 Product & Technology

 Technical Support
 Training & Certification
 Partners
 About H3C
H3C S12500 Switch Series FAQ-R1825P01-6W100
Home Technical Support Technical Documents Switches H3C S12500 Series
Switches H3C S12500 Series Switches Maintenance FAQ

H3C S12500 Switch Series FAQ-R1825P01-6W100

Chapters Download
H3C S12500 Switch Series FAQ-R1825P01-6W100-book.pdf (1.08 MB)

Table of Content
 H3C S12500 Switch Series FAQ-R1825P01-6W100

Related Links
H3C S12500 Series Routing Switches CE DOC-6W103
H3C S12500 Routing Switch Series Installation Guide-6W115
H3C 2RU Slide Rails Installation Guide-6PW103
H3C S12500 Series Routing Switches Documentation Navigator-6W104
About the H3C S12500 Command References
01-Fundamentals Command Reference

H3C S12500 Switch Series (R1825P01) FAQ

Copyright © 2013 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
The information in this document is subject to change without notice.
 Contents
Hardware
Q. What models does the H3C S12500 routing switch series include?
Q. Is power over Ethernet (PoE) supported on the switch?
Q. Does the switch support DC power supplies?
Q. Are the power supplies of the switch hot-swappable?
Q. Is it normal that the power supply fans make a lot of noise?
Q. Is it normal that a power supply has an over-low output current?
Q. Are the switching fabric modules of the switch hot-swappable?
Q. Is active/standby switchover of MPUs supported on the switch?
Q. How do I check the card serial number or manufacture information?
Q. Can the switch automatically adjust the fan speed?
Q. How is the LST2XP32 oversubscribed?

Software
Q. Does the BootWare support forward compatibility?
Q. How do I view the system version information and operation time information?
Q. Why should I upgrade the Comware system software? How should I upgrade the software?
Q. Can I delete the Comware system software image file after the upgrade is completed?
Q. Can I view deleted files?
Q. How can I empty the recycle bin?
Q. Is software patching supported?
Q. Should I remove the old patch file before installing a new patch file?
Q. What is the name of the default configuration file?
Q. What should I do before installing patches?
Q. Why doesn't the switch display the saved configuration file?

System management and maintenance

Q. Information displayed on the console terminal is incorrect sometimes. Why?
Q. What commands should I configure to enable AUX login?
Q. How can I clear a Telnet connection?
Q. Can a Telnet user's username contain the at sign (@)?
Q. I cleared the packet statistics on an interface by using the reset counters interface command. Why does
the MIB browser show that the error packet count is still the same?
Q. How do I format the Flash or CF card from the BootWare?
Q. How do I examine the memory of the switch before the switch starts up?
Q. Will the switch relearn MAC address entries, ARP entries, and FIB entries after an active/standby
switchover?
Q. Why should I wait for all LPUs to operate correctly before I save the running configuration?
Q. Can the management Ethernet interface come up without an IP address?
Q. I was using TFTP to transfer data from the switch. Why did the transfer fail when the amount of
transferred data reached about 32 MB?
Q. Can the switch operate as a TFTP server?
Q. Can I power on the switch immediately after I power off the switch?
Q. How are packets arriving at the standby MPU's management Ethernet interface handled?
Q. Why does the Input interface value or Output interface value field in an sFlow packet have a value of 0?

Network security and attack protection

Q. What attack protection functions does the switch support?
Q. What roles can the switch play when using different SSH versions?
Q. Do the switch support local authentication before RADIUS authentication?
Q. Why cannot a user log in to an ACS authentication server through a console port when the switch uses
RADIUS authentication?
 Q. Why can the level for the RADIUS server (the switch) only be 1 when it connects to an ACS server?
Q. Does the switch support local authentication when HWTACACS authentication fails?
Q. Can the switch be connected to a TACACS server that runs third-party TACACS server software?
Q. Must the server type for the switch configured with a RADIUS scheme be set to extended?
Q. Does the reply from a RADIUS server include the login-service option after the authentication succeeds?
Q. How do I set the user privilege level assigned to users for logging in to the user interface?
Q. What is the relationship between the levels authorized by an S12500 HWTACACS server and the levels
authorized by a Cisco ACS server?
Q. Which one of the user level configured in VTY user interface and the user level configured on a RADIUS
server or a TACACS server prevails for a Telnet user?
Q. How do I prevent gateway spoofing when the switch acts as a gateway?
Q. Which kinds of OAA modules are supported on the switch?

Network access
Q. What is the maximum number of bits of a port count?
Q. Can the interface of the switch suppress unicast packets, broadcast packets, and multicast packets at the
same time?
Q. What are the meanings of the error packet fields for input and output packets in the output from the
display interface command?
Q. Does the switch support jumbo frames?
Q. Are the MAC address tables the same for different cards of the switch?
Q. How long is the aging timer for dynamic MAC address entries? How are the dynamic MAC address entries
aged?
Q. Can frames be correctly forwarded when the MAC address learning limit is set to 0?
Q. Why does a port still have MAC address entries after the mac-address max-mac-count 0 command is
configured on the port?
Q. Why is a MAC address learned into multiple VLANs?
Q. How is the traffic load-shared for link aggregation on the switch?
Q. Does the switch support configuring static MAC address entries on an aggregate interface?
Q. Does the switch support RRPP after link aggregation is configured on the switch?
Q. Does DLDP take effect when one fiber is connected in case that two fibers of a link are both disconnected?
Q. What fields are displayed in the output transceiver module optical power information?
Q. How is the port rate percentage calculated?
Q. How are the Selected ports determined when GE ports and 10-GE ports are added to an aggregation
group?
Q. Why is the peer port down and the local port not down when the port of an S12500 switch is connected
to the port of another device?
Q. What restrictions and guidelines should I follow when I configure loop detection?

Spanning tree protocols

Q. What STP protocols are supported?
Q. What STP protocols are available in the industry?
Q. How are ARP entries and MAC address entries handled when the STP topology changes?
Q. When does an MSTP port send TC BPDUs?
Q. Why are MSTP port states wrong when MSTP configuration is correct on the switch?
Q. Do RSTP and MSTP have TCN BPDUs?
Q. Why are ports on a Cisco device down when MSTP is disabled on the connected ports of the switch?
Q. What STP modes are interoperable between the switch and the third-party devices?
Q. How can I interoperate the switch with a third-party device in MSTP mode?
Q. What are the precautions for configuring digest snooping?

IP forwarding services
Q. Does the switch support configuring an IP address for a physical port?
Q. Does the switch support configuring a secondary IP address for a VLAN interface?
 Q. Is the secondary IP address still valid when the primary IP address is removed?
Q. What is the MAC address of a VLAN interface used for?
Q. Does the switch send trap messages when the maximum size of the ARP table is reached?
Q. How is ECMP load sharing implemented on the switch?
Q. Does the switch support weighted ECMP load sharing?
Q. How does VRRP tracking function?
Q. Does the VRRP module of the switch support associating a track entry with a physical port on the master?
Q. In the FIB table, when a route obtained from the routing table conflicts with a host route obtained from
the ARP table, which route has a higher priority for packet forwarding?
Q. Does the unauthorized DHCP server detection function take effect when the switch operates as a Layer
2 device?
Q. How does the switch handle an ICMP ping packet whose size exceeds 1500 bytes?
Q. Is the sending interval of ICMP ping packets configurable on the switch?
Q. What are the restrictions and guidelines for URPF configuration?
Q. How do I set an MTU value?
Q. I configure an IPv6 address on a trunk port configured on the internal interface of the OAA module on
the switch. Why do I get a prompt that an IP address conflict occurs?
Q. What releases for the switch support IPv6 on the VLAN interface of a super VLAN?

MPLS
Q. What are the restrictions for connecting the switch to a Juniper MX900 device through VPLS?
Q. How do I filter LSPs triggered by routes with non-32 bit masks?
Q. Can the BVLAN and the CVLAN for a PBBN be the same?

IP routing
Q. Does the switch support configuring blackhole routes?
Q. Is the OSPF cost of an interface on the switch relevant to the rate of the corresponding Layer 2 Ethernet
interface?
Q. What are the preferences of different routing protocols?
Q. What are the possible reasons for the OSPF CONFIG ERROR trap?
Q. Why is the LS ACK: BAD ack count a non-zero value when I display OSPF error information?
Q. When the next hop of a static route becomes invalid, route recursion is performed and the blackhole
route applies. How do I resolve this problem?
Q. Why are OSPF router ID conflict logs generated?

IP multicast
Q. Is IGMP supported on the switch?
Q. What IP multicast protocols are supported on the switch?
Q. Is static RP configuration supported on the switch?
Q. Are static multicast routes supported on the switch?
Q. How do I deny multicast packets from an illegal multicast source?
Q. Is multicast group filtering supported on the switch?
Q. How does the switch forward a multicast packet to the receiver after the multicast packet fails RPF check?
Q. The RPF check fails after the MSDP peer switchover in inter-domain multicast routing. What are the
possible reasons?
Q. Does the link-aggregation load-sharing mode command enable load sharing of multicast traffic?
Q. Can the VRRP virtual IP address be the next hop for the switch to reach the multicast source?
Q. Is auto-RP supported on the switch?

QACL
Q. Does the switch support multiboard traffic and port mirroring?
Q. Does the switch support multichassis traffic and port mirroring?
Q. What restrictions and guidelines should I follow when I configure port mirroring on the switch?
Q. How many destination ports can I configure for traffic mirroring on the switch?
Q. How many destination ports can I configure for port mirroring on the switch?
 Q. Can I configure both traffic mirroring and port mirroring on the switch?
Q. Does packet filtering configured on the switch affect the port mirroring function?
Q. In which situation will the prompt "Error: Failed to configure port mirroring due to hardware
unsupported!" be displayed when I configure the mirroring function?
Q. Does the switch support multichassis port mirroring and traffic redirection to a port?
Q. Does the switch support a QoS policy for outgoing traffic?
Q. What are the priorities of QoS policies configured on the switch?
Q. What restrictions and guidelines should I follow when I configure VLAN QoS policies on the switch?
Q. What restrictions and guidelines should I follow when I configure global QoS policies on the switch?
Q. What's the match order of ACL rules on the switch?
Q. What are the differences when the permit or deny statement is used in different applications?
Q. Why cannot a device on an external network ping the VLAN interface of the switch configured with PBR?
Q. What's the order in which ACL rules are restored after a card is restarted?
Q. Can the match criteria configured on the switch match Layer 2 or Layer 3 packets?
Q. Does the switch support QoS traffic classification policies that reference basic/advanced ACLs and
Ethernet frame header ACLs at the same time?
Q. Does the switch support packet filtering?
Q. How do I configure packet filtering on the switch?
Q. Does the switch support traffic policing for traffic flows on multiple ports (aggregate CAR)?
Q. Why do interface traffic statistics not change after CAR is configured on an interface on the switch?
Q. Does the switch support traffic redirection?
Q. Does the switch support strong or weak PBR for traffic forwarding?
Q. Why can a tracert response be received from the switch after the switch is configured with PBR?
Q. How do I clear traffic statistics on the switch?
Q. Can an ACL match ICMP packets encapsulated with PPPoE on the switch?
Q. What are the functions of the qos priority dot1p and qos trust dot1p commands configured on an
interface on the switch?
Q. Does the switch trust the priorities of a packet by default?
Q. Does the switch functioning as a P device in an MPLS network trust the EXP value of a packet?
Q. Why is the scheduling inaccurate when both SP and WRR scheduling algorithms are configured in a
queue scheduling profile?
Q. Can WRR be configured together with GTS?
Q. How do I resolve the problem that the switch discards packets because congestion occurs on an interface?
Q. Does the switch support collecting traffic statistics of a VLAN interface?
Q. Do statistics collected by the per-port queue-based accounting include statistics about outgoing packets
that are filtered out on the switch?
Q. What restrictions and guidelines should I follow when I configure traffic mirroring and port mirroring
on the switch in IRF mode?

QinQ
Q. What is QinQ?
Q. How does QinQ work?
Q. What benefits does QinQ provide?
Q. What are the differences between basic QinQ and selective QinQ?
Q. Can QinQ add another tier of VLAN tag to a double-tagged customer frame?
Q. What VLAN tags do the if-match service-vlan-id command and the if-match customer-vlan-id command
match?
Q. What command should I use to match the VLAN ID of a single-tagged customer frame for selective QinQ?
Q. Why can't the if-match customer-vlan-id command match the CVLAN tag for selective QinQ?
Q. How does selective QinQ obtain the 802.1p priority value for an SVLAN tag?
Q. Can the 802.1p priority in a CVLAN tag be modified?
Q. Does the switch learn MAC addresses to the SVLAN or CVLAN on a QinQ port?
 Q. Why can't QinQ frames sent by the switch be correctly identified as tagged on third-party vendors'
devices?

