp
PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20
TC or TCN send :0
TC or TCN received :0
BPDU Sent :237
TCN: 0, Config: 0, RST: 0, MST: 237
BPDU Received :9607
TCN: 0, Config: 0, RST: 0, MST: 9607
<CE2> display stp
-------[CIST Global Info][Mode MSTP]------
CIST Bridge :32768.000b-09d4-b66c
Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC :32768.000b-09d4-b66c / 0
CIST RegRoot/IRPC :32768.000b-09d4-b66c / 0
CIST RootPortId :0.0
BPDU-Protection :disabled
TC or TCN received :1
TC count per hello :1
STP Converge Mode :Normal
Time since last TC received :0 days 5h:29m:6s
----[Port17(GigabitEthernet1/0/0)][FORWARDING]---
Port Protocol :enabled
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=200000000
Desg. Bridge/Port :32768.000b-09d4-b66c / 128.82
Port Edged :Config=disabled / Active=disabled
Point-to-point :Config=auto / Active=true
Transit Limit :147 packets/hello-time
Protection Type :None
Port Stp Mode :MSTP
Port Protocol Type :Config=auto / Active= dot1s
BPDU Encapsulation :Config=stp / Active=stp
PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20
TC or TCN send :0
TC or TCN received :0
BPDU Sent :7095
TCN: 0, Config: 0, RST: 0, MST: 7095
BPDU Received :2
TCN: 0, Config: 0, RST: 0, MST: 2
Run the display stp command on CE3 and CE4 to view the root in the MST region. You can
find that a spanning tree is calculated between CE3 and CE4. GE 1/0/0 of CE3 is a root port,
and GE 1/0/0 of CE4 is a designated port.
<CE3> display stp
-------[CIST Global Info][Mode MSTP]------
CIST Bridge :32768.00e0-fc9f-3257
Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC :32768.00e0-fc9a-4315 / 199999
CIST RegRoot/IRPC :32768.00e0-fc9f-3257 / 0
CIST RootPortId :128.82
BPDU-Protection :disabled
TC or TCN received :4
TC count per hello :4
STP Converge Mode :Normal
Time since last TC received :0 days 3h:57m:0s
----[Port17(GigabitEthernet1/0/0)][FORWARDING]---
Port Protocol :enabled
Port Role :Root Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=200000000
Desg. Bridge/Port :32768.00e0-fc9a-4315 / 128.82
Port Edged :Config=disabled / Active=disabled
Point-to-point :Config=auto / Active=true
Transit Limit :147 packets/hello-time
Protection Type :None
Port Stp Mode :MSTP
Port Protocol Type :Config=auto / Active= dot1s
BPDU Encapsulation :Config=stp / Active=stp
PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20
TC or TCN send :0
TC or TCN received :0
BPDU Sent :238
TCN: 0, Config: 0, RST: 0, MST: 238
BPDU Received :9745
TCN: 0, Config: 0, RST: 0, MST: 9745
<CE4> display stp
-------[CIST Global Info][Mode MSTP]------
CIST Bridge :32768.00e0-fc9a-4315
Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC :32768.00e0-fc9a-4315 / 0
CIST RegRoot/IRPC :32768.00e0-fc9a-4315 / 0
CIST RootPortId :0.0
BPDU-Protection :disabled
TC or TCN received :2
TC count per hello :2
STP Converge Mode :Normal
Time since last TC received :0 days 5h:33m:17s
----[Port17(GigabitEthernet1/0/0)][FORWARDING]---
Port Protocol :enabled
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=200000000
Desg. Bridge/Port :32768.00e0-fc9a-4315 / 128.82
Port Edged :Config=disabled / Active=disabled
Point-to-point :Config=auto / Active=true
Transit Limit :147 packets/hello-time
Protection Type :None
Port Stp Mode :MSTP
Port Protocol Type :Config=auto / Active= dot1s
BPDU Encapsulation :Config=stp / Active=stp
PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20
TC or TCN send :0
TC or TCN received :0
BPDU Sent :7171
TCN: 0, Config: 0, RST: 0, MST: 7171
BPDU Received :2
TCN: 0, Config: 0, RST: 0, MST: 2
Run the display vlan command on PEs to view the QinQ configuration.
Take the output on PE1 as an example.
<PE1> display vlan 10 verbose
VLAN ID : 10
VLAN Type : Common
Description : VLAN 0010
Status : Enable
Broadcast : Enable
MAC learning : Enable
Statistics : Disable
---------------
Tagged Port: GigabitEthernet1/0/0
---------------
QinQ-stack Port: GigabitEthernet1/0/1
GigabitEthernet1/0/2
----End
Configuration Files
l
12 HVRP Configuration
Background of HVRP
When constructing a metropolitan area network (MAN), carriers usually adopt the ring topology
or tree topology. Regardless of the topology, devices on the convergence layer must support a
large number of MAC address entries to meet the requirements of users. The number of users
on the network increases quickly, and the MAC addresses supported by a switch may be
insufficient for the users connected to the switch. As a result, the switch cannot learn the MAC
addresses of some users. In this case, packets are broadcast in the VLAN, which wastes network
bandwidth and degrades the network performance.
The HVRP protocol can be used when the number of MAC addresses supported by a switch is
smaller than the total number of users connected to the switch. HVRP can identify user VLANs
(that is, local VLANs) and non-user VLANs. In special networking, HVRP can dynamically
register and age VLANs to save MAC addresses and increase the number of users that the switch
supports.
Terms of HVRP
l
HVRP interface
An HVRP interface is an interface that is configured with HVRP attributes and can send,
receive, and process HVRP packets.
Local VLAN
A local VLAN is a VLAN that does not contain any HVRP interface.
VLAN registration
VLAN registration is a process of adding HVRP interfaces to VLANs meeting certain
conditions in tagged mode.
VLAN aging
VLAN aging is a process of deleting a VLAN from an HVRP interface.
Permanent VLAN
A permanent VLAN is a VLAN that is never aged by an HVRP interface.
STP is enabled on the entire network, and the HVRP root interface and HVRP
designated interfaces are calculated through STP.
The Switches are connected through trunk interfaces. The trunk interfaces are all enabled
with HVRP and can forward packets of VLAN 101 to VLAN 500.
HVRP is disabled on the interfaces outside the STP network, that is, edge interfaces.
[Figure: ring of SwitchA to SwitchE connected to the ME60 (VLAN 101-500); the Switches serve VLAN 101-200, VLAN 201-300, VLAN 301-400 and VLAN 401-500.]
Registering VLANs
- Each Switch periodically sends the local VLAN information through the HVRP root
interface.
- Each Switch forwards the received local VLAN information through the HVRP root
interface. In addition, each Switch registers local VLANs on the HVRP designated
interface according to the local VLAN information received from the HVRP designated
interface.
- VLAN registration and aging can be performed only on HVRP designated interfaces.
- A VLAN can be registered on an interface only after the interface is added to the VLAN
statically. For example, if an HVRP designated interface does not belong to VLAN 999,
VLAN 999 cannot be registered on the HVRP designated interface even if the interface
receives an HVRP packet with local VLAN 999.
2. Aging VLANs
If an HVRP designated interface does not receive any VLAN registration packet within the
aging time, the VLANs on the HVRP designated interface are aged.
By default, only local VLANs are aged. You can configure the S9300 to age all the VLANs.
3.
4.
5.
6.
7.
[Figure: SwitchA to SwitchE connected to the ME60.]
SwitchA is the root bridge and other Switches connect to the Layer 3 device through
SwitchA.
[Figure: rings of SwitchA, SwitchB, SwitchC, SwitchN and SwitchN+1 connected to the ME60.]
MSTP is enabled on the entire network. Each ring maps an MSTP instance, and all the
devices on the ring belong to the same region.
SwitchA is the root bridge and other Switches connect to the Layer 3 device (the ME60)
through SwitchA.
[Figure: ring of SwitchA to SwitchE connected to the ME60 (VLAN 101-500); the Switches serve VLAN 101-200, VLAN 201-300, VLAN 301-400 and VLAN 401-500.]
Pre-configuration Tasks
Before enabling HVRP, complete the following tasks:
l
Data Preparation
To enable HVRP, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
NOTE
----End
Procedure
Step 1 Run:
system-view
- The value of the VLAN registration timer must be smaller than the aging time of registered VLANs.
It is recommended that the aging time of registered VLANs be three times the value of the VLAN
registration timer or larger.
- In a ring topology, the same VLAN registration timer and the same aging time of registered VLANs
must be set for all the devices on the ring.
----End
Procedure
Step 1 Run:
system-view
The value of the VLAN registration timer must be smaller than the aging time of registered VLANs. It is
recommended that the aging time of registered VLANs be three times the value of the VLAN registration
timer or larger.
----End
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Run the display hvrp verbose command to view detailed information about HVRP.
Run the display hvrp local-vlan command to view information about local VLANs.
----End
Example
Run the display hvrp verbose command, and you can check whether HVRP is enabled, whether
the function of aging all VLANs is enabled, whether permanent VLANs are configured, and
whether HVRP is enabled on each interface. In addition, you can view the VLAN registration
timer and aging timer of registered VLANs.
<Quidway> display hvrp verbose
HVRP is enabled globally.
HVRP registervlan timer :5s.
HVRP registervlan age timer :15s.
HVRP age all VLAN :Disabled.
HVRP Permanent-vlan :
HVRP statistics on port GigabitEthernet1/0/0 (PORT_LINK_UP)
Mstp Role : 0 - designated
HVRP statistics on port GigabitEthernet2/0/0 (PORT_LINK_UP)
Mstp Role : 0 - root
Run the display hvrp local-vlan command, and you can view information about the local
VLANs.
<Quidway> display hvrp local-vlan
Local Vlan : 3 7 10 40 64
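An added Python example (not part of the Huawei documentation) that applies the timer rules stated earlier in this chapter to display hvrp verbose captures from every Switch on a ring. The captures are constructed, use only the timer fields shown in the output above, and the device names are illustrative.

```python
import re
from collections import Counter

REG_RE = re.compile(r"HVRP registervlan timer\s*:\s*(\d+)s")
AGE_RE = re.compile(r"HVRP registervlan age timer\s*:\s*(\d+)s")


def capture(reg, age):
    """Constructed 'display hvrp verbose' text in the field layout shown above."""
    return ("HVRP is enabled globally.\n"
            "HVRP registervlan timer :%ds.\n"
            "HVRP registervlan age timer :%ds.\n"
            "HVRP age all VLAN :Disabled.\n" % (reg, age))


# Constructed sample: one capture per Switch on the ring.
SAMPLE_RING = {
    "SwitchA": capture(5, 15),
    "SwitchB": capture(5, 15),
    "SwitchC": capture(5, 15),
    "SwitchD": capture(5, 10),    # aging shorter than three registration intervals
    "SwitchE": capture(20, 15),   # registration timer not smaller than aging time
}


def parse_timers(output):
    """Return (registration timer, aging time) in seconds, or None if absent."""
    reg, age = REG_RE.search(output), AGE_RE.search(output)
    if not (reg and age):
        return None
    return int(reg.group(1)), int(age.group(1))


def audit_ring(captures):
    """Return (device, level, message) findings for the rules in this chapter."""
    timers = {dev: parse_timers(text) for dev, text in captures.items()}
    known = [pair for pair in timers.values() if pair]
    # The most common timer pair is taken as the value the ring is meant to use.
    baseline = Counter(known).most_common(1)[0][0] if known else None
    findings = []
    for dev in sorted(timers):
        pair = timers[dev]
        if pair is None:
            findings.append((dev, "ERROR", "timers not found in output"))
            continue
        reg, age = pair
        if reg >= age:
            findings.append((dev, "ERROR",
                             "registration %ds is not smaller than aging %ds" % pair))
        elif age < 3 * reg:
            findings.append((dev, "WARN",
                             "aging %ds is less than 3 x registration %ds" % (age, reg)))
        if pair != baseline:
            findings.append((dev, "ERROR",
                             "timers %ds/%ds differ from ring baseline %ds/%ds"
                             % (pair + baseline)))
    return findings


if __name__ == "__main__":
    for finding in audit_ring(SAMPLE_RING):
        print("%-8s %-5s %s" % finding)
```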
Procedure
l
Run the debugging hvrp error command to enable the debugging of HVRP errors.
Run the debugging hvrp info command to enable the debugging of HVRP-enabled
VLANs.
----End
[Figure: STP ring of SwitchA to SwitchE connected to the ME60 (VLAN 101-500), with VLAN 101-200, VLAN 201-300, VLAN 301-400 and VLAN 401-500 on the Switches; SwitchD uses GE1/0/0, GE2/0/0 and GE3/0/0.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable STP globally. Then SwitchA, which is connected to a Layer 3 device, becomes the
root bridge. The link between SwitchD and SwitchE is blocked by STP.
2. Configure interfaces on SwitchD as trunk interfaces and add the interfaces to VLANs.
3.
Data Preparation
To complete the configuration, you need the following data:
l
VLANs that GE 1/0/0 and GE 2/0/0 belong to: VLAN 101 to VLAN 500
Procedure
Step 1 Configure SwitchD.
# Enable STP globally.
<Quidway> system-view
[Quidway] stp enable
# Create VLANs.
<Quidway> system-view
[Quidway] vlan batch 101 to 500
# Configure the interfaces as trunk interfaces and add the interfaces to VLANs.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] port link-type trunk
[Quidway-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 to 500
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] port link-type trunk
[Quidway-GigabitEthernet2/0/0] port trunk allow-pass vlan 101 to 500
[Quidway-GigabitEthernet2/0/0] quit
[Quidway] interface gigabitethernet 3/0/0
[Quidway-GigabitEthernet3/0/0] port link-type trunk
[Quidway-GigabitEthernet3/0/0] port trunk allow-pass vlan 101 to 200
[Quidway-GigabitEthernet3/0/0] quit
# Enable HVRP.
[Quidway] hvrp enable
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] hvrp enable
[Quidway-GigabitEthernet1/0/0] quit
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] hvrp enable
[Quidway-GigabitEthernet2/0/0] quit
Configure the other Switches on the STP ring in the same manner.
Step 2 Verify the configuration.
Run the display hvrp verbose command to view detailed information about HVRP.
<Quidway> display hvrp verbose
HVRP is enabled globally.
(PORT_LINK_UP)
(PORT_LINK_UP)
----End
Configuration Files
Configuration file of SwitchD
#
sysname Quidway
#
vlan batch 101 to 500
#
stp enable
#
hvrp enable
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 500
hvrp enable
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 500
hvrp enable
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 200
#
return
13
Pre-configuration Tasks
Loop detection and STP are mutually exclusive. To enable loop detection on an interface, you
need to disable STP first.
Data Preparation
To configure loop detection, you need the following data.
No.
Data
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Step 2 Run:
loop-detection enable vlan { { vlan-id1 [ to vlan-id2 ] } & <1-10> | all }
----End
Procedure
Step 1 Run:
system-view
STP is disabled.
Step 4 Run the following commands as required to add the interface to VLANs.
- To add the hybrid interface to VLANs in tagged mode, run port hybrid tagged vlan
{ { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }.
- To add the hybrid interface to VLANs in untagged mode, run port hybrid untagged vlan
{ { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }.
Step 5 Run:
loop-detection mode { port-trap | port-blocking | port-nolearning | port-shutdown }
Loop detection control is enabled on the interface. When a loop is detected on the interface, the
S9300 sets the state of the interface to Trap, Blocking, No learning, or Shutdown.
- Trap: The S9300 sends a trap message but does not perform any operation on the interface.
- Blocking: The interface is blocked and allows only BPDUs to pass through.
- No learning: The interface does not learn MAC addresses of packets.
- Shutdown: The interface is disabled.
By default, an interface turns to the Blocking state when a loop is detected on the interface.
----End
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
The recovery time of the blocked interface is set. The blocked interface is unblocked after the
recovery time.
By default, the recovery time of a blocked interface is 255 seconds.
NOTE
The recovery time of an interface must be longer than or equal to the loop detection interval on the interface.
----End
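An added Python example (not part of the Huawei documentation) that checks a configuration file against the loop detection rules in this chapter: STP disabled on the interface, recovery time not shorter than the detection interval, and the action taken when a loop is found. The configuration is constructed in the layout of the configuration files in this document.

```python
DEFAULT_MODE = "port-blocking"   # default action stated in this chapter
DEFAULT_RECOVERY = 255           # default recovery time in seconds, stated in this chapter

# Constructed sample configuration.
SAMPLE_CONFIG = """\
#
sysname Quidway
#
vlan batch 200
#
loop-detection enable
loop-detection interval-time 30
loop-detection enable vlan 200
#
interface GigabitEthernet1/0/0
 port hybrid untagged vlan 200
 stp disable
 loop-detection mode port-shutdown
 loop-detection recovery-time 60
#
interface GigabitEthernet1/0/1
 port hybrid tagged vlan 200
 loop-detection mode port-trap
 loop-detection recovery-time 20
#
interface GigabitEthernet1/0/2
 port hybrid tagged vlan 200
 stp disable
 loop-detection recovery-time 40
#
return
"""


def sections(config):
    """Yield each '#'-delimited block of a configuration file as stripped lines."""
    block = []
    for line in config.splitlines():
        if line.strip() == "#":
            if block:
                yield block
            block = []
        elif line.strip():
            block.append(line.strip())
    if block:
        yield block


def number_after(lines, prefix):
    """Return the integer that follows 'prefix ' on the first matching line."""
    for line in lines:
        if line.startswith(prefix + " "):
            return int(line[len(prefix) + 1:])
    return None


def audit(config):
    """Return {interface: {mode, recovery, findings}} for loop detection ports."""
    blocks = list(sections(config))
    glob = [l for b in blocks if not b[0].startswith("interface ") for l in b]
    enabled = "loop-detection enable" in glob
    interval = number_after(glob, "loop-detection interval-time")
    report = {}
    for b in blocks:
        if not b[0].startswith("interface "):
            continue
        if not any(l.startswith("loop-detection ") for l in b[1:]):
            continue
        mode = next((l.split()[-1] for l in b
                     if l.startswith("loop-detection mode ")), DEFAULT_MODE)
        recovery = number_after(b, "loop-detection recovery-time")
        recovery = DEFAULT_RECOVERY if recovery is None else recovery
        findings = []
        if not enabled:
            findings.append("loop detection is not enabled globally")
        if "stp disable" not in b:
            findings.append("no 'stp disable': STP must be disabled first")
        if interval is not None and recovery < interval:
            findings.append("recovery time %ds is shorter than detection interval %ds"
                            % (recovery, interval))
        if mode == "port-trap":
            findings.append("trap only: a looped interface keeps forwarding")
        report[b[0].split(None, 1)[1]] = {
            "mode": mode, "recovery": recovery, "findings": findings}
    return report
```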
Example
Run the display loop-detection command, and you can check whether loop detection is enabled. If loop
detection is enabled, the system displays the interval for detecting loops, ID of the VLAN where
loop detection is enabled, loops detected, and information about the ports that turn to the
Shutdown state because of the loops.
<Quidway> display loop-detection
Loop Detection is enable.
Detection interval time is 5 seconds.
Following vlans enable loop-detection:
vlan 17
Following ports are blocked for loop:
NULL
Following ports are shutdown for loop:
NULL
Following ports are nolearning for loop:
NULL
If you run the display loop-detection command on a single port, the following information is
displayed:
<Quidway> display loop-detection interface GigabitEthernet 1/0/0
The port is enable.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
----------------------------------------------------------------------
Normal Shutdown 0 17
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
3.
4.
5.
Data Preparation
To complete the configuration, you need the following data:
l
Procedure
Step 1 Enable loop detection globally.
<Quidway> system-view
[Quidway] loop-detection enable
Configuration Files
Configuration file of the Switch
#
sysname Quidway
#
vlan batch 200
#
loop-detection enable
loop-detection interval-time 50
loop-detection enable vlan 200
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 200
port hybrid untagged vlan 200
stp disable
loop-detection mode port-shutdown
loop-detection recovery-time 20
#
return