IRF
Q. Can an H3C S12500 switch form an IRF fabric with other series devices?
Q. How many chassis can an H3C S12500 IRF fabric have?
Q. Are there any special requirements for connecting IRF member chassis?
Q. What topologies does IRF support?
Q. Does an IRF fabric support multichassis Ethernet link aggregation?
Q. Can I set up an IRF connection that has multiple links?
Q. Can IRF member chassis use duplicate member IDs?
Q. Are there any software feature consistency requirements for a successful IRF setup?
Q. Why can't I configure a port as a Layer 3 Ethernet interface?
Q. Why can't I disable enhanced IRF?
Q. Can I run LACP MAD on any Ethernet link aggregation?
Q. Why doesn't BFD MAD take effect when the spanning tree feature is enabled globally in IRF mode?
Q. Why are ports that were shut down by MAD still down after an IRF merge?
Q. Why doesn't the running configuration on a re-unified IRF fabric include the configuration that I made
on one chassis after an IRF split?
Q. Why do the subordinate chassis reboot automatically upon IRF merge?
Q. Why can't data traffic be forwarded at the wire speed on IRF links?
Q. Will the Active-state IRF fabric retain configuration for chassis in the Recovery-state IRF fabric after an
IRF split?
 H3C S12500 Switch Series (R1825P01) FAQ
Hardware
This section contains the most frequently asked questions about the switch hardware.

Q. What models does the H3C S12500 routing switch series include?

A. The H3C S12500 Routing Switch Series includes H3C S12504, H3C S12508, and H3C S12518.
 An H3C S12504 switch has slot 0 and slot 1 for main processing units (MPUs), and has slots 2 through 5 for line
processing units (LPUs).
 An H3C S12508 switch has slot 0 and slot 1 for MPUs, and has slots 2 through 9 for LPUs.
 An H3C S12518 switch has slot 0 and slot 1 for MPUs, and has slots 2 through 19 for LPUs.
H3C S12504, H3C S12508, and H3C S12518 switches are illustrated from left to right in Figure 1.
Figure 1 Front views
Q. Is power over Ethernet (PoE) supported on the switch?

A. No. The switch does not support PoE.

Q. Does the switch support DC power supplies?

A. Yes. The switch supports both AC and DC power supplies.

Q. Are the power supplies of the switch hot-swappable?

A. Yes. The power supplies of the switch are hot-swappable. As long as the power provided by the operating power
supplies meets the requirements, the switch runs correctly.
Q. Is it normal that the power supply fans make a lot of noise?

A. An operating power supply adjusts its fan speed based on its temperature. It is normal that the fans operate at
a higher speed for a period of time under the following conditions:
 For an AC power supply:
 Hard switching is performed. When the current of an AC power supply is less than 5 A, the power supply uses hard
switching. When hard switching is performed, a large amount of heat is produced, causing high fan speed. When the
current is greater than 5 A, the power supply uses soft switching. When soft switching is performed, a small amount of
heat is produced, resulting in low fan speed.
 The power supply is under heavy load, producing a large amount of heat.
 For a DC power supply:
The power supply is under a heavy load, producing a large amount of heat.
In these conditions, the power supply does not generate an alarm. If the power supply is faulty, an alarm is generated.

Q. Is it normal that a power supply has an over-low output current?

A. It is normal that a power supply's output current is an over-low value or 0 when the system power load is less
than 25% of the system power capacity. When the load is increased or one or more power supplies are removed,
the power supply monitoring software will automatically adjust the output current of each available power
supply and the output current value will go up accordingly.
If a power supply's output current remains at about 0 when the system power load increases or one or more power supplies
are removed, the power supply might be faulty.

Q. Are the switching fabric modules of the switch hot-swappable?

A. Yes. The switching fabric modules of the switch are hot-swappable.
Q. Is active/standby switchover of MPUs supported on the switch?

A. Yes. The switch supports active/standby switchover of the MPUs. The standby MPU can automatically take over
the responsibility of the failed active MPU, ensuring uninterrupted services. For a successful active/standby
switchover, make sure the software versions on the active and standby MPUs are consistent. You can also use the
slave switchover command to manually perform an active and standby switchover:
In standalone mode:
[Sysname]slave switchover
Caution!!! Confirm to switch slave to master? [Y/N]:y
In IRF mode:
<Sysname>reboot chassis <id> slot <id>
Before manually performing an active and standby switchover, make sure the configuration of the active MPU has been
 backed up to the standby MPU. If the manual switchover takes place during the backup process, the switchover fails and the
system displays an error message. You can use the display switchover state command to view the status of the standby MPU.
<Sysname> display switchover state

Q. How do I check the card serial number or manufacture information?

A. Use the display device manuinfo command on the switch. The following is a sample command output.
<Sysname>display device manuinfo
Chassis self
Slot 0:
DEVICE_NAME : LST1GT48LEC1
DEVICE_SERIAL_NUMBER : 210231A85N0099000041
MAC_ADDRESS : NONE
MANUFACTURING_DATE : 2012-10-21
VENDOR_NAME : H3C
Slot 2:
DEVICE_NAME : LST1GT48LEC1
DEVICE_SERIAL_NUMBER : 210231A85N0099000041
MAC_ADDRESS : NONE
MANUFACTURING_DATE : 2012-10-21
VENDOR_NAME : H3C

Q. Can the switch automatically adjust the fan speed?

A. Yes. The switch can automatically adjust the fan speed based on the temperature in the chassis. You can use the
display fan verbose command to display detailed information about fans. The following is a sample command
output.
<Sysname>display fan verbose
Fan-tray verbose state on chassis 2:
Fan-tray 1:
Software version: 105
Hardware version: Ver.A
CPLD version: 002
Fan number: 12
Temperature: 37 °C
High temperature alarm threshold: 60 °C
Low speed alarm threshold: 750 rpm
Fan Status Speed(rpm)
--- ---------- ----------
1 normal 4320
2 normal 4440
3 normal 4380
4 normal 4740
5 normal 4080
6 normal 4440
7 normal 4320
8 normal 4320
9 normal 4380
10 normal 4560
11 normal 4500
12 normal 4500
Fan-tray 2:
 Software version: 105
Hardware version: Ver.A
CPLD version: 002
Fan number: 12
Temperature: 37 °C
High temperature alarm threshold: 60 °C
Low speed alarm threshold: 750 rpm
Fan Status Speed(rpm)
--- ---------- ----------
1 normal 4320
2 normal 4440
3 normal 4380
4 normal 4740
5 normal 4080
6 normal 4440
7 normal 4320
8 normal 4320
9 normal 4380
10 normal 4560
11 normal 4500
12 normal 4500

Q. How is the LST2XP32 oversubscribed?

The LST2XP32 has a capacity of 80 Gbps and provides thirty-two 10 GE ports. It is oversubscribed at a ratio of 4:1. Every four
ports comprise an oversubscription group and share a 10 G bandwidth, as follows:
 Ports 1, 5, 9, and 13
 Ports 2, 6, 10, and 14
 Ports 3, 7, 11, and 15
 Ports 4, 8, 12, and 16
 Ports 17, 21, 25, and 29
 Ports 18, 22, 26, and 30
 Ports 19, 23, 27, and 31
 Ports 20, 24, 28, and 32

Software
This section contains the most frequently asked questions about the switch software.
Q. Does the BootWare support forward compatibility?

A. Yes. The BootWare supports forward compatibility. After a software upgrade, you can roll back the Comware
system software without rolling back the BootWare.
Q. How do I view the system version information and operation time information?

A. Use the display version command. This command displays information about the current BootWare version,
Comware system software version, and system operation time.
Q. Why should I upgrade the Comware system software? How should I upgrade the software?

A. H3C continually improves the Comware system software to meet customer requirements and solve problems.
By upgrading the Comware system software, you can fix existing software bugs, and obtain more features and
functions, optimized applications, and higher device performance, availability, and attack protection capability.
To make sure the configuration file can operate correctly after an upgrade, do the following:
1. Before the upgrade, use the save command to save the running configuration, and use FTP to save a copy of the file to a PC.
2. After the upgrade is completed, examine that all cards are operating correctly, use the save command to save the running
configuration, and use FTP to save a copy of the file to a PC.
3. Compare the two configuration files and reconfigure the commands that are missing.
H3C recommends that you use a file comparing tool, such as Beyond Compare. The configuration files usually contain a large
quantity of commands.
This procedure applies to upgrades from one Comware V5 version to another Comware V5 version and upgrades from one
Comware V7 version to another Comware V7 version. For information about how to upgrade the software from Comware V5
to Comware V7, see H3C S12500 Comware V5-V7 Migration Guide.

Q. Can I delete the Comware system software image file after the upgrade is completed?

A. No. The file contains the software images for MPUs and the software images for LPUs. MPUs and LPUs read these
images during startup.
Q. Can I view deleted files?

A. Yes if the files were deleted by a delete command without the /unreserved option. A delete command with the
/unreserved option permanently deletes files. A delete command without the /unreserved option moves
commands to the recycle bin.
To view the commands in the recycle bin, use the dir /all command. The name of a file in the recycle bin is placed in brackets
([ ]).
You can use the undelete command to restore commands from the recycle bin.
Q. How can I empty the recycle bin?

A. Use the reset recycle-bin command. If a file in the recycle bin is corrupt, use the reset recycle-bin command with
the force keyword to delete the file.
Q. Is software patching supported?

A. Yes. The switch supports software patching.

Q. Should I remove the old patch file before installing a new patch file?

A. Yes. You must remove the old patch file from the storage media manually before installing a new patch file. A
new patch file contains the patches in the old patch file.
Q. What is the name of the default configuration file?

A. The name of the default configuration file is flash:/config.cfg.

Q. What should I do before installing patches?

A. Before installing patches, do the following:

 Make sure the patch image file is saved to the same type of storage medium (flash or CF card) on the MPUs.
 Make sure the patch image files on the MPUs are located in the same directory.
 Specify the path of the patch image file for the patch file location argument.

Q. Why doesn't the switch display the saved configuration file?

A. The device does not display the saved configuration file at the first startup:
<Sysname>display startup
MainBoard:
Startup saved-configuration file: NULL
Next startup saved-configuration file: flash:/config.cfg
SlaveBoard:
Startup saved-configuration file: NULL
Next startup saved-configuration file: flash:/config.cfg

System management and maintenance

This section contains the most frequently asked questions about system management and maintenance.

Q. Information displayed on the console terminal is incorrect sometimes. Why?

A. If nothing is displayed on the console terminal, examine the following:

 Whether the power system is operating correctly.
 Whether the MPUs are operating correctly.
 Whether the console cable is connected to the console port correctly.
If no problem is found, the reason might be one of the following:
 The access port specified for the terminal is different from the port to which the console cable is connected.
 Settings on the configuration terminal are incorrect.
 The cable has a problem.
If garbled characters are displayed on the terminal, settings on the configuration terminal might be incorrect.
The correct terminal settings are as follows:
 Bits per second—9600 bps
 Flow control—None
 Parity—None
  Stop bits—1
 Data bits—8
 Terminal display type—VT100
If you are running the terminal software SecureCRT, you must deselect the DTR/DSR option and RTS/CTS option for flow
control. By default, the RTS/CTS option is selected for flow control.

Q. What commands should I configure to enable AUX login?

A. You can configure the following commands:

[Sysname] user-interface aux 0
[Sysname-ui-aux0] authentication-mode none
[Sysname-ui-aux0] user privilege level 3

Q. How can I clear a Telnet connection?

A. Use the free user-interface vty number command in user view.

Q. Can a Telnet user's username contain the at sign (@)?

A. The username of a Telnet user that is configured on the switch cannot contain the at (@) sign.
Q. I cleared the packet statistics on an interface by using the reset counters interface

command. Why does the MIB browser show that the error packet count is still the same?

A. The MIB browser shows the values of the hardware counters. The reset counters interface command does not
reset the hardware counters. This command clears only the statistics calculated by software.
Q. How do I format the Flash or CF card from the BootWare?

A. Do the following while the device is starting up:

1. Press Ctrl+B as prompted to enter the BootWare menu.
2. Select the storage medium to be formatted (Flash by default) and press Ctrl+F:
=============<EXTEND-BOOTWARE MENU>===============
|<1> Boot System
|<2> Enter Serial SubMenu
|<3> Enter Ethernet SubMenu
|<4> File Control
|<5> Restore to Factory Default Configuration |
|<6> BootWare Operation Menu
|<7> Clear Super Password
|<8> Storage Device Operation
|<9> Product Special Operation
|<0> Reboot
============================================================================
Ctrl+Z: Access EXTEND-ASSISTANT MENU
Ctrl+F: Format File System
Enter your choice(0-9): 8

==============================<DEVICE CONTROL>==============================
|<1> Display All Available Nonvolatile Storage Device(s) |
|<2> Set The Operating Device
|<3> Set The Default Boot Device
|<0> Exit To Main Menu
 ============================================================================
Enter your choice(0-3): 2

Please set the operating device:

============================================================================
|Note:the operating device is cfa0 |
|NO. Device Name File System Total Size Available Space
|1 flash VFS 132909056 132892672
|2 cfa0 FAT 1044549632 282378240
|0 Exit
============================================================================
Enter your choice(0-2):1
Set the operation device successful!

==============================<DEVICE CONTROL>==============================
|<1> Display All Available Nonvolatile Storage Device(s) |
|<2> Set The Operating Device
|<3> Set The Default Boot Device
|<0> Exit To Main Menu
============================================================================
Enter your choice(0-3): 0

===========================<EXTEND-BOOTWARE MENU>===========================
|<1> Boot System
|<2> Enter Serial SubMenu
|<3> Enter Ethernet SubMenu
|<4> File Control
|<5> Restore to Factory Default Configuration |
|<6> BootWare Operation Menu
|<7> Clear Super Password
|<8> Storage Device Operation
|<9> Product Special Operation
|<0> Reboot
============================================================================
Ctrl+Z: Access EXTEND-ASSISTANT MENU
Ctrl+F: Format File System
Enter your choice(0-9):
Warning:All files on flash will be lost! Are you sure to format? [Y/N]

Q. How do I examine the memory of the switch before the switch starts up?

A. Power on the switch and press Ctrl+T or Ctrl+Y as prompted.

Press Ctrl+T to start the 5-step memory test procedure:
%Jun 4 10:47:23:092 2013 DEVM/5/SYSTEM_REBOOT: System is rebooting now.
DDR2 SDRAM test successful.
Press Ctrl+T to start five-step full RAM test...
Press Ctrl+Y to start nine-step full RAM test...
Running five-step RAM test...
This operation may take several minutes. Please wait...
DDR2 SDRAM dataline testing... [ PASS ]
DDR2 SDRAM addressline testing... [ PASS ]
Five-step RAM test succeeded.
 System is starting...
Press Ctrl+Y to start the 9-step memory test procedure:
DDR2 SDRAM test successful.
Starting Nine-Step ram test.
DDR2 SDRAM dataline testing... [ PASS ]
DDR2 SDRAM addressline testing... [ PASS ]
DDR2 SDRAM unit testing... [ PASS ]
Nine-Step ram test successful.
System is starting...
Booting Normal Extend BootWare
The Extend BootWare is self-decompressing.....................Done!

Q. Will the switch relearn MAC address entries, ARP entries, and FIB entries after an

active/standby switchover?

A. No, the switch does not relearn MAC address entries and ARP entries, and it differs for FIB entries depending
on whether or not GR and NSR are configured for the routing protocol:
 MAC address entries are saved on LPUs. A switchover does not affect MAC entries or data forwarding based on the
entries.
 ARP entries are backed up on the standby MPU. A switchover does not affect ARP entries or data forwarding based on
the entries.
 FIB entries are also backed up on the standby MPU:
 If GR or NSR is configured for the routing protocol, the routing protocol continues to operate after a switchover, and the
switch has to relearn routes. However, data forwarding based on the existing entries is not affected.
 If both GR and NSR are not configured for the routing protocol, a switchover brings the routing protocol down and causes
the FIB entries to be lost. Data forwarding is stopped and the switch must learn FIB entries again.
Q. Why should I wait for all LPUs to operate correctly before I save the running

configuration?

A. The configuration is saved on the Flash. During startup, the switch configures LPUs by loading the configuration
to memory. If you execute the save command before the process is completed, the incomplete configuration in
memory will be saved to the Flash to replace the complete configuration, resulting in configuration loss.
Q. Can the management Ethernet interface come up without an IP address?

A. Yes. The interface can come up as long as the Layer 2 link is up. In addition, flow control is performed on the
interface by software, and excessive packets arriving at the interface cannot affect system operation.
Q. I was using TFTP to transfer data from the switch. Why did the transfer fail when the

amount of transferred data reached about 32 MB?

A. This problem is caused by the TFTP server. Some TFTP servers have a limit of 32 MB on a transferred data block.
When the amount of transferred data for the block reaches approximately 32 MB, the TFTP server stops
requesting data transfer. If you experience this problem, please change the TFTP server software.
Q. Can the switch operate as a TFTP server?

A. No.
Q. Can I power on the switch immediately after I power off the switch?

A. H3C recommends that you follow these steps to power cycle the device:
1. Power off the device by turning off the power switches one by one.
2. Wait 3 to 5 seconds so electricity is completely released.
3. Power on the device by turning on the power switches one by one.

Q. How are packets arriving at the standby MPU's management Ethernet interface handled?

A. A packet arriving at a management Ethernet interface is always forwarded to the CPU. Then, the software
examines whether or not the MPU that holds the management Ethernet interface is the standby MPU:
 If it is the standby MPU, the switch discards the packet.
 If it is the active MPU, the switch proceeds to process the packet.
The CPU on an MPU processes up to 2000 packets per second.
Q. Why does the Input interface value or Output interface value field in an sFlow packet

have a value of 0?

A. A sample packet in the inbound direction does not carry the outbound packet count. A sample packet in the
outbound direction does not carry the inbound packet count.
Figure 2 Sample in the inbound direction

Figure 3 Sample in the outbound direction

Network security and attack protection

This section contains the most frequently asked questions about network security and attack protection.

Q. What attack protection functions does the switch support?

A. The switch supports the link layer attack protections, ARP attack protections, network layer attack protections,
and transport layer attack protections, as shown in Table 1.
Table 1 Attack protection types
Attack protection types Description
Link layer attack MAC address attack protect Prevents the attack of packets with different source MAC
protection ion addresses or VLANs by configuring the maximum number
of MAC addresses that an interface can learn.
STP packet attack protectio Provides protection measures such as BPDU guard, root g
n uard, loop guard, TC-BPDU guard, and STP status confusio
n protection.
ARP attack prote ARP source suppression Prevents IP attack packets from fixed sources.
ction ARP black hole routing Prevents IP attack packets from sources that are not fixe
d.
ARP active acknowledgemen Prevents user spoofing.
t
Source MAC-based ARP atta Prevents ARP packet attacks from the same source MAC.
ck detection
 ARP packet source MAC co
nsistency check
Network layer att uRPF check
ack protection ICMP attack protection
TTL attack protection
Transport layer a SYN flood attack protection
ttack protection
Naptha attack protection
Prevents attacks from ARP packets whose source MAC ad
dress in the Ethernet header is different from the sender
MAC address in the message body.
Protects a network against source spoofing attacks.
Prevents ICMP fragments attacks by disabling forwarding
ICMP fragments.
Prevents an attack by disabling sending ICMP time exceed
ed messages.
After receiving a TCP connection request, the server direc
tly returns a SYN ACK message, instead of establishing a
half-open TCP connection.
The device periodically checks the number of TCP connec
tions in each state. If it detects that the number of TCP
connections in a state exceeds the maximum number, it
will accelerate the aging of TCP connections in this state.

Q. What roles can the switch play when using different SSH versions?
A. Table 2 describes roles for the switch according to SSH version.
Table 2 Switch roles and SSH versions
Version/Feature SSH1 SSH2

S12500 Acts as the server. Acts as the server and the client.

Q. Do the switch support local authentication before RADIUS authentication?

A. No. Local authentication can be performed only when no response is received from the RADIUS server.
Q. Why cannot a user log in to an ACS authentication server through a console port when
the switch uses RADIUS authentication?
A. The user can log in to an ACS server through a console port only when you deselect the login-service option for
the ACS server configuration.
Q. Why can the level for the RADIUS server (the switch) only be 1 when it connects to an
ACS server?
A. The symptom might occur when one of the following conditions takes place:
 The server type for the switch is not set to extended.
 The 2011/002 private attributes for the ACS server are not complete.
 The login-service attribute for the ACS server is not configured.

Q. Does the switch support local authentication when HWTACACS authentication fails?
A. The switch supports local authentication when the HWTACACS server is disconnected.
The switch does not support local authentication when the HWTACACS server operates correctly with an authentication
failure due to a wrong username or a wrong password.
To enable local authentication, specify the local keyword in the authentication default command. The command configures
the default authentication mode for an ISP domain to use an HWTACACS scheme and use local authentication as the backup.
The following commands must be executed:
 domain isp-name
 authentication default hwtacacs-scheme hwtacacs-scheme-name local
 Q. Can the switch be connected to a TACACS server that runs third-party TACACS server
software?
A. As long as the TACACS server is configured with the standard RADIUS protocol, the switch can be connected to
the server. The servers include ACS servers from Cisco and TACACS servers open to public (for example, free
TACACS servers).
Q. Must the server type for the switch configured with a RADIUS scheme be set to
extended?
A. Yes. The server type must be set to extended for RADIUS scheme configuration when you need to do one of the
following:
 Specify an accessory path instead of using the default path Flash.
 Assign a privilege level to a Telnet user instead of assigning the default privilege level of 0.

Q. Does the reply from a RADIUS server include the login-service option after the
authentication succeeds?
A. It depends on the server. The login-service option does not matter to the switch, but the switch needs to process
the service-type option.
Q. How do I set the user privilege level assigned to users for logging in to the user
interface?
A. You can set the user privilege level by executing the user privilege level level command in user interface view or
by executing the authorization-attribute level command in local user view.
If the switch acts as a HWTACACS server, set the user privilege level on the switch.

Q. What is the relationship between the levels authorized by an S12500 HWTACACS

server and the levels authorized by a Cisco ACS server?
A. The levels have the following relationships:
 The levels 0 to 2 authorized by an H3C S12500 HWTACACS server correspond to the levels 0 to 2 authorized by a Cisco
ACS server.
 The levels 3 to 16 authorized by a Cisco ACS server correspond to the level 3 authorized by an H3C S12500 HWTACACS
server.

Q. Which one of the user level configured in VTY user interface and the user level
configured on a RADIUS server or a TACACS server prevails for a Telnet user?
A. The user level configured on a RADIUS server or a TACACS server prevails. Both the default levels are 0.
For example, if the user level 3 is configured in VTY user interface, and no user level is configured on the server, the user level
0 takes effect for the Telnet user.
If no user level or any user level is configured in VTY user interface, and user level 3 is configured on the server, user level 3
takes effect for the Telnet user.
The user level configured in VTY user interface takes effect only the authentication-mode one command or the password
command is executed.
 Q. How do I prevent gateway spoofing when the switch acts as a gateway?
A. When receiving an ARP packet from a device that acts as a gateway, the switch (the gateway) sends a gratuitous
ARP packet to modify the spoofed ARP entries. If a large number of attack packets exist, the switch detects the
incoming interface of the attack packets, captures the packets to obtain packet information, and sets an ACL rule
to filter the attack packets.
Q. Which kinds of OAA modules are supported on the switch?
A. The switch can use OAA modules to provide firewall, NetStream, load balancing, IPS, and ACG features.

Network access
This section contains the most frequently asked questions about network access.

Q. What is the maximum number of bits of a port count?

A. On the switch, the port count can be up to 64 bits, and the port count will be reset after it exceeds 64 bits.
Q. Can the interface of the switch suppress unicast packets, broadcast packets, and

multicast packets at the same time?

A. The interface of a switch can suppress unicast packets, broadcast packets, and multicast packets at the same
time. However, the suppression must be configured for unicast packets, broadcast packets, and multicast packets,
respectively, with the same suppression threshold as follows:
[Sysname-GigabitEthernet1/5/0/24] unicast-suppression [pps | kbps] xxx
[Sysname-GigabitEthernet1/5/0/24] multicast-suppression [pps | kbps] xxx
[Sysname-GigabitEthernet1/5/0/24]broadcast-suppression [pps | kbps] xxx

Q. What are the meanings of the error packet fields for input and output packets in the

output from the display interface command?

A. Table 3 and Table 4 describe the meanings of the error packet fields for input and output packets in the output
from the display interface command.
Table 3 Error packet fields for input packets
Field Description

Runts Number of inbound frames shorter than 64 bytes, in correct format, and containi
ng valid CRCs.

Giants Number of inbound frames larger than the maximum frame length supported on t
he interface and containing valid CRCs.

Throttles Number of inbound frames shorter than 64 bytes and containing CRC errors.

CRC Total number of inbound frames that had a normal length, but contained CRC err
ors.
Frame Total number of inbound frames that contained unknown errors.

Overruns Number of packets dropped because the input rate of the port exceeded the queu
ing capability. This problem occurs when the network is congested.
 Aborts Number of inbound frames with input description errors. The type of error frame
s will not occur on the H3C S12500 switches.

Table 4 Error packet fields for output packets

Field Description

Underruns Number of packets dropped because the output rate of the interface exceeded the
output queuing capability. The type of error frames will not occur on the H3C S1
2500 switches.

buffer failures Number of packets dropped because the transmit buffer of the interface ran low.
The type of error frames will not occur on the H3C S12500 switches.

Aborts Packets that failed to be forwarded at the MAC layer due to network congestion.

Deferred Number of frames that the interface operating in half duplex mode deferred to tra
nsmit because of detected collisions.

Collisions Number of frames that the interface stopped transmitting because Ethernet collisio
ns were detected during transmission.

late collisions Number of frames that the interface deferred to transmit and were buffered at th
e MAC layer. The type of error frames will not occur on the H3C S12500 switche
s.
lost carrier Number of carrier losses during transmission. The type of error frames will not o
ccur on the H3C S12500 switches.

no carrier Number of times that the port failed to detect the carrier when attempting to sen
d frames. The type of error frames will not occur on the H3C S12500 switches.

The output packet errors seldom occur. Most packets errors are input packet errors.
 When error frames of the runts, giants, throttles, CRC, and frame types are received, you must verify whether the peer
device or the transmission link in between fails.
 When overruns error frames are received, you must verify whether the link bandwidth of the local end is enough.
Q. Does the switch support jumbo frames?

A. The switch supports setting the maximum jumbo frame size, which is a maximum of 9216 bytes. On
LST1XP16LEB1 and LST1XP16LEC1 cards, the maximum jumbo frame size is a maximum of 8168 bytes.
Q. Are the MAC address tables the same for different cards of the switch?

A. The MAC address tables for different cards might be different. The MAC address table of a card contains the MAC
address entries of VLANs to which the ports belong. When a VLAN spans across multiple cards, the MAC address
entries must be synchronized between cards.
Q. How long is the aging timer for dynamic MAC address entries? How are the dynamic MAC

address entries aged?

A. The aging time for dynamic MAC address entries is 5 minutes by default. The aging time can be modified by
using the mac-address timer aging command.
When a data flow enters a port, the MAC address of the data flow is dynamically learned. When the data flow continues to
send traffic, the aging time of the MAC address entry continues to be refreshed, and the MAC address entry will not be
aged. When the data flow stops sending traffic, the MAC address entry is aged after the aging time expires.
The aging time of a dynamic MAC address entry cannot be queried.
Q. Can frames be correctly forwarded when the MAC address learning limit is set to 0?

A. When the MAC address learning limit is set to 0 on a port, the port does not learn MAC addresses, and frames
are broadcast in VLANs by default. If you do not want to forward the frames, you can use the mac-address max-
mac-count disable-forwarding command to configure the device not to forward frames with unknown source
MAC addresses after the MAC address learning limit is reached.
Q. Why does a port still have MAC address entries after the mac-address max-mac-count 0

command is configured on the port?

A. These MAC address entries are learned before MAC address learning was disabled. When MAC address learning
is disabled, the software does not actively delete these MAC address entries. Instead, the software waits for these
MAC address entries to age out.
Q. Why is a MAC address learned into multiple VLANs?

A. The switch learns MAC address entries in the MAC+VLAN method. When multiple VLANs receive packets with
the same MAC address, all these VLANs will learn the MAC address.
Q. How is the traffic load-shared for link aggregation on the switch?

A. You can use the link-aggregation load-sharing mode command to change the load sharing criteria and flexibly
load-share the traffic across the member ports of aggregation groups. The system uses the hash algorithm to
calculate the load sharing criteria. The algorithm can calculate the load sharing criteria based on the MPLS label,
service port number, IP address, MAC address, ingress port, and any combination of the fields.
Q. Does the switch support configuring static MAC address entries on an aggregate interface?

A. The switch supports configuring static MAC address entries on an aggregate interface.
Q. Does the switch support RRPP after link aggregation is configured on the switch?

A. Yes.
Q. Does DLDP take effect when one fiber is connected in case that two fibers of a link are

both disconnected?

A. When both ends of a link are down, DLDP neighborship cannot be established. As a result, DLDP does not take
effect.
Q. What fields are displayed in the output transceiver module optical power information?

A. The switch supports diagnosing transceiver modules. When the Rx or Tx optical power of a transceiver module
is not within the normal range, the ports might go down. In this case, you can verify that the transceiver module
models at both end match and whether the link is operating correctly. The optical power fields are as follows:
 RX power is high!
 RX power is low!
 RX power is normal!
  TX power is high!
 TX power is low!
 TX power is normal!

Q. How is the port rate percentage calculated?

A. The port rate percentage is the ratio of the actual traffic to the total port bandwidth and describes the actual
port bandwidth usage. When you calculate the port rate percentage, the inter-frame gap and the preamble must
be added as follows:
(ulActualSpeed + 20 (preamble + inter-frame gap) * ulPktSpeed) * 8/ulRatedSpeed
 ulActualSpeed—Rate in kbps (the field in red) in the output.
 ulPktSpeed—Rate in pps (the field in blue) in the output.
 ulRatedSpeed—Port rate. For example, the port rate of a 10-GE port is 10000000000 bps.
[Sysname-Ten-GigabitEthernet5/0/2]display interface Te5/0/2
Ten-GigabitEthernet5/0/2 current state: DOWN
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 00e0-fc00-0000
Description: Ten-GigabitEthernet5/0/2 Interface
Loopback is not set
……
Peak value of input: 0 bytes/sec, at 2000-04-26 12:00:32
Peak value of output: 0 bytes/sec, at 2000-04-26 12:00:32
Last 300 seconds input: 0 packets/sec 0 bytes/sec 0%
Last 300 seconds output: 0 packets/sec 0 bytes/sec 0%
Input (total): 0 packets, 0 bytes
- unicasts, - broadcasts, - multicasts
Input (normal): 0 packets, 0 bytes
0 unicasts, 0 broadcasts, 0 multicasts
Input: 0 input errors, 0 runts, 0 giants, 0 throttles
0 CRC, 0 frame, 0 overruns, - aborts
- ignored, - parity errors
Output (total): 0 packets, 0 bytes
- unicasts, - broadcasts, - multicasts, - pauses
Output (normal): 0 packets, 0 bytes
0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
Output: 0 output errors, - underruns, - buffer failures
0 aborts, 0 deferred, 0 collisions, 0 late collisions
- lost carrier, - no carrier

Q. How are the Selected ports determined when GE ports and 10-GE ports are added to an

aggregation group?

A. Link aggregation has dynamic and static modes. The following section describes how the Selected ports are
determined in static mode and dynamic mode when the ports have the same aggregation priority.
 Static aggregation
The candidate ports are sorted in the following order: Full duplex/high speed > Full duplex/low speed > Half duplex/high
speed > Half duplex/low speed. The candidate port at the top and with the same class-two configurations as the aggregate
interface is chosen as the reference port. As a result, a 10-GE port will be selected as the reference port, the 10-GE port
becomes a Selected port, and the GE port becomes an Unselected port.. For more information about class-two configurations,
see Layer 2—LAN Switching Configuration Guide.
 Dynamic aggregation
 Dynamic aggregation chooses the port with the smallest port number as the reference port. The port number is not the port
number used for configuration. Instead, the port number is a 16-bit index. To view the port number of a port, use the display
link-aggregation member-port command. The port number determines which port becomes a Selected port.
[Sysname-Ten-GigabitEthernet15/0/1]dis link-aggregation member-port Ten-GigabitEther
net 15/0/1
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Ten-GigabitEthernet15/0/1:
Aggregation Interface: Bridge-Aggregation5
Local:
Port Number: 105
Port Priority: 32768
Oper-Key: 4
Flag: {AC}
Remote:
System ID: 0x8000, 3822-d659-7c00
Port Number: 112
Port Priority: 32768
Oper-Key: 1
Flag: {AC}
Received LACP Packets: 3 packet(s)
Illegal: 0 packet(s)
Sent LACP Packets: 3 packet(s)

NOTE:
IRF physical ports are assigned to and removed from aggregation groups by the switch, and GE ports and 10
GE ports are not differentiated. When IRF physical ports include both GE ports and 10-GE ports, make sure
he traffic passing through any IRF physical port does not exceed the rate of 1 Gbps. Otherwise, packet loss m
ight occur when traffic passes through GE ports.

Q. Why is the peer port down and the local port not down when the port of an S12500

switch is connected to the port of another device?

A. When fiber GE ports are connected and the local port is manually configured with a speed and duplex mode, the
local port can go up only if the port can receive fiber signals. When the speed and duplex mode of the local port
are autonegotiated, the local port goes down when the peer port goes down.
When fiber 10-GE ports of two S12500 switches are connected, the MAC layer will negotiate the port status. If one end detects
local faults, the port will go down and send remote faults to notify the remote end. When the remote end detects remote
faults, the remote port will go down.
When the port of an S12500 switch connects to the port of a device other than an S12500 switch, the local port does not go
down if both of the following are true:
 The remote port is down but sends out fiber signals correctly.
 The remote port does not send remote faults.
Q. What restrictions and guidelines should I follow when I configure loop detection?

A. When you configure loop detection, follow these restrictions and guidelines:
 Configure loop detection for only the suspicious VLANs or the VLANs where loops might occur because many devices
are attached. To save system resources, H3C recommends not configuring loop detection for all VLANs. If link
redundancy and backup are planned for the links, you can configure STP rather than loop detection.
 Loop detection and STP do not conflict with each other. However, it is a good practice to configure STP separately.
 Typically, H3C recommends that you use STP to detect the loops in the network. When troubleshooting the network,
you can use loop detection to rapidly locate the looped ports.
 When you use loopback detection together with STP, do not set the loop protection action to shutdown. Otherwise, the
ports shut down by loop detection might affect the actions of STP.
 If loop detection has been enabled for a VLAN, do not configure port mirroring on the ports in the VLAN. Otherwise, the
loop detection function might fail.
 When the loopback-detection action none command is configured, the system generates logs and traps on detecting
loops, but the system does not perform actions to eliminate the loops. If loops are not eliminated for a long time, the
loop detection frames might increase the broadcast traffic within the loops.
 Within the VLANs with loop detection enabled, a port is shut down to eliminate loops when the following are true:
 The port receive a packet with the source MAC address as the local bridge MAC address
 The loopback protection action is set to shutdown.
If you use STP in this situation, STP shuts down a small number of ports to eliminate loops in the network.
 A port shut down by the loop detection action stays down until you use the undo shutdown command to manually
bring up the port. This mechanism might cause traffic interruption on the ports. When the loop detection feature is
used, H3C recommends that you manually bring up the looped ports after eliminating the loops.
 In Release 1825 and later versions, the MAC address moving notification function is supported. This function can also
detect possible Layer 2 loops and does not have influence on the traffic.

Spanning tree protocols

This section contains the most frequently asked questions about spanning tree protocols.

Q. What STP protocols are supported?

A. The switch supports the following STP protocols:

 STP.
 RSTP—Compatible with STP.
 MSTP—The default one. MSTP is compatible with STP and RSTP.
 PVST—Allows each VLAN to build a separate spanning tree. PVST improves link bandwidth usage in network
environments where multiple VLANs exist.

Q. What STP protocols are available in the industry?

A. Table 5 shows a complete list of STP protocols.

Table 5 STP protocols
Protocol name Standard Destination MA Advantages Disadvantages
C
Spanning Tree Prot IEEE 802.1d 01-80-c2-00-00-0 Eliminates loops, prevents bro Network convergence is slower.
ocol (STP) 0 adcast storms, and backs up li
nks.
Protocol name Standard Destination MA Advantages Disadvantages
C
Rapid Spanning Tre IEEE 802.1w 01-80-c2-00-00-0  Compared with STP, RSTP  An RSTP network maintains only one
e Protocol (RSTP) 0 improves the network con spanning tree. A small topology chang
vergence speed. e might affect the whole network.
 Alternate port, backup por  Loops exist on trunk ports.
t, edge port, and point-to-  Link efficiency is reduced by blocking
point link are introduced. links.

Per VLAN Spanning Cisco 01-00-0c-cc-cc-cd Allows each VLAN to build a  A large amount of PVST BPDUs are s
Tree (PVST) separate spanning tree. ent, which might reduce the system p
erformance.
 Incompatible with STP and RSTP.

Per VLAN Spanning Cisco 01-00-0c-cc-cc-cd PVST+ runs STP in VLAN 1 a Abundant PVST+ BPDUs are sent, which
Tree+ (PVST+) nd PVST in other VLANs, whi might reduce the system performance.
ch allows CST and PVST exist
in the same network.

Multi-Instance Span Cisco 01-80-c2-00-00-0  Maps a range of VLANs to Incompatible with STP, RSTP, and PVST.
ning Tree Protocol 0 an instance and allows ea
(MISTP) ch instance to build a sep
arate spanning tree.
 Lower CPU usage.

Multi-Instance Span Cisco
ning Tree Protocol
-- Per VLAN Spanni
ng Tree+ (MISTP-PV
ST+)
01-80-c2-00-00-0 Intermediate mode of MISTP a Proprietary protocol, not popular.
0 nd PVST+.
This mode is compatible with
MISTP and PVST+.

Multiple Spanning T Cisco 01-80-c2-00-00-0  Maps a range of VLANs to Incompatible with the MSTP BPDU forma
ree (MST) 0 an instance and allows ea t defined by IEEE 802.1s.
ch instance to build a sep
arate spanning tree.
 Lower CPU usage.
 Rapid port role and state
transition.
 Compatible with STP, RST
P, and PVST+.
 Sends Cisco-defined BPDUs.
 Protocol name Standard Destination MA Advantages Disadvantages
C
Multiple Spanning T IEEE 802.1s 01-80-c2-00-00-0  Maps a range of VLANs to N/A
ree Protocol (MSTP) 0 an instance and allows ea
ch instance to build a sep
arate spanning tree.
 Lower CPU usage.
 Rapid port role and state
transition.
 Compatible with STP, RST
P, and PVST+.
 Sends standard BPDUs.

Q. How are ARP entries and MAC address entries handled when the STP topology changes?

A. When the STP topology changes, the MAC address entries on the changed ports are removed.
The ARP entries of these MAC addresses are set as invalid entries, and ARP requests are sent out. If the corresponding ARP
response reaches the device, the ARP entry status is updated. Otherwise, the ARP entry is removed.
If a new MAC address is learned after the STP topology changes, the ARP entry related to the MAC address is also updated.

Q. When does an MSTP port send TC BPDUs?

A. According to IEEE 802.1s MSTP, a port generates TC BPDUs when all of the following requirements are met:
 The port is not an edge port.
 The port role transits from alternate, backup, or disabled to root, designated, or master.
 The port state transits from discarding or learning to forwarding.
A port running STP or RSTP also generates TC BPDUs when the above requirements are met.
The TC BPDU generation might result from STP recalculation. STP recalculation is caused by the following reasons:
 Device failure or recovery.
 Link state change.
 Device configuration change.
 Abnormal BPDU sending or receiving.
Q. Why are MSTP port states wrong when MSTP configuration is correct on the switch?

A. When the switch is operating in MSTP mode, its ports can operate in STP compatibility mode or MSTP mode. If
a port is connected to another switch enabled with STP, the port transits to STP compatibility mode automatically.
However, when the connected switch is changed to one enabled with MSTP, the port cannot transit back to MSTP
mode automatically. In this case, MSTP calculation errors occur. To make MSTP operate correctly, use the stp
mcheck command in interface view.
Q. Do RSTP and MSTP have TCN BPDUs?

A. RSTP does not have TCN BPDUs. When network topology changes, RSTP sets the TC bit to 1 in configuration
BPDUs and sends the BPDUs to the root port.
Q. Why are ports on a Cisco device down when MSTP is disabled on the connected ports of

the switch?

A. The switch will transparently transmit the STP BPDUs sent by the Cisco device. The Cisco device considers that
it has received BPDUs sent by itself and a loop exists, so it shuts down the port receiving the BPDUs.
Q. What STP modes are interoperable between the switch and the third-party devices?

A. The switch can interoperate with Cisco devices in MSTP mode and in instance 0 of the PVST+ mode. The switch
cannot interoperate with Cisco devices in PVST mode.
Q. How can I interoperate the switch with a third-party device in MSTP mode?

A. In MSTP mode, the switch and its connected Cisco device each considers itself as the regional root, even if they
have the same region configuration. They cannot be in the same region.
To make the switch interoperate with the Cisco device in MSTP mode, execute the stp config-digest-snooping command on
the ports connected to the Cisco device in interface view.
The switch sends and receives standard-format MSTP BPDUs, while the Cisco device might send and receive MSTP BPDUs in
a different format.
 If the Cisco device sends non-standard-format BPDUs, execute the stp compliance auto command on the switch to
configure the ports to recognize the MSTP BPDU format automatically and determine the format of MSTP BPDUs to
send.
 If the Cisco device sends and receives standard-format MSTP BPDUs, execute the stp compliance dot1s command on
the switch. The switch will send and receive standard-format MSTP BPDUs on the ports.

Q. What are the precautions for configuring digest snooping?

A. When you configure digest snooping, follow these restrictions and guidelines:
 Enable digest snooping on all the ports that connect the switch to the third-party devices in the same MST region. The
switch and the third-party devices must have the same MST region configuration. Otherwise, inconsistent VLAN-to-
instance mapping on neighbor devices can cause broadcast storms.
 To avoid loops, do not enable digest snooping on MST region edge ports.
 To make digest snooping take effect, you must enable digest snooping both globally and on associated ports.
 Enable digest snooping on all associated ports first and then globally.
 When digest snooping is enabled globally, do not modify the MST region configuration. To modify the region
configuration, disable digest snooping on all devices in the MST region first. Otherwise, inconsistent VLAN-to-instance
mapping on neighbor devices can cause broadcast storms.
  When digest snooping is enabled globally and on a port, the switch saves the most recent configuration digest received
by the port. The configuration digest takes effect even if digest snooping is disabled on the port.

IP forwarding services
This section contains the most frequently asked questions about IP forwarding services.

Q. Does the switch support configuring an IP address for a physical port?

A. You can configure an IP address for a physical Ethernet port on the switch. Before the configuration, you must
use the port link-mode route command to configure the Ethernet port to operate in Layer 3 mode. By default, an
Ethernet port operates in Layer 2 mode.
Q. Does the switch support configuring a secondary IP address for a VLAN interface?

A. Yes. You can configure a secondary IP address for the VLAN interface of the switch. The secondary IP address
has a similar function as the primary IP address. The secondary IP address cannot be used for multicast. The
users on the network segment to which the secondary IP address belongs cannot receive any multicast packets
or establish OSPF neighbor relationship.
In addition, you can configure secondary IP addresses for any Layer 3 interface, including Layer 3 Ethernet interfaces
(subinterfaces) and Layer 3 aggregation interfaces (subinterfaces).

Q. Is the secondary IP address still valid when the primary IP address is removed?

A. No. To delete the primary IP address of a VLAN interface or a Layer 3 interface, you must delete all of its
secondary IP addresses first. Otherwise, the primary address cannot be deleted.
[Sysname-Vlan-interface1]undo ip address 1.1.1.1 24
Warning: Must delete sub address before deleting primary address!

Q. What is the MAC address of a VLAN interface used for?

A. When an Ethernet interface operates in bridge mode (configured with the port link-mode bridge command),
the switch examines the MAC address of a packet received on the interface. If the MAC address of the packet
matches the MAC address of the VLAN interface, the switch forwards the packet at Layer 3 or sends the packet
through MPLS network. If not, the switch forwards the packet at Layer 2.
Q. Does the switch send trap messages when the maximum size of the ARP table is reached?

A. No. But the following log is generated:

%Oct 5 09:53:33:655 2010 H3C DRVL3/3/DRVL3_LOG_EMERG: No enough resource!

Q. How is ECMP load sharing implemented on the switch?

A. The switch supports ECMP load sharing based on destination MAC address, source MAC address, source IP
address, destination IP address, destination TCP/UDP port, and source TCP/UDP port. You can configure ECMP
load sharing as required, and you can configure it in the same way link aggregation load sharing is configured.
For more information, see Layer 2—LAN Switching Configuration Guide.
When you use the link-aggregation load-sharing mode command to configure the load sharing criteria, follow these
restrictions and guidelines:
 All criteria except mpls-label1, mpls-label2, mpls-label3, and per-packet apply to ECMP load sharing for unicast traffic.
 Per-packet load sharing applies to Ethernet link aggregation, but not to ECMP.
Q. Does the switch support weighted ECMP load sharing?

A. No.
Q. How does VRRP tracking function?

A. You can configure a VRRP group to track the status of an interface on the master. If the interface is down or
removed, the priority of the master automatically decreases by a specific value, and the backup with higher
priority takes over. The switch can only track Layer 3 Ethernet interfaces, VLAN interfaces, and Layer 3 aggregate
interfaces. If a VLAN interface is tracked, the priority of the switch is not decreased as long as one of the physical
ports in the VLAN is up.
Q. Does the VRRP module of the switch support associating a track entry with a physical

port on the master?

A. Yes. You can associate a track entry with a VRRP group to monitor the status of a physical port and change the
priority of the master in the VRRP group.
Q. In the FIB table, when a route obtained from the routing table conflicts with a host route

obtained from the ARP table, which route has a higher priority for packet forwarding?

A. The route with a 32-bit mask obtained from the routing table has a higher priority.
Q. Does the unauthorized DHCP server detection function take effect when the switch

operates as a Layer 2 device?

A. No. You must use the DHCP module to provide the unauthorized DHCP server detection function. If the switch
operates as a Layer 2 device, the DHCP requests received cannot be delivered to the CPU for processing, so the
switch cannot check for unauthorized DHCP servers.
Q. How does the switch handle an ICMP ping packet whose size exceeds 1500 bytes?

A. When sending an ICMP echo request whose size (including the IP header) exceeds 1500 bytes (the default MTU
value), the switch fragments the packet. If the Don't fragment flag is set, the packet fails to be sent out.
When receiving an ICMP echo request exceeding 1500 bytes, the switch, if configured with jumbo frame support, can process
the request and respond with an ICMP echo reply. The switch also fragments the reply if its size exceeds 1500 bytes.

Q. Is the sending interval of ICMP ping packets configurable on the switch?

A. Upon receiving an ICMP echo request, the CPU of the switch responds with an ICMP echo reply.
Upon receiving an ICMP echo reply, the switch sends the next request by default. If no reply is received, the switch sends the
next request when the aging timer expires. By default, the aging timer is 2 seconds.
If you specify the -m interval option in the ping command, the switch sends the next ICMP echo request at the specified
interval after receiving an ICMP echo reply.

Q. What are the restrictions and guidelines for URPF configuration?

A. When configuring URPF, follow these restrictions and guidelines:

 URPF is only configurable in VLAN interface view.
  The switch does not support URPF check by using an ECMP route that has more than eight next hops.
 Do not configure URPF on a private VLAN interface bound to a VPN instance that has no reserved VLAN configured
when the system operates in standard mode.
 URPF check takes effect on only incoming packets on the interface.

Q. How do I set an MTU value?

A. MTU value setting takes effect on IPv4 software forwarding, but not on hardware forwarding. IPv6 supports
setting MTU values on both software and hardware forwarding, and you can set a maximum of 14 MTU values.
You can set the MTU value for IPv4 and IPv6 as follows:
[Sysname-Vlan-interface30]mtu ?
INTEGER<64-9198> MTU value
[Sysname-Vlan-interface30]ipv6 mtu ?
INTEGER<1280-9198> MTU (bytes)

Q. I configure an IPv6 address on a trunk port configured on the internal interface of the

OAA module on the switch. Why do I get a prompt that an IP address conflict occurs?

A. When you configure an IPv6 address on the VLAN interface, the VLAN interface sends an NS message for
Duplicate Address Detection (DAD). Upon receiving the NS message, the front subcard sends it to the rear
subcard for processing. The rear subcard processes the message and sends it back to the CPU. Upon receiving
the same NS message, the CPU considers that an NA message is received and an IP address conflict occurs.
Q. What releases for the switch support IPv6 on the VLAN interface of a super VLAN?

A. The 17XX and 18XX releases support IPv6 on the VLAN interface of a super VLAN.

MPLS
This section contains the most frequently asked questions about MPLS.

Q. What are the restrictions for connecting the switch to a Juniper MX900 device through
VPLS?
A. The restrictions are as follows:
 Set the PW encapsulation type to bgp-vpls.
 Set the initial site ID to 1.
 Configure the port at the public side as a trunk port when the switch is directly connected to the Juniper MX900 device.

Q. How do I filter LSPs triggered by routes with non-32 bit masks?

A. You can configure label acceptance policies on the switch to achieve the purpose. A label acceptance policy uses
an IP prefix list to control the label mappings received from a peer. This example uses LDP peer 1.1.1.9:
[Sysname]ip ip-prefix host index 10 permit 0.0.0.0 0 greater-equal 32 less-equal 32
[Sysname]mpls ldp
[Sysname-mpls-ldp]accept-label peer 1.1.1.9 ip-prefix host
After the configuration, the switch accepts only the FEC-label mappings containing 32-bit prefixes from LDP peer 1.1.1.9.
To remove the label acceptance policy and accept non-32 bit prefixes from the LDP peer, execute the undo accept-label
command and then the reset mpls ldp peer command. More LSPs will be created as a result, using up the LSP resources on
the switch.
 Q. Can the BVLAN and the CVLAN for a PBBN be the same?
A. Do not configure a VLAN as both the BVLAN and the CVLAN. Otherwise, the customer network will receive non-
PBB broadcasts with the BVLAN tag from the public network.
For example, when both the BVLAN and the CVLAN are VLAN 20, a broadcast frame is processed as follows:
 When receiving a non-PBB broadcast with VLAN tag 20 from the PNP, the BEB forwards the frame to the CNP that
matches packets with outer VLAN ID 20. The CNP broadcasts the frame in the customer network.
 When receiving a PBB broadcast with VLAN tag 20 from the PNP, the BEB de-encapsulates the frame, restores it to a
standard Ethernet frame, and forwards the frame out of the corresponding CNP to the customer network according to
the VLAN tag that is carried in the de-encapsulated frame.
H3C recommends that you configure the B-VLAN and the CVLAN as different VLANs, and configure the CNP on the BEB to
deny frames from the BVLAN.

IP routing
This section contains the most frequently asked questions about IP routing.

Q. Does the switch support configuring blackhole routes?

A. Yes. A blackhole route is a static route whose output interface is Null 0. The switch discards the matching packets
without sending ICMP messages to notify the source host. To prevent IP attacks, you can configure blackhole
routes to discard packets destined for specific destinations. The following example shows how to configure a
blackhole route:
<Sysname>system-view
[Sysname]ip route-static 1.1.1.1 32 null 0 preference 1

Q. Is the OSPF cost of an interface on the switch relevant to the rate of the corresponding

Layer 2 Ethernet interface?

A. No. The OSPF cost is configured on a VLAN interface. The default OSPF cost is 10.
Q. What are the preferences of different routing protocols?

A. Routing protocols, including static routing, each have a preference by default. If they find multiple routes to the
same destination, the router selects the route with the highest preference as the optimal route. The preference
of a direct route is always 0 and cannot be changed. You can configure a preference for each static route and each
dynamic routing protocol. Table 6 lists the route types and default preferences. The smaller the value, the higher
the preference.
Table 6 Route types and default route preferences
Route type Preference
Direct route 0
OSPF 10
IS-IS 15
Static route 60
RIP 100
OSPF ASE 150
OSPF NSSA 150
IBGP 255
EBGP 255
 Unknown (route from an untrusted sourc 256
e)

Q. What are the possible reasons for the OSPF CONFIG ERROR trap?

A. The following configuration errors cause the switch to output the OSPF CONFIG ERROR trap:
 The switch is configured with an IP address on the same network segment as a device that is in the same VLAN as the
switch but in a different area.
 The virtual link configuration is performed on the peer device but not on the switch. When the switch receives packets
sent from the peer device through the virtual link, the switch outputs the OSPF CONFIG ERROR trap.

Q. Why is the LS ACK: BAD ack count a non-zero value when I display OSPF error

information?

A. For example, in daisy chain networking Switch A—Switch B—Switch C (Switch A, Switch B, and Switch C are
called A, B, and C in this example):
1. A sends LSA-1 to B. B stores a copy of LSA-1 in the retransmission list, and B forwards LSA-1 to C. When receiving LSA-1, C
uses the LSA to update its LSDB. Before C sends an LSAck packet to acknowledge LSA-1, the next step occurs.
2. A updates LSA-1 and sends the updated LSA to B. B stores a copy of the updated LSA in the retransmission list, and B
forwards the updated LSA to C. The copy of updated LSA replaces the copy of LSA-1 because LSA-1 has not been
acknowledged.
3. Before receiving the updated LSA, C sends an LSAck packet to acknowledge LSA-1.
4. B examines the LSAck packet by using the LSA in the retransmission list and finds that they do not match. This error
increases the count of LS ACK: BAD ack by one.

Q. When the next hop of a static route becomes invalid, route recursion is performed and

the blackhole route applies. How do I resolve this problem?

A. The problem might occur if the following configurations are performed:

ip route-static 110.75.4.0 23 Null0 preference 240 description HZCM4_T18_VIP_BGP_Advertise
ip route-static 110.75.4.0 24 110.75.0.234 description HZCM4_T18_VIP
ip route-static 110.75.4.0 24 110.75.0.254 preference 240 description HZCM4_T18_VIP
When the next hop 110.75.0.234 becomes invalid, the output interface to 110.75.4.0 becomes Null 0:
dis fib 110.75.4.0
Destination count: 1 FIB entry count: 1
Flag:
U:Useable G:Gateway H:Host B:Blackhole D:Dynamic S:Static
R:Relay
Destination/Mask Nexthop Flag OutInterface InnerLabel Token
110.75.4.0/24 110.75.0.234 USB NULL0 Null Invalid
To avoid route recursion, specify an output interface for the static route with next hop 110.75.0.254:
ip route-static 110.75.4.0 24 vlan-interface 100 110.75.0.254 preference 240 description HZCM4_T18_VIP
When the next hop 110.75.0.234 becomes invalid, the static route with next hop 110.75.0.254 applies.

Q. Why are OSPF router ID conflict logs generated?

A. If an OSPF router ID conflict or network flapping occurs, the switch frequently generates OSPF router ID conflict
logs such as:
#Sep 14 11:28:58:993 2012 H3C OSPF/6/ORIGINATE_LSA: OSPF TrapID1.3.6.1.2.1.14.16.2.12<ospfOriginateLsa>: Originate new LSA AreaId 0.0.0.0
LsdbType 1 LsdbLsid 11.11.11.11 LsdbRouterId 11.11.11.11 Router 11.11.11.11.
 Trap format:
Originate new LSA AreaId [STRING] LsdbType [STRING] LsdbLsid [STRING] LsdbRouterId [STRING] Router [STRING] .
Variable fields:
 $1: Area ID
 $2: LSDB type
 $3: LSDB link state ID
 $4: LSDB router ID
 $5: Router ID
If the switch and its directly connected peer device have the same router ID, the switch generates the OSPF router ID conflict log
such as:
#Sep 17 10:59:49:558 2012 H3C OSPF/4/IF_BAD_RX: OSPF TrapID1.3.6.1.2.1.14.16.2.8
<ospfIfRxBadPacket>: Non-virtual Interface 10.10.30.2 index 0 Router 11.11.11.11 received error packet from 10.10.30.1 PacketType 1.
Trap format:
Non-virtual Interface [STRING] index 0 Router [STRING] received error packet from [STRING] PacketType 1.
Variable fields:
 $1: Interface ID
 $2: Router ID
 $3: Peer interface ID
The trap shows that the switch receives error packets of type 1 (hello packets).

IP multicast
This section contains the most frequently asked questions about IP multicast.

Q. Is IGMP supported on the switch?

A. Yes. The switch supports IGMPv1, IGMPv2, and IGMPv3.

Q. What IP multicast protocols are supported on the switch?

A. The switch supports IGMP, IGMP snooping, PIM-DM, PIM-SM, MSDP, and MBGP.
Q. Is static RP configuration supported on the switch?
A. Yes. You can use the static-rp rp-address [ acl-number ] [ preferred ] [ bidir ] command to configure a static RP
in PIM view and apply the ACL rule to filter multicast groups to which the RP is designated.
When you configure the static RP, follow these restrictions and guidelines:
 Up to 10 static RPs are supported on each switch.
 All switches in the PIM domain must be configured with the static-rp command and the static RP addresses must be the
same.
 If the BSR mechanism is used to dynamically elect the RP for the network, the configured static RP does not take effect.

Q. Are static multicast routes supported on the switch?

A. Yes. You can use static multicast routes to change or create reverse path forwarding (RPF) routes.
Q. How do I deny multicast packets from an illegal multicast source?

A. You can configure ACL rules to permit multicast packets only from legal sources. For example, to establish a
multicast forwarding entry with the multicast source address 99.100.100.4 and the multicast group address
225.1.1.1, you can perform the following configurations:
1. Configure an ACL rule.
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 permit ip source 99.100.100.4 0 destination 225.1.1.1 0
 [Sysname-acl-adv-3000] rule 1 deny ip
2. Use the source-policy command in PIM view to reference the configured ACL rule.
[Sysname-pim] source-policy 3000

Q. Is multicast group filtering supported on the switch?

A. Yes. You can use the igmp-snooping group-policy acl-number [ vlan vlan-list ] command on a Layer 2 Ethernet
port or Layer 2 aggregation interface to filter multicast groups.
When you configure a multicast group filter, follow these restrictions and guidelines:
 A host joins only the multicast groups that match the permit statement in the specified ACL. If the specified ACL does
not exist or the ACL does not have any rules configured, the host cannot join any multicast groups.
 The multicast group filtering takes effect on all ports in the specified VLAN.
 The multicast group filtering does not take effect on static member ports.

Q. How does the switch forward a multicast packet to the receiver after the multicast packet

fails RPF check?

Figure 4 Network diagram

A. As shown in Figure 4, because Switch B acts as the DR, a multicast packet from the source is forwarded along
the path to the receiver: Switch A to Switch B and then to Switch A. Because the RPF interface on Switch A for
the multicast packet is VLAN-interface 10, the multicast packet will fail the RPF check and be dropped.
To solve this problem, use one of the following methods:
 Make sure VLAN-interface 20 on Switch A has a higher IP address than the IP address of VLAN-interface 20 on Switch B,
so Switch A can win the DR election. Multicast packets from the source are forwarded to the receiver directly by Switch
A.
The VRRP virtual IP addresses configured on the VLAN-interface 20 on Switch A and VLAN-interface 20 on Switch B do not
participate in the DR election.
 Perform the following configurations on Switch A:
a. Use the multicast rpf-fail-pkt bridging command in system view to enable forwarding of multicast packets that have
failed RPF checks.
b. Use the multicast forwarding on-demand in VLAN view of VLAN 20 to enable the multicast forwarding on-demand
function in this VLAN.
After the configuration, multicast packets that fail RPF checks are multicast in VLAN 20.
Q. The RPF check fails after the MSDP peer switchover in inter-domain multicast routing.

What are the possible reasons?

A. If the configuration for the static RPF peer is not correct, such as an incorrect filtering policy for the static RPF
peer, the RPF check fails.
The RPF check might fail in a correct network. When a packet is received on a non-RPF interface, RPF check fails if loops exist
between MSDP peers.

Q. Does the link-aggregation load-sharing mode command enable load sharing of multicast

traffic?

A. No.
Q. Can the VRRP virtual IP address be the next hop for the switch to reach the multicast

source?

A. No.
Q. Is auto-RP supported on the switch?

A. After the switch is enabled with auto-RP, it receives automatic RP announcement and discovery messages, but
it cannot advertise RP information.

QACL
This section contains the most frequently asked questions about QACL.

Q. Does the switch support multiboard traffic and port mirroring?

A. Yes.
Q. Does the switch support multichassis traffic and port mirroring?

A. The switch does not support multichassis port mirroring. In IRF mode, the source port of port mirroring must
be on the same IRF member device as the destination port or the ports of the destination VLAN.
The switch does not support multichassis traffic mirroring. In IRF mode, the source port of traffic mirroring must be on the
same IRF member device as the destination port, the ports of the destination VLAN, or the CPU. However, the switch supports
multichassis traffic mirroring that mirrors traffic to the port of an OAA module or an aggregate interface on another IRF
member device. (When two aggregate group member ports are on different IRF member devices, traffic is mirrored to the
local aggregate group member port but not the remote one. This is the case even if the local aggregate group member port
goes down.)

Q. What restrictions and guidelines should I follow when I configure port mirroring on the

switch?
A. Follow these restrictions and guidelines when you configure port mirroring on the switch:
 Packets from multiple source ports can be mirrored to the same destination port (monitor port).
 A source port and its destination port can be located on different LPUs.
 A port cannot function as a source port and monitor port at a time for different mirroring groups.
Q. How many destination ports can I configure for traffic mirroring on the switch?

A. The switch supports mirroring only inbound traffic to common ports, aggregate interfaces, VLANs, and the CPU.
Traffic mirroring to the CPU uses one destination port resource regardless of whether traffic mirroring to the
CPU is configured. You can configure a maximum of six destination ports in total for traffic mirroring to common
ports, aggregate interfaces, and VLANs on the switch.
The LST1XP16LEB1, LST1XP16LEC1, and LST1XP16LEC2 cards do not support mirroring traffic to VLANs.

Q. How many destination ports can I configure for port mirroring on the switch?

A. The limits on the number of destination ports for port mirroring in one direction are described as follows:
 A 48-port GE card supports two destination ports, with one destination port for every 24 ports in their sequential
order.
 Except LST1XP32REB1, LST1XP32REC1, LST2XP32REC2, LST1XP16LEB1, LST1XP16LEC1, and LST1XP16LEC2 cards, a
10 GE card supports one destination port for every two 10 GE ports in their sequential order.
 An LST1XP32REB1, LST1XP32REC1, or LST2XP32REC2 card supports four destination ports.
 An LST1XP16LEB1, LST1XP16LEC1, or LST1XP16LEC2 card supports eight destination ports, with one destination port
for every two odd-numbered ports and one destination port for every two even-numbered ports.
Q. Can I configure both traffic mirroring and port mirroring on the switch?

A. Yes. However, traffic mirroring and port mirroring cannot use the same destination port.
Q. Does packet filtering configured on the switch affect the port mirroring function?

A. No. All packets received on a port are mirrored to the destination port regardless of the packet filtering function.
Q. In which situation will the prompt "Error: Failed to configure port mirroring due to

hardware unsupported!" be displayed when I configure the mirroring function?

A. In IRF mode, the switch does not support multichassis port mirroring. This prompt is displayed when you try
to configure the source and destination ports on different IRF member devices.
Q. Does the switch support multichassis port mirroring and traffic redirection to a port?

A. In IRF mode, the switch does not support mirroring or redirecting traffic to a common destination port on a
different IRF member device. The switch supports using traffic mirroring to mirror inbound traffic to the
interface of an OAA module on a different IRF member device.
Q. Does the switch support a QoS policy for outgoing traffic?

A. Yes. On the switch, a QoS policy for outgoing traffic supports only the packet filtering, traffic policing, traffic
accounting, colored and uncolored dscp/dot1p/exp priority marking, and the outer VLAN tag adding actions.
Q. What are the priorities of QoS policies configured on the switch?

A. Global QoS policies, interface QoS policies, and VLAN QoS policies are in descending order of priority.
Q. What restrictions and guidelines should I follow when I configure VLAN QoS policies on

the switch?
A. VLAN QoS policies are used to match packets only when the packets fail to match global QoS policies and
interface QoS policies. When you apply a QoS policy to VLANs, the QoS policy is applied to the specified VLANs
on all interface cards. If the hardware resources of an interface card are insufficient, the QoS policy fails to be
applied to the VLANs on the interface card.
The system does not automatically roll back the QoS policy configuration already applied to the main processing unit or other
interface cards. To ensure consistency, use the undo qos vlan-policy vlan command to manually remove the QoS policy
configuration applied to them. Similarly, if VLAN QoS policies on an interface card cannot be updated because of insufficient
hardware resources, you also need to use the undo qos vlan-policy vlan command to manually remove the QoS policy
configuration applied to the main processing unit or other interface cards to ensure consistency.

Q. What restrictions and guidelines should I follow when I configure global QoS policies on

the switch?
A. Global QoS policies are used to match packets preferentially. After packets match a global QoS policy, interface
QoS policies and VLAN QoS policies do not take effect.
Global QoS policies are applied to all interface cards. If the hardware resources of an interface card are insufficient, the QoS
policy fails to be applied to the interface card. The system does not automatically roll back the QoS policy configuration
 already applied to the main processing unit or other interface cards. To ensure consistency, use the undo qos apply policy
global command to manually remove the QoS policy configuration applied to them. Similarly, if global QoS policies on an
interface card cannot be updated because of insufficient hardware resources, you also need to use the undo qos apply policy
global command to manually remove the QoS policy configuration applied to the main processing unit or other interface
cards.

Q. What's the match order of ACL rules on the switch?

A. The following ACL match orders are available on the switch:

 config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID.
This match order is the default order.
 auto—Sorts ACL rules in depth-first order. Depth-first order makes sure any subset of a rule is always matched before
the rule.
The match order of user-defined ACLs can only be config.
The ACL rules are displayed in the actual match order in the display acl acl-number command output.
[Sysname]display acl 3000
Advanced ACL 3000, named -none-, 3 rules, match-order is auto,
ACL's step is 5
rule 10 permit tcp source 10.11.0.0 0.0.255.255
rule 5 permit ip source 10.11.113.0 0.0.0.255
rule 0 permit ip

Q. What are the differences when the permit or deny statement is used in different

applications?

A. The differences when the permit or deny statement is used in different applications are as follows:
 When an ACL is used for QoS traffic classification, the deny statement disables QoS from executing the behavior
associated with the class, and the permit statement enables QoS to execute the behavior associated with the class.
 When an ACL is used for packet filtering, packets matching the deny statement are dropped, and packets that do not
match the deny statement are allowed to pass through.
 When an ACL is used for policy-based routing (PBR), the ACL is used to identify traffic, and the permit or deny action
does not take effect.
 When an ACL is used for other applications, packets that do not match the permit statement are denied.

Q. Why cannot a device on an external network ping the VLAN interface of the switch

configured with PBR?

A. ICMP ping packets need to be forwarded to the CPU for processing based on the FIB. The packets matching an
ACL will be forwarded to the next hop based on PBR. Therefore, the packets cannot be forwarded to the CPU and
the ping fails.
H3C recommends that you configure packet filtering to reference an ACL rule with the permit statement to forward packets
with the destination MAC address as the VLAN interface MAC address to the CPU.
Q. What's the order in which ACL rules are restored after a card is restarted?

A. The order in which ACL rules are displayed in the display acl acl-number command output is the order in which
the ACL rules are restored after a card is restarted.
Q. Can the match criteria configured on the switch match Layer 2 or Layer 3 packets?

A. Only the if-match forwarding-layer { bridge | route } command can match Layer 2 or Layer 3 packets.
The if-match forwarding-layer bridge and if-match forwarding-layer route commands are mutually exclusive in a class.
You must use a forwarding-layer match criterion together with other match criteria. The other match criteria in the class
cannot conflict with the forwarding-layer match criterion, regardless of the operator of the class.

Q. Does the switch support QoS traffic classification policies that reference basic/advanced

ACLs and Ethernet frame header ACLs at the same time?

A. If a traffic class uses the OR operator, QoS policies that reference basic/advanced ACLs and Ethernet frame
header ACLs can be configured on the switch at the same time. If a traffic class uses the AND operator, either QoS
policies that reference basic/advanced ACLs or those reference Ethernet frame header ACLs are supported. In
traffic classification, either QoS policies that reference basic/advanced ACLs or those reference Ethernet frame
header ACLs can be used with the if-match command.
Q. Does the switch support packet filtering?

A. The switch supports the packet-filter command on Ethernet and VLAN interfaces in both inbound and outbound
directions.
If you apply the packet-filter command to the inbound direction of a VLAN interface, the ACL filters Layer 3 unicast packets.
If you apply the command in the outbound direction of a VLAN interface, the ACL filters all packets.
The packet-filter command takes effect on all packets on Ethernet interfaces.
You can use the packet-filter forwarding-layer route outbound command to specify the outbound packet filter on a VLAN
interface to filter Layer 3 packets on Ethernet interface cards. After you execute this command, the packet-filter outbound
command on a VLAN interface filters only outbound Layer 3 unicast packets.

Q. How do I configure packet filtering on the switch?

A. Create an ACL and configure a rule. Apply the rule to filter packets. An example is as follows:
# Create an ACL and configure a rule.
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 deny ip source 192.168.1.2 0
# Apply the rule to filter incoming packets on a VLAN interface.
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] packet-filter 3000 inbound
[Sysname-Vlan-interface2] quit
Q. Does the switch support traffic policing for traffic flows on multiple ports (aggregate

CAR)?

A. Yes.
Q. Why do interface traffic statistics not change after CAR is configured on an interface on

the switch?

A. After CAR is configured on an interface, the display interface command still displays interface traffic statistics
before CAR is performed. CAR is performed after interface traffic statistics are collected.
Q. Does the switch support traffic redirection?

A. The switch supports traffic redirection only in the inbound direction. Packets can be redirected to the CPU,
common interfaces, aggregate interfaces, and next hop IP addresses. In IRF mode, packets can be redirected to
the interface of an OAA module on a different IRF member device.
Q. Does the switch support strong or weak PBR for traffic forwarding?

A. With strong PBR, the switch discards a packet if the next hop to which the packet will be redirected does not
exist. With weak PBR, the switch routes a packet based on its destination address if the next hop to which the
packet will be redirected does not exist. If no action is specified for weak PBR, the default action is forwarding.
The redirect next-hop ipv4-add1 fail-action { discard | forward } command can be used to configure strong or weak PBR for
traffic redirection.

Q. Why can a tracert response be received from the switch after the switch is configured

with PBR?

A. The switch reduces the TTL by 1 when forwarding an ICMP packet based on PBR. The CPU processes an ICMP
packet with the TTL value of 1 and returns a response.
Q. How do I clear traffic statistics on the switch?

A. You can use the reset counters interface interface-type interface-number command to clear traffic statistics.
<Sysname>reset counters interface g7/0/17
<Sysname>display qos policy interface g7/0/17
Interface: GigabitEthernet7/0/17
Direction: Inbound
Policy: p1
Classifier: c1
Operator: AND
Rule(s) : If-match acl 2020
Behavior: b1
Accounting Enable:
0 (Packets)
Q. Can an ACL match ICMP packets encapsulated with PPPoE on the switch?

A. The switch can distinguish between PPPoE control and data packets and use user-defined ACLs to match PPPoE
encapsulated ICMP packets based on ICMP packet characteristics. The switch cannot use basic, advanced, and
Ethernet frame header ACLs to match PPPoE packet fields.
Q. What are the functions of the qos priority dot1p and qos trust dot1p commands

configured on an interface on the switch?

A. The qos priority dot1p command configured on an interface changes the 802.1p priority value of the interface.
The default 802.1p priority value of an interface is 0.
When an interface uses the default dot1p/exp/dscp/lp/dp values, the packets forwarded on the interface inherit the default
interface priority configurations.
After an interface is configured with the qos priority dot1p command, the interface changes the 802.1p priority of an
incoming packet to the interface 802.1p priority and forwards the packet.
After the qos trust dot1p command is configured on an interface:
 For a tagged packet, the interface searches the priority mapping tables dot1p-exp, dot1p-dscp, dot1p-lp, and dot1p-dp
based on the packet 802.1p priority value and changes the packet priority values according to the mappings.
 For an untagged packet:
 If the qos priority dot1p command is used to change the interface 802.1p priority value, the interface changes the packet
802.1p priority value to the interface 802.1p priority value.
 If the qos priority dot1p command is not used to change the interface 802.1p priority value, the interface changes the
packet 802.1p priority value to the default interface 802.1p priority value.
After the qos trust dot1p override command is configured on an interface:
 For a tagged packet, the interface searches the dot1p-dot1p priority mapping table based on the packet 802.1p value
and searches the mapped 802.1p value in the priority mapping tables dot1p-exp, dot1p-dscp, dot1p-lp, and dot1p-dp.
Then the interface changes the packet priority values according to the mappings.
 For an untagged packet:
 If the qos priority dot1p command is used to change the interface 802.1p priority value, the interface changes the packet
802.1p priority value to the interface 802.1p priority value.
 If the qos priority dot1p command is not used to change the interface 802.1p priority value, the interface changes the
packet 802.1p priority value to the default interface 802.1p priority value.
Q. Does the switch trust the priorities of a packet by default?

A. The switch does not trust the 802.1p priority, EXP value, and DSCP value of a packet by default. When an
interface uses the default priority configurations, the packets forwarded on the interface inherit the default
interface priority configurations (dot1p/exp/dscp/lp/dp).
Q. Does the switch functioning as a P device in an MPLS network trust the EXP value of a

packet?

A. The switch functioning as a P device in an MPLS network does not trust the EXP value of a packet by default.
You can execute the qos trust exp command on the incoming interface to configure the interface to trust the EXP
value of an MPLS packet.
Q. Why is the scheduling inaccurate when both SP and WRR scheduling algorithms are

configured in a queue scheduling profile?

A. The scheduling might be inaccurate if the queues in a WRR group have inconsecutive numbers. When both SP
and WRR scheduling algorithms are configured in a queue scheduling profile, make sure the queues in a WRR
group have consecutive numbers.
Q. Can WRR be configured together with GTS?

A. If both WRR and GTS are configured, WRR scheduling is inaccurate. To guarantee accurate scheduling, avoid
configuring WRR and GTS at the same time.
Q. How do I resolve the problem that the switch discards packets because congestion occurs

on an interface?

A. Execute the buffer-manage egress slot slotnum share-size buf-size command to increase the shared buffer size.
Q. Does the switch support collecting traffic statistics of a VLAN interface?

A. No.
Q. Do statistics collected by the per-port queue-based accounting include statistics about

outgoing packets that are filtered out on the switch?

A. No.
Q. What restrictions and guidelines should I follow when I configure traffic mirroring and

port mirroring on the switch in IRF mode?

A. Follow these restrictions and guidelines when you configure traffic and port mirroring on the switch in IRF
mode:
 The switch in IRF mode supports inbound traffic mirroring to a VLAN. When two Ethernet interfaces belong to the
same VLAN but on different IRF member devices, traffic is mirrored to the local Ethernet interface but not the remote
one.
  The switch in IRF mode cannot mirror traffic from a specific source VLAN to a destination interface.

QinQ
This section contains the most frequently asked questions about QinQ.

Q. What is QinQ?

A. 802.1Q-in-802.1Q (QinQ), also called "802.1Q tunneling," is a Layer 2 VPN technology that enables a service
provider to extend Layer 2 Ethernet connections across an Ethernet MAN between customer sites.
Q. How does QinQ work?

A. QinQ is typically deployed on the edge devices of a service provider network. It adds a tier of 802.1Q tag to
customer frames (tagged or untagged) before the customer frames enter the service provider network.
Q. What benefits does QinQ provide?

A. QinQ provides the following benefits:

 Enables a service provider to use a single service VLAN (SVLAN) to convey multiple customer VLANs (CVLANs) for a
customer.
 Enables customers to plan CVLANs without conflicting with SVLANs.
 Enables customers to keep their VLAN assignment schemes unchanged when the service provider changes its VLAN
assignment scheme.
 Allows customers to use overlapping CVLAN IDs, because devices in the service provider network make forwarding
decisions based on SVLAN IDs instead of CVLAN IDs.

Q. What are the differences between basic QinQ and selective QinQ?

A. Basic QinQ tags all incoming frames (tagged or untagged) on a port with the PVID tag without discriminating
between CVLANs.
Selective QinQ is implemented through QoS policies. It can assign different SVLANs to different CVLANs on a port. In addition,
it can replace the SVLAN 802.1p priority based on the CVLAN 802.1p priority.

Q. Can QinQ add another tier of VLAN tag to a double-tagged customer frame?

A. Yes.
Q. What VLAN tags do the if-match service-vlan-id command and the if-match customer-

vlan-id command match?

A. The if-match customer-vlan-id command matches the inner VLAN ID of double-tagged frames.
The if-match service-vlan-id command matches the outer VLAN ID of double-tagged frames or the VLAN ID of single-tagged
frames. If the frames do not have VLAN tags, the service-vlan-id represents the PVID of the port.
Q. What command should I use to match the VLAN ID of a single-tagged customer frame for

selective QinQ?

A. Use the if-match service-vlan-id command. The service-vlan-id keyword represents a frame's outer VLAN ID,
which might be an SVLAN ID or CVLAN ID.
Q. Why can't the if-match customer-vlan-id command match the CVLAN tag for selective

QinQ?

A. The customer-vlan-id keyword for the if-match command represents the inner VLAN ID instead of the customer
VLAN ID. To match the outer VLAN ID of a tagged customer frame, you must use the if-match service-vlan-id
command.
Q. How does selective QinQ obtain the 802.1p priority value for an SVLAN tag?

A. By default, the switch copies the 802.1p priority in the outer CVLAN tag to the SVLAN tag.
Alternatively, you can configure an 802.1p remark action to set the 802.1p priority value in the SVLAN tag.

Q. Can the 802.1p priority in a CVLAN tag be modified?

A. No.
Q. Does the switch learn MAC addresses to the SVLAN or CVLAN on a QinQ port?

A. The switch learns MAC addresses to the SVLAN on QinQ ports.

Q. Why can't QinQ frames sent by the switch be correctly identified as tagged on third-party

vendors' devices?

A. This issue might result from TPID inconsistency. The default TPID for 802.1Q frames is 0x8100 on the switch.
However, some vendors use 0x9100 or 0x9200 as the TPID for 802.1Q frames. For correctly identifying VLAN-
tagged frames on the switch and the third-party devices, use the qinq ethernet-type command to change the
SVLAN TPID value on the switch.

IRF
This section contains the most frequently asked questions about IRF.
Q. Can an H3C S12500 switch form an IRF fabric with other series devices?

A. No. An H3C S12500 switch can form an IRF fabric with switches in the same series.
Q. How many chassis can an H3C S12500 IRF fabric have?

A. By default, an H3C S12500 IRF fabric can have two member chassis. To set up a four-chassis IRF fabric, you must
configure the irf mode enhanced command.
Q. Are there any special requirements for connecting IRF member chassis?

A. Yes. When you connect two neighboring IRF members, you must connect the physical ports of IRF-port 1 on one
member to the physical ports of IRF-port 2 on the other. The IRF fabric cannot be formed if physical connections
are incorrect.
When you bind physical ports to IRF ports, you must make sure the bindings are consistent with the physical connections.

Q. What topologies does IRF support?

A. A four-chassis S12500 IRF fabric must use the ring topology, and a two-chassis S12500 IRF fabric must use the
daisy-chained topology.
A two-chassis S12500 IRF fabric can have relay devices between member devices, but a four-chassis S12500 IRF fabric cannot.
IRF does not support the full mesh topology.

Q. Does an IRF fabric support multichassis Ethernet link aggregation?

A. Yes.
Q. Can I set up an IRF connection that has multiple links?

A. Yes, you can bind multiple physical links into one IRF connection. These links aggregate automatically. You do
not need to create a link aggregation group as you do for creating an Ethernet link aggregation.
Q. Can IRF member chassis use duplicate member IDs?

A. No. You must assign a unique IRF member ID to each member chassis before setting up an IRF fabric. If a chassis
has different member IDs on its active MPU and the standby MPU, the standby MPU will reboot automatically
with the member ID on the active MPU.
Q. Are there any software feature consistency requirements for a successful IRF setup?

A. Yes. To set up an IRF fabric, you must make sure all member chassis have the same settings for the following
commands:
 acl ipv6 { enable | disable }
 acl mode
 irf mode enhanced
 portal-roaming enable
 system working mode
 vpn popgo
Q. Why can't I configure a port as a Layer 3 Ethernet interface?

A. Check the IRF mode. If enhanced IRF is enabled, the switch does not support the Layer 3 Ethernet interface,
Layer 3 Ethernet subinterface, Layer 3 aggregate interface, or Layer 3 aggregation subinterface.
Q. Why can't I disable enhanced IRF?

A. To execute the undo irf mode enhanced command, verify that the following requirements are met:
 The IRF fabric has only up to two member chassis.
 On each member chassis, only one of the IRF ports has IRF physical port bindings.

Q. Can I run LACP MAD on any Ethernet link aggregation?

A. No. To run LACP MAD, make sure the aggregation meets following requirements:
 The remote device is a Comware-based H3C device that can process the LACPDUs that convey the ActiveID field for
MAD.
 The aggregation mode is dynamic.
 The aggregation includes at least one link from each member chassis.

Q. Why doesn't BFD MAD take effect when the spanning tree feature is enabled globally in

IRF mode?

A. This issue occurs if the spanning tree feature is enabled both globally and on the physical ports in the BFD MAD
VLAN. To resolve this issue, you must disable the spanning tree feature on the physical ports in the BFD MAD
VLAN.
In IRF mode, the member chassis are considered as one system. The spanning tree feature can cause shutdown of physical
links in the BFD MAD VLAN for detection of loops:
 If BFD MAD links are between member chassis, the system will shut down the physical ports in the BFD MAD VLAN
because the STP BPDUs sent between them are all sent by the system itself.
 If BFD MAD links are between the member chassis and a remote device, the remote device will shut down all but one
physical port in the BFD MAD VLAN, because the ports receive STP BPDUs sent by the same system.

Q. Why are ports that were shut down by MAD still down after an IRF merge?

A. If you reboot the Active-state fabric instead of the Recovery-state IRF fabric to complete an IRF merge, the ports
that were shut down by MAD cannot be restored automatically. You must use the mad restore command to
restore their original physical state.
To avoid this issue, reboot the Recovery-state IRF fabric instead of the Active-state IRF fabric to complete an IRF merge.

Q. Why doesn't the running configuration on a re-unified IRF fabric include the

configuration that I made on one chassis after an IRF split?

A. When an IRF merge merges, chassis in the Recovery-state IRF fabric reboot with the running configuration on
the Active-state IRF fabric. The configuration you made on the Active-state IRF fabric will not take effect.
Q. Why do the subordinate chassis reboot automatically upon IRF merge?

A. When an IRF merge occurs after a split, the subordinate chassis reboots automatically if the following conditions
are met:
 The IRF split occurred because of an IRF hello timeout.
  IRF port bindings have not been changed.

Q. Why can't data traffic be forwarded at the wire speed on IRF links?

A. This issue occurs for various reasons, including:

 Link type inconsistency between peer IRF physical ports—For example, one of them is an access port and the other one
is a trunk port. The trunk port adds a 4-byte VLAN tag to each packet.
 Unbalanced traffic distribution—IRF distributes traffic across member chassis on a flow-by-flow basis. All traffic of a
flow will be forwarded on the same IRF link. As a result, some IRF links might have heavy traffic while others have light
traffic.
 Control traffic—Part of bandwidth is used for configuration synchronization and IRF protocol traffic between member
chassis.

Q. Will the Active-state IRF fabric retain configuration for chassis in the Recovery-state IRF

fabric after an IRF split?

A. Yes. The running configuration on the Active-state IRF fabric will retain the settings for the chassis in the
Recovery-state IRF fabric, even though the display current-configuration command does not display these
settings. You do not need to reconfigure these settings after the Recovery-state IRF fabric rejoins the Active-state
IRF fabric.
These settings will be lost if the Active-state IRF fabric reboots before an IRF merge occurs. You cannot save these settings to
the configuration file on the Active-state IRF fabric while the subordinate chassis is absent.
About H3C
Corporate Profile
Corporate Responsibility
H3C Green IT Principles
News
Success Stories
Visual Identity
Contact Us
Product & Technology
Cloud Computing
Switches
Routers
WLAN
Security Products
iMC
Technology Solutions
Technical Support
Software Download
Technical Documents
Service and Support Policy
Warranty Enquiry
Repair & Replace
Product Life Cycle Management Strategy
Tools & Resources
Product Licensing
Training & Certification
Training Courses
H3C Training Center
 Certification
H3CSE-Routing & Switching
H3CNE
Training Partner
Partners
Become a H3C Partner
Partners Classifications
Find a H3C Partner
Partner Support
Site Map | Contact Us | Legal & Privacy | New H3C Technologies Co., Ltd. Copyright 2003-2018, All rights reserved