Configuration Guide - Ethernet Switching
Switches
V200R011C10
Issue 08
Date 2019-07-31
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://e.huawei.com
Intended Audience
This document is intended for network engineers responsible for switch configuration and
management. You should be familiar with basic Ethernet knowledge and have extensive
experience in network deployment and management.
Security Conventions
• Password setting
  – To ensure device security, use ciphertext when configuring a password and change
    the password periodically.
  – The switch considers all passwords starting and ending with %^%#, %#%#, %@%@
    or @%@% as ciphertext and attempts to decrypt them. If you configure a
    plaintext password that starts and ends with %^%#, %#%#, %@%@ or @%@%,
    the switch decrypts it and records it into the configuration file (plaintext passwords
    are not recorded for the sake of security). Therefore, do not set a password starting
    and ending with %^%#, %#%#, %@%@ or @%@%.
  – When you configure passwords in ciphertext, different features must use different
    ciphertext passwords. For example, the ciphertext password set for the AAA feature
    cannot be used for other features.
• Encryption algorithms
  The switch currently supports 3DES, AES, RSA, SHA1, SHA2, and MD5. 3DES,
  RSA, and AES are reversible, whereas SHA1, SHA2, and MD5 are irreversible. Using
  the encryption algorithms DES, 3DES, RSA (RSA-1024 or lower), MD5 (in digital
  signature scenarios and password encryption), or SHA1 (in digital signature scenarios) is
  a security risk. If protocols allow, use more secure encryption algorithms, such as AES,
  RSA (RSA-2048 or higher), SHA2, or HMAC-SHA2.
  An irreversible encryption algorithm must be used for the administrator password. SHA2
  is recommended for this purpose.
• Personal data
  Some personal data (such as MAC or IP addresses of terminals) may be obtained or used
  during operation or fault location of your purchased products, services, and features, so you
  have an obligation to make privacy policies and take measures according to the
  applicable law of the country to protect personal data.
• Mirroring
  The terms mirrored port, port mirroring, traffic mirroring, and mirroring in this
  document are mentioned only to describe the product's function of communication error
  or failure detection, and do not involve collection or processing of any personal
  information or communication data of users.
• Reliability design declaration
  Network planning and site design must comply with reliability design principles and
  provide device- and solution-level protection. Device-level protection includes planning
  principles of dual-network and inter-board dual-link to avoid single point or single link
  of failure. Solution-level protection refers to a fast convergence mechanism, such as FRR
  and VRRP. If solution-level protection is used, ensure that the primary and backup paths
  do not share links or transmission devices. Otherwise, solution-level protection may fail
  to take effect.
Disclaimer
• This document is designed as a reference for you to configure your devices. Its contents,
  including web pages, command line input and output, are based on laboratory conditions.
  It provides instructions for general scenarios, but does not cover all use cases of all
  product models. The examples given may differ from your use case due to differences in
  software versions, models, and configuration files. When configuring your device, alter
  the configuration depending on your use case.
• The specifications provided in this document are tested in a lab environment (for example,
  a certain type of card has been installed on the tested device or only one protocol is
  run on the device). Results may differ from the listed specifications when you attempt to
  obtain the maximum values with multiple functions enabled on the device.
• In this document, public IP addresses may be used in feature introduction and
  configuration examples and are for reference only unless otherwise specified.
Contents
10 QinQ Configuration
10.1 Overview of QinQ
10.2 Understanding QinQ
10.2.1 QinQ Fundamentals
10.2.2 Basic QinQ
10.2.3 Selective QinQ
10.2.4 VLAN Stacking on a VLANIF Interface
10.2.5 TPID
10.2.6 QinQ Mapping
10.3 Application Scenarios for QinQ
10.3.1 Public User Services on a Metro Ethernet Network
10.3.2 Enterprise Network Connection Through Private Lines
10.4 Summary of QinQ Configuration Tasks
10.5 Licensing Requirements and Limitations for QinQ
10.6 Configuring Basic QinQ
13 VCMP Configuration
13.1 Overview of VCMP
13.2 Understanding VCMP
13.2.1 Basic Concepts of VCMP
13.2.2 VCMP Implementation
13.3 Application Scenarios for VCMP
13.4 Licensing Requirements and Limitations for VCMP
13.5 Default Settings for VCMP
13.6 Configuring VCMP
13.7 Maintaining VCMP
13.7.1 Displaying VCMP Running Information
13.7.2 Clearing VCMP Running Information
15 MSTP Configuration
15.1 Overview of MSTP
15.2 Understanding MSTP
15.2.1 MSTP Background
15.2.2 Basic Concepts of MSTP
15.2.3 MST BPDUs
15.2.4 MSTP Topology Calculation
15.2.5 MSTP Fast Convergence
15.2.6 MSTP Multi-Process
15.3 Application Scenarios for MSTP
15.4 Summary of MSTP Configuration Tasks
15.5 Licensing Requirements and Limitations for MSTP
15.6 Default Settings for MSTP
15.7 Configuring MSTP
15.7.1 Configuring the MSTP Mode
15.7.2 Configuring and Activating an MST Region
15.7.3 (Optional) Configuring the Root Bridge and Secondary Root Bridge
15.7.4 (Optional) Configuring a Priority for a Switch in an MSTI
15.7.5 (Optional) Configuring a Path Cost of a Port in an MSTI
15.7.6 (Optional) Configuring a Port Priority in an MSTI
15.7.7 Enabling MSTP
17 SEP Configuration
18.10.6 Example for Configuring Tangent RRPP Rings with Multiple Instances
18.11 Troubleshooting RRPP
18.11.1 A Loop Occurs After the RRPP Configuration is Complete
18.12 FAQ About RRPP
18.12.1 Why Does a Broadcast Storm Occur When the Secondary Port of the Master Node Is Blocked?
18.12.2 Can Data Packets Be Blocked in the Control VLAN of RRPP?
19.11.3 Example for Configuring ERPS over VPLS in Scenarios Where a CE Is Dual-Homed to PEs (Through Ethernet Sub-interfaces)
19.11.4 Example for Configuring ERPS over VPLS in Scenarios Where a CE Is Dual-Homed to PEs (Through VLANIF Interfaces)
19.12 Troubleshooting ERPS
19.12.1 Traffic Forwarding Fails in an ERPS Ring
| Feature | S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E | S2720EI, S2750EI | S5700LI, S5700S-LI, S5710-X-LI | S5720LI, S5720S-LI | S5720SI, S5720S-SI, S5730SI, S5730S-EI | S5720EI, S5720HI | S6720LI, S6720S-LI | S6720SI, S6720S-SI | S6720EI, S6720S-EI |
|---|---|---|---|---|---|---|---|---|---|
| MAC address table | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
| Link aggregation | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
| VLAN | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
| VLAN aggregation | Not supported | Not supported | Not supported | Not supported | Supported | Supported | Not supported | Supported | Supported |
| MUX VLAN | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
| VLAN termination | Not supported | Not supported | Not supported | Not supported | Not supported | Supported | Not supported | Not supported | Supported |
| Voice VLAN | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
| QinQ | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
| VLAN mapping | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
| GVRP | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
| VCMP | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
| STP/RSTP | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
| MSTP | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
| VBST | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
| SEP | Supported except S1720GFR | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
| ERPS (G.8032) | Supported except S1720GFR | Supported | Only supported by the S5700LI and S5710-X-LI. | Supported | Supported | Supported | Supported | Supported | Supported |
| RRPP | Supported except S1720GFR | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
| LBDT | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
| Layer 2 protocol transparent transmission | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
2 Ethernet Switching
Ethernet is a simple, cost-effective, and easy-to-implement LAN technology and is widely used.
NOTE
To distinguish Ethernet frames of the two types, Ethernet frames defined in RFC 894 are called
Ethernet_II frames and Ethernet frames defined in RFC 1042 are called IEEE 802.3 frames in this
document.
History
In 1972, when Robert Metcalfe (father of Ethernet) was hired by Xerox, his first job was to
connect computers in Xerox's Palo Alto Research Center (PARC) to the Advanced Research
Projects Agency Network (ARPANET), progenitor of the Internet. Also in 1972, Metcalfe
designed a network to connect computers in the PARC. That network was based on
the Aloha system (a radio network system) and connected many computers in the PARC, so
Metcalfe originally named the network the Alto Aloha network. The Alto Aloha network started
operating in May 1973, and Metcalfe then gave it the official name Ethernet, which is the
prototype of Ethernet. The network operated at a rate of 2.94 Mbit/s and used thick coaxial
cable as the transmission medium. In June 1976, Metcalfe and his assistant David Boggs
published a paper, Ethernet Distributed Packet Switching for Local Computer Networks. At
the end of 1977, Metcalfe and his three co-workers were granted a patent on "Multipoint data
communication system with collision detection." Since then, Ethernet has been known to the
public.
As Ethernet technology develops rapidly, Ethernet has become the most widely used LAN
technology and replaced most other LAN standards, such as token ring, fiber distributed
data interface (FDDI), and attached resource computer network (ARCNET). After rapid
development of 100M Ethernet in the 20th century, gigabit Ethernet and even 10G Ethernet
are now expanding their applications as promoted by international standardization
organizations and industry-leading enterprises.
Purpose
Ethernet is a universal communication protocol standard used for local area networks (LANs).
This standard defines the cable type and signal processing method used for LANs.
Ethernet networks are broadcast networks established based on the Carrier Sense Multiple
Access with Collision Detection (CSMA/CD) mechanism. Collisions restrict Ethernet
performance. Early Ethernet devices such as hubs work at the physical layer, and cannot
confine collisions to a particular scope. This restricts network performance improvement.
Working at the data link layer, switches are able to confine collisions to a particular scope.
Switches help improve Ethernet performance and have replaced hubs as mainstream Ethernet
devices. However, switches do not restrict broadcast traffic on the Ethernet. This affects
Ethernet performance. Dividing a LAN into virtual local area networks (VLANs) on switches
or using Layer 3 switches can solve this problem.
As a simple, cost-effective, and easy-to-implement LAN technology, Ethernet has become the
mainstream in the industry. Gigabit Ethernet and even 10G Ethernet make Ethernet the most
promising network technology.
Ethernet uses a passive medium and transmits data in broadcast mode. It defines protocols used
on the physical layer and data link layer, interfaces between the two layers, and interfaces
between the data link layer and upper layers.
Physical Layer
The physical layer determines basic physical attributes of Ethernet, including data coding,
time scale, and electrical frequency.
The physical layer is the lowest layer in the Open Systems Interconnection (OSI) reference
model and is closest to the physical medium (communication channel) that transmits data.
Data is transmitted on the physical layer in binary bits (0 or 1). Transmission of bits depends
on transmission devices and physical media, but the physical layer does not refer to a specific
physical device or physical medium. Actually, the physical layer is located above a physical
medium and provides the data link layer with physical connections to transmit original bit
streams.
The physical layer and data link layer depend on each other. Therefore, different working
modes of the physical layer must be supported by corresponding data link layer modes. This
hinders Ethernet design and application.
Some organizations and vendors propose to divide the data link layer into two sub-layers: the
Media Access Control (MAC) sub-layer and the Logical Link Control (LLC) sub-layer. Then
different physical layers correspond to different MAC sub-layers, and the LLC sub-layer
becomes totally independent, as shown in Figure 2-1.
The following sections describe concepts involved in the physical layer and data link layer.
• 10BASE-2
• 10BASE-5
• 10BASE-T
• 10BASE-F
• 100BASE-T4
• 100BASE-TX
• 100BASE-FX
• 1000BASE-SX
• 1000BASE-LX
• 1000BASE-TX
• 10GBASE-T
• 10GBASE-LR
• 10GBASE-SR
In the preceding standards, 10, 100, 1000 and 10G stand for transmission rates, and BASE
represents baseband.
NOTE
Coaxial cables have a fatal defect: Devices are connected in series and therefore a single-point
failure can cause the breakdown of the entire network. As the physical standards of coaxial cables,
10BASE-2 and 10BASE-5 have fallen into disuse.
• 100M Ethernet cable standards
  100M Ethernet is also called Fast Ethernet (FE). Compared with 10M Ethernet, 100M
  Ethernet has a faster transmission rate at the physical layer, but the two do not differ
  at the data link layer.
  Table 2-2 lists the 100M Ethernet cable standards.
  Both 10BASE-T and 100BASE-TX apply to Category 5 twisted pair cables. They have
  different transmission rates: 10BASE-T transmits data at 10 Mbit/s, whereas
  100BASE-TX transmits data at 100 Mbit/s.
  100BASE-T4 is rarely used now.
• Gigabit Ethernet cable standards
  Gigabit Ethernet is developed on the basis of the Ethernet standard defined in IEEE
  802.3. Based on the Ethernet protocol, Gigabit Ethernet increases the transmission rate to
  10 times the FE transmission rate, reaching 1 Gbit/s. Table 2-3 lists the Gigabit Ethernet
  cable standards.
  Gigabit Ethernet technology can upgrade the existing Fast Ethernet from 100 Mbit/s to
  1000 Mbit/s.
  The physical layer of Gigabit Ethernet uses 8B10B coding. In traditional Ethernet
  technology, the data link layer delivers 8-bit data sets to its physical layer. After
  processing the data sets, the physical layer sends them to the data link layer. The data
  sets are still 8 bits after processing.
  The situation is different on Gigabit Ethernet over optical fibers. The physical layer
  maps the 8-bit data sets transmitted from the data link layer to 10-bit data sets and then
  sends them out.
• 10G Ethernet cable standards
  10G Ethernet is currently defined in supplementary standard IEEE 802.3ae, which will
  be combined with IEEE 802.3 later. Table 2-4 lists the 10G Ethernet cable standards.
  The standard for 40G/100G Ethernet is defined in IEEE 802.3ba, which was published in
  2010. 100G Ethernet will be widely used as network technologies develop.
2.2.3 CSMA/CD
• Definition of CSMA/CD
  Ethernet was originally designed to connect computers and other digital devices on a
  shared physical line. The computers and digital devices can access the shared line only in
  half-duplex mode. Therefore, a mechanism of collision detection and avoidance is
  required to prevent multiple devices from contending for the line. This mechanism is
  called Carrier Sense Multiple Access with Collision Detection (CSMA/CD).
  The concept of CSMA/CD is described as follows:
  – Carrier sense (CS)
    Before transmitting data, a station checks whether the line is idle to reduce chances
    of collision.
  – Multiple access (MA)
    Data sent by a station can be received by multiple stations.
  – Collision detection (CD)
    If two stations transmit electrical signals at the same time, the voltage amplitude
    is double the normal amplitude because the signals of the two stations accumulate.
    This results in a collision.
    The stations stop transmission after detecting the collision, and resume the
    transmission after a random delay.
• CSMA/CD working process
  CSMA/CD works as follows:
  a. A station continuously detects whether the shared line is idle.
     ▪ If the line is idle, the station sends data.
     ▪ If the line is in use, the station waits until the line becomes idle.
  b. If two stations send data at the same time, a collision occurs on the line, and signals
     on the line become unstable.
  c. After detecting the instability, the station immediately stops sending data.
  d. The station sends a series of disturbing pulses. After a period of time, the station
     resumes the data transmission.
     The station sends disturbing pulses to inform other stations, especially the station
     that sends data at the same time, that a collision occurred on the line.
     After detecting a collision, the station waits for a random period of time, and then
     resumes the data transmission.
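The working process above, as an added example that is not part of the original guide: a slotted simulation of stations contending for one shared half-duplex line. The random delay in step d is modelled with the truncated binary exponential backoff of IEEE 802.3; the slot granularity, frame duration, station counts and seed are assumptions chosen for illustration.

```python
import random

MAX_BACKOFF_EXP = 10   # IEEE 802.3 caps the backoff window at 2**10 slots
MAX_ATTEMPTS = 16      # IEEE 802.3 discards a frame after 16 failed attempts


class Station:
    def __init__(self, name, frames):
        self.name = name
        self.pending = frames   # frames still waiting to be sent
        self.attempts = 0       # collisions suffered by the current frame
        self.wait = 0           # backoff slots left before the next try
        self.dropped = 0

    def back_off(self, rng):
        """Step d: after a collision, wait a random number of slots."""
        self.attempts += 1
        if self.attempts >= MAX_ATTEMPTS:
            # Too many collisions: give up on this frame.
            self.pending -= 1
            self.dropped += 1
            self.attempts = 0
            self.wait = 0
            return
        k = min(self.attempts, MAX_BACKOFF_EXP)
        self.wait = rng.randrange(2 ** k)   # 0 .. 2**k - 1 slots


def simulate(n_stations, frames_each, frame_slots=4, seed=1, max_slots=100_000):
    """Run the shared line until every frame is delivered or dropped."""
    rng = random.Random(seed)               # seeded so runs are repeatable
    stations = [Station(f"S{i}", frames_each) for i in range(n_stations)]
    delivered = collisions = slot = 0
    busy_until = 0                          # first slot at which the line is idle

    while any(s.pending for s in stations) and slot < max_slots:
        line_idle = slot >= busy_until
        ready = []
        for s in stations:
            if not s.pending:
                continue
            if s.wait > 0:
                s.wait -= 1                 # still backing off
            elif line_idle:
                ready.append(s)             # step a: line idle, send
            # else: carrier sensed, keep waiting for the line

        if len(ready) == 1:
            # Exactly one sender: the frame occupies the line.
            ready[0].pending -= 1
            ready[0].attempts = 0
            delivered += 1
            busy_until = slot + frame_slots
        elif len(ready) > 1:
            # Steps b-d: simultaneous senders collide, jam, then back off.
            collisions += 1
            for s in ready:
                s.back_off(rng)
            busy_until = slot + 1           # the jam signal fills this slot
        slot += 1

    return {
        "delivered": delivered,
        "collisions": collisions,
        "dropped": sum(s.dropped for s in stations),
        "slots": slot,
    }


if __name__ == "__main__":
    for n in (1, 2, 5, 20):
        print(n, "stations:", simulate(n, 10))
```

Raising the station count shows the collision count growing with the number of nodes on the shared medium, while a single station never collides.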
The use of minimum frame length can prevent the following situation: station A finishes
sending the last bit, but the first bit does not arrive at station B, which is far from station A.
Station B considers that the line is idle and begins to send data, leading to a collision.
The upper layer protocol must ensure that the Data field of a packet contains at least 46 bytes,
so that the total length of the Data field, the 14-byte Ethernet frame header, and the 4-byte
check code at the frame tail can reach the minimum frame length, as shown in Figure 2-2. If
the Data field is less than 46 bytes, the upper layer must pad the field to 46 bytes.
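The padding rule above, as an added example that is not part of the original guide: building and checking an Ethernet_II frame so that the 14-byte header, the Data field and the 4-byte check code reach the 64-byte minimum. The 1500-byte Data limit, the CRC-32 check code computed with `zlib.crc32`, and the sample addresses and payloads are assumptions taken from common Ethernet practice, not from this page.

```python
import struct
import zlib

HEADER_LEN = 14       # destination MAC (6) + source MAC (6) + type (2)
FCS_LEN = 4           # check code at the frame tail
MIN_DATA_LEN = 46
MAX_DATA_LEN = 1500   # assumption: standard Ethernet maximum, not stated on this page
MIN_FRAME_LEN = HEADER_LEN + MIN_DATA_LEN + FCS_LEN   # 64 bytes


def mac_bytes(mac):
    """Accept xxxx-xxxx-xxxx (as used in this guide) or xx:xx:xx:xx:xx:xx."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def build_frame(dst, src, ethertype, data):
    """Return header + padded Data + check code."""
    if len(data) > MAX_DATA_LEN:
        raise ValueError("Data field exceeds 1500 bytes")
    # Pad with zeros, never with whatever happened to be in a reused buffer:
    # pad bytes go out on the wire and are visible to every receiver.
    padded = data.ljust(MIN_DATA_LEN, b"\x00")
    body = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + padded
    # The CRC-32 check code is appended least significant byte first.
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(frame):
    """Validate length and check code, then split the frame into fields."""
    if len(frame) < MIN_FRAME_LEN:
        raise ValueError(f"runt frame: {len(frame)} bytes")
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        raise ValueError("check code mismatch")
    (ethertype,) = struct.unpack("!H", body[12:14])
    return {
        "dst": body[0:6],
        "src": body[6:12],
        "ethertype": ethertype,
        # Padding is indistinguishable from data at this layer; the upper
        # layer protocol needs its own length field to strip it.
        "data": body[HEADER_LEN:],
    }


if __name__ == "__main__":
    # Constructed sample: a 28-byte payload sent to the broadcast address.
    frame = build_frame("FFFF-FFFF-FFFF", "0011-2233-4455", 0x0806, b"A" * 28)
    print(len(frame), "bytes on the wire")
    print(len(parse_frame(frame)["data"]), "bytes in the Data field after padding")
```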
The physical layer of Ethernet can work in either half-duplex or full-duplex mode.
• Half-duplex mode
  The half-duplex mode has the following features:
  – Data can be either sent or received at any given time, but not both.
  – The CSMA/CD mechanism is used.
  – The maximum transmission distance is limited.
  Hubs work in half-duplex mode.
• Full-duplex mode
  After Layer 2 switches replace hubs, the shared Ethernet changes to the switched
  Ethernet, and the half-duplex mode is replaced by the full-duplex mode. As a result, the
  transmission rate increases greatly, and the maximum throughput is double the
  transmission rate.
  The full-duplex mode solves the problem of collisions and eliminates the need for the
  CSMA/CD mechanism.
  The full-duplex mode has the following features:
  – Data can be sent and received at the same time.
  – The maximum throughput is double the transmission rate.
  – This mode does not have the limitation on the transmission distance.
  All network cards, Layer 2 devices (except hubs), and Layer 3 devices produced support
  the full-duplex mode.
  The following hardware components are required to realize the full-duplex mode:
  – Full-duplex network cards and chips
  – Physical media with separate data transmission and receiving channels
  – Point-to-point connection
• Purpose of auto-negotiation
  Earlier Ethernet adopted the 10 Mbit/s half-duplex mode; therefore, mechanisms such
  as CSMA/CD were required to guarantee system stability. As technologies developed,
  the full-duplex mode and 100M Ethernet emerged, greatly improving
  Ethernet performance. Achieving compatibility between the earlier and new
  Ethernet networks then became a new problem.
  The auto-negotiation technology is introduced to solve this problem. In auto-negotiation,
  the devices on two ends of a link can choose the same operation parameters by
  exchanging information. The main parameters to be negotiated are mode (half-duplex or
  full-duplex), speed, and flow control. After the negotiation succeeds, the devices on two
  ends operate in the negotiated mode and rate.
  The auto-negotiation of duplex mode and speed is defined in the following standards:
  – 100M Ethernet standard: IEEE 802.3u
    In IEEE 802.3u, auto-negotiation is defined as an optional function.
  – Gigabit Ethernet standard: IEEE 802.3z
    In IEEE 802.3z, auto-negotiation is defined as a mandatory and default function.
• Principle of auto-negotiation
  Auto-negotiation is an Ethernet procedure by which two connected devices choose
  common transmission parameters. It allows a network device to transmit its supported
  operating mode to the peer and receive the operating mode from the peer. In this
  process, the connected devices first share their capabilities regarding these parameters
  and then choose the highest performance transmission mode they both support.
  When no data is transmitted over a twisted pair on an Ethernet network, pulses of high
  frequency are transmitted at an interval of 16 ms to maintain the connections at the link
  layer. These pulses form a Normal Link Pulse (NLP) code stream. Some pulses of higher
  frequency can be inserted in the NLP to transmit more information. These pulses form a
  Fast Link Pulse (FLP) code stream, as shown in Figure 2-3. The basic mechanism of
  auto-negotiation is to encapsulate the negotiation information into FLP.
  Similar to an Ethernet network that uses twisted pair cables, an Ethernet network that
  uses optical modules and optical fibers also implements auto-negotiation by sending
  code streams. These code streams are called Configuration (C) code streams. Different
  from electrical interfaces, optical interfaces do not negotiate traffic transmission rates
  and they work in duplex mode. Optical interfaces only negotiate flow control parameters.
  If auto-negotiation succeeds, the Ethernet card activates the link. Then, data can be
  transmitted on the link. If auto-negotiation fails, the link is unavailable.
  If one end does not support auto-negotiation, the other end that supports auto-negotiation
  adopts the default operating mode, which is generally 10 Mbit/s half-duplex.
Collision Domain
On a legacy Ethernet network using thick coaxial cables as a transmission medium, multiple
nodes on a shared medium share the bandwidth on the link and compete for the right to use
the link. A network collision occurs when more than one node attempts to send a packet on
this link at the same time. The Carrier Sense Multiple Access with Collision Detection
(CSMA/CD) mechanism is used to solve the problem of collisions. Once a collision occurs on
a link, the CSMA/CD mechanism prevents data transmission on this link within a specified
time. Collisions are inevitable on an Ethernet network, and the probability of a collision
increases when more nodes are deployed on a shared medium. All nodes on a shared
medium constitute a collision domain. All the nodes in a collision domain compete for
bandwidth. Packets sent from a node, including unicast, multicast, and broadcast packets, can
reach all the other nodes in the collision domain.
Broadcast Domain
Packets are broadcast in a collision domain, which results in a low bandwidth efficiency and
degrades packet processing performance of network devices. Therefore, broadcasting of
packets must be restricted. For example, the ARP protocol sends broadcast packets to obtain
the MAC addresses that map to specified IP addresses. The all-1s MAC address FFFF-FFFF-FFFF
is the broadcast MAC address. All nodes must process data frames with this MAC address as
the destination MAC address. A broadcast domain is a group of nodes in which a
broadcast packet from one node can reach all the other nodes. A network bridge forwards
unicast packets according to its MAC address table and forwards broadcast packets to all its
ports. Therefore, nodes connected to all ports of a bridge belong to a broadcast domain, but
each port belongs to a different collision domain.
l Transmits data over the data link layer. After receiving data from the LLC sub-layer, the
MAC sub-layer adds the MAC address and control information to the data, and then
transmits the data to the physical link. In the process, the MAC sub-layer provides other
functions such as the check function.
Data is transmitted at the data link layer as follows:
a. The upper layer delivers data to the MAC sub-layer.
b. The MAC sub-layer stores the data in the buffer.
c. The MAC sub-layer adds the destination MAC address and source MAC address to
the data, calculates the length of the data frame, and forms an Ethernet frame.
d. The Ethernet frame is sent to the peer according to the destination MAC address.
e. The peer compares the destination MAC address with entries in the MAC address
table.
n If a matching entry is found, the frame is accepted.
n If no matching entry is found, the frame is discarded.
The preceding describes frame transmission in unicast mode. After an upper-layer
application is added to a multicast group, the data link layer generates a multicast MAC
address according to the application, and then adds the multicast MAC address to the
MAC address table. The MAC sub-layer receives frames with the multicast MAC
address and transmits the frames to the upper layer.
Field  Description
SMAC   Indicates the source MAC address. SMAC specifies the station that sends the frame.
Type   The 2-byte Type field identifies the upper-layer protocol of the Data field. The
       receiver can determine the meaning of the Data field from the Type field.
       Ethernet allows multiple protocols to coexist on a LAN. The hexadecimal values in
       the Type field of an Ethernet_II frame stand for different protocols.
       l Frames with the Type field value 0800 are IP frames.
       l Frames with the Type field value 0806 are Address Resolution Protocol (ARP) frames.
       l Frames with the Type field value 8035 are Reverse Address Resolution Protocol
         (RARP) frames.
       l Frames with the Type field value 8137 are Internetwork Packet Exchange (IPX) and
         Sequenced Packet Exchange (SPX) frames.
Data   The minimum length of the Data field is 46 bytes, which ensures that the frame is at
       least 64 bytes in length. The 46-byte Data field is required even if only 1 byte of
       information needs to be transmitted.
       If the payload of the Data field is less than 46 bytes, the Data field must be
       padded to 46 bytes.
       The maximum length of the Data field is 1500 bytes.
– CRC
The Cyclic Redundancy Check (CRC) field provides an error detection mechanism.
Each sending device calculates a CRC code over the DMAC, SMAC, Type,
and Data fields. The CRC code is then written into the 4-byte CRC field.
l Format of an IEEE 802.3 frame
As shown in Figure 2-5, the format of an IEEE 802.3 frame is similar to that of an
Ethernet_II frame except that the Type field is changed to the Length field in an IEEE
802.3 frame, and the LLC field and the Sub-Network Access Protocol (SNAP) field
occupy 8 bytes of the Data field.
Length The Length field specifies the number of bytes in the Data field.
SNAP The SNAP field consists of the Org Code field and the Type field.
Three bytes in the Org Code field are all 0s. The Type field
functions the same as the Type field in Ethernet_II frames.
NOTE
For descriptions of the other fields, see the description of Ethernet_II frames.
Based on the values of DSAP and SSAP, IEEE 802.3 frames can be divided into the
following types:
– If DSAP and SSAP are both 0xff, the IEEE 802.3 frame changes to a Netware-
Ethernet frame that carries NetWare data.
– If DSAP and SSAP are both 0xaa, the IEEE 802.3 frame changes to an
Ethernet_SNAP frame.
Ethernet_SNAP frames can be encapsulated with data of multiple protocols. The
SNAP can be considered as an extension of the Ethernet protocol. SNAP allows
vendors to define their own Ethernet transmission protocols.
The Ethernet_SNAP standard is defined by IEEE 802.1 to guarantee
interoperability between IEEE 802.3 LANs and Ethernet networks.
– Other values of DSAP and SSAP indicate IEEE 802.3 frames.
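The frame formats above can be told apart mechanically. The following parser is an added example, not code from this guide; it classifies a frame as Ethernet_II, Netware-Ethernet, Ethernet_SNAP or plain IEEE 802.3, and uses the Length field to strip padding. The 0x0600 boundary between Type and Length values and the 1-byte Control field are assumptions not stated on this page, and all sample frames are constructed.

```python
import struct

# Type values this page lists for Ethernet_II frames.
ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x8035: "RARP", 0x8137: "IPX/SPX"}
MIN_DATA = 46  # minimum Data field length stated on this page


def fmt_mac(raw):
    """Render 6 bytes in the xxxx-xxxx-xxxx notation used in this guide."""
    text = raw.hex()
    return "-".join(text[i:i + 4] for i in range(0, 12, 4))


def build_frame(dmac, smac, type_or_len, data):
    """Build DMAC|SMAC|Type-or-Length|Data, zero-padding Data to 46 bytes."""
    data = data + b"\x00" * max(0, MIN_DATA - len(data))
    return dmac + smac + struct.pack("!H", type_or_len) + data


def classify_frame(frame):
    """Classify a frame given from DMAC onward (no preamble, no CRC)."""
    if len(frame) < 14:
        raise ValueError("truncated header")
    dmac, smac = frame[:6], frame[6:12]
    (value,) = struct.unpack("!H", frame[12:14])
    body = frame[14:]
    info = {"dmac": fmt_mac(dmac), "smac": fmt_mac(smac),
            "broadcast": dmac == b"\xff" * 6}

    # Assumption (not stated on this page): a value of 0x0600 or more is a
    # Type, a value of 1500 or less is a Length.
    if value >= 0x0600:
        info.update(kind="Ethernet_II", payload=body,
                    protocol=ETHERTYPES.get(value, hex(value)))
        return info
    if value > 1500 or value > len(body):
        raise ValueError("Length field does not match the Data field")

    data = body[:value]  # bytes beyond Length are padding
    if len(data) < 3:
        raise ValueError("Data too short for DSAP, SSAP and Control")
    dsap, ssap = data[0], data[1]
    if dsap == 0xFF and ssap == 0xFF:
        info.update(kind="Netware-Ethernet", payload=data)
    elif dsap == 0xAA and ssap == 0xAA:
        if len(data) < 8:
            raise ValueError("Data too short for LLC and SNAP (8 bytes)")
        (snap_type,) = struct.unpack("!H", data[6:8])
        info.update(kind="Ethernet_SNAP", org_code=data[3:6].hex(),
                    protocol=ETHERTYPES.get(snap_type, hex(snap_type)),
                    payload=data[8:])
    else:
        # Assumption: a 1-byte Control field follows DSAP and SSAP.
        info.update(kind="IEEE 802.3", dsap=dsap, ssap=ssap, payload=data[3:])
    return info


# Constructed sample frames (not captured traffic).
HOST = bytes.fromhex("00e0fc000001")
PEER = bytes.fromhex("00e0fc000002")
BCAST = b"\xff" * 6
ARP_FRAME = build_frame(BCAST, HOST, 0x0806, b"\x00" * 28)
SNAP_HDR = bytes.fromhex("aaaa03" "000000" "0800")  # LLC + Org Code + Type
SNAP_FRAME = build_frame(PEER, HOST, len(SNAP_HDR) + 5, SNAP_HDR + b"hello")
NETWARE_FRAME = build_frame(PEER, HOST, 30, b"\xff\xff" + b"\x00" * 28)
LLC_FRAME = build_frame(PEER, HOST, 4, bytes.fromhex("424203") + b"\x01")
LYING_FRAME = build_frame(PEER, HOST, 100, b"short")  # Length > bytes present

if __name__ == "__main__":
    for sample in (ARP_FRAME, SNAP_FRAME, NETWARE_FRAME, LLC_FRAME):
        result = classify_frame(sample)
        print(result["kind"], result.get("protocol", ""), len(result["payload"]))
```

A frame whose Length field claims more bytes than are present is rejected rather than read past the end of the buffer.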
In an IEEE 802.3 frame, the LLC sub-layer defines useful features in addition to traditional
services of the data link layer. All these features are provided by the sub-fields of DSAP,
SSAP, and Control.
l Connectionless service
Currently, Ethernet implements this service.
l Connection-oriented service
A connection is set up before data is transmitted. The reliability of data is guaranteed
during the transmission.
l Connectionless data transmission with acknowledgement
A connection is not required before data transmission. The acknowledgement
mechanism is used to improve the reliability.
The following is an example that describes the applications of SSAP and DSAP. Assume that
terminals A and B use connection-oriented services. Data is transmitted in the following
process:
7. After checking and acknowledging the frame based on the connection type, the LLC sub-
layer of B transmits the frame to the upper layer.
8. After the frame reaches its destination, A instructs B to release the connection by
sending a frame. At this time, the communications end.
[Figure: PC A and PC C attached to switch ports Port 1, Port 2, and Port 3; frame fields: MAC C | MAC A | Type | Data]
Although Layer 2 devices can isolate collision domains, they cannot isolate broadcast
domains. As described in the Layer 2 forwarding process, broadcast packets and packets that
do not match any entry in the MAC address table are forwarded to all ports (except the port
from which the frame is received). Packet broadcasting consumes much bandwidth on
network links and brings security issues. Routers can isolate broadcast domains, but high
costs and low forwarding performance of routers limit the application of routers in Layer 2
forwarding. The virtual local area network (VLAN) technology is introduced to solve this
problem in Layer 2 switching.
As data communication networks expand and more services emerge on the networks,
increasing traffic needs to be transmitted between networks. Routers cannot adapt to this
development trend because of their high costs, low forwarding performance, and small port
quantities. New devices capable of high-speed Layer 3 forwarding are required. Layer 3
switches are such devices.
Routers use CPUs to complete Layer 3 forwarding, whereas Layer 3 switches use hardware to
complete Layer 3 forwarding. Hardware forwarding has a much higher performance than
software forwarding (CPU based forwarding). Switches cannot replace routers in all scenarios
because routers provide rich interface types, good service class control, and powerful routing
capabilities that Layer 3 switches cannot provide.
1. Before the source host starts communicating with the destination host, it compares its
own IP address with the IP address of the destination host. If IP addresses of the two
hosts have the same network ID (calculated by an AND operation between the IP
addresses and masks), the hosts are located on the same network segment. In this case,
the source host sends an Address Resolution Protocol (ARP) request to the destination
host. After receiving an ARP reply from the destination host, the source host obtains the
MAC address of the destination host and sends packets to this destination MAC address.
2. If the source and destination hosts are located on different network segments, the source
host sends an ARP request to obtain the MAC address that maps to the gateway IP address.
After receiving an ARP reply from the gateway, the source host sends packets to the
MAC address of the gateway. In these packets, the source IP address is the IP address of
the source host, and destination IP address is still the IP address of the destination host.
The following is the detailed Layer 3 switching process.
As shown in Figure 2-7, the source and destination hosts connect to the same Layer 3 switch
but belong to different VLANs (network segments). Both hosts are located on the
directly connected network segments of the Layer 3 switch, so the routes to the IP addresses
of the hosts are direct routes.
Figure 2-7 shows the MAC addresses, IP addresses, and gateway addresses of the hosts,
MAC address of the Layer 3 switch, and IP addresses of Layer 3 interfaces configured in
VLANs on the Layer 3 switch. The process of a ping from PC A to PC B is as follows (the
Layer 3 switch has not created any MAC address entry):
1. PC A finds that the destination IP address 10.2.1.2 (PC B) is on a different network
segment than its own IP address. Therefore, PC A sends an ARP request for
the MAC address that maps to the gateway address 10.1.1.1.
2. L3 Switch receives the ARP request from PC A and finds that 10.1.1.1 is the IP address
of its own Layer 3 interface. L3 switch then sends an ARP reply to PC A. The ARP reply
carries the MAC address of its Layer 3 interface (MAC Switch). In addition, L3 switch
adds the mapping between the IP address and MAC address of PC A (10.1.1.2 and MAC
A) to its ARP table. The IP address and MAC address of PC A are carried in the ARP
request sent from PC A.
3. After PC A receives the ARP reply from the gateway (L3 Switch), it sends an ICMP
request packet. In the ICMP request packet, the destination MAC address (DMAC) is
MAC Switch; the source MAC address (SMAC) is MAC A; the source IP address (SIP)
is 10.1.1.2; the destination IP address (DIP) is 10.2.1.2.
4. When L3 Switch receives the ICMP request packet, it updates the matching MAC
address entry according to the source MAC address and VLAN ID of the packet. Then
L3 Switch looks up the MAC address table according to the destination MAC address
and VLAN ID of the packet and finds the entry with the MAC address of its Layer 3
interface, which means the packet needs to be forwarded at Layer 3. L3 Switch then
looks up the Layer 3 forwarding entries of the switching chip to guide Layer 3 forwarding.
5. The switching chip looks up Layer 3 forwarding entries according to the destination IP
address of the packet. The entry lookup fails because no entry has been created. The
switching chip then sends the packet to the CPU for software processing.
6. The CPU looks up the software routing table according to the destination IP address of
the packet and finds a directly connected network segment, the network segment of PC B.
Then the CPU looks up its ARP table, and the lookup still fails. Therefore, L3 Switch
sends an ARP request to all ports in VLAN 3 (network segment of PC B) to request the
MAC address that maps to IP address 10.2.1.2.
7. After PC B receives the ARP request from L3 Switch, it checks the ARP request and
finds that 10.2.1.2 is its own IP address. PC B then sends an ARP reply carrying its
MAC address (MAC B). Meanwhile, PC B records the mapping between the IP address
and MAC address of L3 Switch (10.2.1.1 and MAC Switch) in its ARP table.
8. When L3 Switch receives the ARP reply from PC B, it records the mapping between the
IP address and MAC address of PC B (10.2.1.2 and MAC B) in its ARP table. L3 Switch
changes the destination MAC address in the ICMP request packet sent from PC A to
MAC B and changes the source MAC address to its own MAC address (MAC Switch),
and then sends the ICMP request to PC B. The Layer 3 forwarding entry containing the
IP address and MAC address of PC B, outbound VLAN ID, and outbound port is also
added to the Layer 3 forwarding table of the switching chip. Subsequent packets sent from PC
A to PC B are directly forwarded according to this hardware entry.
9. When PC B receives the ICMP request packet from L3 Switch, it sends an ICMP reply
packet to PC A. The forwarding process for the ICMP reply packet is similar to that for
the ICMP request packet except that the ICMP reply packet is directly forwarded to PC
A by the switching chip according to the hardware entry. The reason is that L3 Switch
has obtained the mapping between the IP address and MAC address of PC A and added
the matching Layer 3 forwarding entry to the L3 forwarding table of the switching chip.
10. Subsequent packets exchanged between PC A and PC B are forwarded following the
same process: MAC address table lookup, Layer 3 forwarding table lookup, and
hardware forwarding by the switching chip.
In summary, a Layer 3 switch provides high-speed Layer 3 switching through one routing
process (forwarding the first packet to the CPU and creating a hardware Layer 3 forwarding
entry) and multiple switching processes (hardware forwarding of subsequent packets).
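The ping walk-through above can be replayed as a small model. This is an added example, not code from this guide: it keeps a MAC table, an ARP table, and a hardware Layer 3 table, and reports for each packet whether it took the CPU path or the hardware path. The /24 masks, VLAN 2 for PC A, and the port names are assumptions; the IP addresses, VLAN 3, and the MAC names come from the steps above.

```python
import ipaddress

SWITCH_MAC = "MAC Switch"  # the page's name for the Layer 3 interface MAC


class L3Switch:
    def __init__(self, vlanifs, hosts):
        self.vlanifs = {v: ipaddress.ip_interface(a) for v, a in vlanifs.items()}
        self.hosts = hosts        # stand-in for attached PCs that answer ARP
        self.mac_table = {}       # (mac, vlan) -> port
        self.arp_table = {}       # ip -> (mac, vlan)
        self.hw_l3 = {}           # ip -> (mac, vlan, port), the switching chip
        self.arp_requests_sent = 0

    def _learn_arp(self, ip, mac, vlan, port):
        """Record MAC and ARP entries, then program the switching chip."""
        self.mac_table[(mac, vlan)] = port
        self.arp_table[ip] = (mac, vlan)
        self.hw_l3[ip] = (mac, vlan, port)

    def arp_request(self, sender_ip, sender_mac, target_ip, vlan, port):
        """Steps 1-2: answer only for our own Layer 3 interface address."""
        vlanif = self.vlanifs.get(vlan)
        if vlanif is None or str(vlanif.ip) != target_ip:
            return None
        self._learn_arp(sender_ip, sender_mac, vlan, port)
        return SWITCH_MAC

    def _cpu_route(self, dip):
        """Steps 6-8: software route lookup, then ARP on the target VLAN."""
        addr = ipaddress.ip_address(dip)
        for vlan, vlanif in self.vlanifs.items():
            if addr in vlanif.network:
                break
        else:
            return False                      # no directly connected route
        if dip not in self.arp_table:
            self.arp_requests_sent += 1       # broadcast in the target VLAN
            answer = self.hosts.get((vlan, dip))
            if answer is None:
                return False                  # nobody replied
            mac, port = answer
            self._learn_arp(dip, mac, vlan, port)
        return True

    def ip_packet(self, smac, dmac, sip, dip, vlan, port):
        """Steps 3-10: return the path taken and the rewritten header."""
        self.mac_table[(smac, vlan)] = port
        if dmac != SWITCH_MAC:
            # Not addressed to the Layer 3 interface: plain Layer 2 lookup.
            return {"path": "layer2", "port": self.mac_table.get((dmac, vlan))}
        path = "hardware"
        if dip not in self.hw_l3:
            path = "cpu"                      # first packet: chip lookup missed
            if not self._cpu_route(dip):
                return {"path": "drop", "port": None}
        mac, out_vlan, out_port = self.hw_l3[dip]
        return {"path": path, "dmac": mac, "smac": SWITCH_MAC,
                "vlan": out_vlan, "port": out_port, "sip": sip, "dip": dip}


def ping_demo():
    """Replay the ping from PC A (10.1.1.2) to PC B (10.2.1.2)."""
    sw = L3Switch({2: "10.1.1.1/24", 3: "10.2.1.1/24"},
                  {(3, "10.2.1.2"): ("MAC B", "GE0/0/2")})
    gw_mac = sw.arp_request("10.1.1.2", "MAC A", "10.1.1.1", 2, "GE0/0/1")
    first = sw.ip_packet("MAC A", gw_mac, "10.1.1.2", "10.2.1.2", 2, "GE0/0/1")
    reply = sw.ip_packet("MAC B", SWITCH_MAC, "10.2.1.2", "10.1.1.2", 3, "GE0/0/2")
    second = sw.ip_packet("MAC A", gw_mac, "10.1.1.2", "10.2.1.2", 2, "GE0/0/1")
    return sw, first, reply, second


if __name__ == "__main__":
    for result in ping_demo()[1:]:
        print(result["path"], result["dmac"], result["port"])
```

Only the first request reaches the CPU; the reply and every later packet are served from the hardware entries.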
[Figure: network hierarchy showing Network, Aggregation/Core Layer, Access Layer, and Terminal]
Ethernet technology can connect various terminals to a network to allow employees to browse
the Internet, make IP calls, access shared resources on servers, and print files using remote
printers over the network. The IT administrators of the enterprise can manage the network in a
centralized manner.
This chapter describes how to configure the Medium Access Control (MAC) address table.
Each station or server has a unique MAC address. When a device exchanges data with
connected stations or servers, the device records their MAC addresses, access interfaces, and
VLAN IDs for unicast forwarding.
3.1 Overview of MAC Address Tables
3.2 Understanding MAC Address Tables
3.3 Application Scenarios for MAC Address Tables
3.4 Summary of MAC Address Table Configuration Tasks
3.5 Licensing Requirements and Limitations for MAC Address Tables
3.6 Default Settings for MAC Address Tables
3.7 Configuring MAC Address Tables
3.8 Configuring MAC Address Flapping Prevention
3.9 Configuring MAC Address Flapping Detection
3.10 Configuring the Switch to Discard Packets with an All-0 MAC Address
3.11 Enabling MAC Address-triggered ARP Entry Update
3.12 Enabling Port Bridge
3.13 Configuring Re-marking of Destination MAC Addresses
3.14 Maintaining MAC Address Tables
3.15 Configuration Examples for MAC Address Tables
3.16 Troubleshooting MAC Address Tables
3.17 FAQ About MAC Address Tables
Dynamic MAC address entry
  Characteristics:
  l Dynamic MAC address entries are obtained by learning source MAC addresses of packets on
    an interface, and can be aged.
  l Dynamic MAC address entries are lost after a system restart.
  Function:
  l You can check whether data is forwarded between two connected devices by checking
    dynamic MAC address entries.
  l You can obtain the number of communicating users connected to an interface by checking
    the number of specified dynamic MAC address entries.
Static MAC address entry
  Characteristics:
  l Static MAC address entries are manually configured. Static MAC address entries never age.
  l The static MAC address entries saved in the system are not lost after a system restart.
  l After an interface is statically bound to a MAC address, other interfaces discard packets
    from this source MAC address.
  l Each static MAC address entry can have only one outbound interface.
  l Statically binding an interface to a MAC address does not affect the learning of dynamic
    MAC address entries on the interface.
  Function:
  When static MAC address entries are configured, authorized users can use network resources
  and other users are prevented from using the bound MAC addresses to initiate attacks.
0011-0022-0034 10 GE0/0/1
0011-0022-0034 20 GE0/0/2
0011-0022-0035 30 Eth-Trunk20
Functions
A MAC address table is used for unicast forwarding of packets. In Figure 3-1, when packets
sent from PC1 to PC3 reach the switch, the switch searches its MAC address table for the
destination MAC address MAC3 and VLAN 10 in the packets to obtain outbound interface
Port3. The switch then forwards packets to PC3 from Port3.
[Figure 3-1: switch forwarding a frame to PC3 through Port3; frame fields: MAC3 | MAC1 | VLAN10 | Type | Data]
[Figure 3-2: HostA connected to PortA of SwitchA]
As shown in Figure 3-2, HostA sends a data frame to SwitchA. When receiving the data
frame, SwitchA obtains the source MAC address (HostA's MAC address) and VLAN ID of
the frame.
l If the MAC address entry does not exist in the MAC address table, SwitchA adds an
entry with the new MAC address, PortA, and VLAN ID to the MAC address table.
l If the MAC address entry exists in the MAC address table, SwitchA resets the aging
timer of the MAC address entry and updates the entry.
NOTE
l If PortA is a member interface of Eth-TrunkA, the outbound interface in the MAC address entry is
Eth-TrunkA.
l All interfaces of a switch belong to VLAN 1 by default. If the default VLAN is not changed, the
VLAN ID of all MAC address entries is VLAN 1.
l The switch does not learn BPDU MAC addresses of the form 0180-c200-xxxx.
MAC address entry learning and update are triggered on a device only when the device
receives data frames.
(aging time) and will be deleted when the aging time expires. If an entry is updated within the
aging time, the aging timer of the entry is reset.
[Figure 3-3: time axis divided into aging periods of length T, with events t1, t2, and t3]
t2: The hit flag of the entry with MAC address 00e0-fc00-0001 and VLAN ID 1 is set to 0, but the entry is not deleted.
t3: The entry with MAC address 00e0-fc00-0001 and VLAN ID 1 is deleted because its hit flag is 0.
As shown in Figure 3-3, the aging time of MAC address entries is set to T. At t1, packets with
source MAC address 00e0-fc00-0001 and VLAN ID 1 arrive at an interface, which has joined
VLAN 1. If no entry with MAC address 00e0-fc00-0001 and VLAN 1 exists in the MAC
address table, the MAC address is learned as a dynamic MAC address entry in the MAC
address table, and the hit flag of the entry is set to 1.
1. At t2, if the device finds that the hit flag of the matching dynamic MAC address entry
with MAC address 00e0-fc00-0001 and VLAN 1 is 1, the device sets the hit flag to 0 but
does not delete the MAC address entry.
2. If no packet with source MAC address 00e0-fc00-0001 and VLAN 1 enters the device
between t2 and t3, the hit flag of the matching MAC address entry is always 0.
3. At t3, the device finds that the hit flag of the matching MAC address entry is 0. The
device considers that the aging time of the MAC address entry has expired and deletes
the MAC address entry.
The minimum holdtime of a dynamic MAC address entry ranges from T to 2T on the device.
You can set the aging time of MAC address entries to control the life cycle of dynamic MAC
address entries in a MAC address table.
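The hit-flag mechanism explains why an idle entry lives between T and 2T rather than exactly T. The following simulation is an added example, not code from this guide: a sweep runs every T, clears a set hit flag, and deletes entries whose flag is already 0. The value T = 300 and the integer clock are constructed for the demonstration.

```python
class AgingMacTable:
    """Dynamic MAC entries aged by a periodic sweep over a per-entry hit flag."""

    def __init__(self, aging_time):
        self.aging_time = aging_time
        self.next_sweep = aging_time      # sweeps run at T, 2T, 3T, ...
        self.entries = {}                 # (mac, vlan) -> [port, hit_flag]
        self.deletions = []               # (time, (mac, vlan)) in order

    def _sweep(self, when):
        for key, entry in list(self.entries.items()):
            if entry[1] == 1:
                entry[1] = 0              # seen since last sweep: keep, clear flag
            else:
                del self.entries[key]     # flag still 0: aged out
                self.deletions.append((when, key))

    def advance(self, now):
        """Run every sweep that is due at or before `now`."""
        while self.next_sweep <= now:
            self._sweep(self.next_sweep)
            self.next_sweep += self.aging_time

    def frame(self, now, mac, vlan, port):
        """Source-MAC learning: create or refresh the entry, hit flag = 1."""
        self.advance(now)
        self.entries[(mac, vlan)] = [port, 1]


KEY = ("00e0-fc00-0001", 1)   # MAC address and VLAN ID used in Figure 3-3


def hold_time(aging_time, learned_at):
    """How long an entry survives after a single frame at `learned_at`."""
    table = AgingMacTable(aging_time)
    table.frame(learned_at, KEY[0], KEY[1], "PortA")
    table.advance(learned_at + 3 * aging_time)
    return table.deletions[0][0] - learned_at


def survives_with_traffic(aging_time, interval, duration):
    """True if a frame every `interval` keeps the entry from ever aging out."""
    table = AgingMacTable(aging_time)
    for now in range(0, duration + 1, interval):
        table.frame(now, KEY[0], KEY[1], "PortA")
    return not table.deletions


if __name__ == "__main__":
    T = 300
    print("learned just after a sweep :", hold_time(T, 301))
    print("learned just before a sweep:", hold_time(T, 599))
    print("frame every 250:", survives_with_traffic(T, 250, 1500))
    print("frame every 400:", survives_with_traffic(T, 400, 1500))
```

A host that sends less often than once per T can still age out, even if it sends more often than once per 2T, because the outcome depends on where its frames fall relative to the sweeps.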
NOTE
l By default, the switch does not age the MAC address entries that match destination MAC addresses
of packets. Use the mac-address destination hit aging enable command to configure the switch to
age MAC address entries regardless of whether the entries match destination MAC addresses of
packets.
l When the interface frequently alternates between Up and Down, MAC address entries may not be
aged within two aging periods. In this case, you are advised to check the link quality or run the port
link-flap protection enable command to configure link flapping protection.
Disabling MAC address learning on a VLAN or an interface
  After MAC address learning is disabled on a VLAN or an interface, the device does not
  learn new dynamic MAC address entries on the VLAN or interface. The dynamic MAC address
  entries learned before are aged out when the aging time expires. They can also be
  manually deleted through commands.
Limiting the number of learned MAC address entries on a VLAN or an interface
  The device can only learn a specified number of MAC address entries on a VLAN or an
  interface. When the number of learned MAC address entries reaches the limit, the device
  reports an alarm to notify the network administrator. Then, the device cannot learn new
  MAC address entries on the VLAN or interface and discards the packets with source MAC
  addresses out of the MAC address table.
Usage (applies to both methods)
  l In most cases, attack packets sent by a hacker enter the device through the same
    interface. Therefore, you can use either of the two methods to prevent attack packets
    from using up MAC address entry resources on the device.
  l The method of limiting the number of learned MAC address entries on a VLAN or an
    interface can also be used to limit the number of access users.
how MAC address flapping occurs. In the MAC address entry with MAC address
0011-0022-0034 and VLAN 2, the outbound interface is changed from GE0/0/1 to GE0/0/2.
MAC address flapping can cause an increase in the CPU usage on the device.
MAC address flapping does not occur frequently on a network unless a network loop occurs.
If MAC address flapping frequently occurs on your network, you can quickly locate the fault
and eliminate the loops according to alarms and MAC address flapping records.
[Figure: SwitchA with Port1 and Port2 (access interface), SwitchB, User, and Network; MAC:11-22-33 shown on both Port1 and Port2]
NOTE
MAC address flapping detection allows a device to detect changes in traffic transmission paths based on
learned MAC addresses, but the device cannot obtain the entire network topology. It is recommended
that this function be used on the interface connected to a user network where loops may occur.
During network planning, you can use the following methods to prevent MAC address
flapping:
l Increase the MAC address learning priority of an interface: When the same MAC
address is learned on interfaces of different priorities, the MAC address entry on the
interface with the highest priority overrides the MAC address entries on the other
interfaces.
l Prevent MAC address entries from being overridden on interfaces with the same priority:
If the interface connected to a bogus network device has the same priority as the
interface connected to an authorized device, the MAC address entry of the bogus device
learned later does not override the original correct MAC address entry. If the authorized
device is powered off, the MAC address entry of the bogus device is learned. After the
authorized device is powered on again, its MAC address cannot be learned.
As shown in Figure 3-6, Port1 of the switch is connected to a server. To prevent unauthorized
users from connecting to the switch using the server's MAC address, you can set a high MAC
address learning priority for Port1.
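The two prevention methods and the static binding described earlier behave differently when the same MAC address shows up on a second interface. The following model is an added example, not the switch's implementation: the class, its parameter names, the priority value 3, and the port names are hypothetical, and the MAC address and VLAN are taken from the flapping example on this page. It also reproduces the stated caveat for same-priority interfaces after the authorized device has been offline.

```python
from collections import Counter

SERVER = ("0011-0022-0034", 2)   # MAC and VLAN from the page's flapping example


class MacTable:
    def __init__(self, priorities=None, override_same_priority=True):
        self.priorities = priorities or {}     # port -> learning priority
        self.override_same_priority = override_same_priority
        self.static = {}      # (mac, vlan) -> bound port
        self.dynamic = {}     # (mac, vlan) -> learned port
        self.flaps = []       # (mac, vlan, old_port, new_port)

    def learn(self, mac, vlan, port):
        """Process the source MAC of a frame received on `port`."""
        key = (mac, vlan)
        if key in self.static:
            # Statically bound: other interfaces discard this source MAC.
            return "forward" if self.static[key] == port else "discard"
        current = self.dynamic.get(key)
        if current is None:
            self.dynamic[key] = port
            return "learned"
        if current == port:
            return "refreshed"
        new_p = self.priorities.get(port, 0)
        old_p = self.priorities.get(current, 0)
        if new_p > old_p or (new_p == old_p and self.override_same_priority):
            self.dynamic[key] = port
            self.flaps.append((mac, vlan, current, port))   # flapping record
            return "moved"
        return "kept"             # existing entry wins, nothing is overridden

    def age_out(self, mac, vlan):
        self.dynamic.pop((mac, vlan), None)

    def flapping(self, min_moves=2):
        """MAC/VLAN pairs that moved at least `min_moves` times."""
        counts = Counter((m, v) for m, v, _, _ in self.flaps)
        return sorted(k for k, n in counts.items() if n >= min_moves)


def replay(table, events):
    """events: port names in arrival order; None means the entry aged out."""
    results = []
    for port in events:
        if port is None:
            table.age_out(*SERVER)
            results.append("aged")
        else:
            results.append(table.learn(*SERVER, port))
    return results


# Constructed event order: server on GE0/0/1, second source on GE0/0/2,
# the entry ages out (server offline), GE0/0/2 is seen first, server returns.
OUTAGE = ["GE0/0/1", "GE0/0/2", None, "GE0/0/2", "GE0/0/1"]

if __name__ == "__main__":
    print(replay(MacTable(), ["GE0/0/1", "GE0/0/2", "GE0/0/1"]))
    print(replay(MacTable(priorities={"GE0/0/1": 3}), OUTAGE))
    print(replay(MacTable(override_same_priority=False), OUTAGE))
```

With a higher priority on the server port the server reclaims its entry after the outage; with override prevention alone it does not, which matches the caveat in the list above.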
Only the S5720EI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S5720HI, S6720EI,
and S6720S-EI support this function.
On an Ethernet network, a host sends and receives Ethernet data frames based on MAC
addresses. The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses.
When two devices on different network segments communicate with each other, they need to
map IP addresses to MAC addresses and outbound interfaces according to ARP entries.
Generally, the outbound interfaces in the matching MAC address entries and ARP entries are
consistent. As shown in Figure 3-7, the outbound interface in both the MAC address entry
and ARP entry is GE0/0/1 at T1. The interface is then changed. At T2, after a packet is
received from the peer device, the outbound interface in the MAC address entry is
immediately changed to GE0/0/2. However, the outbound interface in the ARP entry is still
GE0/0/1. At T3, the aging time of the ARP entry expires, and the outbound interface in the
ARP entry is changed to GE0/0/2 through ARP aging probe. Between T2 and T3, the
outbound interface in the ARP entry is unavailable, interrupting communication between
devices on different network segments.
MAC address-triggered ARP entry update enables a device to update the outbound interface
in an ARP entry immediately after the outbound interface in the corresponding MAC address
entry changes. As shown in Figure 3-8, MAC address-triggered ARP entry update is enabled.
At T2, after the outbound interface in the MAC address entry is changed to GE0/0/2, the
outbound interface in the ARP entry is immediately changed to GE0/0/2. This function
prevents communication interruption between T2 and T3 due to the incorrect outbound
interface in the ARP entry.
NOTE
The MAC address-triggered ARP entry update function is often used in networking where devices in a
Virtual Router Redundancy Protocol (VRRP) group connect to servers (see 3.3.3 Configuring MAC
Address-Triggered ARP Entry Update to Improve VRRP Switchover Performance), or Layer 3
traffic switching scenarios where STP and Smart Link are used.
MAC address flapping detection
  l Checks all interfaces and VLANs on a device.
  l Requires only one command and is enabled by default.
  The device only reports alarms after detecting a loop but cannot eliminate the loop.
[Figure: SwitchA (VRRP Master), SwitchB (VRRP Backup), Switch, and HostA, with the traffic path before and after switchover]
A VRRP group may connect to a server rather than a switch, as shown in Figure 3-11. Generally,
a server selects only one of its network interfaces to send packets. When the server detects a
network failure or traffic transmission failure, it sends packets through another network
interface.
l SwitchA functions as the master device, and the server uses Port2 to send packets.
SwitchA learns the ARP entry and MAC address entry matching the server on Port2, and
SwitchB learns the server MAC address on Port1.
l When the server detects that Port2 is faulty, the server sends packets through Port1.
SwitchA then learns the server MAC address on Port1. If the server does not send an
ARP Request packet to SwitchA, SwitchA still maintains the ARP entry on Port2. In this
case, packets sent from SwitchA to the server are still forwarded through Port2 until the
ARP entry is aged out.
To solve the problem, configure MAC address-triggered ARP entry update on the switches.
This function enables a switch to update the corresponding ARP entry when the outbound
interface in a MAC address entry changes.
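The T1/T2/T3 timeline of Figures 3-7 and 3-8 and the server failover case above come down to the same state, so one added model serves both. It is not code from this guide. It tracks the outbound interface held in the MAC entry and in the ARP entry, with the function disabled and enabled, and includes a consistency check that lists ARP entries whose interface disagrees with the MAC table. The IP address, VLAN, and class and method names are hypothetical.

```python
class Gateway:
    """Layer 3 switch state reduced to one MAC table and one ARP table."""

    def __init__(self, mac_triggered_arp_update):
        self.update_enabled = mac_triggered_arp_update
        self.mac_table = {}   # (mac, vlan) -> outbound interface
        self.arp_table = {}   # ip -> {"mac": ..., "vlan": ..., "port": ...}

    def arp_learn(self, ip, mac, vlan, port):
        self.mac_table[(mac, vlan)] = port
        self.arp_table[ip] = {"mac": mac, "vlan": vlan, "port": port}

    def frame_from(self, mac, vlan, port):
        """A data frame arrives: the MAC entry follows it immediately."""
        moved = self.mac_table.get((mac, vlan)) != port
        self.mac_table[(mac, vlan)] = port
        if moved and self.update_enabled:
            # MAC address-triggered ARP entry update.
            for entry in self.arp_table.values():
                if (entry["mac"], entry["vlan"]) == (mac, vlan):
                    entry["port"] = port

    def arp_aging_probe(self, ip, answered_on):
        """The ARP entry ages and the probe is answered on `answered_on`."""
        self.arp_table[ip]["port"] = answered_on

    def l3_out_port(self, ip):
        """Interface used for routed traffic to `ip` (taken from ARP)."""
        return self.arp_table[ip]["port"]

    def stale_arp_entries(self):
        """ARP entries whose interface disagrees with the MAC table."""
        return sorted(ip for ip, e in self.arp_table.items()
                      if self.mac_table.get((e["mac"], e["vlan"])) != e["port"])


def timeline(update_enabled):
    """Return (routed out-port, stale ARP entries) at T1, T2 and T3."""
    gw = Gateway(update_enabled)
    ip, mac, vlan = "10.1.1.2", "0011-0022-0034", 10    # constructed values
    gw.arp_learn(ip, mac, vlan, "GE0/0/1")              # T1: both on GE0/0/1
    t1 = (gw.l3_out_port(ip), gw.stale_arp_entries())
    gw.frame_from(mac, vlan, "GE0/0/2")                 # T2: peer moved
    t2 = (gw.l3_out_port(ip), gw.stale_arp_entries())
    gw.arp_aging_probe(ip, "GE0/0/2")                   # T3: ARP aging probe
    t3 = (gw.l3_out_port(ip), gw.stale_arp_entries())
    return [t1, t2, t3]


if __name__ == "__main__":
    print("disabled:", timeline(False))
    print("enabled :", timeline(True))
```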
[Figure 3-11: VRRP group connected to a Server through Port1 and Port2]
Scenario: MAC addresses and interfaces need to be bound statically.
  Description: Configure static MAC address entries to bind MAC addresses and interfaces,
  improving security of authorized users.
  Task: 3.7.1 Configuring a Static MAC Address Entry
Scenario: Aging of dynamic MAC address entries needs to be flexibly controlled.
  Description: Set the aging time according to your needs. Set the aging time to a large
  value or 0 (not to age dynamic MAC address entries) on a stable network; set a short
  aging time in other situations.
  Task: 3.7.3 Setting the Aging Time of Dynamic MAC Address Entries
Scenario: The MAC address table needs to be monitored.
  Description: You can configure various trap functions about MAC addresses to monitor
  the usage of MAC address entries.
  l Configure an alarm threshold for MAC address usage. When the MAC address usage exceeds
    the upper threshold, the switch generates an alarm. When the MAC address usage falls
    below the lower threshold, the switch reports a clear alarm.
  l Enable the trap function for MAC address learning or aging. When a MAC address entry is
    learned or aged out, the switch sends an alarm.
  l Enable the trap function for MAC address hash conflicts. If the device cannot learn MAC
    address entries while its MAC address table is not full, the switch reports an alarm
    about a MAC address hash conflict.
  Task: 3.7.6 Enabling MAC Address Trap Functions
Scenario: MAC address flapping needs to be detected.
  Description: MAC address flapping occurs when a MAC address is learned by two interfaces
  in the same VLAN and the MAC address entry learned later overrides the earlier one.
  MAC address flapping detection enables a switch to check whether any MAC address flaps
  between interfaces and determine whether a loop occurs. When MAC address flapping occurs,
  the switch sends an alarm to the NMS. The network maintenance personnel can locate the
  loop based on the alarm information and historical records for MAC address flapping.
  This greatly improves network maintainability. If the network connected to the switch
  does not support loop prevention protocols, configure the switch to shut down the
  interfaces where MAC address flapping occurs to reduce the impact of MAC address
  flapping on the network.
  Task: 3.9 Configuring MAC Address Flapping Detection
Scenario: The switch needs to discard packets with an all-0 source or destination MAC
address.
  Description: A faulty host or device may send packets with an all-0 source or destination
  MAC address to a switch. Configure the switch to discard such packets and send an alarm
  to the NMS so that the network administrator can locate the faulty host or device based
  on the alarm information.
  Task: 3.10 Configuring the Switch to Discard Packets with an All-0 MAC Address
Licensing Requirements
MAC address configuration commands are available only after the S1720GW, S1720GWR,
and S1720X have the license (WEB management to full management Electronic RTU
License) loaded and activated and the switches are restarted. MAC address configuration
commands on other models are not under license control.
For details about how to apply for a license, see S Series Switch License Use Guide.
Version Requirements
S2710SI V100R006(C03&C05)
S5710-C-LI V200R001C00
S5730SI V200R011C10
S5730S-EI V200R011C10
NOTE
For details about software mappings, see Hardware Query Tool.
Feature Limitations
l Dynamic MAC address entries can be learned on an interface only after the interface is
added to an existing VLAN.
l Among existing MAC address entries, only MAC addresses of the dynamic type can be
overwritten as MAC addresses of other types.
l Each static MAC address entry can have only one outbound interface.
l When the aging time of dynamic MAC address entries is set to 0, dynamic MAC address
entries do not age. To age MAC address entries, delete the aging time configuration.
l On the S5700EI, S5710EI, S5700HI, S5710HI, and S5720EI, when MAC address learning is
disabled both in a VLAN and on an interface in that VLAN, and the discard action is
configured for the interface, the interface does not discard packets from this VLAN. For
example, MAC address learning is disabled in VLAN 2 but enabled in VLAN 3; Port1 in
VLAN 2 and VLAN 3 has MAC address learning disabled and the discard action is
defined. In this situation, Port1 discards packets from VLAN 3 but forwards packets
from VLAN 2.
l When the interface frequently alternates between Up and Down, MAC address entries
may not be aged out within two aging periods. In this case, you are advised to check the
link quality or run the port link-flap protection enable command to configure link
flapping protection.
Context
A device cannot distinguish packets from authorized and unauthorized users when it learns
source MAC addresses of packets to maintain the MAC address table. This causes network
risks. If an unauthorized user uses the MAC address of an authorized user as the source MAC
address of attack packets and connects to another interface of the device, the device learns an
incorrect MAC address entry. As a result, packets destined for the authorized user are
forwarded to the unauthorized user. For security purposes, you can create static MAC address
entries to bind MAC addresses of authorized users to specified interfaces. This prevents
unauthorized users from intercepting data of authorized users.
l A static MAC address entry will not be aged out. After being saved, a static MAC
address entry will not be lost after a system restart, and can only be deleted manually.
l The VLAN bound to a static MAC address entry must have been created and assigned to
the interface bound to the entry.
l The MAC address in a static MAC address entry must be a unicast MAC address, and
cannot be a multicast or broadcast MAC address.
l A static MAC address entry takes precedence over a dynamic MAC address entry. The
system discards packets with flapping static MAC addresses.
Procedure
Step 1 Run system-view
----End
Context
To protect a device or network against MAC address attacks from hackers, configure MAC
addresses of untrusted users as blackhole MAC addresses. The device then directly discards
the received packets of which the source or destination MAC addresses match the blackhole
MAC address entries.
Procedure
Step 1 Run system-view
----End
Context
Because the network topology changes frequently, the switch will learn more and more MAC
addresses. Therefore, the aging time needs to be set properly for dynamic MAC address
entries so that the switch can delete unneeded MAC address entries to prevent a sharp
increase of MAC address entries. A shorter aging time makes the switch more sensitive to
network changes and is applicable to networks where network topology changes frequently. A
longer aging time makes the switch less sensitive to network changes and is only
applicable to stable networks.
Procedure
Step 1 Run system-view
The aging time is 0 or an integer that ranges from 10 to 1000000, in seconds. The default
value is 300. The value 0 indicates that dynamic MAC address entries will not be aged out.
NOTE
When the aging time is 0, MAC address entries can be fixed. To clear the fixed MAC address entries, set
the aging time to a non-0 value. The system then deletes fixed MAC address entries after twice the aging
time.
----End
Context
The MAC address learning function is enabled by default on the switch. When receiving a
data frame, the switch records the source MAC address of the data frame and the interface
that receives the data frame in a MAC address entry. When receiving data frames destined for
this MAC address, the switch forwards the data frames through the outbound interface
according to the MAC address entry. The MAC address learning function reduces broadcast
packets on a network. After MAC address learning is disabled on an interface, the switch does
not learn source MAC addresses of data frames received by the interface, but the dynamic
MAC address entries learned on the interface are not immediately deleted. These dynamic
MAC address entries are deleted after the aging time expires or can be manually deleted using
commands.
Procedure
l Disable MAC address learning on an interface.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run mac-address learning disable [ action { discard | forward } ]
MAC address learning is disabled on the interface.
By default, MAC address learning is enabled on an interface.
By default, the switch takes the forward action after MAC address learning is
disabled. That is, the switch forwards packets according to the MAC address table.
When the action is set to discard, the switch looks up the source MAC address of
the packet in the MAC address table. If the source MAC address is found in the
MAC address table, the switch forwards the packet according to the matching MAC
address entry. If the source MAC address is not found, the switch discards the
packet.
l Disable MAC address learning in a VLAN.
a. Run system-view
The system view is displayed.
On the S5720EI, when MAC address learning is disabled both in a VLAN and on an interface in
that VLAN, and the discard action is configured for the interface, the interface does not discard
packets from this VLAN. For example, MAC address learning is disabled in VLAN 2 but enabled
in VLAN 3; Port1 in VLAN 2 and VLAN 3 has MAC address learning disabled and performs the
discard action. In this situation, Port1 discards packets from VLAN 3 but forwards packets from
VLAN 2.
l Disable MAC address learning for a specified flow.
a. Configure a traffic classifier.
i. Run system-view
The system view is displayed.
ii. Run traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed, or an
existing traffic classifier view is displayed.
and is the logical operator between the rules in the traffic classifier, which
means that:
○ If the traffic classifier contains ACL rules, packets match the traffic
classifier only when they match one ACL rule and all the non-ACL rules.
○ If the traffic classifier does not contain any ACL rules, packets match the
traffic classifier only when they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier if they
match one of the rules in the classifier.
By default, the relationship between rules in a traffic classifier is OR.
iii. Configure matching rules according to the following table.
NOTE
Only the S5720EI, S6720EI, and S6720S-EI support traffic classifiers with advanced
ACLs containing the ttl-expired field.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name }, the
S5720HI does not support remark 8021p [ 8021p-value | inner-8021p ], remark
cvlan-id cvlan-id, remark vlan-id vlan-id, or mac-address learning disable.
This command is only supported by the S5720HI, S5720EI, S6720EI, and S6720S-EI.
iii. Run the quit command to exit from the traffic behavior view.
iv. Run the quit command to exit from the system view.
c. Configure a traffic policy.
i. Run traffic policy policy-name [ match-order { auto | config } ]
A traffic policy is created and the traffic policy view is displayed, or the view
of an existing traffic policy is displayed. If you do not specify a matching
order for traffic classifiers in the traffic policy, the default matching order
config is used.
After a traffic policy is applied, you cannot use the traffic policy command to
modify the matching order of traffic classifiers in the traffic policy. To modify
the matching order, delete the traffic policy, create a traffic policy, and specify
the matching order.
When creating a traffic policy, you can specify the matching order of its
matching rules. The matching order can be either automatic order or
configuration order:
○ Automatic order: Traffic classifiers are matched based on the priorities of
their types. Traffic classifiers based on the following information are in
descending order of priority: Layer 2 and IPv4 Layer 3 information,
advanced ACL6 information, basic ACL6 information, Layer 2
information, IPv4 Layer 3 information, and user-defined ACL
information. If data traffic matches multiple traffic classifiers, and the
traffic behaviors conflict with each other, the traffic behavior
corresponding to the highest priority rule takes effect.
If more than 128 ACL rules defining CAR are configured, a traffic policy must be
applied to an interface, a VLAN, and the system in sequence in the outbound direction.
In the preceding situation, if you need to update ACL rules, delete the traffic policy
from the interface, VLAN, and system and reconfigure it in sequence.
ii. Run classifier classifier-name behavior behavior-name
A traffic behavior is bound to a traffic classifier in the traffic policy.
iii. Run quit
Exit from the traffic policy view.
iv. Run quit
Exit from the system view.
d. Apply the traffic policy.
n Applying a traffic policy to an interface
1) Run system-view
The system view is displayed.
2) Run interface interface-type interface-number
The interface view is displayed.
3) Run traffic-policy policy-name { inbound | outbound }
A traffic policy is applied to the interface.
A traffic policy can be applied to only one direction on an interface, but a
traffic policy can be applied to different directions on different interfaces.
After a traffic policy is applied to an interface, the system performs traffic
policing for all the incoming or outgoing packets that match traffic
classification rules on the interface.
n Applying a traffic policy to a VLAN
1) Run system-view
The system view is displayed.
2) Run vlan vlan-id
The VLAN view is displayed.
3) Run traffic-policy policy-name { inbound | outbound }
A traffic policy is applied to the VLAN.
Only one traffic policy can be applied to a VLAN in the inbound or
outbound direction.
After a traffic policy is applied, the system performs traffic policing for
the packets that belong to a VLAN and match traffic classification rules
in the inbound or outbound direction.
n Applying a traffic policy to the system
1) Run system-view
The system view is displayed.
2) Run traffic-policy policy-name global { inbound | outbound } [ slot
slot-id ]
Context
An insecure network is vulnerable to MAC address attacks. When hackers send a large
number of forged packets with different source MAC addresses to the switch, the MAC
address table of the switch will be filled with useless MAC address entries. As a result, the
switch cannot learn source MAC addresses of valid packets.
You can limit the number of MAC address entries learned on the switch. When the number of
learned MAC address entries reaches the limit, the switch does not learn new MAC address
entries. You can also configure an action to take when the number of MAC address entries
reaches the limit. This prevents MAC address attacks and improves network security.
Procedure
l Limit the number of MAC address entries learned on an interface.
a. Run system-view
The maximum number of MAC address entries that can be learned on the interface
is set.
The action to take when the number of learned MAC address entries reaches the
limit is configured.
By default, the switch discards packets with new MAC addresses when the number
of learned MAC address entries reaches the limit.
e. Run mac-limit alarm { disable | enable }
Whether the switch generates an alarm when the number of learned MAC address
entries reaches the limit is configured.
By default, the switch generates an alarm when the number of learned MAC
address entries reaches the limit.
l Limit the number of MAC address entries learned in a VLAN.
a. Run system-view
The maximum number of MAC address entries learned in the VLAN is set.
By default, the number of MAC address entries learned in a VLAN is not limited.
d. Run mac-limit alarm { disable | enable }
Whether the switch generates an alarm when the number of learned MAC address
entries reaches the limit is configured.
By default, the switch generates an alarm when the number of learned MAC
address entries reaches the limit.
----End
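The following Python model is an added example, not code from this guide or from the switch software. It shows the two protections described above, static MAC address binding and a per-interface MAC address limit, acting on a spoofed frame and on a flood of forged source MAC addresses. The PC and server MAC addresses, VLAN 2, GE0/0/1 and GE0/0/2 come from the guide's networking example; GE0/0/3, GE0/0/4, the limit of 5, the forged addresses and the one-alarm-per-interface behavior are assumptions of the model.

```python
# Toy model of source-MAC learning on one switch (constructed for illustration;
# GE0/0/3, GE0/0/4, the limit value and the forged MACs are assumptions).
from dataclasses import dataclass, field

PC, SERVER = "0002-0002-0002", "0004-0004-0004"  # MACs used in the guide's example


@dataclass
class Switch:
    mac_limit: dict = field(default_factory=dict)  # interface -> max dynamic entries
    limit_action: str = "discard"                  # verdict for new MACs once the limit is hit
    table: dict = field(default_factory=dict)      # (vlan, mac) -> (interface, entry type)
    alarms: list = field(default_factory=list)     # interfaces that raised a limit alarm

    def add_static(self, vlan, mac, interface):
        """Bind a MAC address to one interface; static entries are never overwritten."""
        self.table[(vlan, mac)] = (interface, "static")

    def dynamic_count(self, interface):
        return sum(1 for port, kind in self.table.values()
                   if port == interface and kind == "dynamic")

    def receive(self, interface, vlan, src_mac):
        """Learn from one frame's source MAC and return 'forward' or 'discard'."""
        key = (vlan, src_mac)
        entry = self.table.get(key)
        if entry and entry[1] == "static":
            # Static beats dynamic: a frame carrying a static MAC on the wrong
            # interface (a flapping static MAC) is dropped and nothing is learned.
            return "forward" if entry[0] == interface else "discard"
        if entry and entry[0] == interface:
            return "forward"  # already learned on this interface
        limit = self.mac_limit.get(interface)
        if limit is not None and self.dynamic_count(interface) >= limit:
            if interface not in self.alarms:
                self.alarms.append(interface)  # one alarm per interface in this model
            return self.limit_action           # the new MAC is not learned
        self.table[key] = (interface, "dynamic")  # new entry, or a dynamic entry moves
        return "forward"


def demo():
    # 1. No protection: a spoofed frame on GE0/0/3 moves the server's dynamic entry.
    plain = Switch()
    plain.receive("GE0/0/2", 2, SERVER)
    plain.receive("GE0/0/3", 2, SERVER)
    hijacked_port = plain.table[(2, SERVER)][0]

    # 2. Static bindings plus a limit of 5 learned MACs on the untrusted interface.
    hardened = Switch(mac_limit={"GE0/0/3": 5})
    hardened.add_static(2, PC, "GE0/0/1")
    hardened.add_static(2, SERVER, "GE0/0/2")
    spoof_verdict = hardened.receive("GE0/0/3", 2, SERVER)

    # 3. Flood of 1000 constructed source MACs arriving on GE0/0/3.
    flood = [hardened.receive("GE0/0/3", 2, f"00e0-fc00-{i:04x}") for i in range(1000)]

    # 4. A new host on another interface is still learned after the flood.
    newcomer = hardened.receive("GE0/0/4", 2, "0006-0006-0006")

    return {
        "hijacked_port": hijacked_port,
        "spoof_verdict": spoof_verdict,
        "server_port": hardened.table[(2, SERVER)][0],
        "flood_forwarded": flood.count("forward"),
        "flood_discarded": flood.count("discard"),
        "newcomer": newcomer,
        "table_size": len(hardened.table),
        "alarms": hardened.alarms,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Setting limit_action to "forward" in the model keeps traffic flowing for the extra addresses while still leaving them out of the table.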
Context
The switch enabled with trap functions sends an alarm when the MAC address usage exceeds
the threshold, a MAC address changes, or a MAC address hash conflict occurs. The alarms
enable you to know the running status of the MAC address table in real time. MAC address
entry resources are key resources for the switch. Monitoring the use of the MAC address table
ensures normal system operations. The switch provides three trap functions for MAC address
entries.
MAC address usage out of the specified range | An alarm is generated when the MAC address usage is higher than 80%, and a clear alarm is generated when the MAC address usage is lower than 70%. A clear alarm can be generated only if a threshold-exceeding alarm has been generated. A threshold-exceeding alarm indicates that the MAC address usage is too high. You are advised to redistribute traffic or expand the network.
MAC address learning or aging | An alarm is generated when a MAC address entry is learned or aged.
MAC address hash conflict | To improve the MAC address forwarding performance, the MAC address table of the switch is saved using a hash chain. When multiple MAC addresses map to the same key value in accordance with the hash algorithm, some MAC addresses may not be learned. That is, a MAC address hash conflict occurs. In this situation, the MAC address entries cannot be learned even though the MAC address table is not full. A MAC address hash conflict does not affect traffic forwarding. The switch broadcasts traffic destined for the conflicting MAC addresses, occupying bandwidth and system resources. You can replace the device or network adapter of a terminal to prevent MAC address hash conflicts.
Procedure
l Enable the trap function for MAC address usage out of the specified range.
a. Run system-view
The system view is displayed.
b. Run mac-address threshold-alarm upper-limit upper-limit-value lower-limit
lower-limit-value
The upper and lower alarm thresholds for the MAC address usage are set.
By default, the upper and lower alarm thresholds for the MAC address usage are 80%
and 70% respectively. An alarm is generated when the MAC address usage is higher than
80%, and a clear alarm is generated when the MAC address usage is lower than 70%.
l Enable the trap function for MAC address learning or aging.
a. Run system-view
The system view is displayed.
b. (Optional) Run mac-address trap notification interval interval-time
The interval at which the switch checks MAC address learning or aging is set.
By default, the switch checks MAC address learning or aging at intervals of 10s.
c. Run interface interface-type interface-number
The interface view is displayed.
d. Run mac-address trap notification { aging | learn | all }
The trap function for MAC address learning and aging is enabled on the interface.
By default, the trap function for MAC address learning or aging is disabled.
l Enable the trap function for MAC address hash conflicts.
a. Run system-view
The system view is displayed.
b. Run mac-address trap hash-conflict enable
The trap function for MAC address hash conflicts is enabled.
By default, the trap function for MAC address hash conflicts is enabled.
c. (Optional) Run mac-address trap hash-conflict history history-number
The number of MAC address hash conflict alarms reported at an interval is set.
By default, 10 MAC address hash conflict alarms are reported at an interval.
d. (Optional) Run mac-address trap hash-conflict interval interval-time
The interval at which MAC address hash conflict alarms are reported is set.
By default, MAC address hash conflict alarms are reported at intervals of 60s.
Context
A device usually uses a hash algorithm to learn MAC address entries to improve MAC
address forwarding performance. When multiple MAC addresses map to the same key value, a
MAC address hash conflict may occur. When a MAC address hash conflict occurs, the device
may fail to learn many MAC addresses and can only broadcast traffic destined for these MAC
addresses. The heavy broadcast traffic increases the load on the device. In this case, use an
appropriate hash algorithm to mitigate the hash conflict.
NOTE
l The device uses hash buckets to store MAC addresses. The device performs hash calculation
on the VLAN IDs and MAC addresses in the MAC address entries to be stored and obtains hash
bucket indexes. MAC addresses with the same hash bucket index are stored in the same hash
bucket. If a hash bucket has reached its maximum storage space and cannot accommodate
another learned MAC address that maps to it, a hash conflict occurs and the MAC address
cannot be stored. As a result, the maximum number of MAC addresses that the device can
learn through the hash buckets may not be reached.
l The S5720HI does not support this configuration.
l MAC addresses are distributed on a network randomly, so the best hash algorithm cannot be
determined. Generally, the default hash algorithm is the best one, so do not change the hash
algorithm unless you have special requirements.
l An appropriate hash algorithm can reduce hash conflicts, but cannot prevent them.
l After the hash algorithm is changed, restart the device to make the configuration take effect.
Procedure
Step 1 Run system-view
By default, the hash algorithm is crc on the S1720GFR, S1720GW, S1720GWR, S1720X,
S1720GW-E, S1720GWR-E, S1720X-E, S2750EI, S2720EI, S5720LI, S5720S-LI, S6720LI,
S6720S-LI, S5700LI, S5700S-LI, S5710-X-LI, S5730SI, S5730S-EI, S6720SI, S6720S-SI,
S5720SI, and S5720S-SI and crc32-lower on other models.
The hash bucket size is configured for the MAC address table.
----End
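The following Python model is an added example, not the switch's algorithm. It illustrates the hash bucket behavior described in the NOTE above: entries are indexed by a hash of the VLAN ID and MAC address, and a conflict occurs as soon as one bucket is full, long before the whole table is. CRC-32 from zlib stands in for the device's hash, and the 1024 buckets, the bucket sizes of 4 and 8, and the constructed MAC addresses are assumptions.

```python
# Toy hash-bucket MAC table (constructed for illustration; the hash function,
# bucket count and bucket size are assumptions, not the device's real values).
import random
import zlib


def bucket_index(vlan, mac, num_buckets):
    """Hash the VLAN ID and MAC address together and pick a bucket."""
    key = vlan.to_bytes(2, "big") + mac.to_bytes(6, "big")
    return zlib.crc32(key) % num_buckets


def fill_table(entries, num_buckets=1024, bucket_size=4):
    """Store (vlan, mac) pairs and count those rejected because their bucket is full."""
    buckets = [0] * num_buckets
    capacity = num_buckets * bucket_size
    stored = conflicts = 0
    first_conflict_usage = None
    for vlan, mac in entries:
        idx = bucket_index(vlan, mac, num_buckets)
        if buckets[idx] < bucket_size:
            buckets[idx] += 1
            stored += 1
        else:
            conflicts += 1  # bucket full: this MAC cannot be learned
            if first_conflict_usage is None:
                first_conflict_usage = stored / capacity
    return {
        "stored": stored,
        "conflicts": conflicts,
        "usage": stored / capacity,
        "first_conflict_usage": first_conflict_usage,
        "fullest_bucket": max(buckets),
    }


def sample_entries(count=3000, vlan=2, seed=1):
    """Constructed population: one OUI with random, distinct NIC-specific parts."""
    oui = 0x00E0FC
    rng = random.Random(seed)
    return [(vlan, (oui << 24) | nic) for nic in rng.sample(range(2 ** 24), count)]


def simulate(bucket_size=4):
    return fill_table(sample_entries(), bucket_size=bucket_size)


if __name__ == "__main__":
    for size in (4, 8):
        r = simulate(size)
        print(f"bucket size {size}: stored={r['stored']} conflicts={r['conflicts']} "
              f"usage={r['usage']:.0%} first conflict at usage={r['first_conflict_usage']}")
```

With the same entries, a larger bucket size never produces more conflicts in this model, which mirrors the guide's point that tuning reduces conflicts but does not prevent them.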
Context
You can set the MAC entry resource mode to big-mac to increase the MAC address table
size. When the switch transmits heavy traffic, MAC address entries increase accordingly. If
the current MAC address table size cannot meet service requirements, service running
efficiency is reduced. The switch provides the extended entry space register. You can
configure an extended MAC entry resource mode to increase the MAC address table size.
NOTE
Procedure
Step 1 (Optional) Run display resource-mode configuration
The extended entry resource mode is displayed.
Step 2 Run system-view
The system view is displayed.
Step 3 Run assign resource-mode enhanced-mac slot slot-id
The extended MAC entry resource mode is configured.
NOTE
After the extended MAC entry resource mode is configured, you must restart the switch to make the
configuration take effect.
----End
learned by the interface with a higher priority override the MAC address entries learned by
the other interface.
Procedure
Perform the following operations on the S5720HI, S5720EI, S6720EI, and S6720S-EI.
1. Run system-view
The system view is displayed.
2. Run interface interface-type interface-number
The interface view is displayed.
3. Run mac-learning priority priority-id
The MAC address learning priority of the interface is set.
By default, the MAC address learning priority of an interface is 0. A larger priority value
indicates a higher MAC address learning priority.
4. Run mac-learning priority flapping-defend action discard
The switch is configured to discard packets when it is configured to prohibit MAC
address flapping.
By default, the action is forward when the switch is configured to prohibit MAC address
flapping.
Perform the following operations on the S1720GFR, S1720GW, S1720GWR, S1720X,
S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S5700LI, S5700S-LI, S5720LI, S5720S-
LI, S6720LI, S6720S-LI, S5710-X-LI, S2750EI, S5730SI, S5730S-EI, S6720SI, S6720S-SI,
S5720S-SI, and S5720SI.
1. Run system-view
The system view is displayed.
2. Run mac-spoofing-defend enable
Global MAC spoofing defense is enabled.
By default, global MAC spoofing defense is disabled.
3. Run interface interface-type interface-number
The interface view is displayed.
4. Run mac-spoofing-defend enable
MAC spoofing defense is enabled on the interface so that the interface becomes a trusted
interface.
By default, MAC spoofing defense is disabled on an interface.
Context
Preventing MAC address flapping between interfaces with the same priority can improve
network security.
After the switch is configured to prevent MAC address flapping between interfaces with the
same priority, the following problem may occur: If the network device (such as a server)
connected to an interface of the switch is powered off and the same MAC address is learned on
another interface, the switch cannot learn the correct MAC address on the original interface
after the network device is powered on.
NOTE
Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support this configuration.
Procedure
Step 1 Run system-view
The device is configured to prevent MAC address flapping between interfaces with the same
priority.
By default, the device allows MAC address flapping between interfaces with the same
priority.
The switch discards packets when it is configured to prohibit MAC address flapping.
By default, the action is forward when the switch is configured to prohibit MAC address
flapping.
----End
NOTE
l Configuring an action to take for MAC address flapping on an uplink interface may cause
interruption of important uplink traffic, and such configuration is not recommended.
l The device enabled with MAC address flapping detection can detect loops on a single point, but
cannot obtain the entire network topology. If the network connected to the device supports loop
prevention protocols, use the loop prevention protocols instead of MAC address flapping detection
to eliminate loops.
l If only a few VLANs on the user network encounter loops, it is recommended that you set the loop
prevention action to quit-vlan.
l If a large number of VLANs on the user network encounter loops, it is recommended that you set the
loop prevention action to error-down. This action improves system performance. Additionally, the
remote device can detect the error-down event so that it can quickly switch traffic to a backup link
(if any).
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run mac-address flapping detection
MAC address flapping detection is enabled.
By default, MAC address flapping detection is enabled. The device detects MAC address
flapping in all VLANs.
Step 3 (Optional) Run mac-address flapping detection exclude vlan { vlan-id1 [ to vlan-id2 ] }
&<1-10>
One or more VLANs are excluded from MAC address flapping detection.
By default, the system performs MAC address flapping detection in all VLANs. In special
scenarios, for example, when a switch is connected to a server with two network adapters in
active-active mode, the server's MAC address may be learned on two interfaces of the switch.
Such a MAC address flapping event does not need to be handled. You can exclude the VLAN
where the server resides from MAC address flapping detection.
Step 4 (Optional) Run mac-address flapping detection vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> |
all } security-level { high | middle | low }
The security level of MAC address flapping detection is configured in one or more specified
VLANs.
By default, the security level of MAC address flapping detection is middle. That is, the
system considers that MAC address flapping occurs when a MAC address flaps 10 times.
Step 5 (Optional) Run mac-address flapping aging-time aging-time
The aging time of flapping MAC addresses is set.
By default, the aging time of flapping MAC addresses is 300 seconds. If the aging time of
dynamic MAC addresses is long, a MAC address flapping event may be detected after a long
time. To ensure that the system detects MAC address flapping quickly, shorten the aging time
of flapping MAC addresses.
Step 6 (Optional) Configure an action to take after MAC address flapping is detected on an interface
and the priority of the action.
NOTE
– Do not use the quit-vlan action together with dynamic VLAN functions such as GVRP.
– When a MAC address flaps between an interface configured with the error-down action and
an interface configured with the quit-vlan action, the former interface is shut down and the
latter interface is removed from the VLAN. If a loop may be generated between some
interfaces, configure the same action for all the interfaces.
3. Run mac-address flapping action priority priority
The priority of the action against MAC address flapping is set.
----End
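The following Python sketch is an added example, not the switch's implementation. It applies the detection rule from Steps 3 to 5 above to a stream of MAC learning events: a MAC address is reported once it has moved between interfaces 10 times (the guide's middle security level), VLANs can be excluded, and move counts are forgotten after the flapping aging time. The event format, the reset-on-aging rule, the interfaces and the sample events are assumptions constructed for the example.

```python
# MAC address flapping detection over learning events (constructed model; the
# event format and the reset-after-aging rule are assumptions of this sketch).
from collections import namedtuple

Event = namedtuple("Event", "t vlan mac port")  # t in seconds


def detect_flapping(events, threshold=10, aging_time=300, exclude_vlans=()):
    """Return (time, vlan, mac, ports) once per MAC that moves `threshold` times."""
    last_port = {}  # (vlan, mac) -> interface where the MAC was last learned
    records = {}    # (vlan, mac) -> move counter and the interfaces involved
    alarms = []
    for ev in events:
        if ev.vlan in exclude_vlans:
            continue  # e.g. a server with two active-active network adapters
        key = (ev.vlan, ev.mac)
        prev = last_port.get(key)
        last_port[key] = ev.port
        if prev is None or prev == ev.port:
            continue  # first learning or a refresh, not a move
        rec = records.get(key)
        if rec is None or ev.t - rec["last"] > aging_time:
            # No earlier record, or the previous one aged out: start counting again.
            rec = records[key] = {"moves": 0, "last": ev.t, "ports": set(), "alarmed": False}
        rec["moves"] += 1
        rec["last"] = ev.t
        rec["ports"].update((prev, ev.port))
        if rec["moves"] >= threshold and not rec["alarmed"]:
            rec["alarmed"] = True
            alarms.append((ev.t, ev.vlan, ev.mac, tuple(sorted(rec["ports"]))))
    return alarms


def sample_events():
    """Constructed events: a loop in VLAN 2, a dual-homed server in VLAN 30,
    and a host that changes interface only once every 400 seconds."""
    events = []
    for i in range(13):   # loop: the MAC alternates between two interfaces every second
        events.append(Event(i, 2, "0002-0002-0002", "GE0/0/1" if i % 2 == 0 else "GE0/0/2"))
    for i in range(21):   # active-active server adapters seen on two interfaces
        events.append(Event(i, 30, "0004-0004-0004", "GE0/0/3" if i % 2 == 0 else "GE0/0/4"))
    for i in range(13):   # slow mover: each move is older than the aging time
        events.append(Event(i * 400, 2, "0006-0006-0006", "GE0/0/5" if i % 2 == 0 else "GE0/0/6"))
    return sorted(events, key=lambda e: e.t)


if __name__ == "__main__":
    for alarm in detect_flapping(sample_events(), exclude_vlans={30}):
        print("flapping:", alarm)
```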
Context
You can configure the switch to discard packets with an all-0 source or destination MAC
address.
Procedure
Step 1 Run system-view
By default, the switch does not discard packets with an all-0 MAC address.
The switch is configured to send an alarm to the NMS when receiving packets with an all-0
MAC address.
By default, the switch does not send an alarm when receiving packets with an all-0 MAC
address.
NOTE
The drop illegal-mac alarm command allows the switch to generate one alarm. You must reconfigure
the drop illegal-mac alarm command if more than one alarm is required.
----End
Context
Each network device uses an IP address to communicate with other devices. On an Ethernet
network, a host, switching device, or routing device sends and receives Ethernet data frames
based on MAC addresses. The ARP protocol maps IP addresses to MAC addresses. When
two devices on different network segments communicate with each other, they need to map IP
addresses to MAC addresses and outbound interfaces according to ARP entries.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run mac-address update arp
The MAC address-triggered ARP entry update function is enabled.
By default, the MAC address-triggered ARP entry update function is disabled.
NOTE
l Only the S5720EI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S5720HI,
S6720EI, and S6720S-EI support this command.
l This command takes effect only for dynamic ARP entries. Static ARP entries are not updated when
the corresponding MAC address entries change.
l The MAC address-triggered ARP entry update function does not take effect after ARP entry fixing
is enabled using the arp anti-attack entry-check enable command.
l After the MAC address-triggered ARP entry update function is enabled, the switch updates an ARP
entry only when the outbound interface in the corresponding MAC address entry changes.
----End
Context
By default, an interface does not forward packets whose source and destination MAC
addresses are both learned by this interface. When the interface receives such a packet, it
discards the packet as an invalid packet.
After the port bridge function is enabled on the interface, the interface forwards such a packet
if the destination MAC address of the packet is in the MAC address table.
The port bridge function is used in the following scenarios:
l The switch connects to devices that do not support Layer 2 forwarding. When users
connected to the devices need to communicate, the devices send packets of the users to
the switch for packet forwarding. Because source and destination MAC addresses of the
packets are learned on the same interface, the port bridge function needs to be enabled on
the interface so that the interface can forward such packets.
l The switch is used as an access device in a data center and is connected to servers. Each
server is configured with multiple virtual machines. The virtual machines need to
transmit data to each other. If servers perform data switching for virtual machines, the
data switching speed and server performance are reduced. To improve the data
transmission rate and server performance, enable the port bridge function on the
interfaces connected to the servers so that the switch forwards data packets between the
virtual machines.
Procedure
Step 1 Run system-view
----End
Context
The re-marking function enables the switch to set the specified fields of packets matching
traffic classification rules. After the re-marking action is configured, the switch still processes
outgoing packets based on the original priority but the downstream device processes the
packets based on the re-marked priority. You can configure an action that re-marks the
destination MAC address of packets in a traffic behavior so that the downstream device can
identify packets and provide differentiated services.
NOTE
Procedure
1. Configure a traffic classifier.
a. Run system-view
The system view is displayed.
b. Run traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed, or an
existing traffic classifier view is displayed.
and is the logical operator between the rules in the traffic classifier, which means
that:
n If the traffic classifier contains ACL rules, packets match the traffic classifier
only when they match one ACL rule and all the non-ACL rules.
n If the traffic classifier does not contain any ACL rules, packets match the
traffic classifier only when they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier if they match
one of the rules in the classifier.
By default, the relationship between rules in a traffic classifier is OR.
c. Configure matching rules according to the following table.
NOTE
Only the S5720EI, S6720EI, and S6720S-EI support traffic classifiers with advanced ACLs
containing the ttl-expired field.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name }, the S5720HI
does not support remark 8021p [ 8021p-value | inner-8021p ], remark cvlan-id cvlan-id,
remark vlan-id vlan-id, or mac-address learning disable.
d. Run quit
Exit from the traffic classifier view.
2. Configure a traffic behavior.
a. Run the traffic behavior behavior-name command to create a traffic behavior and
enter the traffic behavior view.
b. Run the remark destination-mac mac-address command to configure the action
that re-marks destination MAC addresses of packets. The destination MAC address
to be re-marked must be a unicast MAC address.
c. Run the quit command to exit from the traffic behavior view.
d. Run the quit command to exit from the system view.
3. Configure a traffic policy.
a. Run traffic policy policy-name [ match-order { auto | config } ]
A traffic policy is created and the traffic policy view is displayed, or the view of an
existing traffic policy is displayed. If you do not specify a matching order for traffic
classifiers in the traffic policy, the default matching order config is used.
After a traffic policy is applied, you cannot use the traffic policy command to
modify the matching order of traffic classifiers in the traffic policy. To modify the
matching order, delete the traffic policy, create a traffic policy, and specify the
matching order.
When creating a traffic policy, you can specify the matching order of its matching
rules. The matching order can be either automatic order or configuration order:
n Automatic order: Traffic classifiers are matched based on the priorities of their
types. Traffic classifiers based on the following information are in descending
order of priority: Layer 2 and IPv4 Layer 3 information, advanced ACL6
information, basic ACL6 information, Layer 2 information, IPv4 Layer 3
information, and user-defined ACL information. If data traffic matches
multiple traffic classifiers, and the traffic behaviors conflict with each other,
the traffic behavior corresponding to the highest priority rule takes effect.
n Configuration order: Traffic classifiers are matched based on the sequence in
which traffic classifiers were bound to traffic behaviors.
NOTE
If more than 128 ACL rules defining CAR are configured, a traffic policy must be applied to
an interface, a VLAN, and the system in sequence in the outbound direction. In the
preceding situation, if you need to update ACL rules, delete the traffic policy from the
interface, VLAN, and system and reconfigure it in sequence.
b. Run classifier classifier-name behavior behavior-name
A traffic behavior is bound to a traffic classifier in the traffic policy.
c. Run quit
Exit from the traffic policy view.
d. Run quit
Exit from the system view.
4. Apply the traffic policy.
– Applying a traffic policy to an interface
i. Run system-view
The system view is displayed.
ii. Run interface interface-type interface-number
The interface view is displayed.
iii. Run traffic-policy policy-name { inbound }
Action | Command
Display static MAC address entries in a specified VLAN. | display mac-address static vlan vlan-id
Display MAC address entries learned in a VLAN. | display mac-address dynamic vlan vlan-id
Display statistics on MAC address entries. | ● Display the total statistics: display mac-address total-number ● Display the statistics of various types of MAC address entries: display mac-address summary
Action | Command
Delete all the dynamic MAC address entries | undo mac-address dynamic
Delete all the static MAC address entries | undo mac-address static
Action | Command
Display alarms about MAC address flapping. | Run the display trapbuffer command to check whether the following alarms exist: ● OID 1.3.6.1.4.1.2011.5.25.160.3.7
Networking Requirements
As shown in Figure 3-12, the user PC with MAC address 0002-0002-0002 connects to
GE0/0/1 of the Switch, and the server with MAC address 0004-0004-0004 connects to
GE0/0/2 of the Switch. The user PC and server communicate in VLAN 2.
● To prevent unauthorized users from using the user PC's MAC address to initiate attacks,
configure a static MAC address entry for the user PC on the Switch.
● To prevent unauthorized users from using the server's MAC address to intercept
information about important users, configure a static MAC address entry for the server
on the Switch.
NOTE
This example applies to scenarios with a small number of users. When there are many users, use
dynamic MAC address entries. For details, see Example for Configuring Port Security in "Port Security
Configuration" in the S1720, S2700, S5700, and S6720 V200R011C10 Configuration Guide - Security.
[Figure 3-12: the Switch connects to the Network; the PC (MAC 2-2-2) is attached to GE0/0/1 and the Server (MAC 4-4-4) to GE0/0/2, in VLAN 2.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLAN 2 and add the interfaces connected to the PC and server to the VLAN to
implement Layer 2 forwarding.
2. Configure static MAC address entries to prevent attacks from unauthorized users.
Procedure
Step 1 Create static MAC address entries.
-------------------------------------------------------------------------------
Total items displayed = 2
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2
#
mac-address static 0002-0002-0002 GigabitEthernet0/0/1 vlan 2
mac-address static 0004-0004-0004 GigabitEthernet0/0/2 vlan 2
#
return
Networking Requirements
In Figure 3-13, the Switch receives packets from an unauthorized PC that has the MAC
address of 0005-0005-0005 and belongs to VLAN 3. This MAC address entry can be
configured as a blackhole MAC address entry so that the Switch filters out packets from the
unauthorized PC.
[Figure 3-13: an unauthorized user with MAC address 5-5-5 and VLAN ID 3 connects to the Switch.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN to implement Layer 2 forwarding.
2. Configure a blackhole MAC address entry to filter out packets from the unauthorized
PC.
Procedure
Step 1 Configure a blackhole MAC address entry.
# Create VLAN 3.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 3
[Switch-vlan3] quit
-------------------------------------------------------------------------------
Total items displayed = 1
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 3
#
mac-address blackhole 0005-0005-0005 vlan 3
#
return
Networking Requirements
In Figure 3-14, user network 1 and user network 2 connect to the Switch through the LSW,
and the LSW connects to the Switch through GE0/0/1. User network 1 and user network 2
belong to VLAN 10 and VLAN 20 respectively. On the Switch, MAC address limiting can be
configured on GE0/0/1 to control the number of access users.
[Figure 3-14: user network 1 (VLAN 10) and user network 2 (VLAN 20) connect through the LSW to GE0/0/1 of the Switch, which connects to the Network.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add the downlink interface to the VLANs to implement Layer 2
forwarding.
2. Configure MAC address limiting on the interface to control the number of access users.
Procedure
Step 1 Configure MAC address limiting.
# Create VLAN 10 and VLAN 20, and add GigabitEthernet0/0/1 to VLAN 10 and VLAN
20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid tagged vlan 10 20
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 10 20
mac-limit maximum 100
#
return
Networking Requirements
In Figure 3-15, user network 1 is connected to GE0/0/1 of the Switch through LSW1, and
user network 2 is connected to GE0/0/2 of the Switch through LSW2. GE0/0/1 and GE0/0/2
belong to VLAN 2. To control the number of access users, configure MAC address limiting in
VLAN 2.
[Figure 3-15: user network 1 connects through LSW1 to GE0/0/1 and user network 2 through LSW2 to GE0/0/2 of the Switch; both interfaces are in VLAN 2.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces to the VLAN to implement Layer 2 forwarding.
2. Configure MAC address limiting in the VLAN to prevent MAC address attacks and
control access users.
Procedure
Step 1 Configure MAC address limiting.
# Configure the following MAC address limiting rule in VLAN 2: A maximum of 100 MAC
addresses can be learned. When the number of learned MAC address entries reaches the limit,
the Switch directly discards the packets with new source MAC address entries and generates
an alarm.
[Switch] vlan 2
[Switch-vlan2] mac-limit maximum 100 alarm enable
[Switch-vlan2] return
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
vlan 2
mac-limit maximum 100
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
return
[Figure labels: Server (MAC:11-22-33), GE0/0/1, VLAN 10, Switch, GE0/0/2, PC4 (MAC:11-22-33), LSW, VLAN10.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces to the VLAN to implement Layer 2 forwarding.
2. Configure MAC address flapping prevention on the server-side interface.
Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.
# Run the display current-configuration command in any view to check whether the MAC
address learning priority is set correctly.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
mac-learning priority 2
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
Networking Requirements
In Figure 3-17, a loop occurs on a user network because two LSWs are incorrectly connected
using a network cable. The loop causes MAC address flapping in the MAC address table of
the Switch.
To detect loops in a timely manner, configure MAC address flapping detection on the Switch.
This function enables the Switch to detect loops by checking whether a MAC address flaps
between interfaces. To remove loops on the network, configure an action against MAC
address flapping on the interfaces.
[Figure 3-17: the Switch connects through GE0/0/1 and GE0/0/2 to LSW1 and LSW2, which are incorrectly connected to each other.]
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Enable MAC address flapping detection.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] mac-address flapping detection
Step 3 Configure the MAC address flapping action on GE0/0/1 and GE0/0/2 as
shutdown.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] mac-address flapping action error-down
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] mac-address flapping action error-down
[Switch-GigabitEthernet0/0/2] quit
Step 4 Enable error-down interfaces to go Up automatically and set the automatic recovery delay.
[Switch] error-down auto-recovery cause mac-address-flapping interval 500
When the MAC address learned on the GE moves to GE0/0/2, GE0/0/2 is shut down
automatically. You can run the display mac-address flapping record command to view
MAC address flapping records.
-------------------------------------------------------------------------------
Total items on slot 0: 1
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
error-down auto-recovery cause mac-address-flapping interval 500
#
mac-address flapping aging-time 500
#
interface GigabitEthernet0/0/1
mac-address flapping action error-down
#
interface GigabitEthernet0/0/2
mac-address flapping action error-down
#
return
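The configuration files in the preceding examples can be checked offline for consistency. The following Python code is an added example, not part of the original guide or of any Huawei tool: it parses a configuration file in the '#'-delimited format shown above and reports static MAC address entries bound to an interface that does not carry the stated VLAN, interfaces with no mac-limit on the interface or any of its VLANs, and interfaces with no mac-address flapping action. The sample configuration is constructed; GigabitEthernet0/0/3 and the finding names are assumptions of this example.

```python
import re

# Constructed sample built from statements used in the configuration files on
# this page. GigabitEthernet0/0/3 and its static entry are added to show a
# mismatch: the entry names VLAN 2, but the interface only carries VLAN 10.
SAMPLE_CONFIG = """\
#
sysname Switch
#
vlan batch 2 10 20
#
vlan 2
 mac-limit maximum 100
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 2
#
interface GigabitEthernet0/0/2
 port link-type hybrid
 port hybrid tagged vlan 10 20
 mac-limit maximum 100
 mac-address flapping action error-down
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10
#
mac-address static 0002-0002-0002 GigabitEthernet0/0/1 vlan 2
mac-address static 0004-0004-0004 GigabitEthernet0/0/3 vlan 2
#
return
"""

# Interface statements that place a port in one or more VLANs.
VLAN_CMDS = (
    "port default vlan", "port hybrid pvid vlan", "port hybrid tagged vlan",
    "port hybrid untagged vlan", "port trunk allow-pass vlan",
)
STATIC_RE = re.compile(r"mac-address static (\S+) (\S+) vlan (\d+)")


def parse_config(text):
    """Split a '#'-delimited configuration into interface, VLAN and global parts."""
    interfaces, vlans, global_lines = {}, {}, []
    for block in re.split(r"^#[ \t]*$", text, flags=re.M):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        head = lines[0]
        if head.startswith("interface "):
            interfaces[head.split(None, 1)[1]] = lines[1:]
        elif re.fullmatch(r"vlan \d+", head):
            vlans[int(head.split()[1])] = lines[1:]
        else:
            global_lines.extend(lines)
    return interfaces, vlans, global_lines


def vlan_ids(tokens):
    """Expand '10 20' and '10 to 20' style VLAN lists into a set of IDs."""
    ids, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            ids.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            ids.add(int(tokens[i]))
            i += 1
    return ids


def audit(text):
    """Return (finding, interface, mac) tuples; finding names are this example's own."""
    interfaces, vlans, global_lines = parse_config(text)
    member = {}
    for name, lines in interfaces.items():
        member[name] = set()
        for ln in lines:
            for cmd in VLAN_CMDS:
                if ln.startswith(cmd + " "):
                    member[name] |= vlan_ids(ln[len(cmd):].split())
    findings = []
    for ln in global_lines:
        m = STATIC_RE.fullmatch(ln)
        if m and int(m.group(3)) not in member.get(m.group(2), set()):
            findings.append(("static-vlan-mismatch", m.group(2), m.group(1)))
    for name, lines in interfaces.items():
        has_limit = any(ln.startswith("mac-limit maximum") for ln in lines) or any(
            ln.startswith("mac-limit maximum")
            for v in member[name] for ln in vlans.get(v, []))
        if not has_limit:
            findings.append(("no-mac-limit", name, None))
        if not any(ln.startswith("mac-address flapping action") for ln in lines):
            findings.append(("no-flapping-action", name, None))
    return findings
```

Call audit() on the text of a saved configuration file; an empty list means none of the three conditions was found.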
Fault Symptom
MAC address entries cannot be learned on an interface, causing Layer 2 forwarding failures.
Procedure
Step 1 Check the configuration on the device.
Check item: Whether the VLAN that the interface belongs to has been created
Check method: Run the display vlan vlan-id command in any view. If the system displays the message "Error: The VLAN does not exist", the VLAN is not created.
Solution: Run the vlan vlan-id command in the system view to create the VLAN.
Check item: Whether the interface transparently transmits packets from the VLAN
Check method: Run the display vlan vlan-id command in any view to check whether the interface name exists. If not, the interface does not transparently transmit packets from the VLAN.
Solution: Run one of the following commands in the interface view to add the interface to the VLAN.
● Run the port trunk allow-pass vlan command if the interface is a trunk interface.
● Run the port hybrid tagged vlan or port hybrid untagged vlan command if the interface is a hybrid interface.
● Run the port default vlan command if the interface is an access interface.
Check item: Whether MAC address learning is disabled on the interface or VLAN
Check method: Run the display this | include learning command in the interface view and VLAN view to check whether the mac-address learning disable configuration exists. If so, MAC address learning is disabled on the interface or in the VLAN.
Solution: Run the undo mac-address learning disable command in the interface view or VLAN view to enable MAC address learning.
Check item: Whether MAC address limiting is configured on the interface and in the VLAN
Check method: Run the display this | include mac-limit command in the interface view and VLAN view to check whether there is the MAC address limiting configuration. If so, the maximum number of learned MAC address entries is set.
Solution:
● Run the mac-limit command in the interface view or VLAN view to increase the maximum number of learned MAC address entries.
● Run the undo mac-limit command in the interface view or VLAN view to cancel MAC address limiting.
Check item: Whether port security is configured on the interface
Check method: Run the display this | include port-security command in the interface view to check whether there is the port security configuration. If so, port security is configured on the interface.
Solution:
● Run the undo port-security enable command in the interface view to disable port security.
● Run the port-security max-mac-num command in the interface view to increase the maximum number of secure dynamic MAC address entries on the interface.
Scenario | Solution
The interface connects to another network device. | Run the display mac-address command on the connected device to view MAC address entries. Locate the interface connected to the malicious user host based on the displayed MAC address entries. If the interface that you find is connected to another device, repeat this step until you find the malicious host.
If the number of MAC addresses that the device has learned does not reach the maximum
number of addresses allowed on the device but MAC addresses still cannot be learned, go to
step 4.
Step 4 Check whether a MAC address hash conflict alarm is generated on the device.
L2IFPPI/4/MACHASHCONFLICTALARM: OID [oid] A hash conflict occurs in MAC addresses.
(IfIndex=[INTEGER], MacAddr=[OPAQUE], VLAN=[GAUGE], VsiName=[OCTET1],
InterfaceName=[OCTET2]).
----End
Versions earlier than V200R001 support only MAC address flapping detection in a VLAN. | Run the loop-detect eth-loop alarm-only in the VLAN view. | Run the undo loop-detect eth-loop alarm-only in the VLAN view.
V200R001 and later versions support global MAC address flapping detection in all VLANs. By default, global MAC address flapping detection is enabled. | Run the mac-address flapping detection in the system view. | Run the undo mac-address flapping detection in the system view.
Check whether MAC address flapping occurs according to the following table.
Version Command
To configure VLAN-based blackhole MAC address entries, perform the following operations:
# Add a blackhole MAC address entry to the MAC address table. For example, in the
blackhole MAC address entry, the MAC address is 0004-0004-0004 and the VLAN ID is
VLAN 10.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
[HUAWEI] mac-address blackhole 0004-0004-0004 vlan 10
# Add the global blackhole MAC address 0004-0004-0004 to the MAC address table.
<HUAWEI> system-view
[HUAWEI] mac-address blackhole 0004-0004-0004
# Configure an ACL-based simplified traffic policy to discard the packet with MAC address
0004-0004-0004 and VLAN 10.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
[HUAWEI] acl number 4000
[HUAWEI-acl-L2-4000] rule 5 deny source-mac 0004-0004-0004 vlan-id 10
[HUAWEI-acl-L2-4000] rule 10 deny destination-mac 0004-0004-0004 vlan-id 10
[HUAWEI-acl-L2-4000] quit
[HUAWEI] traffic-filter inbound acl 4000
This chapter describes how to configure link aggregation. Link aggregation bundles multiple
Ethernet links into a logical link to increase bandwidth, improve reliability, and load balance
traffic.
Definition
Ethernet link aggregation, also called Eth-Trunk, bundles multiple physical links to form a
logical link to increase link bandwidth. The bundled links back up each other, increasing
reliability.
Purpose
As networks grow, users place increasingly high requirements on Ethernet backbone
network bandwidth and reliability. The original way to increase bandwidth was to
replace old devices with high-speed devices. This solution, however, is costly and
inflexible.
Link aggregation helps increase bandwidth by bundling a group of physical interfaces into a
single logical interface, without having to upgrade hardware. In addition, link aggregation
provides link backup mechanisms, greatly improving link reliability.
Link aggregation has the following advantages:
● Increased bandwidth
The bandwidth of the link aggregation interface is the sum of bandwidth of member
interfaces.
● Higher reliability
When an active link fails, traffic on this active link is switched to another active link,
improving reliability of the link aggregation interface.
● Load balancing
In a link aggregation group (LAG), traffic is load balanced among active links of
member interfaces.
The upper threshold for the number of active interfaces is inapplicable to the manual load
balancing mode.
● Lower threshold for the number of active interfaces
When the number of active interfaces falls below this threshold, an Eth-Trunk goes
Down. This guarantees the Eth-Trunk a minimum available bandwidth.
For example, if the Eth-Trunk is required to provide a minimum bandwidth of 2 Gbit/s
and each member link's bandwidth is 1 Gbit/s, the minimum number of Up member links
must be set to 2 or larger.
Item | Manual mode | LACP mode
Data forwarding | Generally, all links are active links. All active links participate in data forwarding. If one active link fails, traffic is load balanced among the remaining active links. | Generally, some links are active links. All active links participate in data forwarding. If an active link fails, the system selects a link among inactive links as the active link. That is, the number of links participating in data forwarding remains unchanged.
Fault detection | This mode can only detect member link disconnections, but cannot detect other faults such as link layer faults and incorrect link connections. | This mode can detect member link disconnections and other faults such as link layer faults and incorrect link connections.
NOTE
For more information, see 4.2.2 Link Aggregation in Manual Mode and 4.2.3 Link Aggregation in
LACP Mode.
● Link aggregation modes supported by the device
– Intra-device: Member interfaces of an Eth-Trunk are located on the same device.
– Inter-stack-device: Member interfaces of an Eth-Trunk are located on member
devices of a stack. For details, see 4.2.5 Link Aggregation in Stack Scenarios.
– Inter-device: The inter-device link aggregation refers to E-Trunk. E-Trunk allows
links between multiple devices to be aggregated based on LACP. For details, see
4.2.6 E-Trunk.
In manual mode, you must manually create an Eth-Trunk and add member interfaces to the
Eth-Trunk. In this mode, LACP is not required. The manual mode applies to the scenario
where a high link bandwidth between two directly connected devices is required but the
remote device does not support the LACP protocol. This mode can increase bandwidth,
enhance reliability, and implement load balancing.
As shown in Figure 4-2, an Eth-Trunk is created between DeviceA and DeviceB. In manual
mode, three active links participate in data forwarding and load balance traffic. When one link
becomes faulty, the remaining two links load balance traffic.
[Figure 4-2: Eth-Trunk between DeviceA and DeviceB; link loads labelled D% and E%, with D%+E%=100%.]
Background
An Eth-Trunk in manual mode can increase the bandwidth. However, the manual mode can
only detect member link disconnections, but cannot detect other faults such as link layer faults
and incorrect link connections.
The Link Aggregation Control Protocol (LACP) can improve fault tolerance of the Eth-Trunk,
provide backup, and ensure high reliability of member links.
LACP uses a standard negotiation mechanism for a switching device so that the switching
device can create and start the aggregated link based on its configuration. After the aggregated
link is created, LACP maintains the link status. If an aggregated link's status changes, LACP
adjusts or removes the link.
For example, in Figure 4-3, four interfaces on DeviceA are bundled into an Eth-Trunk and the
Eth-Trunk is connected to the corresponding interfaces on DeviceB. Because an interface on
DeviceA is incorrectly connected to an interface on DeviceC, DeviceA may incorrectly send
data destined for DeviceB to DeviceC. However, the Eth-Trunk in manual mode cannot detect
this fault in a timely manner.
If LACP is enabled on DeviceA and DeviceB, the Eth-Trunk correctly selects active links to
forward data after negotiation. Data sent by DeviceA can reach DeviceB.
[Figure 4-3: Eth-Trunk between DeviceA and DeviceB, with one DeviceA interface incorrectly connected to DeviceC.]
Concepts
● LACP system priority
LACP system priorities are set on devices at both ends of an Eth-Trunk. In LACP mode,
active member interfaces selected by both devices must be consistent; otherwise, an
LAG cannot be established. To keep active member interfaces consistent at both ends,
set a higher priority for one end so that the other end selects active member interfaces
based on the selection of the end with a higher priority. The smaller the LACP system
priority value, the higher the LACP system priority.
● LACP interface priority
Interface LACP priorities are set to prioritize interfaces of an Eth-Trunk. Interfaces with
higher priorities are selected as active interfaces. The smaller the LACP interface priority
value, the higher the LACP interface priority.
● M:N backup of member interfaces
In LACP mode, LACP is used to negotiate parameters to determine active links in an
LAG. This mode is also called the M:N mode, where M refers to the number of active
links and N refers to the number of backup links. This mode guarantees high reliability
and allows traffic to be load balanced among M active links.
As shown in Figure 4-4, M+N links with the same attributes (in the same LAG) are set
up between two devices. When data is transmitted over the aggregated link, traffic is
load balanced among M active links and no data is transmitted over N backup links.
Therefore, the actual bandwidth of the aggregated link is the sum of the M links'
bandwidth, and the maximum bandwidth of the aggregated link is the sum of the M+N
links' bandwidth.
If one of M links fails, LACP selects a link from N backup links to replace the faulty
link. The actual bandwidth of the aggregated link is still the sum of M links' bandwidth,
but the maximum bandwidth of the aggregated link is the sum of the (M+N-1) links'
bandwidth.
[Figure 4-4: Eth-Trunk 1 between DeviceA and DeviceB, with active links and backup links.]
M:N backup is mainly applied in situations where the bandwidth of M links must be
assured and a fault tolerance mechanism is in place. If an active link fails, the system
selects the backup link with the highest priority as the active link.
If no available backup link is found and the number of active links is smaller than the
lower threshold for the number of active interfaces, the system shuts down the LAG.
● LACP preemption
When LACP preemption is enabled, interfaces with higher priorities in an LAG function
as active interfaces.
As shown in Figure 4-8, Port 1, Port 2, and Port 3 are member interfaces of an Eth-
Trunk; DeviceA acts as the Actor; the upper threshold for the number of active interfaces
is 2; LACP priorities of Port 1, Port 2, and Port 3 are 10, 20, and 30 respectively. When
LACP negotiation is complete, Port 1 and Port 2 are selected as active interfaces because
their LACP priorities are higher, and Port 3 is used as the backup interface.
[Figure 4-8: LACP preemption; the legend distinguishes active links and backup links.]
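The selection rules described under Concepts (system priority, interface priority, M:N backup, the lower threshold, and preemption) can be traced with a small model. The following Python code is an added example, not Huawei's implementation: it uses the Figure 4-8 values (Port 1, 2, 3 with priorities 10, 20, 30 and an upper threshold of 2). The lower threshold of 2, the device names and system IDs in the usage, the tie-break by interface name, and the non-preemption behaviour (a recovered interface stays a backup while the current active links remain Up) are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    priority: int      # smaller value = higher LACP interface priority
    up: bool = True


def elect_actor(dev_a, dev_b):
    """Return the name of the end whose selection both ends follow.

    Each device is (name, lacp_system_priority, system_id). The smaller
    priority value wins; equal priorities fall back to the smaller system ID.
    """
    def rank(dev):
        return (dev[1], int(dev[2].replace("-", ""), 16))
    return min(dev_a, dev_b, key=rank)[0]


class EthTrunk:
    """Active-interface selection as seen from the Actor."""

    def __init__(self, ports, max_active, min_active=1, preempt=False):
        self.ports = {p.name: p for p in ports}
        self.max_active = max_active      # upper threshold for active interfaces
        self.min_active = min_active      # lower threshold for active interfaces
        self.preempt = preempt
        self.active = [p.name for p in self._ranked()[:max_active]]

    def _ranked(self):
        # Assumption: equal priorities are ordered by interface name.
        live = [p for p in self.ports.values() if p.up]
        return sorted(live, key=lambda p: (p.priority, p.name))

    def set_link(self, name, up):
        """Apply a link state change and return the sorted active interfaces."""
        self.ports[name].up = up
        ranked = [p.name for p in self._ranked()]
        if self.preempt:
            # Preemption: the highest-priority Up interfaces are always active.
            self.active = ranked[:self.max_active]
        else:
            # No preemption: surviving active links stay; only vacancies
            # are filled, best backup first.
            keep = [n for n in self.active if self.ports[n].up]
            spare = [n for n in ranked if n not in keep]
            self.active = keep + spare[:self.max_active - len(keep)]
        return sorted(self.active)

    def state(self):
        """The Eth-Trunk goes Down when active links fall below the lower threshold."""
        return "Up" if len(self.active) >= self.min_active else "Down"


def figure_4_8_trunk(preempt):
    """Port 1, 2, 3 with priorities 10, 20, 30 and an upper threshold of 2."""
    ports = [Port("Port1", 10), Port("Port2", 20), Port("Port3", 30)]
    return EthTrunk(ports, max_active=2, min_active=2, preempt=preempt)


if __name__ == "__main__":
    # Constructed system priorities and system IDs.
    print(elect_actor(("DeviceA", 100, "00e0-fc00-0002"),
                      ("DeviceB", 32768, "00e0-fc00-0001")))
    for preempt in (False, True):
        trunk = figure_4_8_trunk(preempt)
        print(preempt, sorted(trunk.active),
              trunk.set_link("Port1", False), trunk.set_link("Port1", True))
```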
Background
A data flow is a group of data packets with one or more identical attributes. The attributes
include the source MAC address, destination MAC address, source IP address, destination IP
address, source TCP/UDP port number, and destination TCP/UDP port number.
Forwarding Principle
As shown in Figure 4-9, the Eth-Trunk module is located between the MAC sub-layer and the
LLC sub-layer, that is, in the data link layer.
[Figure 4-9: the Eth-Trunk module between the LLC and MAC sub-layers of the data link layer, above the PHY of the physical layer.]
The Eth-Trunk module maintains a forwarding table that consists of the following entries:
● HASH-KEY value
The HASH-KEY value is calculated through the hash algorithm based on the MAC
address or IP address in a packet.
● Interface number
Eth-Trunk forwarding entries are relevant to the number of member interfaces in an Eth-
Trunk. Different HASH-KEY values map different outbound interfaces.
For example, an Eth-Trunk supports a maximum of eight member interfaces. If physical
interfaces 1, 2, 3, and 4 are bundled into an Eth-Trunk, the Eth-Trunk forwarding table
contains four entries, as shown in Figure 4-10. In the Eth-Trunk forwarding table, the
HASH-KEY values are 0, 1, 2, 3, 4, 5, 6, and 7, and the corresponding interface numbers
are 1, 2, 3, 4, 1, 2, 3, and 4.
HASH-KEY 0 1 2 3 4 5 6 7
PORT 1 2 3 4 1 2 3 4
The Eth-Trunk module forwards a packet according to the Eth-Trunk forwarding table:
1. The Eth-Trunk module receives a packet from the MAC sub-layer, and then extracts its
source/destination MAC address or IP address.
2. The Eth-Trunk module calculates the HASH-KEY value using the hash algorithm.
3. Based on the HASH-KEY value, the Eth-Trunk module searches the Eth-Trunk
forwarding table for the interface number, and then sends the packet from the
corresponding interface.
You can use the following load balancing modes according to the actual networking:
When configuring a load balancing mode, pay attention to the following points:
● The load balancing mode is only valid for the outbound interface of traffic. If traffic of
the inbound interface is uneven, change the load balancing mode of the uplink outbound
interface.
● Data flows should be load balanced among all active links as much as possible. If data
flows are transmitted over one link, traffic congestion may occur and service running is
affected.
For example, when data packets have only one destination MAC address and IP address,
use load balancing based on the source MAC address and IP address of packets. If load
balancing based on the destination MAC address and IP address is used, traffic is
transmitted over one link, causing congestion.
For details about how to determine whether Eth-Trunk load balancing is uneven and how to
adjust Eth-Trunk configurations in this scenario, visit Huawei technical support website to
search for How Do I Adjust Eth-Trunk Configurations When Eth-Trunk Load Balancing Is
Uneven.
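The forwarding table and the single-destination congestion case described above can be reproduced in a few lines. The following Python code is an added example, not code from the guide or the device: it builds the HASH-KEY table of Figure 4-10 and distributes constructed flows (32 clients sending to one server MAC address) over four member interfaces using either the source or the destination MAC address. The XOR-based hash, the field names src_mac and dst_mac, and the rule used to rebuild the table for other member counts are assumptions, because the page does not give the device's hash algorithm.

```python
from collections import Counter

HASH_KEYS = 8  # the forwarding table on this page has HASH-KEY values 0..7


def build_table(member_ports, keys=HASH_KEYS):
    """Map each HASH-KEY to a member interface, repeating the members in order.

    For members [1, 2, 3, 4] this gives 1, 2, 3, 4, 1, 2, 3, 4 as in Figure 4-10.
    Applying the same rule to other member counts is an assumption.
    """
    if not member_ports:
        raise ValueError("an Eth-Trunk needs at least one active member")
    return [member_ports[k % len(member_ports)] for k in range(keys)]


def mac_bytes(mac):
    """Parse a MAC address written as on this page, for example 0004-0004-0004."""
    raw = bytes.fromhex(mac.replace("-", ""))
    if len(raw) != 6:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return raw


def hash_key(flow, fields, keys=HASH_KEYS):
    """Illustrative hash: XOR of every byte of the chosen fields, modulo keys.

    This stand-in only needs the property that matters for load balancing:
    identical field values always produce the same HASH-KEY.
    """
    acc = 0
    for field in fields:
        for b in mac_bytes(flow[field]):
            acc ^= b
    return acc % keys


def distribute(flows, fields, member_ports):
    """Count how many flows leave through each member interface."""
    table = build_table(member_ports)
    return Counter(table[hash_key(f, fields)] for f in flows)


def busiest_share(load):
    """Fraction of all flows carried by the most loaded member interface."""
    return max(load.values()) / sum(load.values())


# Constructed traffic: 32 clients, all sending to the same server MAC address.
FLOWS = [{"src_mac": "0000-0000-%04x" % i, "dst_mac": "0004-0004-0004"}
         for i in range(1, 33)]

if __name__ == "__main__":
    for fields in (["dst_mac"], ["src_mac"]):
        load = distribute(FLOWS, fields, [1, 2, 3, 4])
        print(fields, dict(load), "busiest link share:", busiest_share(load))
```

Hashing on the destination MAC address puts every flow on one member interface, while hashing on the source MAC address spreads the same flows evenly, which is the behaviour the guideline above warns about.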
[Figure 4-11: two panels, each showing DeviceA connected through an Eth-Trunk to a Stack.]
As shown in Figure 4-11, DeviceB and DeviceC constitute a stack, and the stack connects to
DeviceA through an Eth-Trunk. After the Eth-Trunk in the stack is configured to
preferentially forward local traffic, the following functions are implemented:
When DeviceB does not have any member interface of the Eth-Trunk or all member
interfaces are faulty, the Eth-Trunk forwarding table of DeviceB contains all available
member interfaces. In this manner, the hash algorithm selects a member interface on
DeviceC, and traffic is forwarded through DeviceC.
NOTE
● This function is only valid for known unicast packets, and is invalid for unknown unicast packets,
broadcast packets, and multicast packets.
● Before configuring an Eth-Trunk to preferentially forward local traffic, ensure that member
interfaces of the local Eth-Trunk have sufficient bandwidth to forward local traffic; otherwise, traffic
may be discarded.
4.2.6 E-Trunk
Enhanced Trunk (E-Trunk), an extension based on the Link Aggregation Control Protocol
(LACP), controls and implements link aggregation among multiple devices. E-Trunk
implements device-level link reliability, instead of card-level link reliability implemented by
LACP.
[Figure labels: Eth-Trunk20, E-Trunk1, CE, Eth-Trunk10, PE2.]
NOTE
Only the S1720X, S1720X-E, S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720LI,
S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support the E-Trunk.
Basic Concepts
● LACP system priority
In LACP, the LACP system priority is used to differentiate priorities of devices at both
ends of an Eth-Trunk link. A smaller value indicates a higher LACP system priority.
● System ID
In LACP, the system ID is used to determine the priorities of the two devices at both
ends of an Eth-Trunk link if their LACP priorities are the same. The smaller the system
ID, the higher the priority. By default, the system ID is the MAC address of an Eth-
Trunk.
To enable a CE to consider the PEs as a single device, you must configure the same
system LACP priority and system ID for the PEs at both ends of an E-Trunk link.
● E-Trunk priority
The E-Trunk priority determines the master/backup status of two devices in an LAG. As
shown in Figure 4-12, PE1 has a higher E-Trunk priority than PE2, and therefore PE1 is
the master device and PE2 is the backup device. The smaller the E-Trunk priority value,
the higher the E-Trunk priority.
● E-Trunk ID
An E-Trunk ID is an integer that identifies an E-Trunk.
● Working mode
The working mode depends on the working mode of the Eth-Trunk added to the E-
Trunk. The Eth-Trunk works in one of the following modes:
– Automatic
– Forcible master
– Forcible backup
● Timeout interval
Normally, the master and backup devices in an E-Trunk periodically send Hello
messages to each other. If the backup device does not receive any Hello message within
the timeout interval, it becomes the master device.
In normal situations:
■ If PE1 functions as the master, Eth-Trunk 10 on PE1 functions as the master
and its link status is Up.
■ If PE2 functions as the backup, Eth-Trunk 10 on PE2 functions as the backup
and its link status is Down.
If the link between the CE and PE1 fails, the following situations occur:
i. PE1 sends an E-Trunk packet containing information about faulty Eth-Trunk
10 of PE1 to PE2.
ii. After receiving the E-Trunk packet, PE2 finds that Eth-Trunk 10 on the remote
device is faulty. Eth-Trunk 10 on PE2 becomes the master. Through LACP
negotiation, Eth-Trunk 10 on PE2 becomes Up.
The Eth-Trunk status on PE2 becomes Up, and traffic of the CE is forwarded
through PE2. In this way, traffic destined for the CE is protected.
If PE1 is faulty, PE2 will not receive any E-Trunk packet from PE1 before the
timeout. PE2 will function as the master and Eth-Trunk 10 on PE2 will function as
the master. Through LACP negotiation, the status of Eth-Trunk 10 on PE2 becomes
Up. The traffic of the CE is forwarded through PE2.
● Sending and receiving of E-Trunk packets
E-Trunk packets carrying the source IP address and port number configured on the local
end are sent through UDP. E-Trunk packets are sent in the following situations:
– The sending timer times out.
– The configurations change. For example, the E-Trunk priority, packet sending
interval, timeout interval multiplier, or source/destination IP address of the
E-Trunk changes, or member Eth-Trunks are added or deleted.
E-Trunk Constraints
As shown in Figure 4-12, to improve reliability of CE and PE links and ensure that traffic is
switched between these links, comply with the following rules:
● The configurations at both ends of the E-Trunk link must be consistent. The Eth-Trunk
links directly connecting PEs to the CE must be configured with the same working rate
and duplex mode so that both Eth-Trunks have the same key and join the same E-Trunk.
After the Eth-Trunks are added to the E-Trunk, both PEs must contain the LACP system
priorities and IDs. The interfaces connecting the CE to PE1 and PE2 must be added to
the same Eth-Trunk. The Eth-Trunk on the CE can have a different ID from that of the
PEs. For example, the CE is configured with Eth-Trunk 1, and both PEs are configured
with Eth-Trunk 10.
● The IP address of the local PE must be the same as the local address of the remote PE
and the IP address of the remote PE must be the same as the remote address of the local
PE to ensure Layer 3 connectivity. It is recommended that the addresses of the PEs
be configured as loopback interface addresses.
● The two PEs must be configured with the same security key if necessary.
[Figure labels: Core Network, PE-AGG, Eth-Trunk 1, UPE, VoIP, DATA, IPTV.]
You can determine the working mode for the Eth-Trunk according to the following situations:
● If devices at both ends of the Eth-Trunk support LACP, the LACP mode is
recommended.
● If the device at either end of the Eth-Trunk does not support LACP, you must use the
manual mode.
QoS can be implemented on an Eth-Trunk in the same way as on a common interface. At both
ends (UPE and PE-AGG) of Eth-Trunk 1, traffic shaping, congestion management, and congestion avoidance can
be performed for outgoing traffic, ensuring that packets of high priorities are sent in a timely
manner.
Figure 4-14 Switches are connected across a transmission device using link aggregation
ensure communication. At each site, link aggregation is deployed between the switch and the
transmission device to improve the reliability.
● The link aggregation mode on the transmission device must be the same as that of the
switch. Configure the transmission device according to its operation guide.
Figure 4-15 Networking where switches are connected to transmission devices using link
aggregation
[Figure labels: Core site, Access site 2, transmission devices.]
NOTE
Different types of network adapters use different link aggregation configurations. See the network
adapter operation guide.
Only the S1720X, S1720X-E, S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720LI,
S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support the E-Trunk.
As shown in Figure 4-18, the Enhanced Trunk (E-Trunk) protects the links between CE1 and
two PEs (PE1 and PE2) on the network. CE1 is connected to PE1 and PE2 using two Eth-
Trunks in LACP mode. The two Eth-Trunks form an E-Trunk to implement backup and
enhance the network reliability.
[Figure 4-18 labels: CE1, PE1, PE2, Eth-Trunk10, Eth-Trunk20, E-Trunk1, Loopback1, Internet]
Scenario: Switches Are Directly Connected Using Link Aggregation
Task: Perform either of the two operations:
l 4.7 Configuring Link Aggregation in Manual Mode
l 4.8 Configuring Link Aggregation in LACP Mode
Scenario: A Switch Connects to a Server Using Link Aggregation
Task: Perform either of the two operations:
l 4.7 Configuring Link Aggregation in Manual Mode
l 4.8 Configuring Link Aggregation in LACP Mode
Licensing Requirements
Configuration commands of Ethernet link aggregation are available only after the S1720GW,
S1720GWR, and S1720X have the license (WEB management to full management Electronic
RTU License) loaded and activated and the switches are restarted. Configuration commands of
Ethernet link aggregation on other models are not under license control.
For details about how to apply for a license, see S Series Switch License Use Guide.
Version Requirements
S2710SI V100R006(C03&C05)
S5710-C-LI V200R001C00
S5730SI V200R011C10
S5730S-EI V200R011C10
NOTE
To know details about software mappings, see Hardware Query Tool.
Feature Limitations
Configuration Guidelines Before an Eth-Trunk Is Configured
l An Eth-Trunk contains a maximum of 32 member interfaces on the S5720HI, 16
member interfaces on the S1720X, S1720X-E, S5730SI, S5730S-EI, S6720LI, S6720S-
LI, S6720SI, and S6720S-SI, and 8 member interfaces on other models.
l Starting from V200R009, for the S6720EI and S6720S-EI, you can run the assign trunk
{ trunk-group group-number | trunk-member member-number }* command to
configure the maximum number of Eth-Trunks and maximum number of member
interfaces in each Eth-Trunk. For details, see the description of the assign trunk
command in "Ethernet Switching Configuration Commands" in the Command Reference
of the corresponding version. After the configuration, you can run the display trunk
configuration command to check the default specifications of the maximum number of
Eth-Trunks that are supported and maximum number of member interfaces in each Eth-
Trunk, current specifications, and configured specifications.
l Some commands (such as port link-type access) and static MAC address entries cannot
be configured on member interfaces of an Eth-Trunk. Otherwise, errors will be reported.
l An Eth-Trunk cannot be added to another Eth-Trunk.
l Member interfaces of an Eth-Trunk must use the same Ethernet type. For example, GE
electrical and optical interfaces can join the same Eth-Trunk.
l In versions earlier than V200R011C10, interfaces with different rates cannot join the same
Eth-Trunk. In V200R011C10 and later versions, interfaces with different rates can join
the same Eth-Trunk after the mixed-rate link enable command is run.
l When an Eth-Trunk performs load balancing calculation, the interface rate cannot be
used as the calculation weight. When interfaces with different rates are added to the
same Eth-Trunk, traffic is evenly load balanced on all the links. Therefore, the bandwidth
of member interfaces is calculated by the minimum rate of the member interfaces in the
Eth-Trunk. For example, when a GE interface and a 10GE interface are added to the
same Eth-Trunk, the rate of the GE interface is used in calculation and the bandwidth of
the Eth-Trunk is 2G.
l Both devices of the Eth-Trunk must use the same number of physical interfaces,
interface rate, duplex mode, and flow control mode.
l If an interface of the local device is added to an Eth-Trunk, an interface of the remote
device directly connected to the interface of the local device must also be added to the
Eth-Trunk so that the two ends can communicate.
l Devices on both ends of an Eth-Trunk must use the same link aggregation mode.
l When the number of active interfaces falls below the lower threshold, the Eth-Trunk
goes Down. This ensures that the Eth-Trunk has a minimum available bandwidth.
l In FTTx scenarios of MANs, PPPoE is often used for Internet access. If switches use
link aggregation, when traffic is aggregated, ensure that PPPoE packets are load
balanced. In such scenarios, the S5700EI, S5710EI, S5720EI, S5700HI, S5710HI,
S5720HI, S5730SI, S5730S-EI, S6700EI, S6720EI, S6720S-EI, S6720SI, S6720S-SI,
S6720LI, and S6720S-LI are recommended.
In the following scenarios, there are other configuration guidelines in addition to the
preceding ones.
Switches Are Connected Across a Transmission Device Using Link Aggregation:
l The switches at both ends must use link aggregation in LACP mode.
l The transmission device between switches must be configured to transparently transmit
LACPDUs.
A Switch Connects to a Server Using Link Aggregation:
l Network adapters of the server must use the same type.
l The link aggregation modes on the server and access device must be consistent.
Intel network adapter is used as an example. A server often uses static or IEEE 802.3ad
dynamic link aggregation. When the server uses static link aggregation, the access device
must use the manual mode. When the server uses IEEE 802.3ad dynamic link aggregation,
the access device must use the LACP mode.
l When a server needs to obtain the configuration file from the remote file server through a
switch and link aggregation needs to be used, run the lacp force-forward command on the
Eth-Trunk of the switch.
l Manual
l LACP
You can use the following load balancing modes based on actual networking:
Upper threshold for the number of active member links: 32 on the S5720HI and 8 on other
models. On the S6720EI and S6720S-EI, you can run the assign trunk command to set the
value, and run the display trunk configuration command to check the configuration.
Context
Generally, a switch supports a fixed maximum number of LAGs and a fixed maximum
number of member interfaces in each LAG. On the S6720EI and S6720S-EI, you can run the
assign trunk command to set the maximum number of LAGs and the maximum number of
member interfaces in each LAG, implementing flexible networking and meeting various
service requirements.
Procedure
Step 1 Run system-view
The maximum number of LAGs and the maximum number of member interfaces in each
LAG are set.
By default, the device supports a maximum of 128 LAGs and 8 member interfaces in each
LAG. member-number can be 8, 16, 32, or 64, and member-number multiplied by group-
number cannot exceed 2048.
l When more than 128 Eth-Trunks or 16 member interfaces are configured using the
assign trunk { trunk-group group-number | trunk-member member-number } *
command, the enhanced mode is used to load balance known unicast packets by default.
If the enhanced mode is not used, problems such as packet loss and uneven load
balancing may occur. The switch load balances non-known unicast packets based on
source and destination MAC addresses by default.
l If you use the assign trunk command to modify Eth-Trunk specifications, the existing
Eth-Trunk configuration will become invalid or be lost. Exercise caution when you run
the assign trunk command.
– When the configured Eth-Trunk specifications are reduced and the Eth-Trunks that
exceed the specifications are configured, the configuration of excess Eth-Trunks is
invalid.
– When the configured value of group-number is larger than 128 or the configured
value of member-number is larger than 16, the switch can only use the enhanced
mode to load balance known unicast packets. The common mode is invalid for the
known unicast packets.
l After the Eth-Trunk specifications are modified, save the configuration and restart the
switch to make the modification take effect.
----End
Context
Each LAG corresponds to a logical interface, that is, Eth-Trunk. Before configuring link
aggregation, create an Eth-Trunk.
Procedure
Step 1 Run system-view
On the S6720EI and S6720S-EI, you can run the assign trunk command to set the value, and
run the display trunk configuration command to check the configuration.
If the specified Eth-Trunk already exists, this command directly displays the Eth-Trunk
interface view.
----End
Context
Link aggregation can work in manual load balancing mode and LACP mode.
In manual load balancing mode, you must manually create an Eth-Trunk and add member
interfaces to the Eth-Trunk. All active links forward data and evenly load balance traffic. The
manual load balancing mode is used when the peer device does not support LACP.
If an Eth-Trunk interface has member interfaces, you can switch the Eth-Trunk interface's
working mode between manual mode and LACP mode. However, if the Eth-Trunk interface is
added to an E-Trunk, you cannot change its working mode.
To delete existing member interfaces, run the undo eth-trunk command in the interface view
or the undo trunkport interface-type interface-number command in the Eth-Trunk interface
view.
Procedure
Step 1 Run system-view
Before configuring an Eth-Trunk, ensure that both ends use the same working mode. If the
local end works in manual load balancing mode, the remote end must use the manual load
balancing mode.
----End
Context
Before adding member interfaces to an Eth-Trunk, you need to learn about the configuration
notes. See 4.5 Licensing Requirements and Limitations for Link Aggregation.
You can add member interfaces to an Eth-Trunk in the Eth-Trunk interface view or member
interface view.
Procedure
l Add member interfaces to an Eth-Trunk in the Eth-Trunk interface view.
a. Run system-view
The system view is displayed.
b. Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
c. (Optional) Run mixed-rate link enable
Interfaces with different rates are allowed to be added to the same Eth-Trunk.
By default, interfaces with different rates are not allowed to be added to the same
Eth-Trunk.
d. Run trunkport interface-type { interface-number1 [ to interface-number2 ] }
&<1-8> [ mode { active | passive } ]
A member interface is added to the Eth-Trunk.
NOTE
When you add member interfaces to an Eth-Trunk in a batch, if one interface fails to be
added to the Eth-Trunk, subsequent interfaces in the batch cannot be added to the Eth-Trunk.
l Add member interfaces to an Eth-Trunk in the member interface view.
a. Run system-view
The system view is displayed.
b. (Optional) Interfaces with different rates are allowed to be added to the same Eth-
Trunk.
i. Run the interface eth-trunk trunk-id command to enter the Eth-Trunk
interface view.
ii. Run the mixed-rate link enable command to allow the device to add
interfaces with different rates to the same Eth-Trunk.
By default, interfaces with different rates are not allowed to be added to the
same Eth-Trunk.
iii. Run the quit command to return to the system view.
----End
Context
The lower threshold for the number of active interfaces affects the status and bandwidth of an
Eth-Trunk. To ensure that the Eth-Trunk functions properly and is less affected by member
link status changes, set the lower threshold for the number of active interfaces.
When the number of active interfaces falls below the lower threshold, the Eth-Trunk goes
Down. This ensures that the Eth-Trunk has a minimum available bandwidth.
The upper threshold for the number of active interfaces is inapplicable to the manual load
balancing mode.
Procedure
Step 1 Run system-view
The lower threshold for the number of active interfaces on the local switch can be different
from that on the remote switch.
----End
Context
An Eth-Trunk uses flow-based load balancing. Flow-based load balancing ensures that frames
of the same data flow are forwarded on the same physical link. Different data flows are
forwarded on different physical links to implement load balancing.
You can configure a common load balancing mode in which IP addresses or MAC addresses
of packets are used to load balance packets; you can also configure an enhanced load
balancing mode for Layer 2 packets, IP packets, and MPLS packets.
Load balancing is valid only for outgoing traffic; therefore, the load balancing modes for the
interfaces at both ends of the link can be different and do not affect each other.
Only the S1720X, S1720X-E, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S5730SI, S5730S-
EI, S5720HI, S5720EI, S6720EI, and S6720S-EI support the enhanced load balancing mode.
On the S6720EI and S6720S-EI, when more than 16 member interfaces are configured using
the assign trunk { trunk-group group-number | trunk-member member-number } *
command, only the enhanced mode can be used for load balancing. If the enhanced mode is
not used, problems such as packet loss and uneven load balancing may occur.
If an incorrect load balancing mode is configured, traffic will be unevenly load balanced
among Eth-Trunk member interfaces. The following restrictions apply when configuring a
load balancing mode:
l In practical services, you need to configure a proper load balancing mode based on
traffic characteristics. When a parameter of traffic changes frequently, you can set the
load balancing mode based on this parameter to ensure that the traffic load is balanced
evenly. For example, if IP addresses in packets change frequently, use the load balancing
mode based on dst-ip, src-ip, or src-dst-ip so that traffic can be properly load balanced
among physical links. If MAC addresses in packets change frequently and IP addresses
are fixed, use the load balancing mode based on dst-mac, src-mac, or src-dst-mac so
that traffic can be properly load balanced among physical links.
l If most service traffic consists of MPLS packets, you need to set the enhanced load
balancing mode. You can run the mpls field command in the load balancing profile view
to configure the load balancing mode of MPLS packets.
l On a network where an Eth-Trunk and a stack are configured, if the local-preference
enable command is run to configure an Eth-Trunk interface to preferentially forward
local traffic, traffic arriving at the local device is preferentially forwarded through Eth-
Trunk member interfaces of the local device. If there is no Eth-Trunk member interface
on the local device, traffic is forwarded through Eth-Trunk member interfaces on another
device. This forwarding mode effectively saves bandwidth resources of member devices
in the stack and improves traffic forwarding efficiency.
Procedure
l Configure a common load balancing mode.
a. Run system-view
The system view is displayed.
b. Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
c. Run load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac }
A load balancing mode of the Eth-Trunk is set.
By default, load balancing of MPLS packets is based on the two outer labels
(top-label and 2nd-label) of each packet.
d. Run quit
----End
Procedure
l Run the display eth-trunk [ trunk-id [ interface interface-type interface-number |
verbose ] ] command to check the Eth-Trunk configuration.
l Run the display trunkmembership eth-trunk trunk-id command to check information
about Eth-Trunk member interfaces.
l Run the display eth-trunk [ trunk-id ] load-balance command to check the load
balancing mode of the Eth-Trunk.
l Run the display load-balance-profile [ profile-name ] command to check the load
balancing profile of the Eth-Trunk.
----End
Context
Generally, a switch supports a fixed maximum number of LAGs and a fixed maximum
number of member interfaces in each LAG. On the S6720EI and S6720S-EI, you can run the
assign trunk command to set the maximum number of LAGs and the maximum number of
member interfaces in each LAG, implementing flexible networking and meeting various
service requirements.
Procedure
Step 1 Run system-view
The system view is displayed.
----End
Context
Each LAG corresponds to a logical interface, that is, Eth-Trunk. Before configuring link
aggregation, create an Eth-Trunk.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface eth-trunk trunk-id
An Eth-Trunk is created and the Eth-Trunk interface view is displayed.
The value of trunk-id is as follows.
On the S6720EI and S6720S-EI, you can run the assign trunk command to set the value, and
run the display trunk configuration command to check the configuration.
If the specified Eth-Trunk already exists, this command directly displays the Eth-Trunk
interface view.
----End
Context
Link aggregation can work in manual mode or LACP mode depending on whether LACP is
used.
In LACP mode, you must manually create an Eth-Trunk and add interfaces to the Eth-Trunk.
However, LACP determines active interfaces through negotiation.
If an Eth-Trunk interface has member interfaces, you can switch the Eth-Trunk interface's
working mode between manual mode and LACP mode. However, if the Eth-Trunk interface is
added to an E-Trunk, you cannot change its working mode.
To delete existing member interfaces, run the undo eth-trunk command in the interface view
or the undo trunkport interface-type interface-number command in the Eth-Trunk interface
view.
Procedure
Step 1 Run system-view
Before configuring an Eth-Trunk, ensure that both ends use the same working mode. If the
local end works in LACP mode, the remote end must use the LACP mode.
----End
Procedure
l Add member interfaces to an Eth-Trunk in the Eth-Trunk interface view.
a. Run system-view
The system view is displayed.
b. Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
c. (Optional) Run mixed-rate link enable
Interfaces with different rates are allowed to be added to the same Eth-Trunk.
By default, interfaces with different rates are not allowed to be added to the same
Eth-Trunk.
d. Run trunkport interface-type { interface-number1 [ to interface-number2 ] }
&<1-8> [ mode { active | passive } ]
A member interface is added to the Eth-Trunk.
NOTE
When you add member interfaces to an Eth-Trunk in a batch, if one interface fails to be
added to the Eth-Trunk, subsequent interfaces in the batch cannot be added to the Eth-Trunk.
l Add member interfaces to an Eth-Trunk in the member interface view.
a. Run system-view
The system view is displayed.
b. (Optional) Interfaces with different rates are allowed to be added to the same Eth-
Trunk.
i. Run the interface eth-trunk trunk-id command to enter the Eth-Trunk
interface view.
ii. Run the mixed-rate link enable command to allow the device to add
interfaces with different rates to the same Eth-Trunk.
By default, interfaces with different rates are not allowed to be added to the
same Eth-Trunk.
iii. Run the quit command to return to the system view.
c. Run interface interface-type interface-number
The member interface view is displayed.
d. Run eth-trunk trunk-id [ mode { active | passive } ]
The member interface is added to an Eth-Trunk.
4.8.5 (Optional) Setting the Upper and Lower Thresholds for the
Number of Active Interfaces
Context
The number of Up member links affects the status and bandwidth of an Eth-Trunk. To ensure
that the Eth-Trunk functions properly and is less affected by member link status changes, set
the following thresholds.
l Lower threshold for the number of active interfaces: When the number of active
interfaces falls below this threshold, the Eth-Trunk goes Down. This guarantees the Eth-
Trunk a minimum available bandwidth.
l Upper threshold for the number of active interfaces: It is used for improving network
reliability with assured bandwidth. When the number of active interfaces reaches this
threshold, you can add new member interfaces to the Eth-Trunk, but excess member
interfaces enter the Down state.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run least active-linknumber link-number
The lower threshold for the number of active interfaces is set.
By default, the lower threshold for the number of active interfaces is 1.
The lower threshold for the number of active interfaces on the local device can be different
from that on the remote device. If the two values are different, the larger one is used.
Step 4 Run max active-linknumber link-number
The upper threshold for the number of active interfaces is set.
By default, the upper threshold for the number of active interfaces in an Eth-Trunk is 32 on
the S5720HI, 16 on the S1720X, S1720X-E, S5730SI, S5730S-EI, S6720LI, S6720S-LI,
S6720SI, and S6720S-SI, and 8 on other models.
On the S6720EI and S6720S-EI, you can run the assign trunk command to set the value, and
run the display trunk configuration command to check the configuration.
The upper thresholds configured by the max active-linknumber command on both ends must
be the same; otherwise, the Eth-Trunk status flaps if an active interface fails.
The upper threshold for the number of active interfaces must be greater than or equal to the
lower threshold for the number of active interfaces.
If the number of active interfaces is smaller than 8 and traffic on an Eth-Trunk is unevenly
load balanced, you can run the load-distribution active-linknumber-change command to
increase the number of interfaces in the Eth-Trunk where load balancing calculation is
performed so that traffic can be better load balanced among active links. Only the S1720GFR,
S1720GW, S1720GWR, S1720GW-E, S1720GWR-E, S2720EI, S2750EI, S5700LI, S5700S-
LI, S5710-X-LI, S5720LI, S5720S-LI, S5720SI, and S5720S-SI support this command.
NOTE
----End
Context
An Eth-Trunk uses flow-based load balancing. Flow-based load balancing ensures that frames
of the same data flow are forwarded on the same physical link. Different data flows are
forwarded on different physical links to implement load balancing.
You can configure a common load balancing mode in which IP addresses or MAC addresses
of packets are used to load balance packets; you can also configure an enhanced load
balancing mode for Layer 2 packets, IP packets, and MPLS packets.
Load balancing is valid only for outgoing traffic; therefore, the load balancing modes for the
interfaces at both ends of the link can be different and do not affect each other.
Only the S1720X, S1720X-E, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S5730SI, S5730S-
EI, S5720HI, S5720EI, S6720EI, and S6720S-EI support the enhanced load balancing mode.
On the S6720EI and S6720S-EI, when more than 16 member interfaces are configured using
the assign trunk { trunk-group group-number | trunk-member member-number } *
command, only the enhanced mode can be used for load balancing. If the enhanced mode is
not used, problems such as packet loss and uneven load balancing may occur.
If an incorrect load balancing mode is configured, traffic will be unevenly load balanced
among Eth-Trunk member interfaces. The following restrictions apply when configuring a
load balancing mode:
l In practical services, you need to configure a proper load balancing mode based on
traffic characteristics. When a parameter of traffic changes frequently, you can set the
load balancing mode based on this parameter to ensure that the traffic load is balanced
evenly. For example, if IP addresses in packets change frequently, use the load balancing
mode based on dst-ip, src-ip, or src-dst-ip so that traffic can be properly load balanced
among physical links. If MAC addresses in packets change frequently and IP addresses
are fixed, use the load balancing mode based on dst-mac, src-mac, or src-dst-mac so
that traffic can be properly load balanced among physical links.
l If most service traffic consists of MPLS packets, you need to set the enhanced load
balancing mode. You can run the mpls field command in the load balancing profile view
to configure the load balancing mode of MPLS packets.
l On a network where an Eth-Trunk and a stack are configured, if the local-preference
enable command is run to configure an Eth-Trunk interface to preferentially forward
local traffic, traffic arriving at the local device is preferentially forwarded through Eth-
Trunk member interfaces of the local device. If there is no Eth-Trunk member interface
on the local device, traffic is forwarded through Eth-Trunk member interfaces on another
device. This forwarding mode effectively saves bandwidth resources of member devices
in the stack and improves traffic forwarding efficiency.
Procedure
l Configure a common load balancing mode.
a. Run system-view
The system view is displayed.
b. Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
c. Run load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac }
A load balancing mode of the Eth-Trunk is set.
The default load balancing mode is src-dst-ip.
Other load balancing modes are as follows:
n dst-ip: based on destination IP addresses
n dst-mac: based on destination MAC addresses
n src-ip: based on source IP addresses
n src-mac: based on source MAC addresses
n src-dst-ip: based on the Exclusive-Or result of source and destination IP
addresses
n src-dst-mac: based on the Exclusive-Or result of source and destination MAC
addresses
NOTE
A load balancing profile is created and its view is displayed. Only one load
balancing profile can be created.
c. Run the following commands as required. You can configure load balancing modes
for Layer 2 packets, IPv4 packets, IPv6 packets, and MPLS packets respectively.
n Run l2 field [ dmac | l2-protocol | smac | sport | vlan ] *
A load balancing mode of Layer 2 packets is set.
By default, load balancing of Layer 2 packets is based on the source MAC
address (smac) and destination MAC address (dmac).
n Run ipv4 field [ dip | l4-dport | l4-sport | protocol | sip | sport | vlan ] *
A load balancing mode of IPv4 packets is set.
By default, load balancing of IPv4 packets is based on the source IP address
(sip) and destination IP address (dip).
n Run ipv6 field [ dip | l4-dport | l4-sport | protocol | sip | sport | vlan ] *
A load balancing mode of IPv6 packets is set.
By default, load balancing of IPv6 packets is based on the source IP address
(sip) and destination IP address (dip).
n Run mpls field [ 2nd-label | dip | dmac | sip | smac | sport | top-label | vlan ] *
NOTE
The preceding load balancing modes apply only to known unicast traffic. To configure a load
balancing mode for unknown unicast traffic, run the unknown-unicast load-balance { dmac |
smac | smacxordmac | enhanced } command in the system view. Only S5720EI, S5720HI,
S6720EI, and S6720S-EI support load balancing for unknown unicast traffic.
----End
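A simplified model of the common load balancing modes above, added here as an illustration and not taken from the guide or from the switch software. It assumes the member link is chosen as the key modulo the number of active links (the switch's real hash is not given on this page); the frames, MAC addresses, and interface names are constructed.

```python
import ipaddress
from collections import Counter

MODES = ("dst-ip", "dst-mac", "src-ip", "src-mac", "src-dst-ip", "src-dst-mac")


def _mac(mac: str) -> int:
    """Parse a MAC written as 00e0-fc12-3456 or 00:e0:fc:12:34:56."""
    return int(mac.replace("-", "").replace(":", ""), 16)


def _ip(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def flow_key(mode: str, frame: dict) -> int:
    """Value that a load-balance mode derives from one frame."""
    if mode == "dst-ip":
        return _ip(frame["dst_ip"])
    if mode == "src-ip":
        return _ip(frame["src_ip"])
    if mode == "src-dst-ip":  # Exclusive-Or of source and destination IP
        return _ip(frame["src_ip"]) ^ _ip(frame["dst_ip"])
    if mode == "dst-mac":
        return _mac(frame["dst_mac"])
    if mode == "src-mac":
        return _mac(frame["src_mac"])
    if mode == "src-dst-mac":  # Exclusive-Or of source and destination MAC
        return _mac(frame["src_mac"]) ^ _mac(frame["dst_mac"])
    raise ValueError(f"unknown load-balance mode: {mode}")


def pick_link(mode, frame, active_links):
    # Assumption: link index = key modulo number of active links.
    # Frames of one flow share a key, so they always use the same link.
    return active_links[flow_key(mode, frame) % len(active_links)]


def distribution(mode, frames, active_links):
    """Number of frames sent on each active member link."""
    counts = Counter({link: 0 for link in active_links})
    for frame in frames:
        counts[pick_link(mode, frame, active_links)] += 1
    return dict(counts)


def rank_modes(frames, active_links):
    """Sort modes by the share of frames on the busiest link (lower is better)."""
    ranked = []
    for mode in MODES:
        busiest = max(distribution(mode, frames, active_links).values())
        ranked.append((mode, busiest / len(frames)))
    return sorted(ranked, key=lambda item: (item[1], item[0]))


# Constructed sample: 16 clients behind one router talk to one server, so every
# frame on the Eth-Trunk carries the same source and destination MAC address.
LINKS = ["GE0/0/1", "GE0/0/2", "GE0/0/3", "GE0/0/4"]
FRAMES = [
    {"src_ip": f"10.1.1.{host}", "dst_ip": "10.2.2.10",
     "src_mac": "00e0-fc12-3456", "dst_mac": "00e0-fc65-4321"}
    for host in range(1, 17)
]

if __name__ == "__main__":
    for mode, share in rank_modes(FRAMES, LINKS):
        print(f"{mode:12s} busiest link carries {share:.0%}",
              distribution(mode, FRAMES, LINKS))
```

With this traffic, only the modes keyed on the changing field (the source IP address) spread frames over all four links; every MAC-based mode and dst-ip place all frames on one member link.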
Context
LACP system priority differentiates priorities of devices at both ends. In LACP mode, active
interfaces selected by devices at both ends must be consistent; otherwise, the LAG cannot be
set up. To keep active interfaces consistent at both ends, you can set the priority of one device
to be higher than that of the other device so that the other device can select active interfaces
according to those selected by the device with a higher priority.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run lacp priority priority
The LACP system priority is set.
A smaller LACP priority value indicates a higher priority. By default, the LACP system
priority is 32768.
The end with a smaller priority value functions as the Actor. If the two ends have the same
priority, the end with a smaller MAC address functions as the Actor.
----End
Context
In LACP mode, LACP interface priorities are set to prioritize interfaces of the same device.
Interfaces with higher priorities are selected as active interfaces.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The member interface view is displayed.
Step 3 Run lacp priority priority
The LACP priority of the member interface is configured.
By default, the LACP interface priority is 32768. A smaller priority value indicates a higher
LACP priority.
By default, the system selects active interfaces based on interface priorities. However, low-
speed member interfaces with high priorities may be selected as active interfaces. To select
high-speed member interfaces as active interfaces, run the lacp selected { priority | speed }
command to configure the system to select active interfaces based on the interface rate.
NOTE
If the max active-linknumber link-number command is run in the Eth-Trunk interface view, you need
to run the lacp preempt enable command to enable LACP preemption on the current Eth-Trunk
interface. Otherwise, interfaces with high LACP priorities may fail to be selected as active interfaces.
----End
Context
The LACP preemption function ensures that the interface with the highest LACP priority
always functions as an active interface. For example, suppose the interface with the highest
priority becomes inactive due to a failure. If LACP preemption is enabled, the interface
becomes active again after it recovers; if LACP preemption is disabled, the interface cannot
become an active interface after it recovers.
The LACP preemption delay is the period during which an inactive interface switches to
active. The LACP preemption delay prevents unstable data transmission on an Eth-Trunk link
due to frequent status changes of some links.
Procedure
Step 1 Run system-view
By default, the LACP preemption delay is 30 seconds. If the two devices of an Eth-Trunk use
different preemption delays, the longer preemption delay is used.
----End
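The Actor election, selection of active interfaces by priority or speed, active-interface thresholds, and preemption described in the preceding sections, modeled as an added example (not code from the guide or the switch software). Breaking ties between interfaces of equal priority by interface name is an assumption, and the devices and interfaces are constructed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Member:
    name: str
    priority: int = 32768      # default LACP interface priority stated on the page
    speed_mbps: int = 1000
    up: bool = True


def _mac(mac: str) -> int:
    return int(mac.replace("-", ""), 16)


def elect_actor(dev_a, dev_b):
    """Each device is (name, lacp_system_priority, mac).

    The smaller priority value wins; the smaller MAC address breaks a tie.
    """
    return min((dev_a, dev_b), key=lambda d: (d[1], _mac(d[2])))[0]


def select_active(members, max_active, selected="priority", preempt=True, current=()):
    """Names of the active interfaces chosen on the Actor.

    selected mirrors lacp selected { priority | speed }; max_active mirrors
    max active-linknumber. Tie-break by name is an assumption of this model.
    """
    up = [m for m in members if m.up]
    if selected == "speed":
        order = sorted(up, key=lambda m: (-m.speed_mbps, m.priority, m.name))
    else:
        order = sorted(up, key=lambda m: (m.priority, m.name))
    if not preempt:
        # Without preemption, links that are already active keep their place,
        # so a recovered high-priority interface is not selected again.
        order = ([m for m in order if m.name in current]
                 + [m for m in order if m.name not in current])
    return [m.name for m in order[:max_active]]


def trunk_state(active, least_local=1, least_remote=1):
    """Eth-Trunk goes Down below the lower threshold; the larger value applies."""
    return "Up" if len(active) >= max(least_local, least_remote) else "Down"


def fail_and_recover(members, failing, max_active, preempt):
    """Active sets before a member fails, while it is down, and after it recovers."""
    before = select_active(members, max_active, preempt=preempt)
    failed = [replace(m, up=False) if m.name == failing else m for m in members]
    during = select_active(failed, max_active, preempt=preempt, current=before)
    after = select_active(members, max_active, preempt=preempt, current=during)
    return before, during, after


# Constructed members: two prioritized links and one at the default priority.
MEMBERS = [Member("GE0/0/1", priority=100), Member("GE0/0/2", priority=200),
           Member("GE0/0/3")]

if __name__ == "__main__":
    print(elect_actor(("SwitchA", 100, "00e0-fc00-0002"),
                      ("SwitchB", 32768, "00e0-fc00-0001")))
    for preempt in (True, False):
        print("preempt" if preempt else "no preempt",
              fail_and_recover(MEMBERS, "GE0/0/1", 2, preempt))
```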
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run lacp timeout { fast [ user-defined user-defined ] | slow }
The timeout interval at which LACPDUs are received is set.
By default, the timeout interval at which an Eth-Trunk receives LACPDUs is 90 seconds.
l After you run the lacp timeout command, the local end notifies the remote end of the
timeout interval by sending LACPDUs. When fast is specified, the interval for sending
LACPDUs is 1 second. When slow is specified, the interval for sending LACPDUs is 30
seconds.
l The timeout interval for receiving LACPDUs is three times the interval for sending
LACPDUs. When fast is specified, the timeout interval for receiving LACPDUs is 3
seconds. When slow is specified, the timeout interval for receiving LACPDUs is 90
seconds.
l You can use different modes of the timeout interval at the two ends. However, to
facilitate maintenance, you are advised to use the same mode at both ends.
l Each member interface in an Eth-Trunk processes a maximum of 20 LACPDUs every
second; a switch processes a maximum of 100 LACPDUs every second. Extra
LACPDUs are discarded.
----End
Context
In Figure 4-19, two interfaces of two network adapters on a server are directly connected to a
switch. The switch is configured with an Eth-Trunk in LACP mode. The process on the server
is as follows:
1. The server configures an IP address for Interface1 based on the default configuration during
startup, and sends a request to the remote file server through Interface1 and downloads
the configuration file from the remote file server.
2. After the configuration file is downloaded successfully, the server aggregates two
interfaces according to the configuration file. The server uses the two interfaces as Eth-
Trunk member interfaces to perform LACP negotiation with the switch.
Before the server obtains the configuration file, Interface1 is an independent physical
interface and is not configured with LACP. As a result, LACP negotiation on the switch
interface fails. The switch does not forward traffic on the Eth-Trunk, and the server cannot
download the configuration file through Interface1. In this case, the server cannot
communicate with the switch.
To address this issue, run the lacp force-forward command on the Eth-Trunk of the switch.
The Eth-Trunk member interface in Up state can still forward data packets even though the
remote device is not enabled with LACP.
Procedure
Step 1 Run system-view
The Eth-Trunk member interface in Up state is configured to forward data packets when the
remote interface does not join the Eth-Trunk.
By default, an Eth-Trunk member interface in Up state cannot forward data packets when the
remote interface does not join the Eth-Trunk.
NOTE
l When this command is used, Layer 3 forwarding is not supported but the member interface in ForceFwd
state can forward Layer 2 traffic. The ForceFwd state is automatically set when LACP negotiation fails,
and cannot be changed manually. You can use the display eth-trunk command to check the value of the
Status field.
l This command applies only to the scenario where an Eth-Trunk joins a VLAN as an access, hybrid, trunk,
or dot1q-tunnel interface.
l When a spanning tree protocol (for example, STP, RSTP, or MSTP) is used, the member interface in
ForceFwd state cannot be blocked. That is, the member interface in ForceFwd state can continue to
forward data packets. When other loop prevention protocols such as ERPS and RRPP are used, the
member interface in ForceFwd state can be blocked. The blocked member interface in ForceFwd state
cannot forward data packets.
l This command cannot be used with E-Trunk. That is, this command cannot be used on the Eth-Trunk that
joins an E-Trunk.
l This command cannot be used with max active-linknumber or least active-linknumber.
----End
Procedure
l Run the display eth-trunk [ trunk-id [ interface interface-type interface-number |
verbose ] ] command to check the Eth-Trunk configuration.
l Run the display trunkmembership eth-trunk trunk-id command to check information
about Eth-Trunk member interfaces.
l Run the display eth-trunk [ trunk-id ] load-balance command to check the load
balancing mode of the Eth-Trunk.
l Run the display load-balance-profile [ profile-name ] command to check the load
balancing profile of the Eth-Trunk.
----End
Prerequisites
NOTE
(MEP), and test instance. For details, see Y.1731 Configuration in S1720, S2700, S5700,
and S6720 V200R011C10 Configuration Guide - Reliability. In this scenario, note the
following points:
– The map vlan vlan-id command cannot be used to bind an MA to a VLAN.
– Only the outward-facing MEP can be created.
Context
As shown in Figure 4-20, when no service is bound to the MA, an Eth-Trunk interface in
LACP mode is configured on two devices. interface1 where the MEP resides is the interface
of the Eth-Trunk interface's primary link. Configure thresholds for the delay and frame loss
ratio on interface1. If Y.1731 detects that the primary link has poor quality, interface1 is
triggered to go ETHOAM down. To ensure that services are not interrupted, associate the
secondary member interface of the Eth-Trunk interface in LACP mode with its primary
member interface. The secondary link then preempts the primary state, implementing an
automatic primary/secondary link switchover.
When the primary link's quality recovers, you can manually enable forcible switching if no
preemption is configured or preemption is enabled but the delay is not reached.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The primary member interface view of an Eth-Trunk interface's Actor is displayed.
Step 3 Run the following commands to configure an interface based on site requirements.
1. Run delay-measure two-way { delay-threshold | variation-threshold } test-id test-id
trigger if-down
The interface is triggered to go ETHOAM down when the delay or delay variation based
on a test instance ID exceeds a specified threshold.
2. Run loss-measure single-ended-synthetic { local-ratio-threshold | remote-ratio-
threshold } test-id test-id trigger if-down
The interface is triggered to go ETHOAM down when the near- or far-end frame loss
ratio based on a test instance ID exceeds a specified threshold.
Step 4 Run quit
Return to the system view.
Step 5 Run interface interface-type interface-number
The secondary member interface view of an Eth-Trunk interface's Actor is displayed.
----End
Context
You can configure an Eth-Trunk to preferentially forward local traffic (or not) in the following
scenarios:
l If active interfaces in the local Eth-Trunk have sufficient bandwidth to forward traffic on
the local device, configure the Eth-Trunk to preferentially forward local traffic, which
improves traffic forwarding efficiency and increases bandwidth use efficiency between
stack devices.
l If active interfaces in the local Eth-Trunk do not have sufficient bandwidth to forward
traffic on the local device, configure the Eth-Trunk not to preferentially forward local
interface traffic. Some traffic on the local device is forwarded through member interfaces
of an Eth-Trunk on another device. This prevents packet loss.
NOTE
Pre-configuration Tasks
Before configuring an Eth-Trunk to preferentially forward local traffic, complete the
following tasks:
l Create an Eth-Trunk and add physical interfaces to the Eth-Trunk.
l Establish a stack.
l Ensure that member interfaces of the local Eth-Trunk have sufficient bandwidth to
forward local traffic.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface eth-trunk trunk-id
The view of the Eth-Trunk that needs to be configured to preferentially forward local traffic is
displayed.
NOTE
This function is only valid for known unicast packets, and is invalid for unknown unicast packets,
broadcast packets, and multicast packets.
----End
Context
If Layer 2 switching devices belong to different VLANs, and hosts in the VLANs need to
communicate with each other, you need to create sub-interfaces on the Eth-Trunk connecting
a Layer 3 device to a Layer 2 switching device, bind a VLAN to each sub-interface, and
configure an IP address for each sub-interface.
After the configuration is complete, hosts in the VLANs can use these sub-interfaces to
communicate with each other. Eth-Trunk sub-interfaces can be configured to terminate Dot1q
and QinQ VLAN tags.
After Layer 2 Eth-Trunk sub-interfaces are configured, the Eth-Trunk provides Layer 2
functions and the sub-interfaces provide Layer 3 functions.
NOTE
Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support the Eth-Trunk sub-interface.
Procedure
Step 1 Run system-view
subnumber specifies the number of a sub-interface. The value ranges from 1 to 4096.
NOTE
l Only the S6720EI, S6720S-EI, S5720HI, and S5720EI support Ethernet sub-interfaces.
l Only hybrid and trunk interfaces on the preceding switches support Ethernet sub-interface
configuration.
l After you run the undo portswitch command to switch Layer 2 interfaces on the preceding series of
switches into Layer 3 interfaces, you can configure Ethernet sub-interfaces on the interfaces.
l After an interface is added to an Eth-Trunk, sub-interfaces cannot be configured on the interface.
l VLAN termination sub-interfaces cannot be created on a VCMP client.
When configuring multiple IP addresses for an Eth-Trunk sub-interface, use the sub keyword
to indicate the IP addresses configured after the first one.
----End
Only the S1720X, S1720X-E, S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720LI,
S6720S-LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support the E-Trunk.
Context
In an E-Trunk, the two PEs must be configured with the same LACP system ID and priority
so that the CE considers the two PEs as one device.
Procedure
Step 1 Run system-view
By default, the MAC address of an Ethernet interface is used as the LACP system ID.
The master and backup devices in an E-Trunk must use the same LACP system ID.
The master and backup devices in an E-Trunk must use the same LACP priority.
----End
Context
The E-Trunk priority determines whether an E-Trunk member device is the master or backup
device.
Procedure
Step 1 Run system-view
An E-Trunk is created and the E-Trunk view is displayed, or the view of an existing E-Trunk
is displayed directly.
The member devices in an E-Trunk must be configured with the same E-Trunk ID.
The E-Trunk priority is used for master/backup negotiation between two devices. The device
with a higher priority is the master. A smaller priority value indicates a higher E-Trunk
priority.
If the two devices have the same priority, the device with a smaller system ID is the master.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run e-trunk e-trunk-id
The E-Trunk view is displayed.
Step 3 Run peer-address peer-ip-address source-address source-ip-address
The local and remote IP addresses of the E-Trunk are configured.
The remote IP address of the local device must be the same as the local IP address of the
remote device. For example, when an E-Trunk is created between device A and device B and
the local and remote IP addresses on device A are 10.1.1.1 and 10.2.2.2 respectively, the local
and remote IP addresses on device B must be 10.2.2.2 and 10.1.1.1 respectively.
----End
NOTE
Only the S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S5720EI, S5720HI, S6720EI,
and S6720S-EI support this function.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run e-trunk e-trunk-id
The E-Trunk view is displayed.
Step 3 Run e-trunk track bfd-session session-name bfd-session-name
BFD sessions are used to quickly detect faults on the link between the two E-Trunk member devices.
When a BFD session is bound with E-Trunk, the system does not allow the bound BFD
session to be deleted by default. To delete the bound BFD session, run the bfd session
nonexistent-config-check disable command to disable the device from checking whether the
bound BFD session is deleted.
----End
Context
After you configure an E-Trunk, add Eth-Trunks to the E-Trunk. Then the E-Trunk
implements backup of LAGs between the two member devices to enhance network reliability.
Procedure
Step 1 Run system-view
On two E-Trunk member devices, the IDs of the Eth-Trunks added to the E-Trunk can be
different. When adding Eth-Trunks with different IDs in LACP mode on PEs to an E-Trunk,
you must specify remote-eth-trunk so that the E-Trunk can work normally.
----End
Context
You can configure the working mode for only the Eth-Trunks that have been added to an E-
Trunk. The working mode of an Eth-Trunk can be automatic, forced master, or forced backup.
Procedure
Step 1 Run system-view
The e-trunk mode command is valid only for the Eth-Trunk in an E-Trunk. When the Eth-
Trunk is deleted from the E-Trunk, the configuration is deleted automatically.
When an Eth-Trunk works in automatic mode, its master/backup status depends on the E-
Trunk status of the local device and fault information of the remote Eth-Trunk.
l If the local E-Trunk is the master, the local Eth-Trunk works in master state.
l If the local E-Trunk is the backup and the remote member Eth-Trunk fails, the local Eth-
Trunk works in master state. When the local Eth-Trunk receives a notification that the
remote Eth-Trunk has recovered, the local Eth-Trunk becomes the backup.
NOTE
During E-Trunk running, changing the hello packet sending interval or timeout interval will cause the E-
Trunk to alternate between the master and the backup. Before changing the hello packet sending interval or
timeout interval, you are advised to configure member Eth-Trunks to work in forcible master/backup state.
After the new configuration takes effect, restore the working mode to automatic.
----End
Context
You can set a password for encrypting E-Trunk packets transmitted over an E-Trunk link to
enhance system security. The two member devices of an E-Trunk must use the same
password.
Procedure
Step 1 Run system-view
If simple is specified, the password is saved in plain text in the configuration file. In this case,
lower-level users can obtain the password by querying the configuration file, which poses a
security risk. You are advised to specify cipher so that the password is saved in cipher text.
To ensure device security, change the password periodically.
----End
NOTE
During E-Trunk running, changing the hello packet sending interval or timeout interval will cause the E-
Trunk to alternate between the master and the backup. Before changing the hello packet sending interval or
timeout interval, you are advised to configure member Eth-Trunks to work in forcible master/backup state.
After the new configuration takes effect, restore the working mode to automatic.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run e-trunk e-trunk-id
The E-Trunk view is displayed.
Step 3 Run timer hello hello-times
The interval for sending hello packets is set.
By default, the value of hello-times is 10. The unit is 100 ms, so the default interval is 1 second.
Step 4 Run timer hold-on-failure multiplier multiplier
The time multiplier for detecting hello packets is set.
The remote device checks the timeout interval in the received hello packet to check whether
the local device times out. If the remote device is the backup and does not receive hello
packets from the local device within the timeout interval, the remote device becomes the
master.
The timeout interval is calculated using the following formula:
Timeout interval = Interval for sending hello packets x Time multiplier
The default time multiplier is 20. It is recommended that you set the time multiplier to 3 or
more.
----End
Context
In a scenario where an E-Trunk works with other services, a member Eth-Trunk may be
restored earlier than other services after the faulty master device recovers. If traffic is
immediately switched back to the master device, service traffic will be interrupted.
Setting the revertive switching delay prevents this problem. After the revertive switching
delay is set, the local Eth-Trunk becomes Up only after the delay timer expires. Then the local
device becomes the master again.
Procedure
Step 1 Run system-view
----End
Context
On devices of an E-Trunk, disable revertive switching on the E-Trunk when the faulty master
device recovers to prevent loss of traffic that is switched back.
Procedure
Step 1 Run system-view
----End
Context
If the master device in an E-Trunk fails, to prevent an attacker from obtaining the E-Trunk
packet sent by the master device and attacking the backup device, enable the E-Trunk
sequence number check function.
Procedure
Step 1 Run system-view
The sequence enable command must be run on both the master and backup devices in an E-
Trunk. Otherwise, the E-Trunk sequence number check function fails, causing dual master
devices in the E-Trunk.
----End
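The pairing rules stated in the preceding procedures (mirrored peer-address and source-address, sequence enable on both member devices, and the hello timeout formula) can be checked offline against saved configurations. The following Python script is an added example, not part of the original guide; the sample stanzas are constructed, and the one-space indentation of commands inside the e-trunk view is an assumption about the saved-configuration layout.

```python
import ipaddress
import re

DEFAULT_HELLO = 10       # timer hello default, in units of 100 ms
DEFAULT_MULTIPLIER = 20  # timer hold-on-failure multiplier default

# Constructed sample stanzas (not taken from a real device). Assumption:
# commands inside the e-trunk view are indented by one space.
DEVICE_A = """\
#
e-trunk 1
 peer-address 10.2.2.2 source-address 10.1.1.1
 timer hello 10
 timer hold-on-failure multiplier 20
 sequence enable
#
"""
DEVICE_B = """\
#
e-trunk 1
 peer-address 10.1.1.1 source-address 10.2.2.3
 timer hello 5
 timer hold-on-failure multiplier 2
#
"""


def parse_etrunks(config_text):
    """Return {e-trunk-id: settings} for each top-level e-trunk stanza."""
    trunks, cur = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():
            # A top-level line either opens an e-trunk stanza or ends one.
            m = re.fullmatch(r"e-trunk (\d+)", line)
            cur = None
            if m:
                cur = trunks.setdefault(int(m.group(1)), {
                    "peer": None, "source": None, "sequence": False,
                    "hello": DEFAULT_HELLO, "multiplier": DEFAULT_MULTIPLIER})
            continue
        if cur is None:
            continue
        if m := re.fullmatch(r"peer-address (\S+) source-address (\S+)", line):
            cur["peer"] = ipaddress.ip_address(m.group(1))
            cur["source"] = ipaddress.ip_address(m.group(2))
        elif m := re.fullmatch(r"timer hello (\d+)", line):
            cur["hello"] = int(m.group(1))
        elif m := re.fullmatch(r"timer hold-on-failure multiplier (\d+)", line):
            cur["multiplier"] = int(m.group(1))
        elif line == "sequence enable":
            cur["sequence"] = True
    return trunks


def timeout_ms(settings):
    """Timeout interval = interval for sending hello packets x time multiplier."""
    return settings["hello"] * 100 * settings["multiplier"]


def check_pair(cfg_a, cfg_b):
    """Compare two member devices; return (e-trunk-id, code, detail) findings."""
    a, b = parse_etrunks(cfg_a), parse_etrunks(cfg_b)
    findings = []
    for tid in sorted(set(a) | set(b)):
        if tid not in a or tid not in b:
            findings.append((tid, "ID_MISSING_ON_PEER",
                             "member devices must use the same E-Trunk ID"))
            continue
        sa, sb = a[tid], b[tid]
        if None in (sa["peer"], sa["source"], sb["peer"], sb["source"]):
            findings.append((tid, "ADDRESS_UNSET", "peer-address is not configured"))
        elif sa["peer"] != sb["source"] or sa["source"] != sb["peer"]:
            findings.append((tid, "ADDRESS_NOT_MIRRORED",
                             f"A {sa['source']}->{sa['peer']}, "
                             f"B {sb['source']}->{sb['peer']}"))
        if sa["sequence"] != sb["sequence"]:
            # The guide warns that a one-sided setting causes dual masters.
            findings.append((tid, "SEQUENCE_ONE_SIDED",
                             "sequence enable must be run on both devices"))
        elif not sa["sequence"]:
            findings.append((tid, "SEQUENCE_DISABLED",
                             "sequence number check is not enabled"))
        for name, s in (("A", sa), ("B", sb)):
            if s["multiplier"] < 3:  # the guide recommends 3 or more
                findings.append((tid, "LOW_MULTIPLIER",
                                 f"device {name}: multiplier {s['multiplier']}, "
                                 f"timeout {timeout_ms(s)} ms"))
    return findings


if __name__ == "__main__":
    for finding in check_pair(DEVICE_A, DEVICE_B):
        print(finding)
```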
Procedure
l Run the display e-trunk e-trunk-id command to check E-Trunk information.
----End
l Displaying the Eth-Trunk configuration: Run the display eth-trunk [ trunk-id [ interface
interface-type interface-number | verbose ] ] command to check the Eth-Trunk configuration.
l Displaying the Eth-Trunk status: Run the display interface eth-trunk [ trunk-id ] command.
l Displaying statistics on received and sent LACPDUs in LACP mode: Run the display lacp
statistics eth-trunk [ trunk-id [ interface interface-type interface-number ] ] command.
l Clearing LACPDU statistics: Run the reset lacp statistics eth-trunk [ trunk-id [ interface
interface-type interface-number ] ] command in the user view.
NOTICE
The cleared LACPDU statistics cannot be restored.
Networking Requirements
In Figure 4-22, SwitchA and SwitchB connect to devices in VLAN 10 and VLAN 20 through
Ethernet links, and heavy traffic is transmitted between SwitchA and SwitchB.
SwitchA and SwitchB can provide higher link bandwidth to implement inter-VLAN
communication. Data transmission and link reliability need to be ensured.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk and add member interfaces to the Eth-Trunk to increase link
bandwidth.
Procedure
Step 1 Create an Eth-Trunk on SwitchA and SwitchB, and add member interfaces to the Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 0/0/1 to 0/0/3
[SwitchA-Eth-Trunk1] quit
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] interface eth-trunk 1
[SwitchB-Eth-Trunk1] trunkport gigabitethernet 0/0/1 to 0/0/3
[SwitchB-Eth-Trunk1] quit
# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass through. The
configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned
here.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] port link-type trunk
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 10 20
[SwitchA-Eth-Trunk1] quit
Step 3 Configure a load balancing mode for Eth-Trunk 1. The configuration of SwitchB is similar to
the configuration of SwitchA, and is not mentioned here.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] load-balance src-dst-mac
[SwitchA-Eth-Trunk1] quit
The preceding command output shows that Eth-Trunk 1 has three member interfaces:
GigabitEthernet0/0/1, GigabitEthernet0/0/2, and GigabitEthernet0/0/3. The member interfaces
are all in Up state. The Operate status of Eth-Trunk 1 is Up.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
load-balance src-dst-mac
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 20
#
return
Networking Requirements
In Figure 4-23, SwitchA and SwitchB connect to devices in VLAN 10 and VLAN 20 through
Ethernet links, and heavy traffic is transmitted between SwitchA and SwitchB. The link
between SwitchA and SwitchB is required to provide high bandwidth to implement inter-
VLAN communication. Link aggregation in LACP mode is configured on SwitchA and
SwitchB to improve the bandwidth and reliability. The following requirements must be met:
Figure 4-23 Networking diagram for configuring link aggregation in LACP mode
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk and configure the Eth-Trunk to work in LACP mode to implement
link aggregation.
2. Add member interfaces to the Eth-Trunk.
3. Set the LACP system priority and determine the Actor so that the Partner selects active
interfaces based on the Actor interface priority.
4. Set the upper threshold for the number of active interfaces to improve reliability.
5. Set LACP interface priorities and determine active interfaces so that interfaces with
higher priorities are selected as active interfaces.
6. Create VLANs and add interfaces to the VLANs.
Procedure
Step 1 Create Eth-Trunk 1 on SwitchA and configure Eth-Trunk 1 to work in LACP mode. The
configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned
here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] mode lacp
[SwitchA-Eth-Trunk1] quit
Step 2 Add member interfaces to Eth-Trunk 1 on SwitchA. The configuration of SwitchB is similar
to the configuration of SwitchA, and is not mentioned here.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] eth-trunk 1
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] eth-trunk 1
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] eth-trunk 1
[SwitchA-GigabitEthernet0/0/3] quit
Step 3 Set the system priority on SwitchA to 100 so that SwitchA becomes the Actor.
[SwitchA] lacp priority 100
Step 4 On SwitchA, set the upper threshold for the number of active interfaces to 2.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] max active-linknumber 2
[SwitchA-Eth-Trunk1] quit
Step 5 Set the LACP interface priority and determine active links on SwitchA.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] lacp priority 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] lacp priority 100
[SwitchA-GigabitEthernet0/0/2] quit
# Create VLAN 10 and VLAN 20 and add interfaces to VLAN 10 and VLAN 20. The
configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned
here.
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/4] quit
[SwitchA] interface gigabitethernet 0/0/5
[SwitchA-GigabitEthernet0/0/5] port link-type trunk
[SwitchA-GigabitEthernet0/0/5] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet0/0/5] quit
# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass through. The
configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned
here.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] port link-type trunk
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 10 20
[SwitchA-Eth-Trunk1] quit
Partner:
--------------------------------------------------------------------------------
ActorPortName          SysPri  SystemID        PortPri  PortNo  PortKey  PortState
GigabitEthernet0/0/1   32768   00e0-fca6-7f85  32768    6145    2609     11111100
GigabitEthernet0/0/2   32768   00e0-fca6-7f85  32768    6146    2609     11111100
GigabitEthernet0/0/3   32768   00e0-fca6-7f85  32768    6147    2609     11110000
[SwitchB] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: LACP
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 32768 System ID: 00e0-fca6-7f85
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName          Status    PortType  PortPri  PortNo  PortKey  PortState  Weight
GigabitEthernet0/0/1   Selected  1GE       32768    6145    2609     11111100   1
GigabitEthernet0/0/2   Selected  1GE       32768    6146    2609     11111100   1
GigabitEthernet0/0/3   Unselect  1GE       32768    6147    2609     11100000   1
Partner:
--------------------------------------------------------------------------------
ActorPortName          SysPri  SystemID        PortPri  PortNo  PortKey  PortState
GigabitEthernet0/0/1   100     00e0-fca8-0417  100      6145    2865     11111100
GigabitEthernet0/0/2   100     00e0-fca8-0417  100      6146    2865     11111100
GigabitEthernet0/0/3   100     00e0-fca8-0417  32768    6147    2865     11110000
The preceding information shows that the LACP system priority of SwitchA is 100, which is
higher than the LACP system priority of SwitchB. Member interfaces GigabitEthernet0/0/1
and GigabitEthernet0/0/2 become the active interfaces and are in Selected state. Interface
GigabitEthernet0/0/3 is in Unselect state. Two links are active and work in load balancing
mode, and one link is the backup link.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
lacp priority 100
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
mode lacp
max active-linknumber 2
#
interface GigabitEthernet0/0/1
eth-trunk 1
lacp priority 100
#
interface GigabitEthernet0/0/2
eth-trunk 1
lacp priority 100
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 20
#
return
On the network shown in Figure 4-24, Switch3 and Switch4 are connected through stack
cables to increase the total capacity. The two switches are considered as one logical switch. To
improve reliability, physical interfaces on the two switches are added to an Eth-Trunk. When
the network runs properly, traffic from VLAN 2 is forwarded through GE1/0/1 and GE1/0/2,
and traffic from VLAN 3 is forwarded through GE1/0/1 and GE1/0/2. This increases
bandwidth use efficiency between devices and reduces traffic forwarding efficiency.
To improve traffic forwarding efficiency, traffic from VLAN 2 should be forwarded through
GE1/0/1 and traffic from VLAN 3 should be forwarded through GE1/0/2. To achieve this
goal, configure the Eth-Trunk to preferentially forward local traffic.
Figure 4-24 Preferentially forwarding traffic through the local member interface
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk.
2. Add member interfaces to the Eth-Trunk.
3. Configure the Eth-Trunk to preferentially forward local traffic.
4. Configure the Layer 2 forwarding function.
Procedure
Step 1 Create an Eth-Trunk and configure the Eth-Trunk to allow packets from all VLANs to pass
through.
# Configure the stack.
<HUAWEI> system-view
[HUAWEI] sysname Stack
[Stack] interface eth-trunk 10
[Stack-Eth-Trunk10] port link-type trunk
[Stack-Eth-Trunk10] port trunk allow-pass vlan all
[Stack-Eth-Trunk10] quit
Step 3 In the stack view, configure the Eth-Trunk to preferentially forward local traffic.
[Stack] interface eth-trunk 10
[Stack-Eth-Trunk10] local-preference enable
[Stack-Eth-Trunk10] quit
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 2
[Switch1-vlan2] quit
[Switch1] interface gigabitethernet 0/0/1
[Switch1-GigabitEthernet0/0/1] port link-type trunk
[Switch1-GigabitEthernet0/0/1] port trunk allow-pass vlan 2
[Switch1-GigabitEthernet0/0/1] quit
[Switch1] interface gigabitethernet 0/0/2
[Switch1-GigabitEthernet0/0/2] port link-type trunk
[Switch1-GigabitEthernet0/0/2] port trunk allow-pass vlan 2
[Switch1-GigabitEthernet0/0/2] quit
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan 3
[Switch2-vlan3] quit
[Switch2] interface gigabitethernet 0/0/1
[Switch2-GigabitEthernet0/0/1] port link-type trunk
[Switch2-GigabitEthernet0/0/1] port trunk allow-pass vlan 3
[Switch2-GigabitEthernet0/0/1] quit
[Switch2] interface gigabitethernet 0/0/2
[Switch2-GigabitEthernet0/0/2] port link-type trunk
[Switch2-GigabitEthernet0/0/2] port trunk allow-pass vlan 3
[Switch2-GigabitEthernet0/0/2] quit
----End
Configuration Files
l Stack configuration file
#
sysname Stack
#
vlan batch 2 3
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet2/0/3
port link-type trunk
port trunk allow-pass vlan 3
#
interface GigabitEthernet1/0/4
eth-trunk 10
#
interface GigabitEthernet2/0/4
eth-trunk 10
#
return
l PE configuration file
#
sysname PE
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/2
eth-trunk 10
#
return
Fault Description
Traffic is unevenly load balanced among Eth-Trunk member interfaces due to the incorrect
load balancing mode.
Procedure
1. Run the display eth-trunk command to check whether the load balancing mode of the
Eth-Trunk meets networking requirements. For example, source or destination IP
address-based load balancing is not recommended in Layer 2 networking.
Fault Description
The Eth-Trunk is Down because the lower threshold for the number of active interfaces is
incorrect.
Procedure
1. Run the display eth-trunk trunk-id command to check whether the lower threshold for
the number of active interfaces of an Eth-Trunk is set.
If the number of Eth-Trunk member interfaces in Up state is lower than the lower
threshold, the Eth-Trunk becomes Down.
2. Run the least active-linknumber link-number command to configure the lower
threshold for the number of active interfaces of an Eth-Trunk to be smaller than the
number of Eth-Trunk member interfaces in Up state.
The local and remote devices can use different lower thresholds for the number of active
interfaces. If the lower thresholds are different, a larger value is used.
5 VLAN Configuration
This chapter describes how to configure VLANs. VLANs provide broadcast domain isolation,
security hardening, flexible networking, and high extensibility.
Definition
Virtual Local Area Network (VLAN) technology divides a physical LAN into multiple
broadcast domains, each of which is called a VLAN.
Purpose
Ethernet technology implements data communication over shared media based on Carrier
Sense Multiple Access/Collision Detection (CSMA/CD). When an Ethernet network has a
large number of hosts, collision becomes a serious problem and can lead to broadcast storms.
As a result, network performance deteriorates, and the network can even break down completely.
Using switches to connect LANs can mitigate collisions, but cannot isolate broadcast packets
or improve network quality.
VLAN technology divides a physical LAN into multiple VLANs to isolate broadcast
domains. Hosts within a VLAN can communicate with each other but cannot communicate
directly with hosts in other VLANs. Consequently, broadcast packets are confined to within a
single VLAN.
Figure 5-1 shows a typical VLAN networking environment. Two switches are deployed in
different locations (for example, on different floors of a building). Each switch is connected to
two PCs belonging to different VLANs, which likely belong to different entities or
companies.
Benefits
VLAN technology offers the following benefits:
l Limits broadcast domains. Broadcast domains are limited to conserve bandwidth and
improve network efficiency.
l Enhances LAN security. Packets from different VLANs are transmitted separately. Hosts
in a VLAN cannot communicate directly with hosts in another VLAN.
l Improves network robustness. A fault in a VLAN does not affect hosts in other VLANs.
l Allows flexible definition of virtual groups. With VLAN technology, hosts in different
geographical locations can be grouped together, thereby simplifying network
construction and maintenance.
A VLAN tag contains four fields. Table 5-1 describes the fields.
l TPID (2 bytes): Tag Protocol Identifier (TPID), indicating the frame type. The value 0x8100
indicates an 802.1Q-tagged frame. An 802.1Q-incapable device discards the 802.1Q frames.
IEEE 802.1Q protocol defines the value of the field as 0x8100. However, manufacturers can
define their own TPID values and users can then modify the value to realize interconnection
of devices from different manufacturers.
l PRI (3 bits): Priority (PRI), indicating the frame priority. The value ranges from 0 to 7. A
larger value indicates a higher priority. If congestion occurs, the switch sends packets with
higher priorities first.
l CFI (1 bit): Canonical Format Indicator (CFI), indicating whether a MAC address is
encapsulated in canonical format over different transmission media. CFI is used to ensure
compatibility between Ethernet and token ring networks. The value 0 indicates that the MAC
address is encapsulated in canonical format, and the value 1 indicates that the MAC address
is encapsulated in non-canonical format. The CFI field has a fixed value of 0 on Ethernet
networks.
l VID (12 bits): VLAN ID (VID), indicating the VLAN to which a frame belongs. VLAN IDs
range from 0 to 4095. The values 0 and 4095 are reserved, and therefore valid VLAN IDs
range from 1 to 4094.
The switch identifies the VLAN that a frame belongs to according to the information
contained in the VID field. Broadcast frames are forwarded only in the local VLAN. That is, a
broadcast domain is confined to within a single VLAN.
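The tag layout in Table 5-1 can be decoded directly from a captured frame. The following Python parser is an added example, not part of the original guide; the frames are constructed, the function names are hypothetical, and the allowed-VLAN set mirrors the port trunk allow-pass vlan 10 20 setting used in the earlier configuration examples.

```python
import struct

TPID_8021Q = 0x8100  # value defined by IEEE 802.1Q; vendors may use another


def parse_vlan_tag(frame, tpid=TPID_8021Q):
    """Decode the 4-byte VLAN tag that follows the two 6-byte MAC addresses.

    Returns None for an untagged frame (bytes 12-13 are not the expected TPID)
    and raises ValueError when the frame is too short to hold the tag.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (found_tpid,) = struct.unpack_from("!H", frame, 12)
    if found_tpid != tpid:
        return None
    if len(frame) < 18:
        raise ValueError("truncated VLAN tag")
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    vid = tci & 0x0FFF                    # low 12 bits
    return {
        "tpid": found_tpid,
        "pri": tci >> 13,                 # top 3 bits
        "cfi": (tci >> 12) & 1,           # 1 bit
        "vid": vid,
        "vid_valid": 1 <= vid <= 4094,    # 0 and 4095 are reserved
        "ethertype": inner_type,
    }


def classify(frame, allowed_vids, tpid=TPID_8021Q):
    """Label a frame the way a trunk-side capture review would."""
    tag = parse_vlan_tag(frame, tpid)
    if tag is None:
        return "untagged"
    if not tag["vid_valid"]:
        return "reserved-vid"
    if tag["cfi"] != 0:                   # fixed at 0 on Ethernet networks
        return "cfi-set"
    if tag["vid"] not in allowed_vids:
        return "vlan-not-allowed"
    return "ok"


def build_frame(vid, pri=0, cfi=0, tpid=TPID_8021Q, ethertype=0x0800, payload=b""):
    """Build a constructed test frame; the MAC addresses are sample values."""
    dst = bytes.fromhex("00e0fca67f85")
    src = bytes.fromhex("00e0fca80417")
    tci = (pri << 13) | (cfi << 12) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", tpid, tci, ethertype) + payload


if __name__ == "__main__":
    allowed = {10, 20}
    for vid in (10, 30, 4095):
        frame = build_frame(vid, pri=5)
        print(vid, parse_vlan_tag(frame), classify(frame, allowed))
```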
All frames processed in a switch carry VLAN tags to improve frame processing efficiency. On a
network, some devices connected to
a switch can only receive and send untagged frames. To enable communication between the
switch and these devices, the switch interfaces must be able to identify the untagged frames
and add or remove VLAN tags from the frames. Hosts in the same VLAN may be connected
to different switches, and more than one VLAN may span multiple switches. To enable
communication between hosts, interfaces between switches must be able to identify and send
VLAN frames.
To accommodate different connections and networking, Huawei defines four interface types
(access, trunk, hybrid, and QinQ) and two link types (access and trunk). Figure 5-3 shows
access, trunk, and hybrid interfaces. 10 QinQ Configuration shows the QinQ interface.
[Figure 5-3: access, trunk, and hybrid interfaces on switches connected to hosts and hubs over access links and trunk links. Legend: untagged frame; tagged frames with VID=2, VID=3, and VID=4.]
Link Types
As shown in Figure 5-3, Ethernet links fall into the following types, depending on the number
of allowed VLANs:
l Access link
An access link can transmit data frames of only one VLAN. It connects a switch to a user
terminal, such as a host, server, or simplified Layer 2 switch. Generally, user terminals
do not need to know the VLANs to which they belong and cannot identify tagged
frames; therefore, only untagged frames are transmitted along an access link.
l Trunk link
A trunk link can transmit data frames from multiple VLANs. It connects a switch to
another switch or a router. Frames on a trunk link must be tagged so that other network
devices can correctly identify VLAN information in the frames.
Interface Types
As shown in Figure 5-3, Ethernet interfaces are classified into the following types depending
on the objects connected to them and the way they process frames:
l Access interface
An access interface often connects to a user terminal such as a user host or server that
cannot identify VLAN tags, or is used when VLANs do not need to be differentiated. In
most cases, access interfaces can only receive and send untagged frames, and can add
only a unique VLAN tag to untagged frames. However, if the VID and PVID are the
same in tagged frames, access interfaces can receive and process the tagged frames.
l Trunk interface
A trunk interface often connects to a switch, router, AP, or voice terminal that can
receive and send tagged and untagged frames simultaneously. It allows tagged frames
from multiple VLANs and untagged frames from only one VLAN.
l Hybrid interface
A hybrid interface can connect to not only a user terminal (such as a user host or server)
or network device (such as a hub or simplified Layer 2 switch) that cannot identify tags,
but also a switch, router, voice terminal, or AP that can receive and send tagged and
untagged frames. It allows tagged frames from multiple VLANs. Frames sent out from a
hybrid interface are tagged or untagged according to the VLAN configuration.
Hybrid and trunk interfaces can be interchanged in some scenarios, but hybrid interfaces
must be used in specific scenarios, for example, the selective QinQ scenario. Before
packets from multiple VLANs provided by a service provider enter a user network, the
outer VLAN tags must be removed. The trunk interface cannot be used here because the
trunk interface allows only untagged packets from the default VLAN of the interface to
pass through. For details about selective QinQ, see 10.7 Configuring Selective QinQ in
"QinQ Configuration".
l QinQ interface
An 802.1Q-in-802.1Q (QinQ) interface often connects a private network to a public
network. It can add an additional 802.1Q tag to a tagged frame. QinQ supports up to
4094 x 4094 VLANs, thereby extending VLANs over the network. The outer tag is often
called the public tag and identifies the VLAN ID of the public network, whereas the
inner tag is often called the private tag and identifies the VLAN ID of the private
network.
For details about the QinQ interface and QinQ frame format, see 10.2.1 QinQ
Fundamentals.
The default VLAN ID of an interface is called the port default VLAN ID (PVID). Frames
processed in a switch all carry VLAN tags. When the switch receives an untagged frame, it
adds a VLAN tag to the frame according to the default VLAN of the interface that receives
the frame. The PVID is used in the following scenarios:
l When an interface receives an untagged frame, the interface adds a tag with the PVID to
the frame and sends the frame to the switch for processing. When an interface receives a
tagged frame, the switch does not add a tag with the PVID to the frame.
l When an interface sends a frame in which the VLAN ID is the same as the PVID, the
switch removes the tag from the frame before sending it out from the interface.
Each interface has a default VLAN. By default, the default VLAN ID of all interfaces is
VLAN 1. You can change the default VLAN ID as required:
l The default VLAN of an access interface is the VLAN allowed by the access interface.
To change the default VLAN of an access interface, change the allowed VLAN.
l Trunk and hybrid interfaces allow multiple VLANs but have only one default VLAN.
Changing the allowed VLANs will not change the default VLAN.
Ethernet data frames are tagged or untagged based on the interface type and default VLAN.
The following describes how access, trunk, and hybrid interfaces process data frames.
NOTE
A QinQ interface adds an additional tag to a tagged frame. For details, see 10 QinQ Configuration.
Access Interface
Figure 5-4 and Figure 5-5 show how an access interface adds and removes VLAN tags.
[Figures 5-4 and 5-5: flowcharts. Receiving: Carry tag? No: accept the frame and add the PVID. Yes: same VID and PVID? No: discard. Yes: accept the frame. Accepted frames go to further processing. Sending: remove the tag.]
Trunk Interface
Figure 5-6 and Figure 5-7 show how a trunk interface adds and removes VLAN tags.
[Figures 5-6 and 5-7: flowcharts. Receiving: Carry tag? No: add the PVID. Is VID allowed? No: discard. Yes: further processing. Sending: Same as PVID? Yes: remove the tag.]
Hybrid Interface
Figure 5-8 and Figure 5-9 show how a hybrid interface adds and removes VLAN tags.
[Figures 5-8 and 5-9: flowcharts. Receiving: Carry tag? No: add the PVID. Is VID allowed? No: discard. Yes: further processing. Sending: Does device add tag to it? Yes: retain the tag.]
| Port type | Untagged frame received | Tagged frame received | Frame sent |
|---|---|---|---|
| Access port | Accepts an untagged frame and adds a tag with the default VLAN ID to the frame. | Accepts the tagged frame if the frame's VLAN ID matches the default VLAN ID. Discards the tagged frame if the frame's VLAN ID differs from the default VLAN ID. | After the PVID tag is stripped, the frame is transmitted. |
| Hybrid port | Adds a tag with the default VLAN ID to an untagged frame and accepts the frame if the port permits the default VLAN ID. Adds a tag with the default VLAN ID to an untagged frame and discards the frame if the port denies the default VLAN ID. | Accepts a tagged frame if the VLAN ID carried in the frame is permitted by the port. Discards a tagged frame if the VLAN ID carried in the frame is denied by the port. | If the frame's VLAN ID is permitted by the port, the frame is transmitted. The port can be configured whether to transmit frames with tags. |
l Access, trunk, and hybrid interfaces add VLAN tags to received untagged frames. Trunk
and hybrid interfaces then determine whether to accept the frames depending on
whether the VLANs specified by the added VLAN IDs (the PVIDs) are allowed, whereas an
access interface accepts the untagged frames unconditionally.
l Access, trunk, and hybrid interfaces determine whether to accept tagged frames
depending on whether VLANs specified by the VLAN IDs in the frames are allowed (the
VLAN ID allowed by an access interface is the default VLAN ID).
l Interfaces send frames as follows:
– An access interface directly removes VLAN tags from frames before sending the
frames.
– A trunk interface removes VLAN tags from frames only when their VLAN IDs are
the same as the PVID on the interface.
– A hybrid interface determines whether to remove VLAN tags from frames based on
the interface configuration.
Frames sent by an access interface are all untagged. On a trunk interface, only frames of
one VLAN are sent without tags, and frames of other VLANs are sent with tags. On a
hybrid interface, you can specify the VLANs of which frames are sent with or without
tags.
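The receive and send rules summarized above, written out as an added Python example (not code from this guide or from the switch software). The Interface class, its field names, and the forward helper are assumptions made for illustration; the trunk rules follow the summary and the flowcharts of Figures 5-6 and 5-7.

```python
from dataclasses import dataclass


@dataclass
class Interface:
    name: str
    link_type: str                     # "access", "trunk" or "hybrid"
    pvid: int = 1                      # the default VLAN of every interface is VLAN 1
    allowed: frozenset = frozenset()   # trunk and hybrid: allowed VLAN IDs
    untagged: frozenset = frozenset()  # hybrid: VLANs whose frames are sent untagged

    def permits(self, vid):
        """An access interface allows only its default VLAN."""
        if self.link_type == "access":
            return vid == self.pvid
        return vid in self.allowed

    def receive(self, wire_vid=None):
        """Ingress. wire_vid is the VID on the wire, or None for an untagged frame.

        Returns the VID the frame carries inside the switch, or None if the
        frame is discarded.
        """
        if wire_vid is None:
            if self.link_type == "access":
                return self.pvid       # accepted unconditionally
            wire_vid = self.pvid       # trunk and hybrid: tag first, then check
        return wire_vid if self.permits(wire_vid) else None

    def send(self, vid):
        """Egress. Returns ("untagged", None), ("tagged", vid), or None if the
        interface does not allow the VLAN and the frame is not sent."""
        if not self.permits(vid):
            return None
        if self.link_type == "access":
            strip = True               # frames sent by an access interface are all untagged
        elif self.link_type == "trunk":
            strip = vid == self.pvid   # only the PVID's frames lose their tag
        else:
            strip = vid in self.untagged
        return ("untagged", None) if strip else ("tagged", vid)


def forward(ingress, egress, wire_vid=None):
    """Carry one frame from the ingress wire to the egress wire of one switch."""
    internal = ingress.receive(wire_vid)
    if internal is None:
        return None                    # discarded on receipt
    return egress.send(internal)


if __name__ == "__main__":
    # Constructed interfaces: a host port in VLAN 2 and an uplink with PVID 1.
    host_port = Interface("IF_1", "access", pvid=2)
    uplink = Interface("IF_2", "trunk", pvid=1, allowed=frozenset({2, 3}))
    print(forward(host_port, uplink))      # untagged in, leaves tagged with VID 2
    print(forward(uplink, host_port, 2))   # tagged in, leaves untagged
    print(forward(uplink, host_port, 3))   # VLAN 3 is not sent out of the VLAN 2 port
    print(uplink.receive(None))            # PVID 1 is not allowed, so discarded
```

The last call shows a consequence that is easy to miss in the summary: an untagged frame arriving on a trunk or hybrid interface is dropped unless the interface's own PVID is in its allowed list.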
5.2.5 LNP
Definition
Link-type Negotiation Protocol (LNP) dynamically negotiates the link type of an Ethernet
interface. The negotiated link type can be access or trunk.
l When the link type on an Ethernet interface is negotiated as access, the interface joins
VLAN 1 by default.
l When the link type on an Ethernet interface is negotiated as trunk, the interface joins
VLAN 1 to VLAN 4094 by default.
Background
The switch supports the following link types on an Ethernet interface: access, hybrid, trunk,
and QinQ. The four link types are applicable to different network positions and are manually
specified. If the network topology changes, link types of Ethernet interfaces also need to be
reconfigured and the configuration is complex. To simplify the configuration, LNP supports
auto-negotiation of the link types on Ethernet interfaces and allows Ethernet interfaces to join
VLANs after the auto-negotiation.
Implementation
When Layer 2 devices on the network shown in Figure 5-10 are successfully connected, the
physical status of interfaces becomes Up. After LNP negotiation is complete, user-side
interfaces on Switch4, Switch5, Switch6, and Switch7 join VLAN 1 as access interfaces, and
interfaces between switches become trunk interfaces and allow all VLANs.
[Figure 5-10: switches (Switch2 and Switch3 shown) with links labeled Trunk and Access.]
An interface that is negotiated as a trunk interface allows all VLANs by default; therefore, a loop
prevention protocol needs to be deployed to prevent loops.
If a loop prevention protocol (for example, STP, RSTP, MSTP, or VBST) is deployed on a Layer 2
network, LNP negotiation can succeed on a blocked interface regardless of the link type.
l LNP negotiation
The link type of a Layer 2 Ethernet interface determines the negotiation result. Table 5-3
describes LNP negotiation results on a Layer 2 interface in Up state.
NOTE
l If the two ends of an Eth-Trunk link have different numbers of member interfaces, the LNP
negotiation may fail.
l If the link type of the Layer 2 Ethernet interface is set to access, hybrid, trunk, or Dot1q
tunnel, LNP negotiation does not take effect on the interface.
l The link type of an interface will be set to access when the negotiation fails.
[Figure: flowchart of how a VLAN is assigned to a received frame. Decision boxes that survive: Is MAC-VLAN enabled? Subnet-based VLAN assignment enabled? Protocol-based VLAN enabled? Is default VLAN ID set? Outcomes: allocate a VLAN ID to the frame and forward it at Layer 2, or discard the frame.]
host obtains the gateway's MAC address, and uses it as the destination MAC address to
send the frame to the gateway.
l Ethernet switching in a switch
The switch determines whether to forward a received frame at Layer 2 or Layer 3 based
on the information in the destination MAC address, VLAN ID, and Layer 3 forwarding
bit.
– If the destination MAC address and VLAN ID of the frame match a MAC address
entry of the switch and the Layer 3 forwarding bit is set, the switch searches for a
Layer 3 forwarding entry based on the destination IP address. If no entry is found,
the switch sends the frame to the CPU. The CPU then searches for a route to
forward the frame at Layer 3.
– If the destination MAC address and VLAN ID of the frame match a MAC address
entry but the Layer 3 forwarding bit is not set, the switch directly forwards the
frame from the outbound interface specified in the matching MAC address entry.
– If the destination MAC address and VLAN ID of the frame do not match any MAC
address entry, the switch broadcasts the frame to all the interfaces allowing the
VLAN specified in the VID to obtain the MAC address of the destination host.
For details about Layer 2 and Layer 3 switching, see 2.3.1 Layer 2 Switching and 2.3.2
Layer 3 Switching.
l Adding and removing VLAN tags during the exchange between devices (for example,
between a switch and a user host, another switch, or another network device)
Frames processed in a switch all carry VLAN tags. The switch needs to add or remove
VLAN tags according to the interface setting to communicate with other network
devices. For details on how VLAN tags are added and removed on different interfaces,
see 5.2.4 Adding and Removing VLAN Tags.
After VLANs are assigned, broadcast packets are forwarded at Layer 2 in the same VLAN.
That is, users in the same VLAN can directly communicate at Layer 2. There are two intra-
VLAN communication scenarios depending on whether hosts in the same VLAN connect to
the same or multiple switches.
[Figure: Host_1 (MAC: 1-1-1, IP: 10.1.1.2, subnet mask: 255.255.255.0) connects to access interface IF_1 (VLAN 2) on the Switch; Host_2 (MAC: 2-2-2, IP: 10.1.1.3, subnet mask: 255.255.255.0) connects to access interface IF_2 (VLAN 2).]
When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on the switch):
1. Host_1 determines that the destination IP address is on the same network segment as its
IP address, and therefore broadcasts an ARP Request packet to obtain the MAC address
of Host_2. The ARP Request packet carries the all-F destination MAC address and
destination IP address of 10.1.1.3 (Host_2's IP address).
2. When the packet reaches IF_1 on the Switch, the Switch detects that the ARP Request
packet is untagged and adds VLAN 2 (PVID of IF_1) to the packet. The Switch then
adds the binding of the source MAC address, VLAN ID, and interface (1-1-1, 2, IF_1) to
its MAC address table.
3. The Switch does not find a MAC address entry matching the destination MAC address
and VLAN ID of the ARP Request packet, so it broadcasts the ARP Request packet to
all interfaces that allow VLAN 2 (IF_2 in this example).
4. Before sending the ARP Request packet, IF_2 on the Switch removes the tag with
VLAN 2 from the packet.
5. Host_2 receives the ARP Request packet and records the mapping between the MAC
address and IP address of Host_1 in the ARP table. Then Host_2 compares the
destination IP address with its own IP address. If they are the same, Host_2 sends an
ARP Reply packet. The ARP Reply packet carries Host_2's MAC address of 2-2-2 and
Host_1's IP address of 10.1.1.2 as the destination IP address.
6. After receiving the ARP Reply packet, IF_2 on the Switch tags the packet with VLAN 2.
7. The Switch adds the mapping between the source MAC address, VLAN ID, and
interface (2-2-2, 2, IF_2) to its MAC address table, and then searches for an entry in its
MAC address table based on the destination MAC address and VLAN ID (1-1-1, 2). The
entry is found because the mapping has been recorded before (see step 5). The Switch
forwards the ARP Reply packet to IF_1.
8. Before forwarding the ARP Reply packet to IF_1, the Switch removes the tag with
VLAN 2 from the packet.
9. Host_1 receives the ARP Reply packet and records the mapping between the MAC
address and IP address of Host_2 in the ARP table.
Host_1 and Host_2 have now learned each other's MAC addresses, so in subsequent
communication they fill the destination MAC address field of packets directly with the
learned MAC address.
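The walk-through above, replayed as an added Python example (not code from this guide or from the switch software). It models only access interfaces and a MAC address table keyed on MAC address and VLAN ID; the Switch class, the third interface IF_3 in VLAN 3, and the host 9-9-9 are constructed to show that flooding and table lookups stay inside one VLAN.

```python
BROADCAST = "f-f-f"   # constructed short form of the all-F MAC, in the page's 1-1-1 style


class Switch:
    """Layer 2 switch with access interfaces only."""

    def __init__(self, pvid_by_interface):
        self.pvid = dict(pvid_by_interface)   # access interface -> PVID
        self.mac_table = {}                   # (MAC address, VLAN ID) -> interface

    def receive(self, interface, src, dst):
        """Process one untagged frame arriving on an access interface.

        Returns the interfaces the frame is sent from. Each of them is an
        access interface, so the tag is removed before the frame leaves.
        """
        vid = self.pvid[interface]               # tag the frame with the PVID
        self.mac_table[(src, vid)] = interface   # learn (source MAC, VLAN ID, interface)
        out = self.mac_table.get((dst, vid))     # look up (destination MAC, VLAN ID)
        if out is not None:
            return [out] if out != interface else []
        # No matching entry: broadcast to all interfaces that allow this VLAN.
        return [i for i, v in self.pvid.items() if v == vid and i != interface]


def walkthrough():
    """Replay the ARP exchange between Host_1 and Host_2 on one switch."""
    switch = Switch({"IF_1": 2, "IF_2": 2, "IF_3": 3})
    request = switch.receive("IF_1", src="1-1-1", dst=BROADCAST)  # steps 1 to 4
    reply = switch.receive("IF_2", src="2-2-2", dst="1-1-1")      # steps 6 to 8
    # Constructed host in VLAN 3 addressing Host_1: the (1-1-1, 3) lookup
    # misses, and flooding reaches no interface because IF_3 is alone in VLAN 3.
    other_vlan = switch.receive("IF_3", src="9-9-9", dst="1-1-1")
    return request, reply, other_vlan, switch.mac_table


if __name__ == "__main__":
    request, reply, other_vlan, table = walkthrough()
    print("ARP Request leaves from:", request)
    print("ARP Reply leaves from:", reply)
    print("Frame from VLAN 3 leaves from:", other_vlan)
    print("MAC address table:", table)
```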
In the preceding networking, if hosts in the same VLAN are on different network segments,
they encapsulate the gateway's MAC address into packets. If the Switch is a Layer 2 switch,
hosts cannot communicate. If the Switch is a Layer 3 switch, hosts can communicate through
VLANIF interfaces (with primary and secondary IP addresses configured). The principles are
similar to those in Inter-VLAN Communication Through the Same Switch, and are not
mentioned here.
[Figure: Host_1 (MAC: 1-1-1, IP: 10.1.1.2, subnet mask: 255.255.255.0) and Host_2 (MAC: 2-2-2, IP: 10.1.1.3, subnet mask: 255.255.255.0) connected through different switches.]
When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on Switch_1 and Switch_2):
1. The first two steps are similar to steps 1 and 2 in Intra-VLAN Communication
Through the Same Switch. After the two steps are complete, Host_1 broadcasts the
ARP Request packet to IF_2 on Switch_1.
2. IF_2 on Switch_1 transparently transmits the ARP Request packet to IF_2 on Switch_2
without removing the tag of the packet, because the VLAN ID of the packet is different
from the PVID of IF_2 on Switch_1.
3. After receiving the ARP Request packet, IF_2 on Switch_2 determines that VLAN 2 is
an allowed VLAN and accepts the packet.
4. Following the four steps similar to steps 3 to 6 in Intra-VLAN Communication
Through the Same Switch, Switch_2 forwards the ARP Reply packet of Host_2 to
IF_2. IF_2 on Switch_2 transparently transmits the ARP Reply packet to IF_2 on
Switch_1, because IF_2 is a trunk interface and its PVID is different from the VLAN ID
of the packet.
5. After receiving the ARP Reply packet, IF_2 on Switch_1 determines that VLAN 2 is an
allowed VLAN and accepts the packet. Subsequent steps are similar to steps 7 to 9 in
Intra-VLAN Communication Through the Same Switch.
In addition to transmitting frames from multiple VLANs, a trunk link can transparently
transmit frames without adding or removing the tags of the packets.
In the preceding networking, if hosts in the same VLAN are on different network segments
and Switch_1 or Switch_2 is a Layer 2 switch, hosts cannot communicate. If Switch_1 or
Switch_2 is a Layer 3 switch, hosts can communicate through VLANIF interfaces. The
principles are similar to those in Inter-VLAN Communication Through the Same Switch,
and are not mentioned here.
allocated IP addresses, the default gateway addresses of the hosts are set to IP addresses of the
VLANIF interfaces.
Figure 5-14 Using VLANIF interfaces to implement inter-VLAN communication through the
same switch
[Figure: Host_1 (MAC: 1-1-1, IP: 10.1.1.2, gateway address: 10.1.1.1) connects to access interface IF_1 (VLAN 2) on the Switch; Host_2 (MAC: 2-2-2, IP: 10.2.2.2, gateway address: 10.2.2.1) connects to access interface IF_2 (VLAN 3). On the Switch, VLANIF 2 has IP 10.1.1.1/24 and MAC 3-3-3, and VLANIF 3 has IP 10.2.2.1/24 and MAC 4-4-4.]
When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on the switch):
1. Host_1 determines that the destination IP address is on a different network segment from
its own IP address, and therefore sends an ARP Request packet to request the gateway
MAC address. The ARP Request packet carries the destination IP address of 10.1.1.1
(gateway's IP address) and all-F destination MAC address.
2. When the ARP Request packet reaches IF_1 on the Switch, the Switch tags the packet
with VLAN 2 (PVID of IF_1). The Switch then adds the mapping between the source
MAC address, VLAN ID, and interface (1-1-1, 2, IF_1) in its MAC address table.
3. The Switch detects that the packet is an ARP Request packet and the destination IP
address is the IP address of VLANIF 2. The Switch then encapsulates VLANIF 2's MAC
address of 3-3-3 into the ARP Reply packet and removes the tag with VLAN 2 from the
packet before sending it from IF_1. In addition, the Switch adds the binding of the IP
address and MAC address of Host_1 in its ARP table.
4. After receiving the ARP Reply packet from the Switch, Host_1 adds the binding of the
IP address and MAC address of VLANIF 2 on the Switch in its ARP table and sends a
packet to the Switch. The packet carries the destination MAC address of 3-3-3 and
destination IP address of 10.2.2.2 (Host_2's IP address).
5. After the packet reaches IF_1 on the Switch, the Switch tags the packet with VLAN 2.
6. The Switch updates its MAC address table based on the source MAC address, VLAN
ID, and inbound interface of the packet, and compares the destination MAC address of
the packet with the MAC address of VLANIF 2. If they are the same, the Switch
determines that the packet should be forwarded at Layer 3 and searches for a Layer 3
forwarding entry based on the destination IP address. If no entry is found, the Switch
sends the packet to the CPU. The CPU then searches for a routing entry to forward the
packet.
7. The CPU looks up the routing table based on the destination IP address of the packet and
detects that the destination IP address matches a directly connected network segment
(network segment of VLANIF 3). The CPU continues to look up its ARP table but finds
no matching ARP entry. Therefore, the Switch broadcasts an ARP Request packet with
the destination address of 10.2.2.2 to all interfaces in VLAN 3. Before sending the ARP
Request packet from IF_2, the Switch removes the tag with VLAN 2 from the packet.
8. After receiving the ARP Request packet, Host_2 detects that the IP address is its own IP
address and sends an ARP Reply packet with its own MAC address. Additionally, Host_2 adds the
mapping between the MAC address and IP address of VLANIF 3 to its ARP table.
9. After IF_2 on the Switch receives the ARP Reply packet, IF_2 tags the packet with
VLAN 3 and adds the binding of the MAC address and IP address of
Host_2 in its ARP table. Before forwarding the packet from Host_1 to Host_2, the
Switch removes the tag with VLAN 3 from the packet. The Switch also adds the binding
of Host_2's IP address, MAC address, VLAN ID, and outbound interface in its Layer 3
forwarding table.
The packet sent from Host_1 then reaches Host_2. The packet transmission process from
Host_2 to Host_1 is similar. Subsequent packets between Host_1 and Host_2 are first sent to
the gateway (Switch), and the Switch forwards the packets at Layer 3 based on its Layer 3
forwarding table.
[Figure: Host_1 (MAC: 1-1-1, IP: 10.1.1.2, gateway address: 10.1.1.1) and Host_2 (MAC: 2-2-2, IP: 10.1.2.2, gateway address: 10.1.2.1) connected through different switches.]
When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on Switch_1 and Switch_2):
1. The first six steps are similar to steps 1 to 6 in inter-VLAN communication when hosts
connect to the same switch. After the steps are complete, Switch_1 sends the packet to
its CPU and the CPU looks up the routing table.
2. The CPU of Switch_1 searches the routing table based on the destination IP address
of 10.1.2.2 and finds a static route. In the static route, the destination network segment is
10.1.2.0/24 and the next hop address is 10.1.4.2. The CPU continues to look up its ARP
table but finds no matching ARP entry. Therefore, Switch_1 broadcasts an ARP Request
packet with the destination address of 10.1.4.2 to all interfaces in VLAN 4. IF_2 on
Switch_1 transparently transmits the ARP Request packet to IF_2 on Switch_2 without
removing the tag from the packet.
3. After the ARP Request packet reaches Switch_2, Switch_2 finds that the destination IP
address of the ARP Request packet is the IP address of VLANIF 4. Switch_2 then sends
an ARP Reply packet with the MAC address of VLANIF 4 to Switch_1.
4. IF_2 on Switch_2 transparently transmits the ARP Reply packet to Switch_1. After
Switch_1 receives the ARP Reply packet, it adds the binding of the MAC address and IP
address of VLANIF4 in its ARP table.
5. Before forwarding the packet of Host_1 to Switch_2, Switch_1 changes the destination
MAC address of the packet to the MAC address of VLANIF 4 on Switch_2 and the
source MAC address to the MAC address of VLANIF 4 on itself. In addition, Switch_1
records the forwarding entry (10.1.2.0/24, next hop IP address, VLAN, and outbound
interface) in its Layer 3 forwarding table. Similarly, the packet is transparently
transmitted to IF_2 on Switch_2.
6. After Switch_2 receives packets of Host_1 forwarded by Switch_1, the steps similar to
steps 6 to 9 in inter-VLAN communication when hosts connect to the same switch
are performed. In addition, Switch_2 records the forwarding entry (Host_2's IP address,
MAC address, VLAN, and outbound interface) in its Layer 3 forwarding table.
Port Isolation
Port isolation can isolate interfaces in a VLAN. You can add interfaces to a port isolation
group to disable Layer 2 packet transmission between the interfaces. Interfaces in different
port isolation groups or out of port isolation groups can exchange packets with other
interfaces. In addition, interfaces can be isolated unidirectionally, providing more secure and
flexible networking.
For details about port isolation, see Configuring Port Isolation in "Ethernet Interface
Configuration" in the S1720, S2700, S5700, and S6720 V200R011C10 Configuration Guide -
Interface Management.
MUX VLAN
Multiplex VLAN (MUX VLAN) provides a mechanism to control network resources using
VLANs. It can implement inter-VLAN communication and intra-VLAN isolation.
For example, an enterprise has the following requirements:
l Employees can communicate with each other but customers are isolated.
l Both employees and customers can access enterprise servers.
You can deploy the MUX VLAN to meet the preceding requirements.
For details about the MUX VLAN feature, see 7 MUX VLAN Configuration.
The switch supports intra-VLAN Layer 2 isolation based on MQC and ACL-based simplified
traffic policies. For details about MQC and ACL-based simplified traffic policies, see MQC
Configuration and ACL-based Simplified Traffic Policy Configuration in the S1720, S2700,
S5700, and S6720 V200R011C10 Configuration Guide - QoS.
After inter-VLAN Layer 3 connectivity is implemented between two VLANs, all users in the
VLANs can communicate. In some scenarios, communication between some users needs to
be prevented or only unidirectional communication is allowed. For example, user hosts and
servers often use unidirectional communication, and visitors to an enterprise are often allowed
to access only the Internet or some servers. In these scenarios, you need to configure inter-
VLAN isolation.
Inter-VLAN isolation is often implemented using a traffic policy. You can define traffic
classifiers on a switch to match packets with certain characteristics and associate the traffic
classifiers with the permit or deny behavior in a traffic policy. The switch then permits or
rejects the packets matching the traffic classifiers. This technology implements flexible inter-
VLAN isolation.
The switch supports inter-VLAN Layer 3 isolation based on MQC and ACL-based simplified
traffic policies. For details about MQC and ACL-based simplified traffic policies, see MQC
Configuration and ACL-based Simplified Traffic Policy Configuration in the S1720, S2700,
S5700, and S6720 V200R011C10 Configuration Guide - QoS.
5.2.11 mVLAN
To use a remote network management system (NMS) to manage devices in a centralized
manner, configure a management IP address on the switch. You can then use the management
IP address to log in to the switch using STelnet and manage the switch. If a user-side interface
is added to the VLAN corresponding to the management IP address, users connected to the
interface can also log in to the switch. This poses security risks to the switch.
To enhance security, you can configure the VLAN as the management VLAN (mVLAN).
Access or Dot1q tunnel interfaces cannot be added to the mVLAN. (The VLANs not specified
as the mVLAN are service VLANs.) Access and Dot1q tunnel interfaces are often connected
to users. When these interfaces are prevented from joining the mVLAN, users connected to
the interfaces cannot log in to the device, improving device security.
NOTE
Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support this function.
[Figure: network with an L2 Switch, an L3 Switch, and the Internet.]
To isolate services and ensure service security of different companies, add interfaces
connected to the companies to different VLANs. Each company has a virtual router and each
VLAN is a virtual work group.
[Figure: User_1 in VLAN 10, shown in office area 1 (connected to Switch_2) and in office area 2 (connected to Switch_3).]
To enable employees to access network resources such as servers after they move from one
office area to the other, configure MAC address-based VLAN assignment on Switch_2 and
Switch_3. As long as the MAC address of User_1 remains unchanged, the user belongs to the
same VLAN and can still access the company's network resources after changing the location.
[Figure: Switch_1 with the server of department 1 (VLAN 10) and the server of department 2 (VLAN 20); Switch_2 serves department 1 and Switch_3 serves department 2.]
To ensure that employees retain the rights to access network resources after changing
locations, configure IP subnet-based VLAN assignment on the company's central switch.
Different network segments of servers are assigned to different VLANs to isolate data flows
of different application services, improving security.
Figure 5-19 Using VLANIF interfaces to implement inter-VLAN communication through the
same Layer 3 switch
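[Figure: PC_1 of department 1 (VLAN 2) connects to Switch_1 (L2) and PC_2 of department 2 (VLAN 3) connects to Switch_2 (L2); both Layer 2 switches connect to the Switch (L3), which has VLANIF 2 and VLANIF 3.]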
Assign VLANs on Switch_1 and Switch_2, configure Switch_1 and Switch_2 to transparently
transmit VLAN packets to the Layer 3 switch, and configure a VLANIF interface for each
VLAN on the Layer 3 switch to allow communication between VLAN 2 and VLAN 3.
[Figure: PC_1 of department 1 (VLAN 2) and PC_2 of department 2 (VLAN 3), each behind an L2 Switch, with VLANIF 2 and VLANIF 3 connected across a Layer 3 network.]
Assign VLANs on the Layer 2 switches, and configure the Layer 2 switches to transparently
transmit VLAN packets to Layer 3 switches. Configure a VLANIF interface for each user
VLAN and interconnected VLANs on Switch_1 and Switch_2, and configure VLANIF
interfaces for interconnected VLANs on other Layer 3 devices. In addition, configure static
routes or a dynamic routing protocol between Switch_1 and Switch_2 (a dynamic routing
protocol is recommended when devices are connected across more than two Layer 3
switches).
[Figure: network with the Internet, a Router, and VLANIF 20 labeled.]
After the central switch (Switch) is configured with VLANIF 10, VLANIF 20, VLANIF 30,
and VLANIF 100 and a route to the router, employees, visitors, and servers can access the
Internet and communicate with each other. To control access rights of visitors, configure a
traffic policy on the central switch and define the following rules:
l ACL rule 1: denies the packets sent from the IP network segment of visitors to the IP
segment of employees.
l ACL rule 2: permits the packets from the IP network segment of visitors to the IP
address of Server_1, and denies the packets from the IP network segment of visitors
to the IP segment of servers.
l ACL rule 3: denies the packets from the IP network segment of employees to the IP
segment of visitors.
l ACL rule 4: denies the packets from the IP network segment of servers to the IP segment
of visitors.
Apply the traffic policy to the inbound and outbound directions of the switch interface
connected to the visitor area. Visitors can then only access Server_1 and cannot communicate
with employees.
[Figure: the core switch of the enterprise intranet (GE0/0/1, VLANIF10, 10.1.1.1/24) connects to sub-interface GE1/0/1.1 (10.1.1.2/24) on the egress router, which connects to the ISP network.]
To access the ISP network, the core Layer 3 switch and egress router need to interwork at
Layer 3. Most Layer 3 switches do not support routed interfaces or support limited routed
interfaces. Generally, a VLANIF interface is used as a Layer 3 interface to communicate with
the Layer 3 sub-interface of the router, and then a static route or a dynamic routing protocol is
configured to implement Layer 3 connectivity between the core switch and egress router.
[Figure: configuration flow. Assign VLANs, then configure MQC to implement inter-VLAN isolation.]
| Configuration task | Description |
|---|---|
| Assign VLANs: Configuring Interface-based VLAN Assignment; Configuring MAC Address-based VLAN Assignment; Configuring IP Subnet-based VLAN Assignment; Configuring Protocol-based VLAN Assignment; Configuring Policy-based VLAN Assignment | VLANs can isolate the hosts that do not need to communicate with each other, which improves network security, reduces broadcast traffic, and mitigates broadcast storms. |
| Configuring a Traffic Policy to Implement Intra-VLAN Layer 2 Isolation | After VLANs are assigned, users in the same VLAN can directly communicate with each other. If some users in the same VLAN need to be isolated, configure MQC-based intra-VLAN Layer 2 isolation. NOTE: Intra-VLAN isolation can also be implemented using port isolation. For details about port isolation, see Configuring Port Isolation in "Ethernet Interface Configuration" in the S1720, S2700, S5700, and S6720 V200R011C10 Configuration Guide - Interface Management. |
Licensing Requirements
VLAN technology configuration commands are available only after the S1720GW,
S1720GWR, and S1720X have the license (WEB management to full management Electronic
RTU License) loaded and activated and the switches are restarted. VLAN technology
configuration commands on other models are not under license control.
For details about how to apply for a license, see S Series Switch License Use Guide.
Version Requirements
S2710SI V100R006(C03&C05)
S5710-C-LI V200R001C00
S5730SI V200R011C10
S5730S-EI V200R011C10
NOTE
To know details about software mappings, see Hardware Query Tool.
Feature Limitations
l Table 5-7 describes the specifications of VLAN technology.
Item: Maximum number of VLANs in the system
Specification: 4096 (VLAN 0 and VLAN 4095 are reserved)
l If LNP is used to dynamically negotiate the link type (LNP is enabled by default), it is
recommended that each interface should be added to a maximum of 1000 VLANs and a
maximum of 200 interfaces should be configured on a switch. If 4094 VLANs are
configured globally, it is recommended that a maximum of 50 interfaces should be
enabled with LNP. Otherwise, the alarm about a high CPU usage is generated for a short
time.
l You are advised to plan service and management VLANs so that any broadcast storms in
service VLANs do not affect switch management.
l In practice, specify VLANs from which packets need to be transparently transmitted by a
trunk interface. Do not use the port trunk allow-pass vlan all command if possible.
l In earlier versions of V200R005, before changing the interface type, restore the default
VLAN of the interface.
l In earlier versions of V200R005, before deleting a VLAN where a VLANIF interface
has been configured, run the undo interface vlanif vlan-id command to delete the
VLANIF interface.
l All interfaces join VLAN 1 by default. When unknown unicast, multicast, or broadcast
packets of VLAN 1 exist on the network, broadcast storms may occur. When VLAN 1 is
used, pay attention to the following points:
– You are not advised to use VLAN 1 as the management VLAN or service VLAN.
– Remove the interfaces that do not need to join VLAN 1 from VLAN 1 to prevent
loops. A trunk interface often permits packets from VLAN 1 to pass through. If a
trunk interface rejects packets from VLAN 1, some protocol packets transmitted in
VLAN 1 may be incorrectly discarded. To prevent such faults, take measures to
prevent potential risks when packets of VLAN 1 are allowed to pass through.
– If a spanning tree protocol is used and a trunk interface on the switch rejects packets
from VLAN 1, run the stp bpdu vlan command to enable the switch to encapsulate
the specified VLAN ID in outgoing STP BPDUs so that the spanning tree protocol
runs properly.
– You are advised to remove interfaces from VLAN 1 in Eth-Trunk or ring
networking.
– When the switch connects to an access device, to prevent broadcast storms in
VLAN 1, do not configure the uplink interface of the access device to transparently
transmit packets from VLAN 1.
– When an interface is bound to a VLANIF interface for Layer 3 forwarding, remove
the interface from VLAN 1 to prevent Layer 2 loops in VLAN 1.
Default VLAN: VLAN 1
VLAN that an interface joins:
l VLAN 1 that access interfaces join in untagged mode (port default vlan 1)
l VLANs 1 to 4094 that trunk interfaces join in tagged mode (port trunk allow-pass vlan 1 to 4094)
Damping time for a VLANIF interface in Down state: 0s
Context
Interface-based VLAN assignment is the simplest and most effective method. VLANs are
assigned based on interfaces. After an interface is added to a VLAN, the interface can forward
packets from the VLAN. Interface-based VLAN assignment allows hosts in the same VLAN
to communicate and prevents hosts in different VLANs from communicating, so broadcast
packets are limited in a VLAN.
Ethernet interfaces are classified into access, trunk, and hybrid interfaces according to the
objects connected to the Ethernet interfaces and number of VLANs from which untagged
frames are permitted (see Interface Types):
l Access interface
The switch processes only tagged frames and an access interface connected to devices
only receives and sends untagged frames, so the access interface needs to add a VLAN
tag to received frames. That is, you must configure the default VLAN for the access
interface. After the default VLAN is configured, the access interface joins the VLAN.
An access interface needs to process only untagged frames. If a user connects a
switching device to a user-side interface without permission, the user-side interface may
receive tagged frames. You can configure the user-side interface to discard tagged
frames, preventing unauthorized access.
l Trunk interface
When a trunk interface connects to a device such as an AP or a voice terminal that can
receive and send tagged and untagged frames simultaneously, you need to configure the
default VLAN for the trunk interface so that the trunk interface can add the VLAN tag to
untagged frames.
l Hybrid interface
When a hybrid interface connects to an AP, a voice terminal, a hub, a host, or a server
that sends untagged frames to the switch, you need to configure the default VLAN for
the hybrid interface so that the hybrid interface can add the VLAN tag to untagged
frames.
Frames sent by a switch all carry VLAN tags. In some scenarios, VLAN tags need to be
removed from frames sent by a hybrid interface. For example, in VLAN stacking
scenarios, before packets from multiple VLANs on an ISP network enter a user network,
outer VLAN tags need to be removed from the packets. A trunk interface allows
untagged packets from only one VLAN, so the interface must be configured as hybrid.
For details about VLAN stacking, see QinQ Configuration.
On the S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-
E, S2720EI, S2750, S5700LI, S5700S-LI, S5720LI, S5720S-LI, S5730SI, S5730S-EI,
S6720LI, S6720S-LI, S6720SI, S6720S-SI, S5710-X-LI, S5720SI, and S5720S-SI, the type
of an interface is negotiation-auto by default. The type of an interface is negotiation-desirable
by default on other models.
Procedure
l Configuring the default VLAN for an access interface
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
A VLAN is created and the VLAN view is displayed, or the view of an existing
VLAN is displayed.
c. Run quit
Return to the system view.
d. Run interface interface-type interface-number
The view of the Ethernet interface to be added to the VLAN is displayed.
e. Run port link-type access
The Ethernet interface is configured as the access interface.
f. Run port default vlan vlan-id
The default VLAN is configured for the interface and the interface is added to the
specified VLAN.
g. (Optional) Run port discard tagged-packet
The interface is configured to discard incoming tagged packets.
l Configuring the default VLAN for a trunk interface
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
A VLAN is created and the VLAN view is displayed, or the view of an existing
VLAN is displayed.
c. Run quit
Return to the system view.
d. Run interface interface-type interface-number
The view of the Ethernet interface to be added to the VLAN is displayed.
If the VLAN allowed by an interface is the default VLAN of the interface, packets from the
VLAN are forwarded in untagged mode.
l Configuring the default VLAN for a hybrid interface
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
A VLAN is created and the VLAN view is displayed, or the view of an existing
VLAN is displayed.
c. Run quit
Return to the system view.
d. Run interface interface-type interface-number
The view of the Ethernet interface to be added to the VLAN is displayed.
e. Run port link-type hybrid
The Ethernet interface is configured as the hybrid interface.
f. Run the following commands as required.
n Run port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The hybrid interface is added to the VLAN in untagged mode.
n Run port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The hybrid interface is added to the VLAN in tagged mode.
g. (Optional) Run port hybrid pvid vlan vlan-id
The default VLAN is configured for the hybrid interface.
----End
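The recommendations above (explicit trunk VLAN lists instead of port trunk allow-pass vlan all, keeping interfaces out of VLAN 1, and port discard tagged-packet on access interfaces) can be checked against a saved configuration. The following Python audit is an added example, not part of this guide; the sample configuration is constructed, and its layout and the assumption that a trunk permits VLAN 1 until an undo line removes it are modelling assumptions. Interfaces with no explicit port link-type line are not evaluated.

```python
import re

# Constructed sample laid out like a saved configuration file: "#" separates
# sections and interface settings are indented by one space (assumed layout).
SAMPLE_CONFIG = """\
#
vlan batch 10 20 100
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 port discard tagged-packet
#
interface GigabitEthernet0/0/2
 port link-type access
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/22
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/23
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/24
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 20 100
#
"""

ALL_VLANS = set(range(1, 4095))  # usable VLAN IDs 1 to 4094


def expand_vlans(spec):
    """Expand 'all' or '10 20 30 to 40' into a set of VLAN IDs."""
    tokens = spec.split()
    if tokens == ["all"]:
        return set(ALL_VLANS)
    vlans, i = set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_interfaces(config):
    """Return {interface name: [setting lines]} from configuration text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # "#" or a global command ends the section
    return interfaces


def audit_interface(lines):
    """Return finding codes for one interface's setting lines."""
    link_type, pvid, discard_tagged = None, 1, False  # default VLAN is VLAN 1
    allowed = {1}  # assumption: a trunk permits VLAN 1 until it is removed
    for line in lines:
        if m := re.fullmatch(r"port link-type (\S+)", line):
            link_type = m.group(1)
        elif m := re.fullmatch(r"port default vlan (\d+)", line):
            pvid = int(m.group(1))
        elif line == "port discard tagged-packet":
            discard_tagged = True
        elif m := re.fullmatch(r"port trunk allow-pass vlan (.+)", line):
            allowed |= expand_vlans(m.group(1))
        elif m := re.fullmatch(r"undo port trunk allow-pass vlan (.+)", line):
            allowed -= expand_vlans(m.group(1))
    findings = []
    if link_type == "access":
        if pvid == 1:
            findings.append("ACCESS_IN_VLAN1")
        if not discard_tagged:
            findings.append("ACCESS_ACCEPTS_TAGGED")
    elif link_type == "trunk":
        if allowed >= ALL_VLANS - {1}:
            findings.append("TRUNK_ALLOWS_ALL")
        elif 1 in allowed:
            findings.append("TRUNK_PERMITS_VLAN1")
    return findings


def audit(config):
    """Return {interface: [finding codes]} for interfaces with findings."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_interface(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, ", ".join(findings))
```

TRUNK_PERMITS_VLAN1 is a review item rather than an error: as noted above, a trunk that rejects VLAN 1 may discard protocol packets unless measures such as stp bpdu vlan are taken.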
Configuration Tips
Configuring a name for a VLAN
When multiple VLANs are created on the device, you are advised to configure names for the
VLANs to facilitate management. After a name is configured for a VLAN, you can directly
enter the VLAN view using the name.
# Set the name of VLAN 10 to huawei.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] name huawei
[HUAWEI-vlan10] quit
# After a name is configured for a VLAN, you can directly enter the VLAN view using the
name.
Procedure
Step 1 Run system-view
The system view is displayed.
NOTE
When performing this step, ensure that the interface is a Layer 2 interface. If the interface is not a Layer
2 interface, run the portswitch command to configure the interface as a Layer 2 interface.
When an LNP-capable device is used with an LNP-incapable device, the LNP-capable device
continuously sends LNP packets, which wastes bandwidth. You can run the port negotiation disable
command in the Layer 2 Ethernet interface view to disable LNP.
To ensure successful negotiation, ensure that LNP is enabled globally and in the interface view.
The default VLAN is configured for the access interface and the access interface is
added to a specified VLAN.
By default, the default VLAN of an access interface and the VLAN that an access
interface joins are both VLAN 1.
----End
Context
In MAC address-based VLAN assignment mode, when physical locations of users change,
you do not need to reconfigure VLANs for the users. This improves security and access
flexibility on a network.
The switch that has MAC address-based VLAN assignment enabled processes only untagged
frames, and treats tagged frames in the same manner as interface-based VLAN assignment.
When receiving an untagged frame, an interface matches the source MAC address of the
frame against the MAC-VLAN table.
l If an entry is matched, the interface forwards the frame based on the VLAN ID and
priority in the entry.
l If no entry is found, the interface matches the frame against other matching rules.
The total number of MAC-VLAN entries is the number of configured MAC-VLAN entries
multiplied by the number of interfaces where MAC-VLAN entries are delivered. On different
models, the number of MAC-VLAN entries is different:
l The S5720HI, S5720EI, S5720SI, S5720S-SI, S6720EI, and S6720S-EI support a
maximum of 1024 MAC-VLAN entries and a maximum of 64 MAC-VLAN entries with
the mask.
l The S2720EI, S5710-X-LI, S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E,
S1720GWR-E, S1720X-E, S5720S-LI, S5730SI, S5730S-EI, S6720SI, S6720S-SI,
S6720LI, S6720S-LI, S5700S-28X-LI-AC and S5700S-52X-LI-AC of S5700S-LI and
S5720LI support a maximum of 512 MAC-VLAN entries and a maximum of 64 MAC-
VLAN entries with the mask.
l Other models support a maximum of 512 MAC-VLAN entries and a maximum of 32
MAC-VLAN entries with the mask.
Procedure
Step 1 Run system-view
A VLAN is created and the VLAN view is displayed. If the specified VLAN has been
created, the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in a batch, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in a batch, and then
run the vlan vlan-id command to enter the view of a specified VLAN.
NOTE
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
The vlan configuration command completes the VLAN configuration when the VLAN is not created.
NOTE
When the mac-vlan mac-address command with the same MAC address specified is executed multiple
times, MAC-VLAN entries take effect according to the longest match principle. On the S5720EI,
S6720EI, and S6720S-EI, MAC-VLAN entries take effect according to the longest match principle only
when the mask has 47 bits or fewer, and the MAC-VLAN entry with the 48-bit mask has the
lowest priority.
l The MAC address is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits,
such as 00e0 and fc01. If you enter fewer than four digits, 0s are padded before the input
digits. For example, if e0 is entered, 00e0 is displayed. The MAC address cannot be all
Fs, all 0s, or a multicast MAC address.
l To change the priority of a MAC-VLAN entry with the mask specified (excluding the 48-bit mask
or a mask with all Fs), run the undo mac-vlan mac-address command to delete the MAC-VLAN entry
and then run the mac-vlan mac-address command to set the priority.
l priority specifies the 802.1p priority of a MAC address-based VLAN. The value ranges
from 0 to 7. A larger value indicates a higher priority. The default value is 0. After the
802.1p priority of a MAC address-based VLAN is specified, the switch first forwards
high-priority frames in the case of congestion.
Only the S1720X, S1720X-E, S5720EI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI,
S5720SI, S5720S-SI, S6720EI, and S6720S-EI support the vlan precedence command.
The S1720X, S1720X-E, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S5730SI, S5730S-EI, S5720SI, and
S5720S-SI support the vlan precedence command only in the system view. Other switches support the
vlan precedence command only in the interface view.
On the S5720EI, S6720EI, and S6720S-EI, if both the subnet VLAN and MAC VLAN with a mask are
configured, the MAC VLAN with a mask is first matched regardless of whether the vlan precedence
command is used.
NOTE
MAC address-based VLAN assignment cannot be used with the MUX VLAN and MAC address
authentication on the same interface.
On the S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E,
S2720EI, S5720HI, S2750, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S5710-X-
LI, S5720LI, S5720S-LI, S6720LI, S6720S-LI, S5700LI, and S5700S-LI, MAC address-based VLAN
assignment is invalid for packets with the VLAN ID of 0, regardless of whether the mask of the MAC
VLAN is specified. On other models, MAC address-based VLAN assignment is invalid for packets with
the VLAN ID of 0 only when the mask of the MAC VLAN is specified.
----End
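The MAC-VLAN matching rules described above (H-H-H address format with zero padding, rejected address values, longest match, and the lowest priority of the 48-bit mask on the S5720EI, S6720EI, and S6720S-EI) can be modelled as follows. This Python model is an added example, not part of this guide or of the switch software; the class and function names are hypothetical, and masks are expressed as prefix lengths in bits for simplicity.

```python
import re

_GROUP = re.compile(r"[0-9a-fA-F]{1,4}")
FULL_MASK = (1 << 48) - 1


def parse_mac(text):
    """Parse an H-H-H MAC address into a 48-bit integer."""
    groups = text.split("-")
    if len(groups) != 3 or not all(_GROUP.fullmatch(g) for g in groups):
        raise ValueError(f"not in H-H-H format: {text!r}")
    # Fewer than four digits in a group: 0s are padded before the digits.
    value = int("".join(g.zfill(4) for g in groups), 16)
    if value in (0, FULL_MASK):
        raise ValueError("MAC address cannot be all 0s or all Fs")
    if (value >> 40) & 0x01:  # group bit of the first octet
        raise ValueError("multicast MAC address is not allowed")
    return value


def format_mac(value):
    """Format a 48-bit integer as a zero-padded H-H-H string."""
    text = f"{value:012x}"
    return "-".join(text[i:i + 4] for i in (0, 4, 8))


def prefix_mask(bits):
    """Return a 48-bit mask with the top `bits` bits set."""
    return (FULL_MASK << (48 - bits)) & FULL_MASK


class MacVlanTable:
    """Toy model of a MAC-VLAN table (hypothetical, masks as prefix lengths)."""

    def __init__(self, exact_match_last=False):
        # exact_match_last=True models the S5720EI/S6720EI/S6720S-EI note:
        # the entry with the 48-bit mask has the lowest priority.
        self.exact_match_last = exact_match_last
        self.entries = []  # (masked address, mask bits, VLAN ID, 802.1p)

    def add(self, mac, vlan, mask_bits=48, priority=0):
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID ranges from 1 to 4094")
        if not 0 <= priority <= 7:
            raise ValueError("802.1p priority ranges from 0 to 7")
        if not 1 <= mask_bits <= 48:
            raise ValueError("mask length ranges from 1 to 48 bits")
        masked = parse_mac(mac) & prefix_mask(mask_bits)
        self.entries.append((masked, mask_bits, vlan, priority))

    def lookup(self, src_mac):
        """Return (VLAN ID, priority) for an untagged frame's source MAC,
        or None when no entry matches and other rules must decide."""
        value = parse_mac(src_mac)
        matches = [e for e in self.entries
                   if (value & prefix_mask(e[1])) == e[0]]
        if not matches:
            return None

        def rank(entry):
            if self.exact_match_last and entry[1] == 48:
                return -1
            return entry[1]  # longest match wins

        best = max(matches, key=rank)
        return best[2], best[3]

    def delivered_entries(self, interface_count):
        """Configured entries multiplied by the interfaces they are delivered to."""
        return len(self.entries) * interface_count


def build_sample_table(exact_match_last=False):
    """Constructed sample entries used to exercise the model."""
    table = MacVlanTable(exact_match_last)
    table.add("e0-fc01-1", vlan=10)                       # 00e0-fc01-0001
    table.add("00e0-fc01-0000", vlan=20, mask_bits=32, priority=5)
    table.add("00e0-fc00-0000", vlan=30, mask_bits=24)
    return table


if __name__ == "__main__":
    table = build_sample_table()
    for mac in ("e0-fc01-1", "00e0-fc01-0002", "00e0-fc02-0002", "0011-2233-4455"):
        print(format_mac(parse_mac(mac)), "->", table.lookup(mac))
```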
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan vlan-id
A VLAN is created and the VLAN view is displayed. If the specified VLAN has been
created, the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in a batch, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in a batch, and then
run the vlan vlan-id command to enter the view of a specified VLAN.
NOTE
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
The vlan configuration command completes the VLAN configuration when the VLAN is not created.
NOTE
Only the S1720X, S1720X-E, S5720EI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI,
S5720SI, S5720S-SI, S6720EI, and S6720S-EI support the vlan precedence command.
The S1720X, S1720X-E, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S5730SI, S5730S-EI, S5720SI, and
S5720S-SI support the vlan precedence command only in the system view. Other switches support the
vlan precedence command only in the interface view.
On the S5720EI, S6720EI, and S6720S-EI, if both the subnet VLAN and MAC VLAN with a mask are
configured, the MAC VLAN with a mask is first matched regardless of whether the vlan precedence
command is used.
NOTE
IP subnet-based VLAN assignment is invalid for packets with the VLAN ID of 0 on the S5720HI.
----End
Context
Both IP subnet-based and protocol-based VLAN assignment are called network layer-based
VLAN assignment, which reduces manual VLAN configuration workload and allows users to
easily join a VLAN, transfer from one VLAN to another, and exit from a VLAN. The switch
that has protocol-based VLAN assignment enabled processes only untagged frames, and treats
tagged frames in the same manner as interface-based VLAN assignment.
When receiving an untagged frame from an interface, the switch identifies the protocol profile
of the frame and then determines the VLAN that the frame belongs to.
l If protocol-based VLANs are configured on the interface and the protocol profile of the
frame matches a protocol-based VLAN, the switch adds the VLAN tag to the frame.
l If protocol-based VLANs are configured on the interface and the protocol profile of the
frame matches no protocol-based VLAN, the switch adds the PVID of the interface to
the frame.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan vlan-id
A VLAN is created and the VLAN view is displayed. If the specified VLAN has been
created, the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in a batch, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in a batch, and then
run the vlan vlan-id command to enter the view of a specified VLAN.
NOTE
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
The vlan configuration command completes the VLAN configuration when the VLAN is not created.
Step 3 Run protocol-vlan [ protocol-index ] { at | ipv4 | ipv6 | ipx { ethernetii | llc | raw | snap } |
mode { ethernetii-etype etype-id1 | llc dsap dsap-id ssap ssap-id | snap-etype etype-id2 } }
Protocols are associated with VLANs and a protocol profile is specified.
l protocol-index specifies the index of a protocol profile.
A protocol profile depends on protocol types and encapsulation formats, and a VLAN
associated with a protocol can be defined in a protocol profile.
l When specifying the source and destination service access points, pay attention to the
following points:
– dsap-id and ssap-id cannot be both set to 0xaa.
– dsap-id and ssap-id cannot be both set to 0xe0. 0xe0 indicates llc, encapsulation
format of IPX packets.
– dsap-id and ssap-id cannot be both set to 0xff. 0xff indicates raw, encapsulation
format of IPX packets.
Step 4 Configure attributes for the Ethernet interface.
1. Run interface interface-type interface-number
The view of the interface that allows the protocol-based VLAN is displayed.
2. Run port link-type hybrid
The interface is configured as the hybrid interface.
On access and trunk interfaces, protocol-based VLAN assignment can be used only
when the protocol-based VLAN is the same as the PVID. It is recommended that
protocol-based VLAN assignment be configured on hybrid interfaces.
3. Run port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The hybrid interface is configured to allow the protocol-based VLAN.
4. Run protocol-vlan vlan vlan-id { all | protocol-index1 [ to protocol-index2 ] } [ priority
priority ]
The interface is associated with a protocol-based VLAN.
– vlan-id must be the ID of a protocol-based VLAN.
– priority specifies the 802.1p priority of a protocol-based VLAN. The value ranges
from 0 to 7. A larger value indicates a higher priority. The default value is 0. After
the 802.1p priority of a protocol-based VLAN is specified, the switch first forwards
high-priority frames in the case of congestion.
NOTE
Protocol-based VLAN assignment is invalid for packets with the VLAN ID of 0 on the S5720HI.
----End
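The protocol profile matching described above depends on how the encapsulation of an untagged frame is recognized, which is also why the dsap-id/ssap-id pairs 0xaa, 0xe0, and 0xff cannot be used in a user-defined llc profile. The following Python model is an added example, not part of this guide or of the switch software; the function names, profile keys, and sample frames are constructed for illustration, and tagged frames are left to interface-based handling, which is not modelled.

```python
import struct

# dsap-id/ssap-id pairs that cannot be used in a user-defined llc profile.
# 0xaa/0xaa is the SNAP header; 0xe0 and 0xff are the IPX llc and raw formats.
RESERVED_LLC = {0xAA: "snap", 0xE0: "ipx llc", 0xFF: "ipx raw"}


def llc_profile(dsap, ssap):
    """Build an llc profile key, enforcing the dsap-id/ssap-id restrictions."""
    for value in (dsap, ssap):
        if not 0 <= value <= 0xFF:
            raise ValueError("dsap-id and ssap-id are one byte each")
    if dsap == ssap and dsap in RESERVED_LLC:
        raise ValueError(
            f"dsap/ssap 0x{dsap:02x} is reserved for {RESERVED_LLC[dsap]}")
    return ("llc", (dsap, ssap))


def frame_profile(frame):
    """Identify the encapsulation of an Ethernet frame given as bytes."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (type_or_len,) = struct.unpack_from("!H", frame, 12)
    if type_or_len == 0x8100:
        return ("tagged", None)            # 802.1Q tag present
    if type_or_len >= 0x0600:
        return ("ethernetii", type_or_len)  # value is an EtherType
    if len(frame) < 17:
        raise ValueError("truncated 802.3 payload")
    dsap, ssap = frame[14], frame[15]
    if dsap == ssap == 0xFF:
        return ("ipx-raw", None)
    if dsap == ssap == 0xE0:
        return ("ipx-llc", None)
    if dsap == ssap == 0xAA:
        if len(frame) < 22:
            raise ValueError("truncated SNAP header")
        (etype,) = struct.unpack_from("!H", frame, 20)  # after ctrl + OUI
        return ("snap", etype)
    return ("llc", (dsap, ssap))


def assign_vlan(frame, bindings, pvid):
    """Return the VLAN for an untagged frame: the bound protocol-based VLAN,
    or the PVID when no profile matches. Tagged frames return None here."""
    profile = frame_profile(frame)
    if profile[0] == "tagged":
        return None
    return bindings.get(profile, pvid)


# Constructed sample data: destination + source MAC, then type/length field.
MACS = bytes.fromhex("00e0fc000002" "00e0fc000001")
SAMPLE_FRAMES = {
    "ipv4": MACS + bytes.fromhex("0800") + bytes(20),
    "ipv6": MACS + bytes.fromhex("86dd") + bytes(40),
    "snap-ip": MACS + bytes.fromhex("001c" "aaaa03" "000000" "0800") + bytes(20),
    "llc": MACS + bytes.fromhex("0004" "f0f003") + bytes(1),
    "ipx-raw": MACS + bytes.fromhex("001e" "ffff") + bytes(28),
    "tagged": MACS + bytes.fromhex("8100" "000a" "0800") + bytes(20),
}
SAMPLE_BINDINGS = {
    ("ethernetii", 0x0800): 100,   # mode ethernetii-etype
    ("snap", 0x0800): 200,         # mode snap-etype
    llc_profile(0xF0, 0xF0): 300,  # mode llc dsap ... ssap ...
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, frame_profile(frame), assign_vlan(frame, SAMPLE_BINDINGS, 10))
```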
Context
Policy-based VLAN assignment implements plug-and-play of user terminals and provides
secure data isolation for terminal users.
The switch provides policy-based VLAN assignment based on MAC and IP addresses or
based on MAC and IP addresses and interfaces.
The switch that has policy-based VLAN assignment enabled processes only untagged frames,
and treats tagged frames in the same manner as VLANs configured based on ports.
When receiving an untagged frame, the switch determines the VLAN according to the policy
matching both MAC and IP addresses of the frame, and transmits the frame in the VLAN.
Procedure
Step 1 Run system-view
A VLAN is created and the VLAN view is displayed. If the specified VLAN has been
created, the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in a batch, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in a batch, and then
run the vlan vlan-id command to enter the view of a specified VLAN.
NOTE
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
The vlan configuration command completes the VLAN configuration when the VLAN is not created.
----End
Context
After VLANs are assigned, users in the same VLAN can communicate with each other
while users in different VLANs cannot. If some users in different VLANs need to
communicate, configure inter-VLAN communication. A VLANIF interface is a Layer 3
Generally, a VLANIF interface requires only one IP address. In some scenarios, you need to
configure multiple IP addresses for the VLANIF interface. For example, a switch connects to
a physical network through an interface, and hosts on this network belong to multiple network
segments (multiple PCs connect to the network through hubs or simplified Layer 2 switches,
or one PC uses dual network adapters to connect to the network). To enable the switch to
communicate with all hosts on the physical network, configure a primary IP address and
multiple secondary IP addresses for this interface.
If a VLAN goes Down because all interfaces in the VLAN go Down, the system immediately
reports the VLAN Down event to the corresponding VLANIF interface, instructing the
VLANIF interface to go Down. To avoid network flapping caused by the change of the
VLANIF interface status, enable VLAN damping on the VLANIF interface. After the last
interface in Up state in a VLAN goes Down, the device enabled with VLAN damping starts a
delay timer and informs the corresponding VLANIF interface of the VLAN Down event after
the timer expires. If an interface in the VLAN goes Up during the delay, the VLANIF
interface remains Up.
The Maximum Transmission Unit (MTU) determines the maximum number of bytes each
time a sender can send. If the size of packets exceeds the MTU supported by a receiver or a
transit node, the receiver or transit node fragments the packets or even discards them,
aggravating the network transmission load. To avoid this problem, set the MTU of the
VLANIF interface.
After configuring bandwidth for a VLANIF interface, you can use the NMS to query the
bandwidth. This facilitates traffic monitoring.
Pre-configuration Tasks
Before configuring inter-VLAN communication, complete the following tasks:
Procedure
Step 1 Run system-view
A VLANIF interface goes Up only when at least one physical interface in the corresponding
VLAN is in Up state.
NOTE
An IP address of a VLANIF interface can be statically configured or dynamically obtained using DHCP.
For details about DHCP, see DHCP Configuration in the S1720, S2700, S5700, and S6720
V200R011C10 Configuration Guide - IP Services.
NOTE
l After using the mtu command to change the MTU of an interface, restart the interface to make the
new MTU take effect. To restart the interface, run the shutdown command and then the undo
shutdown command, or run the restart command in the interface view.
l The MTU plus the Layer 2 frame header of a VLANIF interface must be smaller than the maximum
frame length set on the remote interface by the jumboframe command; otherwise, some frames may be
discarded.
----End
Only the VLANIF interface in Up state can forward packets at Layer 3. When the VLANIF
interface goes Down, rectify the fault according to 5.10.2 A VLANIF Interface Goes Down.
Context
After VLANs are assigned, users in the same VLAN can communicate with each other. If
users in a VLAN need to be isolated unidirectionally or bidirectionally, configure a traffic
policy. A traffic policy is configured by binding traffic classifiers to traffic behaviors. The
switch classifies packets according to packet information, and associates a traffic classifier
with a traffic behavior to reject the packets matching the traffic classifier, implementing intra-
VLAN isolation.
The switch provides intra-VLAN Layer 2 isolation based on MQC and based on the ACL-
based simplified traffic policy.
Pre-configuration Tasks
Before configuring a traffic policy to implement intra-VLAN Layer 2 isolation, assign
VLANs.
Procedure
l Configure MQC to implement intra-VLAN Layer 2 isolation.
For details about how to configure MQC, see Configuring Packet Filtering in "Packet
Filtering Configuration" in the S1720, S2700, S5700, and S6720 V200R011C10
Configuration Guide - QoS.
l Configure an ACL-based simplified traffic policy to implement intra-VLAN Layer 2
isolation.
For details about how to configure an ACL-based simplified traffic policy, see
Configuring ACL-based Packet Filtering in "ACL-based Simplified Traffic Policy
Configuration" in the S1720, S2700, S5700, and S6720 V200R011C10 Configuration
Guide - QoS.
----End
Context
After inter-VLAN Layer 3 connectivity is configured, if some users in different VLANs
require unidirectional access or need to be isolated, configure inter-VLAN Layer 3 isolation.
Inter-VLAN Layer 3 isolation is implemented using a traffic policy. A traffic policy is
configured by binding traffic classifiers to traffic behaviors. The switch classifies packets
according to IP addresses or other information in packets, and associates a traffic classifier
with a traffic behavior to reject the packets matching the traffic classifier, implementing inter-
VLAN Layer 3 isolation.
The switch provides inter-VLAN Layer 3 isolation based on MQC and based on the ACL-
based simplified traffic policy. You can select one of them according to your needs.
Pre-configuration Tasks
Before configuring a traffic policy to implement inter-VLAN Layer 3 isolation, perform the
task of 5.7.7 Configuring Inter-VLAN Communication.
Procedure
l Configure MQC to implement inter-VLAN Layer 3 isolation.
For details about how to configure MQC, see Configuring Packet Filtering in "Packet
Filtering Configuration" in the S1720, S2700, S5700, and S6720 V200R011C10
Configuration Guide - QoS.
l Configure an ACL-based simplified traffic policy to implement inter-VLAN Layer 3
isolation.
For details about how to configure an ACL-based simplified traffic policy, see
Configuring ACL-based Packet Filtering in "ACL-based Simplified Traffic Policy
Configuration" in the S1720, S2700, S5700, and S6720 V200R011C10 Configuration
Guide - QoS.
----End
Context
Management VLAN (mVLAN) allows you to use the VLANIF interface of the mVLAN to
log in to the management switch to manage devices in a centralized manner. To use a remote
network management system (NMS) to manage devices in a centralized manner, configure a
management IP address on the switch. You can then log in to the switch in Telnet mode and
manage the switch by using the management IP address. The management IP address can be
configured on a management interface or VLANIF interface. If a user-side interface is added
to the VLAN, users connected to the interface can also log in to the switch. This brings
security risks to the switch.
After a VLAN is configured as an mVLAN, no access interface or Dot1q tunnel interface can
be added to the VLAN. Access and Dot1q tunnel interfaces are often connected to users.
When these interfaces are prevented from joining the mVLAN, users connected to the
interfaces cannot log in to the device, improving device security.
You can only log in to the local device using the management interface, whereas you can log
in to both local and remote devices using a VLANIF interface of an mVLAN. When logging
in to the remote device using the VLANIF interface of an mVLAN, you need to configure
VLANIF interfaces on both local and remote devices and assign IP addresses on the same
network segment to them.
Pre-configuration Tasks
Before configuring an mVLAN, assign VLANs.
Procedure
Step 1 Run system-view
----End
Follow-up Procedure
Log in to the switch to implement centralized management through the NMS. Select either of
the following login modes according to your needs:
l To manage local devices, log in to the local switch using Telnet, STelnet, or HTTPS. For
details, see Configuring Telnet Login, Configuring STelnet Login, or Web System Login
Configuration in the S1720, S2700, S5700, and S6720 V200R011C10 Configuration
Guide - Basic Configurations.
l To manage remote devices, log in to the local device using Telnet or STelnet and log in
to remote devices using Telnet or STelnet from the local device. For details, see
(Optional) Using Telnet to Log In to Another Device From the Local Device in
"Configuring Telnet Login", or (Optional) Logging In to Another Device From the Local
Device Using STelnet in "Configuring STelnet Login" in the S1720, S2700, S5700, and
S6720 V200R011C10 Configuration Guide - Basic Configurations.
Context
When a device used as a gateway or Layer 2 switch is enabled with snooping functions
such as DHCP/IGMP/MLD snooping, the device needs to parse and process protocol packets
such as ARP, DHCP, and IGMP packets. That is, protocol packets received by an interface are
sent to the CPU for processing. The interface sends protocol packets without differentiating
VLANs. If the preceding functions are deployed, protocol packets from all VLANs are sent to
the CPU for processing.
If the device is a gateway of some VLANs or snooping functions are deployed in some
VLANs, the device does not need to process protocol packets in other VLANs. After the
protocol packets in other VLANs are sent to the CPU, the CPU needs to forward them to
other devices. This mechanism is called software forwarding. Software forwarding affects the
forwarding speed and efficiency of protocol packets because protocol packets need to be
processed.
To address this issue, deploy transparent transmission of protocol packets in VLANs where
protocol packets do not need to be processed. This function enables the device to
transparently transmit the protocol packets in the VLANs to other devices, which improves
the forwarding speed and efficiency.
The switch can transparently transmit the following protocol packets: CFM/ARP/BFD/
DHCP/DHCPV6/HTTP/IGMP/MLD/ND/PIM/PIMv6/PPPoE/TACACS.
NOTE
Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support this function.
Procedure
l Configure transparent transmission of protocol packets in a VLAN.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
A VLAN is created and the VLAN view is displayed. If the specified VLAN has
been created, the VLAN view is directly displayed.
c. Run protocol-transparent
Transparent transmission of protocol packets in a VLAN is configured.
By default, transparent transmission of protocol packets in a VLAN is disabled.
l Configure transparent transmission of protocol packets in multiple VLANs.
a. Run system-view
The system view is displayed.
b. Run vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10>
Create one or more VLANs.
c. Run vlan range { vlan-id1 [ to vlan-id2 ] } &<1-10>
A temporary VLAN range is created and its view is displayed. If the VLAN range
has been created, this command directly displays the VLAN-Range view.
l The vlan range command configuration is not saved in the configuration file. If services are
configured in the VLAN-Range view, the service configurations of all the VLANs in the VLAN
range will be saved in the configuration file.
l After transparent transmission of protocol packets is configured in a VLAN, the VLAN cannot be
configured as the multicast VLAN or control VLAN.
l Before running this command, ensure that IGMP or MLD snooping has been disabled in the VLAN.
Otherwise, the configuration may fail.
Context
You can enable traffic statistics collection in a VLAN or on a VLANIF interface and view
traffic statistics about the VLAN or VLANIF interface to monitor VLAN traffic.
Procedure
l Check VLAN traffic statistics.
a. (Optional) Run the vlan statistics interval command in the system view to set the
interval for VLAN traffic statistics collection.
b. (Optional) Run the vlan statistics { by-packets | by-bytes } command in the
system view to set the VLAN traffic statistics collection mode. You can configure
the switch to collect VLAN traffic statistics based on packets or bytes.
NOTE
Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support this command.
b. Run the display interface vlanif [ vlan-id ] command in any view to check traffic
statistics about a VLANIF interface.
----End
Context
Before collecting traffic statistics in a given period of time on an interface, clear existing
statistics on the interface.
The cleared VLAN traffic statistics cannot be restored. Exercise caution when you use the
reset vlan command.
To clear VLAN traffic statistics, run the reset vlan statistics command in the user view.
Procedure
l Run the reset vlan vlan-id statistics command to clear traffic statistics about a specified
VLAN.
----End
Context
Before collecting the packet statistics on a VLANIF interface within a certain period, clear
existing packet statistics on the VLANIF interface.
The cleared statistics cannot be restored. Exercise caution when you run the reset command.
Procedure
l Run the reset counters interface [ interface-type [ interface-number ] ] command to
clear the packet statistics on the specified VLANIF interface.
----End
Context
The cleared LNP packet statistics cannot be restored. Exercise caution when you run the reset
lnp statistics command.
Procedure
l Run the reset lnp statistics [ interface interface-type interface-number ] command in
the user view to clear LNP packet statistics.
----End
Context
Similar to IP ping, GMAC ping detects whether a fault occurs on an Ethernet link or monitors
the link quality. GMAC ping efficiently detects and locates Ethernet faults.
NOTE
The S1720GFR does not support this function.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the ping mac enable command to enable GMAC ping globally.
After GMAC ping is enabled on the device, the device can ping the remote device and
respond to received GMAC ping packets.
Step 3 Run the ping mac mac-address vlan vlan-id [ interface interface-type interface-number | -c
count | -s packetsize | -t timeout | -p priority-value ] * command to perform GMAC ping to
check connectivity of the link between the local and remote devices.
A MEP is not required to initiate GMAC ping. The destination node cannot be a MEP or MIP.
You can perform GMAC ping without configuring the MD, MA, or MEP on the source
device, intermediate device, and destination device.
The two devices must be configured with IEEE 802.1ag of the same version. If the local
device is configured with IEEE 802.1ag Draft 7 and the remote device is configured with
IEEE Standard 802.1ag-2007, the ping mac command does not take effect. That is, the local
device cannot ping the remote device.
----End
Context
Similar to IP traceroute, GMAC trace detects whether a fault occurs on an Ethernet link or
monitors the link quality. GMAC trace efficiently detects and locates Ethernet faults.
GMAC trace is applicable to the network where no MD, MA, or MEP is configured.
NOTE
The S1720GFR does not support this function.
Procedure
Step 1 Configure the devices on both ends of a link and the intermediate device.
Perform the following operations on the devices at both ends of the link to be tested and
intermediate device.
After GMAC ping is enabled on the device, the device can ping the remote device and
respond to received GMAC ping packets.
Perform the following operations on the device at one end of the link to be tested.
A MEP is not required to initiate GMAC trace. The destination node cannot be a MEP or
MIP. That is, GMAC trace can be implemented without configuring the MD, MA, or
MEP on the source device, intermediate device, and destination device. All the
intermediate devices can respond with an LTR.
The two devices must be configured with IEEE 802.1ag of the same version. If the local
device is configured with IEEE 802.1ag Draft 7 and the remote device is configured with
IEEE Standard 802.1ag-2007, the trace mac command does not take effect. That is, the
connectivity fault cannot be located.
----End
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces connecting to user terminals to VLANs to isolate
Layer 2 traffic between users who use different services.
2. Configure the type of link between SwitchA and SwitchB and VLANs to allow users
who use the same service to communicate.
Procedure
Step 1 Create VLAN 2 and VLAN 3 on SwitchA, and add interfaces connected to user terminals to
different VLANs. The configuration of SwitchB is similar to that of SwitchA, and is not
mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 2
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type access
[SwitchA-GigabitEthernet0/0/2] port default vlan 3
[SwitchA-GigabitEthernet0/0/2] quit
Step 2 Configure the type of the interface connected to SwitchB on SwitchA and VLANs. The
configuration of SwitchB is similar to that of SwitchA, and is not mentioned here.
----End
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 3
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
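To check that a saved configuration file still enforces the intended Layer 2 isolation, the VLAN membership of each interface can be extracted and compared with the design. The following is an added example, not part of the Huawei guide; the function names, the `EXPECTED` map, and the drifted configuration are constructed for illustration.

```python
import re

# SwitchA configuration file as printed above (the extract has no indentation).
SWITCHA_CONFIG = """\
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 3
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
"""

# Constructed variant: the trunk has drifted and now also allows VLAN 4.
DRIFTED_CONFIG = SWITCHA_CONFIG.replace("allow-pass vlan 2 to 3",
                                        "allow-pass vlan 2 to 4")

# Intended design (assumption): access ports carry one VLAN, the trunk both.
EXPECTED = {
    "GigabitEthernet0/0/1": {2},
    "GigabitEthernet0/0/2": {3},
    "GigabitEthernet0/0/3": {2, 3},
}

# Interface commands that place an interface in one or more VLANs.
VLAN_CMD = re.compile(
    r"^port (?:default vlan|trunk allow-pass (?:only-)?vlan|"
    r"hybrid (?:un)?tagged vlan) (.+)$"
)


def expand_vlans(spec):
    """Expand a VLAN list such as '2 to 3 10' into {2, 3, 10}."""
    tokens = spec.split()
    vlans, i = set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            return set(range(1, 4095))
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_config(text):
    """Return (created_vlans, {interface: {"link_type": str, "vlans": set}}).

    Only VLANs configured explicitly in the file are reported; defaults that
    do not appear in the file are not modelled.
    """
    created, ports, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            current = None                      # '#' closes a section
        elif line.startswith("vlan batch "):
            created |= expand_vlans(line[len("vlan batch "):])
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = {"link_type": None, "vlans": set()}
        elif current and line.startswith("port link-type "):
            ports[current]["link_type"] = line.split()[-1]
        elif current:
            match = VLAN_CMD.match(line)
            if match:
                ports[current]["vlans"] |= expand_vlans(match.group(1))
    return created, ports


def audit(text, expected):
    """List interfaces whose VLAN membership differs from the intended design."""
    created, ports = parse_config(text)
    findings = []
    for name, port in sorted(ports.items()):
        extra = port["vlans"] - expected.get(name, set())
        if extra:
            findings.append(f"{name}: carries unexpected VLANs {sorted(extra)}")
        uncreated = port["vlans"] - created
        if uncreated:
            findings.append(f"{name}: VLANs {sorted(uncreated)} not created by vlan batch")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as documented", SWITCHA_CONFIG), ("drifted", DRIFTED_CONFIG)):
        print(label, audit(cfg, EXPECTED) or "no findings")
```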
Related Content
Videos
l Configuring Interface-based VLAN Assignment
l Configuring Interface-based VLAN Assignment(FAQ)
[Figure: network diagram with Switch3 (GE0/0/1, GE0/0/2) above Switch1 and Switch2 (each with GE0/0/1, GE0/0/2, and GE0/0/3), serving VLAN10 and VLAN20]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable LNP in the system view and interface view to implement auto-negotiation.
Because PCs do not support LNP, switch interfaces connected to terminals are used as
access interfaces and interfaces between switches are used as trunk interfaces through
negotiation.
2. Create VLANs and add interfaces to VLANs to implement Layer 2 connectivity.
Procedure
Step 1 Enable global LNP.
By default, global LNP is enabled. If LNP is disabled, run the undo lnp disable command in
the system view to enable LNP.
Step 2 Create VLANs.
You can create VLANs on each switch, or create VLANs on Switch3 and use the VLAN
Central Management Protocol (VCMP) to synchronize created VLANs to other switches. The
following describes how to create VLANs. If VCMP is used, you need to configure Switch3
as the VCMP server and Switch1 and Switch2 as the VCMP clients. For details, see 13
VCMP Configuration.
# Create VLAN 10 and VLAN 20 on Switch3. The configuration of Switch1 and Switch2 is
similar to the configuration of Switch3, and is not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname Switch3
[Switch3] vlan batch 10 20
Step 3 Enable LNP on interfaces, and add switch interfaces connected to PCs to a VLAN as access
interfaces and interfaces between switches to VLANs as trunk interfaces.
NOTE
l If the interface is not a Layer 2 interface, you need to run the portswitch command to set the
interface to work in Layer 2 mode.
l By default, LNP is enabled. If LNP is disabled, run the undo port negotiation disable command to
enable LNP on the interface.
# Configure Switch3.
[Switch3] interface GigabitEthernet 0/0/1
[Switch3-GigabitEthernet0/0/1] port trunk allow-pass only-vlan 10 20
[Switch3-GigabitEthernet0/0/1] quit
[Switch3] interface GigabitEthernet 0/0/2
[Switch3-GigabitEthernet0/0/2] port trunk allow-pass only-vlan 10 20
[Switch3-GigabitEthernet0/0/2] quit
NOTE
The port trunk allow-pass only-vlan 10 20 command configures the interface to allow only VLAN 10
and VLAN 20.
Packets statistics
56 packets received
0 packets dropped
bad version: 0, bad TLV(s): 0, bad port link type: 0,
bad negotiation state: 0, other: 0
58 packets output
0 packets dropped
other: 0
Run the display lnp summary command to view auto-negotiation information on all
interfaces of the Layer 2 device.
[Switch1] display lnp summary
Global LNP : Negotiation enable
-------------------------------------------------------------------------------
C: Configured; N: Negotiated; *: Negotiation disable;
Port link-type(C) link-type(N) InDropped OutDropped FSM
-------------------------------------------------------------------------------
GE0/0/1 desirable access 0 0 access
GE0/0/2 desirable trunk 0 0 trunk
GE0/0/3 desirable access 0 0 access
----End
Configuration Files
l Switch1 configuration file
#
sysname Switch1
#
vlan batch 10 20
#
interface GigabitEthernet0/0/1
port default vlan 10
#
interface GigabitEthernet0/0/2
port trunk allow-pass only-vlan 10 20
#
interface GigabitEthernet0/0/3
port default vlan 20
#
return
l Switch3 configuration file
#
sysname Switch3
#
vlan batch 10 20
#
interface GigabitEthernet0/0/1
port trunk allow-pass only-vlan 10 20
#
interface GigabitEthernet0/0/2
port trunk allow-pass only-vlan 10 20
#
return
[Figure: network diagram showing the enterprise network, the Switch, and interfaces GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and determine which VLAN the PCs of employees belong to.
2. Add Ethernet interfaces to VLANs so that packets of the VLANs can pass through the
interfaces.
3. Associate MAC addresses of PC1, PC2, and PC3 with the specified VLAN so that the
VLAN of the packets can be determined based on the source MAC address.
Procedure
Step 1 Configure the Switch.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
# Add interfaces to the VLANs and enable MAC address-based VLAN assignment on GE0/0/2. The
configuration of GE0/0/3 or GE0/0/4 is similar to that of GE0/0/2, and is not mentioned here.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid tagged vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type hybrid
[Switch-GigabitEthernet0/0/2] port hybrid untagged vlan 10
[Switch-GigabitEthernet0/0/2] mac-vlan enable
[Switch-GigabitEthernet0/0/2] quit
# Associate MAC addresses of PC1, PC2, and PC3 with VLAN 10.
[Switch] vlan 10
[Switch-vlan10] mac-vlan mac-address 22-22-22
[Switch-vlan10] mac-vlan mac-address 33-33-33
[Switch-vlan10] mac-vlan mac-address 44-44-44
[Switch-vlan10] quit
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
vlan 10
mac-vlan mac-address 0022-0022-0022 priority 0
mac-vlan mac-address 0033-0033-0033 priority 0
mac-vlan mac-address 0044-0044-0044 priority 0
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 10
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid untagged vlan 10
mac-vlan enable
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid untagged vlan 10
mac-vlan enable
#
interface GigabitEthernet0/0/4
port link-type hybrid
port hybrid untagged vlan 10
mac-vlan enable
#
return
[Figure: network diagram showing the enterprise network, Switch1 (GE0/0/1, GE0/0/2), a Layer 2 switch, VLAN 10, and VLAN 20]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and determine the VLANs to which the PCs belong.
2. Associate PCs' MAC addresses with VLANs so that VLANs are assigned based on
source MAC addresses in packets.
3. Add interfaces to VLANs to implement Layer 2 forwarding.
Procedure
Step 1 Configure Switch1.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan batch 10 20
# Associate MAC addresses of PC1 and PC2 with VLAN 10 and MAC addresses of PC3 and
PC4 with VLAN 20.
[Switch1] vlan 10
[Switch1-vlan10] mac-vlan mac-address 11-11-11
[Switch1-vlan10] mac-vlan mac-address 22-22-22
[Switch1-vlan10] quit
[Switch1] vlan 20
[Switch1-vlan20] mac-vlan mac-address 33-33-33
[Switch1-vlan20] mac-vlan mac-address 44-44-44
[Switch1-vlan20] quit
# Configure GE0/0/1 connected to the Layer 2 switch as a hybrid interface, add it to the
VLANs associated with MAC addresses in untagged mode, and enable MAC address-based
VLAN assignment on it.
[Switch1] interface gigabitethernet 0/0/1
[Switch1-GigabitEthernet0/0/1] port link-type hybrid
[Switch1-GigabitEthernet0/0/1] port hybrid untagged vlan 10 20
[Switch1-GigabitEthernet0/0/1] mac-vlan enable
[Switch1-GigabitEthernet0/0/1] quit
Configuration Files
Switch1 configuration file
#
sysname Switch1
#
vlan batch 10 20
#
vlan 10
mac-vlan mac-address 0011-0011-0011 priority 0
mac-vlan mac-address 0022-0022-0022 priority 0
vlan 20
mac-vlan mac-address 0033-0033-0033 priority 0
mac-vlan mac-address 0044-0044-0044 priority 0
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid untagged vlan 10 20
mac-vlan enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20
#
return
As shown in Figure 5-28, the Switch receives packets of multiple services such as data, IPTV,
and voice services. User devices of these services use IP addresses on different IP subnets.
The Switch needs to assign VLANs to packets of different services so that the router can
transmit packets with different VLAN IDs to different servers.
[Figure: network diagram showing the router, the Switch (GE0/0/1, GE0/0/2), and a simplified Layer 2 switch]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces to VLANs so that the interfaces allow the IP subnet-
based VLANs.
2. Enable IP subnet-based VLAN assignment and associate IP subnets with VLANs so that
the Switch determines VLANs according to IP addresses or network segments of
packets.
NOTE
You do not need to perform any configuration on a simplified Layer 2 switch. To enable the router to
transmit packets with different VLAN IDs to different servers, perform the following operations:
l Add the router interface connected to the Switch to all service VLANs in tagged mode.
l Add each interface of each service network to a service VLAN and configure a VLANIF interface.
For details, see the router configuration guide.
Procedure
Step 1 Create VLANs.
# Create VLAN 100, VLAN 200, and VLAN 300 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200 300
# On the Switch, configure GE0/0/1 as the hybrid interface, add GE0/0/1 to VLAN 100,
VLAN 200, and VLAN 300 in untagged mode, and enable IP subnet-based VLAN
assignment.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 100 200 300
[Switch-GigabitEthernet0/0/1] ip-subnet-vlan enable
[Switch-GigabitEthernet0/0/1] quit
# On the Switch, configure GE0/0/2 as the trunk interface and add GE0/0/2 to VLAN 100, VLAN
200, and VLAN 300 in tagged mode.
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 200 300
[Switch-GigabitEthernet0/0/2] quit
# On the Switch, associate IP subnet 192.168.1.2/24 with VLAN 100 and set the 802.1p
priority of VLAN 100 to 2.
[Switch] vlan 100
[Switch-vlan100] ip-subnet-vlan 1 ip 192.168.1.2 24 priority 2
[Switch-vlan100] quit
# On the Switch, associate IP subnet 192.168.2.2/24 with VLAN 200 and set the 802.1p
priority of VLAN 200 to 3.
[Switch] vlan 200
[Switch-vlan200] ip-subnet-vlan 1 ip 192.168.2.2 24 priority 3
[Switch-vlan200] quit
# On the Switch, associate IP subnet 192.168.3.2/24 with VLAN 300 and set the 802.1p
priority of VLAN 300 to 4.
[Switch] vlan 300
[Switch-vlan300] ip-subnet-vlan 1 ip 192.168.3.2 24 priority 4
[Switch-vlan300] quit
Run the display ip-subnet-vlan vlan all command on the Switch. The following information
is displayed:
[Switch] display ip-subnet-vlan vlan all
----------------------------------------------------------------
Vlan Index IpAddress SubnetMask Priority
----------------------------------------------------------------
100 1 192.168.1.2 255.255.255.0 2
200 1 192.168.2.2 255.255.255.0 3
300 1 192.168.3.2 255.255.255.0 4
----------------------------------------------------------------
ip-subnet-vlan count: 3 total count: 3
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100 200 300
#
vlan 100
ip-subnet-vlan 1 ip 192.168.1.2 255.255.255.0 priority 2
vlan 200
ip-subnet-vlan 1 ip 192.168.2.2 255.255.255.0 priority 3
vlan 300
ip-subnet-vlan 1 ip 192.168.3.2 255.255.255.0 priority 4
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid untagged vlan 100 200 300
ip-subnet-vlan enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 200 300
#
return
[Figure: network diagram showing the voice network and the Internet, RouterA and RouterB, the Switch (GE0/0/1, GE0/0/2, GE0/0/3), and Switch1 (GE0/0/1, GE0/0/2, GE0/0/3) with IPv4 in VLAN 10 and IPv6 in VLAN 20]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and determine which VLAN each service belongs to.
2. Associate protocols with VLANs so that received packets are assigned to VLANs based
on their protocols.
3. Add interfaces to VLANs so that packets of the protocol-based VLANs can pass through
the interfaces.
4. Associate interfaces with VLANs.
After the Switch receives a frame of a specified protocol, it assigns the VLAN ID
associated with the protocol to the frame.
Procedure
Step 1 Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan batch 10 20
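# Associate IPv4 with VLAN 10 and IPv6 with VLAN 20 on Switch1.
[Switch1] vlan 10
[Switch1-vlan10] protocol-vlan ipv4
[Switch1-vlan10] quit
[Switch1] vlan 20
[Switch1-vlan20] protocol-vlan ipv6
[Switch1-vlan20] quit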
# Associate GE0/0/2 with VLAN 10 and set the 802.1p priority of VLAN 10 to 5 on Switch1.
[Switch1] interface gigabitethernet 0/0/2
[Switch1-GigabitEthernet0/0/2] protocol-vlan vlan 10 all priority 5
[Switch1-GigabitEthernet0/0/2] quit
# Associate GE0/0/3 with VLAN 20 and set the 802.1p priority of VLAN 20 to 6 on Switch1.
[Switch1] interface gigabitethernet 0/0/3
[Switch1-GigabitEthernet0/0/3] protocol-vlan vlan 20 all priority 6
[Switch1-GigabitEthernet0/0/3] quit
After the configuration is complete, run the display protocol-vlan interface all command on
Switch1 to view the protocol-based VLAN assignment.
----End
Configuration Files
l Switch1 configuration file
#
sysname Switch1
#
vlan batch 10 20
#
vlan 10
protocol-vlan 0 ipv4
vlan 20
protocol-vlan 0 ipv6
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid untagged vlan 10
protocol-vlan vlan 10 0 priority 5
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid untagged vlan 20
protocol-vlan vlan 20 0 priority 6
#
return
Networking Requirements
Different user hosts of a company transmit the same service, and are located on different
network segments. User hosts transmitting the same service belong to different VLANs and
need to communicate.
As shown in Figure 5-30, User1 and User2 use the same service but belong to different
VLANs and are located on different network segments. User1 and User2 need to
communicate.
[Figure: the Switch with GE0/0/1 (VLANIF10, 10.10.10.2/24) toward User1 (10.10.10.3/24) in VLAN 10, and GE0/0/2 (VLANIF20, 10.10.20.2/24) toward User2 (10.10.20.3/24) in VLAN 20]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and determine VLANs that users belong to.
2. Add interfaces to VLANs and configure the interfaces to allow the VLANs.
3. Create VLANIF interfaces and configure IP addresses for the VLANIF interfaces to
implement Layer 3 connectivity.
NOTE
To implement inter-VLAN communication, hosts in each VLAN must use the IP address of the
corresponding VLANIF interface as the gateway address.
Procedure
Step 1 Configure the Switch.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
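# Create VLANIF interfaces and assign IP addresses to them.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.10.10.2 24
[Switch-Vlanif10] quit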
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.10.20.2 24
[Switch-Vlanif20] quit
After the configuration is complete, User1 in VLAN 10 and User2 in VLAN 20 can
communicate.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface Vlanif20
ip address 10.10.20.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
return
Networking Requirements
As shown in Figure 5-31, Switch_1 and Switch_2 are connected to Layer 2 networks that
VLAN 10 belongs to. Switch_1 communicates with Switch_2 through a Layer 3 network
where OSPF is enabled.
PCs of the two Layer 2 networks need to be isolated at Layer 2 and interwork at Layer 3.
[Figure: Switch_1 and Switch_2 connected through GE0/0/2 across an OSPF network; GE0/0/1 on each switch connects to a Layer 2 network in VLAN10]
Configuration Roadmap
The configuration roadmap is as follows:
1. Add interfaces to VLANs and configure the interfaces to allow the VLANs.
2. Configure IP addresses for VLANIF interfaces to implement Layer 3 connectivity.
3. Configure basic OSPF functions to implement interworking.
Procedure
Step 1 Configure Switch_1.
# Create VLAN 10 and VLAN 30.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 10 30
On the PC of the Layer 2 network connected to Switch_2, set the default gateway address to
the IP address of VLANIF10, that is, 10.10.20.1.
After the configuration is complete, PCs on the two Layer 2 networks are isolated at Layer 2
and interwork at Layer 3.
----End
Configuration Files
l Switch_1 configuration file
#
sysname Switch_1
#
router id 1.1.1.1
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface Vlanif30
ip address 10.10.30.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
ospf 1
area 0.0.0.0
network 10.10.10.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return
Related Content
Videos
Deploying a Layer 3 Switch on a LAN
Networking Requirements
On the enterprise network shown in Figure 5-32, hosts in the same VLAN belong to network
segments of 10.1.1.1/24 and 10.1.2.1/24. Hosts on the two network segments are required to
access the Internet through the Switch and communicate.
[Figure: the Switch connects through GE0/0/3 (VLANIF20, 10.10.10.1/24) to the router (10.10.10.2/24) and the Internet; GE0/0/1 and GE0/0/2 are in VLAN10 (VLANIF10, primary IP 10.1.1.1/24, secondary IP 10.1.2.1/24) and connect Host1 (10.1.1.2/24) and Host2 (10.1.2.2/24)]
Configuration Roadmap
If only one IP address is configured for the VLANIF interface on the Switch, only hosts on
one network segment can access the Internet through the Switch. To enable all hosts on the
LAN to access the Internet through the Switch, configure a secondary IP address for the
VLANIF interface. To enable hosts on the two network segments to communicate, the hosts
on the two network segments need to use the primary and secondary IP addresses of the
VLANIF interface as default gateway addresses.
The configuration roadmap is as follows:
1. Create VLANs and add interfaces to the VLANs.
2. Configure VLANIF interfaces and assign IP addresses to them so that hosts on the two
network segments can communicate.
3. Configure a routing protocol so that hosts can access the Internet through the Switch.
Procedure
Step 1 Create VLANs and add interfaces to the VLANs.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
ip address 10.1.2.1 255.255.255.0 sub
#
interface Vlanif20
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.10.10.0 0.0.0.255
#
return
Related Content
Videos
Deploying a Layer 3 Switch on a LAN
Networking Requirements
As shown in Figure 5-33, to ensure communication security, a company assigns visitors,
employees, and servers to VLAN 10, VLAN 20, and VLAN 30 respectively. The
requirements are as follows:
l Employees, visitors, and servers can access the Internet.
l Visitors can access only the Internet, and cannot communicate with employees in any
other VLANs.
l Employee A can access all resources in the server area, and other employees can access
port 21 (FTP service) of server A.
[Figure: network diagram showing the Internet, the router, and Switch_4 (GE0/0/1, GE0/0/2, GE0/0/3, GE0/0/4; VLANIF100, 10.1.100.1/24)]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces to the VLANs to implement Layer 2 isolation of
visitors, employees, and servers.
2. Configure VLANIF interfaces and assign IP addresses to them to implement Layer 3
connectivity between employees, servers, and visitors.
3. Configure a routing protocol so that visitors, employees, and servers can access the
Internet through the Switch.
4. Configure and apply a traffic policy so that employee A can access all resources in the
server area, other employees can access only port 21 (FTP service) of server A,
employees can access only servers, and visitors can access only the Internet.
Procedure
Step 1 Create VLANs and add interfaces to the VLANs to implement Layer 2 isolation of visitors,
employees, and servers.
# Create VLAN 10 on Switch_1, add GE0/0/1 to VLAN 10 in untagged mode and GE0/0/2 to
VLAN 10 in tagged mode. The configurations of Switch_2 and Switch_3 are similar to the
configuration of Switch_1, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 10
# Create VLAN 10, VLAN 20, VLAN 30, and VLAN 100 on Switch_4, and add GE0/0/1-
GE0/0/4 to VLAN 10, VLAN 20, VLAN 30, and VLAN 100 in tagged mode.
<HUAWEI> system-view
[HUAWEI] sysname Switch_4
[Switch_4] vlan batch 10 20 30 100
[Switch_4] interface gigabitethernet 0/0/1
[Switch_4-GigabitEthernet0/0/1] port link-type trunk
[Switch_4-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch_4-GigabitEthernet0/0/1] quit
[Switch_4] interface gigabitethernet 0/0/2
[Switch_4-GigabitEthernet0/0/2] port link-type trunk
[Switch_4-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[Switch_4-GigabitEthernet0/0/2] quit
[Switch_4] interface gigabitethernet 0/0/3
[Switch_4-GigabitEthernet0/0/3] port link-type trunk
[Switch_4-GigabitEthernet0/0/3] port trunk allow-pass vlan 30
[Switch_4-GigabitEthernet0/0/3] quit
[Switch_4] interface gigabitethernet 0/0/4
[Switch_4-GigabitEthernet0/0/4] port link-type trunk
[Switch_4-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[Switch_4-GigabitEthernet0/0/4] quit
Step 2 Configure VLANIF interfaces and assign IP addresses to them to implement Layer 3
connectivity between employees, servers, and visitors.
# On Switch_4, create VLANIF 10, VLANIF 20, VLANIF 30, and VLANIF 100 and assign IP
addresses of 10.1.1.1/24, 10.1.2.1/24, 10.1.3.1/24, and 10.1.100.1/24 to them respectively.
[Switch_4] interface vlanif 10
[Switch_4-Vlanif10] ip address 10.1.1.1 24
[Switch_4-Vlanif10] quit
[Switch_4] interface vlanif 20
[Switch_4-Vlanif20] ip address 10.1.2.1 24
[Switch_4-Vlanif20] quit
[Switch_4] interface vlanif 30
[Switch_4-Vlanif30] ip address 10.1.3.1 24
[Switch_4-Vlanif30] quit
[Switch_4] interface vlanif 100
[Switch_4-Vlanif100] ip address 10.1.100.1 24
[Switch_4-Vlanif100] quit
Step 3 Configure a routing protocol so that visitors, employees, and servers can access the Internet
through the Switch.
# Configure basic OSPF functions on Switch_4 and configure OSPF to advertise network
segments of hosts and the network segment between Switch_4 and the router.
[Switch_4] ospf
[Switch_4-ospf-1] area 0
[Switch_4-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[Switch_4-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[Switch_4-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[Switch_4-ospf-1-area-0.0.0.0] network 10.1.100.0 0.0.0.255
[Switch_4-ospf-1-area-0.0.0.0] quit
[Switch_4-ospf-1] quit
Step 4 Configure and apply a traffic policy to control access of employees, visitors, and servers.
1. Configure ACLs to define flows.
# Configure ACL 3000 on Switch_4 to prevent visitors from accessing employees' PCs
and servers.
[Switch_4] acl 3000
[Switch_4-acl-adv-3000] rule deny ip destination 10.1.2.1 0.0.0.255
[Switch_4-acl-adv-3000] rule deny ip destination 10.1.3.1 0.0.0.255
[Switch_4-acl-adv-3000] quit
# Configure ACL 3001 on Switch_4 so that employee A can access all resources in the
server area and other employees can access only port 21 of server A.
[Switch_4] acl 3001
[Switch_4-acl-adv-3001] rule permit ip source 10.1.2.2 0 destination 10.1.3.1 0.0.0.255
[Switch_4-acl-adv-3001] rule permit tcp destination 10.1.3.2 0 destination-port eq 21
[Switch_4-acl-adv-3001] rule deny ip destination 10.1.3.1 0.0.0.255
[Switch_4-acl-adv-3001] quit
4. Configure traffic policies and associate traffic classifiers with the traffic behavior in the
traffic policies.
# Create traffic policies p_custom and p_staff on Switch_4, and associate traffic
classifiers c_custom and c_staff with traffic behavior b1.
[Switch_4] traffic policy p_custom
[Switch_4-trafficpolicy-p_custom] classifier c_custom behavior b1
[Switch_4-trafficpolicy-p_custom] quit
[Switch_4] traffic policy p_staff
[Switch_4-trafficpolicy-p_staff] classifier c_staff behavior b1
[Switch_4-trafficpolicy-p_staff] quit
5. Apply the traffic policies to control access of employees, visitors, and servers.
# On Switch_4, apply traffic policies p_custom and p_staff in the inbound direction of
VLAN 10 and VLAN 20 respectively.
[Switch_4] vlan 10
[Switch_4-vlan10] traffic-policy p_custom inbound
[Switch_4-vlan10] quit
[Switch_4] vlan 20
[Switch_4-vlan20] traffic-policy p_staff inbound
[Switch_4-vlan20] quit
----End
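The following added example (not from the Huawei guide) replays ACL 3000 and ACL 3001 against constructed packets to check them against the access requirements stated above. It assumes rules are checked in the order configured with the first match deciding, that classifiers c_custom and c_staff reference ACL 3000 and ACL 3001, that behavior b1 permits, and that traffic matching no rule is forwarded normally; `Rule`, `verdict`, and `packet` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only bits whose wildcard bit is 0 (0.0.0.255 ignores the last octet)."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    proto: str                               # "ip" matches every IP protocol
    src: Optional[Tuple[str, str]] = None    # (address, wildcard)
    dst: Optional[Tuple[str, str]] = None    # (address, wildcard)
    dport: Optional[int] = None              # destination-port eq N

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.src and not wildcard_match(pkt["src"], *self.src):
            return False
        if self.dst and not wildcard_match(pkt["dst"], *self.dst):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


# Rules transcribed from the page; the CLI wildcard "0" is written as 0.0.0.0.
ACL_3000 = [
    Rule("deny", "ip", dst=("10.1.2.1", "0.0.0.255")),
    Rule("deny", "ip", dst=("10.1.3.1", "0.0.0.255")),
]
ACL_3001 = [
    Rule("permit", "ip", src=("10.1.2.2", "0.0.0.0"), dst=("10.1.3.1", "0.0.0.255")),
    Rule("permit", "tcp", dst=("10.1.3.2", "0.0.0.0"), dport=21),
    Rule("deny", "ip", dst=("10.1.3.1", "0.0.0.255")),
]

# Assumption: p_custom (VLAN 10, inbound) uses ACL 3000; p_staff (VLAN 20) uses ACL 3001.
INBOUND_ACL = {10: ACL_3000, 20: ACL_3001}


def verdict(vlan: int, pkt: dict) -> str:
    """Return the action of the first matching rule, or 'no-match'."""
    for rule in INBOUND_ACL.get(vlan, []):
        if rule.matches(pkt):
            return rule.action
    return "no-match"


def packet(src: str, dst: str, proto: str = "tcp", dport: Optional[int] = None) -> dict:
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


# Constructed test traffic: (description, ingress VLAN, packet).
CASES = [
    ("visitor -> employee PC", 10, packet("10.1.1.10", "10.1.2.5", dport=445)),
    ("visitor -> server A FTP", 10, packet("10.1.1.10", "10.1.3.2", dport=21)),
    ("visitor -> Internet", 10, packet("10.1.1.10", "203.0.113.5", dport=443)),
    ("employee A -> any server", 20, packet("10.1.2.2", "10.1.3.9", dport=445)),
    ("other employee -> server A port 21", 20, packet("10.1.2.3", "10.1.3.2", dport=21)),
    ("other employee -> server A high port", 20, packet("10.1.2.3", "10.1.3.2", dport=50000)),
    ("other employee -> other server port 21", 20, packet("10.1.2.3", "10.1.3.3", dport=21)),
    ("other employee -> visitor", 20, packet("10.1.2.3", "10.1.1.10", proto="icmp")),
]


def run_cases():
    return [(name, verdict(vlan, pkt)) for name, vlan, pkt in CASES]


if __name__ == "__main__":
    for name, result in run_cases():
        print(f"{name:42s} {result}")
```

The run shows that other employees reach server A on TCP port 21 only, so any further TCP connection they open to server A (for example an FTP data connection on a high port) hits the final deny rule. It also shows that ACL 3001 has no rule for employee-to-visitor traffic, so only the reverse direction is dropped, by ACL 3000.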
Configuration Files
l Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
Networking Requirements
As shown in Figure 5-34, users need to securely log in to the Switch for remote management.
There is no idle management interface on the Switch.
[Figure: the PC (10.1.1.1/24) reaches GE0/0/1 of the Switch (10.10.10.2/24) across an IP network]
Configuration Roadmap
A management interface or VLANIF interface of an mVLAN can be used to log in to the
device for remote management. The device has no idle management interface, so the mVLAN
is used. STelnet is used to ensure login security. The configuration roadmap is as follows:
l The user PC needs to be configured with the software for logging in to the SSH server, key pair
generation software, and public key conversion software.
l To ensure device security, change the password periodically.
Procedure
Step 1 Configure an mVLAN and add an interface to the mVLAN.
# Create VLAN 10 on the Switch and specify VLAN 10 as the mVLAN, and add GE0/0/1 to
VLAN 10 in tagged mode.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] management-vlan
[Switch-vlan10] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/1] quit
Step 2 Configure a VLANIF interface and assign an IP address to the VLANIF interface.
# Create VLANIF 10 on the Switch and configure the IP address of 10.10.10.2/24 for it.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.10.10.2 24
[Switch-Vlanif10] quit
# Create an SSH user named client001 on the Switch and configure password
authentication.
[Switch] aaa
[Switch-aaa] local-user client001 password irreversible-cipher Huawei@123
[Switch-aaa] local-user client001 privilege level 3
[Switch-aaa] local-user client001 service-type ssh
[Switch-aaa] quit
[Switch] ssh user client001 authentication-type password
NOTE
The PC connects to the switch through the intermediate device. The intermediate device needs to
transparently transmit packets from mVLAN 10 and has a route from 10.1.1.1/24 to 10.10.10.2/24.
After the configuration is complete, the user can log in to the Switch from the PC using
password authentication.
# Run the PuTTY software on the user PC. The dialog box shown in Figure 5-35 is displayed.
Enter 10.10.10.2 (IP address of the Switch) and select SSH.
# Click Open. On the page that is displayed on the Switch, enter the user name and password,
and press Enter.
login as: client001
SSH server: User Authentication
Using keyboard-interactive authentication.
Password:
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
The current login time is 2014-02-25 05:45:41+00:00.
<Switch>
The user can successfully log in to the Switch for remote management.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
vlan 10
management-vlan
#
aaa
local-user client001 password irreversible-cipher $1a$EqZEVTq=/@T2XM0q0W{Ec[Fs2@&4YII@-=(lbr[K>4Dq76]3#BgqMOAxu^%$$
local-user client001 privilege level 3
local-user client001 service-type ssh
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
#
user-interface vty 0 14
authentication-mode aaa
#
return
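The settings this STelnet example relies on can be checked mechanically in a saved configuration. The following Python sketch is an added example, not part of the Huawei guide: the function names and finding labels are hypothetical, the weak variant is constructed, and the cipher text is a placeholder.

```python
import re

# Constructed sample: the Switch configuration file from this example, laid out
# as a saved configuration. The cipher text is a placeholder, not a real value.
GOOD_CONFIG = """\
#
sysname Switch
#
vlan batch 10
#
vlan 10
 management-vlan
#
aaa
 local-user client001 password irreversible-cipher <placeholder-cipher-text>
 local-user client001 privilege level 3
 local-user client001 service-type ssh
#
interface Vlanif10
 ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
#
user-interface vty 0 14
 authentication-mode aaa
#
return
"""

# Constructed weak variant used to show what the checks report.
WEAK_CONFIG = (GOOD_CONFIG
               .replace("stelnet server enable\n", "")
               .replace(" management-vlan\n", "")
               .replace("irreversible-cipher", "cipher")
               .replace(" authentication-mode aaa", " authentication-mode password"))

def sections(config):
    """Split a saved configuration into blocks separated by '#' lines."""
    blocks, current = [], []
    for raw in config.splitlines() + ["#"]:
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    return blocks

def audit(config):
    """Return finding strings; an empty list means every check passed."""
    blocks = sections(config)
    lines = [line for block in blocks for line in block]
    findings = []
    # 1. The STelnet (SSH) server must be enabled globally.
    if "stelnet server enable" not in lines:
        findings.append("stelnet-server-not-enabled")
    # 2. A management VLAN must exist and its VLANIF must have an IP address.
    mvlans = [b[0].split()[1] for b in blocks
              if re.fullmatch(r"vlan \d+", b[0]) and "management-vlan" in b[1:]]
    if not mvlans:
        findings.append("no-management-vlan")
    for vid in mvlans:
        vlanif = next((b for b in blocks if b[0].lower() == f"interface vlanif{vid}"), [])
        if not any(line.startswith("ip address ") for line in vlanif):
            findings.append(f"mvlan-{vid}-vlanif-without-ip")
    # 3. Local passwords must be stored with the irreversible-cipher keyword.
    services = {}
    for line in lines:
        m = re.match(r"local-user (\S+) password (\S+)", line)
        if m and m.group(2) != "irreversible-cipher":
            findings.append(f"password-not-irreversible:{m.group(1)}")
        m = re.match(r"local-user (\S+) service-type (.+)", line)
        if m:
            services[m.group(1)] = m.group(2).split()
    # 4. A password-authenticated SSH user needs an AAA local user that is
    #    allowed the ssh service, and the stelnet service type.
    for line in lines:
        m = re.fullmatch(r"ssh user (\S+) authentication-type password", line)
        if not m:
            continue
        user = m.group(1)
        if "ssh" not in services.get(user, []):
            findings.append(f"no-aaa-ssh-service:{user}")
        if f"ssh user {user} service-type stelnet" not in lines:
            findings.append(f"no-stelnet-service-type:{user}")
    # 5. Every VTY user interface must authenticate through AAA.
    for b in blocks:
        if b[0].startswith("user-interface vty") and "authentication-mode aaa" not in b[1:]:
            findings.append(f"vty-not-aaa:{b[0]}")
    return findings
```

Calling audit() on a configuration exported from a device returns the same labels, so the result can be compared against an empty list in a compliance job.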
Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support this function.
A company has multiple subsidiary companies. When the parent company communicates with
a subsidiary company through the core switch, the core switch processes the packets before
forwarding them. If multiple subsidiary companies communicate with the parent company
simultaneously, processing capabilities of the core switch deteriorate. As a result, the
communication efficiency is lowered and communication costs increase. Transparent
transmission of protocol packets in a VLAN can be configured on the core switch to solve this
problem.
As shown in Figure 5-36, after transparent transmission of protocol packets in a VLAN is
enabled, the Switch forwards data from the specified VLAN without sending the data to its
CPU. This improves the processing efficiency, reduces communication costs, and minimizes
the probability of malicious attacks on the Switch.
[Figure 5-36: the parent company connects to GE0/0/2 of the Switch; SwitchA (VLAN 10) connects to GE0/0/1 and SwitchB (VLAN 20) connects to GE0/0/3; label: Packets of VLAN 20]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs.
2. Enable transparent transmission of protocol packets in a VLAN.
3. Add Ethernet interfaces to VLANs.
Procedure
Step 1 Configure the Switch.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
Step 2 Configure SwitchA and SwitchB. Add upstream interfaces on SwitchA and SwitchB to
VLAN 10 and VLAN 20 in tagged mode, and add downstream interfaces to VLAN 10 and
VLAN 20 in default mode. The configuration details are not mentioned here.
# After the configuration is complete, run the display this command in the view of VLAN 20.
The command output shows that transparent transmission of protocol packets in a VLAN is
enabled.
[Switch] vlan 20
[Switch-vlan20] display this
#
vlan 20
protocol-transparent
#
return
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
vlan 20
protocol-transparent
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 10
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid tagged vlan 10 20
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid tagged vlan 20
#
return
Fault Symptom
When a user attempts to create a VLANIF interface, the system displays an error message. As
a result, the VLANIF interface fails to be created.
Procedure
Step 1 Check the error message during VLANIF interface creation.
Rectify the fault according to the error message. See Table 5-9.
Error message: Error: Can not create this interface because the interface number of this type
has reached its maximum.
Possible cause: The number of created VLANIF interfaces on the device has reached the limit.
Run the display interface brief command to check the number of VLANIF interfaces, and check
whether the number of VLANIF interfaces has reached the limit in Table 5-7.
Solution: Run the undo interface vlanif vlan-id command to delete unnecessary VLANIF
interfaces, and then create a specified VLANIF interface.
Step 2 If the fault persists, collect alarms and logs and contact technical support personnel.
----End
Fault Symptom
A VLANIF interface goes Down.
Common cause: The VLAN corresponding to the VLANIF interface is not created.
Solution: Run the vlan vlan-id command to create a VLAN corresponding to the VLANIF interface.
Common cause: The interface is not added to the VLAN.
NOTE
l The port trunk pvid vlan vlan-id command only configures the PVID on a trunk interface, but
does not add a trunk interface to a VLAN.
l The port hybrid pvid vlan vlan-id command only configures the PVID on a hybrid interface,
but does not add a hybrid interface to a VLAN.
Solution: Run the following commands as required.
l Run the port default vlan vlan-id [ step step-number [ increased | decreased ] ] command in
the interface view to add an access interface to a VLAN.
l Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all } command in
the interface view to add a trunk interface to a VLAN.
l You can add a hybrid interface to a VLAN in tagged or untagged mode. Run the port hybrid
tagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all } command to add a hybrid interface to
a VLAN in tagged mode, or run the port hybrid untagged vlan { { vlan-id1 [ to
vlan-id2 ] }&<1-10> | all } command to add a hybrid interface to a VLAN in untagged mode.
Common cause: The physical status of all interfaces added to the VLAN is Down.
Solution: Rectify this fault. A VLANIF interface goes Up as long as one interface in the VLAN
is Up.
Common cause: The VLANIF interface is shut down.
Solution: Run the undo shutdown command in the VLANIF interface view to start the VLANIF
interface.
Procedure
Step 1 Check whether the interfaces connected to user terminals are in Up state.
Run the display interface interface-type interface-number command in any view to check the
status of the interfaces.
Step 2 Check whether the IP addresses of user terminals are on the same network segment. If they
are on different network segments, change the IP addresses of the user terminals to be on the
same network segment. If the fault persists, go to Step 3.
Run the display mac-address command on the Switch to check whether MAC addresses,
interfaces, and VLANs in the learned MAC address entries are correct. If the learned MAC
address entries are incorrect, run the undo mac-address mac-address vlan vlan-id command
in the system view to delete MAC address entries so that the Switch can learn MAC address
entries again.
After the MAC address table is updated, check the MAC address entries again.
l If the MAC address entries are incorrect, go to Step 4.
l If the MAC address entries are correct, go to Step 5.
Check item: Whether the VLAN has been created
Method: Run the display vlan vlan-id command in any view to check whether the VLAN has been
created. If not, run the vlan command in the system view to create the VLAN.
Check item: Whether the interfaces are added to the VLAN
Method: Run the display vlan vlan-id command in any view to check whether the VLAN contains
the interfaces. If not, add the interfaces to the VLAN.
NOTE
If the interfaces are located on different switches, add the interfaces connecting the switches
to the VLAN.
The default type of an interface is Negotiation. You can run the port link-type command to
change the link type of an interface.
l Add an access interface to the VLAN by using either of the following methods. Run the port
default vlan command in the interface view, or run the port command in the VLAN view.
l Add a trunk interface to the VLAN. Run the port trunk allow-pass vlan command in the
interface view.
l Add a hybrid interface to the VLAN by using either of the following methods. Run the port
hybrid tagged vlan command in the interface view, or run the port hybrid untagged vlan
command in the interface view.
After the preceding operations, if the MAC address entries are correct, go to Step 5.
Run the interface interface-type interface-number command in the system view to enter the
interface view, and then run the display this command to check whether port isolation is
configured on the interface.
l If port isolation is not configured, go to Step 6.
l If port isolation is configured, run the undo port-isolate enable command on the
interface to disable port isolation. If the fault persists, go to Step 6.
Step 6 Check whether correct static Address Resolution Protocol (ARP) entries are configured on the
user terminals. If the static ARP entries are incorrect, modify them. Otherwise, go to Step 7.
Step 7 Collect logs and alarms and contact technical support personnel.
----End
Fault Symptom
As shown in Figure 5-37, the IP address of VLANIF 10 on Switch_2 cannot be pinged from
Switch_1. Similarly, the IP address of VLANIF 10 on Switch_1 cannot be pinged from
Switch_2.
Procedure
Step 1 Check whether the VLANIF interface is Up.
Run the display interface vlanif vlan-id command on Switch_1 and Switch_2 and check the
current state and Line protocol current state fields.
l If the value of any one of the two fields is DOWN, the VLANIF interface is Down.
Rectify this fault according to 5.10.2 A VLANIF Interface Goes Down.
l If the values of the two fields are UP, the VLANIF interface is Up. Go to Step 2.
Step 2 Check whether the connected Ethernet interfaces between switches join a VLAN.
Run the display vlan vlan-id command on Switch_1 and Switch_2 and check the Ports field.
Check whether the connected Ethernet interfaces exist in the VLAN.
l If the connected Ethernet interfaces do not exist in the VLAN, add the connected
Ethernet interfaces to the VLAN.
l If the connected Ethernet interfaces exist in the VLAN and at least one of them joins the
VLAN in untagged mode (UT displayed before the interface), change the untagged mode
to tagged mode.
l If the connected Ethernet interfaces exist in the VLAN but the interfaces go Down (D
displayed after the interface), rectify the fault according to An Ethernet Interface Is
Physically Down in "Ethernet Interface Configuration" in the S1720, S2700, S5700, and
S6720 V200R011C10 Configuration Guide - Interface Management.
l If none of the preceding configurations exists, go to Step 3.
Step 3 Check whether the PVID values on the connected Ethernet interface between switches are the
same.
Run the display port vlan interface-type interface-number command on Switch_1 and
Switch_2 to check the PVID values.
l If the PVID values are different, change them to be the same.
l If the PVID values are the same, go to Step 4.
Step 4 Collect logs and alarms and contact technical support personnel.
----End
l Create 10 noncontiguous VLANs in a batch: VLAN 10, VLANs 15 to 19, VLAN 25, and
VLANs 28 to 30.
<HUAWEI> system-view
[HUAWEI] vlan batch 10 15 to 19 25 28 to 30
NOTE
You can create a maximum of 10 noncontiguous VLANs or VLAN ranges at one time. If there are
more than 10 VLANs, run this command multiple times. For example, the vlan batch 10 15 to 19
25 28 to 30 command creates four noncontiguous VLAN ranges.
l Access interface
# Add GE0/0/1-GE0/0/5 to VLAN 10 in a batch.
– Add interfaces to a VLAN in a batch using a port group.
<HUAWEI> system-view
[HUAWEI] port-group pg1
[HUAWEI-port-group-pg1] group-member gigabitethernet0/0/1 to gigabitethernet0/0/5
[HUAWEI-port-group-pg1] port link-type access
[HUAWEI-port-group-pg1] port default vlan 10
l Hybrid interface
# Add GE0/0/1-GE0/0/5 to VLAN 10 and VLAN 20 in a batch.
<HUAWEI> system-view
[HUAWEI] port-group pg1
[HUAWEI-port-group-pg1] group-member gigabitethernet0/0/1 to gigabitethernet0/0/5
[HUAWEI-port-group-pg1] port link-type hybrid
[HUAWEI-port-group-pg1] port hybrid tagged vlan 10
[HUAWEI-port-group-pg1] port hybrid untagged vlan 20
The default VLAN configuration of an interface involves the default VLAN of the interface
and the VLAN that the interface joins. By default, the default VLAN configuration of an
interface is as follows:
l Access: The default VLAN is VLAN 1, and an access interface joins VLAN 1 in
untagged mode.
l Trunk: The default VLAN is VLAN 1, and a trunk interface joins VLAN 1 to VLAN
4094 in tagged mode. That is, a trunk interface allows all VLANs.
l Hybrid: The default VLAN is VLAN 1, and a hybrid interface joins VLAN 1 in
untagged mode.
l Dot1q-tunnel: The default VLAN is VLAN 1, and a dot1q-tunnel interface joins VLAN 1.
l Negotiation-auto or Negotiation-desirable: If the interface is negotiated as an access
interface, the default VLAN configuration of the interface is the same as that of the
access interface. If the interface is negotiated as a trunk interface, the default VLAN is
VLAN 1 and the interface joins VLANs 1 to 4094 in tagged mode. That is, the interface
allows all VLANs.
Run the display this include-default | include link-type command in the interface view to
check the link type of the interface, and then perform one of the following configurations to
restore the default configuration of the interface.
l Restore the default VLAN configuration of an access or dot1q-tunnel interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo port default vlan
l In earlier versions of V200R005, an interface joins VLAN 1 by default, and the PVID of
an interface is VLAN 1. You can run the port link-type { access | trunk | hybrid |
dot1q-tunnel } command to change the link type of the interface.
– Change the link type of the interface to access.
<HUAWEI> system-view
[HUAWEI] interface GigabitEthernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type access
When you change the link type of an interface that does not use the default VLAN
configuration, the system displays the message "Error: Please renew the default
configurations."
You need to restore the default configuration of the interface, and then change the link
type of the interface.
– Restore the default VLAN configuration of an access or dot1q-tunnel interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo port default vlan
Run the display port vlan command to check the link types and default VLANs of all
interfaces. Example:
l V200R005 and later versions
<HUAWEI> display port vlan
Port                    Link Type    PVID  Trunk VLAN List
-------------------------------------------------------------------------------
Eth-Trunk2              auto         1     1-4094
Eth-Trunk3              hybrid       1     -
Eth-Trunk5              auto         1     1-4094
Ethernet0/0/1           auto         1     1-4094
Ethernet0/0/2           auto         1     1-4094
The Link Type field indicates the link type of an interface, the PVID field indicates the
default VLAN, and the Trunk VLAN List field indicates the list of VLANs allowed by a
trunk interface. If the interface does not join any VLAN, the Trunk VLAN List field is
displayed as -. If the link type of an interface is negotiation-desirable or negotiation-auto,
the Trunk VLAN List field is displayed as 1 to 4094.
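The fields described above can be parsed to find interfaces that still permit every VLAN and to compare the PVIDs on both ends of a link, which is the check in Step 3 of the VLANIF ping troubleshooting procedure. This Python sketch is an added example, not Huawei code: both outputs, the switch names in the prompts and the link list are constructed, and the column layout is assumed to match the sample above.

```python
# Constructed outputs in the column layout of the sample above.
SWITCH_1 = """\
<Switch_1> display port vlan
Port                    Link Type    PVID  Trunk VLAN List
-------------------------------------------------------------------------------
Eth-Trunk3              hybrid       1     -
GigabitEthernet0/0/1    trunk        10    10 20
GigabitEthernet0/0/2    auto         1     1-4094
"""
SWITCH_2 = """\
<Switch_2> display port vlan
Port                    Link Type    PVID  Trunk VLAN List
-------------------------------------------------------------------------------
GigabitEthernet0/0/1    trunk        1     10 20
GigabitEthernet0/0/2    access       20    -
"""
# Constructed cabling: (port on Switch_1, port on Switch_2).
LINKS = [("GigabitEthernet0/0/1", "GigabitEthernet0/0/1")]
ALL_VLANS = set(range(1, 4095))


def parse_port_vlan(output):
    """Parse 'display port vlan' output into {port: (link_type, pvid, vlan_set)}."""
    ports = {}
    for line in output.splitlines():
        fields = line.split(None, 3)
        # Data rows carry a port name, a link type and a numeric PVID; the
        # prompt, header and separator lines fail this test and are skipped.
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        vlans = set()
        for token in (fields[3].split() if len(fields) > 3 else []):
            if token == "-":          # the interface has joined no VLAN
                continue
            low, _, high = token.partition("-")
            vlans.update(range(int(low), int(high or low) + 1))
        ports[fields[0]] = (fields[1], int(fields[2]), vlans)
    return ports


def all_vlan_ports(ports):
    """Ports whose allowed list is still the default 1 to 4094."""
    return sorted(p for p, (_, _, vlans) in ports.items() if vlans == ALL_VLANS)


def pvid_mismatches(ports_a, ports_b, links):
    """Links whose two ends use different PVIDs."""
    result = []
    for port_a, port_b in links:
        pvid_a, pvid_b = ports_a[port_a][1], ports_b[port_b][1]
        if pvid_a != pvid_b:
            result.append((port_a, pvid_a, port_b, pvid_b))
    return result
```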
<HUAWEI> system-view
[HUAWEI] undo vlan 10
NOTE
In the earlier versions of V200R005, before deleting a VLAN where a VLANIF interface has been
configured, run the undo interface vlanif command to delete the VLANIF interface.
Hosts on multiple network segments in the same VLAN can communicate after the primary
and secondary IP addresses for a VLANIF interface are configured.
As shown in Figure 5-38, Host_1 and Host_2 in VLAN 10 belong to 10.1.1.1/24 and
10.1.2.1/24 respectively. The two hosts need to communicate.
Figure 5-38 Communication for hosts on multiple network segments in the same VLAN
[Figure 5-38: Switch with VLANIF 10 (primary IP 10.1.1.1/24, secondary IP 10.1.2.1/24); Host_1 (10.1.1.2/24) on GE0/0/1 and Host_2 (10.1.2.2/24) on GE0/0/2, both in VLAN 10]
After the preceding configurations are performed, Host_1 and Host_2 can communicate.
Run the display interface vlanif vlan-id command to check the current state and Line protocol
current state fields.
<HUAWEI> display interface vlanif 2
Vlanif2 current state : UP
Line protocol current state : UP
Last line protocol up time : 2014-12-26 11:09:08 UTC-08:00
Description:
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.1.1.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 4c1f-cc41-3a64
Current system time: 2014-12-26 11:09:12-08:00
Input bandwidth utilization : --
Output bandwidth utilization : --
If the value of any one of the two fields is DOWN, the VLANIF interface is Down.
Rectify this fault according to Table 5-11.
Table 5-11 Common causes and solutions to the VLANIF interface Down event
Common Cause: The VLAN corresponding to the VLANIF interface is not created.
Solution: Run the vlan vlan-id command to create a VLAN corresponding to the VLANIF interface.
Common Cause: The interface is not added to the VLAN.
NOTE
l The port trunk pvid vlan vlan-id command only configures the PVID on a trunk interface, but
does not add a trunk interface to a VLAN.
l The port hybrid pvid vlan vlan-id command only configures the PVID on a hybrid interface,
but does not add a hybrid interface to a VLAN.
Solution: Run the following commands as required.
l Run the port default vlan vlan-id command in the interface view to add an access interface
to a VLAN.
l Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all } command in
the interface view to add a trunk interface to a VLAN.
l You can add a hybrid interface to a VLAN in tagged or untagged mode. Run the port hybrid
tagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all } command to add a hybrid interface to
a VLAN in tagged mode, or run the port hybrid untagged vlan { { vlan-id1 [ to
vlan-id2 ] }&<1-10> | all } command to add a hybrid interface to a VLAN in untagged mode.
Common Cause: The physical status of all interfaces added to the VLAN is Down.
Solution: Rectify this fault. A VLANIF interface goes Up as long as one interface in the VLAN
is Up.
Common Cause: The VLANIF interface is shut down. That is, the value of current state is
Administratively DOWN.
Solution: Run the undo shutdown command in the VLANIF interface view to start the VLANIF
interface.
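[Figure: PC1 (IP: 10.1.1.2, gateway: 10.1.1.1) in VLAN 2 attaches to Switch_1 (VLANIF 2, IP address 10.1.1.1; VLANIF 4, IP address 10.1.4.1). PC2 (IP: 10.1.2.2, gateway: 10.1.2.1) in VLAN 3 attaches to Switch_2 (VLANIF 3, IP address 10.1.2.1; VLANIF 4, IP address 10.1.4.2). Switch_1 and Switch_2 are connected through VLAN 4.]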
If routing entries do not exist, run the ip route-static command to configure a static
route.
– Switch1: ip route-static 10.1.2.0 255.255.255.0 10.1.4.2
– Switch2: ip route-static 10.1.1.0 255.255.255.0 10.1.4.1
As shown in Figure 5-40, the switch has been configured to transparently transmit Layer 2
packets. Do VLANs need to be assigned?
l If Switch1 and Switch2 where VLANs are not assigned use default VLAN configuration,
VLANs do not need to be assigned on the switch.
l If VLANs are assigned on Switch1 and Switch2, VLANs need to be assigned on the
switch.
For example, GE0/0/1 interfaces connecting Switch1 and Switch2 to the switch
transparently transmit packets from VLAN 10 and VLAN 20, so GE0/0/2 and GE0/0/3
on the switch need to be configured to transparently transmit packets from VLAN 10 and
VLAN 20. Perform the following configurations.
[HUAWEI] vlan batch 10 20
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] port link-type trunk
[HUAWEI-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 20
[HUAWEI-GigabitEthernet0/0/2] quit
[HUAWEI] interface gigabitethernet 0/0/3
[HUAWEI-GigabitEthernet0/0/3] port link-type trunk
[HUAWEI-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 20
Context
When the VLANIF interface is enabled with traffic statistics, the switch counts Layer 3 traffic
in the VLAN corresponding to the VLANIF interface. That is, statistics on all traffic passing
the VLANIF interface are collected.
This chapter describes how to configure VLAN aggregation. VLAN aggregation allows for
communication between hosts on the same network segment that are in different VLANs. A
network can conserve IP addresses with VLAN aggregation technology.
Definition
VLAN aggregation, also called super-VLAN, partitions a broadcast domain into multiple
VLANs (sub-VLANs) on a physical network and aggregates the sub-VLANs into a single
logical VLAN (super-VLAN). The sub-VLANs use the same IP subnet and default gateway
address, so the number of IP addresses used is reduced.
Purpose
VLAN technology is commonly used on packet switching networks because it can flexibly
control broadcast domains and is easy to deploy. Usually, a Layer 3 switch uses a Layer 3
logical interface in each VLAN to allow hosts in different broadcast domains to communicate.
This wastes IP addresses. On a subnet corresponding to a VLAN, the subnet ID, directed
broadcast address, and subnet default gateway address all cannot be used as IP addresses of
hosts in the VLAN. In addition, IP addresses available in a subnet may exceed the number of
hosts. These excess IP addresses cannot be used by other VLANs.
In Figure 6-1, VLAN 2 requires 10 host addresses. The subnet 10.1.1.0/28 with a 28-bit mask
is assigned to VLAN 2, where 10.1.1.0 is the subnet ID, 10.1.1.15 is the directed broadcast
address, and 10.1.1.1 is the default gateway address. Hosts cannot use these three addresses,
but the other 13 addresses ranging from 10.1.1.2 to 10.1.1.14 are available to them.
At least three IP addresses are wasted for VLAN 2, and at least nine IP addresses are wasted
for three VLANs. Although VLAN 2 requires only 10 IP addresses, the remaining 3 IP
addresses cannot be used by other VLANs and are wasted. If more VLANs are added, the
problem is exacerbated.
[Figure 6-1 (partial): VLANIF 3: 10.1.1.17]
VLAN aggregation is used to solve the preceding problem. VLAN aggregation maps each
sub-VLAN to a broadcast domain, associates a super-VLAN with multiple sub-VLANs, and
then assigns just one IP subnet to the super-VLAN. This ensures that all sub-VLANs use the
IP address of the associated super-VLAN as the gateway IP address to implement Layer 3
connectivity.
Sub-VLANs share one gateway address to reduce the number of subnet IDs, subnet default
gateway addresses, and directed broadcast IP addresses used. The switch assigns IP
addresses to hosts in sub-VLANs according to the number of hosts. This ensures that each
sub-VLAN acts as an independent broadcast domain, conserves IP addresses, and implements
flexible addressing.
Implementation
VLAN aggregation defines the super-VLAN and sub-VLAN. A sub-VLAN is an independent
broadcast domain that contains only physical interfaces. A super-VLAN contains no physical
interface and is used for creating a Layer 3 VLANIF interface. By mapping a super-VLAN to
sub-VLANs, VLAN aggregation associates the Layer 3 VLANIF interface with physical
interfaces so that all sub-VLANs share one gateway to communicate with an external
network. In addition, proxy ARP can be used to implement Layer 3 connectivity between sub-
VLANs. The super-VLAN and sub-VLAN are different from common VLANs that contain a
Layer 3 logical interface and multiple physical interfaces.
l Sub-VLAN: contains only physical interfaces, and is used to isolate broadcast domains.
A sub-VLAN cannot be used to create a Layer 3 VLANIF interface. Hosts in each sub-
VLAN use the VLANIF interface of the associated super-VLAN to communicate with
external devices over Layer 3.
l Super-VLAN: is only used for creating a Layer 3 VLANIF interface and contains no
physical interfaces. Its IP address is used as the subnet gateway. A VLANIF interface in
a super-VLAN is Up as long as a physical interface in any associated sub-VLAN is Up.
This is unlike a VLANIF interface, which is Up as long as a physical interface is Up.
A super-VLAN can contain one or more sub-VLANs. A sub-VLAN does not occupy an
independent subnet. In a super-VLAN, the IP address of a host is on the same subnet as
the super-VLAN regardless of which sub-VLAN the host belongs to. Therefore, sub-VLANs
share the same gateway.
Sub-VLANs share one gateway address to reduce the number of subnet IDs, subnet default
gateway addresses, and directed broadcast IP addresses used. This allows different broadcast
domains to use the same subnet address, allows for flexible addressing, and conserves IP
addresses.
6.1 Overview of VLAN Aggregation shows an example network topology. VLAN 10 is
configured as the super-VLAN and assigned the subnet address 10.1.1.0/24. VLAN 2, VLAN
3, and VLAN 4 are configured as sub-VLANs of super-VLAN 10.
NOTE
For details about proxy ARP, see Proxy ARP in "ARP Configuration" in the S1720, S2700, S5700, and
S6720 V200R011C10 Configuration Guide - IP Services.
Figure 6-2 shows an example of using proxy ARP to implement Layer 3 communication
between sub-VLANs. To allow Host_1 in sub-VLAN 2 to communicate with Host_2 in sub-
VLAN 3, enable proxy ARP on the VLANIF interface of super-VLAN 10.
Figure 6-3 Using proxy ARP to implement Layer 3 communication between sub-VLANs
[Figure 6-3: Layer 3 switch with proxy ARP enabled; VLANIF 10 (10.1.1.1/24) belongs to super-VLAN 10]
1. Host_1 compares the IP address of Host_2 in sub-VLAN 3 with its IP address, and finds
that both IP addresses are on the same network segment 10.1.1.0/24. However, the ARP
table of Host_1 has no entry for Host_2 in sub-VLAN 3.
2. Host_1 broadcasts an ARP Request packet with the destination IP address of 10.1.1.12 to
request the MAC address of Host_2.
3. The Layer 3 switch (gateway) is enabled with proxy ARP between sub-VLANs. After
receiving the ARP Request packet from Host_1 in sub-VLAN 2, the Layer 3 switch
searches its routing table for the destination IP address in the ARP Request packet. The
Layer 3 switch finds a matched route in its routing table where the next-hop address is
the directly connected network segment (10.1.1.0/24 of VLANIF 10). The Layer 3
switch then broadcasts an ARP Request packet to all sub-VLANs in super-VLAN 10,
requesting the MAC address of Host_2.
4. After receiving the ARP Request packet, Host_2 sends an ARP Reply packet.
5. After receiving the ARP Reply packet, the Layer 3 switch encapsulates the ARP Reply
packet with its MAC address and sends it to Host_1.
6. Subsequent packets sent by Host_1 to Host_2 are first sent to the gateway. The gateway
then forwards the packets across Layer 3.
The packets sent by Host_2 to Host_1 in sub-VLAN 2 are processed in the same way as the
packets sent by Host_1 to Host_2.
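The six steps above can be modelled to show what Host_1 ends up with in its ARP table and which path its traffic takes, with and without proxy ARP on the super-VLAN's VLANIF interface. This Python model is an added example, not part of the original guide: the class and function names are hypothetical and the MAC addresses are constructed, while the IP addresses and VLAN IDs are those of the example.

```python
import ipaddress
from dataclasses import dataclass, field

GATEWAY_MAC = "00e0-fc00-0001"  # constructed MAC of VLANIF 10


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    sub_vlan: int
    arp_cache: dict = field(default_factory=dict)


class SuperVlanGateway:
    """Layer 3 switch holding the VLANIF interface of one super-VLAN."""

    def __init__(self, vlanif_ip, prefix_len, mac, proxy_arp, name="VLANIF 10"):
        self.vlanif_ip, self.mac, self.name = vlanif_ip, mac, name
        self.segment = ipaddress.ip_network(f"{vlanif_ip}/{prefix_len}", strict=False)
        self.proxy_arp = proxy_arp
        self.hosts = []      # hosts attached to sub-VLAN interfaces
        self.arp_table = {}  # ip -> (mac, sub_vlan) learned by the gateway

    def arp_request(self, sender, target_ip):
        """Handle an ARP Request broadcast by sender; return the MAC it learns or None."""
        # A sub-VLAN is its own broadcast domain: only hosts in the sender's
        # sub-VLAN hear the request directly.
        for host in self.hosts:
            if host is not sender and host.sub_vlan == sender.sub_vlan and host.ip == target_ip:
                sender.arp_cache[target_ip] = host.mac
                return host.mac
        learned = None
        if target_ip == self.vlanif_ip:
            learned = self.mac  # the gateway answers for its own address
        elif self.proxy_arp and ipaddress.ip_address(target_ip) in self.segment:
            # Step 3: the route lookup hits the directly connected segment, so
            # the gateway re-broadcasts the request into every sub-VLAN.
            owner = next((h for h in self.hosts if h.ip == target_ip), None)
            if owner is not None:
                # Step 4: the owner replies; the gateway records where it lives.
                self.arp_table[target_ip] = (owner.mac, owner.sub_vlan)
                # Step 5: the reply relayed to the sender carries the gateway MAC.
                learned = self.mac
        if learned is not None:
            sender.arp_cache[target_ip] = learned
        return learned

    def send(self, sender, dst_ip):
        """Return the hops an IP packet from sender to dst_ip takes ([] if undeliverable)."""
        mac = sender.arp_cache.get(dst_ip) or self.arp_request(sender, dst_ip)
        if mac is None:
            return []
        if dst_ip == self.vlanif_ip:
            return [sender.name, self.name]
        if mac == self.mac:
            # Step 6: the frame goes to the gateway, which forwards it at Layer 3.
            owner_mac, _ = self.arp_table[dst_ip]
            owner = next(h for h in self.hosts if h.mac == owner_mac)
            return [sender.name, self.name, owner.name]
        return [sender.name, next(h.name for h in self.hosts if h.mac == mac)]


def scenario(proxy_arp):
    """Host_1 (sub-VLAN 2) sends to Host_2 (sub-VLAN 3); return (learned MAC, path)."""
    gateway = SuperVlanGateway("10.1.1.1", 24, GATEWAY_MAC, proxy_arp)
    host_1 = Host("Host_1", "10.1.1.2", "00e0-fc00-0002", sub_vlan=2)
    host_2 = Host("Host_2", "10.1.1.12", "00e0-fc00-0012", sub_vlan=3)
    gateway.hosts += [host_1, host_2]
    path = gateway.send(host_1, host_2.ip)
    return host_1.arp_cache.get(host_2.ip), path
```

With proxy ARP enabled, Host_1 maps 10.1.1.12 to the gateway MAC rather than to Host_2's own MAC, so all traffic between the sub-VLANs passes through the VLANIF interface.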
Figure 6-4 Layer 3 communication between hosts in sub-VLANs and on an external network
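[Figure 6-4: Host_1 (sub-VLAN 2, 10.1.1.2/24) and Host_2 (sub-VLAN 3, 10.1.1.12/24) attach to Switch_1 (super-VLAN 4, VLANIF 4: 10.1.1.1/24; VLANIF 10: 10.1.10.1/24). Switch_1 connects to Switch_2 (VLANIF 10: 10.1.10.2/24; VLANIF 20: 10.1.2.1/24), which connects to the server (10.1.2.2/24).]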
When Host_1 in sub-VLAN 2 wants to communicate with the server connected to Switch_2,
the packet forwarding process is as follows (assume that a route to 10.1.2.0/24 has been
configured on Switch_1, a route to 10.1.1.0/24 has been configured on Switch_2, and no
Layer 3 forwarding entry exists on either switch):
1. Host_1 compares the server's IP address (10.1.2.2) with its network segment 10.1.1.0/24
and finds that they are on different network segments. Host_1 then sends an ARP
Request packet to its gateway to request the gateway's MAC address. The ARP Request
packet carries an all-F destination MAC address and destination IP address 10.1.1.1.
2. After receiving the ARP Request packet, Switch_1 searches its ARP table for a mapping
between the super-VLAN and sub-VLANs. Switch_1 then sends an ARP Reply packet
with the MAC address of VLANIF 4 (corresponding to super-VLAN 4) from an
interface of sub-VLAN 2 to Host_1.
3. After learning the gateway's MAC address, Host_1 sends a packet with the MAC address
of VLANIF 4 (corresponding to super-VLAN 4) as the destination MAC address and a
destination IP address of 10.1.2.2.
4. After receiving the packet from Host_1, Switch_1 determines that the packet should be
forwarded at Layer 3 according to the mapping between the super-VLAN and sub-
VLANs and the destination MAC address. Switch_1 searches its Layer 3 forwarding
table for a matching entry, but no entry is found. Switch_1 sends the packet to the CPU,
and the CPU searches its routing table and obtains the next-hop address of 10.1.10.2 and
the outbound interface of VLANIF 10. Switch_1 determines the outbound interface
according to the ARP entry and MAC address entry, and sends the packet to Switch_2.
5. Switch_2 sends the packet to the server through Layer 3 forwarding.
After receiving the packet from Host_1, the server sends a response packet with the
destination IP address of 10.1.1.2 and the MAC address of VLANIF 20 on Switch_2 as the
destination MAC address. Then the following process occurs:
1. The response packet reaches Switch_1 through Layer 3 forwarding. When the response
packet reaches Switch_1, the destination MAC address is changed to the MAC address
of VLANIF 10 on Switch_1.
2. After receiving the packet, Switch_1 determines that the packet should be forwarded at
Layer 3 according to the destination MAC address. Switch_1 searches its Layer 3
forwarding table for a matching entry, but no entry is found. Switch_1 sends the packet
to the CPU, and the CPU searches its routing table and obtains the next-hop address of
10.1.1.2 and the outbound interface of VLANIF 4. Switch_1 searches the mapping
between the super-VLAN and sub-VLANs and determines that the packet should be sent
to Host_1 from an interface in sub-VLAN 2 according to the ARP entry and MAC
address entry.
3. The response packet reaches Host_1.
Figure 6-5 Layer 2 communication between hosts in sub-VLANs and on an external network
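[Figure 6-5: Host_1 (sub-VLAN 2, 10.1.1.2/24) attaches to IF_1 and Host_2 (sub-VLAN 3, 10.1.1.12/24) attaches to IF_2 of Switch_1 (super-VLAN 4, VLANIF 4: 10.1.1.1/24). IF_3 of Switch_1 connects over a trunk (allowed VLAN = 2, 3) to IF_1 of Switch_2, which connects to the Internet.]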
A tag with VLAN 2 is added to packets sent from Host_1 to Switch_1. Although sub-VLAN
2 belongs to super-VLAN 4, Switch_1 does not change the tag with VLAN 2 to a tag with
VLAN 4 in packets. Therefore, packets sent from IF_3 of Switch_1 still carry VLAN 2.
Switch_1 does not send packets from VLAN 4. When another device sends packets from
VLAN 4 to Switch_1, Switch_1 discards the packets because there is no physical interface
corresponding to super-VLAN 4 on Switch_1. IF_3 on Switch_1 does not allow packets from
super-VLAN 4. For other devices, only sub-VLAN 2 and sub-VLAN 3 are valid.
The communication between Switch_1 configured with VLAN aggregation and other devices
is similar to normal Layer 2 communication without super-VLAN.
VLAN aggregation can be deployed to meet the preceding requirements. Deploy super-
VLAN 2 and super-VLAN 3 on the switch, and add sub-VLAN 21 and sub-VLAN 22 to
super-VLAN 2 and sub-VLAN 31 and sub-VLAN 32 to super-VLAN 3. After IP addresses
are assigned to super-VLAN 2 and super-VLAN 3 on the switch, users in department 1 and
department 2 can access the Internet using the IP address of super-VLAN 2, and users in
department 3 and department 4 can access the Internet using the IP address of super-VLAN 3.
Therefore, VLAN aggregation allows all departments to access the Internet and
conserves IP addresses.
Licensing Requirements
VLAN aggregation, also called super-VLAN, is a basic feature of a switch and is not under
license control.
Version Requirements
S5730SI V200R011C10
S5730S-EI V200R011C10
NOTE
For details about software mappings, see the Hardware Query Tool.
Feature Limitations
l VLAN 1 cannot be configured as a super-VLAN.
l A physical interface cannot be added to a VLAN configured as a super-VLAN.
l A VLAN that has been configured as a guest VLAN cannot be configured as a super-
VLAN.
l A traffic policy takes effect in a super-VLAN only after the traffic policy is configured in
all sub-VLANs of the super-VLAN.
l When the dot1q termination vid or qinq termination pe-vid ce-vid command is used
to configure a VLAN for the VLAN termination sub-interface, the VLAN cannot be
configured as a super-VLAN or sub-VLAN.
l An IP address must have been assigned to the VLANIF interface corresponding to the
super-VLAN. Otherwise, proxy ARP cannot take effect.
Context
In VLAN aggregation, physical interfaces can be added to a sub-VLAN but a VLANIF
interface cannot be created for the sub-VLAN. All the interfaces in a sub-VLAN use the same
IP address of the VLANIF interface associated with the super-VLAN. VLAN aggregation
reduces subnet IDs, subnet default gateway addresses, and directed broadcast IP addresses,
and allows the switch to assign IP addresses to hosts in sub-VLANs according to the number
of hosts.
Procedure
Step 1 Run system-view
NOTE
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
The vlan configuration command completes the VLAN configuration when the VLAN is not created.
----End
Context
A super-VLAN consists of several sub-VLANs. No physical interface can be added to a
super-VLAN, but a VLANIF interface can be configured for the super-VLAN and an IP
address can be assigned to the VLANIF interface.
Procedure
Step 1 Run system-view
A super-VLAN is created.
Before adding any sub-VLANs to a super-VLAN, ensure that they are not configured with
VLANIF interfaces.
----End
Context
The IP address of the VLANIF interface associated with a super-VLAN must contain the
subnets that users in sub-VLANs belong to. All the sub-VLANs will use that IP address to
conserve IP addresses.
Procedure
Step 1 Run system-view
A VLANIF interface is created for a super-VLAN, and the view of the VLANIF interface is
displayed.
----End
Context
VLAN aggregation allows sub-VLANs to use the same subnet address, but prevents PCs in
different sub-VLANs from communicating with each other over Layer 3.
PCs in common VLANs can communicate with each other over Layer 3 using different
gateway addresses. VLAN aggregation enables PCs in a super-VLAN to use the same subnet
address and gateway address. Because PCs in different sub-VLANs belong to one subnet,
they can only communicate with PCs in their sub-VLAN. PCs in different sub-VLANs cannot
communicate with each other.
Proxy ARP is required to enable PCs in a sub-VLAN to communicate with PCs in another
sub-VLAN or PCs on other networks. After a super-VLAN and its VLANIF interface are
created, proxy ARP must be enabled to allow the super-VLAN to forward or process ARP
Request and Reply packets.
NOTE
After proxy ARP is enabled on the VLANIF interface corresponding to a super-VLAN, PCs in all sub-
VLANs of the super-VLAN can communicate. If PCs in some sub-VLANs of the super-VLAN need to
communicate, see 6.8.1 How Do I Implement Communication Between Specific Sub-VLANs in a
Super-VLAN.
VLAN aggregation simplifies configurations for networks where many VLANs are
configured and PCs in different VLANs need to communicate with each other.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface vlanif vlan-id
The view of the VLANIF interface corresponding to the super-VLAN is displayed.
Step 3 Run arp-proxy inter-sub-vlan-proxy enable
Proxy ARP is enabled between sub-VLANs.
----End
l Run the display sub-vlan [ vlan-id ] command to check the sub-VLAN configuration.
l Run the display super-vlan [ vlan-id ] command to check the super-VLAN
configuration.
----End
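[Figure: the Router connects to the Internet and to SwitchB; the link between SwitchB and the Router is in VLAN 10. SwitchB hosts super-VLAN 4, and its GE0/0/5 connects to GE0/0/5 of SwitchA. On SwitchA, GE0/0/1 and GE0/0/2 are in VLAN 2, and GE0/0/3 and GE0/0/4 are in VLAN 3.]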
Configuration Roadmap
Configure VLAN aggregation on SwitchB to add VLANs of different departments to a super-
VLAN so that PCs in different departments can access the Internet using the super-VLAN.
Deploy proxy ARP in the super-VLAN so that PCs in different departments can communicate
with each other. The configuration roadmap is as follows:
1. Configure VLANs and interfaces on SwitchA and SwitchB, add PCs from different
departments to different VLANs, and configure interfaces to transparently transmit
packets from VLANs to SwitchB.
2. Configure a super-VLAN, a VLANIF interface, and a static route on SwitchB so that
PCs in different departments can access the Internet.
Procedure
Step 1 Configure VLANs and interfaces on SwitchA and SwitchB, add PCs from different
departments to different VLANs, and configure interfaces to transparently transmit packets
from VLANs to SwitchB.
1. Configure SwitchA.
# Configure GE0/0/1 as an access interface. The configurations of GE0/0/2, GE0/0/3,
and GE0/0/4 are similar to the configuration of GE0/0/1, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 2
[SwitchA-GigabitEthernet0/0/1] quit
2. Configure SwitchB.
# Create VLAN 2, VLAN 3, VLAN 4, and VLAN 10 and configure the interface of
SwitchB connected to SwitchA to transparently transmit packets from VLAN 2 and
VLAN 3 to SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 2 3 4 10
[SwitchB] interface gigabitethernet 0/0/5
[SwitchB-GigabitEthernet0/0/5] port link-type trunk
[SwitchB-GigabitEthernet0/0/5] port trunk allow-pass vlan 2 3
[SwitchB-GigabitEthernet0/0/5] quit
# Create and configure VLANIF 4 so that PCs in different departments can access the Internet
using super-VLAN 4.
[SwitchB] interface vlanif 4
[SwitchB-Vlanif4] ip address 10.1.1.1 255.255.255.0
[SwitchB-Vlanif4] quit
# Create and configure VLANIF 10 and specify the IP address of VLANIF 10 as the IP
address for connecting SwitchB and the router (egress gateway).
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.10.1.1 255.255.255.0
[SwitchB-Vlanif10] quit
# Configure a static route to the router on SwitchB so that PCs can access the Internet.
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2
NOTE
Configure the router interface connected to SwitchB and assign the IP address of 10.10.1.2 to the router
interface. See the router configuration manual.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 3
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 3
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
When VLAN aggregation is configured, hosts in a super-VLAN use IP addresses on the same
network segment and share the same gateway address. Hosts in different sub-VLANs belong
to the same subnet, so the switch forwards packets between the hosts by searching for ARP
entries but not through the gateway. Proxy ARP allows the switch to establish ARP entries for
all sub-VLANs for interworking.
For example, if host A with the gateway MAC address of 00-aa-00-62-c6-09 wants to access
host B with the IP address of 10.10.10.2/24, perform the following operations:
1. Choose Start > Run, enter cmd, and press Enter.
This chapter describes how to configure the Multiplex VLAN (MUX VLAN). The MUX
VLAN allows communication between some users, and prohibits communication between
other users.
7.1 Overview of MUX VLANs
7.2 Licensing Requirements and Limitations for MUX VLANs
7.3 Default Settings for MUX VLANs
7.4 Configuring MUX VLANs
7.5 Configuration Examples for MUX VLANs
Basic Concepts
A MUX VLAN consists of principal VLANs and subordinate VLANs; subordinate VLANs
are classified into separate VLANs and group VLANs. See Table 7-1 for a description of
these roles.
On an aggregation device, you can create a VLANIF interface for the principal VLAN. The IP
address of the VLANIF interface can be used as the gateway address for servers or user hosts.
As shown in Figure 7-2, MUX VLAN is configured on the aggregation device Switch1 to
implement user isolation or interworking.
[Figure 7-2: Switch1 is the aggregation device between the Internet and Switch2; the Server is in VLAN 2 (principal VLAN).]
Licensing Requirements
MUX VLAN configuration commands are available only after the S1720GW, S1720GWR,
and S1720X have the license (WEB management to full management Electronic RTU
License) loaded and activated and the switches are restarted. MUX VLAN configuration
commands on other models are not under license control.
For details about how to apply for a license, see S Series Switch License Use Guide.
Version Requirements
S5710-C-LI V200R001C00
S5730SI V200R011C10
S5730S-EI V200R011C10
NOTE
For details about software mappings, see the Hardware Query Tool.
Feature Limitations
l Table 7-3 describes the specifications of the MUX VLAN.
l The VLAN ID assigned to a principal VLAN cannot be used to configure the super-
VLAN or sub-VLAN. Additionally, it is not recommended that this VLAN ID be used to
configure VLAN mapping and VLAN stacking.
l The VLAN ID assigned to a group or separate VLAN cannot be used to configure a
VLANIF interface, super-VLAN, or sub-VLAN. Additionally, it is not recommended
that this VLAN ID be used to configure VLAN mapping and VLAN stacking.
l Disabling MAC address learning or limiting the number of learned MAC addresses on a
port will compromise the performance of the MUX VLAN feature.
l MUX VLAN and port security cannot be configured on the same port.
l MUX VLAN and MAC address authentication cannot be configured on the same port.
l MUX VLAN and 802.1x authentication cannot be configured on the same port.
l When both DHCP snooping and MUX VLAN are configured, if DHCP snooping is
configured in the subordinate VLAN and DHCP clients are configured in the principal
VLAN, the DHCP clients may fail to obtain IP addresses. In this case, configure the
DHCP server in the principal VLAN.
l After the MUX VLAN feature is enabled on a port, VLAN mapping or VLAN stacking
cannot be configured on the port.
l You cannot create a VLANIF interface for a subordinate group VLAN or separate
VLAN. However, you can create a VLANIF interface for a principal VLAN on the
device excluding the S1720GFR, S2750EI, S5700LI, S5700S-28P-LI-AC, S5700S-28P-
PWR-LI-AC, and S5700S-52P-LI-AC.
l When MUX VLAN is enabled on an interface and a PVID is configured using the port
trunk pvid vlan command, do not configure the PVID as the ID of the principal VLAN
or subordinate VLAN of the MUX VLAN. For example, VLAN 10 is the principal
VLAN, VLAN 11 is a subordinate group VLAN, and VLAN 12 is a subordinate separate
VLAN. After the port mux-vlan enable 10 command is used on the interface to enable
MUX VLAN, do not run the port trunk pvid vlan command to set the PVID to VLAN
11 or VLAN 12.
Context
Interfaces in a principal VLAN can communicate with other interfaces in the same MUX
VLAN.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan vlan-id
A VLAN is created and the VLAN view is displayed. If the VLAN already exists, the VLAN
view is displayed.
The VLAN ID ranges from 1 to 4094. To create VLANs in a batch, run the vlan batch { vlan-
id1 [ to vlan-id2 ] } &<1-10> command. Then run the vlan vlan-id command to enter the
view of a specified VLAN.
NOTE
If a device is configured with multiple VLANs, configure names for the VLANs to facilitate VLAN
management.
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
The VLAN ID assigned to a principal VLAN cannot be used to configure the super-VLAN or
sub-VLAN. Additionally, it is not recommended that this VLAN ID be used to configure
VLAN mapping and VLAN stacking.
----End
Context
A VLAN associated with a group interface is called a group VLAN. Group interfaces in a
group VLAN can communicate with each other.
Procedure
Step 1 Run system-view
The VLAN ID assigned to a group VLAN cannot be used to configure a VLANIF interface,
super-VLAN, or sub-VLAN. Additionally, it is not recommended that this VLAN ID be used
to configure VLAN mapping and VLAN stacking.
----End
Context
A VLAN associated with separate interfaces is called a separate VLAN. Interfaces in a
separate VLAN cannot communicate with each other.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan vlan-id
The view of a created principal VLAN is displayed.
Step 3 Run subordinate separate vlan-id
A separate VLAN is configured for a subordinate VLAN.
Only one separate VLAN can be configured for a principal VLAN.
Group and separate VLANs in one MUX VLAN must use different VLAN IDs.
The VLAN ID assigned to a separate VLAN cannot be used to configure a VLANIF interface,
super-VLAN, or sub-VLAN. Additionally, it is not recommended that this VLAN ID be used
to configure VLAN mapping and VLAN stacking.
----End
Context
You must enable the MUX VLAN function to implement the following functions:
l The principal VLAN and subordinate VLAN can communicate with each other.
l Interfaces in a group VLAN can communicate with each other.
l Interfaces in a separate VLAN cannot communicate with each other.
Pre-configuration Tasks
Before enabling the MUX VLAN function, complete the following tasks:
l Add the interface to a principal or subordinate VLAN as an access, hybrid, or trunk
interface.
l Configure the interface to allow multiple common VLANs. The interface can join only
one MUX VLAN.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
After the MUX VLAN function is enabled on an interface, VLAN mapping or VLAN
stacking cannot be configured on the interface.
You cannot create a VLANIF interface for a subordinate group VLAN or separate VLAN.
However, you can create a VLANIF interface for a principal VLAN on the device excluding
the S1720GFR, S2750EI, S5700LI, S5700S-28P-LI-AC, S5700S-28P-PWR-LI-AC, and
S5700S-52P-LI-AC.
NOTE
l Disabling MAC address learning or limiting the number of learned MAC addresses on an interface
will compromise the performance of the MUX VLAN function.
l MUX VLAN and port security cannot be configured on the same interface.
l MUX VLAN and MAC address authentication cannot be configured on the same interface.
l MUX VLAN and 802.1x authentication cannot be configured on the same interface.
l If a DHCP server is configured in the subordinate VLAN and DHCP clients are configured in the
principal VLAN, the DHCP clients may fail to obtain IP addresses. Therefore, when the DHCP
snooping function is configured, configure the DHCP server in the principal VLAN.
----End
Procedure
l Run the display mux-vlan command to check information about the MUX VLAN.
----End
Networking Requirements
All users on an enterprise network are allowed to access the enterprise server. The enterprise
allows communication between some employees and prohibits communication between
others.
As shown in Figure 7-3, MUX VLAN can be configured on the Switch connecting to user
hosts. MUX VLAN meets the enterprise's requirements, conserves VLAN resources, and has
fewer requirements on network maintenance.
[Figure 7-3: GE0/0/1 of the Switch connects to the Server in VLAN 2 (principal VLAN); GE0/0/2 to GE0/0/5 connect the user hosts.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a principal VLAN.
2. Configure a group VLAN.
3. Configure a separate VLAN.
4. Add interfaces to the VLANs and enable the MUX VLAN function.
Procedure
Step 1 Configure the MUX VLAN.
# Create VLAN 2, VLAN 3, and VLAN 4.
<HUAWEI> system-view
[HUAWEI] sysname Switch
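[Switch] vlan batch 2 3 4
# Configure VLAN 2 as the principal VLAN, VLAN 3 as the group VLAN, and VLAN 4 as the separate VLAN, as in the configuration file below.
[Switch] vlan 2
[Switch-vlan2] mux-vlan
[Switch-vlan2] subordinate group 3
[Switch-vlan2] subordinate separate 4
[Switch-vlan2] quit
# Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.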
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 2
[Switch-GigabitEthernet0/0/1] port mux-vlan enable vlan 2
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 3
[Switch-GigabitEthernet0/0/2] port mux-vlan enable vlan 3
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 3
[Switch-GigabitEthernet0/0/3] port mux-vlan enable vlan 3
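[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type access
[Switch-GigabitEthernet0/0/4] port default vlan 4
[Switch-GigabitEthernet0/0/4] port mux-vlan enable vlan 4
[Switch-GigabitEthernet0/0/4] quit
[Switch] interface gigabitethernet 0/0/5
[Switch-GigabitEthernet0/0/5] port link-type access
[Switch-GigabitEthernet0/0/5] port default vlan 4
[Switch-GigabitEthernet0/0/5] port mux-vlan enable vlan 4
[Switch-GigabitEthernet0/0/5] quit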
The server, HostB, HostC, HostD, and HostE are on the same subnet.
The server can communicate with HostB, HostC, HostD, and HostE at Layer 2.
HostB and HostC cannot communicate with HostD and HostE at Layer 2.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
port mux-vlan enable vlan 2
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 3
port mux-vlan enable vlan 3
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 3
port mux-vlan enable vlan 3
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 4
port mux-vlan enable vlan 4
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 4
port mux-vlan enable vlan 4
#
return
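The following Python sketch is an added example, not part of the Huawei guide: it parses a configuration file in the format shown above, derives which MUX-VLAN-enabled ports can reach each other at Layer 2 under the rules in this chapter, and flags ports that violate the chapter's limitations. The sample input is constructed from the Switch configuration file plus a hypothetical GE0/0/6; the function names are assumptions, and isolation between two different group VLANs is assumed.

```python
import re
from itertools import combinations

# Constructed input: the Switch configuration file above, plus a hypothetical
# GE0/0/6 that sits in separate VLAN 4 without "port mux-vlan enable".
SAMPLE_CONFIG = """\
vlan batch 2 to 4
#
vlan 2
 mux-vlan
 subordinate separate 4
 subordinate group 3
#
interface GigabitEthernet0/0/1
 port default vlan 2
 port mux-vlan enable vlan 2
#
interface GigabitEthernet0/0/2
 port default vlan 3
 port mux-vlan enable vlan 3
#
interface GigabitEthernet0/0/3
 port default vlan 3
 port mux-vlan enable vlan 3
#
interface GigabitEthernet0/0/4
 port default vlan 4
 port mux-vlan enable vlan 4
#
interface GigabitEthernet0/0/5
 port default vlan 4
 port mux-vlan enable vlan 4
#
interface GigabitEthernet0/0/6
 port default vlan 4
#
return
"""


def expand(tokens):
    """Expand a VLAN list such as ['3', 'to', '5', '9'] into {3, 4, 5, 9}."""
    out, i = set(), 0
    while i < len(tokens):
        lo = hi = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            hi, i = int(tokens[i + 2]), i + 2
        out.update(range(lo, hi + 1))
        i += 1
    return out


def parse(text):
    """Collect MUX VLAN roles (VLAN id -> (principal, role)) and per-port settings."""
    cfg, ctx = {"roles": {}, "ports": {}, "conflicts": []}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            ctx = ("vlan", int(m[1]))
        elif m := re.fullmatch(r"interface (\S+)", line):
            ctx = ("port", m[1])
            cfg["ports"][m[1]] = {"default": None, "pvid": None, "mux": None}
        elif line in ("", "#", "return"):
            ctx = None
        elif ctx and ctx[0] == "vlan":
            if line == "mux-vlan":
                cfg["roles"][ctx[1]] = (ctx[1], "principal")
            elif m := re.fullmatch(r"subordinate (group|separate) (.+)", line):
                for vid in sorted(expand(m[2].split())):
                    if vid in cfg["roles"]:  # group and separate IDs must differ
                        cfg["conflicts"].append(f"VLAN {vid}: more than one MUX VLAN role")
                    cfg["roles"][vid] = (ctx[1], m[1])
        elif ctx and ctx[0] == "port":
            port = cfg["ports"][ctx[1]]
            if m := re.fullmatch(r"port default vlan (\d+)", line):
                port["default"] = int(m[1])
            elif m := re.fullmatch(r"port trunk pvid vlan (\d+)", line):
                port["pvid"] = int(m[1])
            elif m := re.fullmatch(r"port mux-vlan enable(?: vlan)? (\d+)", line):
                port["mux"] = int(m[1])
    return cfg


def can_talk(cfg, a, b):
    """Layer 2 reachability between two ports that both have MUX VLAN enabled."""
    va, vb = cfg["ports"][a]["mux"], cfg["ports"][b]["mux"]
    ra, rb = cfg["roles"].get(va), cfg["roles"].get(vb)
    if ra is None or rb is None or ra[0] != rb[0]:
        return False  # not members of the same MUX VLAN
    if "principal" in (ra[1], rb[1]):
        return True   # principal ports reach every port of the MUX VLAN
    return ra[1] == rb[1] == "group" and va == vb  # same group VLAN only


def audit(cfg):
    """Flag settings that this chapter says break or bypass MUX VLAN isolation."""
    findings = list(cfg["conflicts"])
    for name, port in cfg["ports"].items():
        if port["mux"] is None and port["default"] in cfg["roles"]:
            findings.append(f"{name}: in MUX member VLAN {port['default']} without 'port mux-vlan enable'")
        if port["mux"] is not None and port["pvid"] in cfg["roles"]:
            findings.append(f"{name}: trunk PVID {port['pvid']} is a MUX principal/subordinate VLAN")
    return findings


if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    enforced = [n for n, p in cfg["ports"].items() if p["mux"] is not None]
    for a, b in combinations(enforced, 2):
        print(f"{a} <-> {b}: {'reachable' if can_talk(cfg, a, b) else 'isolated'}")
    print("\n".join(audit(cfg)))
```
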
Networking Requirements
All employees of an enterprise can access the server on the enterprise network. The enterprise
allows communication between some employees and prohibits communication between
others.
As shown in Figure 7-4, Switch1 is located at the aggregation layer and used as the gateway
of user hosts. Switch2, Switch3, Switch4, Switch5, and Switch6 are access devices. You can
configure MUX VLAN on Switch1 to conserve VLAN IDs on the enterprise network and
reduce network maintenance requirements.
[Figure 7-4: Switch1 (aggregation layer) connects to the Internet and, through GE0/0/2 to GE0/0/6, to the access switches Switch2 to Switch6; the Server is in VLAN 2 (principal VLAN).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a principal VLAN and a VLANIF interface. The IP address of the VLANIF
interface is used as the gateway IP address of user hosts and server.
2. Configure a group VLAN.
3. Configure a separate VLAN.
4. Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.
5. Add interfaces of access switches to VLANs.
Procedure
Step 1 Configure the MUX VLAN.
# Create VLAN 2, VLAN 3, and VLAN 4, and VLANIF 2 on Switch1. The IP address of
VLANIF 2 is used as the gateway IP address for user hosts and server.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan batch 2 3 4
[Switch1] interface vlanif 2
[Switch1-Vlanif2] ip address 192.168.100.100 24
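[Switch1-Vlanif2] quit
# Configure VLAN 2 as the principal VLAN, VLAN 3 as the group VLAN, and VLAN 4 as the separate VLAN, as in the configuration file below.
[Switch1] vlan 2
[Switch1-vlan2] mux-vlan
[Switch1-vlan2] subordinate group 3
[Switch1-vlan2] subordinate separate 4
[Switch1-vlan2] quit
# Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.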
[Switch1] interface gigabitethernet 0/0/2
[Switch1-GigabitEthernet0/0/2] port link-type trunk
[Switch1-GigabitEthernet0/0/2] port trunk allow-pass vlan 2
[Switch1-GigabitEthernet0/0/2] port mux-vlan enable vlan 2
[Switch1-GigabitEthernet0/0/2] quit
[Switch1] interface gigabitethernet 0/0/3
[Switch1-GigabitEthernet0/0/3] port link-type trunk
[Switch1-GigabitEthernet0/0/3] port trunk allow-pass vlan 3
[Switch1-GigabitEthernet0/0/3] port mux-vlan enable vlan 3
[Switch1-GigabitEthernet0/0/3] quit
[Switch1] interface gigabitethernet 0/0/4
[Switch1-GigabitEthernet0/0/4] port link-type trunk
[Switch1-GigabitEthernet0/0/4] port trunk allow-pass vlan 3
[Switch1-GigabitEthernet0/0/4] port mux-vlan enable vlan 3
[Switch1-GigabitEthernet0/0/4] quit
[Switch1] interface gigabitethernet 0/0/5
[Switch1-GigabitEthernet0/0/5] port link-type trunk
[Switch1-GigabitEthernet0/0/5] port trunk allow-pass vlan 4
[Switch1-GigabitEthernet0/0/5] port mux-vlan enable vlan 4
[Switch1-GigabitEthernet0/0/5] quit
[Switch1] interface gigabitethernet 0/0/6
[Switch1-GigabitEthernet0/0/6] port link-type trunk
[Switch1-GigabitEthernet0/0/6] port trunk allow-pass vlan 4
[Switch1-GigabitEthernet0/0/6] port mux-vlan enable vlan 4
[Switch1-GigabitEthernet0/0/6] quit
Step 2 Add interfaces of access switches to VLANs. The configuration details are not mentioned
here.
The server can communicate with HostB, HostC, HostD, and HostE at Layer 2.
HostB and HostC cannot communicate with HostD and HostE at Layer 2.
----End
Configuration Files
Switch1 configuration file
#
sysname Switch1
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
interface Vlanif2
ip address 192.168.100.100 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2
port mux-vlan enable vlan 2
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 3
port mux-vlan enable vlan 3
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 3
port mux-vlan enable vlan 3
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 4
port mux-vlan enable vlan 4
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 4
port mux-vlan enable vlan 4
#
return
This chapter describes how to configure VLAN termination. The VLAN termination function
includes two sub-functions: Dot1q termination and QinQ termination. Dot1q termination
implements inter-VLAN communication. Use the Dot1q termination and QinQ termination
together to implement LAN and WAN interconnection.
These VLAN tags are only useful before termination, and are not used in Layer 3 forwarding
or other processing.
A device with VLAN termination enabled processes incoming and outgoing packets as
follows:
l Removes VLAN tags from the packets received on interfaces, and then forwards the
packets at Layer 3 or takes other actions.
l Adds VLAN tags to the packets that will be sent out through interfaces.
Classification
Depending on the modes in which VLAN tagged packets are processed, VLAN termination
has the following sub-functions:
l Dot1q termination: removes the outer VLAN tag from the received single-tagged or
double-tagged packets, and adds a VLAN tag to the packets to be sent by an interface.
l QinQ termination: removes double VLAN tags from the received double-tagged packets,
and adds double VLAN tags to the packets to be sent by an interface.
Generally, VLAN termination is configured on sub-interfaces. A sub-interface that terminates
single tags in packets is called a Dot1q termination sub-interface, and a sub-interface that
terminates double tags in packets is called a QinQ termination sub-interface.
NOTE
Dot1q and QinQ VLAN tag termination sub-interfaces do not support transparent transmission of
packets that do not contain a VLAN tag, and discard received packets that do not contain a VLAN tag.
Purpose
After VLANs are assigned on a network, hosts in the same VLAN can communicate with
each other at Layer 2, whereas hosts in different VLANs cannot. You can use VLANIF
interfaces on a Layer 3 switch to implement inter-VLAN Layer 3 connectivity. As shown in
Figure 8-1, when a Layer 3 switch uses only one Layer 3 Ethernet interface to connect to
users or a network, this interface needs to transmit packets from multiple VLANs. A VLANIF
interface cannot provide this function. You can virtualize a Layer 3 Ethernet interface into
multiple logical sub-interfaces. The Layer 3 Ethernet interface is the main interface for the
logical sub-interfaces.
[Figure 8-1: a Layer 3 switch with sub-interfaces Port1.1 and Port1.2 connects over a VLAN trunk to a Layer 2 switch.]
By default, a Layer 3 Ethernet sub-interface treats received VLAN packets as invalid packets
and discards them; therefore, VLAN termination needs to be configured on the Layer 3
Ethernet sub-interface so that the sub-interface can remove VLAN tags from packets.
[Figure: sub-interfaces Port1.1 and Port1.2 on SwitchA connect over a VLAN trunk to SwitchB.]
l Create sub-interfaces Port1.1 and Port1.2 on the Ethernet interface connecting SwitchA
to SwitchB.
l Configure Dot1q termination on Port1.1 and Port1.2 to remove VLAN tags in packets
sent by SwitchB.
l Assign IP addresses to Port1.1 and Port1.2.
l Configure the IP addresses of Port1.1 and Port1.2 as the default gateway addresses for
user hosts.
After the preceding operations are performed, user hosts in VLAN 2 and VLAN 3 can
communicate at Layer 3. When a host in VLAN 2 sends packets to a host in VLAN 3, the
process is as follows:
1. Port1.1 removes the VLAN tag of the packets sent from VLAN 2 through SwitchB, and
forwards the packets to Port1.2 at Layer 3.
2. Before sending the packets out, Port1.2 adds VLAN 3 to the packets so that the packets
can reach user hosts in VLAN 3.
The process is reversed when a host in VLAN 3 sends packets to a host in VLAN 2.
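The tag handling described above (Dot1q versus QinQ termination, the discard of untagged frames, and the VLAN 2 to VLAN 3 forwarding steps) can be traced on raw frames. This Python sketch is an added example, not code from the guide; the MAC addresses, payload, VLAN IDs 100 and 10, the accepted TPID set and all function names are constructed assumptions, and Layer 3 forwarding itself is not modelled.

```python
import struct

TAG_TPIDS = {0x8100, 0x88A8}  # assumption: TPIDs this sketch treats as VLAN tags
MACS = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")  # constructed dst + src


def build_frame(vids, payload=b"constructed-ip-packet"):
    """Build an Ethernet frame carrying the given VLAN IDs as tags, outer tag first."""
    tags = b"".join(struct.pack("!HH", 0x8100, vid & 0x0FFF) for vid in vids)
    return MACS + tags + struct.pack("!H", 0x0800) + payload


def vlan_tags(frame):
    """Return the VLAN IDs of up to two tags that follow the MAC addresses."""
    vids, offset = [], 12
    while len(vids) < 2 and len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in TAG_TPIDS:
            break
        vids.append(tci & 0x0FFF)
        offset += 4
    return vids


def terminate(frame, mode, outer_vid, inner_vid=None):
    """Ingress on a termination sub-interface: return the frame after tag removal,
    or None when the sub-interface discards it."""
    vids = vlan_tags(frame)
    if not vids or vids[0] != outer_vid:
        return None  # untagged frames and non-matching VLAN IDs are discarded
    if mode == "dot1q":
        return frame[:12] + frame[16:]  # remove the outer tag only
    if mode == "qinq":
        if len(vids) < 2 or vids[1] != inner_vid:
            return None
        return frame[:12] + frame[20:]  # remove both tags
    raise ValueError(f"unknown termination mode: {mode}")


def add_tags(frame, vids):
    """Egress on a termination sub-interface: add the configured tag or tags."""
    tags = b"".join(struct.pack("!HH", 0x8100, vid & 0x0FFF) for vid in vids)
    return frame[:12] + tags + frame[12:]


def inter_vlan_forward(frame, in_vid, out_vid):
    """Port1.1 terminates in_vid, then Port1.2 adds out_vid before sending."""
    untagged = terminate(frame, "dot1q", in_vid)
    return None if untagged is None else add_tags(untagged, [out_vid])


if __name__ == "__main__":
    out = inter_vlan_forward(build_frame([2]), in_vid=2, out_vid=3)
    print("VLAN 2 -> VLAN 3:", vlan_tags(out))
    print("untagged frame:", terminate(build_frame([]), "dot1q", 2))
    print("QinQ 100/10:", vlan_tags(terminate(build_frame([100, 10]), "qinq", 100, 10)))
```
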
CEs to PEs carry one or double VLAN tags. User hosts in different branches need to
communicate with each other.
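[Figure: CE1 (Branch1) connects to Port1.1 on PE1 and CE2 (Branch2) connects to Port1.1 on PE2; PE1 and PE2 are joined by the ISP PWE3/VLL/VPLS network. Packets between the CEs and PEs are single-tagged.]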
Dot1q termination and PWE3/VLL/VPLS are configured on sub-interfaces of PE1 and PE2.
When branch 1 sends packets to branch 2, the process is as follows:
1. PE1 checks the outer VLAN tag of data packets sent from CE1. When the VLAN tag is
the same as that specified in the Dot1q termination configuration on Port1.1, PE1
encapsulates double MPLS labels into the packets and forwards the packets to the
carrier's PWE3/VLL/VPLS network. VLAN tags are transparent to the carrier's
PWE3/VLL/VPLS network.
2. When receiving the packets, PE2 removes double MPLS labels from the packets, and
forwards the packets to CE2 according to the Dot1q termination configuration on
Port1.1.
3. CE2 forwards packets to user hosts to implement interworking of different branches.
The process is reversed when branch 2 sends packets to branch 1.
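[Figure: CE1 (VPN1, Branch 1) and CE2 (VPN2, Branch 1) connect to Port1.1 and Port1.2 on PE1; CE3 (VPN1, Branch 2) and CE4 (VPN2, Branch 2) connect to Port1.1 and Port1.2 on PE2; PE1 and PE2 are joined by the ISP MPLS L3VPN network.]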
Dot1q termination and L3VPN are configured on sub-interfaces of PE1 and PE2. When a host
in branch 1 of VPN 1 sends packets to a host in branch 2 of VPN 1, the process is as follows:
1. According to the Dot1q termination configuration on Port1.1, PE1 removes the outer
VLAN tag of the packets sent from CE1.
2. PE1 binds the outer VLAN tag to the VPN instance VPN1, and forwards the packets to
the L3VPN.
3. After the packets reach PE2, PE2 determines that the packets are destined for CE3
according to the VPN instance.
4. PE2 adds an outer VLAN tag to the packets according to the Dot1q termination
configuration on Port1.1, and then forwards the packets to CE3.
5. CE3 forwards the packets to the destination user host to implement communication.
The process is reversed when a host in branch 2 of VPN 1 sends packets to branch 1 of VPN
1.
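[Figure: CE1 (Branch 1) connects to Port1.1 on PE1 and CE2 (Branch 2) connects to Port1.1 on PE2; PE1 and PE2 are joined by the ISP PWE3/VLL/VPLS network. Packets between the CEs and PEs are double-tagged.]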
QinQ termination and PWE3/VLL/VPLS are configured on sub-interfaces of PE1 and PE2.
When branch 1 sends packets to branch 2, the process is as follows:
1. PE1 checks the inner and outer VLAN tags of data packets sent from CE1. When these
VLAN tags are the same as those specified in the QinQ termination configuration on
Port1.1, PE1 encapsulates double MPLS labels into the packets and forwards the packets
to the carrier's PWE3/VLL/VPLS network. VLAN tags are transparent to the carrier's
PWE3/VLL/VPLS network.
2. When receiving the packets, PE2 removes double MPLS labels from the packets, and
forwards the packets to CE2 according to the QinQ termination configuration on Port1.1.
3. CE2 forwards packets to user hosts to implement interworking of different branches.
The process is reversed when branch 2 sends packets to branch 1.
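[Figure: CE1 (VPN1, Branch 1) and CE2 (VPN2, Branch 1) connect to Port1.1 and Port1.2 on PE1; CE3 (VPN1, Branch 2) and CE4 (VPN2, Branch 2) connect to Port1.1 and Port1.2 on PE2; PE1 and PE2 are joined by the ISP MPLS L3VPN network.]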
QinQ termination and L3VPN are configured on sub-interfaces of PE1 and PE2. When a host
in branch 1 of VPN 1 sends packets to a host in branch 2 of VPN 1, the process is as follows:
1. According to the QinQ termination configuration on Port1.1, PE1 removes the inner and
outer VLAN tags of the packets sent from CE1.
2. PE1 binds the inner and outer VLAN tags to the VPN instance VPN1, and forwards the
packets to the L3VPN.
3. After the packets reach PE2, PE2 determines that the packets are destined for CE3
according to the VPN instance.
4. PE2 adds inner and outer VLAN tags to the packets according to the QinQ termination
configuration on Port1.1, and then forwards the packets to CE3.
5. CE3 forwards the packets to the destination user host to implement communication.
The process is reversed when a host in branch 2 of VPN 1 sends packets to branch 1 of VPN
1.
l 8.6 Configuring a Dot1q Termination Sub-interface to Implement Inter-VLAN Communication: A Layer 3 switch connects to user hosts residing in different VLANs through a Layer 3 Ethernet interface, and these user hosts need to communicate with each other.
l 8.7 Configuring a Dot1q Termination Sub-interface and Connecting It to an L2VPN: A carrier's network provides the L2VPN service for users. PEs function as user access devices and connect to CEs through sub-interfaces to access user networks. The data packets that CEs send to PEs carry one VLAN tag. Interworking is required between user networks.
l 8.8 Configuring a Dot1q Termination Sub-interface and Connecting It to an L3VPN: A carrier's network provides the L3VPN service for users. PEs function as user access devices and connect to CEs through sub-interfaces to access user networks. The data packets that CEs send to PEs carry one VLAN tag. Interworking is required between user networks.
l 8.9 Configuring a QinQ Termination Sub-interface and Connecting It to an L2VPN: A carrier's network provides the L2VPN service for users. PEs function as user access devices and connect to CEs through sub-interfaces to access user networks. The data packets that CEs send to PEs carry double VLAN tags. Interworking is required between user networks.
l 8.10 Configuring a QinQ Termination Sub-interface and Connecting It to an L3VPN: A carrier's network provides the L3VPN service for users. PEs function as user access devices and connect to CEs through sub-interfaces to access user networks. The data packets that CEs send to PEs carry double VLAN tags. Interworking is required between user networks.
Licensing Requirements
VLAN termination, that is, QinQ and Dot1q on a sub-interface, is a basic feature of a switch
and is not under license control.
Software Requirements
NOTE
For details about software mappings, see the Hardware Query Tool.
Feature Limitations
l Termination sub-interfaces cannot be configured on an Eth-Trunk member interface.
l You are advised to add member interfaces to an Eth-Trunk first and then configure
termination sub-interfaces on the Eth-Trunk. Termination sub-interfaces can be
configured successfully on an Eth-Trunk only when the device where the member
interfaces reside supports termination sub-interfaces.
l The VLAN IDs terminated by a sub-interface cannot be created in the system view or be
displayed using a display command.
l When VLAN IDs terminated by a sub-interface are used for Layer 3 forwarding, only
the first VLAN takes effect even if multiple inner VLAN IDs are specified.
Context
When a Layer 3 switch connects to users on different network segments across different
VLANs, configure Dot1q termination and IP addresses for the sub-interfaces to implement
Layer 3 connectivity.
NOTE
- To implement inter-VLAN communication, hosts in each VLAN must use the IP address of the
  corresponding sub-interface as the default gateway address.
- When VLAN IDs terminated by a sub-interface are used for Layer 3 forwarding, only the first
  VLAN takes effect even if multiple inner VLAN IDs are specified.
Procedure
Step 1 Run system-view
----End
Pre-configuration Tasks
Before configuring a Dot1q termination sub-interface and connecting it to an L2VPN,
complete the following tasks:
- Connect devices correctly.
- Configure VLANs to which CEs belong and basic Layer 2 forwarding so that each
  packet sent from CEs to PEs carries one VLAN tag.
- Ensure that the device is not a VCMP client.
Context
When a VPN connects to an ISP network through a sub-interface, the sub-interface needs to
remove VLAN tags of the packets that the VPN has sent to the ISP network. When each
packet that CEs send to PEs carries one VLAN tag, the sub-interface terminates the single
VLAN tag. This sub-interface is called Dot1q termination sub-interface.
Procedure
Step 1 On the PE device, run system-view
NOTE
If the PW-side interface is a Layer 3 interface switched by the undo portswitch command, the AC-side
interface cannot be a Layer 3 interface or subinterface belonging to a Layer 3 interface; otherwise, traffic
forwarding is abnormal. This rule applies to S5720EI, S6720EI, and S6720S-EI.
----End
Context
After a Dot1q termination sub-interface is configured, you need to configure the virtual
private network (VPN) service on the sub-interface so that users at both ends of the L2VPN
can communicate with each other.
Virtual leased line (VLL) technology emulates leased lines on an IP network to provide
inexpensive, asymmetrical digital data network (DDN) services. As a point-to-point (P2P)
L2VPN technology, VLL can support almost all link layer protocols.
For details about L2VPN, see VLL Configuration in the S1720, S2700, S5700, and S6720
V200R011C10 Configuration Guide - VPN.
NOTE
A Dot1q termination sub-interface can be bound to a VLL that provides homogeneous or heterogeneous
transport in the following modes:
- Local Kompella connection
- Remote Kompella connection
- Local Martini connection
- Remote Martini connection
Procedure
- Run the display dot1q information termination [ interface interface-type
  interface-number [.subinterface-number ] ] command to check dot1q termination
  sub-interface information.
- Run the display mpls static-l2vc command to check static VC information.
- Run the display mpls l2vc command on the PE to check Martini VLL information on
  the local PE.
- Run the display mpls l2vc remote-info command on the PE to check Martini VLL
  information on the remote PE.
- Run the display vll ccc [ ccc-name | type { local | remote } ] command to check CCC
  connection information.
----End
Pre-configuration Tasks
Before configuring a Dot1q termination sub-interface and connecting it to an L3VPN,
complete the following tasks:
- Connect devices correctly.
- Configure VLANs to which CEs belong and basic Layer 2 forwarding so that each
  packet sent from CEs to PEs carries one VLAN tag.
- Ensure that the device is not a VCMP client.
Procedure
- Configure an IPv4 address for a sub-interface.
  a. On the PE device, run system-view
     The system view is displayed.
  b. Run interface interface-type interface-number
     The interface view is displayed.
Configure L3VPN on the CE, PE, and P. For details, see BGP/MPLS IP VPN Configuration
or BGP/MPLS IPv6 VPN Configuration in the S1720, S2700, S5700, and S6720
V200R011C10 Configuration Guide - VPN.
Procedure
- Run the display dot1q information termination [ interface interface-type
  interface-number [.subinterface-number ] ] command to check dot1q termination
  sub-interface information.
- Run the display ip vpn-instance [ verbose ] [ vpn-instance-name ] command to check
  VPN instance information.
----End
Pre-configuration Tasks
Before configuring a QinQ termination sub-interface and connecting it to an L2VPN,
complete the following tasks:
- Connect devices correctly.
- Configure VLANs to which CEs belong and basic Layer 2 forwarding so that packets
  sent from CEs to PEs carry double VLAN tags.
- Ensure that the device is not a VCMP client.
Configuration Process
Context
When a VPN network connects to an ISP network through a sub-interface, the sub-interface
needs to terminate VLAN tags. When data packets sent by CEs to PEs carry double VLAN
tags, the sub-interface terminates double VLAN tags. This sub-interface is called QinQ
termination sub-interface.
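What "terminating" one tag (Dot1q) or two tags (QinQ) means at the frame level, as an added Python model that is not Huawei code. It assumes TPID 0x8100 or 0x88A8 on every tag and treats an exact tag-stack match as the condition for a sub-interface to accept a frame; how a real device handles extra or missing tags is not described on this page. `[10]` stands for `dot1q termination vid 10` and `[100, 10]` for `qinq termination pe-vid 100 ce-vid 10`.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # assumed tag protocol IDs: 802.1Q and 802.1ad


def build_frame(vids, ethertype=0x0800, payload=b"constructed payload"):
    """Build a constructed test frame carrying the given VLAN IDs, outermost first."""
    dst, src = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    tags = b"".join(struct.pack("!HH", 0x8100, vid) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (vids, offset): the VLAN IDs outermost first, and the index of the real EtherType."""
    offset, vids = 12, []  # tags start right after the two 6-byte MAC addresses
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in TPIDS:
            return vids, offset
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4


def terminate(frame, expected_vids):
    """Model a termination sub-interface.

    Returns the frame with its VLAN tags removed when the tag stack equals
    expected_vids, or None when the frame does not belong to this sub-interface.
    """
    vids, offset = parse_tags(frame)
    if vids != list(expected_vids):
        return None
    return frame[:12] + frame[offset:]


if __name__ == "__main__":
    single = build_frame([10])        # what a CE sends toward a Dot1q sub-interface
    double = build_frame([100, 10])   # what arrives at a QinQ sub-interface
    print(parse_tags(single)[0], terminate(single, [10]) == build_frame([]))
    print(parse_tags(double)[0], terminate(double, [100, 10]) == build_frame([]))
    print(terminate(double, [10]))    # tag stack does not match a Dot1q sub-interface
```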
Procedure
Step 1 On the PE device, run system-view
NOTE
If the PW-side interface is a Layer 3 interface switched by the undo portswitch command, the AC-side
interface cannot be a Layer 3 interface or subinterface belonging to a Layer 3 interface; otherwise, traffic
forwarding is abnormal. This rule applies to S5720EI, S6720EI, and S6720S-EI.
The attributes of the sub-interface for QinQ VLAN tag termination are set.
By default, access attributes are not configured on a sub-interface for QinQ VLAN tag
termination.
When a sub-interface for QinQ VLAN tag termination is connected to the L2VPN, the PE
processes packets based on the QinQ termination configuration, the attributes set on the
sub-interface for connecting to the PWE3, VLL, or VPLS network, and the encapsulation
mode.
NOTE
Select the encapsulation mode according to encapsulation (VSI view) or mpls l2vc.
Table 8-4 Packet processing on the inbound interface in the VPLS scenario
Table 8-5 Packet processing on the outbound interface in the VPLS scenario
Inbound Interface Type: Symmetrical mode
Ethernet Encapsulation: Removes the MPLS label and adds the outer tag specified by pe-vid
that is configured on the sub-interface for QinQ VLAN tag termination.
VLAN Encapsulation: Removes the MPLS label and replaces the outer tag with the tag
specified by pe-vid that is configured on the sub-interface for QinQ VLAN tag termination
if packets carry the inner tag, or removes the MPLS label and adds the outer tag specified
by pe-vid that is configured on the sub-interface for QinQ VLAN tag termination if packets
do not carry the inner tag.
Table 8-6 Packet processing on the inbound interface in the VLL or PWE3 scenario
Inbound Interface Type Raw Encapsulation Tagged Encapsulation
Table 8-7 Packet processing on the outbound interface in the VLL or PWE3 scenario
Inbound Interface Type: Symmetrical mode
Raw Encapsulation: Removes the MPLS label and adds the outer tag specified by pe-vid
that is configured on the sub-interface for QinQ VLAN tag termination.
Tagged Encapsulation: Removes the MPLS label and replaces the outer tag with the tag
specified by pe-vid that is configured on the sub-interface for QinQ VLAN tag termination
if packets carry the inner tag, or removes the MPLS label and adds the outer tag specified
by pe-vid that is configured on the sub-interface for QinQ VLAN tag termination if packets
do not carry the inner tag.
----End
Context
Virtual leased line (VLL) technology emulates leased lines on an IP network to provide
inexpensive, asymmetrical digital data network (DDN) services. As a point-to-point (P2P)
L2VPN technology, VLL can support almost all link layer protocols.
For details about L2VPN, see VLL Configuration in the S1720, S2700, S5700, and S6720
V200R011C10 Configuration Guide - VPN.
NOTE
A QinQ termination sub-interface can be bound to a VLL that provides homogeneous or heterogeneous
transport in the following modes:
- Local CCC connection
- Remote CCC connection
- Remote SVC connection
- Local Kompella connection
- Remote Kompella connection
- Remote Martini connection
A QinQ termination sub-interface supports the following VPLS connections:
- Martini VPLS
- Kompella VPLS
Procedure
- Run the display qinq information termination [ interface interface-type
  interface-number [.subinterface-number ] ] command to check QinQ termination
  sub-interface information.
- Run the display vll ccc [ ccc-name | type { local | remote } ] command to check CCC
  connection information.
- Run the display mpls static-l2vc command to check static VC information.
- Run the display mpls l2vc command on the PE to check Martini VLL information on
  the local PE.
- Run the display mpls l2vc remote-info command on the PE to check Martini VLL
  information on the remote PE.
----End
Pre-configuration Tasks
Before configuring a QinQ termination sub-interface and connecting it to an L3VPN,
complete the following tasks:
- Connect devices correctly.
- Configure VLANs to which CEs belong and basic Layer 2 forwarding so that packets
  sent from CEs to PEs carry double VLAN tags.
- Ensure that the device is not a VCMP client.
Configuration Process
Procedure
- Configure an IPv4 address for a sub-interface.
  a. On the PE device, run system-view
     The system view is displayed.
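Figure 8-7 Networking for configuring Dot1q termination sub-interfaces to implement
inter-VLAN communication
[Figure: Switch connects to SwitchA through sub-interface GE0/0/1.1 (10.10.10.1/24) and to
SwitchB through sub-interface GE0/0/2.1 (10.10.20.1/24). On SwitchA, GE0/0/2 is the uplink
and GE0/0/1 connects PC1 (10.10.10.2/24) of Department 1 in VLAN 10. On SwitchB, GE0/0/2 is
the uplink and GE0/0/1 connects PC2 (10.10.20.2/24) of Department 2 in VLAN 20.]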
Configuration Roadmap
The configuration roadmap is as follows.
1. Configure the ID of the VLAN to which each interface belongs.
2. Configure Dot1q termination sub-interfaces.
3. Assign IP addresses to the sub-interfaces.
NOTE
Procedure
Step 1 Add the uplink interface of SwitchA to VLAN 10 in tagged mode and the user-side interface
to VLAN 10 in untagged mode, and add the uplink interface of SwitchB to VLAN 20 in
tagged mode and the user-side interface to VLAN 20 in untagged mode. Configure VLANs
on interfaces of SwitchA and SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 20
[SwitchB] interface gigabitethernet0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type access
[SwitchB-GigabitEthernet0/0/1] port default vlan 20
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vcmp role silent
#
interface GigabitEthernet0/0/1
port link-type hybrid
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 10
ip address 10.10.10.1 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/2
port link-type hybrid
#
interface GigabitEthernet0/0/2.1
dot1q termination vid 20
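Figure 8-8 Networking for configuring Dot1q termination sub-interfaces to implement
inter-VLAN communication across a network
[Figure: SwitchA (GE0/0/2) and SwitchB (GE0/0/1) are connected and run OSPF. SwitchA
sub-interface GE0/0/1.1 serves VLAN 10, where PC A is 10.10.10.2/24. SwitchB sub-interface
GE0/0/2.1 serves VLAN 20, where PC B is 10.10.20.2/24.]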
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure VLANs that interfaces belong to.
2. Assign IP addresses to VLANIF interfaces.
3. Set the encapsulation mode of sub-interfaces.
4. Configure VLANs allowed by sub-interfaces.
5. Assign IP addresses to the sub-interfaces.
6. Configure basic OSPF functions.
NOTE
Procedure
Step 1 Configure SwitchA.
# Create a VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 30
# Create a VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 30
On the PCs residing on the Layer 2 network connected to SwitchA, set the default gateway
address to 10.10.10.1/24, which is the IP address of GE0/0/1.1. The switch connected to
SwitchA allows VLAN 10.
On the PCs residing on the Layer 2 network connected to SwitchB, set the default gateway
address to 10.10.20.1/24, which is the IP address of GE0/0/2.1. The switch connected to
SwitchA allows VLAN 20.
After the configuration is complete, PCs on the two Layer 2 networks are isolated at Layer 2
and interwork at Layer 3.
----End
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
router id 1.1.1.1
#
vcmp role silent
#
vlan batch 30
#
interface Vlanif30
ip address 10.10.30.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type hybrid
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 10
ip address 10.10.10.1 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
ospf 1
area 0.0.0.0
network 10.10.10.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return
interface GigabitEthernet0/0/2
port link-type hybrid
#
interface GigabitEthernet0/0/2.1
dot1q termination vid 20
ip address 10.10.20.1 255.255.255.0
arp broadcast enable
#
ospf 1
area 0.0.0.0
network 10.10.20.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return
Networking Requirements
On the network shown in Figure 8-9, CE1 and CE2 are respectively connected to PE1 and
PE2 through VLANs.
A Martini VLL is created between CE1 and CE2 so that users residing on the networks
connected to CE1 and CE2 can communicate with each other.
Figure 8-9 Networking diagram for connecting Dot1q sub-interfaces to a VLL network
[Figure: CE1, PE1, P, PE2, and CE2 connected in a chain. Loopback1 is 1.1.1.1/32 on PE1,
2.2.2.2/32 on P, and 3.3.3.3/32 on PE2.]
- Loopback1 - 1.1.1.1/32
- GigabitEthernet0/0/2 GigabitEthernet0/0/2.1 -
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol on PE and P of the backbone network to implement
interworking, and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP to transmit data.
3. Enable MPLS L2VPN and create VC connections on PEs.
4. Configure Dot1q sub-interfaces on PE interfaces connected to CEs to implement VLL
access.
NOTE
Procedure
Step 1 Configure the VLANs to which interfaces of CEs, PEs, and P belong and assign IP addresses
to VLANIF interfaces according to Figure 8-9.
# Configure CE1 to ensure that each packet that CE1 sends to PE1 carries one VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 0/0/1
[CE1-GigabitEthernet0/0/1] port link-type trunk
[CE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE1-GigabitEthernet0/0/1] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.10.10.1 24
[CE1-Vlanif10] quit
# Configure CE2 to ensure that each packet that CE2 sends to PE2 carries one VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 0/0/2
[PE1-GigabitEthernet0/0/2] port link-type hybrid
[PE1-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[PE1-GigabitEthernet0/0/2] port hybrid tagged vlan 20
[PE1-GigabitEthernet0/0/2] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 10.1.1.1 24
[PE1-Vlanif20] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 0/0/1
[P-GigabitEthernet0/0/1] port link-type hybrid
[P-GigabitEthernet0/0/1] port hybrid pvid vlan 30
[P-GigabitEthernet0/0/1] port hybrid tagged vlan 30
[P-GigabitEthernet0/0/1] quit
[P] interface gigabitethernet 0/0/2
[P-GigabitEthernet0/0/2] port link-type hybrid
[P-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[P-GigabitEthernet0/0/2] port hybrid tagged vlan 20
[P-GigabitEthernet0/0/2] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 10.1.1.2 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 10.2.2.2 24
[P-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] port link-type hybrid
[PE2-GigabitEthernet0/0/1] port hybrid pvid vlan 30
[PE2-GigabitEthernet0/0/1] port hybrid tagged vlan 30
[PE2-GigabitEthernet0/0/1] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 10.2.2.1 24
[PE2-Vlanif30] quit
Step 2 Configure an IGP, for example, OSPF, on the MPLS backbone network.
Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the LSR IDs.
# Configure PE1.
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
# Configure P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 10.2.2.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 10.2.2.1 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command to verify that the OSPF neighbor
relationship status is Full. Run the display ip routing-table command to verify that the PEs
learn the route to the Loopback1 interface of each other. The following is the display on PE1:
[PE1] display ospf peer
Step 3 Configure basic MPLS functions and LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 to
view the LDP session setup. An LDP session is set up between PE1 and PE2 as shown in the
following display:
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 0000:15:29 3717/3717
3.3.3.3:0 Operational DU Passive 0000:00:00 2/2
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.
PW template name : --
primary or secondary : primary
load balance type : flow
Access-port : false
Switchover Flag : false
VC tunnel/token info : 1 tunnels/tokens
NO.0 TNL type : lsp , TNL ID : 0x10031
Backup TNL type : lsp , TNL ID : 0x0
create time : 1 days, 22 hours, 15 minutes, 9 seconds
up time : 0 days, 22 hours, 54 minutes, 57 seconds
last change time : 0 days, 22 hours, 54 minutes, 57 seconds
VC last up time : 2010/10/09 19:26:37
VC total up time : 1 days, 20 hours, 42 minutes, 30 seconds
CKey : 8
NKey : 3
PW redundancy mode : --
AdminPw interface : --
AdminPw link state : --
Diffserv Mode : uniform
Service Class : --
Color : --
DomainId : --
Domain Name : --
----End
Configuration Files
- CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.3
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 10
mpls l2vc 3.3.3.3 101
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
- P configuration file
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet0/0/2
Figure 8-10 Networking diagram for connecting QinQ termination sub-interfaces to a VLL
network
[Figure: CE1, Switch1, PE1, P, PE2, Switch2, and CE2 connected in a chain. Loopback1 is
1.1.1.1/32 on PE1, 2.2.2.2/32 on P, and 3.3.3.3/32 on PE2.]
- Loopback1 - 1.1.1.1/32
- GigabitEthernet0/0/2 GigabitEthernet0/0/2.1 -
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol on PE and P of the backbone network to implement
interworking, and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP to transmit data.
3. Enable MPLS L2VPN and create VC connections on PEs.
4. Configure QinQ sub-interfaces on PE interfaces connected to the switches to implement
VLL access.
5. Configure selective QinQ on the switch interfaces connected to CEs.
NOTE
Procedure
Step 1 Configure the VLANs to which interfaces of CEs, PEs, and P belong and assign IP addresses
to VLANIF interfaces according to Figure 8-10.
# Configure CE1 to ensure that each packet sent from CE1 to Switch1 carries one VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE1
# Configure CE2 to ensure that each packet sent from CE2 to Switch2 carries one VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 0/0/1
[CE2-GigabitEthernet0/0/1] port link-type trunk
[CE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE2-GigabitEthernet0/0/1] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.10.10.2 24
[CE2-Vlanif10] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 0/0/2
[PE1-GigabitEthernet0/0/2] port link-type hybrid
[PE1-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[PE1-GigabitEthernet0/0/2] port hybrid tagged vlan 20
[PE1-GigabitEthernet0/0/2] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 10.1.1.1 24
[PE1-Vlanif20] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 0/0/1
[P-GigabitEthernet0/0/1] port link-type hybrid
[P-GigabitEthernet0/0/1] port hybrid pvid vlan 30
[P-GigabitEthernet0/0/1] port hybrid tagged vlan 30
[P-GigabitEthernet0/0/1] quit
[P] interface gigabitethernet 0/0/2
[P-GigabitEthernet0/0/2] port link-type hybrid
[P-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[P-GigabitEthernet0/0/2] port hybrid tagged vlan 20
[P-GigabitEthernet0/0/2] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 10.1.1.2 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 10.2.2.2 24
[P-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] port link-type hybrid
[PE2-GigabitEthernet0/0/1] port hybrid pvid vlan 30
[PE2-GigabitEthernet0/0/1] port hybrid tagged vlan 30
[PE2-GigabitEthernet0/0/1] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 10.2.2.1 24
[PE2-Vlanif30] quit
Step 2 Configure selective QinQ on interfaces of the Switch and specify the VLANs allowed by the
interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 100
[Switch1-vlan100] quit
[Switch1] interface gigabitethernet0/0/2
[Switch1-GigabitEthernet0/0/2] port link-type hybrid
[Switch1-GigabitEthernet0/0/2] port hybrid tagged vlan 100
[Switch1-GigabitEthernet0/0/2] quit
[Switch1] interface gigabitethernet0/0/1
[Switch1-GigabitEthernet0/0/1] port link-type hybrid
[Switch1-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[Switch1-GigabitEthernet0/0/1] qinq vlan-translation enable
[Switch1-GigabitEthernet0/0/1] port vlan-stacking vlan 10 stack-vlan 100
[Switch1-GigabitEthernet0/0/1] quit
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan 100
[Switch2-vlan100] quit
[Switch2] interface gigabitethernet0/0/2
[Switch2-GigabitEthernet0/0/2] port link-type hybrid
[Switch2-GigabitEthernet0/0/2] port hybrid tagged vlan 100
[Switch2-GigabitEthernet0/0/2] quit
[Switch2] interface gigabitethernet0/0/1
[Switch2-GigabitEthernet0/0/1] port link-type hybrid
[Switch2-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[Switch2-GigabitEthernet0/0/1] qinq vlan-translation enable
[Switch2-GigabitEthernet0/0/1] port vlan-stacking vlan 10 stack-vlan 100
[Switch2-GigabitEthernet0/0/1] quit
Step 3 Configure an IGP, for example, OSPF, on the MPLS backbone network.
Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the LSR IDs.
# Configure PE1.
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 10.2.2.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
# After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command to verify that the OSPF neighbor
relationship status is Full. Run the display ip routing-table command to verify that the PEs
learn the route to the Loopback1 interface of each other. The following is the display on PE1:
[PE1] display ospf peer
Step 4 Enable basic MPLS functions and MPLS LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 to
view the LDP session setup. You can see an LDP session has been set up between PE1 and
PE2.
The following is the display on PE1:
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 0000:15:29 3717/3717
3.3.3.3:0 Operational DU Passive 0000:00:00 2/2
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.
Check the L2VPN connections on PEs. You can see that an L2VC connection has been set up
and is in Up state.
Service Class : --
Color : --
DomainId : --
Domain Name : --
----End
Configuration Files
- CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.3
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
#
interface GigabitEthernet0/0/1.1
qinq termination pe-vid 100 ce-vid 10
mpls l2vc 3.3.3.3 101
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
- P configuration file
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet0/0/2
port link-type hybrid
Figure 8-11 Networking diagram for connecting Dot1q termination sub-interfaces to a VPLS
network
[Figure: CE1, PE1, P, PE2, and CE2 connected in a chain. Loopback1 is 1.1.1.1/32 on PE1,
2.2.2.2/32 on P, and 3.3.3.3/32 on PE2.]
- Loopback1 - 1.1.1.1/32
- GigabitEthernet0/0/2 GigabitEthernet0/0/2.1 -
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32
Configuration Roadmap
The configuration roadmap is as follows:
NOTE
Procedure
Step 1 Configure a VLAN to which each interface belongs and assign IP addresses to VLANIF
interfaces according to Figure 8-11.
NOTE
- The AC-side and PW-side physical interfaces of a PE cannot be added to the same VLAN;
  otherwise, a loop may occur.
- Ensure that each packet sent from a CE to a PE carries a VLAN tag.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 0/0/1
[CE1-GigabitEthernet0/0/1] port link-type trunk
[CE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE1-GigabitEthernet0/0/1] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 0/0/1
[CE2-GigabitEthernet0/0/1] port link-type trunk
[CE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE2-GigabitEthernet0/0/1] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.1.1.2 24
[CE2-Vlanif10] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 0/0/2
[PE1-GigabitEthernet0/0/2] port link-type hybrid
[PE1-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[PE1-GigabitEthernet0/0/2] port hybrid tagged vlan 20
[PE1-GigabitEthernet0/0/2] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 4.4.4.4 24
[PE1-Vlanif20] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 0/0/1
[P-GigabitEthernet0/0/1] port link-type hybrid
[P-GigabitEthernet0/0/1] port hybrid pvid vlan 20
[P-GigabitEthernet0/0/1] port hybrid tagged vlan 20
[P-GigabitEthernet0/0/1] quit
[P] interface gigabitethernet 0/0/2
[P-GigabitEthernet0/0/2] port link-type hybrid
[P-GigabitEthernet0/0/2] port hybrid pvid vlan 30
[P-GigabitEthernet0/0/2] port hybrid tagged vlan 30
[P-GigabitEthernet0/0/2] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 4.4.4.5 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 5.5.5.4 24
[P-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] port link-type hybrid
[PE2-GigabitEthernet0/0/1] port hybrid pvid vlan 30
[PE2-GigabitEthernet0/0/1] port hybrid tagged vlan 30
[PE2-GigabitEthernet0/0/1] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 5.5.5.5 24
[PE2-Vlanif30] quit
# Configure P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 4.4.4.5 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 5.5.5.4 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, run the display ip routing-table command on PE1, P,
and PE2. You can view the routes that PE1, P, and PE2 have learned from each other. The
following is the display on PE1:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
After the configuration is complete, run the display mpls ldp session command on PE1, P,
and PE2. You can see that the peer relationships are set up between PE1 and P, and between P
and PE2. The status of the peer relationship is Operational. Run the display mpls ldp
command to view the MPLS LDP configuration. The following is the display on PE1:
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 0000:15:29 3717/3717
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 or
PE2. You can see that the status of the peer relationship between PE1 and PE2 is
Operational. That is, the peer relationship is set up. The following is the display on PE1:
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 0000:15:29 3717/3717
3.3.3.3:0 Operational DU Passive 0000:00:00 2/2
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer 1.1.1.1
[PE2-vsi-a2-ldp] quit
[PE2-vsi-a2] quit
# Configure PE2.
[PE2] vcmp role silent
[PE2] interface gigabitethernet0/0/2
[PE2-GigabitEthernet0/0/2] port link-type hybrid
[PE2-GigabitEthernet0/0/2] quit
[PE2] interface gigabitethernet0/0/2.1
[PE2-GigabitEthernet0/0/2.1] dot1q termination vid 10
[PE2-GigabitEthernet0/0/2.1] l2 binding vsi a2
[PE2-GigabitEthernet0/0/2.1] quit
After the configuration is complete, run the display vsi name a2 verbose command on PE1.
You can see that the VSI a2 sets up a PW to PE2 and the VSI status is Up.
[PE1] display vsi name a2 verbose
***VSI Name : a2
Administrator VSI : no
Isolate Spoken : disable
VSI Index : 0
PW Signaling : ldp
Member Discovery Style : static
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
P2P VSI : disable
Create Time : 0 days, 0 hours, 5 minutes, 1 seconds
VSI State : up
VSI ID : 2
*Peer Router ID : 3.3.3.3
Negotiation-vc-id : 2
primary or secondary : primary
ignore-standby-state : no
VC Label : 23552
Peer Type : dynamic
Session : up
Tunnel ID : 0x22
Broadcast Tunnel ID : 0x22
Broad BackupTunnel ID : 0x0
CKey : 2
NKey : 1
Stp Enable : 0
PwIndex : 0
Control Word : disable
**PW Information:
Tunnel ID : 0x22
Broadcast Tunnel ID : 0x22
Broad BackupTunnel ID : 0x0
Ckey : 0x2
Nkey : 0x1
Main PW Token : 0x22
Slave PW Token : 0x0
Tnl Type : LSP
OutInterface : Vlanif20
Backup OutInterface :
Stp Enable : 0
PW Last Up Time : 2010/12/30 11:32:03
PW Total Up Time : 0 days, 0 hours, 0 minutes, 50 seconds
----End
Configuration Files
• CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
• PE1 configuration file
#
router id 1.1.1.1
#
vcmp role silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.3
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.3
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 4.4.4.4 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 10
l2 binding vsi a2
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 4.4.4.0 0.0.0.255
#
return
• P configuration file
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 4.4.4.5 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 5.5.5.4 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 4.4.4.0 0.0.0.255
network 5.5.5.0 0.0.0.255
#
return
• PE2 configuration file
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 5.5.5.5 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet0/0/2
port link-type hybrid
#
interface GigabitEthernet0/0/2.1
dot1q termination vid 10
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 5.5.5.0 0.0.0.255
#
return
Networking Requirements
On the network shown in Figure 8-12, VPLS is enabled on PE1 and PE2. CE1 connects to
PE1 through Switch1 and CE2 connects to PE2 through Switch2. CE1 and CE2 are on the
same VPLS network. PWs are established by using LDP as the VPLS signaling protocol, and
VPLS is configured to connect CE1 and CE2.
Selective QinQ needs to be configured on the interfaces connected to CEs so that the Switch
adds the VLAN tags specified by the carrier to the packets sent from CEs.
When the Switch is connected to multiple CEs, the Switch can add the same VLAN tag to the
packets from different CEs, thereby saving VLAN IDs on the public network.
Figure 8-12 Networking diagram for connecting QinQ termination sub-interfaces to a VPLS
network
[Figure: CE1 connects to PE1 through Switch1, and CE2 connects to PE2 through Switch2; PE1, P, and PE2 form the backbone. Loopback1 addresses: PE1 1.1.1.1/32, P 2.2.2.2/32, PE2 3.3.3.3/32.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol on the backbone network to implement interworking
between devices.
2. Configure selective QinQ on Switch interfaces connected to CEs.
3. Set up a remote LDP session between PEs.
4. Establish tunnels between PEs to transmit service data.
5. Enable MPLS L2VPN on the PEs.
6. Create a VSI on PEs and specify the signaling protocol as LDP.
7. Configure QinQ termination sub-interfaces on PE interfaces connected to the Switch so
that QinQ interfaces can connect to the VPLS network.
NOTE
Procedure
Step 1 Configure the VLAN to which each interface belongs according to Figure 8-12, and assign IP
addresses to VLANIF interfaces.
NOTE
• The AC-side and PW-side physical interfaces of a PE cannot be added to the same VLAN;
otherwise, a loop may occur.
• Ensure that each packet sent from a CE to the Switch carries one VLAN tag.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 0/0/1
[CE1-GigabitEthernet0/0/1] port link-type trunk
[CE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE1-GigabitEthernet0/0/1] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 0/0/1
[CE2-GigabitEthernet0/0/1] port link-type trunk
[CE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE2-GigabitEthernet0/0/1] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.1.1.2 24
[CE2-Vlanif10] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 0/0/2
[PE1-GigabitEthernet0/0/2] port link-type hybrid
[PE1-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[PE1-GigabitEthernet0/0/2] port hybrid tagged vlan 20
[PE1-GigabitEthernet0/0/2] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 4.4.4.4 24
[PE1-Vlanif20] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 0/0/1
[P-GigabitEthernet0/0/1] port link-type hybrid
[P-GigabitEthernet0/0/1] port hybrid pvid vlan 20
[P-GigabitEthernet0/0/1] port hybrid tagged vlan 20
[P-GigabitEthernet0/0/1] quit
[P] interface gigabitethernet 0/0/2
[P-GigabitEthernet0/0/2] port link-type hybrid
[P-GigabitEthernet0/0/2] port hybrid pvid vlan 30
[P-GigabitEthernet0/0/2] port hybrid tagged vlan 30
[P-GigabitEthernet0/0/2] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 4.4.4.5 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 5.5.5.4 24
[P-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] port link-type hybrid
[PE2-GigabitEthernet0/0/1] port hybrid pvid vlan 30
[PE2-GigabitEthernet0/0/1] port hybrid tagged vlan 30
[PE2-GigabitEthernet0/0/1] quit
Step 2 Configure selective QinQ on interfaces of the Switch and specify the VLANs allowed by the
interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 100
[Switch1-vlan100] quit
[Switch1] interface gigabitethernet0/0/2
[Switch1-GigabitEthernet0/0/2] port link-type hybrid
[Switch1-GigabitEthernet0/0/2] port hybrid tagged vlan 100
[Switch1-GigabitEthernet0/0/2] quit
[Switch1] interface gigabitethernet0/0/1
[Switch1-GigabitEthernet0/0/1] port link-type hybrid
[Switch1-GigabitEthernet0/0/1] qinq vlan-translation enable
[Switch1-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[Switch1-GigabitEthernet0/0/1] port vlan-stacking vlan 10 stack-vlan 100
[Switch1-GigabitEthernet0/0/1] quit
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan 100
[Switch2-vlan100] quit
[Switch2] interface gigabitethernet0/0/2
[Switch2-GigabitEthernet0/0/2] port link-type hybrid
[Switch2-GigabitEthernet0/0/2] port hybrid tagged vlan 100
[Switch2-GigabitEthernet0/0/2] quit
[Switch2] interface gigabitethernet0/0/1
[Switch2-GigabitEthernet0/0/1] port link-type hybrid
[Switch2-GigabitEthernet0/0/1] qinq vlan-translation enable
[Switch2-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[Switch2-GigabitEthernet0/0/1] port vlan-stacking vlan 10 stack-vlan 100
[Switch2-GigabitEthernet0/0/1] quit
# Configure P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 4.4.4.5 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 5.5.5.4 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, run the display ip routing-table command on PE1, P,
and PE2. You can view the routes that PE1, P, and PE2 have learned from each other. The
following is the display on PE1:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
After the configuration is complete, run the display mpls ldp session command on PE1, P,
and PE2. You can see that the peer relationships are set up between PE1 and P, and between P
and PE2. The status of the peer relationship is Operational. Run the display mpls ldp
command to view the MPLS LDP configuration. The following is the display on PE1:
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 0000:15:29 3717/3717
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
# Configure PE1.
[PE1] mpls ldp remote-peer 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] remote-ip 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 or
PE2. You can see that the status of the peer relationship between PE1 and PE2 is Operational.
That is, the peer relationship is set up. The following is the display on PE1:
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 0000:15:29 3717/3717
3.3.3.3:0 Operational DU Passive 0000:00:00 2/2
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer 1.1.1.1
[PE2-vsi-a2-ldp] quit
[PE2-vsi-a2] quit
# Configure PE2.
[PE2] vcmp role silent
[PE2] interface gigabitethernet0/0/2
[PE2-GigabitEthernet0/0/2] port link-type hybrid
[PE2-GigabitEthernet0/0/2] quit
[PE2] interface gigabitethernet0/0/2.1
[PE2-GigabitEthernet0/0/2.1] qinq termination pe-vid 100 ce-vid 10
[PE2-GigabitEthernet0/0/2.1] l2 binding vsi a2
[PE2-GigabitEthernet0/0/2.1] quit
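The tag handling configured above (port vlan-stacking vlan 10 stack-vlan 100 on the Switch, qinq termination pe-vid 100 ce-vid 10 on the PE) can be traced on a single frame. The following Python sketch is an added example, not Huawei code: it is a simplified model that assumes both tags use TPID 0x8100, and its function names and sample frame are constructed for illustration.

```python
import struct

TPID = 0x8100  # assumption: inner and outer tags both use TPID 0x8100


def build_frame(dst, src, vlan_ids, ethertype, payload):
    """Build an Ethernet frame with the given VLAN tags, outermost first."""
    frame = dst + src
    for vid in vlan_ids:
        if not 1 <= vid <= 4094:
            raise ValueError(f"invalid VLAN ID {vid}")
        frame += struct.pack("!HH", TPID, vid)  # PCP and DEI left at 0
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (VLAN IDs outermost first, EtherType, payload)."""
    offset, vids = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype != TPID:
            return vids, etype, frame[offset + 2:]
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4


def selective_qinq_ingress(frame, stacking):
    """Model 'port vlan-stacking vlan <inner> stack-vlan <outer>'.

    stacking maps an inner VLAN ID to the outer VLAN ID to push. Returns the
    double-tagged frame, or None when no rule matches (simplification: such a
    frame never enters the stack VLAN).
    """
    vids, _, _ = parse_tags(frame)
    if len(vids) != 1 or vids[0] not in stacking:
        return None
    outer = struct.pack("!HH", TPID, stacking[vids[0]])
    return frame[:12] + outer + frame[12:]


def qinq_termination_accepts(frame, pe_vid, ce_vid):
    """Model 'qinq termination pe-vid <outer> ce-vid <inner>' on a sub-interface."""
    vids, _, _ = parse_tags(frame)
    return vids == [pe_vid, ce_vid]


# Constructed sample: an ARP-sized payload from CE1, tagged with VLAN 10.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
CE_FRAME = build_frame(DST, SRC, [10], 0x0806, bytes(28))
SWITCH1_RULES = {10: 100}  # port vlan-stacking vlan 10 stack-vlan 100

if __name__ == "__main__":
    uplink = selective_qinq_ingress(CE_FRAME, SWITCH1_RULES)
    print("tags on Switch1 uplink:", parse_tags(uplink)[0])
    print("PE sub-interface accepts:", qinq_termination_accepts(uplink, 100, 10))
    untagged = build_frame(DST, SRC, [], 0x0806, bytes(28))
    print("untagged CE frame stacked:",
          selective_qinq_ingress(untagged, SWITCH1_RULES) is not None)
```

A CE frame that arrives untagged or with a VLAN other than 10 gets no outer tag 100 in this model, so it can never match the PE sub-interface; this is why each packet from a CE must carry one VLAN tag.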
***VSI Name : a2
Administrator VSI : no
Isolate Spoken : disable
VSI Index : 0
PW Signaling : ldp
Member Discovery Style : static
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
P2P VSI : disable
Create Time : 0 days, 0 hours, 5 minutes, 1 seconds
VSI State : up
VSI ID : 2
*Peer Router ID : 3.3.3.3
Negotiation-vc-id : 2
primary or secondary : primary
ignore-standby-state : no
VC Label : 23552
Peer Type : dynamic
Session : up
Tunnel ID : 0x22
Broadcast Tunnel ID : 0x22
Broad BackupTunnel ID : 0x0
CKey : 2
NKey : 1
Stp Enable : 0
PwIndex : 0
Control Word : disable
**PW Information:
----End
Configuration Files
• CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
• PE1 configuration file
#
router id 1.1.1.1
#
vcmp role silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.3
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.3
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 4.4.4.4 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
#
interface GigabitEthernet0/0/1.1
qinq termination pe-vid 100 ce-vid 10
l2 binding vsi a2
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 4.4.4.0 0.0.0.255
#
return
• P configuration file
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 4.4.4.5 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 5.5.5.4 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 4.4.4.0 0.0.0.255
network 5.5.5.0 0.0.0.255
#
return
• PE2 configuration file
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 5.5.5.5 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet0/0/2
port link-type hybrid
#
interface GigabitEthernet0/0/2.1
qinq termination pe-vid 100 ce-vid 10
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 5.5.5.0 0.0.0.255
#
return
Networking Requirements
On the network shown in Figure 8-13, CE1 and CE3 belong to VPN-A, and CE2 and CE4
belong to VPN-B. The VPN targets of VPN-A and VPN-B are 111:1 and 222:2 respectively.
Users in different VPNs cannot communicate with each other.
[Figure 8-13 networking diagram: CE1 and CE3 attach to PE1 and PE2 above the backbone; CE2 (VPN-B, AS 65420) and CE4 (VPN-B, AS 65440) attach below it. PE1 (Loopback1 1.1.1.1/32), P (Loopback1 2.2.2.2/32), and PE2 (Loopback1 3.3.3.3/32) form the MPLS backbone in AS 100.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure VPN instances on PEs connected to CEs on the backbone network, bind
interfaces connected to CEs to VPN instances, and assign IP addresses to interfaces
connected to CEs.
2. Configure OSPF on PEs to implement interworking between PEs.
3. Configure basic MPLS functions and MPLS LDP, and set up MPLS LSPs.
4. Configure the Multi-protocol Extensions for Interior Border Gateway Protocol (MP-IBGP)
on PEs to exchange VPN routing information.
5. Configure EBGP on CEs and PEs to exchange VPN routing information.
6. Configure Dot1q sub-interfaces on PE interfaces connected to CEs to connect the Dot1q
sub-interfaces to the L3VPN.
NOTE
Procedure
Step 1 Configure an IGP, for example, OSPF, on the MPLS backbone network so that PEs and the P
can communicate with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] vlan batch 30 60
[P] interface gigabitethernet 0/0/1
[P-GigabitEthernet0/0/1] port link-type hybrid
[P-GigabitEthernet0/0/1] port hybrid pvid vlan 30
[P-GigabitEthernet0/0/1] port hybrid untagged vlan 30
[P-GigabitEthernet0/0/1] quit
[P] interface gigabitethernet 0/0/2
[P-GigabitEthernet0/0/2] port link-type hybrid
[P-GigabitEthernet0/0/2] port hybrid pvid vlan 60
[P-GigabitEthernet0/0/2] port hybrid untagged vlan 60
[P-GigabitEthernet0/0/2] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 7.7.7.8 24
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] ip address 6.6.6.6 24
[P-Vlanif60] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 7.7.7.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 6.6.6.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] vlan batch 60
[PE2] interface gigabitethernet 0/0/3
[PE2-GigabitEthernet0/0/3] port link-type hybrid
[PE2-GigabitEthernet0/0/3] port hybrid pvid vlan 60
[PE2-GigabitEthernet0/0/3] port hybrid untagged vlan 60
[PE2-GigabitEthernet0/0/3] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] ip address 6.6.6.7 24
[PE2-Vlanif60] quit
[PE2] ospf
[PE2-ospf-1] area 0
After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command. You can see that the OSPF neighbor
relationship status is Full. Run the display ip routing-table command. You can see that the
PEs learn each other's routes to the Loopback1 interface.
The following is the display on PE1:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Step 2 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] mpls
[P-Vlanif60] mpls ldp
[P-Vlanif60] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] mpls
[PE2-Vlanif60] mpls ldp
[PE2-Vlanif60] quit
After the configuration is complete, LDP sessions can be set up between PE1 and the P, and
between the P and PE2. Run the display mpls ldp session command. You can see that the
Status field is Operational. Run the display mpls ldp lsp command to view the MPLS LDP
configuration.
The following is the display on PE1:
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 0000:15:29 3717/3717
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
[PE1] display mpls ldp lsp
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] vcmp role silent
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] port link-type hybrid
[PE1-GigabitEthernet0/0/1] quit
[PE1] interface gigabitethernet 0/0/1.1
[PE1-GigabitEthernet0/0/1.1] dot1q termination vid 10
[PE1-GigabitEthernet0/0/1.1] ip binding vpn-instance vpna
[PE1-GigabitEthernet0/0/1.1] ip address 10.1.1.2 24
[PE1-GigabitEthernet0/0/1.1] arp broadcast enable
[PE1-GigabitEthernet0/0/1.1] quit
[PE1] interface gigabitethernet 0/0/2
[PE1-GigabitEthernet0/0/2] port link-type hybrid
[PE1-GigabitEthernet0/0/2] quit
[PE1] interface gigabitethernet 0/0/2.1
[PE1-GigabitEthernet0/0/2.1] dot1q termination vid 20
[PE1-GigabitEthernet0/0/2.1] ip binding vpn-instance vpnb
[PE1-GigabitEthernet0/0/2.1] ip address 10.2.1.2 24
[PE1-GigabitEthernet0/0/2.1] arp broadcast enable
[PE1-GigabitEthernet0/0/2.1] quit
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] vcmp role silent
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] port link-type hybrid
[PE2-GigabitEthernet0/0/1] quit
[PE2] interface gigabitethernet 0/0/1.1
[PE2-GigabitEthernet0/0/1.1] dot1q termination vid 10
[PE2-GigabitEthernet0/0/1.1] ip binding vpn-instance vpna
[PE2-GigabitEthernet0/0/1.1] ip address 10.3.1.2 24
[PE2-GigabitEthernet0/0/1.1] arp broadcast enable
[PE2-GigabitEthernet0/0/1.1] quit
[PE2] interface gigabitethernet 0/0/2
[PE2-GigabitEthernet0/0/2] port link-type hybrid
[PE2-GigabitEthernet0/0/2] quit
[PE2] interface gigabitethernet 0/0/2.1
[PE2-GigabitEthernet0/0/2.1] dot1q termination vid 20
[PE2-GigabitEthernet0/0/2.1] ip binding vpn-instance vpnb
[PE2-GigabitEthernet0/0/2.1] ip address 10.4.1.2 24
[PE2-GigabitEthernet0/0/2.1] arp broadcast enable
[PE2-GigabitEthernet0/0/2.1] quit
After the configuration is complete, run the display ip vpn-instance verbose command on
PEs to view the configurations of VPN instances. Each PE can successfully ping its connected
CE.
NOTE
If multiple interfaces of a PE are bound to the same VPN instance, run the ping -vpn-instance
vpn-instance-name -a source-ip-address dest-ip-address command with -a source-ip-address specified to
ping the CE connected to the remote PE. Otherwise, the ping operation may fail.
Step 4 Set up EBGP peer relationships between PEs and CEs and configure CEs to import VPN
routes.
# Configure CE1. The configurations of CE2, CE3, and CE4 are the same as the configuration
of CE1, and are not mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
# Configure PE1. The configuration of PE2 is the same as the configuration of PE1, and is not
mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command
on PEs. You can see that BGP peer relationships between PEs and CEs have been established
and are in the Established state.
The following is the peer relationship between PE1 and CE1:
[PE1] display bgp vpnv4 vpn-instance vpna peer
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.1 as-number 100
[PE2-bgp] peer 1.1.1.1 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer
command on PEs. You can see that the BGP peer relationships have been established between
the PEs.
[PE1] display bgp peer
CEs in the same VPN can successfully ping each other but CEs in different VPNs cannot.
For example, CE1 can successfully ping CE3 at 10.3.1.1 but cannot ping CE4 at 10.4.1.1.
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
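The isolation seen in the ping test comes from the vpn-target values: a VPN instance installs only routes whose export target matches one of its import targets. The following Python check is an added example, not part of the Huawei guide: it parses the vpn-instance sections of the PE configuration files (embedded copies constructed from this page, plus one deliberately misconfigured variant) and reports any instance that imports a target exported by a different VPN. The function names and the INTENDED_VPN mapping are assumptions.

```python
# Constructed from the vpn-instance sections of the PE1 and PE2 configuration files.
PE1_CONFIG = """\
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
"""
PE2_CONFIG = """\
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 200:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 200:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
"""
# Constructed misconfiguration: vpnb on PE2 also imports the VPN-A target.
PE2_LEAKY = PE2_CONFIG.replace(
    "vpn-target 222:2 import-extcommunity",
    "vpn-target 222:2 111:1 import-extcommunity",
)

INTENDED_VPN = {"vpna": "VPN-A", "vpnb": "VPN-B"}  # assumption: instance -> customer VPN
DIRECTIONS = {
    "export-extcommunity": ("export",),
    "import-extcommunity": ("import",),
    "both": ("import", "export"),
}


def parse_vpn_instances(device, config_text):
    """Return {(device, instance): {"rd", "import", "export"}} from a saved config."""
    instances, current = {}, None
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "#":
            current = None  # '#' closes the current configuration section
            continue
        if tokens[:2] == ["ip", "vpn-instance"] and len(tokens) == 3:
            current = instances.setdefault(
                (device, tokens[2]), {"rd": None, "import": set(), "export": set()}
            )
        elif current is None:
            continue
        elif tokens[0] == "route-distinguisher" and len(tokens) == 2:
            current["rd"] = tokens[1]
        elif tokens[0] == "vpn-target" and tokens[-1] in DIRECTIONS:
            for side in DIRECTIONS[tokens[-1]]:
                current[side].update(tokens[1:-1])
    return instances


def cross_vpn_imports(instances, intended):
    """List (exporter, importer, shared targets) pairs that cross VPN boundaries."""
    leaks = []
    for exp_key, exp in instances.items():
        for imp_key, imp in instances.items():
            shared = exp["export"] & imp["import"]
            if shared and intended[exp_key[1]] != intended[imp_key[1]]:
                leaks.append((exp_key, imp_key, sorted(shared)))
    return leaks


def audit(configs, intended=INTENDED_VPN):
    """configs maps a device name to its configuration text."""
    instances = {}
    for device, text in configs.items():
        instances.update(parse_vpn_instances(device, text))
    return cross_vpn_imports(instances, intended)


if __name__ == "__main__":
    print("as configured:", audit({"PE1": PE1_CONFIG, "PE2": PE2_CONFIG}))
    for exporter, importer, targets in audit({"PE1": PE1_CONFIG, "PE2": PE2_LEAKY}):
        print("leak:", importer, "imports", targets, "exported by", exporter)
```

In the misconfigured variant, vpnb on PE2 learns VPN-A routes while VPN-A learns nothing about VPN-B, so a ping from CE1 to CE4 still times out; the leak shows up only in the configuration or the VPN routing table.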
----End
Configuration Files
• PE1 configuration file
#
sysname PE1
#
router id 1.1.1.1
#
vcmp role silent
#
vlan batch 30
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif30
ip address 7.7.7.7 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/2
port link-type hybrid
#
interface GigabitEthernet0/0/2.1
dot1q termination vid 20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface LoopBack1
#
return
• PE2 configuration file
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role silent
#
vlan batch 60
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif60
ip address 6.6.6.7 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 10
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/2
port link-type hybrid
#
interface GigabitEthernet0/0/2.1
dot1q termination vid 20
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.3.1.1 as-number 65430
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.4.1.1 as-number 65440
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 6.6.6.0 0.0.0.255
#
return
• CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid tagged vlan 10
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
• CE2 configuration file
#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
• CE3 configuration file
#
sysname CE3
#
vlan batch 10
#
interface Vlanif10
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid tagged vlan 10
#
bgp 65430
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.3.1.2 enable
#
return
[Figure: networking diagram. CE1 (VPN-A, AS: 65410) and CE2 (VPN-B, AS: 65420) on one side,
CE3 (VPN-A, AS: 65430) and CE4 (VPN-B, AS: 65440) on the other, connected through GE0/0/1
interfaces.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure VPN instances on PEs connected to CEs on the backbone network, bind
interfaces connected to CEs to VPN instances, and assign IP addresses to interfaces
connected to CEs.
2. Configure OSPF on PEs to implement interworking between PEs.
3. Configure basic MPLS functions and MPLS LDP, and set up MPLS LSPs.
4. Configure the Multi-protocol Extensions for Interior Border Gateway Protocol (MP-
IBGP) on PEs to exchange VPN routing information.
5. Configure EBGP on CEs and PEs to exchange VPN routing information.
6. Configure QinQ termination sub-interfaces on PE interfaces connected to the Switch, so
that the QinQ termination sub-interfaces can connect to the L3VPN.
7. Configure selective QinQ on Switch interfaces connected to CEs.
Procedure
Step 1 Configure selective QinQ on interfaces of the Switch and specify the VLANs allowed by the
interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 100
[Switch1-vlan100] quit
[Switch1] interface GigabitEthernet 0/0/2
[Switch1-GigabitEthernet0/0/2] port link-type hybrid
[Switch1-GigabitEthernet0/0/2] port hybrid tagged vlan 100
[Switch1-GigabitEthernet0/0/2] quit
[Switch1] interface GigabitEthernet 0/0/1
[Switch1-GigabitEthernet0/0/1] port link-type hybrid
[Switch1-GigabitEthernet0/0/1] qinq vlan-translation enable
[Switch1-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[Switch1-GigabitEthernet0/0/1] port vlan-stacking vlan 10 stack-vlan 100
[Switch1-GigabitEthernet0/0/1] quit
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan 200
[Switch2-vlan200] quit
[Switch2] interface GigabitEthernet 0/0/2
[Switch2-GigabitEthernet0/0/2] port link-type hybrid
[Switch2-GigabitEthernet0/0/2] port hybrid tagged vlan 200
[Switch2-GigabitEthernet0/0/2] quit
[Switch2] interface GigabitEthernet 0/0/1
[Switch2-GigabitEthernet0/0/1] port link-type hybrid
[Switch2-GigabitEthernet0/0/1] qinq vlan-translation enable
[Switch2-GigabitEthernet0/0/1] port hybrid untagged vlan 200
[Switch2-GigabitEthernet0/0/1] port vlan-stacking vlan 20 stack-vlan 200
[Switch2-GigabitEthernet0/0/1] quit
# Configure Switch3.
<HUAWEI> system-view
[HUAWEI] sysname Switch3
[Switch3] vlan 100
[Switch3-vlan100] quit
[Switch3] interface GigabitEthernet 0/0/2
[Switch3-GigabitEthernet0/0/2] port link-type hybrid
[Switch3-GigabitEthernet0/0/2] port hybrid tagged vlan 100
[Switch3-GigabitEthernet0/0/2] quit
[Switch3] interface GigabitEthernet 0/0/1
[Switch3-GigabitEthernet0/0/1] port link-type hybrid
[Switch3-GigabitEthernet0/0/1] qinq vlan-translation enable
[Switch3-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[Switch3-GigabitEthernet0/0/1] port vlan-stacking vlan 10 stack-vlan 100
[Switch3-GigabitEthernet0/0/1] quit
# Configure Switch4.
<HUAWEI> system-view
[HUAWEI] sysname Switch4
[Switch4] vlan 200
[Switch4-vlan200] quit
[Switch4] interface GigabitEthernet 0/0/2
[Switch4-GigabitEthernet0/0/2] port link-type hybrid
[Switch4-GigabitEthernet0/0/2] port hybrid tagged vlan 200
[Switch4-GigabitEthernet0/0/2] quit
[Switch4] interface GigabitEthernet 0/0/1
[Switch4-GigabitEthernet0/0/1] port link-type hybrid
[Switch4-GigabitEthernet0/0/1] qinq vlan-translation enable
[Switch4-GigabitEthernet0/0/1] port hybrid untagged vlan 200
[Switch4-GigabitEthernet0/0/1] port vlan-stacking vlan 20 stack-vlan 200
[Switch4-GigabitEthernet0/0/1] quit
Step 2 Configure an IGP, for example, OSPF, on the MPLS backbone network so that PEs and the P
can communicate with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] vlan batch 30
[PE1] interface gigabitethernet 0/0/3
[PE1-GigabitEthernet0/0/3] port link-type hybrid
[PE1-GigabitEthernet0/0/3] port hybrid pvid vlan 30
[PE1-GigabitEthernet0/0/3] port hybrid untagged vlan 30
[PE1-GigabitEthernet0/0/3] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 7.7.7.7 24
[PE1-Vlanif30] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 7.7.7.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] vlan batch 30 60
[P] interface gigabitethernet 0/0/1
[P-GigabitEthernet0/0/1] port link-type hybrid
[P-GigabitEthernet0/0/1] port hybrid pvid vlan 30
[P-GigabitEthernet0/0/1] port hybrid untagged vlan 30
[P-GigabitEthernet0/0/1] quit
[P] interface gigabitethernet 0/0/2
[P-GigabitEthernet0/0/2] port link-type hybrid
[P-GigabitEthernet0/0/2] port hybrid pvid vlan 60
[P-GigabitEthernet0/0/2] port hybrid untagged vlan 60
[P-GigabitEthernet0/0/2] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 7.7.7.8 24
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] ip address 6.6.6.6 24
[P-Vlanif60] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 7.7.7.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 6.6.6.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] vlan batch 60
[PE2] interface gigabitethernet 0/0/3
[PE2-GigabitEthernet0/0/3] port link-type hybrid
[PE2-GigabitEthernet0/0/3] port hybrid pvid vlan 60
[PE2-GigabitEthernet0/0/3] port hybrid untagged vlan 60
[PE2-GigabitEthernet0/0/3] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] ip address 6.6.6.7 24
[PE2-Vlanif60] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 6.6.6.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command. You can see that the OSPF neighbor
relationship status is Full. Run the display ip routing-table command. You can see that the
PEs learn each other's routes to the Loopback1 interface.
The following is the display on PE1:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Step 3 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] mpls
[P-Vlanif60] mpls ldp
[P-Vlanif60] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] mpls
[PE2-Vlanif60] mpls ldp
[PE2-Vlanif60] quit
After the configuration is complete, LDP sessions can be set up between PE1 and the P, and
between the P and PE2. Run the display mpls ldp session command. You can see that the
Status field is Operational. Run the display mpls ldp lsp command to view the MPLS LDP
configuration.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] vcmp role silent
[PE1] interface GigabitEthernet 0/0/1
[PE1-GigabitEthernet0/0/1] port link-type hybrid
[PE1-GigabitEthernet0/0/1] quit
[PE1] interface GigabitEthernet 0/0/1.1
[PE1-GigabitEthernet0/0/1.1] qinq termination pe-vid 100 ce-vid 10
[PE1-GigabitEthernet0/0/1.1] ip binding vpn-instance vpna
[PE1-GigabitEthernet0/0/1.1] ip address 10.1.1.2 24
[PE1-GigabitEthernet0/0/1.1] arp broadcast enable
[PE1-GigabitEthernet0/0/1.1] quit
[PE1] interface GigabitEthernet 0/0/2
[PE1-GigabitEthernet0/0/2] port link-type hybrid
[PE1-GigabitEthernet0/0/2] quit
[PE1] interface GigabitEthernet 0/0/2.1
[PE1-GigabitEthernet0/0/2.1] qinq termination pe-vid 200 ce-vid 20
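[PE1-GigabitEthernet0/0/2.1] ip binding vpn-instance vpnb
[PE1-GigabitEthernet0/0/2.1] ip address 10.2.1.2 24
[PE1-GigabitEthernet0/0/2.1] arp broadcast enable
[PE1-GigabitEthernet0/0/2.1] quit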
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] vcmp role silent
[PE2] interface GigabitEthernet 0/0/1
[PE2-GigabitEthernet0/0/1] port link-type hybrid
[PE2-GigabitEthernet0/0/1] quit
[PE2] interface GigabitEthernet 0/0/1.1
[PE2-GigabitEthernet0/0/1.1] qinq termination pe-vid 100 ce-vid 10
[PE2-GigabitEthernet0/0/1.1] ip binding vpn-instance vpna
[PE2-GigabitEthernet0/0/1.1] ip address 10.3.1.2 24
[PE2-GigabitEthernet0/0/1.1] arp broadcast enable
[PE2-GigabitEthernet0/0/1.1] quit
[PE2] interface GigabitEthernet 0/0/2
[PE2-GigabitEthernet0/0/2] port link-type hybrid
[PE2-GigabitEthernet0/0/2] quit
[PE2] interface GigabitEthernet 0/0/2.1
[PE2-GigabitEthernet0/0/2.1] qinq termination pe-vid 200 ce-vid 20
[PE2-GigabitEthernet0/0/2.1] ip binding vpn-instance vpnb
[PE2-GigabitEthernet0/0/2.1] ip address 10.4.1.2 24
[PE2-GigabitEthernet0/0/2.1] arp broadcast enable
[PE2-GigabitEthernet0/0/2.1] quit
After the configuration is complete, run the display ip vpn-instance verbose command on
PEs to check the VPN instance configuration. Each PE can successfully ping its connected
CE.
NOTE
If multiple interfaces of a PE are bound to the same VPN instance, run the ping -vpn-instance vpn-
instance-name -a source-ip-address dest-ip-address command with -a source-ip-address specified to
ping the CE connected to the remote PE. Otherwise, the ping operation may fail.
Interfaces : Gigabitethernet0/0/1.1
Address family ipv4
Create date : 2013-08-28 21:01:00+00:00
Up time : 0 days, 22 hours, 24 minutes and 53 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label Policy : label per instance
Per-Instance Label : 4098
Log Interval : 5
Step 5 Set up EBGP peer relationships between PEs and CEs and configure CEs to import VPN
routes.
# Configure CE1. The configurations of CE2, CE3, and CE4 are the same as the configuration
of CE1, and are not mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
# Configure PE1. The configuration of PE2 is the same as the configuration of PE1, and is not
mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit
After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command
on PEs. You can see that BGP peer relationships between PEs and CEs have been established
and are in the Established state.
The following is the peer relationship between PE1 and CE1:
[PE1] display bgp vpnv4 vpn-instance vpna peer
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.3 as-number 100
[PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.1 as-number 100
[PE2-bgp] peer 1.1.1.1 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
After the configuration is complete, run the display bgp peer or display bgp vpnv4 all peer
command on PEs. You can see that the BGP peer relationships have been established between
the PEs.
[PE1] display bgp peer
Run the display ip routing-table vpn-instance command on a PE. You can view the routes to
the remote CE.
The following is the display on PE1:
[PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 3 Routes : 3
CEs in the same VPN can successfully ping each other but CEs in different VPNs cannot.
For example, CE1 can successfully ping CE3 at 10.3.1.1 but cannot ping CE4 at 10.4.1.1.
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.4.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
----End
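The isolation seen in the two pings comes from the vpn-target values: a VPN instance only installs routes whose export target matches one of its import targets. The following is an added example (not part of the original guide) that audits PE configuration text for this; the function names are hypothetical, and it assumes that the same instance name on different PEs denotes the same customer VPN, as on this page.

```python
import re

DIRECTIONS = ("export-extcommunity", "import-extcommunity", "both")

# Constructed sample: the vpn-instance sections of the PE configuration files
# on this page; only the route distinguisher prefix differs between the PEs.
PE_TEMPLATE = """\
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher {rd}:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher {rd}:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
interface GigabitEthernet0/0/1.1
 qinq termination pe-vid 100 ce-vid 10
 ip binding vpn-instance vpna
#
return
"""
PAGE_CONFIGS = {"PE1": PE_TEMPLATE.format(rd=100), "PE2": PE_TEMPLATE.format(rd=200)}

# Constructed misconfiguration (not from the page): vpnb on PE2 also imports 111:1.
LEAKY_CONFIGS = dict(PAGE_CONFIGS, PE2=PAGE_CONFIGS["PE2"].replace(
    "vpn-target 222:2 import-extcommunity",
    "vpn-target 222:2 111:1 import-extcommunity"))


def parse_vpn_instances(config_text):
    """Return {instance: {"rd", "import", "export"}} from one device's config."""
    instances, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in ("", "#"):           # "#" closes the current config section
            current = None
            continue
        match = re.match(r"ip vpn-instance (\S+)$", line)
        if match:
            current = instances.setdefault(
                match.group(1), {"rd": None, "import": set(), "export": set()})
        elif current is None:
            continue                    # line belongs to some other section
        elif line.startswith("route-distinguisher "):
            current["rd"] = line.split()[1]
        elif line.startswith("vpn-target "):
            tokens = line.split()[1:]
            # A line may list several targets; no keyword means both directions.
            direction = tokens.pop() if tokens[-1] in DIRECTIONS else "both"
            if direction in ("export-extcommunity", "both"):
                current["export"].update(tokens)
            if direction in ("import-extcommunity", "both"):
                current["import"].update(tokens)
    return instances


def route_flows(pe_configs):
    """List ((pe, vrf), (pe, vrf)) pairs where the first exports into the second."""
    vrfs = [((pe, name), inst)
            for pe, text in pe_configs.items()
            for name, inst in parse_vpn_instances(text).items()]
    return sorted((src, dst) for src, s in vrfs for dst, d in vrfs
                  if src != dst and s["export"] & d["import"])


def cross_vpn_flows(pe_configs):
    """Flows between differently named instances, i.e. broken tenant isolation."""
    return [(src, dst) for src, dst in route_flows(pe_configs) if src[1] != dst[1]]


if __name__ == "__main__":
    for label, configs in (("page", PAGE_CONFIGS), ("leaky", LEAKY_CONFIGS)):
        print(label, cross_vpn_flows(configs) or "no cross-VPN route flows")
```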
Configuration Files
• PE1 configuration file
#
sysname PE1
#
router id 1.1.1.1
#
vcmp role silent
#
vlan batch 30
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif30
ip address 7.7.7.7 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
#
interface GigabitEthernet0/0/1.1
qinq termination pe-vid 100 ce-vid 10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/2
port link-type hybrid
#
interface GigabitEthernet0/0/2.1
qinq termination pe-vid 200 ce-vid 20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
import-route direct
#
ipv4-family vpn-instance vpnb
peer 10.2.1.1 as-number 65420
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 7.7.7.0 0.0.0.255
#
return
• P configuration file
#
sysname P
#
router id 2.2.2.2
#
vlan batch 30 60
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif30
ip address 7.7.7.8 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 6.6.6.6 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 7.7.7.0 0.0.0.255
network 6.6.6.0 0.0.0.255
#
return
• PE2 configuration file
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role silent
#
vlan batch 60
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif60
ip address 6.6.6.7 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
#
interface GigabitEthernet0/0/1.1
qinq termination pe-vid 100 ce-vid 10
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/2
port link-type hybrid
#
interface GigabitEthernet0/0/2.1
qinq termination pe-vid 200 ce-vid 20
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpna
peer 10.3.1.1 as-number 65430
import-route direct
#
ipv4-family vpn-instance vpnb
peer 10.4.1.1 as-number 65440
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
import-route direct
peer 10.3.1.2 enable
#
return
This chapter describes how to configure voice VLAN. A voice VLAN changes the priority of
voice data packets to improve voice data transmission quality.
Purpose
Data, voice, and video services are often transmitted simultaneously over a network. Voice
services, in particular, require a higher forwarding priority than data or video services. When
bandwidth is limited, voice data must have transmission preference over other types of data.
This can be ensured by configuring a voice VLAN on the switch to transmit voice data and
setting QoS parameters in the voice VLAN so that voice data is given preference when
congestion occurs.
[Figure: networking diagram with a PC, an IP phone, the switch, and the network]
Figure 9-2 shows another connection mode, in which only an IP phone connects to a switch
interface.
[Figure: networking diagram with an IP phone, the switch, and the network]
Some IP phones (for example, Cisco 7962) send tagged voice packets and some IP phones
(for example, Huawei MC850) send untagged voice packets. The following sections describe
how the MAC address-based voice VLAN and VLAN ID-based voice VLAN transmit tagged
and untagged voice packets.
The switch identifies data packets as voice data when the source MAC address matches
the organizationally unique identifier (OUI). The OUI must be preconfigured and is used
in scenarios where IP phones send untagged voice packets.
• Source VLAN tags of the received packets
The switch identifies data packets as voice data when the VLAN ID matches the
configured VLAN ID. This simplifies configurations when many IP phones connect to
the switch. IP phones must be able to obtain voice VLAN information from the switch to
use this mode.
The switch can identify voice data flows based on MAC addresses and VLAN IDs regardless
of whether the packets carry VLAN tags. However, OUIs must be configured in order for the
switch to differentiate untagged voice packets from data packets. If the voice packets are
tagged, configuring VLAN ID-based voice VLAN simplifies configuration when many IP
phones connect to the switch.
[Figure: networking diagram with a PC, an IP phone, the switch, and the network]
data as voice data and increases the priority. The switch adds the VLAN tag of the PVID to
untagged packets from the PC. When VLAN ID-based voice VLAN is configured, the IP
phone must be able to obtain voice VLAN information from the switch.
LLDP is one of several methods by which an IP phone can obtain voice VLAN information
from a switch.
[Figure 9-4: a PC, an IP phone, the switch, and the network. Labeled steps: 1 Send an LLDPDU;
2 Encapsulate the voice VLAN ID in the LLDPDU; 3 Send the tagged voice packet to the switch;
4 High-priority voice packet.]
Figure 9-4 shows a PC and an IP phone connecting to a switch. The IP phone obtains voice
VLAN information from the switch through LLDP as follows:
1. After the IP phone goes online, it sends an LLDPDU to the switch.
2. After receiving the LLDPDU, the switch encapsulates voice VLAN information in the
LLDPDU and sends it to the IP phone.
3. After receiving the LLDPDU, the IP phone sends tagged voice packets.
4. The switch receives tagged voice packets. If the tag matches the voice VLAN ID on the
switch, the switch increases the priority of the packets and forwards them.
When receiving untagged packets, the switch still sends them in the VLAN specified by the
PVID. When congestion occurs, the switch preferentially sends voice packets.
[Figure: networking diagram with IP Phone A, IP Phone B, IP Phone C, PC A, and PC C]
Configure a voice VLAN based on the type of voice packets sent by IP phones:
• Configure MAC address-based voice VLAN when voice packets are untagged or tagged
with VLAN 0.
• Configure VLAN ID-based voice VLAN when IP phones can obtain voice VLAN
information on the switch.
Licensing Requirements
Voice VLAN configuration commands are available only after the S1720GW, S1720GWR,
and S1720X have the license (WEB management to full management Electronic RTU
License) loaded and activated and the switches are restarted. Voice VLAN configuration
commands on other models are not under license control.
For details about how to apply for a license, see S Series Switch License Use Guide.
Version Requirements
S2710SI V100R006(C03&C05)
S5710-C-LI V200R001C00
S5730SI V200R011C10
S5730S-EI V200R011C10
NOTE
For details about software mappings, see Hardware Query Tool.
Feature Limitations
• VLAN 1 cannot be configured as a voice VLAN.
• To transmit different services, ensure that the voice VLAN and default VLAN on an
interface are different VLANs.
• Only one VLAN on an interface can be configured as a voice VLAN at a time.
• After a voice VLAN is configured on an interface, VLAN mapping, VLAN stacking, or
traffic policies cannot be configured on the interface.
• Do not set the VLAN ID to 0 on an IP phone.
• The S5720HI does not support the automatic mode.
• In auto mode, access, negotiation-auto, or negotiation-desirable interfaces cannot be
added to a voice VLAN. To add the interface to the voice VLAN, run the port link-type
command to change the link type of the interface to trunk or hybrid.
• When an IP phone is connected to a switch through the OUI-based voice VLAN, disable
LLDP on the interface. If LLDP is enabled on the interface, the switch will allocate a
voice VLAN ID to the IP phone. The IP phone sends tagged packets to the switch,
whereas the switch sends untagged packets to the IP phone. As a result, the IP phone
cannot go online.
• In V200R003 and later versions, the automatic mode takes effect only when the
voice-vlan remark-mode mac-address command is configured to increase the priority of
voice packets based on MAC addresses and the voice-vlan enable command without
include-untagged specified is configured to enable voice VLAN on the interface.
• When the remark (user group view) and voice-vlan remark commands are used
together to modify the user packet priority, if the services conflict:
– For S5720HI, the priority configured using the remark (user group view)
command takes effect.
– For S5720EI, S6720EI, and S6720S-EI, the priority configured using the
voice-vlan remark command takes effect.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run voice-vlan remark-mode mac-address
The switch is configured to increase the priority of voice packets based on MAC addresses.
By default, the priority of voice packets is increased based on VLAN IDs.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run voice-vlan mac-address mac-address mask oui-mask [ description text ]
An OUI is configured for a voice VLAN.
By default, no OUI address is set.
When configuring an OUI for a voice VLAN, note the following:
• The MAC address cannot be all 0s, a multicast address, or a broadcast address.
• The S5720HI, S5720EI, S6720EI, and S6720S-EI support a maximum of 100 OUIs.
When the switch is configured with 100 OUIs, subsequent configurations will not take
effect. Other models support a maximum of 16 OUIs. When the switch is configured
with 16 OUIs, subsequent configurations will not take effect.
• When you run the undo voice-vlan mac-address mac-address command to delete an
OUI, set mac-address to the result of the logical AND operation between the OUI and
the OUI mask that you set.
----End
Context
Based on MAC addresses, an interface can be added to a voice VLAN in auto or manual
mode. You can configure a mode in which an interface is added to a voice VLAN according
to data flows on the interface.
• Auto
The system adds the interface connected to a voice device to the voice VLAN if the
source MAC address of packets sent from the voice device matches the OUI.
• Manual
In manual mode, the interface connected to a voice device must be added to the voice
VLAN manually after the voice VLAN function is enabled on the interface. Otherwise,
the voice VLAN does not take effect on the interface.
Procedure
Step 1 Run system-view
Step 5 (Optional) Add an interface to a voice VLAN in manual mode according to 5.7.1
Configuring Interface-based VLAN Assignment (Statically Configured Interface Type).
----End
• Secure
– The inbound interface enabled with the voice VLAN function allows only the voice packets
in which the source MAC address matches the OUI address of the voice VLAN, and discards
non-voice packets from the voice VLAN and forwards packets from other VLANs.
– If the source MAC address does not match the OUI, the interface does not change the
priority of voice packets and prevents the voice packets from being forwarded in the voice
VLAN.
– If the source MAC address matches the OUI, the interface changes the priority of voice
packets and allows the voice packets to be forwarded in the voice VLAN.
– The secure mode takes effect only when the voice-vlan remark-mode mac-address command
is configured to increase the priority of voice packets based on MAC addresses.
• Normal
– The inbound interface enabled with the voice VLAN function transmits both voice packets
and non-voice packets. In normal mode, the interface is vulnerable to attacks from malicious
data traffic.
– If the source MAC address does not match the OUI, the interface does not change the
priority of voice packets and allows the voice packets to be forwarded in the voice VLAN.
– If the source MAC address matches the OUI, the interface changes the priority of voice
packets and allows the voice packets to be forwarded in the voice VLAN.
– Transmitting voice and service data at the same time in a voice VLAN is not recommended.
If a voice VLAN must transmit both voice and service data, ensure that the voice VLAN works
in normal mode.
Procedure
• Configuring the secure mode
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run voice-vlan security enable
The voice VLAN is configured to work in secure mode.
By default, a voice VLAN works in normal mode.
• Configuring the normal mode
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run undo voice-vlan security enable
The voice VLAN is configured to work in normal mode.
By default, a voice VLAN works in normal mode.
----End
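The OUI rules (mask matching, the AND result used with undo voice-vlan mac-address, and the address restrictions) and the secure/normal mode behavior can be checked together in a small model. This is an added example, not code from the guide; the function names are hypothetical, the MAC addresses are the ones shown on this page, and it assumes packets are already classified into a VLAN and that packets in other VLANs pass without a priority change.

```python
def parse_mac(text):
    """Convert xxxx-xxxx-xxxx (or colon/dot notation) to a 48-bit integer."""
    digits = text.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return int(digits, 16)


def format_mac(value):
    """Render a 48-bit integer in the xxxx-xxxx-xxxx form used by the switch."""
    digits = "%012x" % value
    return "-".join((digits[0:4], digits[4:8], digits[8:12]))


def normalize_oui(mac, mask):
    """AND the address with the mask: the value to pass when deleting the OUI."""
    return format_mac(parse_mac(mac) & parse_mac(mask))


def is_valid_oui_address(mac):
    """Reject all 0s, broadcast, and multicast (group bit of the first octet)."""
    value = parse_mac(mac)
    if value in (0, 0xFFFFFFFFFFFF):
        return False
    return ((value >> 40) & 1) == 0


def matches_oui(src_mac, oui_table):
    """True if the source MAC equals any configured OUI under that OUI's mask."""
    src = parse_mac(src_mac)
    return any((src & parse_mac(mask)) == (parse_mac(oui) & parse_mac(mask))
               for oui, mask in oui_table)


def handle_packet(src_mac, vlan, voice_vlan, oui_table, secure):
    """Return (forwarded, priority_changed) following the mode table above."""
    if vlan != voice_vlan:
        return (True, False)            # other VLANs are forwarded in both modes
    if matches_oui(src_mac, oui_table):
        return (True, True)             # voice packet: remark and forward
    # Non-matching source in the voice VLAN: dropped only in secure mode.
    return (not secure, False)


# Values from this page: phone and PC MAC addresses, OUI mask, voice VLAN 2.
OUI_TABLE = [("0003-6b00-0000", "ffff-ff00-0000")]
PHONE_B, PC_MAC, VOICE_VLAN = "0003-6B00-0002", "286E-D400-0001", 2

if __name__ == "__main__":
    print("undo value:", normalize_oui("0003-6B00-0001", "ffff-ff00-0000"))
    for secure in (True, False):
        mode = "secure" if secure else "normal"
        for mac in (PHONE_B, PC_MAC):
            print(mode, mac, handle_packet(mac, VOICE_VLAN, VOICE_VLAN, OUI_TABLE, secure))
```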
Procedure
Step 1 Run system-view
The system view is displayed.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
----End
Context
When a VLAN ID-based voice VLAN is used, the interface connected to a voice device must
be added to the voice VLAN manually so that the voice VLAN can take effect.
Procedure
Step 1 Add an interface to a voice VLAN in manual mode according to 5.7.1 Configuring
Interface-based VLAN Assignment (Statically Configured Interface Type).
----End
Context
Generally, IP phones that can send tagged voice packets can obtain voice VLAN information
from the switch using a protocol such as LLDP (LLDP is used as an example). LLDP needs to
be enabled. When the switch receives an LLDPDU from an IP phone, the switch encapsulates
voice VLAN information in the LLDPDU and sends it to the IP phone. The IP phone then
sends tagged voice packets.
The switch can encapsulate voice VLAN information into LLDPDUs and send them to
connected IP phones. However, IP phones of some vendors send Cisco Discovery Protocol
(CDP) packets. You can run the voice-vlan legacy enable command to enable the CDP-compatible
function so that the switch encapsulates voice VLAN information in CDP packets
and sends them to connected IP phones.
Procedure
• Configuring the switch to advertise voice VLAN information to an IP phone through
LLDP
a. Run system-view
The system view is displayed.
b. Run lldp enable
LLDP is enabled globally.
By default, LLDP is enabled globally.
c. Run interface interface-type interface-number
After LLDP is enabled in the system view, all interfaces are enabled with LLDP.
• Configuring the Cisco Discovery Protocol (CDP)-compatible voice VLAN function
a. Run system-view
----End
Context
By default, the 802.1p priority and DSCP priority for a voice VLAN are 6 and 46
respectively. You can dynamically configure 802.1p priority and DSCP priority to plan
priorities for different voice services.
• The 802.1p priority is indicated by the value in the 3-bit PRI field in each 802.1Q VLAN
frame. This field determines the transmission priority for data packets when a switching
device is congested.
• The DSCP value is indicated by the 6 bits in the Type of Service (ToS) field in the IPv4
packet header. DSCP, as the signaling for DiffServ, is used for QoS guarantee on IP
networks. The traffic controller on the network gateway takes actions merely based on
the information carried by the 6 bits.
Procedure
Step 1 Run system-view
The 802.1p priority and DSCP priority are configured for a voice VLAN.
By default, the 802.1p priority and DSCP priority for a voice VLAN are 6 and 46
respectively.
----End
[Figure: networking diagram for the OUI-based voice VLAN example. Labels: Internet, interfaces GE0/0/1 and GE0/0/2, IP Phone A, IP Phone B, IP Phone C, PC A, PC C, MAC:0003-6B00-0001, MAC:0003-6B00-0002, Mask:ffff-ff00-0000, 286E-D400-0001.]
Configuration Roadmap
Because voice and data packets received by the switch are untagged, you need to configure
OUIs to differentiate voice and data traffic. The configuration roadmap is as follows:
1. Create VLANs on the switch and add interfaces to VLANs to implement Layer 2
connectivity.
2. Configure an OUI so that the switch adds a VLAN tag to voice packets in which the
source MAC address matches the OUI.
3. Configure VLAN 2 as the voice VLAN and configure the interface to allow voice
packets to pass through.
Procedure
Step 1 Configure VLANs and interfaces on the Switch.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 3
Step 3 # Enable the voice VLAN function on GE0/0/1. The configuration of GE0/0/2 is similar to the
configuration of GE0/0/1, and is not mentioned here.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] voice-vlan 2 enable include-untagged
[Switch-GigabitEthernet0/0/1] voice-vlan remark-mode mac-address
[Switch-GigabitEthernet0/0/1] quit
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
voice-vlan mac-address 0003-6b00-0000 mask ffff-ff00-0000
#
vlan batch 2 to 3
#
interface GigabitEthernet0/0/1
port link-type hybrid
voice-vlan 2 enable include-untagged
voice-vlan remark-mode mac-address
port hybrid pvid vlan 3
port hybrid untagged vlan 2 to 3
#
interface GigabitEthernet0/0/2
port link-type hybrid
voice-vlan 2 enable include-untagged
voice-vlan remark-mode mac-address
port hybrid untagged vlan 2
#
return
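The OUI match in this configuration file, modelled as an added Python example (not Huawei code, and not part of the original guide): it parses the voice-vlan mac-address line and reports which source MACs an include-untagged interface would place in voice VLAN 2 instead of PVID 3, which is useful when auditing what an OUI rule admits to the voice VLAN. The function names are hypothetical, 0003-6BFF-FFFF is a constructed address, and priority 0 for non-voice frames is an assumption.

```python
import re

# Lines copied from the switch configuration file above (GE0/0/1 only).
CONFIG = """\
voice-vlan mac-address 0003-6b00-0000 mask ffff-ff00-0000
interface GigabitEthernet0/0/1
 port link-type hybrid
 voice-vlan 2 enable include-untagged
 voice-vlan remark-mode mac-address
 port hybrid pvid vlan 3
"""

def mac_to_int(mac: str) -> int:
    """Convert H-H-H, colon or dotted notation to a 48-bit integer."""
    digits = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)

def parse_ouis(config: str):
    """Return [(oui, mask)] for every voice-vlan mac-address line."""
    pat = re.compile(r"^\s*voice-vlan mac-address (\S+) mask (\S+)", re.M)
    return [(mac_to_int(o), mac_to_int(m)) for o, m in pat.findall(config)]

def parse_interface(config: str):
    """Return (voice VLAN ID, PVID); the PVID defaults to VLAN 1."""
    voice = re.search(r"^\s*voice-vlan (\d+) enable", config, re.M)
    if voice is None:
        raise ValueError("voice VLAN is not enabled on the interface")
    pvid = re.search(r"^\s*port hybrid pvid vlan (\d+)", config, re.M)
    return int(voice.group(1)), (int(pvid.group(1)) if pvid else 1)

def classify(src_mac, ouis, voice_vlan, pvid, voice_priority=6):
    """Model of how an untagged frame is tagged on ingress.

    Returns (VLAN ID, 802.1p priority, 4-byte 802.1Q tag). The voice
    priority defaults to 6, the default the guide states; priority 0
    for non-voice frames is an assumption of this example.
    """
    mac = mac_to_int(src_mac)
    is_voice = any((mac & mask) == (oui & mask) for oui, mask in ouis)
    vlan, pri = (voice_vlan, voice_priority) if is_voice else (pvid, 0)
    tci = (pri << 13) | vlan          # PRI (3 bits) | CFI (1 bit) | VLAN ID (12 bits)
    tag = (0x8100).to_bytes(2, "big") + tci.to_bytes(2, "big")
    return vlan, pri, tag

def audit(macs, config: str = CONFIG):
    """Classify each source MAC against the OUI rules in the configuration."""
    ouis = parse_ouis(config)
    voice_vlan, pvid = parse_interface(config)
    return {m: classify(m, ouis, voice_vlan, pvid) for m in macs}

if __name__ == "__main__":
    sample = ["0003-6B00-0001", "0003-6B00-0002", "286E-D400-0001", "0003-6BFF-FFFF"]
    for mac, (vlan, pri, tag) in audit(sample).items():
        print(f"{mac}  VLAN {vlan}  802.1p {pri}  tag {tag.hex()}")
```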
[Figure: networking diagram for the VLAN ID-based voice VLAN example. Labels: Internet, interfaces GE0/0/1 and GE0/0/2, IP Phone A, IP Phone B, IP Phone C, PC A, PC C.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on the switch and add interfaces to VLANs to implement Layer 2
connectivity.
2. Enable LLDP so that IP phones can obtain voice VLAN information through LLDP.
3. Configure VLAN 2 as the voice VLAN and configure the interface to allow voice
packets to pass through. Configure a VLAN ID-based voice VLAN, which relieves you
from configuring OUIs.
Procedure
Step 1 Configure VLANs and interfaces on the Switch.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 3
Step 3 # Enable the voice VLAN function on GE0/0/1. The configuration of GE0/0/2 is similar to the
configuration of GE0/0/1, and is not mentioned here.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] voice-vlan 2 enable
[Switch-GigabitEthernet0/0/1] voice-vlan remark-mode vlan
[Switch-GigabitEthernet0/0/1] quit
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2 to 3
#
lldp enable
#
interface GigabitEthernet0/0/1
port link-type hybrid
voice-vlan 2 enable
port hybrid pvid vlan 3
port hybrid tagged vlan 2
port hybrid untagged vlan 3
#
interface GigabitEthernet0/0/2
port link-type hybrid
voice-vlan 2 enable
port hybrid tagged vlan 2
#
return
10 QinQ Configuration
Definition
QinQ expands VLAN space by adding an additional 802.1Q tag to 802.1Q tagged packets. It
allows services in a private VLAN to be transparently transmitted over a public network. A
packet transmitted on the backbone network carries two 802.1Q tags: a public VLAN tag and
a private VLAN tag.
Purpose
Ethernet is widely used on ISP networks, but 802.1Q VLANs are unable to identify and
isolate large numbers of users on metro Ethernet networks because the 12-bit VLAN tag field
defined in IEEE 802.1Q only identifies a maximum of 4096 VLANs. QinQ was developed to
expand VLAN space beyond 4096 VLANs so that a larger number of users can be identified
on a metro Ethernet network.
QinQ was originally developed to expand VLAN space by adding an additional 802.1Q tag to
an 802.1Q-tagged packet. In this way, the number of VLANs increases to 4094 x 4094.
In addition to expanding VLAN space, QinQ is applied in other scenarios with the
development of metro Ethernet networks and carriers' requirements on refined service
operation. The outer and inner VLAN tags can be used to differentiate packets based on users
and services. For example, the inner tag represents a user, while the outer tag represents a
service. Moreover, QinQ is used as a simple and practical VPN technology because inner tags
of QinQ packets are transparently transmitted over a public network. It extends core MPLS
VPN services to metro Ethernet networks to establish an end-to-end VPN.
Since QinQ technology is easy to use, it has been widely applied in Internet Service Provider
(ISP) networks. For example, QinQ is combined with multiple services in metro Ethernet
solutions. Selective QinQ (VLAN stacking) makes QinQ more popular among ISPs. As the
metro Ethernet develops, equipment vendors have developed their own metro Ethernet
solutions, in which the simple and flexible QinQ technology plays an important role.
Benefits
QinQ offers the following benefits:
l Extends the VLAN space to isolate and identify more users.
l Facilitates service deployment by allowing the inner and outer tags to represent different
information. For example, the inner tag identifies a user and the outer tag identifies a
service.
l Allows ISPs to implement refined service operation by providing diversified
encapsulation and termination modes.
[Figure 10-1: customer network A and customer network B connected to the carrier network through CE1 and CE2. Labels: VLAN 4, VLAN 3.]
As shown in Figure 10-1, customer network A is divided into private VLANs 1 to 10, and
customer network B is divided into private VLANs 1 to 20. The carrier allocates public
VLANs 3 and 4 to customer networks A and B respectively. When tagged packets from
networks A and B arrive at the carrier network, the packets are tagged with outer VLANs 3 and 4.
Therefore, the packets from different customer networks are separated on the carrier network,
even though the customer networks use overlapping VLAN ranges. When the packets reach
the PE on the other side of the carrier network, the PE removes public VLAN tags from the
packets and forwards the packets to the CE of the respective customer network.
NOTE
Because a QinQ packet has 4 more bytes than an 802.1Q packet, the maximum frame length allowed by
each interface on the carrier network should be at least 1504 bytes. The default frame length allowed by
interfaces of a switch is larger than 1504 bytes, so you do not need to adjust it. For details on how to
configure the frame length allowed by an interface, see Setting the Jumbo Frame Length Allowed on an
Interface in "Ethernet Interface Configuration" in the S1720, S2700, S5700, and S6720 V200R011C10
Configuration Guide - Interface Management.
QinQ encapsulation frame format:
Field    DA        SA        802.1Q TAG   802.1Q TAG   LEN/ETYPE   DATA                  FCS
Length   6 Bytes   6 Bytes   4 Bytes      4 Bytes      2 Bytes     46 Bytes~1500 Bytes   4 Bytes
QinQ Implementation
QinQ can be implemented in either of the following ways:
1. Basic QinQ
Basic QinQ is implemented based on interfaces. After basic QinQ is configured on an
interface, the device adds the default VLAN tag of this interface to all packets regardless
of whether the packets carry VLAN tags.
– If a single-tagged packet is received, the packet becomes a double-tagged packet.
– If an untagged packet is received, the packet is tagged with the default VLAN ID of
the local interface.
2. Selective QinQ
Selective QinQ is implemented based on interfaces and VLAN IDs. That is, an interface
can forward packets based on a single VLAN tag or double VLAN tags. In addition, the
device processes packets received on an interface as follows based on their VLAN IDs:
– Adds different outer VLAN tags to packets carrying different inner VLAN IDs.
– Marks outer 802.1p fields and adds different outer VLAN tags to packets according
to the 802.1p fields in inner VLAN tags.
In addition to separating carrier and customer networks, selective QinQ provides
extensive service features and allows flexible networking.
QinQ Encapsulation
QinQ encapsulation changes a single-tagged packet into a double-tagged packet, and is
usually performed on underlayer provider edge (UPE) interfaces connected to customer
networks.
Depending on the data encapsulated, QinQ encapsulation is applied as interface-based or
flow-based QinQ encapsulation. Additionally, QinQ encapsulation can be performed on
routed sub-interfaces.
l Interface-based QinQ encapsulation
This encapsulation mode is also called QinQ tunneling. It encapsulates packets arriving
at the same interface with the same outer VLAN tag, and therefore cannot distinguish
users and services at the same time.
[Figure: interface-based QinQ encapsulation networking. Labels: PE1, Port1, Port2, Port3, Port4, VLAN1000, VLAN4094, VLAN500, VLAN2500.]
Table 10-1 shows the outer VLAN tag plan for Department 1 and Department 2.
Department 1 2 to 500 10
QinQ tunneling is configured on PE1 and PE2 in the following way to implement
communication within each department and isolate the two departments:
l Configure PE1 to add the outer VLAN 10 to packets received on Port1 and Port2 and
outer VLAN 20 to packets received on Port3.
l Configure PE2 to add the outer VLAN 20 to packets received on Port1 and Port2.
l Configure Port4 on PE1 and Port3 on PE2 to allow packets of VLAN 20 to pass.
l VLAN ID-based selective QinQ: adds outer VLAN tags based on inner VLAN IDs.
l 802.1p priority-based selective QinQ: adds outer VLAN tags based on 802.1p priorities
in inner VLAN tags.
l Traffic policy-based selective QinQ: adds outer VLAN tags based on traffic policies so
that differentiated services can be provided based on service types.
Selective QinQ is an extension of basic QinQ and is more flexible. The difference is as
follows:
l Basic QinQ: adds the same outer VLAN tag to all packets arriving at a Layer 2 interface.
l Selective QinQ: adds different outer VLAN tags to packets arriving at a Layer 2
interface based on inner VLAN tags.
[Figure: selective QinQ networking. Labels: PE1, Port3, Department 1, Department 2, VLAN2, VLAN100, VLAN500, VLAN1000, VLAN2000.]
Selective QinQ is configured on PE1 and PE2 in the following way to implement
communication within each department and isolate the two departments.
l Configure outer VLAN tags for packets received on interfaces of PE1 and PE2 according
to Table 10-2.
l Configure Port3 on PE1 and Port3 on PE2 to allow packets of VLAN 20 to pass.
[Figure: QinQ stacking on a VLANIF interface. Labels: Internet, DeviceA, Management VLAN 10, Interface VLANIF 10, user1, user2, VLAN 10.]
To log in to DeviceB and manage VLANs from DeviceA, you can configure VLAN stacking
on the VLANIF interface corresponding to the management VLAN on DeviceB.
l If the double-tagged packets sent to the ISP network have the same outer VLAN tags as
the S-VLAN tags, the packets can be transparently transmitted to DeviceB over the ISP
network.
DeviceB enabled with QinQ stacking compares the VLAN tag of the received packets
with the VLAN tag on the VLANIF interface. If the packets have the same outer tag as
that on the VLANIF interface, DeviceB removes the outer VLAN tag and sends the
packet to the IP layer for processing.
l The VLANIF interface enabled with QinQ stacking on DeviceB adds outer VLAN tags
to received data packets. The outer VLAN tag is the same as the S-VLAN tag. In this
case, the double-tagged packets can be transparently transmitted to DeviceA over the ISP
network. After receiving the packets, DeviceA removes the outer VLAN tag and
forwards the packets to local users.
10.2.5 TPID
The Tag Protocol Identifier (TPID) specifies the protocol type of a VLAN tag. The TPID
value defined in IEEE 802.1Q is 0x8100.
Figure 10-6 shows the Ethernet packet format defined in IEEE 802.1Q. An IEEE 802.1Q tag,
containing the TPID, lies between the Source Address field and the Length/Type field. A
device checks the TPID value in a received packet to determine whether the VLAN tag is an
S-VLAN tag or C-VLAN tag. The device compares the configured TPID value with the TPID
value in the packet. For example, if a frame carries the VLAN tag with TPID 0x8100 but the
TPID configured for a customer network on a device is 0x8200, the device considers the
frame untagged.
Carriers' systems may use different TPID values in outer VLAN tags. When a Huawei device
needs to interoperate with such a carrier system, set the TPID value to the value used by the
carrier so that QinQ packets sent from the Huawei device can be transmitted across the carrier
network. To prevent errors in packet forwarding and processing, do not set the TPID to any of
the values listed in Table 10-3.
Protocol Type   Value
ARP             0x0806
RARP            0x8035
IP              0x0800
IPv6            0x86DD
PPPoE           0x8863/0x8864
MPLS            0x8847/0x8848
IPX/SPX         0x8137
LACP            0x8809
802.1x          0x888E
HGMP            0x88A7
Reserved        0xFFFD/0xFFFE/0xFFFF
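The TPID comparison described in this section, as an added Python example (not Huawei code, and not part of the original guide): it walks the tags of a double-tagged frame using the configured outer and inner TPIDs, treats the frame as untagged when the outer TPID does not match, and rejects a configured TPID that appears in Table 10-3. The MAC addresses in the sample frame are constructed; the outer VLAN 3 and inner VLAN 10 follow the Figure 10-1 description, and the function names are hypothetical.

```python
import struct

# Protocol IDs from Table 10-3: never valid as a configured TPID.
FORBIDDEN_TPIDS = {
    0x0806, 0x8035, 0x0800, 0x86DD, 0x8863, 0x8864, 0x8847, 0x8848,
    0x8137, 0x8809, 0x888E, 0x88A7, 0xFFFD, 0xFFFE, 0xFFFF,
}

def check_tpid(tpid: int) -> int:
    """Reject a configured TPID that collides with a Table 10-3 value."""
    if not 0 <= tpid <= 0xFFFF:
        raise ValueError(f"TPID out of range: {tpid:#x}")
    if tpid in FORBIDDEN_TPIDS:
        raise ValueError(f"TPID {tpid:#06x} is listed in Table 10-3")
    return tpid

def parse_tags(frame: bytes, outer_tpid: int = 0x8100, inner_tpid: int = 0x8100):
    """Return (tags, Length/Type value, payload offset) for an Ethernet frame.

    A tag is recognised only when its TPID equals the configured value,
    so a TPID mismatch makes the frame look untagged to the receiver.
    """
    check_tpid(outer_tpid)
    check_tpid(inner_tpid)
    offset, tags = 12, []             # tags start after DA (6) + SA (6)
    for expected in (outer_tpid, inner_tpid):
        if len(frame) < offset + 4:
            break
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid != expected:
            break                     # not a tag for this device
        tags.append({"tpid": tpid, "pri": tci >> 13, "vlan": tci & 0x0FFF})
        offset += 4
    if len(frame) < offset + 2:
        raise ValueError("frame truncated before the Length/Type field")
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    return tags, ethertype, offset + 2

def build_frame(tags, ethertype: int = 0x0800, payload: bytes = bytes(46)):
    """Build a constructed sample frame without FCS.

    tags is a list of (tpid, pri, vlan) tuples, outermost first.
    """
    da = bytes.fromhex("00e0fc000002")    # constructed destination MAC
    sa = bytes.fromhex("00e0fc000001")    # constructed source MAC
    body = b"".join(struct.pack("!HH", t, (p << 13) | v) for t, p, v in tags)
    return da + sa + body + struct.pack("!H", ethertype) + payload

# Outer (public) VLAN 3 and inner (private) VLAN 10, both with TPID 0x8100.
SAMPLE = build_frame([(0x8100, 0, 3), (0x8100, 5, 10)])

if __name__ == "__main__":
    print(parse_tags(SAMPLE))                      # both tags recognised
    print(parse_tags(SAMPLE, outer_tpid=0x8200))   # frame considered untagged
```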
[Figure: QinQ mapping networking. Labels: GE0/0/1.1, QinQ Mapping, IP 20, IP 40, Device1, Device4, PC1 172.16.0.1/24, PC2 172.16.0.7/24.]
1. PC1 sends an untagged frame to Device1. After receiving the frame, Device1 adds
VLAN tag 20 to the frame.
2. Device1 forwards the frame with VLAN tag 20 to Device2. Device2 replaces VLAN tag
20 with S-VLAN tag 50 on sub-interface GE0/0/1.1.
3. Device2 sends the frame with S-VLAN tag 50 through GE0/0/2.
4. The frame is transparently transmitted on the ISP network.
5. When the frame arrives at GE0/0/1.1 of Device3, Device3 replaces VLAN tag 50 with
VLAN tag 40.
1-to-1: The interface maps the tag in a received single-tagged packet to a specified tag.
l QinQ mapping is performed on sub-interfaces and used for VPLS access.
l VLAN mapping is performed on main interfaces and applies to Layer 2 networks
where packets are forwarded based on VLANs.
[Figure 10-8: QinQ on a metro Ethernet network. Labels: Core Network, NPE, VRRP, Metro Ethernet, UPE, PVC101, PVC301, PVC501, inner VLANs 101, 301 and 501, outer VLANs 1000/1001 (VLAN 1XX), 2000/2001 (VLAN 3XX) and 3000/3001 (VLAN 5XX).]
As shown in Figure 10-8, the digital subscriber line access multiplexers (DSLAMs) support
multiple permanent virtual channels (PVCs) so that the same user can use multiple services,
such as High-Speed Internet (HSI), Internet Protocol Television (IPTV), and voice over IP
(VoIP).
The carrier assigns different PVCs and VLAN ranges to HSI, IPTV, and VoIP services, as
described in Table 10-5.
A user accesses the VoIP service. When a VoIP packet reaches a DSLAM through a specified
PVC, the DSLAM marks the packet with a VLAN in the VLAN range mapped to the PVC,
such as 301. When the VoIP packet reaches the UPE, the UPE tags the packet with an outer
VLAN ID mapped to the VoIP VLAN ID range, such as 2000. The inner VLAN ID represents
user information and the outer VLAN ID represents service information and the location of
the DSLAM (packets from different DSLAMs are tagged with different outer VLAN IDs).
When the packet reaches the NPE indicated by the outer VLAN tag, the VLAN tag is
terminated on the QinQ termination sub-interface. According to the core network
configuration, the packet is forwarded on the IP network or enters the corresponding VPN.
HSI and IPTV services are processed in the same manner, except that VLAN tags of HSI
services are terminated on a broadband remote access server (BRAS).
The NPE can perform HQoS scheduling based on double tags and generate a DHCP binding
table to avoid network attacks. In addition, the NPE can implement DHCP authentication
based on double tags or other information. You can also configure VRRP on QinQ
termination sub-interfaces to ensure service reliability.
[Figure: QinQ access to a VPLS network. Labels: ME, MPLS/IP, UPE, NPE, Finance VLAN 100, Marketing VLAN 200, Others VLAN 300.]
The carrier uses VPLS technology on the MPLS/IP core network and QinQ technology on the
metro Ethernet network. Each site is assigned three VLANs 100, 200 and 300, which
represent Finance, Marketing, and Others departments respectively. The UPEs at two ends tag
received packets with outer VLAN 1000 (different outer VLAN tags are allowed on two
ends), and the same VSI is configured on the NPEs. This configuration ensures that only users
of the same VLAN in different sites can communicate with each other.
Configure selective QinQ | Selective QinQ based on the VLAN ID enables the switch to add different outer VLAN tags to received data frames according to VLAN IDs in the frames. | 10.7 Configuring Selective QinQ
Set the TPID value in an outer VLAN tag | This configuration allows a Huawei device to communicate with a non-Huawei device. | 10.8 Configuring the TPID Value in an Outer VLAN Tag
Configure the device to add double VLAN tags to untagged packets | The device can be configured to add double VLAN tags to untagged packets. | 10.10 Configuring the Device to Add Double VLAN Tags to Untagged Packets
Licensing Requirements
QinQ configuration commands are available only after the S1720GW, S1720GWR, and
S1720X have the license (WEB management to full management Electronic RTU License)
loaded and activated and the switches are restarted. QinQ configuration commands on other
models are not under license control.
For details about how to apply for a license, see S Series Switch License Use Guide.
Version Requirements
S5710-C-LI V200R001C00
S5730SI V200R011C10
S5730S-EI V200R011C10
NOTE
For details about software mappings, see Hardware Query Tool.
Feature Limitations
l For the points of attention when configuring QinQ on a sub-interface, see 8.4 Licensing
Requirements and Limitations for VLAN Termination.
l The devices listed in Table 10-8 can add double tags to untagged packets.
Table 10-8 Products and versions supporting the function of adding double tags to
untagged packets
S5730SI V200R011C10
S5730S-EI V200R011C10
l The switch forwards packets based only on their outer VLAN tags and learns MAC
address entries based on the outer VLAN tags.
l You are advised to enable selective QinQ on a hybrid interface. The qinq vlan-translation
enable command must already have been run to enable VLAN translation.
Selective QinQ takes effect only in the inbound direction of the interface.
l When an interface configured with VLAN stacking needs to remove the outer tag from
outgoing frames, the interface must join the VLAN specified by stack-vlan in untagged
mode. If the outer VLAN does not need to be removed, the interface must join the
VLAN specified by stack-vlan in tagged mode.
l The device configured with selective QinQ can only add an outer VLAN tag to a frame
with an inner VLAN tag on an interface, and the outer VLAN ID must exist. Otherwise,
the services where selective QinQ is configured are unavailable.
l If only single-tagged packets from a VLAN need to be transparently transmitted, do not
specify the VLAN as the inner VLAN for selective QinQ. After selective QinQ is
configured on the S3700EI, S3700SI, or S5700EI, VLAN mapping must also be configured
to map each VLAN whose single-tagged packets need to be transparently transmitted to
itself, for example, port vlan-mapping vlan 20 map-vlan 20.
l When VLAN stacking is configured, do not configure stack-vlan to the VLAN
corresponding to the VLANIF interface.
l VLAN-based flow mirroring allows the device to identify only outer VLAN tags of
QinQ packets.
l The globally configured traffic-limit command that takes effect for all interfaces in the
inbound direction is invalid for QinQ packets.
l ND snooping and adding double tags to untagged packets can be configured together on
the S5720EI, S5720HI, S6720EI and S6720S-EI.
l SAVI and adding double tags to untagged packets can be configured together on the
S5720EI, S5720HI, S6720EI and S6720S-EI.
l If the PW-side interface is a Layer 3 interface switched by the undo portswitch
command, the AC-side interface cannot be a Layer 3 interface or subinterface belonging
to a Layer 3 interface; otherwise, traffic forwarding is abnormal. This rule applies to
S5720EI, S6720EI, and S6720S-EI.
Background
Basic QinQ enables the device to add a public tag to incoming packets so that user packets
can be forwarded on the public network. To separate private networks from public networks
and conserve VLAN resources, configure double 802.1Q tags on QinQ interfaces of the
device. Private VLAN tags are used on private networks such as enterprise networks, and
public VLAN tags are used on external networks such as ISP networks. QinQ expands VLAN
space to 4094x4094 and allows packets on different private networks with the same VLAN
IDs to be transparently transmitted.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan vlan-id
A VLAN used on the public network is created.
Step 3 Run quit
Exit from the VLAN view.
----End
Pre-configuration Tasks
Before configuring selective QinQ, create the outer VLAN.
Context
VLAN ID-based selective QinQ allows an interface to add outer VLAN tags to packets based
on VLAN IDs of the packets.
NOTE
l You are advised to enable selective QinQ on a hybrid interface. The qinq vlan-translation
enable command must already have been run to enable VLAN translation. Selective QinQ takes
effect only in the inbound direction of the interface.
l The device configured with selective QinQ can only add an outer VLAN tag to a frame with an inner
VLAN tag on an interface, and the outer VLAN ID must exist. Otherwise, the services where selective
QinQ is configured are unavailable.
l When an interface configured with VLAN stacking needs to remove the outer tag from outgoing frames,
the interface must join the VLAN specified by stack-vlan in untagged mode. If the outer VLAN does not
need to be removed, the interface must join the VLAN specified by stack-vlan in tagged mode.
Procedure
Step 1 Run system-view
By default, the link type of an interface on the S1720GFR, S1720GW, S1720GWR, S1720X,
S1720GW-E, S1720GWR-E, S1720X-E, S2750EI, S2720EI, S5700LI, S5700S-LI, S5720LI,
S5720S-LI, S6720LI, S6720S-LI, S5710-X-LI, S5730SI, S5730S-EI, S6720SI, S6720S-SI,
S5720SI, and S5720S-SI is negotiation-auto, and the link type of an interface on other
models is negotiation-desirable.
The specified VLAN ID in the command must exist on the device. You do not need to create a
VLAN specified by the original VLAN tag of a received packet.
Step 6 When configuring selective QinQ, perform the following configurations as required:
l Configure only selective QinQ.
Run the port vlan-stacking vlan vlan-id1 [ to vlan-id2 ] stack-vlan vlan-id3
[ remark-8021p 8021p-value1 ] command to configure only selective QinQ.
By default, the priority in the outer VLAN tag is the same as that in the inner VLAN tag.
l Configure selective QinQ and VLAN mapping.
Run the port vlan-stacking vlan vlan-id1 stack-vlan vlan-id2 [ remark-8021p 8021p-
value1 ] map-vlan vlan-id4 [ remark-inner-8021p 8021p-value2 ] command to
configure selective QinQ and VLAN mapping.
By default, the priority in the outer VLAN tag is the same as that in the inner VLAN tag.
NOTE
When map-vlan vlan-id4 is configured to perform VLAN stacking and VLAN mapping
concurrently, on switches other than the S5720EI, S5720HI, S6720EI, and S6720S-EI, the same
outer VLAN tag cannot be added to packets from different user VLANs. On the S5720EI,
S5720HI, S6720EI, and S6720S-EI, the same outer VLAN tag cannot be added to packets from
different user VLANs, and different inner VLAN tags in packets from different user VLANs
cannot be matched to the same VLAN tag. For example, if packets containing VLAN IDs 10 and
20 respectively are received on an interface, the port vlan-stacking vlan 10 stack-vlan 100 map-
vlan 200 and port vlan-stacking vlan 20 stack-vlan 100 map-vlan 200 commands cannot be
configured together.
This interface is the outbound interface for QinQ packets, different from the interface
specified in step 2.
The outer VLAN ID (stack-vlan) added to the original tagged packet is set.
----End
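The selective QinQ constraints stated in this section, checked against a configuration file in an added Python example (not Huawei code, and not part of the original guide). It flags interfaces that use port vlan-stacking without qinq vlan-translation enable, a stack-vlan that has not been created or that the interface has not joined, and map-vlan entries that add the same outer VLAN to different user VLANs. The sample configuration is constructed, the finding names are hypothetical, and the parser assumes the saved-configuration layout shown elsewhere in this guide (sections separated by #).

```python
import re
from collections import defaultdict

STACK_RE = re.compile(
    r"port vlan-stacking vlan (\d+)(?: to (\d+))? stack-vlan (\d+)"
    r"(?: remark-8021p \d+)?(?: map-vlan (\d+))?")
JOIN_RE = re.compile(r"port hybrid (?:tagged|untagged) vlan (.+)")

# Constructed sample: GE0/0/1 repeats the conflicting pair from the NOTE above.
SAMPLE_CONFIG = """\
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type hybrid
 port hybrid untagged vlan 100
 port vlan-stacking vlan 10 stack-vlan 100 map-vlan 200
 port vlan-stacking vlan 20 stack-vlan 100 map-vlan 200
#
interface GigabitEthernet0/0/2
 port link-type hybrid
 qinq vlan-translation enable
 port hybrid untagged vlan 100
 port vlan-stacking vlan 30 to 40 stack-vlan 300
#
return
"""

def expand(spec: str) -> set:
    """Expand a VLAN list such as '2 to 3 10' into {2, 3, 10}."""
    out = set()
    for lo, hi in re.findall(r"(\d+)(?:\s+to\s+(\d+))?", spec):
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def lint(config: str):
    """Return a list of (interface, finding, outer VLAN or None) tuples."""
    vlans, ifaces, cur = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            cur = None                              # end of a section
        elif line.startswith("vlan batch "):
            vlans |= expand(line[len("vlan batch "):])
        elif line.startswith("interface "):
            cur = ifaces.setdefault(
                line.split(None, 1)[1],
                {"xlate": False, "joined": set(), "stack": []})
        elif cur is not None:
            if line == "qinq vlan-translation enable":
                cur["xlate"] = True
            elif (m := JOIN_RE.match(line)):
                cur["joined"] |= expand(m.group(1))
            elif (m := STACK_RE.match(line)):
                inner, _, outer, mapped = m.groups()
                cur["stack"].append((int(inner), int(outer), mapped))

    findings = []
    for name, itf in ifaces.items():
        if not itf["stack"]:
            continue
        if not itf["xlate"]:
            findings.append((name, "vlan-translation-not-enabled", None))
        for outer in sorted({o for _, o, _ in itf["stack"]}):
            if outer not in vlans:
                findings.append((name, "stack-vlan-not-created", outer))
            if outer not in itf["joined"]:
                findings.append((name, "not-joined-to-stack-vlan", outer))
        users_per_outer = defaultdict(set)
        for inner, outer, mapped in itf["stack"]:
            if mapped is not None:                  # entry also does VLAN mapping
                users_per_outer[outer].add(inner)
        for outer, inners in sorted(users_per_outer.items()):
            if len(inners) > 1:
                findings.append((name, "same-outer-for-different-user-vlans", outer))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```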
Configuration Tips
Deleting QinQ configuration
Use either of the following methods to delete the selective QinQ configuration on an
interface:
l Run the undo port vlan-stacking vlan vlan-id1 [ to vlan-id2 ] [ stack-vlan vlan-id3 ]
command in the interface view to delete a selective QinQ entry on the interface.
l Run the undo port vlan-stacking all command in the interface view to delete all the
selective QinQ entries on the interface.
Context
A traffic policy is configured by associating traffic classifiers with traffic behaviors. You can
specify a VLAN ID or other information in a traffic classifier and associate the traffic
classifier with a traffic behavior to implement selective QinQ. Then the device adds the
specified outer VLAN tag to packets matching the traffic classifier.
Traffic policy-based selective QinQ enables the device to provide differentiated services
based on service types.
NOTE
Only the S1720X, S1720X-E, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI
support this configuration.
Procedure
1. Configure a traffic classifier.
a. Run system-view
The system view is displayed.
b. Run traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed, or the
existing traffic classifier view is displayed.
and is the logical operator between the rules in the traffic classifier, which means
that:
n If the traffic classifier contains ACL rules, packets match the traffic classifier
only when they match one ACL rule and all the non-ACL rules.
n If the traffic classifier does not contain any ACL rules, packets match the
traffic classifier only when they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier as long as
they match one of the rules in the classifier.
By default, the relationship between rules in a traffic classifier is OR.
c. Configure matching rules according to the following table.
Matching Rule | Command | Remarks
d. Run quit
Exit from the traffic classifier view.
2. Configure a traffic behavior.
a. Run traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed.
b. Run add-tag vlan-id vlan-id
The outer VLAN ID is specified in the traffic behavior.
You must specify an existing VLAN ID on the device in this command. You do not
need to create a VLAN specified by the original VLAN tag of a received packet.
c. Run quit
Exit from the traffic behavior view.
d. Run quit
Exit from the system view.
3. Configure a traffic policy.
a. Run system-view
The system view is displayed.
b. Run traffic policy policy-name
A traffic policy is created and the traffic policy view is displayed, or the view of an
existing traffic policy is displayed.
After a traffic policy is applied, you cannot use the traffic policy command to
modify the matching order of traffic classifiers in the traffic policy. To modify the
matching order, delete the traffic policy, create a traffic policy, and specify the
matching order.
When creating a traffic policy, you can specify the matching order of its matching
rules. The matching order can be either automatic order or configuration order:
n Automatic order: Traffic classifiers are matched based on the priorities of their
types. Traffic classifiers based on the following information are in descending
order of priority: Layer 2 and IPv4 Layer 3 information, advanced ACL6
information, basic ACL6 information, Layer 2 information, IPv4 Layer 3
information, and user-defined ACL information. If data traffic matches
multiple traffic classifiers, and the traffic behaviors conflict with each other,
the traffic behavior corresponding to the highest priority rule takes effect.
n Configuration order: Traffic classifiers are matched based on the sequence in
which traffic classifiers were bound to traffic behaviors.
NOTE
If more than 128 ACL rules defining CAR are configured, a traffic policy must be applied to
an interface, a VLAN, and the system in sequence in the outbound direction. In the
preceding situation, if you need to update ACL rules, delete the traffic policy from the
interface, VLAN, and system and reconfigure it in sequence.
A traffic policy that is applied to a specified slot takes effect on all the
interfaces and VLANs of the member switch with the specified stack ID.
The system then performs traffic policing for all the incoming and
outgoing packets that match traffic classification rules on this member
switch.
○ On a standalone switch, a traffic policy that is applied to the system takes
effect on all the interfaces and VLANs of the local switch. The system
then performs traffic policing for all the incoming and outgoing packets
that match traffic classification rules on the local switch. Traffic policies
applied to the slot and system have the same functions.
Context
Devices from different vendors or in different network plans may use different TPID values in
VLAN tags of VLAN packets. To adapt to an existing network plan, the switch supports TPID
value configuration. You can set the TPID value on the switch to be the same as the TPID
value in the network plan to ensure compatibility with the current network.
NOTE
l To implement interoperability with a non-Huawei device, ensure that the protocol type in the outer
VLAN tag added by the switch can be identified by the non-Huawei device.
l The qinq protocol command identifies incoming packets, and adds or changes the TPID value of
outgoing packets.
l The protocol ID configured on an interface by the qinq protocol command must be different from
other commonly used protocol IDs; otherwise, the interface cannot distinguish packets of these
protocols. For example, protocol-id cannot be set to 0x0806, which is the ARP protocol ID.
Procedure
Step 1 Run system-view
----End
Context
To log in to a remote device from the local device to manage the remote device, configure
QinQ stacking on the VLANIF interface corresponding to the management VLAN on the
remote device. As shown in Figure 10-10, SwitchA is connected to SwitchB through a third-
party network. The management VLAN on SwitchB is the same as the VLAN for users
connected to SwitchA and is different from the VLAN provided by the carrier.
[Figure 10-10: QinQ stacking on a VLANIF interface. Labels: Internet, SwitchA, Management VLAN 10, Interface VLANIF 10, user1, user2, VLAN 10.]
To log in to SwitchB from SwitchA, you can configure QinQ stacking on the VLANIF
interface corresponding to the management VLAN on SwitchB.
Pre-configuration Tasks
Before configuring QinQ stacking on a VLANIF interface, complete the following tasks:
l Create a VLAN.
l Configure a management VLAN.
Procedure
Step 1 Run system-view
Before running this command, ensure that the management VLAN exists.
NOTE
l When configuring QinQ stacking on a VLANIF interface, ensure that the VLANIF interface
corresponds to the management VLAN. VLANIF interfaces corresponding to other VLANs do not
support QinQ stacking.
l Before changing the configured outer VLAN, run the undo qinq stacking vlan command to delete
the original QinQ stacking.
l The qinq stacking vlan and icmp host-unreachable send commands cannot be used together, so
you must run the undo icmp host-unreachable send command before using the qinq stacking vlan
command.
l The outer VLAN added to packets must be an existing VLAN with no VLANIF interface
configured.
----End
Follow-up Procedure
l Run the display vlan [ vlan-id [ verbose ] ] command to check the management VLAN.
l Run the display this command in the VLANIF interface view to check the QinQ
stacking configuration.
Context
Generally, two devices are required to add double tags to packets. Configuring one device to
add double VLAN tags to untagged packets can simplify configuration. In addition, a Layer 2
interface can add double tags to untagged packets to differentiate services or users.
Procedure
Step 1 Run system-view
By default, the link type of an interface on the S1720GFR, S1720GW, S1720GWR, S1720X,
S1720GW-E, S1720GWR-E, S1720X-E, S2750EI, S2720EI, S5700LI, S5700S-LI, S5720LI,
S5720S-LI, S6720LI, S6720S-LI, S5710-X-LI, S5730SI, S5730S-EI, S6720SI, S6720S-SI,
S5720SI, and S5720S-SI is negotiation-auto, and the link type of an interface on other
models is negotiation-desirable.
NOTE
To enable an interface to add double VLAN tags to an untagged packet, you must set the link type of the
interface to hybrid, and add the interface to the outer VLAN in untagged mode.
If the PVID of an interface is not VLAN 1, restore the PVID to VLAN 1 before running the
port vlan-stacking untagged command.
The port vlan-stacking untagged command actually configures a VLAN assignment mode. On the
S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2750EI,
S2720EI, S5700LI, S5700S-LI, S5720LI, S5720S-LI, S6720LI, S6720S-LI, S5710-X-LI, S5730SI,
S5730S-EI, S6720SI, S6720S-SI, S5720SI, and S5720S-SI, different VLAN assignment modes are in
the following order of priority: interface-based VLAN assignment > voice VLAN include-untagged >
MAC address-based VLAN assignment > IP subnet-based VLAN assignment > port vlan-stacking
untagged > protocol-based VLAN assignment > interface-based VLAN assignment. On other models,
different VLAN assignment modes are in the following order of priority: policy-based VLAN
assignment > voice VLAN include-untagged > MAC address-based VLAN assignment > IP subnet-
based VLAN assignment > protocol-based VLAN assignment > interface-based VLAN assignment.
----End
Pre-configuration Tasks
Before configuring QinQ mapping, complete the following tasks:
• Connect the device correctly.
• Configure the VLANs that users belong to so that user packets carry one or double
VLAN tags.
• Ensure that the device is not a VCMP client.
Context
1-to-1 QinQ mapping allows a sub-interface to map a tag in a received single-tagged packet to
a specified tag.
Procedure
Step 1 Run system-view
Step 6 Run qinq mapping vid vlan-id1 [ to vlan-id2 ] map-vlan vid vlan-id3
The original VLAN IDs of single-tagged packets specified in the command must be different
from the outer VLAN IDs specified on all the other sub-interfaces.
NOTE
• QinQ mapping cannot be used with stacking, QinQ termination, and Dot1q termination commands
on the same sub-interface.
• If the PW-side interface is a Layer 3 interface switched by the undo portswitch command, the
AC-side interface cannot be a Layer 3 interface or subinterface belonging to a Layer 3 interface;
otherwise, traffic forwarding is abnormal. This rule applies to S5720EI, S6720EI, and S6720S-EI.
----End
Context
2-to-1 QinQ mapping allows a sub-interface to map an outer tag in a received double-tagged
packet to a specified tag and retain the inner VLAN tag.
Procedure
Step 1 Run system-view
Step 6 Run qinq mapping pe-vid vlan-id1 ce-vid vlan-id2 [ to vlan-id3 ] map-vlan vid vlan-id4
The sub-interface is configured to map the outer tag of double-tagged packets to a specified
tag.
The original outer tag of double-tagged packets specified in the command must be different
from outer tags specified on all the other sub-interfaces.
NOTE
• QinQ mapping cannot be used with stacking, QinQ termination, and Dot1q termination commands
on the same sub-interface.
• If the PW-side interface is a Layer 3 interface switched by the undo portswitch command, the
AC-side interface cannot be a Layer 3 interface or subinterface belonging to a Layer 3 interface;
otherwise, traffic forwarding is abnormal. This rule applies to S5720EI, S6720EI, and S6720S-EI.
----End
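The 1-to-1 and 2-to-1 mapping commands above, modelled on a VLAN tag stack, together with the rule that the original outer VLAN IDs must differ across sub-interfaces. This is an added Python example, not Huawei code; the tag-stack model, the function names and the three sub-interfaces in SAMPLE_SUBIFS are constructed for illustration and are assumed to belong to one main interface.

```python
import re
from typing import NamedTuple, Optional

# Command forms as given in this section:
#   qinq mapping vid vlan-id1 [ to vlan-id2 ] map-vlan vid vlan-id3
#   qinq mapping pe-vid vlan-id1 ce-vid vlan-id2 [ to vlan-id3 ] map-vlan vid vlan-id4
ONE_TO_ONE = re.compile(r"qinq mapping vid (\d+)(?: to (\d+))? map-vlan vid (\d+)$")
TWO_TO_ONE = re.compile(
    r"qinq mapping pe-vid (\d+) ce-vid (\d+)(?: to (\d+))? map-vlan vid (\d+)$")


class Rule(NamedTuple):
    kind: str               # "1to1" or "2to1"
    outer: range            # original outer VLAN IDs matched by the rule
    inner: Optional[range]  # original inner VLAN IDs (2-to-1 only)
    mapped: int             # VLAN ID written into the outer tag


def parse_rule(command):
    """Turn one qinq mapping command line into a Rule."""
    command = command.strip()
    m = ONE_TO_ONE.match(command)
    if m:
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        return Rule("1to1", range(lo, hi + 1), None, int(m.group(3)))
    m = TWO_TO_ONE.match(command)
    if m:
        pe = int(m.group(1))
        lo = int(m.group(2))
        hi = int(m.group(3) or lo)
        return Rule("2to1", range(pe, pe + 1), range(lo, hi + 1), int(m.group(4)))
    raise ValueError("not a qinq mapping command: " + command)


def apply_rule(rule, tags):
    """tags lists VLAN IDs outermost first. Returns the rewritten stack,
    or None when the packet does not match the rule."""
    if rule.kind == "1to1" and len(tags) == 1 and tags[0] in rule.outer:
        return [rule.mapped]                 # the single tag is replaced
    if (rule.kind == "2to1" and len(tags) == 2
            and tags[0] in rule.outer and tags[1] in rule.inner):
        return [rule.mapped, tags[1]]        # outer replaced, inner retained
    return None


def outer_conflicts(subifs):
    """subifs maps sub-interface name -> Rule. Returns (a, b, shared_vids) for
    every pair whose original outer VLAN IDs overlap."""
    names = sorted(subifs)
    conflicts = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            shared = set(subifs[a].outer) & set(subifs[b].outer)
            if shared:
                conflicts.append((a, b, sorted(shared)))
    return conflicts


# Constructed sample: .1 and .2 both claim original outer VLAN 15.
SAMPLE_SUBIFS = {
    "GigabitEthernet0/0/1.1": parse_rule("qinq mapping vid 10 to 20 map-vlan vid 100"),
    "GigabitEthernet0/0/1.2": parse_rule("qinq mapping pe-vid 15 ce-vid 5 map-vlan vid 200"),
    "GigabitEthernet0/0/1.3": parse_rule("qinq mapping vid 30 map-vlan vid 300"),
}

if __name__ == "__main__":
    for a, b, vids in outer_conflicts(SAMPLE_SUBIFS):
        print(f"{a} and {b} both match outer VLAN(s) {vids}")
```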
Context
During QinQ configuration (excluding basic QinQ configuration), VLAN translation
resources may be insufficient. You can run commands to view the total number of inbound/
outbound VLAN translation resources, the number of used VLAN translation resources, and
the number of remaining VLAN translation resources. The command output helps you locate
faults.
Procedure
Step 1 Run the display vlan-translation resource [ slot slot-number ] command in any view to view
VLAN translation resource usage.
NOTE
Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support this command.
Step 2 Run the display spare-bucket resource [ slot slot-number ] command in any view to view
the usage of backup resources when VLAN translation resources conflict.
NOTE
Only the S5720HI supports this command.
----End
Networking Requirements
As shown in Figure 10-11, there are two enterprises on the network, Enterprise 1 and
Enterprise 2. Both of them have two office locations, which connect to SwitchA and SwitchB
of the ISP network. A non-Huawei device on the ISP network uses the TPID value of 0x9100.
[Figure 10-11: networking diagram, not reproduced. Labels: ISP (VLAN 100,200; TPID=0x9100); Switch A and Switch B, each with GE0/0/1, GE0/0/2, and GE0/0/3.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLAN 100 and VLAN 200 on SwitchA and SwitchB. Configure interfaces
connected to the two enterprises as QinQ interfaces and add them to VLAN 100 and
VLAN 200 respectively, so that packets from the two enterprises are tagged with
different outer VLAN tags.
2. Add interfaces of SwitchA and SwitchB connected to the ISP network to VLAN 100 and
VLAN 200 so that packets from the two VLANs are allowed to pass through.
3. On the interfaces of SwitchA and SwitchB connected to the ISP network, set the TPID in
outer VLAN tags to the value used on the non-Huawei device so that SwitchA and
SwitchB can interwork with the non-Huawei device.
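Why the TPID in item 3 has to match on both sides, shown at frame level. This is an added Python example, not part of the Huawei guide; the receiver in parse_tags is a simplified model, and the MAC addresses, inner VLAN 10 and payload are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100  # standard 802.1Q TPID, used here for the inner (customer) tag
TPID_ISP = 0x9100    # outer TPID used by the non-Huawei ISP device in this scenario


def build_frame(dst, src, tags, ethertype, payload):
    """Build an Ethernet frame. tags is a list of (tpid, vid), outermost first."""
    frame = dst + src
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)  # PCP/DEI bits left at 0
    return frame + struct.pack("!H", ethertype) + payload


def push_outer_tag(frame, tpid, vid):
    """QinQ stacking: insert a new outer tag right after the two MAC addresses."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID out of range")
    if len(frame) < 14:
        raise ValueError("frame too short")
    return frame[:12] + struct.pack("!HH", tpid, vid) + frame[12:]


def parse_tags(frame, outer_tpid):
    """Read the tag stack as a port configured with outer_tpid would (simplified):
    the outermost tag is recognised only if its TPID equals outer_tpid, and any
    further tags must carry 0x8100. Returns (vids outermost first, ethertype)."""
    offset, vids, expected = 12, [], outer_tpid
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype != expected:
            return vids, etype          # first field that is not a known tag
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)
        offset += 4
        expected = TPID_8021Q           # inner tags use the standard TPID


# Constructed customer frame: single 802.1Q tag, VLAN 10, IPv4 ethertype.
CUSTOMER_FRAME = build_frame(
    bytes.fromhex("00e0fc000002"), bytes.fromhex("00e0fc000001"),
    [(TPID_8021Q, 10)], 0x0800, b"constructed payload")

if __name__ == "__main__":
    # The ISP-facing port adds outer VLAN 100 with the ISP's TPID.
    qinq = push_outer_tag(CUSTOMER_FRAME, TPID_ISP, 100)
    print("receiver expecting 0x9100:", parse_tags(qinq, TPID_ISP))
    # A receiver still expecting 0x8100 sees no VLAN tag at all, only an
    # unknown ethertype 0x9100, so it cannot place the frame in VLAN 100.
    print("receiver expecting 0x8100:", parse_tags(qinq, TPID_8021Q))
```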
Procedure
Step 1 Create VLANs.
# Create VLAN 100 and VLAN 200 on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200
Step 3 Configure the interfaces of SwitchA and SwitchB connected to the ISP network.
# Add GE0/0/3 of SwitchA to VLAN 100 and VLAN 200. The configuration of SwitchB is
similar to the configuration of SwitchA, and is not mentioned here.
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 200
[SwitchA-GigabitEthernet0/0/3] quit
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200
#
interface GigabitEthernet0/0/1
Networking Requirements
As shown in Figure 10-12, Internet access users (using PCs) and VoIP users (using VoIP
terminals) connect to the ISP network through SwitchA and SwitchB and communicate with
each other through the ISP network.
The enterprise assigns VLAN 100 to PCs and VLAN 300 to VoIP terminals. Packets from
PCs and VoIP terminals need to be transmitted over the ISP network in VLAN 2 and VLAN 3
respectively.
[Figure 10-12: networking diagram, not reproduced. SwitchA and SwitchB each connect to the carrier network through GE0/0/2 and to a PC and a VoIP terminal through GE0/0/1.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on SwitchA and SwitchB.
2. Configure link types of interfaces on SwitchA and SwitchB and add the interfaces to
VLANs.
3. Configure selective QinQ on interfaces of SwitchA and SwitchB.
Procedure
Step 1 Create VLANs.
# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs in the outer VLAN tags to be
added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3
# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs in the outer VLAN tags to be
added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 2 3
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet0/0/1
port link-type hybrid
qinq vlan-translation enable
port hybrid untagged vlan 2 to 3
port vlan-stacking vlan 100 stack-vlan 2
port vlan-stacking vlan 300 stack-vlan 3
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
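A consistency check for selective QinQ configuration files like the one above, as an added Python example (not a Huawei tool). The three checks follow the pattern of this page's SwitchA files: outer VLANs are created, the stacking interface is hybrid with the outer VLAN untagged, and qinq vlan-translation enable is present. Treating them as requirements is an assumption; BAD_CONFIG is constructed.

```python
import re

STACK_RE = re.compile(r"port vlan-stacking vlan (\d+)(?: to (\d+))? stack-vlan (\d+)$")


def expand_vlans(tokens):
    """Expand a VLAN list such as ['2', 'to', '3'] or ['100', '200'] into a set."""
    vlans, i = set(), 0
    while i < len(tokens):
        lo = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            hi = int(tokens[i + 2])
            i += 3
        else:
            hi = lo
            i += 1
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_config(text):
    """Collect created VLANs and the per-interface settings relevant to stacking."""
    cfg = {"vlans": set(), "interfaces": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None                      # '#' closes a config section
        elif line.startswith("vlan batch "):
            cfg["vlans"] |= expand_vlans(line.split()[2:])
        elif line.startswith("interface "):
            current = cfg["interfaces"].setdefault(line.split(None, 1)[1], {
                "link_type": None, "untagged": set(),
                "translation": False, "stacking": []})
        elif current is not None:
            if line.startswith("port link-type "):
                current["link_type"] = line.split()[2]
            elif line.startswith("port hybrid untagged vlan "):
                current["untagged"] |= expand_vlans(line.split()[4:])
            elif line == "qinq vlan-translation enable":
                current["translation"] = True
            else:
                m = STACK_RE.match(line)
                if m:
                    lo = int(m.group(1))
                    hi = int(m.group(2) or lo)
                    current["stacking"].append((lo, hi, int(m.group(3))))
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    for name, intf in cfg["interfaces"].items():
        if not intf["stacking"]:
            continue
        if intf["link_type"] != "hybrid":
            findings.append(f"{name}: link type is {intf['link_type']}, not hybrid")
        if not intf["translation"]:
            findings.append(f"{name}: qinq vlan-translation enable is missing")
        for lo, hi, outer in intf["stacking"]:
            if outer not in cfg["vlans"]:
                findings.append(f"{name}: stack-vlan {outer} has not been created")
            if outer not in intf["untagged"]:
                findings.append(f"{name}: stack-vlan {outer} is not an untagged VLAN")
    return findings


# SwitchA configuration file from this page.
GOOD_CONFIG = """\
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet0/0/1
 port link-type hybrid
 qinq vlan-translation enable
 port hybrid untagged vlan 2 to 3
 port vlan-stacking vlan 100 stack-vlan 2
 port vlan-stacking vlan 300 stack-vlan 3
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
#
return
"""

# Constructed variant: VLAN 3 was never created or added, translation not enabled.
BAD_CONFIG = """\
vlan batch 2
#
interface GigabitEthernet0/0/1
 port link-type hybrid
 port hybrid untagged vlan 2
 port vlan-stacking vlan 100 stack-vlan 2
 port vlan-stacking vlan 300 stack-vlan 3
#
return
"""

if __name__ == "__main__":
    for finding in audit(parse_config(BAD_CONFIG)):
        print(finding)
```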
Networking Requirements
As shown in Figure 10-13, Internet access, IPTV, and VoIP services are provided for users
through home gateways.
• VLANs for the Internet access service of different users: VLAN 1000 to VLAN 1100
• Shared VLAN for the IPTV service: VLAN 1101
• Shared VLAN for the VoIP service: VLAN 1102
• Shared VLAN for home gateways: VLAN 1103
Each community switch is connected to 50 downstream corridor switches, and maps VLAN
IDs in packets of the Internet access service from the corridor switches to VLANs 101-150.
Figure 10-13 Networking diagram for configuring selective QinQ and VLAN mapping
[Diagram not reproduced. Surviving labels: ME60, Internet.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on SwitchA and SwitchB.
2. Configure VLAN mapping on SwitchB and add GE 0/0/1 and GE 0/0/2 to VLANs.
3. Configure selective QinQ on SwitchA and add GE 0/0/1 to VLANs.
4. Add other downlink interfaces of SwitchA and SwitchB to VLANs. The configurations
are similar to the configurations of GE 0/0/1 interfaces, and are not mentioned here.
5. Configure other community switches. The configuration is similar to the configuration of
SwitchB, and is not mentioned here.
Procedure
Step 1 Configure SwitchA.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 21 to 70 1101 to 1103
The Internet access service, IPTV service, and VoIP service are available.
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 21 to 70 1101 to 1103
#
interface GigabitEthernet0/0/1
port link-type hybrid
qinq vlan-translation enable
port hybrid tagged vlan 1101 to 1103
port hybrid untagged vlan 21
port vlan-stacking vlan 101 to 150 stack-vlan 21
#
return
Networking Requirements
As shown in Figure 10-14, Internet access users (using PCs) and VoIP users (using VoIP
terminals) connect to the ISP network through SwitchA and SwitchB. These users
communicate with each other through the ISP network.
Packets from PCs and VoIP terminals need to be transmitted over the ISP network in VLAN 2
and VLAN 3 respectively.
You can configure a traffic policy to implement selective QinQ on the Switch.
NOTE
Only the S1720X, S1720X-E, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI
support this example.
[Figure 10-14: networking diagram, not reproduced. SwitchA and SwitchB each connect to the carrier network through GE0/0/2 and to a PC and a VoIP terminal through GE0/0/1.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on SwitchA and SwitchB.
2. Configure traffic classifiers, traffic behaviors, and bind them in a traffic policy on
SwitchA and SwitchB.
3. Configure link types of interfaces on SwitchA and SwitchB, and add the interfaces to
VLANs.
4. Apply the traffic policy to interfaces of SwitchA and SwitchB to implement selective
QinQ.
Procedure
Step 1 Create VLANs.
# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs in the outer VLAN tags to be
added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3
# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs in the outer VLAN tags to be
added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 2 3
[SwitchA-classifier-name1] quit
[SwitchA] traffic behavior name1
[SwitchA-behavior-name1] add-tag vlan-id 2
[SwitchA-behavior-name1] quit
[SwitchA] traffic classifier name2
[SwitchA-classifier-name2] if-match vlan-id 300 to 400
[SwitchA-classifier-name2] quit
[SwitchA] traffic behavior name2
[SwitchA-behavior-name2] add-tag vlan-id 3
[SwitchA-behavior-name2] quit
[SwitchA] traffic policy name1
[SwitchA-trafficpolicy-name1] classifier name1 behavior name1
[SwitchA-trafficpolicy-name1] classifier name2 behavior name2
[SwitchA-trafficpolicy-name1] quit
Step 3 Apply the traffic policy to interfaces of SwitchA and SwitchB to implement selective QinQ.
If the configurations on SwitchA and SwitchB are correct, the following situations occur:
• PCs can communicate with each other through the ISP network.
• VoIP terminals can communicate with each other through the ISP network.
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 3
#
traffic classifier name1 operator or
if-match vlan-id 100 to 200
traffic classifier name2 operator or
if-match vlan-id 300 to 400
#
traffic behavior name1
add-tag vlan-id 2
traffic behavior name2
add-tag vlan-id 3
#
traffic policy name1
classifier name1 behavior name1
classifier name2 behavior name2
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid untagged vlan 2 to 3
traffic-policy name1 inbound
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
Networking Requirements
As shown in Figure 10-15, CE1 and CE2 are connected to PE1 and PE2 respectively through
VLANs.
NOTE
• Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this example.
• VLAN termination sub-interfaces cannot be created on a VCMP client.
Figure 10-15 Networking diagram for connecting a single-tag VLAN mapping sub-interface to a VLL network
[Diagram not reproduced. Devices: CE1, PE1, P, PE2, CE2, with interfaces GE0/0/1 and GE0/0/2. Loopback1 addresses: 1.1.1.1/32, 2.2.2.2/32, 3.3.3.3/32.]
[Interface table only partly recovered: Loopback1 1.1.1.1/32; GigabitEthernet0/0/2, GigabitEthernet0/0/2.1; Loopback1 3.3.3.3/32; Loopback1 2.2.2.2/32.]
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Add interfaces of CEs, PEs, and P to VLANs and configure IP addresses for the VLANIF
interfaces according to Figure 10-15.
# Configure CE1 to ensure that packets sent from CE1 to PE1 carry a VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 0/0/1
[CE1-GigabitEthernet0/0/1] port link-type trunk
[CE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE1-GigabitEthernet0/0/1] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.10.10.1 24
[CE1-Vlanif10] quit
# Configure CE2 to ensure that packets sent from CE2 to PE2 carry a VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 20
[CE2] interface gigabitethernet 0/0/1
[CE2-GigabitEthernet0/0/1] port link-type trunk
[CE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 20
[CE2-GigabitEthernet0/0/1] quit
[CE2] interface vlanif 20
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 0/0/2
[PE1-GigabitEthernet0/0/2] port link-type hybrid
[PE1-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[PE1-GigabitEthernet0/0/2] port hybrid tagged vlan 20
[PE1-GigabitEthernet0/0/2] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 10.1.1.1 24
[PE1-Vlanif20] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 0/0/1
[P-GigabitEthernet0/0/1] port link-type hybrid
[P-GigabitEthernet0/0/1] port hybrid pvid vlan 30
[P-GigabitEthernet0/0/1] port hybrid tagged vlan 30
[P-GigabitEthernet0/0/1] quit
[P] interface gigabitethernet 0/0/2
[P-GigabitEthernet0/0/2] port link-type hybrid
[P-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[P-GigabitEthernet0/0/2] port hybrid tagged vlan 20
[P-GigabitEthernet0/0/2] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 10.1.1.2 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 10.2.2.2 24
[P-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] port link-type hybrid
[PE2-GigabitEthernet0/0/1] port hybrid pvid vlan 30
[PE2-GigabitEthernet0/0/1] port hybrid tagged vlan 30
[PE2-GigabitEthernet0/0/1] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 10.2.2.1 24
[PE2-Vlanif30] quit
Step 2 Configure an IGP on the MPLS backbone network. OSPF is used in this example.
Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the LSR IDs.
# Configure PE1.
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 10.2.2.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 10.2.2.1 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command to verify that the OSPF neighbor
relationship status is Full. Run the display ip routing-table command to verify that the PEs
learn the route to the Loopback1 interface of each other. The following is the display on PE1:
[PE1] display ospf peer
Step 3 Enable basic MPLS functions and MPLS LDP on the MPLS network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
# Configure PE1.
[PE1] mpls ldp remote-peer 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] remote-ip 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 to
view the LDP session setup. You can see that an LDP session has been set up between PE1
and PE2.
----End
Configuration Files
• CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.3
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
#
interface GigabitEthernet0/0/1.1
qinq mapping vid 10 map-vlan vid 20
mpls l2vc 3.3.3.3 101
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
• P configuration file
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 20
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
return
NOTE
• Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this example.
• VLAN termination sub-interfaces cannot be created on a VCMP client.
Figure 10-16 Networking diagram for connecting a double-tag VLAN mapping sub-interface to a VLL network
[Diagram not reproduced. Devices: CE1, Switch1, PE1, P, PE2, Switch2, CE2, with interfaces GE0/0/1 and GE0/0/2. Loopback1 addresses: 1.1.1.1/32, 2.2.2.2/32, 3.3.3.3/32.]
[Interface table only partly recovered: Loopback1 1.1.1.1/32; GigabitEthernet0/0/2, GigabitEthernet0/0/2.1; Loopback1 3.3.3.3/32; Loopback1 2.2.2.2/32.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol on PE and P devices of the backbone network to implement
interworking, and enable MPLS.
2. Use the default tunnel policy to create an LSP for data transmission.
3. Enable MPLS L2VPN and create VC connections on PEs.
4. Create a sub-interface on the PE1 interface connected to Switch1, configure double-tag
VLAN mapping, and create a VC to connect the QinQ sub-interface to a VLL network.
5. Create a sub-interface on the PE2 interface connected to Switch2, and create a VC to
connect the QinQ sub-interface to a VLL network.
6. Configure selective QinQ on the switch interfaces connected to CEs.
Procedure
Step 1 Configure the VLANs on the CE, PE, and P devices, add interfaces to the VLANs, and assign
IP addresses to the corresponding VLANIF interfaces according to Figure 10-16.
# Configure CE1 to ensure that each packet sent from CE1 to Switch1 carries one VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE1
# Configure CE2 to ensure that each packet sent from CE2 to Switch2 carries one VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 0/0/1
[CE2-GigabitEthernet0/0/1] port link-type trunk
[CE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE2-GigabitEthernet0/0/1] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.10.10.2 24
[CE2-Vlanif10] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 0/0/2
[PE1-GigabitEthernet0/0/2] port link-type hybrid
[PE1-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[PE1-GigabitEthernet0/0/2] port hybrid tagged vlan 20
[PE1-GigabitEthernet0/0/2] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 10.1.1.1 24
[PE1-Vlanif20] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 0/0/1
[P-GigabitEthernet0/0/1] port link-type hybrid
[P-GigabitEthernet0/0/1] port hybrid pvid vlan 30
[P-GigabitEthernet0/0/1] port hybrid tagged vlan 30
[P-GigabitEthernet0/0/1] quit
[P] interface gigabitethernet 0/0/2
[P-GigabitEthernet0/0/2] port link-type hybrid
[P-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[P-GigabitEthernet0/0/2] port hybrid tagged vlan 20
[P-GigabitEthernet0/0/2] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 10.1.1.2 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 10.2.2.2 24
[P-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] port link-type hybrid
[PE2-GigabitEthernet0/0/1] port hybrid pvid vlan 30
[PE2-GigabitEthernet0/0/1] port hybrid tagged vlan 30
[PE2-GigabitEthernet0/0/1] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 10.2.2.1 24
[PE2-Vlanif30] quit
Step 2 Configure selective QinQ on switch interfaces and specify the VLANs allowed by the
interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 100
[Switch1-vlan100] quit
[Switch1] interface gigabitethernet0/0/2
[Switch1-GigabitEthernet0/0/2] port link-type hybrid
[Switch1-GigabitEthernet0/0/2] port hybrid tagged vlan 100
[Switch1-GigabitEthernet0/0/2] quit
[Switch1] interface gigabitethernet0/0/1
[Switch1-GigabitEthernet0/0/1] port link-type hybrid
[Switch1-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[Switch1-GigabitEthernet0/0/1] qinq vlan-translation enable
[Switch1-GigabitEthernet0/0/1] port vlan-stacking vlan 10 stack-vlan 100
[Switch1-GigabitEthernet0/0/1] quit
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan 200
[Switch2-vlan200] quit
[Switch2] interface gigabitethernet0/0/2
[Switch2-GigabitEthernet0/0/2] port link-type hybrid
[Switch2-GigabitEthernet0/0/2] port hybrid tagged vlan 200
[Switch2-GigabitEthernet0/0/2] quit
[Switch2] interface gigabitethernet0/0/1
[Switch2-GigabitEthernet0/0/1] port link-type hybrid
[Switch2-GigabitEthernet0/0/1] port hybrid untagged vlan 200
[Switch2-GigabitEthernet0/0/1] qinq vlan-translation enable
[Switch2-GigabitEthernet0/0/1] port vlan-stacking vlan 10 stack-vlan 200
[Switch2-GigabitEthernet0/0/1] quit
Step 3 Configure an IGP on the MPLS backbone network. OSPF is used in this example.
Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the LSR IDs.
# Configure PE1.
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 10.2.2.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
# After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command to verify that the OSPF neighbor
relationship status is Full. Run the display ip routing-table command to verify that the PEs
learn the route to the Loopback1 interface of each other. The following is the display on PE1:
[PE1] display ospf peer
Step 4 Enable basic MPLS functions and MPLS LDP on the MPLS network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 to
view the LDP session setup. You can see that an LDP session has been set up between PE1
and PE2.
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 0000:15:29 3717/3717
3.3.3.3:0 Operational DU Passive 0000:00:00 2/2
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.
Check the L2VPN connections on PEs. You can see that an L2VC connection has been set up
and is in Up state.
Color : --
DomainId : --
Domain Name : --
----End
Configuration Files
• CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.3
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
#
interface GigabitEthernet0/0/1.1
qinq mapping pe-vid 100 ce-vid 10 map-vlan vid 200
mpls l2vc 3.3.3.3 101
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
• P configuration file
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 20
NOTE
• Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this example.
• VLAN termination sub-interfaces cannot be created on a VCMP client.
Figure 10-17 Networking diagram for connecting a VLAN stacking sub-interface to a VLL network
[Diagram not reproduced. Devices: CE1, Switch1, PE1, P, PE2, Switch2, CE2, with interfaces GE0/0/1 and GE0/0/2. Loopback1 addresses: 1.1.1.1/32, 2.2.2.2/32, 3.3.3.3/32.]
[Interface table only partly recovered: Loopback1 1.1.1.1/32; GigabitEthernet0/0/2, GigabitEthernet0/0/2.1; Loopback1 3.3.3.3/32; Loopback1 2.2.2.2/32.]
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Create VLANs on the CE, PE, and P devices, add interfaces to the VLANs, and assign IP
addresses to VLANIF interfaces according to Figure 10-17.
# Configure CE1 to ensure that each packet sent from CE1 to Switch1 carries one VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 0/0/1
[CE1-GigabitEthernet0/0/1] port link-type trunk
[CE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE1-GigabitEthernet0/0/1] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.10.10.1 24
[CE1-Vlanif10] quit
# Configure CE2 to ensure that each packet sent from CE2 to Switch2 carries one VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 0/0/1
[CE2-GigabitEthernet0/0/1] port link-type trunk
[CE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE2-GigabitEthernet0/0/1] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.10.10.2 24
[CE2-Vlanif10] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 0/0/2
[PE1-GigabitEthernet0/0/2] port link-type hybrid
[PE1-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[PE1-GigabitEthernet0/0/2] port hybrid tagged vlan 20
[PE1-GigabitEthernet0/0/2] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 10.1.1.1 24
[PE1-Vlanif20] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 0/0/1
[P-GigabitEthernet0/0/1] port link-type hybrid
[P-GigabitEthernet0/0/1] port hybrid pvid vlan 30
[P-GigabitEthernet0/0/1] port hybrid tagged vlan 30
[P-GigabitEthernet0/0/1] quit
[P] interface gigabitethernet 0/0/2
[P-GigabitEthernet0/0/2] port link-type hybrid
[P-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[P-GigabitEthernet0/0/2] port hybrid tagged vlan 20
[P-GigabitEthernet0/0/2] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 10.1.1.2 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 10.2.2.2 24
[P-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] port link-type hybrid
[PE2-GigabitEthernet0/0/1] port hybrid pvid vlan 30
[PE2-GigabitEthernet0/0/1] port hybrid tagged vlan 30
[PE2-GigabitEthernet0/0/1] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 10.2.2.1 24
[PE2-Vlanif30] quit
Step 2 Configure selective QinQ on switch interfaces and specify the VLANs allowed by the
interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 10
[Switch1-vlan10] quit
[Switch1] interface gigabitethernet0/0/2
[Switch1-GigabitEthernet0/0/2] port link-type hybrid
[Switch1-GigabitEthernet0/0/2] port hybrid tagged vlan 10
[Switch1-GigabitEthernet0/0/2] quit
[Switch1] interface gigabitethernet0/0/1
[Switch1-GigabitEthernet0/0/1] port link-type hybrid
[Switch1-GigabitEthernet0/0/1] port hybrid tagged vlan 10
[Switch1-GigabitEthernet0/0/1] quit
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan 100
[Switch2-vlan100] quit
[Switch2] interface gigabitethernet0/0/2
[Switch2-GigabitEthernet0/0/2] port link-type hybrid
[Switch2-GigabitEthernet0/0/2] port hybrid tagged vlan 100
[Switch2-GigabitEthernet0/0/2] quit
[Switch2] interface gigabitethernet0/0/1
[Switch2-GigabitEthernet0/0/1] port link-type hybrid
[Switch2-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[Switch2-GigabitEthernet0/0/1] qinq vlan-translation enable
[Switch2-GigabitEthernet0/0/1] port vlan-stacking vlan 10 stack-vlan 100
[Switch2-GigabitEthernet0/0/1] quit
Step 3 Configure an IGP on the MPLS backbone network. OSPF is used in this example.
Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the LSR IDs.
# Configure PE1.
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 10.2.2.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 10.2.2.1 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command to verify that the OSPF neighbor
relationship status is Full. Run the display ip routing-table command to verify that the PEs
learn the route to the Loopback1 interface of each other. The following is the display on PE1:
[PE1] display ospf peer
Step 4 Enable basic MPLS functions and MPLS LDP on the MPLS network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
# Configure PE1.
[PE1] mpls ldp remote-peer 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] remote-ip 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 to
view the LDP session setup. You can see that an LDP session is set up between PE1 and PE2.
----End
Configuration Files
• CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/0/1
• P configuration file
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet0/0/2.1
qinq termination pe-vid 100 ce-vid 10
mpls l2vc 1.1.1.1 101
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
NOTE
• Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this example.
• VLAN termination sub-interfaces cannot be created on a VCMP client.
Figure 10-18 Networking diagram for connecting a single-tag VLAN mapping sub-interface to a VPLS network
[Diagram not reproduced. Devices: CE1, PE1, P, PE2, CE2. Loopback1 addresses: PE1 1.1.1.1/32, P 2.2.2.2/32, PE2 3.3.3.3/32.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol on the backbone network to implement interworking
between devices.
2. Set up a remote LDP session between PEs.
3. Establish tunnels between PEs to transmit service data.
4. Enable MPLS L2VPN on the PEs.
5. Create a VSI on the PEs and specify LDP as the signaling protocol.
6. Configure single-tag VLAN mapping on the PE1 sub-interface connected to CE1 and
bind the sub-interface to the VSI to connect it to the VPLS network.
7. Configure a Dot1q sub-interface on the interface of PE2 connected to CE2 and bind the
sub-interface to the VSI to connect it to the VPLS network.
Procedure
Step 1 Create VLANs on the CE, PE, and P devices, add interfaces to the VLANs, and assign IP
addresses to VLANIF interfaces according to Figure 10-18.
NOTE
• The AC-side and PW-side physical interfaces of a PE cannot be added to the same VLAN;
otherwise, a loop may occur.
• After the configuration is complete, the packets sent from a CE to a PE must carry a VLAN tag.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 0/0/1
[CE1-GigabitEthernet0/0/1] port link-type trunk
[CE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE1-GigabitEthernet0/0/1] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 20
[CE2] interface gigabitethernet 0/0/1
[CE2-GigabitEthernet0/0/1] port link-type trunk
[CE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 20
[CE2-GigabitEthernet0/0/1] quit
[CE2] interface vlanif 20
[CE2-Vlanif20] ip address 10.1.1.2 24
[CE2-Vlanif20] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 0/0/2
[PE1-GigabitEthernet0/0/2] port link-type hybrid
[PE1-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[PE1-GigabitEthernet0/0/2] port hybrid tagged vlan 20
[PE1-GigabitEthernet0/0/2] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 0/0/1
[P-GigabitEthernet0/0/1] port link-type hybrid
[P-GigabitEthernet0/0/1] port hybrid pvid vlan 20
[P-GigabitEthernet0/0/1] port hybrid tagged vlan 20
[P-GigabitEthernet0/0/1] quit
[P] interface gigabitethernet 0/0/2
[P-GigabitEthernet0/0/2] port link-type hybrid
[P-GigabitEthernet0/0/2] port hybrid pvid vlan 30
[P-GigabitEthernet0/0/2] port hybrid tagged vlan 30
[P-GigabitEthernet0/0/2] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 4.4.4.5 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 5.5.5.4 24
[P-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] port link-type hybrid
[PE2-GigabitEthernet0/0/1] port hybrid pvid vlan 30
[PE2-GigabitEthernet0/0/1] port hybrid tagged vlan 30
[PE2-GigabitEthernet0/0/1] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 5.5.5.5 24
[PE2-Vlanif30] quit
# Configure P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 4.4.4.5 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 5.5.5.4 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, run the display ip routing-table command on PE1, P,
and PE2. You can view the routes that PE1, P, and PE2 have learned from each other. The
following is the display on PE1:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
After the configuration is complete, run the display mpls ldp session command on PE1, P,
and PE2. You can see that the peer relationships are set up between PE1 and P, and between P
and PE2. The status of the peer relationship is Operational. Run the display mpls ldp
command to view the MPLS LDP configuration. The following is the display on PE1:
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 0000:15:29 3717/3717
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 or
PE2. You can see that the peer status is Operational, indicating that a peer relationship has
been set up between PE1 and PE2. The display on PE1 is used as an example.
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 0000:15:29 3717/3717
3.3.3.3:0 Operational DU Passive 0000:00:00 2/2
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer 1.1.1.1
[PE2-vsi-a2-ldp] quit
[PE2-vsi-a2] quit
# Configure PE1.
# Configure PE2.
[PE2] vcmp role silent
[PE2] interface gigabitethernet0/0/2
[PE2-GigabitEthernet0/0/2] port link-type hybrid
[PE2-GigabitEthernet0/0/2] quit
[PE2] interface gigabitethernet0/0/2.1
[PE2-GigabitEthernet0/0/2.1] dot1q termination vid 20
[PE2-GigabitEthernet0/0/2.1] l2 binding vsi a2
[PE2-GigabitEthernet0/0/2.1] quit
After the configuration is complete, run the display vsi name a2 verbose command on PE1.
You can see that the VSI a2 sets up a PW to PE2 and the VSI status is Up.
[PE1] display vsi name a2 verbose
***VSI Name : a2
Administrator VSI : no
Isolate Spoken : disable
VSI Index : 0
PW Signaling : ldp
Member Discovery Style : static
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
P2P VSI : disable
Create Time : 0 days, 0 hours, 5 minutes, 1 seconds
VSI State : up
VSI ID : 2
*Peer Router ID : 3.3.3.3
Negotiation-vc-id : 2
**PW Information:
----End
Configuration Files
• CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
• CE2 configuration file
#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
return
• PE1 configuration file
#
sysname PE1
#
router id 1.1.1.1
#
vcmp role silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.3
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.3
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 4.4.4.4 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
#
interface GigabitEthernet0/0/1.1
qinq mapping vid 10 map-vlan vid 20
l2 binding vsi a2
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
pwsignal ldp
vsi-id 2
peer 1.1.1.1
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 5.5.5.5 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet0/0/2
port link-type hybrid
#
interface GigabitEthernet0/0/2.1
dot1q termination vid 20
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 5.5.5.0 0.0.0.255
#
return
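The NOTE in Step 1 says that the AC-side and PW-side physical interfaces of a PE cannot be added to the same VLAN. The following Python check is an added example, not part of this guide: it parses a saved configuration file in the `#`-separated format shown above and reports any VLAN shared between a port whose sub-interface is bound to a VSI and a port that carries an MPLS-enabled VLANIF. The sample input is constructed from the PE1 configuration file above, the function names are hypothetical, and only VLANs explicitly configured in the file are considered (default VLAN membership is not modelled).

```python
import re

# Constructed sample: the PE1 configuration file shown above, reduced to the
# stanzas this check reads (indentation restored).
PE1_GOOD = """\
#
interface Vlanif20
 ip address 4.4.4.4 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet0/0/1
 port link-type hybrid
#
interface GigabitEthernet0/0/1.1
 qinq mapping vid 10 map-vlan vid 20
 l2 binding vsi a2
#
interface GigabitEthernet0/0/2
 port link-type hybrid
 port hybrid pvid vlan 20
 port hybrid tagged vlan 20
#
return
"""

# Constructed misconfiguration: the AC-side port is also tagged into VLAN 20.
PE1_BAD = PE1_GOOD.replace(
    "interface GigabitEthernet0/0/1\n port link-type hybrid\n",
    "interface GigabitEthernet0/0/1\n port link-type hybrid\n"
    " port hybrid tagged vlan 20\n",
    1,
)

# Port commands that place a physical interface in one or more VLANs.
VLAN_CMD = re.compile(
    r"^port (?:hybrid (?:pvid|tagged|untagged) vlan|trunk allow-pass vlan"
    r"|trunk pvid vlan|default vlan) (.+)$"
)


def parse_stanzas(text):
    """Split a configuration file on '#' lines into {header: [sub-commands]}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "return":
            continue
        if line == "#":
            current = None          # next non-empty line starts a new stanza
        elif current is None:
            current = line
            stanzas.setdefault(current, [])
        else:
            stanzas[current].append(line)
    return stanzas


def expand_vlans(spec):
    """Expand a VLAN list such as '10 20 to 22' into a set of VLAN IDs."""
    tokens = spec.split()
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        start = end = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end = int(tokens[i + 2])
            i += 2
        vlans.update(range(start, end + 1))
        i += 1
    return vlans


def audit_pe(text):
    """Return (ac_port, pw_port, shared_vlans) for every AC-side port that
    shares an explicitly configured VLAN with a PW-side port."""
    port_vlans, ac_ports, pw_vlans = {}, set(), set()
    for header, cmds in parse_stanzas(text).items():
        m = re.match(r"interface (\S+)$", header)
        if not m:
            continue
        name = m.group(1)
        vlanif = re.match(r"Vlanif(\d+)$", name)
        if vlanif:
            if "mpls" in cmds:                  # MPLS-enabled VLANIF: PW side
                pw_vlans.add(int(vlanif.group(1)))
        elif "." in name:
            if any(c.startswith("l2 binding vsi ") for c in cmds):
                ac_ports.add(name.split(".")[0])  # parent port is the AC side
        else:
            members = set()
            for c in cmds:
                hit = VLAN_CMD.match(c)
                if hit:
                    members |= expand_vlans(hit.group(1))
            port_vlans[name] = members
    findings = []
    for ac in sorted(ac_ports):
        for port, vlans in sorted(port_vlans.items()):
            # A PW-side port is a non-AC port carrying an MPLS-enabled VLAN.
            if port in ac_ports or not vlans & pw_vlans:
                continue
            shared = port_vlans.get(ac, set()) & vlans
            if shared:
                findings.append((ac, port, sorted(shared)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("PE1 as documented", PE1_GOOD), ("PE1 misconfigured", PE1_BAD)):
        print(label, "->", audit_pe(cfg) or "no shared VLAN")
```

The parser strips leading whitespace, so it also accepts configuration text whose indentation was lost in export.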
Networking Requirements
As shown in Figure 10-19, VPLS is enabled on PE1 and PE2. CE1 connects to PE1 through
Switch1 and CE2 connects to PE2 through Switch2. CE1 and CE2 are on the same VPLS
network. To implement communication between CE1 and CE2, use LDP as the VPLS
signaling protocol to establish PWs and configure VPLS.
You are required to configure selective QinQ on the switch interfaces connected to CEs so
that Switch1 and Switch2 add the VLAN tags specified by the carrier to the packets sent from
CEs.
When Switch1 and Switch2 allow different VLAN tags, configure a double-tag VLAN
mapping sub-interface on a PE and connect the sub-interface to the VPLS to enable
communication between CE1 and CE2.
When the Switch is connected to multiple CEs, the Switch can add the same outer VLAN tag
to packets with different VLAN tags from different CEs, thereby saving VLAN IDs on the
public network.
NOTE
• Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this example.
• VLAN termination sub-interfaces cannot be created on a VCMP client.
Figure 10-19 Networking diagram for connecting a double-tag VLAN mapping sub-interface to a VPLS network
[Diagram not reproduced. Devices: CE1, Switch1, PE1, P, PE2, Switch2, CE2. Loopback1 addresses: PE1 1.1.1.1/32, P 2.2.2.2/32, PE2 3.3.3.3/32.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol on the backbone network to implement interworking.
2. Configure selective QinQ on the switch interfaces connected to CEs.
3. Set up a remote LDP session between PEs.
4. Establish tunnels between PEs to transmit service data.
5. Enable MPLS L2VPN on the PEs.
6. Create a VSI on the PEs and specify LDP as the signaling protocol.
7. Configure double-tag VLAN mapping on the sub-interface connected to Switch1 on PE1
and bind the sub-interface to the VSI to connect it to the VPLS network.
8. Configure a QinQ sub-interface on the interface connected to Switch2 on PE2 and bind
the sub-interface to the VSI to connect it to the VPLS network.
Procedure
Step 1 Create VLANs on the devices, add interfaces to the VLANs, and assign IP addresses to
VLANIF interfaces according to Figure 10-19.
NOTE
• The AC-side and PW-side physical interfaces of a PE cannot be added to the same VLAN;
otherwise, a loop may occur.
• Ensure that each packet sent from a CE to the Switch carries one VLAN tag.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 0/0/1
[CE1-GigabitEthernet0/0/1] port link-type trunk
[CE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE1-GigabitEthernet0/0/1] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 0/0/1
[CE2-GigabitEthernet0/0/1] port link-type trunk
[CE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE2-GigabitEthernet0/0/1] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.1.1.2 24
[CE2-Vlanif10] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 0/0/2
[PE1-GigabitEthernet0/0/2] port link-type hybrid
[PE1-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[PE1-GigabitEthernet0/0/2] port hybrid tagged vlan 20
[PE1-GigabitEthernet0/0/2] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 4.4.4.4 24
[PE1-Vlanif20] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 0/0/1
[P-GigabitEthernet0/0/1] port link-type hybrid
[P-GigabitEthernet0/0/1] port hybrid pvid vlan 20
[P-GigabitEthernet0/0/1] port hybrid tagged vlan 20
[P-GigabitEthernet0/0/1] quit
[P] interface gigabitethernet 0/0/2
[P-GigabitEthernet0/0/2] port link-type hybrid
[P-GigabitEthernet0/0/2] port hybrid pvid vlan 30
[P-GigabitEthernet0/0/2] port hybrid tagged vlan 30
[P-GigabitEthernet0/0/2] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 4.4.4.5 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 5.5.5.4 24
[P-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] port link-type hybrid
[PE2-GigabitEthernet0/0/1] port hybrid pvid vlan 30
[PE2-GigabitEthernet0/0/1] port hybrid tagged vlan 30
[PE2-GigabitEthernet0/0/1] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 5.5.5.5 24
[PE2-Vlanif30] quit
Step 2 Configure selective QinQ on switch interfaces and specify the VLANs allowed by the
interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 100
[Switch1-vlan100] quit
[Switch1] interface gigabitethernet0/0/2
[Switch1-GigabitEthernet0/0/2] port link-type hybrid
[Switch1-GigabitEthernet0/0/2] port hybrid tagged vlan 100
[Switch1-GigabitEthernet0/0/2] quit
[Switch1] interface gigabitethernet0/0/1
[Switch1-GigabitEthernet0/0/1] port link-type hybrid
[Switch1-GigabitEthernet0/0/1] qinq vlan-translation enable
[Switch1-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[Switch1-GigabitEthernet0/0/1] port vlan-stacking vlan 10 stack-vlan 100
[Switch1-GigabitEthernet0/0/1] quit
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan 200
[Switch2-vlan200] quit
[Switch2] interface gigabitethernet0/0/2
[Switch2-GigabitEthernet0/0/2] port link-type hybrid
[Switch2-GigabitEthernet0/0/2] port hybrid tagged vlan 200
[Switch2-GigabitEthernet0/0/2] quit
[Switch2] interface gigabitethernet0/0/1
[Switch2-GigabitEthernet0/0/1] port link-type hybrid
[Switch2-GigabitEthernet0/0/1] qinq vlan-translation enable
[Switch2-GigabitEthernet0/0/1] port hybrid untagged vlan 200
[Switch2-GigabitEthernet0/0/1] port vlan-stacking vlan 10 stack-vlan 200
[Switch2-GigabitEthernet0/0/1] quit
# Configure P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 4.4.4.5 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 5.5.5.4 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, run the display ip routing-table command on PE1, P,
and PE2. You can view the routes that PE1, P, and PE2 have learned from each other. The
following is the display on PE1:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
After the configuration is complete, run the display mpls ldp session command on PE1, P,
and PE2. You can see that the peer relationships are set up between PE1 and P, and between P
and PE2. The status of the peer relationship is Operational. Run the display mpls ldp
command to view the MPLS LDP configuration. The following is the display on PE1:
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 0000:15:29 3717/3717
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 or
PE2. You can see that the status of the peer relationship between PE1 and PE2 is
Operational. That is, the peer relationship is set up. The display on PE1 is used as an
example.
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 0000:15:29 3717/3717
3.3.3.3:0 Operational DU Passive 0000:00:00 2/2
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer 1.1.1.1
[PE2-vsi-a2-ldp] quit
[PE2-vsi-a2] quit
# Configure PE2.
***VSI Name : a2
Administrator VSI : no
Isolate Spoken : disable
VSI Index : 0
PW Signaling : ldp
Member Discovery Style : static
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
P2P VSI : disable
Create Time : 0 days, 0 hours, 5 minutes, 1 seconds
VSI State : up
VSI ID : 2
*Peer Router ID : 3.3.3.3
Negotiation-vc-id : 2
primary or secondary : primary
ignore-standby-state : no
VC Label : 23552
Peer Type : dynamic
Session : up
Tunnel ID : 0x22
Broadcast Tunnel ID : 0x22
Broad BackupTunnel ID : 0x0
CKey : 2
NKey : 1
Stp Enable : 0
PwIndex : 0
Control Word : disable
**PW Information:
Ckey : 0x2
Nkey : 0x1
Main PW Token : 0x22
Slave PW Token : 0x0
Tnl Type : LSP
OutInterface : Vlanif20
Backup OutInterface :
Stp Enable : 0
PW Last Up Time : 2010/12/30 11:32:03
PW Total Up Time : 0 days, 0 hours, 0 minutes, 50 seconds
----End
Configuration Files
• CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 5.5.5.5 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet0/0/2
port link-type hybrid
#
interface GigabitEthernet0/0/2.1
qinq termination pe-vid 200 ce-vid 10
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 5.5.5.0 0.0.0.255
#
return
Networking Requirements
As shown in Figure 10-20, VPLS is enabled on PE1 and PE2. CE1 connects to PE1 through
Switch1 and CE2 connects to PE2 through Switch2. CE1 and CE2 are on the same VPLS
network. To implement communication between CE1 and CE2, use LDP as the VPLS
signaling protocol to establish PWs and configure VPLS.
Switch1 forwards the packets sent from CE1 without changing VLAN tags of the packets.
You are required to configure selective QinQ on the interface connected to CE2 so that
Switch2 adds the carrier-specified VLAN tag to the packets sent from CE2.
The packets sent from Switch1 to PE1 contain only one VLAN tag, and the packets sent from
Switch2 to PE2 contain two VLAN tags. In this case, you need to configure VLAN stacking
on the sub-interface of PE1 connected to Switch1 and connect the sub-interface to the VPLS
network to enable communication between CE1 and CE2.
When a Switch is connected to multiple CEs, the Switch can add the same outer VLAN tag to
packets with different VLAN tags from different CEs, thereby saving VLAN IDs on the
public network.
NOTE
• Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this example.
• VLAN termination sub-interfaces cannot be created on a VCMP client.
Figure 10-20 Networking diagram for connecting a VLAN stacking sub-interface to a VPLS network
[Diagram not reproduced. Devices: CE1, Switch1, PE1, P, PE2, Switch2, CE2. Loopback1 addresses: PE1 1.1.1.1/32, P 2.2.2.2/32, PE2 3.3.3.3/32.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol on the backbone network to implement interworking.
2. Add the interface of Switch1 connected to CE1 to a specified VLAN.
3. Configure selective QinQ on the interface of Switch2 connected to CE2.
4. Set up a remote LDP session between PEs.
5. Establish tunnels between PEs to transmit service data.
6. Enable MPLS L2VPN on the PEs.
7. Create a VSI on the PEs and specify LDP as the signaling protocol.
8. Configure a VLAN stacking sub-interface on the interface of PE1 connected to Switch1
and bind the sub-interface to the VSI to connect it to the VPLS network.
9. Configure a QinQ sub-interface on the interface of PE2 connected to Switch2 and bind
the sub-interface to the VSI to connect the sub-interface to the VPLS network.
Procedure
Step 1 Create VLANs on the devices, add interfaces to the VLANs, and assign IP addresses to
VLANIF interfaces according to Figure 10-20.
NOTE
• The AC-side and PW-side physical interfaces of a PE cannot be added to the same VLAN;
otherwise, a loop may occur.
• Ensure that each packet sent from a CE to the Switch carries one VLAN tag.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 0/0/1
[CE1-GigabitEthernet0/0/1] port link-type trunk
[CE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE1-GigabitEthernet0/0/1] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 0/0/1
[CE2-GigabitEthernet0/0/1] port link-type trunk
[CE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE2-GigabitEthernet0/0/1] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 0/0/2
[PE1-GigabitEthernet0/0/2] port link-type hybrid
[PE1-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[PE1-GigabitEthernet0/0/2] port hybrid tagged vlan 20
[PE1-GigabitEthernet0/0/2] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 4.4.4.4 24
[PE1-Vlanif20] quit
# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 0/0/1
[P-GigabitEthernet0/0/1] port link-type hybrid
[P-GigabitEthernet0/0/1] port hybrid pvid vlan 20
[P-GigabitEthernet0/0/1] port hybrid tagged vlan 20
[P-GigabitEthernet0/0/1] quit
[P] interface gigabitethernet 0/0/2
[P-GigabitEthernet0/0/2] port link-type hybrid
[P-GigabitEthernet0/0/2] port hybrid pvid vlan 30
[P-GigabitEthernet0/0/2] port hybrid tagged vlan 30
[P-GigabitEthernet0/0/2] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 4.4.4.5 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 5.5.5.4 24
[P-Vlanif30] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] port link-type hybrid
[PE2-GigabitEthernet0/0/1] port hybrid pvid vlan 30
[PE2-GigabitEthernet0/0/1] port hybrid tagged vlan 30
[PE2-GigabitEthernet0/0/1] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 5.5.5.5 24
[PE2-Vlanif30] quit
Step 2 Configure selective QinQ on switch interfaces and specify the VLANs allowed by the
interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 10
[Switch1-vlan10] quit
[Switch1] interface gigabitethernet0/0/2
[Switch1-GigabitEthernet0/0/2] port link-type hybrid
[Switch1-GigabitEthernet0/0/2] port hybrid tagged vlan 10
[Switch1-GigabitEthernet0/0/2] quit
[Switch1] interface gigabitethernet0/0/1
[Switch1-GigabitEthernet0/0/1] port link-type hybrid
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan 100
[Switch2-vlan100] quit
[Switch2] interface gigabitethernet0/0/2
[Switch2-GigabitEthernet0/0/2] port link-type hybrid
[Switch2-GigabitEthernet0/0/2] port hybrid tagged vlan 100
[Switch2-GigabitEthernet0/0/2] quit
[Switch2] interface gigabitethernet0/0/1
[Switch2-GigabitEthernet0/0/1] port link-type hybrid
[Switch2-GigabitEthernet0/0/1] qinq vlan-translation enable
[Switch2-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[Switch2-GigabitEthernet0/0/1] port vlan-stacking vlan 10 stack-vlan 100
[Switch2-GigabitEthernet0/0/1] quit
# Configure P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 4.4.4.5 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 5.5.5.4 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration is complete, run the display ip routing-table command on PE1, P,
and PE2. You can view the routes that PE1, P, and PE2 have learned from each other. The
following is the display on PE1:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
# Configure P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
After the configuration is complete, run the display mpls ldp session command on PE1, P,
and PE2. You can see that the peer relationships are set up between PE1 and P, and between P
and PE2. The status of the peer relationship is Operational. Run the display mpls ldp
command to view the MPLS LDP configuration. The following is the display on PE1:
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1 or
PE2. You can see that the peer status is Operational, indicating that a peer relationship has
been set up between PE1 and PE2. The display on PE1 is used as an example.
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 0000:15:29 3717/3717
3.3.3.3:0 Operational DU Passive 0000:00:00 2/2
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer 1.1.1.1
[PE2-vsi-a2-ldp] quit
[PE2-vsi-a2] quit
# Configure PE2.
[PE2] vcmp role silent
[PE2] interface gigabitethernet0/0/2
[PE2-GigabitEthernet0/0/2] port link-type hybrid
[PE2-GigabitEthernet0/0/2] quit
[PE2] interface gigabitethernet0/0/2.1
[PE2-GigabitEthernet0/0/2.1] qinq termination pe-vid 100 ce-vid 10
[PE2-GigabitEthernet0/0/2.1] l2 binding vsi a2
[PE2-GigabitEthernet0/0/2.1] quit
***VSI Name : a2
Administrator VSI : no
Isolate Spoken : disable
VSI Index : 0
PW Signaling : ldp
Member Discovery Style : static
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
P2P VSI : disable
Create Time : 0 days, 0 hours, 5 minutes, 1 seconds
VSI State : up
VSI ID : 2
*Peer Router ID : 3.3.3.3
Negotiation-vc-id : 2
primary or secondary : primary
ignore-standby-state : no
VC Label : 23552
Peer Type : dynamic
Session : up
Tunnel ID : 0x22
Broadcast Tunnel ID : 0x22
Broad BackupTunnel ID : 0x0
CKey : 2
NKey : 1
Stp Enable : 0
PwIndex : 0
Control Word : disable
**PW Information:
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
#
vcmp role silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 5.5.5.5 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet0/0/2
port link-type hybrid
#
interface GigabitEthernet0/0/2.1
qinq termination pe-vid 100 ce-vid 10
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 5.5.5.0 0.0.0.255
#
return
Figure 10-21 Networking diagram for configuring QinQ stacking on a VLANIF interface
[Figure: SwitchA, SwitchB, SwitchC, user1 (VLAN 10), Internet]
To remotely log in to SwitchB from SwitchA to manage VLAN services, configure QinQ
stacking on the VLANIF interface corresponding to the management VLAN on SwitchB.
NOTE
When configuring QinQ stacking on a VLANIF interface, ensure that the VLANIF interface
corresponds to the management VLAN. VLANIF interfaces corresponding to other VLANs do not
support QinQ stacking.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure QinQ on SwitchA.
2. Perform the following configurations on SwitchB:
a. Create VLAN 10 and configure VLAN 10 as the management VLAN.
b. Create VLANIF 10.
c. Configure QinQ stacking on a VLANIF interface.
Procedure
Step 1 Configure SwitchC.
# Configure SwitchC to allow packets from VLAN 10 to pass through GE0/0/1 and GE0/0/2.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 10
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type hybrid
[SwitchC-GigabitEthernet0/0/1] port hybrid tagged vlan 10
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type hybrid
[SwitchC-GigabitEthernet0/0/2] port hybrid tagged vlan 10
[SwitchC-GigabitEthernet0/0/2] quit
# Configure QinQ so that the packets sent from SwitchA to SwitchB carry double tags.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 20
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type hybrid
[SwitchA-GigabitEthernet0/0/1] qinq vlan-translation enable
[SwitchA-GigabitEthernet0/0/1] port vlan-stacking vlan 10 stack-vlan 20
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 20
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type hybrid
[SwitchA-GigabitEthernet0/0/2] port hybrid tagged vlan 20
[SwitchA-GigabitEthernet0/0/2] quit
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 20
#
interface GigabitEthernet0/0/1
port link-type hybrid
qinq vlan-translation enable
port hybrid untagged vlan 20
port vlan-stacking vlan 10 stack-vlan 20
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid tagged vlan 20
#
return
Procedure
1. Run the display this command in the view of the interface configured with selective
QinQ to check the outer VLAN tag.
2. Run the display vlan summary command in any view to check whether the outer
VLAN has been created.
<HUAWEI> display vlan summary
Static vlan:
Total 3 static vlan.
1 9 to 10
Dynamic vlan:
Total 0 dynamic vlan.
Reserved vlan:
Total 0 reserved vlan.
– If the command output contains the outer VLAN ID, the outer VLAN has been
created. Continue to check for other common misconfigurations.
– If the command output does not contain the outer VLAN ID, the outer VLAN is not
created. Run the vlan batch command to create a VLAN and check whether QinQ
traffic can be correctly transmitted. If traffic forwarding still fails, continue to check
for other common misconfigurations.
Fault Symptom
After selective QinQ is configured on an interface, traffic forwarding fails.
Procedure
1. Run the display this command in the view of the interface configured with selective
QinQ to check the outer VLAN tag.
2. Run the display vlan vlan-id command in any view to check whether the interface
configured with selective QinQ belongs to the outer VLAN. vlan-id specifies the outer
VLAN ID.
<HUAWEI> display vlan 3
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------
VID Type Ports
--------------------------------------------------------------------------------
3 common UT:GE0/0/2(U)
– If the system displays the message "Error:The VLAN does not exist.", the outer
VLAN is not created. Run the vlan batch command to create the outer VLAN and
run the display vlan vlan-id command to check whether the interface belongs to the
VLAN.
– If the command output does not contain the interface configured with selective
QinQ, run the port hybrid untagged vlan vlan-id command to add the interface to
the VLAN in untagged mode.
– If the command output displays the interface configured with selective
QinQ but the flag before the interface is not UT, run the port hybrid untagged
vlan vlan-id command to add the interface to the VLAN in untagged mode.
– If the command output displays the interface configured with selective QinQ and
the interface has joined the VLAN in untagged mode, continue to check for other
common misconfigurations.
l If the switch is running a version later than V100R005, one or more inner VLAN IDs in
QinQ can be directly deleted.
This chapter describes how to configure VLAN mapping. VLAN mapping is configured on
the edge device of the public network so that the VLANs of private networks are isolated
from S-VLANs. This saves S-VLAN resources.
Definition
VLAN mapping technology changes VLAN tags in packets to map different VLANs.
Purpose
Two Layer 2 user networks in the same VLAN can be connected through a backbone
network. To ensure Layer 2 connectivity between users, and to uniformly deploy Layer 2
protocols, the two user networks need to interwork seamlessly. However, the backbone
network cannot directly transmit VLAN packets from the user networks, because the VLAN
plans on the backbone and user networks are different.
There are two methods to solve this problem. One method is to configure a Layer 2
tunneling technology such as QinQ or VPLS to encapsulate VLAN packets into packets on
the backbone network so that VLAN packets are transparently transmitted. However, this
method adds extra cost because packets are encapsulated. In addition, Layer 2 tunneling
technology may not support transparent transmission of some protocol packets. The other
method is to configure VLAN mapping. When VLAN packets from a user network enter the
backbone network, an edge device on the backbone network changes the customer VLAN
(C-VLAN) ID to the service VLAN (S-VLAN) ID. After the packets are transmitted to the
other side, the edge device changes the S-VLAN ID back to the C-VLAN ID. This method
implements seamless interworking between the two user networks.
Configuring VLAN mapping on the switch connecting the two user networks allows a user to
manage the two networks as a single Layer 2 network, despite the differing VLAN plans of
the user networks.
Working Mechanism
Depending on whether a packet is tagged or untagged, the switch processes a received packet
as follows:
l Tagged packet: Based on the VLAN mapping mode, the switch determines whether a
single tag, double tags, or the outer tag is to be replaced. The switch then learns the
MAC addresses in the packet. The switch updates the MAC address entries in the VLAN
mapping table based on the source MAC address and mapped VLAN ID. It then searches
for the MAC address entries based on the destination MAC address and the mapped
VLAN ID. If the destination MAC address matches an entry, the switch forwards the
packet through the corresponding outbound interface. If not, the switch broadcasts the
packet in the specified VLAN.
l Untagged packet: Based on the VLAN creation mode, the switch determines whether to
add a VLAN tag. If the packet can be added to a VLAN, the switch adds a VLAN tag to
it and learns the MAC addresses. The switch then performs Layer 2 forwarding based on
the destination MAC address. If the packet cannot be added to a VLAN, the switch either
delivers the packet to the CPU or discards it.
Figure 11-1 shows VLAN mapping between VLAN 2 and VLAN 3 configured on PORT 1.
Before sending packets from VLAN 2 to VLAN 3, PORT 1 replaces the VLAN tags with
VLAN 3 tags. When receiving packets from VLAN 3 to VLAN 2, PORT 1 replaces the
VLAN tags with VLAN 2 tags. This implements communication between devices in VLAN 2
and VLAN 3.
[Figure 11-1: Switch A (PORT1) and Switch B; VLAN 2 and VLAN 3; hosts 172.16.0.1/16 and 172.16.0.7/16]
If devices in two VLANs need to communicate based on VLAN mapping, the IP addresses of
these devices must be on the same network segment. If their IP addresses are on different
network segments, communication between these devices must be implemented using Layer 3
routes, which makes VLAN mapping invalid.
In the networking diagram shown in Figure 11-2, services (HSI, IPTV, and VoIP) of
each user are transmitted on different VLANs. Same services are transmitted on the same
C-VLAN. To differentiate users, deploy Corridor Switch to allow the same services used
by different users to be transmitted on different VLANs, which implements 1:1 VLAN
mapping. 1:1 VLAN mapping requires a large number of VLANs to isolate services of
different users; however, the VLAN quantity provided by the network access device at
the aggregation layer is limited. To resolve this problem, configure the VLAN
aggregation function to allow the same services to be transmitted on the same VLAN
(N:1 VLAN mapping).
l 2:1 VLAN mapping
When the interface receives a double-tagged packet, the interface maps the outer VLAN
tag in the packet to an S-VLAN tag and transparently transmits the inner VLAN tag.
2:1 VLAN mapping applies to the network shown in Figure 11-3.
[Figure 11-3: Residential Gateway (S1, S2), Corridor Switch (S3, S4), Community Switch (S5), Aggregation Switch, Internet]
In the networking diagram shown in Figure 11-3, Residential Gateway, Corridor Switch,
and Community Switch are connected to the aggregation layer on the network. To
differentiate users and services to facilitate network management and charging, configure
the QinQ function for Corridor Switch. To save VLAN resources, configure VLAN
mapping on Community Switch to transmit the same services on the same VLAN.
l 2:2 VLAN mapping
2:2 VLAN mapping applies to the network shown in Figure 11-4.
[Figure 11-4: Switch1, Switch2, Switch3, Switch4, Internet; outside tag: 50, inner tag: 60]
In the networking diagram shown in Figure 11-4, QinQ is used to send double-tagged
packets, which prevents the conflict between C-VLAN IDs and S-VLAN IDs and
differentiates services and users. However, the interface will discard the packets because
C-VLAN IDs are different from S-VLAN IDs. To ensure communication continuity,
configure 2:2 VLAN mapping on the PE and replace double C-VLAN tags with double
S-VLAN tags.
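The tag rewriting described above for N:1, 2:1 and 2:2 VLAN mapping, as an added Python model that is not part of this guide or of Huawei's software. It rewrites 802.1Q tags in constructed frames using the rules from this guide's configuration examples (100 to 109 mapped to 10; 201 with inner 2 to 3, and 401 with inner 4, mapped to 501). The 2:2 target VLANs 500 and 600, the MAC addresses, and the use of TPID 0x8100 for both tags are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID = 0x8100  # assumption: outer and inner tags both use TPID 0x8100


@dataclass(frozen=True)
class MapRule:
    """Model of one 'port vlan-mapping' rule, applied to received frames."""
    outer: range                         # vlan vlan-id1 [ to vlan-id2 ]
    map_outer: int                       # map-vlan
    inner: Optional[range] = None        # inner-vlan (2:1 and 2:2 mapping)
    map_inner: Optional[int] = None      # map-inner-vlan (2:2 mapping only)
    remark_8021p: Optional[int] = None   # remark-8021p

    def __post_init__(self):
        if self.map_inner is not None and self.inner is None:
            raise ValueError("map-inner-vlan requires inner-vlan")


# Rules taken from the configuration examples in this guide.
N_TO_1 = [MapRule(range(100, 110), 10)]
TWO_TO_1 = [MapRule(range(201, 202), 501, inner=range(2, 4)),
            MapRule(range(401, 402), 501, inner=range(4, 5))]
# 2:2: source tags 50/60 appear in the guide's figure; targets 500/600 are constructed.
TWO_TO_2 = [MapRule(range(50, 51), 500, inner=range(60, 61), map_inner=600)]


def build_frame(vlans, pcp=0, payload=b"\x00" * 46):
    """Constructed test frame: fixed MACs, VLAN tags outermost first, IPv4 EtherType."""
    dst, src = bytes.fromhex("00e0fc000002"), bytes.fromhex("00e0fc000001")
    tags = b"".join(struct.pack("!HH", TPID, (pcp << 13) | vid) for vid in vlans)
    return dst + src + tags + struct.pack("!H", 0x0800) + payload


def parse_tags(frame):
    """Return ([(pcp, dei, vid), ...] outermost first, offset of the payload EtherType)."""
    tags, off = [], 12
    while len(frame) >= off + 4 and struct.unpack_from("!H", frame, off)[0] == TPID:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return tags, off


def vlan_ids(frame):
    """VLAN IDs carried by the frame, outermost first."""
    return [vid for _, _, vid in parse_tags(frame)[0]]


def apply_mapping(frame, rules):
    """Rewrite VLAN IDs per the first matching rule; return (frame, rule or None)."""
    tags, off = parse_tags(frame)
    if not tags:
        return frame, None  # untagged: handled by VLAN assignment, not by mapping
    for rule in rules:
        if tags[0][2] not in rule.outer:
            continue
        if rule.inner is not None and (len(tags) < 2 or tags[1][2] not in rule.inner):
            continue
        new = list(tags)
        pcp, dei, _ = tags[0]
        if rule.remark_8021p is not None:
            pcp = rule.remark_8021p
        new[0] = (pcp, dei, rule.map_outer)      # 1:1, N:1, 2:1: only the outer tag changes
        if rule.map_inner is not None:
            new[1] = (tags[1][0], tags[1][1], rule.map_inner)  # 2:2: inner tag changes too
        raw = b"".join(struct.pack("!HH", TPID, (p << 13) | (d << 12) | v)
                       for p, d, v in new)
        return frame[:12] + raw + frame[off:], rule
    return frame, None  # no rule matched: this model leaves the frame unchanged
```

With N_TO_1, frames tagged 100 and 105 both leave with VLAN 10, so the original VLAN is no longer visible in the tag; with TWO_TO_1 the inner tag is carried through unchanged.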
Licensing Requirements
VLAN mapping configuration commands are available only after the S1720GW, S1720GWR,
and S1720X have the license (WEB management to full management Electronic RTU
License) loaded and activated and the switches are restarted. VLAN mapping configuration
commands on other models are not under license control.
For details about how to apply for a license, see S Series Switch License Use Guide.
S2710SI V100R006(C03&C05)
S5710-C-LI V200R001C00
S5730SI V200R011C10
S5730S-EI V200R011C10
NOTE
To know details about software mappings, see Hardware Query Tool.
Feature Limitations
l VLAN mapping can be configured only on a trunk or hybrid interface, and the hybrid
interface must be added to the translated VLAN in tagged mode.
l When N:1 VLAN mapping is configured, the interface needs to join the original VLAN
in tagged mode.
l When VLAN mapping is configured, it is not recommended that map-vlan be
configured for the VLAN corresponding to the VLANIF interface.
l If VLAN mapping and DHCP are configured on the same interface, it is recommended
to add the interface to the original VLANs (VLANs before mapping) in tagged mode.
l N:1 VLAN mapping is not supported in a stack scenario.
l Configuring MAC address limiting and N:1 VLAN mapping simultaneously causes a
high CPU usage on some low-end switches, so such configuration is not recommended.
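One way to check a saved configuration file against the limitations above before applying it, as an added Python example that is not Huawei tooling. The check names (LINK_TYPE, XLATE_DISABLED and so on), treating port trunk allow-pass as tagged membership, requiring qinq vlan-translation enable (taken from this guide's procedures), and the constructed BROKEN_CONFIG are assumptions; PAGE_N1_CONFIG comes from the Switch configuration file in this guide's N:1 example.

```python
import re

MAP_RE = re.compile(
    r"port vlan-mapping vlan (\d+)(?: to (\d+))?( inner-vlan \d+(?: to \d+)?)? map-vlan (\d+)")

# From the Switch configuration file in this guide's N:1 example (sysname omitted).
PAGE_N1_CONFIG = """\
#
vlan batch 10 100 to 109
#
interface gigabitethernet0/0/1
 port link-type hybrid
 qinq vlan-translation enable
 port hybrid tagged vlan 10 100 to 109
 port vlan-mapping vlan 100 to 109 map-vlan 10
#
return
"""

# Constructed variant with four mistakes (illustration only).
BROKEN_CONFIG = """\
#
interface Vlanif10
#
interface GigabitEthernet0/0/1
 port link-type hybrid
 port hybrid untagged vlan 10
 port hybrid tagged vlan 100 to 104
 port vlan-mapping vlan 100 to 109 map-vlan 10
#
return
"""


def expand_vlans(tokens):
    """Expand a VLAN list such as ['10', '100', 'to', '109'] into a set of IDs."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    out, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            out.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            out.add(int(tokens[i]))
            i += 1
    return out


def parse_config(text):
    """Return {interface name in lower case: settings relevant to VLAN mapping}."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line.startswith("interface "):
            cur = ifaces.setdefault(line[10:].lower(), {
                "link": None, "tagged": set(), "xlate": False, "maps": []})
        elif line in ("#", "return"):
            cur = None
        elif cur is None:
            continue
        elif line.startswith("port link-type "):
            cur["link"] = line.split()[-1]
        elif line.startswith(("port hybrid tagged vlan ", "port trunk allow-pass vlan ")):
            cur["tagged"] |= expand_vlans(line.split(" vlan ", 1)[1].split())
        elif line == "qinq vlan-translation enable":
            cur["xlate"] = True
        elif MAP_RE.match(line):
            lo, hi, inner, target = MAP_RE.match(line).groups()
            orig = set(range(int(lo), int(hi or lo) + 1))
            cur["maps"].append((orig, inner is not None, int(target)))
    return ifaces


def lint(text):
    """Return sorted (interface, check, detail) findings for interfaces with VLAN mapping."""
    ifaces = parse_config(text)
    vlanifs = {int(n[6:]) for n in ifaces if n.startswith("vlanif") and n[6:].isdigit()}
    findings = []
    for name, cfg in ifaces.items():
        if not cfg["maps"]:
            continue
        if cfg["link"] not in ("trunk", "hybrid"):
            findings.append((name, "LINK_TYPE", f"link-type is {cfg['link']}"))
        if not cfg["xlate"]:
            findings.append((name, "XLATE_DISABLED", "qinq vlan-translation enable missing"))
        single = {}  # map-vlan -> original VLANs of rules without inner-vlan
        for orig, has_inner, target in cfg["maps"]:
            if not has_inner:
                single.setdefault(target, set()).update(orig)
        for target in sorted({t for _, _, t in cfg["maps"]}):
            if target not in cfg["tagged"]:
                findings.append((name, "TRANSLATED_NOT_TAGGED", f"VLAN {target}"))
            if target in vlanifs:
                findings.append((name, "MAP_VLAN_HAS_VLANIF", f"Vlanif{target}"))
            missing = single.get(target, set()) - cfg["tagged"]
            if len(single.get(target, ())) > 1 and missing:
                findings.append((name, "N1_ORIGINAL_NOT_TAGGED", f"VLANs {sorted(missing)}"))
    return sorted(findings)
```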
Pre-configuration Tasks
Before configuring VLAN ID-based VLAN mapping, complete the following tasks:
l Create the specified VLAN.
l Add the primary interface to the mapped VLAN.
NOTE
The port vlan-mapping ingress command is only supported by S1720GFR, S1720GW, S1720GWR,
S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2750EI, S2720EI, S5700S-LI, S5700LI, S5720LI,
S5720S-LI, S6720LI, S6720S-LI, S5710-X-LI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S5720SI,
and S5720S-SI.
Pre-configuration Tasks
Before configuring 1:1 VLAN mapping, complete the following tasks:
Procedure
Step 1 Run system-view
By default, VLAN mapping is valid for both inbound and outbound directions.
Step 6 Run port vlan-mapping vlan vlan-id1 [ to vlan-id2 ] map-vlan vlan-id3 [ remark-8021p
8021p-value ]
NOTE
l VLAN mapping can be configured only on a trunk or hybrid interface, and the hybrid interface must
be added to the translated VLAN in tagged mode.
l When N:1 VLAN mapping is configured (VLAN IDs can be non-contiguous before mapping), the
interface needs to be added to these VLANs in tagged mode, and the VLAN specified by map-vlan
cannot be a VLAN corresponding to a VLANIF interface.
l If VLAN mapping and DHCP are configured on the same interface, it is recommended to add the
interface to the original VLANs (VLANs before mapping) in tagged mode.
l Configuring mac-limit and N:1 VLAN mapping simultaneously causes a high CPU usage on some
low-end switches. Therefore, such configuration is not recommended.
----End
Context
When receiving a tagged packet, an interface maps the VLAN ID in the packet to an S-VLAN
ID.
NOTE
Only the S1720X, S1720X-E, S5720HI, S5720EI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI,
S6720S-SI, S6720EI, and S6720S-EI support this configuration.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run port link-type { hybrid | trunk }
The port link-type is set.
Step 4 Run qinq vlan-translation enable
VLAN translation is enabled on the interface.
Step 5 Run port vlan-mapping vlan vlan-id1 inner-vlan vlan-id2 [ to vlan-id3 ] map-vlan vlan-id4
[ remark-8021p 8021p-value ]
The outer VLAN tag is replaced.
----End
Context
QinQ is used to send double-tagged packets, which prevents the conflict between C-VLAN
IDs and S-VLAN IDs and differentiates services and users. However, the interface will
discard the packets because C-VLAN IDs are different from S-VLAN IDs. To ensure
communication continuity, configure 2:2 VLAN mapping on the PE and replace double C-VLAN
tags with double S-VLAN tags.
NOTE
Only the S1720X, S1720X-E, S5720HI, S5720EI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI,
S6720S-SI, S6720EI, and S6720S-EI support this configuration.
Procedure
Step 1 Run system-view
Step 5 Run port vlan-mapping vlan vlan-id1 inner-vlan vlan-id2 map-vlan vlan-id3
map-inner-vlan vlan-id4 [ remark-8021p 8021p-value ]
----End
Procedure
l Run the display vlan vlan-id command to check whether the interface is added to the
translated S-VLAN.
l Run the display current-configuration command to check the VLAN mapping
configuration on the interface.
----End
Procedure
1. Configure a traffic classifier.
a. Run system-view
The system view is displayed.
b. Run traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed, or an
existing traffic classifier view is displayed.
and is the logical operator between the rules in the traffic classifier, which means
that:
n If the traffic classifier contains ACL rules, packets match the traffic classifier
only when they match one ACL rule and all the non-ACL rules.
n If the traffic classifier does not contain any ACL rules, packets match the
traffic classifier only when they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier if they match
one of the rules in the classifier.
By default, the relationship between rules in a traffic classifier is OR.
c. Configure matching rules according to the following table.
NOTE
Only the S5720EI, S6720EI, and S6720S-EI support traffic classifiers with advanced ACLs
containing the ttl-expired field.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name }, the S5720HI
does not support remark 8021p [ 8021p-value | inner-8021p ], remark cvlan-id cvlan-id,
remark vlan-id vlan-id, or mac-address learning disable.
d. Run quit
Exit from the traffic classifier view.
2. Configure a traffic behavior.
Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support this configuration.
d. Run quit
Exit from the traffic behavior view.
e. Run quit
Exit from the system view.
3. Configure a traffic policy.
a. Run traffic policy policy-name [ match-order { auto | config } ]
A traffic policy is created and the traffic policy view is displayed, or the view of an
existing traffic policy is displayed. If you do not specify a matching order for traffic
classifiers in the traffic policy, the default matching order config is used.
After a traffic policy is applied, you cannot use the traffic policy command to
modify the matching order of traffic classifiers in the traffic policy. To modify the
matching order, delete the traffic policy, create a traffic policy, and specify the
matching order.
When creating a traffic policy, you can specify the matching order of its matching
rules. The matching order can be either automatic order or configuration order:
n Automatic order: Traffic classifiers are matched based on the priorities of their
types. Traffic classifiers based on the following information are in descending
order of priority: Layer 2 and IPv4 Layer 3 information, advanced ACL6
information, basic ACL6 information, Layer 2 information, IPv4 Layer 3
information, and user-defined ACL information. If data traffic matches
multiple traffic classifiers, and the traffic behaviors conflict with each other,
the traffic behavior corresponding to the highest priority rule takes effect.
n Configuration order: Traffic classifiers are matched based on the sequence in
which traffic classifiers were bound to traffic behaviors.
NOTE
If more than 128 ACL rules defining CAR are configured, a traffic policy must be applied to
an interface, a VLAN, and the system in sequence in the outbound direction. In the
preceding situation, if you need to update ACL rules, delete the traffic policy from the
interface, VLAN, and system and reconfigure it in sequence.
b. Run classifier classifier-name behavior behavior-name
A traffic behavior is bound to a traffic classifier in the traffic policy.
c. Run quit
Exit from the traffic policy view.
d. Run quit
Exit from the system view.
4. Apply the traffic policy.
Traffic policies can be applied to a sub-interface, but the display traffic-applied command cannot
be used to check information about ACL-based simplified and MQC-based traffic policies applied
to the sub-interface.
l Run the display traffic policy { interface [ interface-type interface-number
[.subinterface-number ] ] | vlan [ vlan-id ] | ssid-profile [ ssid-profile-name ] | global }
[ inbound | outbound ] command to check the traffic policy configuration.
NOTE
Context
During VLAN Mapping configuration, VLAN translation resources may be insufficient. You
can run commands to view the total number of inbound/outbound VLAN translation
resources, the number of used VLAN translation resources, and the number of remaining
VLAN translation resources. The command output helps you locate faults.
Procedure
Step 1 Run the display vlan-translation resource [ slot slot-number ] command in any view to view
VLAN translation resource usage.
NOTE
Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support this command.
Step 2 Run the display spare-bucket resource [ slot slot-number ] command in any view to view
the usage of backup resources when VLAN translation resources conflict.
NOTE
Only the S5720HI supports this command.
----End
[Figure 11-5: Community1 (VLAN6) and Community2 (VLAN5); host addresses 172.16.0.1/16, 172.16.0.2/16, 172.16.0.3/16, 172.16.0.5/16, 172.16.0.6/16, 172.16.0.7/16]
Configuration Roadmap
The configuration roadmap is as follows:
1. Add the switch port connecting to community 1 to VLAN6 and add the switch port
connecting to community 2 to VLAN5.
2. Configure VLAN mapping on GE0/0/1 of PE1 and PE2 and map C-VLAN IDs to S-VLAN
IDs so that users in different VLANs can communicate with each other.
Procedure
Step 1 Add downlink interfaces on switches to specified VLANs.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan 6
[CE1-vlan6] quit
[CE1] interface gigabitethernet 0/0/1
[CE1-GigabitEthernet0/0/1] port link-type access
[CE1-GigabitEthernet0/0/1] port default vlan 6
[CE1-GigabitEthernet0/0/1] quit
[CE1] interface gigabitethernet 0/0/2
[CE1-GigabitEthernet0/0/2] port link-type access
[CE1-GigabitEthernet0/0/2] port default vlan 6
[CE1-GigabitEthernet0/0/2] quit
[CE1] interface gigabitethernet 0/0/3
[CE1-GigabitEthernet0/0/3] port link-type trunk
[CE1-GigabitEthernet0/0/3] port trunk allow-pass vlan 6
[CE1-GigabitEthernet0/0/3] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan 5
[CE2-vlan5] quit
[CE2] interface gigabitethernet 0/0/1
[CE2-GigabitEthernet0/0/1] port link-type access
[CE2-GigabitEthernet0/0/1] port default vlan 5
[CE2-GigabitEthernet0/0/1] quit
[CE2] interface gigabitethernet 0/0/2
[CE2-GigabitEthernet0/0/2] port link-type access
[CE2-GigabitEthernet0/0/2] port default vlan 5
[CE2-GigabitEthernet0/0/2] quit
[CE2] interface gigabitethernet 0/0/3
[CE2-GigabitEthernet0/0/3] port link-type trunk
[CE2-GigabitEthernet0/0/3] port trunk allow-pass vlan 5
[CE2-GigabitEthernet0/0/3] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan 10
[PE2-vlan10] quit
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] port link-type trunk
[PE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[PE2-GigabitEthernet0/0/1] qinq vlan-translation enable
[PE2-GigabitEthernet0/0/1] port vlan-mapping vlan 5 map-vlan 10
[PE2-GigabitEthernet0/0/1] quit
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 6
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 6
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 6
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 6
#
return
Networking Requirements
In Figure 11-6, a large number of switches need to be deployed at the corridor so that the
same service used by different users can be sent on different VLANs. To save VLAN
resources, configure the VLAN aggregation function (N:1) on the switches so that same
services are sent on the same VLAN.
[Figure 11-6: Internet, Switch (GE0/0/1), SwitchA, VLAN100~109]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create the original VLAN and the translated VLAN on the Switch and add GE0/0/1 to
the VLANs in tagged mode.
2. Configure VLAN mapping on GE0/0/1 on the Switch.
Procedure
Step 1 Configure the Switch.
# Create a VLAN.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 100 to 109
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 10 100 to 109
#
interface gigabitethernet0/0/1
port link-type hybrid
qinq vlan-translation enable
port hybrid tagged vlan 10 100 to 109
port vlan-mapping vlan 100 to 109 map-vlan 10
#
return
Only the S1720X, S1720X-E, S5720HI, S5720EI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI,
S6720S-SI, S6720EI, and S6720S-EI support this example.
As shown in Figure 11-7, Residential Gateway, Corridor Switch, and Community Switch
allow users to connect to the aggregation layer. To save VLAN resources and isolate same
services used by different users, configure the QinQ function on the Corridor Switch and
configure VLAN mapping on the Community Switch.
[Figure 11-7: Internet, Community Switch (S5), Residential Gateway (S1, S2)]
Configuration Roadmap
The configuration roadmap is as follows:
1. Add switch ports connecting to users to specified VLANs to distinguish different
services.
2. Configure the QinQ function on the Corridor Switch to distinguish users and services.
3. Configure VLAN mapping on the Community Switch to save VLAN resources.
Procedure
Step 1 Add downlink interfaces of S1 and S2 to specified VLANs.
# Configure S1.
<HUAWEI> system-view
[HUAWEI] sysname S1
[S1] vlan batch 2 to 4
[S1] interface gigabitethernet 0/0/1
[S1-GigabitEthernet0/0/1] port link-type access
[S1-GigabitEthernet0/0/1] port default vlan 2
[S1-GigabitEthernet0/0/1] quit
# Configure S2.
<HUAWEI> system-view
[HUAWEI] sysname S2
[S2] vlan batch 2 to 4
[S2] interface gigabitethernet 0/0/1
[S2-GigabitEthernet0/0/1] port link-type access
[S2-GigabitEthernet0/0/1] port default vlan 2
[S2-GigabitEthernet0/0/1] quit
[S2] interface gigabitethernet 0/0/2
[S2-GigabitEthernet0/0/2] port link-type access
[S2-GigabitEthernet0/0/2] port default vlan 3
[S2-GigabitEthernet0/0/2] quit
[S2] interface gigabitethernet 0/0/3
[S2-GigabitEthernet0/0/3] port link-type access
[S2-GigabitEthernet0/0/3] port default vlan 4
[S2-GigabitEthernet0/0/3] quit
[S2] interface gigabitethernet 0/0/4
[S2-GigabitEthernet0/0/4] port link-type trunk
[S2-GigabitEthernet0/0/4] port trunk allow-pass vlan 2 to 4
[S2-GigabitEthernet0/0/4] quit
Step 2 Configure the QinQ function on the Corridor Switch to allow the Corridor Switch to send
double-tagged packets to the Community Switch.
# Configure S3.
<HUAWEI> system-view
[HUAWEI] sysname S3
[S3] vlan batch 201 401
[S3] interface gigabitethernet 0/0/1
[S3-GigabitEthernet0/0/1] port link-type hybrid
[S3-GigabitEthernet0/0/1] port hybrid untagged vlan 201 401
[S3-GigabitEthernet0/0/1] qinq vlan-translation enable
[S3-GigabitEthernet0/0/1] port vlan-stacking vlan 2 to 3 stack-vlan 201
[S3-GigabitEthernet0/0/1] port vlan-stacking vlan 4 stack-vlan 401
[S3-GigabitEthernet0/0/1] quit
[S3] interface gigabitethernet 0/0/2
[S3-GigabitEthernet0/0/2] port link-type trunk
[S3-GigabitEthernet0/0/2] port trunk allow-pass vlan 201 401
[S3-GigabitEthernet0/0/2] quit
# Configure S4.
<HUAWEI> system-view
[HUAWEI] sysname S4
[S4] vlan batch 201 401
[S4] interface gigabitethernet 0/0/1
[S4-GigabitEthernet0/0/1] port link-type hybrid
[S4-GigabitEthernet0/0/1] port hybrid untagged vlan 201 401
[S4-GigabitEthernet0/0/1] qinq vlan-translation enable
[S4-GigabitEthernet0/0/1] port vlan-stacking vlan 2 to 3 stack-vlan 201
[S4-GigabitEthernet0/0/1] port vlan-stacking vlan 4 stack-vlan 401
[S4-GigabitEthernet0/0/1] quit
[S4] interface gigabitethernet 0/0/2
[S4-GigabitEthernet0/0/2] port link-type trunk
----End
Configuration Files
l Configuration file of S1
#
sysname S1
#
vlan batch 2 to 4
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 3
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 4
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4
#
return
l Configuration file of S2
#
sysname S2
#
vlan batch 2 to 4
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 3
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 4
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4
#
return
l Configuration file of S3
#
sysname S3
#
vlan batch 201 401
#
interface GigabitEthernet0/0/1
port link-type hybrid
qinq vlan-translation enable
port hybrid untagged vlan 201 401
port vlan-stacking vlan 2 to 3 stack-vlan 201
port vlan-stacking vlan 4 stack-vlan 401
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 201 401
#
return
l Configuration file of S4
#
sysname S4
#
vlan batch 201 401
#
interface GigabitEthernet0/0/1
port link-type hybrid
qinq vlan-translation enable
port hybrid untagged vlan 201 401
port vlan-stacking vlan 2 to 3 stack-vlan 201
port vlan-stacking vlan 4 stack-vlan 401
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 201 401
#
return
l Configuration file of S5
#
sysname S5
#
vlan batch 501
#
interface GigabitEthernet0/0/1
port link-type trunk
qinq vlan-translation enable
port trunk allow-pass vlan 501
port vlan-mapping vlan 201 inner-vlan 2 to 3 map-vlan 501
port vlan-mapping vlan 401 inner-vlan 4 map-vlan 501
#
interface GigabitEthernet0/0/2
port link-type trunk
qinq vlan-translation enable
port trunk allow-pass vlan 501
port vlan-mapping vlan 201 inner-vlan 2 to 3 map-vlan 501
port vlan-mapping vlan 401 inner-vlan 4 map-vlan 501
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 501
#
return
Only the S1720X, S1720X-E, S5720HI, S5720EI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI,
S6720S-SI, S6720EI, and S6720S-EI support this example.
QinQ is used to send double-tagged packets, which prevents the conflict between C-VLAN
IDs and S-VLAN IDs and differentiates services and users. However, the interface will
discard the packets because C-VLAN IDs are different from S-VLAN IDs. To ensure
communication continuity, configure 2:2 VLAN mapping on the PE and replace double C-
VLAN tags with double S-VLAN tags.
In Figure 11-8, users send double-tagged packets to the ISP network. These packets cannot be
forwarded because their VLAN IDs differ from the S-VLAN IDs. The requirement is that users
connected to Switch5 and Switch6 can communicate.
[Figure 11-8: network diagram. Labels: Switch5 (VLAN 10), Switch6 (VLAN 30), Switch1, Switch4,
Switch2, Switch3, and the ISP network with outside tag 50 and inner tag 60.]
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Add downlink interfaces on switches to specified VLANs.
# Configure Switch5.
<HUAWEI> system-view
[HUAWEI] sysname Switch5
[Switch5] vlan 10
[Switch5-vlan10] quit
[Switch5] interface gigabitethernet 0/0/1
[Switch5-GigabitEthernet0/0/1] port link-type access
[Switch5-GigabitEthernet0/0/1] port default vlan 10
[Switch5-GigabitEthernet0/0/1] quit
[Switch5] interface gigabitethernet 0/0/2
[Switch5-GigabitEthernet0/0/2] port link-type trunk
[Switch5-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
# Configure Switch6.
<HUAWEI> system-view
[HUAWEI] sysname Switch6
[Switch6] vlan 30
[Switch6-vlan30] quit
[Switch6] interface gigabitethernet 0/0/1
[Switch6-GigabitEthernet0/0/1] port link-type access
[Switch6-GigabitEthernet0/0/1] port default vlan 30
[Switch6-GigabitEthernet0/0/1] quit
[Switch6] interface gigabitethernet 0/0/2
[Switch6-GigabitEthernet0/0/2] port link-type trunk
[Switch6-GigabitEthernet0/0/2] port trunk allow-pass vlan 30
Step 2 Configure the QinQ function on Switch1 and Switch4 so that packets sent to the ISP network
are double-tagged.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 20
[Switch1-vlan20] quit
[Switch1] interface gigabitethernet 0/0/1
[Switch1-GigabitEthernet0/0/1] port link-type hybrid
[Switch1-GigabitEthernet0/0/1] port hybrid untagged vlan 20
[Switch1-GigabitEthernet0/0/1] qinq vlan-translation enable
[Switch1-GigabitEthernet0/0/1] port vlan-stacking vlan 10 stack-vlan 20
[Switch1-GigabitEthernet0/0/1] quit
[Switch1] interface gigabitethernet 0/0/2
[Switch1-GigabitEthernet0/0/2] port link-type trunk
[Switch1-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[Switch1-GigabitEthernet0/0/2] quit
# Configure Switch4.
<HUAWEI> system-view
[HUAWEI] sysname Switch4
[Switch4] vlan 40
[Switch4-vlan40] quit
[Switch4] interface gigabitethernet 0/0/1
[Switch4-GigabitEthernet0/0/1] port link-type hybrid
[Switch4-GigabitEthernet0/0/1] port hybrid untagged vlan 40
[Switch4-GigabitEthernet0/0/1] qinq vlan-translation enable
[Switch4-GigabitEthernet0/0/1] port vlan-stacking vlan 30 stack-vlan 40
[Switch4-GigabitEthernet0/0/1] quit
[Switch4] interface gigabitethernet 0/0/2
[Switch4-GigabitEthernet0/0/2] port link-type trunk
[Switch4-GigabitEthernet0/0/2] port trunk allow-pass vlan 40
[Switch4-GigabitEthernet0/0/2] quit
Step 3 Configure 2:2 VLAN mapping on switches connected to the ISP network.
# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] interface gigabitethernet 0/0/1
[Switch2-GigabitEthernet0/0/1] port link-type hybrid
[Switch2-GigabitEthernet0/0/1] port hybrid tagged vlan 50
[Switch2-GigabitEthernet0/0/1] qinq vlan-translation enable
[Switch2-GigabitEthernet0/0/1] port vlan-mapping vlan 20 inner-vlan 10 map-vlan 50 map-inner-vlan 60
# Configure Switch3.
<HUAWEI> system-view
[HUAWEI] sysname Switch3
[Switch3] interface gigabitethernet 0/0/1
[Switch3-GigabitEthernet0/0/1] port link-type hybrid
[Switch3-GigabitEthernet0/0/1] port hybrid tagged vlan 50
----End
Configuration Files
l Switch1 configuration file
#
sysname Switch1
#
vlan batch 20
#
interface GigabitEthernet0/0/1
port link-type hybrid
qinq vlan-translation enable
port hybrid untagged vlan 20
port vlan-stacking vlan 10 stack-vlan 20
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
return
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
return
[Figure: network diagram. Labels: ISP network (VLAN 10), SwitchC, SwitchD, SwitchA and SwitchB,
with user VLANs 6 and 5.]
After VLAN mapping is configured on the interfaces, users in different VLANs cannot
communicate with each other. This fault is commonly caused by one of the following:
l The translated VLAN (map-vlan) has not been created.
l The interfaces configured with VLAN mapping are not added to the translated VLAN.
l The translated VLAN ID configured on SwitchC and SwitchD is different from the S-
VLAN ID assigned by the carrier.
l The interfaces configured with VLAN mapping are faulty.
Procedure
1. In the user view, run the display vlan command to verify that the translated VLAN
(map-vlan) is created.
– If the translated VLAN has not been created, run the vlan command to create it.
– If the translated VLAN is created, go to the next step.
2. In the interface view, run the display this command to verify that the interfaces
configured with VLAN mapping have been added to the translated VLAN in tagged
mode.
NOTE
l VLAN mapping can be configured only on a trunk or hybrid interface, and the hybrid interface
must be added to the translated VLAN in tagged mode.
l If a range of original VLANs is specified by vlan-id1 to vlan-id2 on an interface, the interface must
be added to all the original VLANs in tagged mode, and the translated VLAN cannot have a
VLANIF interface.
l Limiting MAC address learning on an interface may affect N:1 VLAN mapping on the interface.
– If the interfaces configured with VLAN mapping have not been added to the
translated VLAN in tagged mode, run the port trunk allow-pass vlan or port
hybrid tagged vlan command in the interface view to add the interfaces to the
translated VLAN in tagged mode.
– If the interfaces have been added to the translated VLAN in tagged mode, go to the
next step.
3. In the interface view, run the display this command to verify that the translated VLAN
ID configured on the interface is the same as the S-VLAN ID assigned by the carrier.
– If the translated VLAN ID on an interface is different from the S-VLAN ID
assigned by the carrier, run the undo port vlan-mapping command on the interface
to delete the VLAN mapping configuration, and run the port vlan-mapping vlan
command to set the translated VLAN ID to the S-VLAN ID.
– If the translated VLAN ID is the same as the S-VLAN ID assigned by the carrier,
go to the next step.
4. In the user view, run the display vlan vlan-id command to verify that user-side interfaces
are added to C-VLANs.
If the user-side interfaces are not in the C-VLANs, run the port trunk allow-pass vlan,
port hybrid tagged vlan, or port default vlan command to add the interfaces to the C-
VLANs.
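Steps 1 to 3 of this procedure, together with the NOTE's link-type rule, can be run offline against a saved configuration file. The Python below is an added example, not Huawei tooling; it parses only the commands that appear in this guide, and the two sample configurations and the carrier S-VLAN of 501 are constructed (the first sample mirrors the S5 configuration file shown earlier).

```python
import re

def expand(tokens):
    """Expand a VLAN list such as ['2', 'to', '4', '501'] into {2, 3, 4, 501}."""
    vlans, i = set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            return set(range(1, 4095))
        first = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(first, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(first)
            i += 1
    return vlans

def parse_config(text):
    """Return (created VLANs, {interface: settings}) from a saved configuration."""
    created, ifaces, cur = {1}, {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            cur = None                      # '#' closes the current view
        elif words[:2] == ["vlan", "batch"]:
            created |= expand(words[2:])
        elif words[0] == "interface":
            cur = ifaces.setdefault(words[1], {"type": None, "tagged": set(), "maps": []})
        elif cur is None:
            continue
        elif words[:2] == ["port", "link-type"]:
            cur["type"] = words[2]
        elif words[:4] in (["port", "trunk", "allow-pass", "vlan"],
                           ["port", "hybrid", "tagged", "vlan"]):
            cur["tagged"] |= expand(words[4:])
        elif words[:2] == ["port", "vlan-mapping"]:
            match = re.search(r"\bmap-vlan (\d+)", raw)
            if match:
                cur["maps"].append(int(match.group(1)))
    return created, ifaces

def check_vlan_mapping(text, carrier_svlan):
    """Apply troubleshooting steps 1 to 3 to every interface with a VLAN mapping."""
    created, ifaces = parse_config(text)
    findings = []
    for name, itf in ifaces.items():
        for map_vlan in itf["maps"]:
            if itf["type"] not in ("trunk", "hybrid"):
                findings.append((name, map_vlan, "interface is not trunk or hybrid"))
            if map_vlan not in created:
                findings.append((name, map_vlan, "translated VLAN not created"))
            if map_vlan not in itf["tagged"]:
                findings.append((name, map_vlan,
                                 "interface not in translated VLAN in tagged mode"))
            if map_vlan != carrier_svlan:
                findings.append((name, map_vlan,
                                 "translated VLAN differs from carrier S-VLAN"))
    return findings

# Constructed sample that mirrors the S5 configuration file in this guide.
GOOD = """#
sysname S5
#
vlan batch 501
#
interface GigabitEthernet0/0/1
 port link-type trunk
 qinq vlan-translation enable
 port trunk allow-pass vlan 501
 port vlan-mapping vlan 201 inner-vlan 2 to 3 map-vlan 501
 port vlan-mapping vlan 401 inner-vlan 4 map-vlan 501
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 501
#
return
"""

# Constructed faulty variant: wrong map-vlan on GE0/0/1, missing allow-pass on GE0/0/2.
BAD = """#
sysname S5
#
vlan batch 501
#
interface GigabitEthernet0/0/1
 port link-type trunk
 qinq vlan-translation enable
 port trunk allow-pass vlan 501
 port vlan-mapping vlan 201 inner-vlan 2 to 3 map-vlan 510
#
interface GigabitEthernet0/0/2
 port link-type trunk
 qinq vlan-translation enable
 port vlan-mapping vlan 401 inner-vlan 4 map-vlan 501
#
return
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, check_vlan_mapping(cfg, carrier_svlan=501))
```

Step 4 (user-side interfaces in the C-VLANs) is not covered, because the saved configuration alone does not say which interfaces face users.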
12 GVRP Configuration
This chapter describes how to configure the Generic VLAN Registration Protocol (GVRP).
Definition
The Generic Attribute Registration Protocol (GARP) provides a mechanism for propagating
attributes so that a protocol entity can register and deregister attributes. By filling different
attributes into GARP packets, GARP supports various upper-layer applications.
The GARP VLAN Registration Protocol (GVRP) is used to register and deregister VLAN
attributes.
GARP identifies applications through destination MAC addresses. IEEE Std 802.1Q assigns
01-80-C2-00-00-21 to the VLAN application (GVRP).
Purpose
To deploy a VLAN on all devices on a network, a network administrator must manually
create it on each device. In Figure 12-1, three routers are connected through trunk links.
VLAN 2 is configured on SwitchA, and VLAN 1 is configured on SwitchB and SwitchC. To
forward packets of VLAN 2 from SwitchA to SwitchC, the network administrator must
manually create VLAN 2 on SwitchB and SwitchC.
When a network is complex and the network administrator is unfamiliar with the network
topology, or when many VLANs are configured on the network, the manual configuration
workload is enormous. In addition, configuration errors may occur due to human error. GVRP
can be configured on the network to implement automatic registration of VLANs, reducing
configuration workload and the likelihood of configuration errors.
Benefits
GVRP is based on GARP. It dynamically maintains VLAN attributes on devices. Using
GVRP, VLAN attributes of one device can be propagated throughout the entire switching
network. GVRP enables network devices to dynamically deliver, register, and propagate
VLAN attributes, reducing the workload of the network administrator and helping to ensure
correct configuration.
Participant
On a device, each interface running a protocol is a participant. On a device running GVRP,
each GVRP-enabled interface is treated as a GVRP participant, as shown in Figure 12-2.
GARP Messages
GARP participants exchange VLAN information through GARP messages. Major GARP
messages are Join messages, Leave messages, and LeaveAll messages.
l Join message
When a GARP participant expects other devices to register its attributes, it sends Join
messages to other devices. When the GARP participant receives a Join message from
another participant or when it is configured with attributes statically, it also sends Join
messages to other devices for the devices to register the new attributes.
Join messages are classified into two types:
– JoinEmpty message: declares an unregistered attribute.
– JoinIn message: declares a registered attribute.
l Leave message
When a GARP participant expects other devices to deregister its attributes, it sends
Leave messages to other devices. When the GARP participant receives a Leave message
from another participant or when some of its attributes are deregistered statically, it also
sends Leave messages to other devices.
Leave messages are classified into two types:
– LeaveEmpty message: deregisters an unregistered attribute.
– LeaveIn message: deregisters a registered attribute.
l LeaveAll message
When a participant starts, it starts the LeaveAll timer. When the LeaveAll timer expires,
the participant sends LeaveAll messages to other devices.
A participant sends LeaveAll messages to deregister all attributes so that other
participants can re-register attributes of the local participant. LeaveAll messages are used
to periodically delete useless attributes on the network.
For example, an attribute of a participant is deleted. Due to a sudden power failure, the
participant does not send Leave messages to request other participants to deregister the
attribute. In this case, the attribute becomes useless, necessitating the use of a LeaveAll
message.
GARP Timers
GARP defines four timers:
l Join timer
The Join timer controls the sending of Join messages including JoinIn messages and
JoinEmpty messages.
After sending the first Join message, a participant starts the Join timer. If the participant
receives a JoinIn message before the Join timer expires, it does not send a second Join
message. If the participant does not receive any JoinIn message, it sends a second Join
message when the Join timer expires. This ensures that Join messages can be sent to
other participants. Each interface maintains an independent Join timer.
l Hold timer
The Hold timer controls the sending of Join messages (JoinIn messages and JoinEmpty
messages) and Leave messages (LeaveIn messages and LeaveEmpty messages).
After a participant is configured with an attribute or receives a message, it sends the
message to other participants only after the Hold timer expires. The participant
encapsulates messages received within the hold time into a minimum number of packets,
reducing the number of packets sent to other participants. If the participant does not use
the Hold timer but forwards a message immediately after receiving it, a large number of
packets are transmitted on the network. This makes the network unstable and wastes data
fields of packets.
Each interface maintains an independent Hold timer. The Hold timer value must be equal
to or smaller than half of the Join timer value.
l Leave timer
The Leave timer controls attribute deregistration.
A participant starts the Leave timer after receiving a Leave or LeaveAll message. If the
participant does not receive any Join message of the corresponding attribute before the
Leave timer expires, the participant deregisters the attribute.
A participant sends a Leave message if one of its attributes is deleted, but the attribute
may still exist on other participants. Therefore, the participant receiving the Leave
message cannot deregister the attribute immediately; it must wait for messages from
other participants.
For example, an attribute has two sources on the network: participant A and participant
B. Other participants register the attribute through GARP. If the attribute is deleted from
participant A, participant A sends a Leave message to other participants. After receiving
the Leave message, participant B sends a Join message to other participants because the
attribute still exists on participant B. After receiving the Join message from participant
B, other participants retain the attribute. Other participants deregister the attribute only if
they do not receive any Join message of the attribute within a period longer than two
times the Join timer value. Therefore, the Leave timer value must be greater than two
times the Join timer value.
Each interface maintains an independent Leave timer.
l LeaveAll timer
When a GARP participant starts, it starts the LeaveAll timer. When the LeaveAll timer
expires, the participant sends a LeaveAll message and restarts the LeaveAll timer.
After receiving a LeaveAll message, a participant restarts all GARP timers. When its
LeaveAll timer expires, the participant sends another LeaveAll message. This reduces
the number of LeaveAll messages sent within a period of time.
If the LeaveAll timers of multiple devices expire simultaneously, they send LeaveAll
messages simultaneously, leading to an unnecessary generation of LeaveAll messages.
To solve this problem, each device uses a random value between the LeaveAll timer
value and 1.5 times the LeaveAll timer value as its LeaveAll timer value. When a
LeaveAll event occurs, all attributes on the entire network are deregistered. The
LeaveAll event affects the entire network; therefore, the LeaveAll timer must be set to a
value which is greater than the Leave timer value.
Each device maintains a global LeaveAll timer.
Registration Modes
A manually configured VLAN is a static VLAN, and a VLAN created through GVRP is a
dynamic VLAN. GVRP provides three registration modes. Static VLANs and dynamic
VLANs are processed differently in each registration mode:
l In normal mode, dynamic VLANs can be registered on interfaces, and interfaces can
send declarations of static VLANs and dynamic VLANs.
l In fixed mode, dynamic VLANs cannot be registered on interfaces, and interfaces can
send only declarations of static VLANs.
l In forbidden mode, dynamic VLANs cannot be registered on interfaces. All VLANs
except VLAN 1 are deleted from interfaces, and interfaces can send only the declaration
of VLAN 1.
GARP packets are encapsulated in the IEEE 802.3 Ethernet format, as shown in Figure 12-4.
One-Way Registration
[Figure: Port 1 of SwitchA connects to Port 2 of SwitchB; Port 3 of SwitchB connects to Port 4 of
SwitchC.]
Static VLAN 2 is created on SwitchA. Ports on SwitchB and SwitchC can join VLAN 2
automatically through one-way registration. The process is as follows:
1. After VLAN 2 is created on SwitchA, Port 1 of SwitchA starts the Join timer and Hold
timer. When the Hold timer expires, Port 1 sends the first JoinEmpty message to
SwitchB. When the Join timer expires, Port 1 restarts the Hold timer. When the Hold
timer expires again, Port 1 sends the second JoinEmpty message.
2. After Port 2 of SwitchB receives the first JoinEmpty message, SwitchB creates dynamic
VLAN 2 and adds Port 2 to VLAN 2. In addition, SwitchB requests Port 3 to start the
Join timer and Hold timer. When the Hold timer expires, Port 3 sends the first JoinEmpty
message to SwitchC. When the Join timer expires, Port 3 restarts the Hold timer. When
the Hold timer expires again, Port 3 sends the second JoinEmpty message. After Port 2
receives the second JoinEmpty message, SwitchB does not take any action because Port
2 has been added to VLAN 2.
3. After Port 4 of SwitchC receives the first JoinEmpty message, SwitchC creates dynamic
VLAN 2 and adds Port 4 to VLAN 2. After Port 4 receives the second JoinEmpty
message, SwitchC does not take any action because Port 4 has been added to VLAN 2.
4. Every time the LeaveAll timer expires or a LeaveAll message is received, each switch
restarts the LeaveAll, Join, Hold, and Leave timers. Port 1 then repeats step 1 and sends
JoinEmpty messages. In the same way, Port 3 of SwitchB sends JoinEmpty messages to
SwitchC.
Two-Way Registration
After one-way registration is complete, Port 1, Port 2, and Port 4 are added to VLAN 2 but
Port 3 is not added to VLAN 2 because only interfaces receiving a JoinEmpty or JoinIn
message can be added to dynamic VLANs. To transmit traffic of VLAN 2 in both directions,
VLAN registration from SwitchC to SwitchA is required. The process is as follows:
1. After one-way registration is complete, static VLAN 2 is created on SwitchC (the
dynamic VLAN is replaced by the static VLAN). Port 4 of SwitchC starts the Join timer
and Hold timer. When the Hold timer expires, Port 4 sends the first JoinIn message
(because it has registered VLAN 2) to SwitchB. When the Join timer expires, Port 4
restarts the Hold timer. When the Hold timer expires, Port 4 sends the second JoinIn
message.
2. After Port 3 of SwitchB receives the first JoinIn message, SwitchB adds Port 3 to VLAN
2 and requests Port 2 to start the Join timer and Hold timer. When the Hold timer expires,
Port 2 sends the first JoinIn message to SwitchA. When the Join timer expires, Port 2
restarts the Hold timer. When the Hold timer expires again, Port 2 sends the second
JoinIn message. After Port 3 receives the second JoinIn message, SwitchB does not take
any action because Port 3 has been added to VLAN 2.
3. When SwitchA receives the JoinIn message, it stops sending JoinEmpty messages to
SwitchB. Every time the LeaveAll timer expires or a LeaveAll message is received, each
switch restarts the LeaveAll timer, Join timer, Hold timer, and Leave timer. Port 1 of
SwitchA sends a JoinIn message to SwitchB when the Hold timer expires.
4. SwitchB sends a JoinIn message to SwitchC.
5. After receiving the JoinIn message, SwitchC does not create dynamic VLAN 2 because
static VLAN 2 has been created.
One-Way Deregistration
When VLAN 2 is not required on the switches, the switches can deregister VLAN 2. The
process is as follows:
1. After static VLAN 2 is manually deleted from SwitchA, Port 1 of SwitchA starts the
Hold timer. When the Hold timer expires, Port 1 sends a LeaveEmpty message to
SwitchB. Port 1 needs to send only one LeaveEmpty message.
2. After Port 2 of SwitchB receives the LeaveEmpty message, it starts the Leave timer.
When the Leave timer expires, Port 2 deregisters VLAN 2. Then Port 2 is deleted from
VLAN 2, but VLAN 2 is not deleted from SwitchB because Port 3 is still in VLAN 2. At
this time, SwitchB requests Port 3 to start the Hold timer and Leave timer. When the
Hold timer expires, Port 3 sends a LeaveIn message to SwitchC. Static VLAN 2 is not
deleted from SwitchC; therefore, Port 3 can receive the JoinIn message sent from Port 4
after the Leave timer expires. In this case, SwitchA and SwitchB can still learn dynamic
VLAN 2.
3. After SwitchC receives the LeaveIn message, Port 4 is not deleted from VLAN 2
because VLAN 2 is a static VLAN on SwitchC.
Two-Way Deregistration
To delete VLAN 2 from all the switches, two-way deregistration is required. The process is as
follows:
1. After static VLAN 2 is manually deleted from SwitchC, Port 4 of SwitchC starts the
Hold timer. When the Hold timer expires, Port 4 sends a LeaveEmpty message to
SwitchB.
2. After Port 3 of SwitchB receives the LeaveEmpty message, it starts the Leave timer.
When the Leave timer expires, Port 3 deregisters VLAN 2. Then Port 3 is deleted from
dynamic VLAN 2, and dynamic VLAN 2 is deleted from SwitchB. At this time, SwitchB
requests Port 2 to start the Hold timer. When the Hold timer expires, Port 2 sends a
LeaveEmpty message to SwitchA.
3. After Port 1 of SwitchA receives the LeaveEmpty message, it starts the Leave timer.
When the Leave timer expires, Port 1 deregisters VLAN 2. Then Port 1 is deleted from
dynamic VLAN 2, and dynamic VLAN 2 is deleted from SwitchA.
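The end state of the registration and deregistration walk-throughs above, and the effect of the registration modes, can be reproduced with a small steady-state model. This is an added example, not Huawei code: class and function names are hypothetical, timers and individual Join/Leave messages are not modelled, and every trunk is assumed to allow all VLANs.

```python
NORMAL, FIXED, FORBIDDEN = "normal", "fixed", "forbidden"

class Switch:
    def __init__(self, name, ports, static=()):
        self.name = name
        self.static = {1} | set(static)              # VLAN 1 always exists
        self.mode = dict(ports)                      # port -> registration mode
        self.registered = {p: set() for p in self.mode}

    def declared(self, port):
        """VLANs this port announces to its neighbour."""
        if self.mode[port] == FORBIDDEN:
            return {1}                               # only VLAN 1 is declared
        if self.mode[port] == FIXED:
            return set(self.static)                  # only static VLANs are declared
        learned = set()
        for other, vlans in self.registered.items():
            if other != port:                        # propagate what other ports learned
                learned |= vlans
        return self.static | learned

    def receive_join(self, port, vlan):
        """Register a dynamic VLAN on a port; return True if state changed."""
        if self.mode[port] != NORMAL:                # fixed/forbidden never register
            return False
        if vlan in self.static or vlan in self.registered[port]:
            return False                             # static VLAN or already known
        self.registered[port].add(vlan)
        return True

    def members(self, port):
        """VLANs the port ends up carrying."""
        if self.mode[port] == FORBIDDEN:
            return {1}
        if self.mode[port] == FIXED:
            return set(self.static)
        return self.static | self.registered[port]

def converge(switches, links):
    """Recompute dynamic registrations from the static configuration."""
    for sw in switches:
        for port in sw.registered:
            sw.registered[port].clear()
    changed = True
    while changed:
        changed = False
        for (sw_a, port_a), (sw_b, port_b) in links:
            for src, sp, dst, dp in ((sw_a, port_a, sw_b, port_b),
                                     (sw_b, port_b, sw_a, port_a)):
                for vlan in src.declared(sp):
                    changed |= dst.receive_join(dp, vlan)

def carries_vlan2(static_a=(), static_c=(), mode_port2=NORMAL):
    """SwitchA(Port1) - (Port2)SwitchB(Port3) - (Port4)SwitchC, as in the figures."""
    a = Switch("SwitchA", {"Port1": NORMAL}, static_a)
    b = Switch("SwitchB", {"Port2": mode_port2, "Port3": NORMAL})
    c = Switch("SwitchC", {"Port4": NORMAL}, static_c)
    converge([a, b, c], [((a, "Port1"), (b, "Port2")), ((b, "Port3"), (c, "Port4"))])
    return {"Port1": 2 in a.members("Port1"), "Port2": 2 in b.members("Port2"),
            "Port3": 2 in b.members("Port3"), "Port4": 2 in c.members("Port4")}

if __name__ == "__main__":
    print("one-way registration  ", carries_vlan2(static_a=[2]))
    print("two-way registration  ", carries_vlan2(static_a=[2], static_c=[2]))
    print("one-way deregistration", carries_vlan2(static_c=[2]))
    print("Port 2 in fixed mode  ", carries_vlan2(static_a=[2], mode_port2=FIXED))
```

With Port 2 in fixed mode, VLAN 2 declared by SwitchA is not registered on SwitchB and does not reach SwitchC.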
Licensing Requirements
GVRP configuration commands are available only after the S1720GW, S1720GWR, and
S1720X have the license (WEB management to full management Electronic RTU License)
loaded and activated and the switches are restarted. GVRP configuration commands on other
models are not under license control.
For details about how to apply for a license, see S Series Switch License Use Guide.
Version Requirements
S5710-C-LI V200R001C00
S5730SI V200R011C10
S5730S-EI V200R011C10
NOTE
For details about software mappings, see the Hardware Query Tool.
Feature Limitations
l When many dynamic VLANs need to be registered or the network radius is large, using
default values of timers may cause VLAN flapping and high CPU usage. In this case,
increase values of the timers. The following values are recommended depending on the
number of VLANs.
Table 12-2 Relationship between GARP timer values and number of dynamic VLANs
that need to be registered
l The blocked port in instance 0 of STP/RSTP/MSTP can block GVRP packets; the
blocked ports of other MSTIs and other ring network protocols such as ERPS, SEP,
RRPP, Smart Link, and VBST cannot block GVRP packets. To ensure that GVRP runs
normally and prevent GVRP loops, do not enable GVRP on the blocked port of a ring
network protocol.
l The blocked ports of LBDT cannot block GVRP packets. To ensure that GVRP runs
normally and prevent GVRP loops, do not enable GVRP on the blocked port of LBDT.
Context
Before enabling GVRP on an interface, you must enable GVRP globally. GVRP can be
enabled only on trunk interfaces. You must perform related configurations to ensure that all
dynamically registered VLANs can pass the trunk interfaces.
NOTE
If the VCMP role is the client or server, GVRP cannot be enabled. In this case, run the vcmp role command
to configure the VCMP role as silent or transparent. If GVRP has been enabled, do not switch the VCMP
role to client or server.
Procedure
Step 1 Run system-view
Step 5 Run port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }
NOTE
l VLAN configuration will trigger GVRP messages. If too many VLANs are configured, you are
advised to configure VLANs on devices one by one and configure the timer. Otherwise, dynamic
VLANs may flap.
l When many dynamically registered VLANs such as 4094 VLANs are configured, run the car
packet-type gvrp cir cir-value command to increase the CPCAR value. To prevent a high load on
the CPU, the CPCAR cannot be increased infinitely. If the CPCAR values are adjusted improperly,
network services are affected. To adjust the CPCAR values, contact technical support personnel.
l If an interface is changed to another link type, such as access, hybrid, negotiation-desirable, or
negotiation-auto, the GVRP configuration on the interface is automatically deleted.
l The blocked interface in instance 0 of STP/RSTP/MSTP can block GVRP packets. The blocked
interfaces of other MSTIs and other ring network protocols such as ERPS, SEP, RRPP, Smart Link,
and VBST cannot block GVRP packets. To ensure that GVRP runs normally and to prevent GVRP
loops, do not enable GVRP on the blocked interface of a ring network protocol.
l The blocked ports of LBDT cannot block GVRP packets. To ensure that GVRP runs normally and
prevent GVRP loops, do not enable GVRP on the blocked port of LBDT.
----End
Context
A GVRP interface supports three registration modes:
l Normal: In this mode, the GVRP interface can dynamically register and deregister
VLANs, as well as transmit dynamic VLAN registration information and static VLAN
registration information.
l Fixed: In this mode, the GVRP interface is disabled from dynamically registering and
deregistering VLANs and can only transmit the static VLAN registration information. If
the registration mode is set to fixed for a trunk interface, the interface allows only the
manually configured VLANs to pass, even if the interface is configured to allow all the
VLANs to pass.
l Forbidden: In this mode, the GVRP interface is disabled from dynamically registering
and deregistering VLANs and can transmit only information about VLAN 1. If the
registration mode is set to forbidden for a trunk interface, the interface allows only
VLAN 1 to pass even if the interface is configured to allow all the VLANs to pass.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run gvrp registration { fixed | forbidden | normal }
The registration mode is set for the interface.
By default, the registration mode of a GVRP interface is normal.
NOTE
Before setting the registration mode for an interface, enable GVRP on the interface.
----End
Context
When a GARP participant is enabled, the LeaveAll timer starts. When the LeaveAll timer
expires, the GARP participant sends LeaveAll messages to request that other GARP
participants re-register all of their attributes. The LeaveAll timer then restarts.
Devices on a network may have different LeaveAll timer settings. In this case, all the devices
use the smallest LeaveAll timer value on the network. When the LeaveAll timer of a device
expires, the device sends LeaveAll messages to other devices. After other devices receive the
LeaveAll messages, they reset their LeaveAll timers. Therefore, only the LeaveAll timer with
the smallest value takes effect, even if devices have different LeaveAll timer settings.
When using the garp timer command to set GARP timers, pay attention to the following
points:
l The undo garp timer command restores the default values of GARP timers. If the
default value of a timer is out of the valid range, the undo garp timer command does
not take effect.
l The value range of each timer changes along with the values of the other timers. If a
value you set for a timer is not in the allowed range, you can change the value of the
timer that determines the value range of this timer.
l To restore the default values of all the GARP timers, restore the Hold timer to the default
value, and then sequentially restore the Join timer, Leave timer, and LeaveAll timer to
the default values.
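The timer relationships stated under GARP Timers, and the ordering advice in the list above, can be checked before a change is applied. The Python below is an added example, not Huawei code; it encodes only the three relationships this guide states, the function names are hypothetical, and the larger target values are constructed rather than taken from Table 12-3.

```python
from itertools import permutations

# Default values stated in this guide, in centiseconds.
DEFAULTS = {"hold": 10, "join": 20, "leave": 60, "leaveall": 1000}

def violations(t):
    """Return the relationships from this guide that the timer set `t` breaks."""
    broken = []
    if 2 * t["hold"] > t["join"]:
        broken.append("Hold must be <= half of Join")
    if t["leave"] <= 2 * t["join"]:
        broken.append("Leave must be > 2 x Join")
    if t["leaveall"] <= t["leave"]:
        broken.append("LeaveAll must be > Leave")
    return broken

def plan_changes(current, target):
    """Order single-timer changes so that every intermediate state stays valid.

    Each timer's allowed range depends on the others, so a valid target can
    still be rejected if the timers are changed in the wrong order.
    """
    for label, timers in (("current", current), ("target", target)):
        if violations(timers):
            raise ValueError(f"{label} timers are inconsistent: {violations(timers)}")
    changed = [name for name in DEFAULTS if current[name] != target[name]]
    for order in permutations(changed):
        state = dict(current)
        for name in order:
            state[name] = target[name]
            if violations(state):
                break                       # this order passes through an invalid state
        else:
            return [(name, target[name]) for name in order]
    return None

# Constructed target values for illustration; they are not taken from Table 12-3.
LARGER = {"hold": 100, "join": 600, "leave": 3000, "leaveall": 12000}

if __name__ == "__main__":
    print("raise  :", plan_changes(DEFAULTS, LARGER))
    print("restore:", plan_changes(LARGER, DEFAULTS))
```

Raising the timers has to start with LeaveAll and end with Hold, while restoring the defaults runs Hold, Join, Leave, LeaveAll, which matches the restore order given above.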
When many dynamic VLANs need to be registered or the network radius is large, using
default values of timers may cause VLAN flapping and high CPU usage. In this case, increase
values of the timers. The following values are recommended depending on the number of
VLANs.
Table 12-3 Relationship between GARP timer values and number of dynamic VLANs that
need to be registered
Procedure
Step 1 Run system-view
The default value of the LeaveAll timer is 1000 centiseconds (10 seconds).
The Leave timer length on an interface is restricted by the global LeaveAll timer length.
When configuring the global LeaveAll timer, ensure that all the interfaces configured with a
GARP Leave timer are working properly.
The value of the Hold timer, Join timer, or Leave timer is set.
By default, the value of the Hold timer is 10 centiseconds, the value of the Join timer is 20
centiseconds, and the value of the Leave timer is 60 centiseconds.
----End
Procedure
l Run the display gvrp status command to view the status of global GVRP.
l Run the display gvrp statistics [ interface { interface-type interface-number [ to
interface-type interface-number ] }&<1-10> ] command to view the GVRP statistics on
an interface.
Context
Cleared GVRP statistics cannot be restored. Exercise caution when you run this command.
Procedure
Step 1 Run the reset garp statistics [ interface { interface-type interface-number [ to interface-type
interface-number ] }&<1-10> ] command in the user view to clear GARP statistics on the
specified interfaces.
----End
Networking Requirements
In Figure 12-10, company A's headquarters, a branch of company A, and company B are
connected using switches. GVRP is enabled to implement dynamic VLAN registration.
The branch of Company A can communicate with Company A's headquarters using SwitchA
and SwitchB. Company B can communicate with company A's headquarters using SwitchB
and SwitchC. Interfaces connected to company A allow only the VLAN to which Company B
belongs to pass.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable GVRP to implement dynamic VLAN registration.
2. Configure GVRP on all switches of company A and set the registration mode of the
interfaces to normal to simplify configurations.
3. Configure GVRP on all switches of company A and set the registration mode to fixed for
the interfaces connecting to company A to allow only the VLAN to which company B
belongs to pass.
NOTE
Before enabling GVRP, you must configure the VCMP role as transparent or silent.
Procedure
Step 1 Configure SwitchA.
# Enable GVRP globally.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vcmp role silent
[SwitchA] gvrp
# Set the link type of GE 0/0/1 and GE 0/0/2 to trunk and configure the interfaces to allow all
VLANs to pass through.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan all
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan all
[SwitchA-GigabitEthernet0/0/2] quit
The configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned
here.
Step 2 Configure SwitchB.
# Enable GVRP globally.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vcmp role silent
[SwitchB] gvrp
# Set the link type of GE 0/0/1 and GE 0/0/2 to trunk and configure the interfaces to allow all
VLANs to pass through.
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan all
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan all
[SwitchB-GigabitEthernet0/0/2] quit
# Set the link type of GE 0/0/1 and GE 0/0/2 to trunk and configure the interfaces to allow all
VLANs to pass through.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type trunk
[SwitchC-GigabitEthernet0/0/1] port trunk allow-pass vlan all
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type trunk
[SwitchC-GigabitEthernet0/0/2] port trunk allow-pass vlan all
[SwitchC-GigabitEthernet0/0/2] quit
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vcmp role silent
#
gvrp
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
return
#
gvrp
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
gvrp registration fixed
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
return
12.9.1 Why Is the CPU Usage High When VLANs Are Created or Deleted Through GVRP in Default Configuration?
The switch supports VLAN configuration on devices at both ends. When GVRP is enabled on
the network, it advertises information about dynamic VLANs in two directions. Then the
intermediate devices dynamically create and delete VLANs based on the information.
Dynamic maintenance of VLANs can greatly reduce manual configurations.
When up to 4K dynamic VLANs are frequently created and deleted, a large number of
packets are exchanged. Receiving these packets and delivering dynamic VLANs consume a
large amount of CPU resources.
In actual networking, you need to adjust GARP timers to the recommended values.
NOTE
The recommended values of the GARP timers are as follows:
GARP Hold timer: 100 centiseconds (1 second)
GARP Join timer: 600 centiseconds (6 seconds)
GARP Leave timer: 3000 centiseconds (30 seconds)
GARP LeaveAll timer: 12,000 centiseconds (2 minutes)
When more than 100 dynamic VLANs are created, use the preceding recommended values. When the
number of dynamic VLANs increases, lengths of the GARP timers need to be increased.
13 VCMP Configuration
This chapter describes how to configure the VLAN Central Management Protocol (VCMP).
VCMP allows VLAN creation and deletion on a switch to be synchronized to other specified
switches on a Layer 2 network, implementing centralized VLAN management and
maintenance and reducing network maintenance workload.
Definition
The Virtual Local Area Network Central Management Protocol (VCMP), a Layer 2 protocol
in the Open System Interconnection (OSI) model, transmits VLAN information and ensures
consistent VLAN information on the Layer 2 network.
Purpose
In most cases, switches on an enterprise network need to synchronize VLAN information with
each other to ensure that they can correctly forward data. On a small-scale enterprise network,
the network administrator can log in to each switch to configure and maintain VLANs. On a
large-scale enterprise network, a lot of switches are deployed, so a large amount of VLAN
information needs to be configured and maintained. If the network administrator manually
configures and maintains all VLANs, the workload is heavy and VLAN information may be
inconsistent.
VCMP is used to implement centralized VLAN management. The network administrator
needs to create and delete VLAN information only on a switch. The changes on the switch are
automatically synchronized to other switches in a specified scope so that no manual operation
is required on these switches. In this way, the configuration workload is reduced and VLAN
information consistency is ensured.
NOTE
l VCMP can only help the network administrator synchronize VLAN information but not dynamically
assign VLANs. VCMP is often used with Link-type Negotiation Protocol (LNP) to simplify user
configurations. For details about LNP, see 5.2.5 LNP.
l Generic VLAN Registration Protocol (GVRP) can reduce VLAN configurations and dynamically
assign interfaces to VLANs. GVRP creates dynamic VLANs, but VCMP creates static VLANs.
Benefits to Customers
VCMP configured on a switch of a Layer 2 network brings in the following benefits:
l Implements centralized VLAN management and maintenance, and reduces the network
maintenance workload.
l Implements the plug-and-play function of access switches.
[Figure 13-1: diagram. Recoverable labels: Server, Client, VCMP domain 1, VCMP domain 2,
Layer 2 network]
VCMP Domain
As shown in Figure 13-1, a VCMP domain is composed of switches that have the same
VCMP domain name and are connected through trunk or hybrid interfaces. All switches in the
VCMP domain must use the same domain name, and each switch can join only one VCMP
domain. Switches in different VCMP domains cannot synchronize VLAN information.
A VCMP domain specifies the scope for the administrative switch and managed switches.
Switches in a VCMP domain are managed by the administrative switch. There is only one
administrative switch and multiple managed switches in a VCMP domain.
VCMP Roles
VCMP determines attributes of switches based on VCMP roles. Table 13-1 describes VCMP
roles.
NOTE
l VCMP transparent and silent switches do not belong to any VCMP domain.
l If an edge switch in a VCMP domain needs to be managed, configure the edge switch as a VCMP
client. To prevent VCMP packets in the local VCMP domain from being transmitted to other VCMP
domains, disable VCMP on the edge switch interface connected to other VCMP domains.
Summary-Advert (sent by the VCMP server)
The VCMP server sends Summary-Advert packets to other devices in the local VCMP
domain to notify them of the domain name, device ID, configuration revision number, and
VLAN information. Summary-Advert packets are triggered in the following situations:
l The VCMP server sends a Summary-Advert packet every 5 minutes to ensure real-time
synchronization of VLAN information on the VCMP server and clients and prevent VLAN
information loss due to packet loss.
l The VCMP server configuration is changed. For example, VLANs are created or deleted,
the VCMP domain name or device ID is changed, and the VCMP server restarts.
l The VCMP server receives Advert-Request packets from VCMP clients in the same VCMP
domain.
Summary-Advert packets sent by the VCMP server carry the configuration revision number.
A VCMP client uses it to determine whether VLAN information sent from the VCMP server
is newer than the local VLAN information. If so, the VCMP client synchronizes VLAN
information with the VCMP server.
A configuration revision number is represented by an 8-digit hexadecimal number. The four
left-most bits indicate the change of the VCMP domain or device ID and the four right-most
bits indicate the VLAN change. Upon a VLAN change on the VCMP server, the configuration
revision number is automatically increased. When the VCMP domain name or device ID
changes, the four left-most bits of the configuration revision number are recalculated and the
four right-most bits are reset.
Figure 13-2 VLAN synchronization when the VCMP server configuration changes
[Figure. Recoverable labels: Silent, SwitchF, "4. Discard packets.", "VLAN 100 does not
need to be created.", Summary-Advert packet]
– If the VCMP client receives the packet for the first time, it learns the device ID,
revision number, and VLAN ID in the packet. If the VCMP domain name of the
VCMP client is empty, the VCMP client learns the VCMP domain name in the
packet.
– If it is not the first time the VCMP client receives the packet, the VCMP client
processes the packet as follows:
i. The VCMP client performs VCMP authentication for the Summary-Advert
packet according to the configured authentication password and the VCMP
domain name, device ID, and configuration revision number in the Summary-
Advert packet. After the Summary-Advert packet is authenticated, the VCMP
client proceeds to the next step.
ii. If the VCMP domain name and device ID are saved locally, the VCMP client
compares the local ones with those in the Summary-Advert packet. When the
local ones are the same as those in the packet, the VCMP client proceeds to the
next step.
iii. The VCMP client compares the local configuration revision number with that
in the Summary-Advert packet:
○ If the four left-most bits are different, the VCMP client synchronizes
VLAN information with the VCMP server according to the Summary-
Advert packet and learns the VCMP domain name and device ID.
○ If the four left-most bits are the same, the VCMP client checks whether
the local four right-most bits are smaller than or equal to those in the
Summary-Advert packet. If so, the VCMP client only synchronizes
VLAN information with the VCMP server.
iv. The VCMP client forwards the Summary-Advert packet to other devices in the
local VCMP domain.
Here, it is not the first time the VCMP client receives the Summary-Advert packet. The
VCMP client finds that the highest four bits in the local revision number are the same as
those in the Summary-Advert packet but the lowest four bits in the local revision number
are smaller than or equal to those in the Summary-Advert packet. The VCMP client
therefore synchronizes information of the VCMP server according to the Summary-
Advert packet, and creates VLAN 100 locally.
4. SwitchF directly discards the packet.
NOTE
l VLAN information synchronization is similar in other scenarios where Summary-Advert packets are
triggered.
l Within 30 minutes after a client synchronizes VLAN information from the server, the client
generates the vlan.dat file to store the current VLAN information. After the client restarts, the client
reads the vlan.dat file to obtain the VLAN information before the restart. The vlan.dat file cannot
be modified, deleted, or overwritten. The file is deleted when the following operations are
performed:
l Run the reset vcmp command to clear VCMP domain information.
l Run the vcmp role { server | silent | transparent } command to change the VCMP role to
non-client.
l Run the startup saved-configuration configuration-file command to configure a new
configuration file whose name is different from the name of the current configuration file.
l Run the reset saved-configuration command to delete the saved configuration file. This
operation will delete all the configuration.
In Figure 13-3:
l SwitchA: VCMP server
l SwitchB: VCMP transparent switch
l SwitchC and SwitchE: VCMP silent switches
l SwitchD: VCMP client
l SwitchF: new VCMP client
[Figure 13-3: diagram. Recoverable labels: Server (SwitchA); Transparent (SwitchB),
"Directly forward VCMP packets."; New client (SwitchF), "Trigger an Advert-Request
packet.", "Synchronize VLAN information on the server."; legend: Summary-Advert packet,
Advert-Request packet]
After SwitchF is configured with VCMP and specified as a VCMP client, SwitchF becomes
the new VCMP client.
NOTE
Advert-Request packets are triggered when a VCMP client restarts or a VCMP interface goes Up.
VLAN information synchronization is similar.
Multi-Server Trap
Only one VCMP server exists in a VCMP domain. To prevent attacks of bogus VCMP
servers, the VCMP server matches the VCMP domain name, device ID, and source MAC
address in the received Summary-Advert packets with local ones. If the VCMP domain name
and device ID match local ones but the source MAC address in the packet is different from
the system MAC address, the VCMP server sends a trap about the multi-server event to the
NMS.
To prevent the VCMP server from being affected by too many traps, the VCMP server sends
traps to the NMS once every 30 minutes.
VCMP Authentication
When an unauthorized switch joins a VCMP domain, VLAN information on the switch may
be synchronized in the VCMP domain, affecting network stability. To prevent unauthorized
switches from joining a VCMP domain and enhance VCMP domain security, configure a
VCMP domain authentication password on the VCMP server and clients.
If the VCMP domain authentication password is configured on the VCMP server or a VCMP
client, the VCMP server or VCMP client uses the password character string (an empty
character string is used by default) as the key and performs SHA-256 on the VCMP domain
name and device ID to obtain a digest. Then the VCMP server encapsulates the digest in a
Summary-Advert packet or the VCMP client encapsulates the digest in an Advert-Request packet. When
each VCMP client in the VCMP domain receives a Summary-Advert packet from the VCMP
server, the VCMP client uses the locally configured password to perform SHA-256 for the
VCMP domain name, device ID, and configuration revision number, and compares the
calculated digest with the digest in the Summary-Advert packet. If the calculated digest
matches the digest in the Summary-Advert packet, the Summary-Advert packet passes
authentication and further VCMP processing is performed. Otherwise, the Summary-Advert
packet is discarded. When the VCMP server receives an Advert-Request packet from a
VCMP client, authentication and processing are similar.
If no domain authentication password is set, VCMP packets pass without authentication.
NOTE
l In a VCMP domain, the VCMP domain authentication password on the VCMP server and clients
must be the same.
l To ensure device security, change the password periodically.
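The client-side handling of Summary-Advert packets described earlier and the digest check described in this section can be modelled together as follows. This is an added example, not Huawei code: the HMAC-SHA256 construction, the field separator, the reading of the revision number as two 4-digit halves, the outcome of a device ID mismatch, and the names Client, SummaryAdvert, make_advert and process are assumptions, because the page does not give the packet layout.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def split_revision(rev):
    """Split an 8-digit hex revision into (domain/device-ID part, VLAN part)."""
    # ASSUMPTION: "four left-most/right-most" means the upper/lower 4 hex digits.
    if len(rev) != 8:
        raise ValueError("revision must be 8 hexadecimal digits")
    value = int(rev, 16)
    return value >> 16, value & 0xFFFF


def vcmp_digest(password, domain, device_id, revision):
    # ASSUMPTION: HMAC-SHA256 over NUL-joined fields stands in for the keyed
    # SHA-256 the page describes; the real byte layout is not given there.
    message = "\x00".join((domain, device_id, revision)).encode()
    return hmac.new(password.encode(), message, hashlib.sha256).digest()


@dataclass(frozen=True)
class SummaryAdvert:
    domain: str
    device_id: str
    revision: str
    vlans: frozenset
    digest: bytes


@dataclass
class Client:
    password: str = ""   # "" means no domain authentication password is set
    domain: str = ""
    device_id: str = ""  # server device ID, learned from the first packet
    revision: str = ""
    vlans: set = field(default_factory=lambda: {1})


def make_advert(password, domain, device_id, revision, vlans):
    """Build a constructed Summary-Advert as a sender holding `password` would."""
    digest = vcmp_digest(password, domain, device_id, revision)
    return SummaryAdvert(domain, device_id, revision, frozenset(vlans), digest)


def process(client, pkt):
    """Return the action the modelled client takes for one Summary-Advert."""
    # Enforced only when a password is set; otherwise packets pass unchecked.
    if client.password:
        expected = vcmp_digest(client.password, pkt.domain, pkt.device_id,
                               pkt.revision)
        if not hmac.compare_digest(expected, pkt.digest):
            return "discard: authentication failed"

    # Switches in different VCMP domains do not synchronize VLAN information.
    if client.domain and client.domain != pkt.domain:
        return "discard: different domain"

    # First packet: learn device ID, revision, VLANs, and domain if unset.
    if not client.device_id:
        client.domain = client.domain or pkt.domain
        client.device_id, client.revision = pkt.device_id, pkt.revision
        client.vlans = set(pkt.vlans)
        return "learn: first packet"

    # Step ii: must match the learned server (dropping a mismatch is assumed).
    if pkt.device_id != client.device_id:
        return "discard: unknown device ID"

    # Step iii: compare the two halves of the revision number.
    local_hi, local_lo = split_revision(client.revision)
    pkt_hi, pkt_lo = split_revision(pkt.revision)
    if local_hi != pkt_hi:
        action = "sync VLANs and relearn domain/device ID"
    elif local_lo <= pkt_lo:
        action = "sync VLANs"
    else:
        return "keep local VLANs"
    client.revision, client.vlans = pkt.revision, set(pkt.vlans)
    return action


def demo():
    """Constructed scenario: one client with a password, one without."""
    pw = "Constructed-Pass-1"
    protected, unprotected = Client(password=pw, domain="vd1"), Client()
    packets = [
        make_advert(pw, "vd1", "server", "00010001", {1, 10}),
        make_advert(pw, "vd1", "server", "00010002", {1, 10, 100}),
        make_advert(pw, "vd1", "server", "00010001", {1, 10}),   # stale
        make_advert("", "vd1", "server", "00010009", {1}),       # no password
    ]
    log = [(process(protected, p), process(unprotected, p)) for p in packets]
    return log, protected.vlans, unprotected.vlans


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

In this model the last constructed packet is discarded by the client that has a password, while the client without one applies it and is left with VLAN 1 only, which is the outcome the domain authentication password is meant to prevent.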
[Figure: networking diagram. Recoverable labels: Internet, Router, Core switch,
Department A, Department B, Server, Server, VCMP1, AGG1, AGG2, VCMP2]
NOTE
VCMP packets can be transmitted only on trunk and hybrid interfaces. When deploying VCMP, you
need to deploy LNP to dynamically negotiate the link type, which simplifies user configurations. For
details about LNP, see 5.2.5 LNP.
Licensing Requirements
VCMP configuration commands are available only after the S1720GW, S1720GWR, and
S1720X have the license (WEB management to full management Electronic RTU License)
loaded and activated and the switches are restarted. VCMP configuration commands on other
models are not under license control.
For details about how to apply for a license, see S Series Switch License Use Guide.
Version Requirements
S5700EI V200R005(C00&C01&C02&C03)
S5700SI V200R005C00
S5710EI V200R005(C00&C02)
S5700HI V200R005(C00SPC500&C01&C02)
S5710HI V200R005(C00&C02&C03)
S5730SI V200R011C10
S5730S-EI V200R011C10
NOTE
For details about software mappings, see Hardware Query Tool.
Feature Limitations
l VCMP can only help the network administrator synchronize VLAN information but not
dynamically assign interfaces to VLANs. VCMP is often used with LNP to simplify user
configurations. For details about LNP, see "LNP" in "VLAN Configuration" in the
Configuration Guide - Ethernet Switching of the corresponding product version.
l VCMP packets can be transmitted only in VLAN 1. By default, all interfaces join VLAN
1. To prevent loops, deploy a loop prevention protocol such as STP in addition to VCMP.
After STP is deployed, blocked interfaces cannot receive or send VCMP packets.
l By default, a switch is a VCMP client. After a switch is upgraded from a version earlier
than V200R005C00 to V200R005C00 or a later version, the role of the switch is silent.
When the value of Server ID in the display vcmp status command output is not empty, the device
used as a VCMP client has been connected to a VCMP server.
Context
VCMP implements centralized VLAN management and manages network devices based on
VCMP domains (for details, see VCMP Domain). VCMP defines four roles: server, client,
transparent, and silent (for details, see VCMP Roles). Switches added to a VCMP domain as
clients are managed by the VCMP server in the same VCMP domain. After a VLAN is
created or deleted on the VCMP server, VCMP clients automatically synchronize VLAN
information with the server. VCMP reduces the workload on modifying the same VLAN
information on multiple switches and ensures VLAN information consistency.
You are advised to configure VCMP on an enterprise network as follows:
l Configure an aggregation or core switch as the VCMP server. Only one VCMP server
exists in a VCMP domain.
l Configure access switches as VCMP clients.
l Configure switches that do not need to be managed by the VCMP server and are located
between the VCMP server and clients as VCMP transparent switches.
l Configure edge devices connected to other networks as VCMP silent switches to prevent
the connected networks from being affected.
A VCMP client identifies the VCMP server by device ID. The VCMP client obtains the
device ID of the VCMP server from the first received VCMP packet, and synchronizes VLAN
information with only the VCMP server specified by the device ID. The device ID of the
VCMP server learned by a VCMP client remains unchanged unless the role of the VCMP
client changes. The VCMP server can receive and transmit VCMP packets and achieve
centralized management only when being configured with the device ID.
When an unauthorized switch is added to a VCMP domain, VCMP clients in this VCMP
domain may synchronize VLAN information of the unauthorized switch, affecting network
stability. To prevent unauthorized switches from joining a VCMP domain, configure an
authentication password on the VCMP server and clients in the VCMP domain.
Pre-configuration Tasks
Before configuring VCMP, complete the following tasks:
l Connect interfaces and set physical parameters of the interfaces to ensure that the
physical status of the interfaces is Up. For details, see Ethernet Interface Configuration
in the S1720, S2700, S5700, and S6720 V200R011C10 Configuration Guide - Interface
Management.
l Configure the link type of interfaces as trunk or hybrid so that the interfaces can
forward VCMP packets.
NOTE
l VCMP is often used with LNP to dynamically negotiate the link type, which simplifies user
configurations. For detailed LNP configuration, see steps 1 to 6 in 5.7.2 Configuring
Interface-based VLAN Assignment (LNP Dynamically Negotiates the Link Type).
l You can run the display lnp summary command to check whether LNP is configured on the
switch and check the link type of the interface. If LNP is not configured on the switch or the
link type of the interface is not trunk or hybrid, run the port link-type { hybrid | trunk }
command to configure the link type of the interface.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vcmp role { client | server | silent | transparent }
A VCMP role of the switch is configured.
By default, switches in a VCMP domain are VCMP clients.
NOTE
After a switch is upgraded from a version earlier than V200R005C00 to V200R005C00 or a later
version, the role of the switch is silent.
Step 3 Perform the following operations based on the VCMP role of the switch.
l Perform the following operations on the VCMP server:
a. Run vcmp domain domain-name
A VCMP domain is configured.
By default, no VCMP domain is created.
All switches in a VCMP domain must use the same VCMP domain name.
Each switch can be added to only one VCMP domain.
b. Run vcmp device-id device-name
A device ID is set for the VCMP server.
By default, no device ID is set for the VCMP server.
c. (Optional) Run vcmp authentication sha2-256 password password
A VCMP domain authentication password is configured.
The VCMP server and clients in a VCMP domain must be configured with the same
authentication password. To ensure device security, change the password
periodically.
By default, no authentication password is configured in a VCMP domain, and
VCMP packets pass authentication.
l Perform the following operations on a VCMP client:
a. (Optional) Run vcmp domain domain-name
A VCMP domain is configured.
By default, no VCMP domain is created.
All switches in a VCMP domain must use the same VCMP domain name. If the
domain name is not set on a VCMP client, the VCMP client learns the domain
name in the first received VCMP packet.
NOTE
If an edge switch in a VCMP domain needs to be managed, configure the edge switch as a VCMP client.
To prevent VCMP packets in the local VCMP domain from being transmitted to other VCMP domains,
run the vcmp disable command to disable VCMP on the edge switch interface connected to other
VCMP domains.
To protect the switch against attacks of bogus VCMP servers, enable the VCMP trap function.
When receiving VCMP packets from bogus VCMP servers, the switch sends traps about the
multi-server event to the NMS.
----End
l Run the display vcmp status command to check the VCMP configuration, including the
VCMP domain name, VCMP role, device ID, configuration revision number, and VCMP
domain authentication password.
l Run the display vcmp interface brief command to check the VCMP status on Layer 2
Ethernet interfaces.
Procedure
l Run the display vcmp counters command in any view to view statistics on VCMP
packets.
l Run the display vcmp track command in any view to view the VLAN change trace on
the VCMP client.
----End
VCMP running information cannot be restored after being cleared. Therefore, exercise
caution when you run these clearing commands.
Procedure
l Run the reset vcmp command in the user view to clear learned VCMP information.
l Run the reset vcmp track command in the user view to clear the existing VLAN change
trace.
----End
Networking Requirements
As shown in Figure 13-5, the enterprise branch network is a Layer 2 network. The AGG is
the aggregation switch, ACC1 to ACC3 are access switches, and ACC1 is connected to
visitors. As the enterprise branch scale increases, the network administrator needs to
configure and maintain too much VLAN information. The workload is heavy and
configuration errors can easily occur. The administrator requires that the VLAN configuration
and maintenance workload be reduced and rights of visitors connected to the branch network
be limited. VLANs on ACC1 are required to be configured and maintained independently.
[Figure 13-5: networking diagram. Recoverable labels: Internet, Router, Server, AGG,
GE0/0/1, GE0/0/2, GE0/0/3]
Configuration Roadmap
VCMP can be deployed on the enterprise branch network by configuring the AGG as the
VCMP server, ACC2 and ACC3 as VCMP clients, and ACC1 as a VCMP silent switch. In
this way, the network administrator only needs to modify VLAN information on the AGG.
The AGG sends the modified VLAN information to ACC1, ACC2, and ACC3 on the
enterprise branch network. ACC2 and ACC3 synchronize VLAN information with the AGG,
whereas ACC1 does not. VCMP reduces the workload on modifying the same VLAN
information on multiple switches and allows the independent VLAN configuration on ACC1.
To relieve the network administrator from setting the link type, configure LNP to
automatically negotiate the link type.
The configuration roadmap is as follows:
1. Configure LNP to automatically negotiate the link type, which simplifies user
configurations.
2. Specify VCMP roles for switches to determine the VCMP management scope,
administrative switch, and managed switches.
3. Set VCMP parameters such as the authentication password and device ID on the VCMP
server and clients to ensure secure communication and identity identification between
the VCMP server and clients.
4. Enable VCMP.
Procedure
Step 1 Configure LNP to automatically negotiate the link type.
By default, LNP is enabled globally and on all interfaces. That is, the link type of the
interfaces will be automatically negotiated through LNP.
You can run the display lnp summary command to check whether LNP is enabled globally
and on an interface (Global LNP and link-type(C) fields) and check the link type of the
interface (link-type(N)).
l If LNP is not enabled globally or on an interface, perform the following operations:
# Enable global LNP. The configurations of ACC1, ACC2, and ACC3 are similar to the
configuration of the AGG, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname AGG
[AGG] undo lnp disable
# Enable LNP on interfaces. The configurations of ACC1, ACC2, and ACC3 are similar
to the configuration of the AGG, and are not mentioned here.
[AGG] interface GigabitEthernet 0/0/1
[AGG-GigabitEthernet0/0/1] undo port negotiation disable
[AGG-GigabitEthernet0/0/1] port link-type negotiation-desirable
[AGG-GigabitEthernet0/0/1] quit
[AGG] interface GigabitEthernet 0/0/2
[AGG-GigabitEthernet0/0/2] undo port negotiation disable
[AGG-GigabitEthernet0/0/2] port link-type negotiation-desirable
[AGG-GigabitEthernet0/0/2] quit
[AGG] interface GigabitEthernet 0/0/3
[AGG-GigabitEthernet0/0/3] undo port negotiation disable
[AGG-GigabitEthernet0/0/3] port link-type negotiation-desirable
[AGG-GigabitEthernet0/0/3] quit
l If LNP is enabled globally and on an interface but the link type of the interface
connecting switches is Access, run the port link-type { trunk | hybrid } command to
specify the link type of the interface so that VCMP can work properly.
Step 2 Specify VCMP roles for switches.
# Configure the AGG as the VCMP server.
[AGG] vcmp role server
On the AGG, run the vlan vlan-id command to create VLAN 10, and run the display vlan
summary command on ACC1, ACC2, and ACC3 respectively to view VLAN information.
The command output shows that ACC2 and ACC3 have synchronized VLAN information
with that on the AGG, whereas ACC1 has not.
[AGG] vlan 10
[AGG-vlan10] quit
[AGG] display vlan summary
Static VLAN:
Total 2 static VLAN.
1 10
Dynamic VLAN:
Total 0 dynamic VLAN.
Reserved VLAN:
Total 0 reserved VLAN.
[ACC1] display vlan summary
Static VLAN:
Total 1 static VLAN.
1
Dynamic VLAN:
Total 0 dynamic VLAN.
Reserved VLAN:
Total 0 reserved VLAN.
[ACC2] display vlan summary
Static VLAN:
Total 2 static VLAN.
1 10
Dynamic VLAN:
Total 0 dynamic VLAN.
Reserved VLAN:
Total 0 reserved VLAN.
[ACC3] display vlan summary
Static VLAN:
Total 2 static VLAN.
1 10
Dynamic VLAN:
Total 0 dynamic VLAN.
Reserved VLAN:
Total 0 reserved VLAN.
----End
Configuration Files
l AGG configuration file
#
sysname AGG
#
vcmp role server
vcmp domain vd1
vcmp device-id server
vcmp authentication sha2-256 password %^%#6dD+>}ffA7*[j2#]0%%GfN#;I}#.lQ2Yfb2b1y"0%^%#
#
vlan batch 10
#
return
#
interface GigabitEthernet0/0/2
vcmp disable
#
return
14 STP/RSTP Configuration
This chapter describes how to configure the Spanning Tree Protocol (STP) and Rapid
Spanning Tree Protocol (RSTP).
Definition
Generally, redundant links are used on an Ethernet switching network to provide link backup
and enhance network reliability. The use of redundant links, however, may produce loops,
causing broadcast storms and making the MAC address table unstable. As a result, network
communication may encounter quality deterioration or even be interrupted. STP solves this
problem.
Devices running STP exchange STP bridge protocol data units (BPDUs) to discover loops on
the network and block some ports to prune the network into a loop-free tree network. STP
prevents infinite looping of packets to ensure packet processing capabilities of switches.
The STP network convergence speed is slow, so IEEE released 802.1w in 2001, which
introduces RSTP. RSTP improves STP to speed up network convergence.
Purpose
After a spanning tree protocol is configured on an Ethernet switching network, the protocol
calculates the network topology to implement the following functions:
l Loop prevention: The spanning tree protocol blocks redundant links to prevent potential
loops on the network.
l Link redundancy: If an active link fails and a redundant link exists, the spanning tree
protocol activates the redundant link to ensure network connectivity.
14.2.1 Background
STP prevents loops on a local area network (LAN). The switching devices running STP
exchange information with one another to discover loops on the network, and block certain
ports to eliminate loops. With the growth in scale of LANs, STP has become an important
protocol for a LAN.
[Figure 14-1: diagram. Recoverable labels: S1, S2, port1, port2, Host B, Data flow]
On the network shown in Figure 14-1, the following situations may occur:
l Broadcast storms cause a breakdown of the network.
If a loop exists on the network, broadcast storms may occur, leading to a breakdown of
the network. In Figure 14-1, STP is not enabled on the switching devices. If Host A
sends a broadcast request, both S1 and S2 receive the request on port 1 and forward the
request through their port 2. Then, S1 and S2 receive the request forwarded by each
other on port 2 and forward the request through port 1. As this process repeats, resources
on the entire network are exhausted, and the network finally breaks down.
l Assume that no broadcast storm has occurred on the network shown in Figure 14-1.
HostA sends a unicast packet to HostB. If HostB is temporarily removed from the
network at this time, the MAC address entry for HostB will be deleted on S1 and S2. The
unicast packet sent by HostA to HostB is received by port 1 on S1. S1 has no matching
MAC address entry, so the unicast packet is forwarded to port 2. Then port 2 on S2
receives the unicast packet from port 2 on S1 and sends it out through port 1. In addition,
port 1 on S2 also receives the unicast packet sent by HostA to HostB, and sends it out
through port 2. As such transmissions repeat, port 1 and port 2 on S1 and S2
continuously receive unicast packets from HostA. S1 and S2 modify the MAC address
entries continuously, causing the MAC address table to flap. As a result, MAC address
entries are damaged.
Root Bridge
A tree topology must have a root. As defined in STP, the device that functions as the root of a
tree network is called the root bridge.
There is only one root bridge on the entire STP network. The root bridge is the logical center
of the network but is not necessarily its physical center. The root bridge changes
dynamically with the network topology.
After network convergence, the root bridge generates and sends configuration BPDUs at a
specific interval. Upon receipt of the configuration BPDUs, non-root bridges check
whether the priority of the received BPDUs is higher than that of their local configuration
BPDUs. If the priority is higher, the non-root bridges update their configuration BPDU
information stored on their STP interfaces based on the information in the received BPDUs. If
the priority is lower, the non-root bridges discard the received configuration BPDUs.
NOTE
The port priority affects the role of a port in a specified spanning tree instance. For details, see
14.2.4 STP Topology Calculation.
l Path cost
The path cost is a port variable used for link selection. STP calculates path costs to select
robust links and blocks redundant links, and finally trims the network into a loop-free
tree topology.
On an STP network, a port's path cost to the root bridge is the sum of the path costs of all
ports between the port and the root bridge. This path cost is the root path cost.
[Figure 14-2: path cost (PC) and root path cost (RPC) diagram. Recoverable labels: ports A
and B; S3; S4; PC=100;RPC=100; PC=99;RPC=199; PC=200;RPC=100; PC=200;RPC=300]
l Root bridge
The root bridge is the bridge with the smallest BID. The smallest BID is discovered by
exchanging configuration BPDUs.
l Root port
The root port on an STP device is the port with the smallest path cost to the root bridge
and is responsible for forwarding data to the root bridge. An STP device has only one
root port, and there is no root port on the root bridge.
l Designated port
As shown in Figure 14-3, AP1 and AP2 are ports of S1; BP1 and BP2 are ports of S2;
CP1 and CP2 are ports of S3.
– S1 sends configuration BPDUs to S2 through AP1, so S1 is the designated bridge
for S2, and AP1 is the designated port on S1.
– S2 and S3 are connected to the LAN. If S2 forwards configuration BPDUs to the
LAN, S2 is the designated bridge for the LAN, and BP2 is the designated port on
S2.
[Figure 14-3: S1 with ports AP1 and AP2, S2 with ports BP1 and BP2, S3 with ports CP1 and CP2; S2 and S3 connect to the LAN]
After the root bridge, root ports, and designated ports are selected successfully, a tree
topology is set up on the entire network. When the topology is stable, only the root port and
designated ports forward traffic. The other ports are in the Blocking state; they only receive
STP BPDUs and do not forward user traffic.
Comparison Principles
During role election, STP devices compare four fields, which form a BPDU priority vector
{root ID, root path cost, sender BID, PID}.
Field | Description
Root ID | ID of the root bridge. Each STP network has only one root bridge.
Root path cost | Path cost to the root bridge. It is determined by the distance between the port sending the configuration BPDU and the root bridge.
Sender BID | BID of the device that sends the configuration BPDU.
After a device on the STP network receives a configuration BPDU, it compares the fields
listed in Table 14-2 with its own values. The four comparison principles are as follows:
l Smallest BID: used to select the root bridge. Devices on an STP network select the
device with the smallest BID based on the root ID field in Table 14-2.
l Smallest root path cost: used to select the root port on a non-root bridge. On the root
bridge, the path cost of each port is 0.
l Smallest sender BID: used to select the root port among ports with the same root path
cost. The port with the smallest BID is selected as the root port in STP calculation. For
example, S2 has a smaller BID than S3 in Figure 14-2. If the BPDUs received on port A
and port B of S4 contain the same root path cost, port B becomes the root port on S4
because the BPDU received on port B has a smaller sender BID.
l Smallest PID: used to determine which port should be blocked when multiple ports have
the same root path cost. The port with the greatest PID is blocked. The PIDs are
compared in the scenario shown in Figure 14-4. The BPDUs received on port A and port
B of S1 contain the same root path cost and sender BID. Port A has a smaller PID than
port B. Therefore, port B is blocked to prevent loops.
[Figure 14-4: S1 and S2 with ports A and B; legend: designated port, blocked port]
Port States
Table 14-3 describes the possible states of ports on an STP device.
Forwarding | A port in Forwarding state can forward user traffic and process BPDUs. | Only the root port and designated port can enter the Forwarding state.
Learning | When a port is in Learning state, the device creates MAC address entries based on user traffic received on the port but does not forward user traffic through the port. | This is a transitional state, which is designed to prevent temporary loops.
Listening | All ports are in Listening state before the root bridge, root port, and designated port are selected. | This is a transitional state.
Blocking | A port in Blocking state receives and processes only BPDUs, and does not forward user traffic. | This is the final state of a blocked port.
[Figure: STP port state transitions among Disabled or Down, Blocking, Listening, Learning, and Forwarding; transitions labeled ① to ⑤]
NOTE
By default, a Huawei network device uses the MSTP mode. After a device transitions from the MSTP
mode to the STP mode, its STP ports support only those states defined in MSTP, which are Forwarding,
Learning, and Discarding. Table 14-4 describes the three port states.
Port State | Description
Forwarding | A port in Forwarding state can forward user traffic and process BPDUs.
Learning | This is a transitional state. When a port is in Learning state, it can send and receive BPDUs, but does not forward user traffic. The device creates MAC address entries based on user traffic received on the port but does not forward user traffic through the port.
The following parameters affect the STP port states and convergence.
l Hello Time
The Hello Time specifies the interval at which an STP device sends configuration BPDU
packets to detect link failures.
When the Hello Time is changed, the new value takes effect only after a new root bridge
is elected. The new root bridge adds the new Hello Time value in BPDUs it sends to
non-root bridges. When the network topology changes, TCN BPDUs are transmitted
immediately, independent of the Hello Time.
l Forward Delay
The Forward Delay timer specifies the length of delay before a port state transition.
When a link fails, STP calculation is triggered and the spanning tree structure changes.
However, new configuration BPDUs cannot be immediately spread over the entire
network. If the new root port and designated port forward data immediately, transient
loops may occur. Therefore, STP defines a port state transition delay mechanism. The
newly selected root port and designated port must wait for two Forward Delay intervals
before transitioning to the Forwarding state. Within this period, the new configuration
BPDUs can be transmitted over the network, preventing transient loops.
The default Forward Delay timer value is 15 seconds. This means that the port stays in
the Listening state for 15 seconds and then stays in the Learning state for another 15
seconds before transitioning to the Forwarding state. The port is blocked when it is in the
Listening or Learning state, which is key to preventing transient loops.
l Max Age
The Max Age specifies the aging time of BPDUs. This parameter is configurable on the
root bridge.
The Max Age is spread to the entire network with configuration BPDUs. After a non-root
bridge receives a configuration BPDU, it compares the Message Age value with the
Max Age value in the received configuration BPDU.
– If the Message Age value is smaller than or equal to the Max Age value, the non-root
bridge forwards the configuration BPDU.
– If the Message Age value is larger than the Max Age value, the non-root bridge
discards the configuration BPDU. When this happens, the network size is
considered too large and the non-root bridge disconnects from the root bridge.
If the configuration BPDU is sent from the root bridge, the value of Message Age is 0.
Otherwise, the value of Message Age is the total time spent to transmit the BPDU from
the root bridge to the local bridge, including the transmission delay. In real world
situations, the Message Age value of a configuration BPDU increases by 1 each time the
configuration BPDU passes through a bridge.
Configuration BPDU
Configuration BPDUs are used most commonly and are sent to exchange topology
information among STP devices.
Each bridge actively sends configuration BPDUs during initialization. After the network
topology becomes stable, the designated port of each device periodically sends configuration
BPDUs. A configuration BPDU is at least 35 bytes long, including the parameters such as the
BID, root path cost, and PID. A bridge processes a received configuration BPDU only when it
finds that at least one of the sender BID and PID is different from that on the local receive
port. If both fields are the same as those on the receive port, the bridge drops the configuration
BPDU. In this way, the bridge does not need to process BPDUs with the same information as
the local port.
A configuration BPDU is sent in one of the following scenarios:
l After STP is enabled on ports of a device, the designated port on the device sends
configuration BPDUs at Hello intervals.
l When a root port receives a configuration BPDU with a priority higher than that of its
own configuration BPDU, the device where the root port resides updates the
configuration BPDU information stored on its STP ports based on the information in the
received configuration BPDU and sends the information to a downstream device through
a designated port. In contrast, if the root port receives a configuration BPDU with a
priority lower than that of its own configuration BPDU, the root port discards the
received configuration BPDU.
l When a designated port receives an inferior configuration BPDU, the designated port
immediately sends its own configuration BPDU to the downstream device.
Table 14-6 describes fields in a BPDU.
BPDU Type | 1 | Indicates the type of a BPDU. The value is one of the following: 0x00 (configuration BPDU) or 0x80 (TCN BPDU).
Root Path Cost | 4 | Indicates the accumulated path cost from a port to the root bridge.
Bridge Identifier | 8 | Indicates the BID of the bridge that sends the BPDU.
Port Identifier | 2 | Indicates the ID of the port that sends the BPDU.
Message Age | 2 | Records the time that has elapsed since the original BPDU was generated on the root bridge. If the configuration BPDU is sent from the root bridge, the value of Message Age is 0. Otherwise, the value of Message Age is the total time spent to transmit the BPDU from the root bridge to the local bridge, including the transmission delay. In real world situations, the Message Age value of a configuration BPDU increases by 1 each time the configuration BPDU passes through a bridge.
Forward Delay | 2 | Indicates the period during which a port stays in the Listening and Learning states.
Figure 14-7 shows the Flags field. Only the leftmost and rightmost bits are used in STP.
[Figure 14-7: Flags field, Bit7 to Bit0]
TCN BPDU
A TCN BPDU contains only three fields: Protocol Identifier, Version, and Type, as shown in
Table 14-6. The Type field is four bytes long and is fixed at 0x80.
When the network topology changes, TCN BPDUs are transmitted upstream until they reach
the root bridge. A TCN BPDU is sent in either of the following scenarios:
l A port transitions to the Forwarding state.
l A designated port receives a TCN BPDU and sends a copy to the root bridge.
BPDU Exchange
Figure 14-8 shows the initial information exchange process. The four parameters in a pair of
brackets represent the root ID (S1_MAC and S2_MAC are BIDs of the two devices), root
path cost, sender BID, and PID carried in configuration BPDUs. Configuration BPDUs are
sent at Hello intervals.
[Figure 14-8: S1 (port A) and S2 (port B) exchanging configuration BPDUs; S2 sends {S2_MAC,0,S2_MAC,B_PID}]
1 A non-root bridge device selects the port that receives the optimal configuration
BPDU as the root port. Table 14-8 describes the process of selecting the optimal
configuration BPDU.
2 The device generates a configuration BPDU for each port and calculates the
fields in the configuration BPDU based on the configuration BPDU on the root
port and path cost of the root port:
l Replaces the root ID with the root ID in the configuration BPDU on the root
port.
l Replaces the root path cost with the sum of the root path cost in
configuration BPDU on the root port and the path cost of the root port.
l Replaces the sender BID with the local BID.
l Replaces the PID with the local port ID.
3 The device compares the calculated configuration BPDU with the configuration
BPDU received on the port:
l If the calculated configuration BPDU is superior, the port is selected as the
designated port and periodically sends the calculated configuration BPDU.
l If the port's own configuration BPDU is superior, the configuration BPDU
on the port is not updated and the port is blocked. After that, the port only
receives BPDUs, and does not forward data or send BPDUs.
1 Each port compares the received configuration BPDU with its own
configuration BPDU:
l If the received configuration BPDU is inferior, the port discards the received
configuration BPDU and retains its own configuration BPDU.
l If the received configuration BPDU is superior, the port replaces its own
configuration BPDU with the received one.
l If the received configuration BPDU is the same, the port discards the
received configuration BPDU.
2 The device compares configuration BPDUs on all the ports and selects the
optimal one.
[Figure 14-9: DeviceA, DeviceB (Priority=1), and DeviceC (Priority=2); Port B1 and Port C1 face DeviceA, Port B2 and Port C2 connect DeviceB and DeviceC (path cost=4); legend: root port, designated port, blocked port]
As shown in Figure 14-9, DeviceA, DeviceB, and DeviceC are deployed on the network,
with priorities 0, 1, and 2, respectively. The path costs between DeviceA and DeviceB,
DeviceA and DeviceC, and DeviceB and DeviceC are 5, 10, and 4, respectively.
1. Initial state of each device
Table 14-9 lists the initial state of each device.
DeviceA
l Port A1 receives the configuration BPDU {1, 0, 1, Port B1} from Port B1 and finds it
inferior to its own configuration BPDU {0, 0, 0, Port A1}, so Port A1 discards the
received configuration BPDU.
l Port A2 receives the configuration BPDU {2, 0, 2, Port C1} from Port C1 and finds it
inferior to its own configuration BPDU {0, 0, 0, Port A2}, so Port A2 discards the
received configuration BPDU.
l DeviceA finds that the root bridge and designated bridge specified in the
configuration BPDUs on its ports are both itself. Therefore, DeviceA considers itself as
the root bridge and periodically sends configuration BPDUs from each port without
modifying the BPDUs.
Configuration BPDU on each port after the comparison:
l Port A1: {0, 0, 0, Port A1}
l Port A2: {0, 0, 0, Port A2}

DeviceB
l Port B1 receives the configuration BPDU {0, 0, 0, Port A1} from Port A1 and finds it
superior to its own configuration BPDU {1, 0, 1, Port B1}, so Port B1 updates its
configuration BPDU.
l Port B2 receives the configuration BPDU {2, 0, 2, Port C2} from Port C2 and finds it
inferior to its own configuration BPDU {1, 0, 1, Port B2}, so Port B2 discards the
received configuration BPDU.
Configuration BPDU on each port after the comparison:
l Port B1: {0, 0, 0, Port A1}
l Port B2: {1, 0, 1, Port B2}

DeviceC
l Port C1 receives the configuration BPDU {0, 0, 0, Port A2} from Port A2 and finds it
superior to its own configuration BPDU {0, 0, 0, Port C1}, so Port C1 updates its
configuration BPDU.
l Port C2 receives the configuration BPDU {1, 0, 1, Port B2} from Port B2 and finds it
superior to its own configuration BPDU {1, 0, 1, Port C2}, so Port C2 updates its
configuration BPDU.
Configuration BPDU on each port after the comparison:
l Port C1: {0, 0, 0, Port A2}
l Port C2: {1, 0, 1, Port B2}

l Port C2 receives the configuration BPDU {0, 5, 1, Port B2} from Port B2 and finds it
superior to its own configuration BPDU {0, 10, 2, Port C2}, so Port C2 updates its
configuration BPDU.
l Port C1 receives the configuration BPDU {0, 0, 0, Port A2} from Port A2 and finds it the
same as its own configuration BPDU, so Port C1 discards the received configuration
BPDU.
Configuration BPDU on each port after the comparison:
l Port C1: {0, 0, 0, Port A2}
l Port C2: {0, 5, 1, Port B2}

l The root path cost of Port C1 is 10 (root path cost 0 in the received configuration BPDU
plus the link path cost 10), and the root path cost of Port C2 is 9 (root path cost 5 in the
received configuration BPDU plus the link path cost 4). DeviceC finds that Port C2 has
a smaller root path cost and therefore considers the configuration BPDU of Port C2
superior to that of Port C1. DeviceC then selects Port C2 as the root port and retains its
configuration BPDU.
l DeviceC calculates the configuration BPDU {0, 9, 2, Port C1} for Port C1 based on the
configuration BPDU and path cost of the root port, and finds the calculated configuration
BPDU inferior to the original configuration BPDU {0, 0, 0, Port A2} on Port C1.
DeviceC blocks Port C1 and does not update its configuration BPDU. Port C1 no longer
forwards data until STP recalculation is triggered, for example, when the link between
DeviceB and DeviceC is Down.
Configuration BPDU on each port after the comparison:
l Blocked port (Port C1): {0, 0, 0, Port A2}
l Root port (Port C2): {0, 5, 1, Port B2}
After the topology becomes stable, the root bridge still sends configuration BPDUs at a
specific interval. If the received configuration BPDU is superior, a non-root bridge replaces
the configuration BPDU on the corresponding port with the received configuration BPDU. If
the received configuration BPDU is inferior or the same, a non-root bridge discards the
received configuration BPDU.
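The DeviceA/DeviceB/DeviceC calculation above can be reproduced with a short simulation. This is an added example, not code from the guide or from the switch software; it assumes the same simplification the example uses (the BID is reduced to the priority value), represents the PID by the port number, and exchanges BPDUs in synchronous rounds.

```python
from typing import NamedTuple

class Vector(NamedTuple):
    """BPDU priority vector {root ID, root path cost, sender BID, PID}.
    Tuples compare field by field, so the smaller vector is the superior BPDU."""
    root_id: int
    root_path_cost: int
    sender_bid: int
    pid: int

# Constructed input mirroring the example topology. Assumptions: BID = priority
# value, PID = port number.
BRIDGES = {"A": 0, "B": 1, "C": 2}
LINKS = [(("A", 1), ("B", 1), 5),     # Port A1 <-> Port B1, path cost 5
         (("A", 2), ("C", 1), 10),    # Port A2 <-> Port C1, path cost 10
         (("B", 2), ("C", 2), 4)]     # Port B2 <-> Port C2, path cost 4

def elect(bridges, links, max_rounds=20):
    """Exchange BPDUs until nothing changes; return (roles, stored BPDU per port)."""
    cost, peer, stored = {}, {}, {}
    for a, b, c in links:
        for port, other in ((a, b), (b, a)):
            bid = bridges[port[0]]
            cost[port], peer[port] = c, other
            stored[port] = Vector(bid, 0, bid, port[1])   # every bridge starts as its own root
    roles = {}
    for _ in range(max_rounds):
        before = (dict(stored), dict(roles))
        # Ports still holding a BPDU generated by their own bridge transmit it.
        sent = {p: v for p, v in stored.items() if v.sender_bid == bridges[p[0]]}
        for port, bpdu in sent.items():
            if bpdu < stored[peer[port]]:         # superior: receiver replaces its BPDU
                stored[peer[port]] = bpdu         # inferior or same: discarded
        for name, bid in bridges.items():
            ports = [p for p in stored if p[0] == name]
            heard = [p for p in ports if stored[p].sender_bid != bid]
            root_port, root_id, rpc = None, bid, 0
            if heard:
                # Root port: smallest root ID, then root path cost including the
                # receiving port's path cost, then sender BID, sender PID, local PID.
                root_port = min(heard, key=lambda p: (
                    stored[p].root_id, stored[p].root_path_cost + cost[p],
                    stored[p].sender_bid, stored[p].pid, p[1]))
                root_id = stored[root_port].root_id
                rpc = stored[root_port].root_path_cost + cost[root_port]
            for p in ports:
                calculated = Vector(root_id, rpc, bid, p[1])
                if p == root_port:
                    roles[p] = "root"
                elif calculated <= stored[p]:     # calculated BPDU wins on this segment
                    roles[p], stored[p] = "designated", calculated
                else:
                    roles[p] = "blocked"          # keep the superior received BPDU
        if (stored, roles) == before:
            break
    return roles, stored

if __name__ == "__main__":
    roles, stored = elect(BRIDGES, LINKS)
    for port in sorted(roles):
        print("Port %s%d: %-10s %s" % (port[0], port[1], roles[port], tuple(stored[port])))
```

Passing `LINKS[:2]` models the DeviceB-DeviceC link going Down, after which Port C1 is recalculated as the root port of DeviceC.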
1. When the status of the interface at point T changes, a downstream device continuously
sends TCN BPDUs to the upstream device.
2. The upstream device processes only the TCN BPDUs received on the designated port
and drops TCN BPDUs on other ports.
3. The upstream device sets the TCA bit of the Flags field in the configuration BPDUs to 1
and returns the configuration BPDUs to instruct the downstream device to stop sending
TCN BPDUs.
4. The upstream device sends a copy of the TCN BPDUs toward the root bridge.
5. Steps 1, 2, 3 and 4 are repeated until the root bridge receives the TCN BPDUs.
6. The root bridge sets the TC and TCA bits of the Flags field in the configuration BPDUs
to 1. The TC bit set to 1 instructs the downstream device to delete MAC address entries,
and the TCA bit set to 1 instructs the downstream device to stop sending TCN BPDUs.
NOTE
l TCN BPDUs are used to inform the upstream device and root bridge of topology changes.
l Configuration BPDUs with the TCA bit set to 1 are used by the upstream device to inform the
downstream device that the topology changes are known and instruct the downstream device to stop
sending TCN BPDUs.
l Configuration BPDUs with the TC bit set to 1 are used by the upstream device to inform the
downstream device of topology changes and instruct the downstream device to delete MAC address
entries. In this manner, fast network convergence is achieved.
Disadvantages of STP
STP ensures a loop-free network but has a slow network topology convergence speed, leading
to service quality deterioration. If the network topology changes frequently, connections on
the STP network are frequently torn down, causing frequent service interruption. This is
unacceptable to users.
l STP does not distinguish port states and port roles clearly, making it difficult for less
experienced administrators to learn and deploy this protocol.
A network protocol that clearly defines and distinguishes different situations outperforms
the others that fail to do so.
– Ports in the Listening, Learning, and Blocking states are the same to users because
they are all prevented from forwarding service traffic.
– From the perspective of port use and configuration, the essential differences
between ports lie in the port roles rather than port states.
Both root and designated ports can be in Listening state or Forwarding state, so the
ports cannot be distinguished by their states.
l The STP algorithm determines topology changes after the timer expires, which slows
down network convergence.
l The STP algorithm requires that the root bridge should send configuration BPDUs after
the network topology becomes stable, and other devices process and spread the
configuration BPDUs to the entire network. This also slows down topology convergence.
l More port roles are defined to simplify the learning and deployment of the protocol.
[Figure 14-11: RSTP port roles on S1 (root bridge), S2, and S3; legend: root port, designated port, alternate port, backup port]
As shown in Figure 14-11, RSTP defines four port roles: root port, designated port,
alternate port, and backup port.
The functions of the root port and designated port are the same as those defined in STP.
The alternate port and backup port are described as follows:
Table 14-11 Comparison between port states defined in STP and RSTP
Disabled | Discarding | -
l RSTP changes the configuration BPDU format and uses the Flags field to describe port
roles.
RSTP retains the basic configuration BPDU format defined in STP and makes minor
changes:
– The value of the Type field is changed from 0 to 2. Devices running STP will drop
the configuration BPDUs sent from devices running RSTP.
– The Flags field uses the six bits reserved in STP. This configuration BPDU is called
an RST BPDU. Figure 14-12 shows the Flags field in an RST BPDU.
If a root port fails, the best alternate port becomes the root port and enters
Forwarding state. This is because the network segment connected to this alternate
port has a designated port connected to the root bridge.
When the port role changes, the network topology changes accordingly. For details,
see 14.2.6 RSTP Technology Details.
– Edge ports
In RSTP, a designated port on the network edge is called an edge port. An edge port
directly connects to a terminal and does not connect to any other switching devices.
An edge port does not participate in RSTP calculation. This port can transition from
the Disabled state to the Forwarding state immediately without a delay. An edge port becomes a
common STP port once it is connected to a switching device and receives a
configuration BPDU. The spanning tree needs to be recalculated, causing network
flapping.
l Protection functions
RSTP provides the following functions:
– BPDU protection
On a switching device, ports directly connected to a user terminal such as a PC or
file server are edge ports. Usually, no RST BPDUs are sent to edge ports. If a
switching device receives bogus RST BPDUs on an edge port, the switching device
automatically sets the edge port to a non-edge port and performs STP calculation.
This causes network flapping.
BPDU protection enables a switching device to set the state of an edge port to error-
down if the edge port receives an RST BPDU. In this case, the port remains the
edge port, and the switching device sends a notification to the NMS.
– Root protection
The root bridge on a network may receive superior RST BPDUs due to incorrect
configurations or malicious attacks. When this occurs, the root bridge can no longer
serve as the root bridge, causing an incorrect change of the network topology. As a
result, traffic may be switched from high-speed links to low-speed links, leading to
network congestion.
If root protection is enabled on a designated port, the port role cannot be changed.
When the designated port receives a superior RST BPDU, the port enters the
Discarding state and does not forward packets. If the port does not receive any
superior RST BPDUs within a period (generally two Forward Delay periods), the
port automatically enters the Forwarding state.
NOTE
specified period, the alternate port CP2 becomes the root port and CP1 becomes the
designated port. As a result, a loop occurs.
If the root port or alternate port does not receive BPDUs from the upstream device
for a long time, the switch enabled with loop protection sends a notification to the
NMS. The root port enters the Discarding state and becomes the designated port,
whereas the alternate port remains blocked and becomes the designated port. In this
case, loops will not occur. After link congestion clears or unidirectional link
failures are rectified, the port receives BPDUs for negotiation and restores its
original role and status.
NOTE
Loop protection takes effect only on the root port and alternate ports.
– TC BPDU attack defense
A switching device deletes its MAC address entries and ARP entries after receiving
TC BPDUs. If an attacker sends a large number of bogus TC BPDUs to the
switching device in a short time, the device frequently deletes MAC address entries
and ARP entries. This increases the load on the switching device and threatens
network stability.
After enabling TC BPDU attack defense on a switching device, you can set the
number of times the device processes TC BPDUs within a given time. If the number
of TC BPDUs that the switching device receives within the given time exceeds the
specified threshold, the switching device processes only the specified number of TC
BPDUs. Excess TC BPDUs are processed by the switching device as a whole after
the specified period expires. This function prevents the switching device from
frequently deleting its MAC address entries and ARP entries.
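The receive-side decisions described for BPDU protection, root protection, the Max Age check, and TC BPDU attack defense can be modelled as follows. This is an added example, not the switch's implementation: the port names, BIDs, and frames are constructed, the field layout is the standard 35-byte configuration BPDU with timers in 1/256-second units, and the order of the checks is an assumption.

```python
import struct
from dataclasses import dataclass

# 35 bytes: protocol ID, version, type, flags, root ID, root path cost, bridge ID,
# port ID, message age, max age, hello time, forward delay
FMT = "!HBBB8sI8sHHHHH"
TC, TCA = 0x01, 0x80                               # Flags: bit 0 = TC, bit 7 = TCA
LOCAL = bytes.fromhex("1000" "020000000001")       # constructed BID: priority 4096 + MAC
SUPERIOR = bytes.fromhex("0000" "0200000000ff")    # constructed BID with priority 0

def build_bpdu(root, cost, bridge, pid, flags=0, msg_age=0, max_age=20, btype=0x02):
    """Test fixture: pack a constructed BPDU (type 0x00 = STP, 0x02 = RST BPDU)."""
    version = 2 if btype == 0x02 else 0
    return struct.pack(FMT, 0, version, btype, flags, root, cost, bridge, pid,
                       msg_age * 256, max_age * 256, 2 * 256, 15 * 256)

def parse_bpdu(data: bytes) -> dict:
    """Decode the fixed 35-byte part of a configuration or RST BPDU."""
    if len(data) < struct.calcsize(FMT):
        raise ValueError("shorter than the 35-byte configuration BPDU")
    (proto, _ver, btype, flags, root, cost, bridge, pid,
     msg_age, max_age, _hello, _fwd) = struct.unpack_from(FMT, data)
    if proto != 0 or btype not in (0x00, 0x02):
        raise ValueError("not a configuration or RST BPDU")
    return {"vector": (root, cost, bridge, pid), "tc": bool(flags & TC),
            "message_age": msg_age / 256, "max_age": max_age / 256}

@dataclass
class Port:
    name: str
    edge: bool = False
    bpdu_protection: bool = False
    root_protection: bool = False
    best: tuple = None               # vector this designated port advertises
    state: str = "Forwarding"

@dataclass
class TcLimiter:
    threshold: int                   # TC BPDUs processed per interval
    interval: float                  # seconds
    start: float = 0.0
    handled: int = 0
    deferred: int = 0

    def flushes(self, now: float) -> int:
        """MAC/ARP flushes triggered by a TC BPDU arriving at `now`. The batched
        flush for excess TC BPDUs is accounted for on the first arrival after the
        interval ends (a device would run it from a timer)."""
        count = 0
        if now - self.start >= self.interval:
            count = 1 if self.deferred else 0       # excess handled as a whole
            self.start, self.handled, self.deferred = now, 0, 0
        if self.handled < self.threshold:
            self.handled += 1
            return count + 1
        self.deferred += 1
        return count

def handle_bpdu(port: Port, data: bytes, tc: TcLimiter, now: float):
    """Return (action, flushes) for one BPDU received on `port`."""
    bpdu = parse_bpdu(data)
    if port.edge:
        if port.bpdu_protection:
            port.state = "error-down"               # remains an edge port; NMS is notified
            return "error-down", 0
        port.edge = False                           # unprotected: becomes a non-edge port
        return "recalculate", 0
    if bpdu["message_age"] > bpdu["max_age"]:
        return "discard-aged", 0
    if port.root_protection and port.best is not None and bpdu["vector"] < port.best:
        port.state = "Discarding"                   # the port role is not changed
        return "root-protected", 0
    return "process", tc.flushes(now) if bpdu["tc"] else 0

def tc_flood_flushes(n=10, threshold=1, interval=2.0):
    """Constructed burst: n TC BPDUs 0.1 s apart, then one more after the interval."""
    tc, port = TcLimiter(threshold, interval), Port("trunk")
    frame = build_bpdu(LOCAL, 4, LOCAL, 2, flags=TC)
    times = [i / 10 for i in range(n)] + [interval + 0.5]
    return sum(handle_bpdu(port, frame, tc, t)[1] for t in times)
```

With the defaults, `tc_flood_flushes()` shows eleven TC BPDUs causing three flushes instead of eleven.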
[Figure: proposal/agreement exchange between S1 (port p0) and S2 (ports p1 to p4): 1 Proposal, 3 Agreement; legend: designated port, alternate port, E edge port]
NOTE
The proposal/agreement mechanism applies only to P2P full-duplex links between two switching
devices. When proposal/agreement fails, a designated port is elected after two Forward Delay intervals,
same as designated port election in STP mode.
STP Application
Loops often occur on a complex network, because multiple physical links are often deployed
between two devices to implement link redundancy. Loops may cause broadcast storms and
damage MAC address entries on network devices.
[Figure 14-15: STP deployed on the devices between the network and CE1 and CE2, with PC1 and PC2 attached; legend: blocked port]
As shown in Figure 14-15, STP is deployed on the devices. The devices exchange
information to discover loops on the network and block a port to trim the ring topology into a
loop-free tree topology. The tree topology prevents infinite looping of packets on the network
and ensures packet processing capabilities of the devices.
Setting STP parameters that affect STP convergence | STP cannot implement rapid convergence. However, you can set STP parameters, including the network diameter, timeout interval, Hello timer value, Max Age timer value, and Forward Delay timer value to speed up convergence. | 14.8 Setting STP Parameters That Affect STP Convergence
Setting RSTP parameters that affect RSTP convergence | RSTP supports link type and fast transition configuration on ports to implement rapid convergence. | 14.9 Setting RSTP Parameters that Affect RSTP Convergence
Licensing Requirements
STP or RSTP configuration commands are available only after the S1720GW, S1720GWR,
and S1720X have the license (WEB management to full management Electronic RTU
License) loaded and activated and the switches are restarted. STP or RSTP configuration
commands on other models are not under license control.
For details about how to apply for a license, see S Series Switch License Use Guide.
Version Requirements
S2710SI V100R006(C03&C05)
S5710-C-LI V200R001C00
S5730SI V200R011C10
S5730S-EI V200R011C10
NOTE
For details about software mappings, see Hardware Query Tool.
Feature Limitations
When STP or RSTP is enabled on a ring network, STP or RSTP immediately starts spanning
tree calculation. Parameters such as the device priority and port priority affect spanning tree
calculation, and the change of these parameters may cause network flapping. To ensure fast
and stable spanning tree calculation, configure parameters such as the device priority and port
priority before enabling STP or RSTP.
On a switch enabled with a spanning tree protocol, when a terminal connects to the switch,
spanning tree calculation is performed again. As a result, it takes a long period of time for the
terminal to obtain an IP address. In this case, disable the spanning tree protocol on the switch
port connected to the terminal or configure this switch port as the edge port.
Context
A switching device supports three working modes: STP, RSTP, and MSTP. Use the STP mode
on a ring network running only STP, and use the RSTP mode on a ring network running only
RSTP.
Procedure
Step 1 Run system-view
----End
Context
The root bridge of a spanning tree is automatically calculated. You can also manually specify
a root bridge or secondary root bridge.
l A spanning tree can have only one effective root bridge. When two or more devices are
specified as root bridges for a spanning tree, the device with the smallest MAC address is
elected as the root bridge.
l You can specify multiple secondary root bridges for each spanning tree. When the root
bridge fails or is powered off, a secondary root bridge becomes the new root bridge. If a
new root bridge is specified, the secondary root bridge will not become the root bridge.
If there are multiple secondary root bridges, the one with the smallest MAC address
becomes the root bridge of the spanning tree.
NOTE
It is recommended that you specify the root bridge and secondary root bridge when configuring
STP/RSTP.
Procedure
l Perform the following operations on the device to be used as the root bridge.
a. Run system-view
The system view is displayed.
b. Run stp root primary
The device is configured as the root bridge.
By default, a switching device does not function as the root bridge. After you run
this command, the priority value of the device is set to 0 and cannot be changed.
l Perform the following operations on the device to be used as the secondary root bridge.
a. Run system-view
The system view is displayed.
b. Run stp root secondary
The device is configured as the secondary root bridge.
By default, a switching device does not function as the secondary root bridge. After
you run this command, the priority value of the device is set to 4096 and cannot be
changed.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp priority priority
A priority is set for the switching device.
The default priority value of a switching device is 32768.
If the stp root primary or stp root secondary command has been executed to configure the
device as the root bridge or secondary root bridge, run the undo stp root command to disable
the root bridge or secondary root bridge function and then run the stp priority priority
command to set a priority.
----End
Table 14-14 Mappings between link rates and path cost values
Link Rate | Recommended Path Cost | Recommended Path Cost Range | Allowable Path Cost Range
10 Gbit/s | 2 | 2 to 20 | 1 to 200000
If a network has loops, it is recommended that you set a large path cost for ports with low link
rates. STP/RSTP then blocks these ports.
Procedure
Step 1 Run system-view
By default, the IEEE 802.1t standard (dot1t) is used to calculate the path cost.
All switching devices on a network must use the same path cost calculation method.
l When the Huawei calculation method is used, cost ranges from 1 to 200000.
l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.
----End
Context
In spanning tree calculation, priorities of the ports in a ring affect designated port election.
To block a port on a switching device, set a greater priority value than the default priority
value for the port.
Procedure
Step 1 Run system-view
----End
After STP/RSTP is enabled on a ring network, spanning tree calculation starts immediately on
the network. Configurations on a switching device, such as the device priority and port
priority, affect spanning tree calculation. Any change to these configurations may cause
network flapping. To ensure rapid, stable spanning tree calculation, perform basic
configuration on the switching device and its ports before enabling STP/RSTP.
Procedure
Step 1 Run system-view
The system view is displayed.
STP/RSTP-enabled devices calculate spanning trees by exchanging BPDUs. Therefore, all the
interfaces participating in spanning tree calculation must be enabled to send BPDUs to the
CPU for processing. By default, an interface is enabled to send BPDUs to the CPU. You can
run the bpdu enable command in interface view to enable an interface to send BPDUs to the
CPU. The S5720EI, S5720HI, S6720EI, and S6720S-EI do not support the bpdu command.
Step 2 Run stp enable
STP/RSTP is enabled on the switching device.
By default, STP/RSTP is enabled on a device. If you specify a VLANIF interface of a VLAN
as the management network interface for an MSTP-enabled device, you can run the
ethernet-loop-protection ignored-vlan command to specify this VLAN as an ignored VLAN. Then
interfaces in the ignored VLAN will not enter the Blocking state and stay in the Forwarding
state. Therefore, services will not be interrupted on these interfaces.
NOTE
For the S1720GFR, S2750EI, S5700LI, and S5700S-LI, a maximum of 64 STP-enabled ports in Up state are
recommended. If there are more than 64 STP-enabled ports in Up state, the CPU may be affected and faults
such as protocol flapping may occur.
For the S1720GW, S1720GWR, S1720GW-E, S1720GWR-E, S2720EI, S5710-X-LI, S5720LI, S5720S-LI,
S5730SI, S5730S-EI, S1720X, S1720X-E, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S5720SI, and
S5720S-SI, a maximum of 128 STP-enabled ports in Up state are recommended. If there are more
than 128 STP-enabled ports in Up state, the CPU may be affected and faults such as protocol
flapping may occur.
For the S5720EI, a maximum of 200 STP-enabled ports in Up state are recommended. If there are more than
200 STP-enabled ports in Up state, the CPU may be affected and faults such as protocol flapping may occur.
For the S5720HI, S6720EI, and S6720S-EI, a maximum of 256 STP-enabled ports in Up state are
recommended. If there are more than 256 STP-enabled ports in Up state, the CPU may be affected and faults
such as protocol flapping may occur.
----End
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths for associated VLANs
are changed. Switching devices need to update the ARP entries corresponding to those
VLANs. Depending on how switching devices process ARP entries, STP/RSTP convergence
mode can be fast or normal.
l In fast mode, ARP entries to be updated are directly deleted.
l In normal mode, ARP entries to be updated are rapidly aged.
The remaining lifetime of ARP entries to be updated is set to 0 to immediately age the
ARP entries out. If the number of ARP aging probes is greater than 0, the switching
device performs aging probe for these ARP entries.
Run the stp converge { fast | normal } command in the system view to configure the STP/
RSTP convergence mode.
By default, the normal STP/RSTP convergence mode is used. The normal mode is
recommended. If the fast mode is used, ARP entries will be frequently deleted, causing a high
CPU usage (even 100%). As a result, network flapping will frequently occur.
Pre-configuration Tasks
Before setting STP parameters that affect STP convergence, configure basic STP functions.
Context
Any two terminals on a switching network are connected through a specific path along
multiple devices. The network diameter is the maximum number of devices between any two
terminals. A larger network diameter indicates a larger network scale.
An improper network diameter may cause slow network convergence and affect
communication. Run the stp bridge-diameter command to set an appropriate network
diameter based on the network scale, which helps speed up convergence.
It is recommended that all devices be configured with the same network diameter.
Procedure
Step 1 Run system-view
NOTE
l RSTP uses a single spanning tree instance on the entire network. As a result, performance
deterioration cannot be prevented when the network scale grows. Therefore, the network diameter
cannot be larger than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the network
diameter. Then, the switching device calculates the optimal Forward Delay timer value, Hello timer
value, and Max Age timer value based on the configured network diameter.
----End
Context
If a device does not receive any BPDUs from the upstream device within the timeout interval,
the device considers the upstream device to have failed and recalculates the spanning tree.
Sometimes, a device cannot receive the BPDU from the upstream device within the timeout
interval because the upstream device is busy. In this case, recalculating the spanning tree will
cause a waste of network resources. To avoid wasting network resources, set a long timeout
interval on a stable network.
If a switching device does not receive any BPDUs from the upstream device within the
timeout interval, spanning tree recalculation is performed. The timeout interval is calculated
as follows:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp timer-factor factor
The Timer Factor value is set. This parameter determines the timeout interval during which
the device waits for BPDUs from the upstream device.
By default, the timeout period is 9 times the Hello timer value.
----End
To prevent frequent network flapping, make sure that the Hello Time, Forward Delay, and
Max Age timer values conform to the following formulas:
l 2 x (Forward Delay - 1.0 second) ≥ Max Age
l Max Age ≥ 2 x (Hello Time + 1.0 second)
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Set the Forward Delay, Hello Time, and Max Age timers.
1. Run stp timer forward-delay forward-delay
The Forward Delay timer is set for the switching device.
By default, the Forward Delay timer is 1500 centiseconds (15 seconds).
2. Run stp timer hello hello-time
The Hello Time is set for the switching device.
By default, the Hello Time is 200 centiseconds (2 seconds).
3. Run stp timer max-age max-age
The Max Age timer is set for the switching device.
By default, the Max Age timer is 2000 centiseconds (20 seconds).
----End
[Figure: SwitchA and SwitchB connected through Eth-Trunk1 and Eth-Trunk2, after configuration. Legend: root bridge, alternate port, root port, designated port.]
The maximum number of connections affects only the path cost of an Eth-Trunk interface
participating in spanning tree calculation, and does not affect the actual bandwidth of the Eth-
Trunk link. The actual bandwidth for an Eth-Trunk link depends on the number of active
member interfaces in the Eth-Trunk.
Procedure
Step 1 Run system-view
----End
Procedure
l Run the display stp [ interface interface-type interface-number | slot slot-id ] [ brief ]
command to view the spanning tree status and statistics.
----End
Pre-configuration Tasks
Before configuring RSTP parameters that affect RSTP convergence, configure basic RSTP
functions.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp bridge-diameter diameter
The network diameter is configured.
By default, the network diameter is 7.
NOTE
l RSTP uses a single spanning tree instance on the entire network. As a result, performance
deterioration cannot be prevented when the network scale grows. Therefore, the network diameter
cannot be larger than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the network
diameter. Then, the switching device calculates the optimal Forward Delay timer value, Hello timer
value, and Max Age timer value based on the configured network diameter.
----End
cause a waste of network resources. To avoid wasting network resources, set a long timeout
interval on a stable network.
If a switching device does not receive any BPDUs from the upstream device within the
timeout interval, spanning tree recalculation is performed. The timeout interval is calculated
as follows:
Timeout interval = Hello time x 3 x Timer Factor
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp timer-factor factor
The Timer Factor value is set. This parameter determines the timeout interval during which
the device waits for BPDUs from the upstream device.
By default, the timeout period is 9 times the Hello timer value.
----End
To prevent frequent network flapping, make sure that the Hello Time, Forward Delay, and
Max Age timer values conform to the following formulas:
l 2 x (Forward Delay - 1.0 second) ≥ Max Age
l Max Age ≥ 2 x (Hello Time + 1.0 second)
Procedure
Step 1 Run system-view
Step 2 Set the Forward Delay, Hello Time, and Max Age timers.
1. Run stp timer forward-delay forward-delay
----End
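The two timer formulas and the timeout interval formula above can be checked against a configuration before it is applied. The following Python code is an added example, not part of the Huawei guide: it reads stp timer and stp timer-factor lines (values in centiseconds, with this guide's defaults) and assumes a default Timer Factor of 3, derived from the stated default timeout of 9 times the Hello timer. The sample configuration is constructed.

```python
import re

# Defaults stated in this guide, in centiseconds.
DEFAULT_TIMERS = {"forward-delay": 1500, "hello": 200, "max-age": 2000}
# Assumption: default Timer Factor of 3, derived from "9 times the Hello
# timer" and Timeout interval = Hello time x 3 x Timer Factor.
DEFAULT_TIMER_FACTOR = 3

TIMER_RE = re.compile(r"^\s*stp timer (forward-delay|hello|max-age) (\d+)\s*$")
FACTOR_RE = re.compile(r"^\s*stp timer-factor (\d+)\s*$")

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
#
sysname SwitchA
#
stp mode rstp
stp timer forward-delay 1000
stp timer hello 400
stp timer-factor 5
#
return
"""


def parse_stp_timers(config_text):
    """Return (timers in centiseconds, timer factor); unset values keep defaults."""
    timers = dict(DEFAULT_TIMERS)
    factor = DEFAULT_TIMER_FACTOR
    for line in config_text.splitlines():
        match = TIMER_RE.match(line)
        if match:
            timers[match.group(1)] = int(match.group(2))
            continue
        match = FACTOR_RE.match(line)
        if match:
            factor = int(match.group(1))
    return timers, factor


def check_stp_timers(timers, factor):
    """Apply both formulas and compute the BPDU timeout interval."""
    fd = timers["forward-delay"]
    hello = timers["hello"]
    max_age = timers["max-age"]
    problems = []
    # 2 x (Forward Delay - 1.0 second) >= Max Age; 1.0 second = 100 centiseconds.
    if 2 * (fd - 100) < max_age:
        problems.append(
            "2 x (Forward Delay - 1.0 s) = %g s is less than Max Age = %g s"
            % (2 * (fd - 100) / 100, max_age / 100)
        )
    # Max Age >= 2 x (Hello Time + 1.0 second).
    if max_age < 2 * (hello + 100):
        problems.append(
            "Max Age = %g s is less than 2 x (Hello Time + 1.0 s) = %g s"
            % (max_age / 100, 2 * (hello + 100) / 100)
        )
    # Timeout interval = Hello time x 3 x Timer Factor.
    timeout_seconds = hello * 3 * factor / 100
    return {"ok": not problems, "problems": problems,
            "timeout_seconds": timeout_seconds}


if __name__ == "__main__":
    parsed_timers, parsed_factor = parse_stp_timers(SAMPLE_CONFIG)
    result = check_stp_timers(parsed_timers, parsed_factor)
    print("timers (cs):", parsed_timers, "timer factor:", parsed_factor)
    print("BPDU timeout interval: %g s" % result["timeout_seconds"])
    for problem in result["problems"]:
        print("VIOLATION:", problem)
```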
Context
The path costs affect spanning tree calculation. Changes of path costs trigger spanning tree
recalculation. The path cost of an interface is affected by its bandwidth, so you can change the
interface bandwidth to affect spanning tree calculation.
As shown in Figure 14-17, deviceA and deviceB are connected through two Eth-Trunk links.
Eth-Trunk 1 has three member interfaces in Up state and Eth-Trunk 2 has two member
interfaces in Up state. Each member link has the same bandwidth, and deviceA is selected as
the root bridge.
l Eth-Trunk 1 has higher bandwidth than Eth-Trunk 2. After STP calculation, Eth-Trunk 1
on deviceB is selected as the root port and Eth-Trunk 2 is selected as the alternate port.
l If the maximum number of connections affecting bandwidth of Eth-Trunk 1 is set to 1,
the path cost of Eth-Trunk 1 is larger than the path cost of Eth-Trunk 2. Therefore, the
two devices perform spanning tree recalculation. Then Eth-Trunk 1 on deviceB becomes
the alternate port and Eth-Trunk 2 becomes the root port.
[Figure: SwitchA and SwitchB connected through Eth-Trunk1 and Eth-Trunk2, after configuration. Legend: root bridge, alternate port, root port, designated port.]
The maximum number of connections affects only the path cost of an Eth-Trunk interface
participating in spanning tree calculation, and does not affect the actual bandwidth of the Eth-
Trunk link. The actual bandwidth for an Eth-Trunk link depends on the number of active
member interfaces in the Eth-Trunk.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run max bandwidth-affected-linknumber link-number
The maximum number of connections affecting the Eth-Trunk bandwidth is set.
By default, the maximum number of connections affecting the bandwidth of an Eth-Trunk is
8.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of an Ethernet interface participating in STP calculation is displayed.
Step 3 Run stp transmit-limit packet-number
The maximum transmission rate of BPDUs (BPDUs per second) is set for the interface.
By default, an interface sends a maximum of six BPDUs per second. If the same maximum
transmission rate of BPDUs needs to be set for each interface on a device, run the stp
transmit-limit (system view) command.
----End
You need to manually switch the interface to the RSTP mode in the following situations:
l The STP-enabled device is shut down or disconnected.
l The STP-enabled device is switched to the RSTP mode.
Procedure
l Switching to the RSTP mode in the interface view
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The view of an interface participating in spanning tree calculation is displayed.
c. Run stp mcheck
The interface is switched to the RSTP mode.
l Switching to the RSTP mode in the system view
a. Run system-view
The system view is displayed.
b. Run stp mcheck
The device is switched to the RSTP mode.
----End
NOTE
After all ports are configured as edge ports and BPDU filter ports in the system view, none of the
ports on the local device sends BPDUs or negotiates STP states with directly connected ports on the
peer device. All ports are in the Forwarding state. This may cause loops on the network, leading to
broadcast storms. Exercise caution when deciding to perform this configuration.
After a specified port is configured as an edge port and BPDU filter port in the interface view, the port
does not process or send BPDUs and cannot negotiate the STP state with the directly connected port on
the peer device. Exercise caution when deciding to perform this configuration.
Procedure
l Configuring all ports as edge ports and BPDU filter ports
a. Run system-view
The system view is displayed.
b. Run stp edged-port default
----End
Procedure
l Run the display stp [ interface interface-type interface-number | slot slot-id ] [ brief ]
command to view the spanning tree status and statistics.
----End
Procedure
Step 1 Run system-view
----End
Follow-up Procedure
If you want an edge port to automatically recover from the error-down state, run the error-
down auto-recovery cause bpdu-protection interval interval-value command in the system
view to configure the auto recovery function and set a recovery delay on the port. Then a port
in error-down state can automatically go Up after the delay expires. Note the following when
setting the recovery delay:
l By default, the auto recovery function is disabled; therefore, the recovery delay
parameter does not have a default value. When you enable the auto recovery function,
you must set a recovery delay.
l A smaller value of interval-value indicates a shorter time taken for an edge port to go
Up, and a higher frequency of Up/Down state transitions on the port.
l A larger value of interval-value indicates a longer time taken for the edge port to go Up,
and a longer service interruption time.
l The auto recovery function takes effect only for the interfaces that transition to the error-
down state after the error-down auto-recovery command is executed.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp tc-protection interval interval-value
The time period during which the device processes the maximum number of TC BPDUs is
set.
By default, the time period is the Hello time.
Step 3 Run stp tc-protection threshold threshold
The maximum number of times the switching device processes TC BPDUs and updates
forwarding entries within the specified time period is set.
By default, the device processes only one TC BPDU within a specified time period.
The switch processes only the number of TC BPDUs configured by the stp tc-protection
threshold command within the time period configured by the stp tc-protection interval command.
Other packets are processed after a delay, so spanning tree convergence speed may slow
down. For example, if the time period is set to 10 seconds and the maximum number of TC BPDUs
is set to 5, the switch processes only the first five TC BPDUs within 10 seconds. Subsequent TC
BPDUs are processed together 10 seconds later.
----End
----End
Procedure
Step 1 Run system-view
The system view is displayed.
NOTE
An alternate port is a backup for a root port. If a switching device has an alternate port, configure loop
protection on both the root port and the alternate port.
Root protection and loop protection cannot be configured on the same port.
----End
Procedure
l Run the display stp [ interface interface-type interface-number | slot slot-id ] [ brief ]
command to view the spanning tree status and statistics.
----End
Context
A switching device supports the following Proposal/Agreement modes:
l Enhanced mode: The device determines the root port when it calculates the
synchronization flag bit.
a. An upstream device sends a Proposal message to a downstream device to request
fast state transition. After receiving the message, the downstream device sets the
port connected to the upstream device as the root port and blocks all non-edge ports.
b. The upstream device sends an Agreement message to the downstream device. After
the downstream device receives the message, the root port transitions to the
Forwarding state.
c. The downstream device responds with an Agreement message. After receiving the
message, the upstream device sets the port connected to the downstream device as
the designated port, and then the designated port transitions to the Forwarding state.
l Common mode: The device ignores the root port when it calculates the synchronization
flag bit.
a. An upstream device sends a Proposal message to a downstream device to request
fast state transition. After receiving the message, the downstream device sets the
port connected to the upstream device as the root port and blocks all non-edge ports.
Then, the root port transitions to the Forwarding state.
b. The downstream device responds with an Agreement message. After receiving the
message, the upstream device sets the port connected to the downstream device as
the designated port, and then the designated port transitions to the Forwarding state.
On an STP network, if a Huawei switching device is connected to a non-Huawei device that
uses a different Proposal/Agreement mechanism, the two devices may fail to interoperate with
each other. Select the enhanced mode or common mode based on the Proposal/Agreement
mechanism of the non-Huawei device.
Pre-configuration Tasks
Before setting parameters for interoperation between Huawei and non-Huawei devices,
configure basic STP/RSTP functions.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of an interface participating in spanning tree calculation is displayed.
Step 3 Run stp no-agreement-check
The common fast transition mode is specified.
By default, the enhanced fast transition mode is used on a port.
----End
STP/RSTP statistics cannot be restored after being cleared. Exercise caution when deciding to
clear STP/RSTP statistics.
Procedure
l Run the reset stp [ interface interface-type interface-number ] statistics command to
clear spanning-tree statistics.
l Run the reset stp error packet statistics command to clear statistics about error STP
packets.
----End
Context
The statistics about STP/RSTP topology changes can be viewed. An increase in these statistics
indicates that network flapping is occurring.
Procedure
l Run the display stp topology-change command to view statistics about STP/RSTP
topology changes.
l Run the display stp [ interface interface-type interface-number | slot slot-id ] tc-bpdu
statistics command to view statistics about sent and received TC/TCN packets.
l Run the display stp [ interface interface-type interface-number | slot slot-id ] [ brief ]
command to view the spanning tree status and statistics.
----End
[Figure: STP networking diagram showing the network, the root bridge, SwitchB, SwitchC, SwitchD, PC1, and PC2, interfaces GE0/0/1 through GE0/0/3, and the blocked port.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the STP mode for the switches on the ring network.
2. Configure the primary and secondary root bridges.
3. Set a path cost for the ports to be blocked.
4. Enable STP to eliminate loops. Because ports connected to the PCs do not participate in
STP calculation, configure these ports as both edge ports.
Procedure
Step 1 Configure basic STP functions.
1. Configure the STP mode for the switches on the ring network.
# Configure the STP mode on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp mode stp
# Configure the STP mode on SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] stp mode stp
# On Switch B, set the path cost calculation method to the Huawei proprietary method.
[SwitchB] stp pathcost-standard legacy
# On SwitchD, set the path cost calculation method to the Huawei proprietary method.
[SwitchD] stp pathcost-standard legacy
NOTE
If edge ports are connected to network devices that have STP enabled and BPDU protection
is enabled, the edge ports will be shut down and their attributes remain unchanged after they
receive BPDUs.
– Enable STP globally.
# Enable STP globally on SwitchA.
[SwitchA] stp enable
After SwitchA is configured as the root bridge, GigabitEthernet 0/0/2 connected to SwitchB
and GigabitEthernet 0/0/1 connected to SwitchD are elected as designated ports through
spanning tree calculation.
# Run the display stp interface gigabitethernet 0/0/1 brief command on SwitchB to view
status of GigabitEthernet 0/0/1. The following information is displayed:
[SwitchB] display stp interface gigabitethernet 0/0/1 brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 DESI FORWARDING NONE
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
stp mode stp
stp instance 0 root primary
stp pathcost-standard legacy
#
return
[Figure: RSTP networking diagram showing the network, the root bridge, SwitchB, SwitchC, SwitchD, PC1, and PC2, interfaces GE0/0/1 through GE0/0/3, and the blocked port.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic RSTP functions.
a. Configure the RSTP mode for the switches on the ring network.
b. Configure the primary and secondary root bridges.
c. Set a path cost for the ports to be blocked.
d. Enable RSTP to eliminate loops. Because ports connected to the PCs do not
participate in RSTP calculation, configure these ports as both edge ports.
2. Configure RSTP protection functions. For example, configure root protection on
designated ports of the root bridge.
Procedure
Step 1 Configure basic RSTP functions.
1. Configure the RSTP mode for the switches on the ring network.
# Configure the RSTP mode on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp mode rstp
# Configure the RSTP mode on SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] stp mode rstp
# On SwitchB, set the path cost calculation method to the Huawei proprietary method.
[SwitchB] stp pathcost-standard legacy
# On SwitchD, set the path cost calculation method to the Huawei proprietary method.
[SwitchD] stp pathcost-standard legacy
NOTE
If edge ports are connected to network devices that have STP enabled and BPDU protection
is enabled, the edge ports will be shut down and their attributes remain unchanged after they
receive BPDUs.
Step 2 Configure RSTP protection functions. For example, configure root protection on designated
ports of the root bridge.
After the preceding configuration is complete and the network becomes stable, perform the
following operations to verify the configuration:
# Run the display stp brief command on SwitchA to view the port roles and states. The
following information is displayed:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 DESI FORWARDING ROOT
0 GigabitEthernet0/0/2 DESI FORWARDING ROOT
# Run the display stp interface gigabitethernet 0/0/1 brief command on SwitchB to view
the role and state of GigabitEthernet0/0/1. The following information is displayed:
[SwitchB] display stp interface gigabitethernet 0/0/1 brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 DESI FORWARDING NONE
# Run the display stp brief command on SwitchC to view the port roles and states. The
following information is displayed:
[SwitchC] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 ALTE DISCARDING NONE
0 GigabitEthernet0/0/2 DESI FORWARDING BPDU
0 GigabitEthernet0/0/3 ROOT FORWARDING NONE
----End
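The display stp brief output above can be checked mechanically for the protections this example configures. The following Python code is an added example, not part of the Huawei guide: it parses the Protection column and reports root-bridge designated ports without root protection and terminal-facing ports without BPDU protection or in an unexpected role. The list of terminal-facing ports is supplied by the caller (an assumption, since the brief output does not mark edge ports), and the last two samples are constructed.

```python
import re

# One data row: MSTID, port name, role, STP state, protection.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

# Output shown in this section for SwitchA (root bridge) and SwitchC.
SWITCHA_OUTPUT = """\
[SwitchA] display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        DESI  FORWARDING      ROOT
   0    GigabitEthernet0/0/2        DESI  FORWARDING      ROOT
"""
SWITCHC_OUTPUT = """\
[SwitchC] display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        ALTE  DISCARDING      NONE
   0    GigabitEthernet0/0/2        DESI  FORWARDING      BPDU
   0    GigabitEthernet0/0/3        ROOT  FORWARDING      NONE
"""
# Constructed samples: root protection missing on one port of a root bridge,
# and a PC-facing port that has lost its designated role.
ROOT_UNPROTECTED_OUTPUT = """\
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        DESI  FORWARDING      ROOT
   0    GigabitEthernet0/0/2        DESI  FORWARDING      NONE
"""
TERMINAL_PORT_OUTPUT = """\
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/2        ROOT  FORWARDING      NONE
   0    GigabitEthernet0/0/3        ALTE  DISCARDING      NONE
"""


def parse_stp_brief(output):
    """Return one dict per data row; prompt and header lines are skipped."""
    rows = []
    for line in output.splitlines():
        match = ROW_RE.match(line)
        if match:
            mstid, port, role, state, protection = match.groups()
            rows.append({"mstid": int(mstid), "port": port, "role": role,
                         "state": state, "protection": protection})
    return rows


def audit_stp_brief(output, is_root_bridge=False, terminal_ports=()):
    """Return (port, finding) tuples for missing protections."""
    terminal_ports = set(terminal_ports)
    findings = []
    for row in parse_stp_brief(output):
        port = row["port"]
        if port in terminal_ports:
            # Ports that connect PCs should show BPDU protection and stay
            # designated; any other role means BPDUs from another bridge
            # are arriving on a port where none are expected.
            if row["protection"] != "BPDU":
                findings.append((port, "no-bpdu-protection"))
            if row["role"] != "DESI":
                findings.append((port, "unexpected-role"))
        elif (is_root_bridge and row["role"] == "DESI"
              and row["protection"] != "ROOT"):
            # Root protection is configured on designated ports of the root bridge.
            findings.append((port, "no-root-protection"))
    return findings


if __name__ == "__main__":
    print(audit_stp_brief(SWITCHA_OUTPUT, is_root_bridge=True))
    print(audit_stp_brief(SWITCHC_OUTPUT,
                          terminal_ports=["GigabitEthernet0/0/2"]))
    print(audit_stp_brief(ROOT_UNPROTECTED_OUTPUT, is_root_bridge=True))
    print(audit_stp_brief(TERMINAL_PORT_OUTPUT,
                          terminal_ports=["GigabitEthernet0/0/2"]))
```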
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
stp mode rstp
stp instance 0 root primary
stp pathcost-standard legacy
#
interface GigabitEthernet0/0/1
stp root-protection
#
interface GigabitEthernet0/0/2
stp root-protection
#
return
14.14.1 How to Prevent Slow Convergence for STP Edge Ports that Connect Terminals?
Terminal devices cannot participate in STP calculation or respond to STP packets, which causes
slow convergence. You can prevent slow convergence on STP edge switch ports that connect
user terminals or servers as follows:
l On a port, run the stp edge-port enable command to configure the port as an STP edge
port, and run the stp bpdu-filter enable command to enable the BPDU packet filtering
function and prevent the port from sending BPDU packets.
l Run the stp disable command on the port to disable the STP protocol and make the port
remain in forwarding state.
To ensure availability and security, you are advised to configure the port as an STP edge port.
This is because when a loop occurs on a terminal device connected to an edge port, the port
automatically switches to a non-edge port and enables the loop breaking function of STP.
An STP device connects to an RSTP device: RSTP connects to the STP port, and the mode
automatically changes to STP to implement slow convergence.
An RSTP device connects to an MSTP device: The CIST can be connected. That is, instance 0 can
be connected. The connection ports are inter-AS ports.
An MSTP device connects to an STP device: MSTP connects to the STP port, and the mode
automatically changes to STP to implement slow convergence.
NOTE
When a port whose mode switches reconnects to another device, the original mode must be restored by
running the stp mcheck command.
According to the RSTP protocol, packets are aged after three intervals (6 seconds) by default.
If a hop takes 1 second, a packet times out after 6 hops. Therefore, the recommended value of
STP network radius cannot be greater than 7.
There are also some other considerations such as bandwidth usage, storm range, and the
maintainability and manageability of the network.
The switch STP calculation, convergence, and damage are implemented using BPDUs. The
BPDU processing capacity must be enabled for the port. Otherwise, the switch discards the
BPDUs by default, making the STP convergence fail.
NOTE
Globally run the bpdu enable command for the S2700 switch. Run the bpdu enable command on the
port for other devices.
User-side devices such as servers do not need to run STP. If STP is enabled on switch ports
connected to these devices, the ports will alternate between Up and Down or cannot enter the
Forwarding state immediately after a topology change on the STP network, which is
unacceptable for some services. To prevent the preceding problem, configure the ports that do
not need to run STP as edge ports. Edge ports can enter the Forwarding state immediately
after they go Up. In addition, edge ports do not send TC BPDUs and therefore do not affect
services on the STP network.
There are two STP BPDU formats: standard IEEE 802.1s format and proprietary format. The
switch supports both formats and works in auto mode by default. You can run the stp
compliance command on an STP interface to change the packet format. In auto mode, an
STP interface can parse BPDUs in any format received from the peer interface.
When a Huawei switch is connected to another vendor's device, the two devices may fail to
communicate because of different keys in BPDUs even though they have the same domain
name, revision level, and VLAN mapping table. To solve this problem, run the stp config-
digest-snoop command to enable digest snooping. This function enables the Huawei switch
to keep its BPDU key consistent with that used on the peer device.
15 MSTP Configuration
This chapter describes how to configure the Multiple Spanning Tree Protocol (MSTP).
Definition
The Multiple Spanning Tree Protocol (MSTP) enables multiple VLAN instances to be
mapped to the same spanning tree without creating loops. MSTP is a Layer 2 protocol that
was first defined in IEEE 802.1s.
Purpose
MSTP generates multiple spanning trees that are used independently of each other to forward
traffic in different VLANs, which allows load balancing to be implemented without the risk of
broadcast storms.
STP/RSTP Defect
Both STP and RSTP (which is an evolution of STP and allows for fast network topology
convergence) suffer from a significant limitation: neither can implement VLAN-based load
balancing because all VLANs on a LAN use one spanning tree. When a link is blocked, it no
longer transmits traffic, which wastes bandwidth and prevents certain VLAN packets from
being forwarded.
Figure 15-1 provides an example scenario where STP or RSTP is enabled on a LAN. In
Figure 15-1, the broken line shows the spanning tree.
[Figure 15-1: LAN with switches S1 to S6, HostA (VLAN 2) and HostC (VLAN 3), and links labelled VLAN 2 and VLAN 3. Legend: spanning tree (root bridge: S6).]
In Figure 15-1, S6 is the root switch. The links between S2 and S5 and between S1 and S4
are blocked. VLAN packets are transmitted through "VLAN 2" or "VLAN 3" links.
Because the link between S2 and S5 is blocked and the link between S3 and S6 denies packets
from VLAN 2, HostA and HostB cannot communicate with each other despite both belonging
to VLAN 2.
MSTP Improvements
To address the limitation of STP and RSTP, MSTP allows fast convergence and provides
multiple paths to load balance VLAN traffic.
MSTP divides a switching network into multiple regions, each of which has multiple
spanning trees that are independent of each other. Each spanning tree is called a Multiple
Spanning Tree Instance (MSTI) and each region is called a Multiple Spanning Tree (MST)
region. Figure 15-2 shows an example of an MST region.
NOTE
An MSTI is a collection of VLANs. Binding multiple VLANs to a single MSTI reduces communication
costs and resource usage. The topology of each MSTI is calculated independently, and traffic can be
balanced among MSTIs. Multiple VLANs with the same topology can be mapped to a single MSTI. The
forwarding state of the VLANs for a port is determined by the port state in the MSTI.
[Figure 15-2: LAN with switches S1 to S6, HostA (VLAN 2) and HostC (VLAN 3), and links labelled VLAN 2 and VLAN 3. Legend: spanning tree (root bridge: S4), spanning tree (root bridge: S6).]
In Figure 15-2, MSTP maps VLANs to MSTIs in the VLAN mapping table. Each VLAN can
be mapped to only one MSTI. This means that traffic of a VLAN can be transmitted in only
one MSTI. An MSTI, however, can correspond to multiple VLANs.
In this situation, devices within the same VLAN can communicate with each other. Packets of
different VLANs are load balanced along different paths.
MSTP Network
[Figure: MSTP network. Surviving labels: S1, CST, IST.]
MST Region
An MST region contains multiple network segments, each of which contains one or more
switches. The switches in one MST region all share the following characteristics:
l MSTP-enabled
l Same region name
l Same VLAN-MSTI mappings
l Same MSTP revision level
Multiple switches can be grouped into an MST region by using MSTP configuration
commands.
In Figure 15-4, MST region 4 contains SwitchA, SwitchB, SwitchC, and SwitchD, and has
three MSTIs.
Figure 15-4 MST region with four switches and three MSTIs
[Figure content: switches A, B, C, and D in MST Region 4, with the topologies of MSTI 1, MSTI 2, and MSTI 3 and the root bridge of each MSTI. Mappings: VLAN 1 -> MSTI 1, VLAN 2 -> MSTI 2, other VLANs -> MSTI 3.]
CST
A Common Spanning Tree (CST) connects all MST regions on a switching network.
The CST is calculated using STP or RSTP, with each MST region being considered as a
single node.
In Figure 15-3, the regions that are connected through blue lines form a CST.
IST
An Internal Spanning Tree (IST) resides within an MST region.
In Figure 15-3, the switches that are connected through dark blue lines in an MST region
form an IST.
SST
A Single Spanning Tree (SST) is formed in either of the following situations:
l A switch running STP or RSTP belongs to only one spanning tree.
l An MST region has only one switch.
CIST
A Common and Internal Spanning Tree (CIST) connects all the switches on a switching
network and is calculated using STP or RSTP.
Regional Root
Regional roots are classified into Internal Spanning Tree (IST) and MSTI regional roots.
In Figure 15-3, the switches that are closest to the CIST root are IST regional roots.
An MST region can contain multiple spanning trees, each of which is called an MSTI. An
MSTI regional root is the root of the MSTI. In Figure 15-4, each MSTI has its own regional
root.
CIST Root
In Figure 15-3, the CIST root is the root bridge of the CIST. The CIST root is a device in S1.
Master Bridge
The master bridge is the switch closest to the CIST root in a region, for example, S1 in Figure
15-3.
If the CIST root is in an MST region, the CIST root is the master bridge of the region.
Port Roles
MSTP adds two extra port roles to those defined in RSTP. Table 15-1 describes the port roles
included in MSTP.
NOTE
Root port: A root port sends data to a root bridge and is the port closest to the root bridge.
Root bridges do not have root ports.
Root ports are responsible for sending data to root bridges.
In Figure 15-5, S1 is the root; CP1 is the root port on S3; BP1 is the root port on S2.

Alternate port:
l Alternate ports provide an alternate path to the root bridge. This path is different from the
path through the root port.
l An alternate port is blocked from sending BPDUs after a BPDU sent by another bridge is
received.
In Figure 15-5, BP2 is an alternate port.

Master port: A master port is on the shortest path connecting MST regions to the CIST root.
BPDUs of an MST region are sent to the CIST root through the master port.
Master ports are special regional edge ports, functioning as root ports on ISTs or CISTs and
master ports in instances.
In Figure 15-6, S1, S2, S3, and S4 form an MST region. AP1 on S1 is the master port because it
is the closest port in the region to the CIST root.

Regional edge port: A regional edge port is located at the edge of an MST region and connects to
another MST region or an SST.
In Figure 15-6, AP1, DP1, and DP2 in an MST region are directly connected to other regions.
This means that they are all regional edge ports of the MST region.

Edge port: An edge port is located at the edge of an MST region and does not connect to any
switching device.
Generally, edge ports are directly connected to terminals.
After MSTP is enabled on a port, edge port detection is started automatically. If the port fails
to receive BPDU packets within (2 x Hello Timer + 1) seconds, the port is set to an edge port.
Otherwise, the port is set to a non-edge port.
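[Figures: port role topology diagrams. Device labels: S1, S2, S3, S4; port labels: AP1, AP2,
AP3, BP1, CP1; other labels: Root, Master; legend: root port, designated port, alternate port,
backup port, blocked port.]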
Forwarding: A port in this state can send and receive BPDUs. It can also forward user traffic.
Learning: A port in this state learns MAC addresses from user traffic to construct a MAC
address table. In Learning state, the port can send and receive BPDUs, but cannot forward
user traffic.
NOTE
Root, master, designated, and regional edge ports support all three port states. Alternate and backup ports
support only the Discarding state.
NOTE
The first 36 bytes of an MST BPDU are the same as those of an RST BPDU.
Fields from the 37th byte of an MST BPDU are MSTP-specific. The MSTI Configuration Messages field
consists of configuration messages of multiple MSTIs.
CIST External Path Cost (4 bytes): Indicates the total path cost from the MST region where the
switch resides to the MST region where the CIST root switch resides. This value is calculated
based on link bandwidth.
Hello Time (2 bytes): Indicates the Hello timer value. The default value is 2 seconds.
Forward Delay (2 bytes): Indicates the forwarding delay timer. The default value is 15 seconds.
CIST Internal Root Path Cost (4 bytes): Indicates the total path costs from the local port to
the IST master. This value is calculated based on link bandwidth.
Remote devices must transmit and receive the same MST BPDU format. If MST BPDU
formats are different, loops may occur.
To configure ports on a Huawei switch to automatically adopt the BPDU format of the remote
device, use the stp compliance command. The following modes can be set on Huawei
switches:
l auto
l dot1s
l legacy
In auto mode, a port uses the dot1s BPDU format by default, but switches to the legacy format
if legacy BPDUs are received from the remote end.
The number of BPDUs sent during a Hello interval increases as the Hello Time value is
increased. Setting the Hello Time to a smaller value limits the number of BPDUs sent by a
port during a Hello interval, which helps prevent network topology flapping and excessive use
of bandwidth resources by BPDUs.
Vectors
Both MSTIs and the CIST are calculated based on vectors, carried in MST BPDUs.
There are seven types of vectors used to calculate MSTIs and the CIST. Each vector carries a
priority value. For each vector, smaller priority values indicate higher priorities.
If the priority of a vector carried in the configuration message of a BPDU received by a port is
higher than the priority of the vector in the configuration message saved on the port, the port
replaces the saved configuration message with the received message and updates the global
configuration message saved on the device.
If the priority of a vector carried in the configuration message of a BPDU received on a port is
equal to or lower than that saved on the port, the port discards the BPDU. Table 15-5
describes each vector.
Root ID: Identifies the root switch for the CIST. The root identifier consists of the priority
value (16 bits) and MAC address (48 bits). The priority value is the priority of MSTI 0.
External root path cost (ERPC): Indicates the path cost from a CIST regional root to the root.
ERPCs are the same on all switches in an MST region. If the CIST root is in an MST region, all
ERPCs in that MST region are set to 0.
Regional root ID: Identifies the MSTI regional root and consists of the priority value
(16 bits) and MAC address (48 bits). The priority value is the priority of MSTI 0.
Internal root path cost (IRPC): Indicates the path cost from the local bridge to the regional
root. The IRPC saved on a regional edge port must be greater than the IRPC saved on a
non-regional edge port.
Designated switching device ID: Identifies the nearest upstream bridge on the path from the
local bridge to the regional root. If the local bridge is the root or the regional root, this
ID is the same as the local bridge ID.
Designated port ID: Identifies the port on the designated switch connected to the root port on
the local bridge. The designated port ID consists of the priority value (4 bits) and port
number (12 bits). The priority value must be a multiple of 16.
Receiving port ID: Identifies the port receiving the BPDU. The receiving port ID consists of
the priority value (4 bits) and port number (12 bits). The priority value must be a multiple
of 16.
l Root ID
l External root path cost
l Regional root ID
l Internal root path cost
l Designated switch ID
l Designated port ID
l Receiving port ID
The following vectors are used in MSTI calculation:
l Regional root ID
l Internal root path cost
l Designated switch ID
l Designated port ID
l Receiving port ID
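The vector comparison described above, as an added Python example (not Huawei code). It assumes the vectors are compared in the order listed, with the first differing vector deciding, and applies the replace-or-discard rule stated above; the class and function names, MAC addresses and port numbers are constructed for illustration.

```python
"""Added illustration of MSTP priority-vector comparison (not Huawei code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Comparison order: the order in which the vectors are listed above.
CIST_FIELDS = ("root_id", "erpc", "regional_root_id", "irpc",
               "designated_bridge_id", "designated_port_id", "receiving_port_id")
MSTI_FIELDS = CIST_FIELDS[2:]  # MSTI calculation omits root ID and ERPC


def bridge_id(priority: int, mac: str) -> int:
    """Pack a 16-bit priority and a 48-bit MAC into one comparable integer."""
    mac_int = int(mac.replace("-", "").replace(":", ""), 16)
    if not 0 <= priority <= 0xFFFF or mac_int >> 48:
        raise ValueError("priority is 16 bits, MAC address is 48 bits")
    return (priority << 48) | mac_int


def port_id(priority: int, number: int) -> int:
    """Pack a port priority (multiple of 16, 0-240) and a 12-bit port number."""
    if priority % 16 or not 0 <= priority <= 240 or not 0 < number < 4096:
        raise ValueError("bad port priority or port number")
    return ((priority // 16) << 12) | number


@dataclass(frozen=True)
class PriorityVector:
    root_id: int
    erpc: int
    regional_root_id: int
    irpc: int
    designated_bridge_id: int
    designated_port_id: int
    receiving_port_id: int

    def key(self, fields: Tuple[str, ...]) -> Tuple[int, ...]:
        return tuple(getattr(self, name) for name in fields)


def is_superior(received, saved, fields=CIST_FIELDS) -> bool:
    """Smaller value = higher priority; the first differing vector decides."""
    return received.key(fields) < saved.key(fields)


def deciding_field(a, b, fields=CIST_FIELDS) -> Optional[str]:
    """Name of the first vector on which a and b differ, or None if equal."""
    for name in fields:
        if getattr(a, name) != getattr(b, name):
            return name
    return None


class Port:
    """Holds the configuration message (priority vector) saved on one port."""

    def __init__(self, saved: PriorityVector, fields=CIST_FIELDS):
        self.saved, self.fields = saved, fields

    def receive(self, received: PriorityVector) -> str:
        if is_superior(received, self.saved, self.fields):
            self.saved = received      # higher priority: replace saved message
            return "replaced"
        return "discarded"             # equal or lower priority: drop the BPDU


def demo() -> List[Tuple[str, str, Optional[str]]]:
    # Constructed sample values; MAC addresses and port numbers are made up.
    s1 = bridge_id(0, "00e0-fc00-0001")        # priority 0 (root primary)
    s2 = bridge_id(32768, "00e0-fc00-0002")    # default priority
    s3 = bridge_id(4096, "00e0-fc00-0003")     # priority 4096 (root secondary)
    rx = port_id(128, 1)
    port = Port(PriorityVector(s2, 0, s2, 0, s2, rx, rx))  # S2 claims root itself
    from_s1 = PriorityVector(s1, 0, s1, 0, s1, port_id(128, 2), rx)
    from_s3 = PriorityVector(s3, 0, s3, 0, s3, port_id(128, 2), rx)
    log = []
    for sender, vec in (("S1", from_s1), ("S3", from_s3), ("S1", from_s1)):
        why = deciding_field(vec, port.saved, port.fields)
        log.append((sender, port.receive(vec), why))
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Passing MSTI_FIELDS instead of CIST_FIELDS restricts the comparison to the five vectors used in MSTI calculation, so two messages that differ only in root ID or ERPC compare as equal there.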
CIST Calculation
After comparing the vectors, the switch with the highest priority on the entire network is
selected as the CIST root. MSTP calculates an IST for each MST region, and calculates a
CST to interconnect MST regions. The CST and ISTs form a CIST for the entire network.
MSTI Calculation
In an MST region, MSTP independently calculates an MSTI for each VLAN based on
mappings between VLANs and MSTIs. The calculation process is similar to that used by STP
to calculate a spanning tree. For details, see 14.2.4 STP Topology Calculation.
MSTIs have the following characteristics:
l The spanning tree is calculated independently for each MSTI. Spanning trees of MSTIs
are independent of each other.
l Spanning trees of MSTIs can have different roots and topologies.
l Each MSTI sends BPDUs in its spanning tree.
l The topology of each MSTI is configured by using commands.
l A port can be configured with different parameters for different MSTIs.
l A port can play different roles or have different status in different MSTIs.
On an MSTP-aware network, a VLAN packet is forwarded along the following paths:
l MSTI in an MST region
l CST among MST regions
[Figure: proposal/agreement exchange between two devices. Labels: "Send a proposal so that the
port can rapidly enter the Forwarding state"; "Configure the root port and block non-edge
ports"; "Send an agreement"; "The root port enters the Forwarding state"; "The designated port
enters the Forwarding state". Legend: root port, designated port.]
c. The downstream device replies with an agreement BPDU. After receiving this
BPDU, the upstream device sets its port connected to the downstream device as the
designated port, and the port enters the Forwarding state.
By default, Huawei switches use fast transition in enhanced P/A. To enable a Huawei switch
to communicate with a third-party device that uses fast transition in common P/A, configure
the Huawei switch to use ordinary P/A.
[Figure: network diagram. Layers: Core (MPLS/IP Core), Aggregation, Access; devices: UPE1,
UPE2, UPE3, UPE4, S1, S2, S3, S4; protocols: MSTP, STP/RSTP.]
Purpose
MSTP multi-process provides the following benefits:
l Greatly improves the applicability of STP to different networking conditions.
On a network running different spanning tree protocols, devices that run different
spanning tree protocols can be bound to different processes, allowing every process to
calculate a separate, independent spanning tree.
l Improves networking reliability.
Network topology is calculated for each process so that, if a device fails, only the
topology corresponding to the process that the device belongs to is affected. On a
network with many Layer 2 access devices, MSTP multi-process reduces the adverse
effect of a single node failure on the entire network.
l Reduces the network administrator workload during network expansion.
To expand a network, a network administrator must configure new processes, connect
the processes to the existing network, and keep the existing MSTP processes unchanged.
If device expansion is performed in a process, only this process needs to be modified.
Additional Concepts
l Public link status
In Figure 15-9, the public link between UPE1 and UPE2 is a Layer 2 link running
MSTP. This public link is different from the links that connect switching devices to
UPEs. The ports on the public link need to participate in the calculation for multiple
access rings and MSTP processes. Therefore, the UPEs must identify the process from
which MST BPDUs are sent.
In addition, a port on the public link participates in the calculation for multiple MSTP
processes, and obtains different status. As a result, the port cannot determine its status.
To prevent this situation, the port always adopts its status in MSTP process 0 when
participating in the calculation for multiple MSTP processes.
NOTE
By default, MSTP process 0 is created when a device starts, and MSTP configurations in the
system view and interface view belong to this process.
l Reliability
On the network shown in Figure 15-10, after the topology of a ring changes, the MSTP
multi-process mechanism helps UPEs flood a TC BPDU to all devices on the ring and
prevent the TC BPDU from being flooded to devices on the other ring. UPE1 and UPE2
update MAC and ARP entries on the ports corresponding to the changed spanning tree.
[Figure: network diagram. Layers: Core (MPLS/IP Core), Aggregation, Access; devices: UPE1,
UPE2, UPE3, UPE4, S1, S2, S3, S4; protocols: MSTP, STP/RSTP; annotation: Topology change.]
On the network shown in Figure 15-11, if the public link between UPE1 and UPE2 fails,
multiple switching devices that are connected to the UPEs will unblock their blocked
ports.
[Figure: network diagram. Layers: Core (MPLS/IP Core), Aggregation, Access; devices: UPE1,
UPE2, UPE3, UPE4, S1, S2, S3, S4; protocols: MSTP, STP/RSTP.]
UPE1 is configured with the highest priority, UPE2 with the second highest priority, and
all other switches with default or lower priorities. After the link between UPE1 and
UPE2 fails, the blocked ports (replacing the root ports) on switching devices no longer
receive packets with higher priorities, triggering state machine calculation. If the
calculation changes the blocked ports to designated ports, a permanent loop forms, as
shown in Figure 15-12.
[Figure: network diagram. Layers: Core (MPLS/IP Core), Aggregation, Access; devices: UPE1,
UPE2, UPE3, UPE4, S1, S2, S3, S4; protocols: MSTP, STP/RSTP.]
[Figure: the same network diagram with the additional label Eth-Trunk.]
[Figure: the same network diagram with the additional label Root protection.]
The blue ring in Figure 15-14 is used as an example. UPE1 is configured with the
highest priority, UPE2 with the second highest priority, and switching devices on
the blue ring with default or lower priorities. Root protection is enabled on UPE2.
If a port on S1 is blocked, when the public link between UPE1 and UPE2 fails, the
blocked port on S1 starts to perform state machine calculation. After calculation,
the blocked port becomes the designated port and performs P/A negotiation with the
downstream device.
After S1 sends BPDUs of higher priorities to the UPE2 port enabled with root
protection, the port is blocked. The port remains blocked because it continues to
receive BPDUs of higher priorities, which prevents loops from occurring.
[Figure: MST region containing S1, S2, S3, and S4. Link labels: all VLAN, VLAN 10&20,
VLAN 20&30, VLAN 20&40.]
MSTP allows packets in different VLANs to be forwarded by using different spanning tree
instances. An example of a network using MSTP is shown in Figure 15-15. The network is
configured in the following ways:
In Figure 15-15, S1 and S2 are devices at the aggregation layer, and S3 and S4 are devices at
the access layer. Traffic from VLAN 10 and VLAN 30 is terminated by aggregation devices,
and traffic from VLAN 40 is terminated by the access device. Therefore, S1 and S2 can be
configured as the roots of MSTI 1 and MSTI 3, and S3 can be configured as the root of MSTI
4.
After MSTP multi-process is enabled, each MSTP process corresponds to a ring connected to
the UPE. STP on each ring calculates a tree independently.
[Figure: network diagram. Layers: Core (MPLS/IP Core), Aggregation, Access; devices: UPE1,
UPE2, UPE3, UPE4, S1, S2, S3, S4; protocols: MSTP, STP/RSTP.]
Configure MSTP protection functions: You can configure one or more functions. See 15.10
Configuring MSTP Protection Functions.
Licensing Requirements
MSTP configuration commands are available only after the S1720GW, S1720GWR, and
S1720X have the license (WEB management to full management Electronic RTU License)
loaded and activated and the switches are restarted. MSTP configuration commands on other
models are not under license control.
For details about how to apply for a license, see S Series Switch License Use Guide.
Version Requirements
S2710SI V100R006(C03&C05)
S5710-C-LI V200R001C00
S5730SI V200R011C10
S5730S-EI V200R011C10
NOTE
For details about software mappings, see Hardware Query Tool.
Feature Limitations
l Table 15-8 lists the specification of MSTP.
Item Specification
l MSTP BPDUs may be discarded in a scenario wherein there are many MSTIs and MSTP
multi-process is configured. This is due to the default CIR of STP being insufficient.
(The default CIR of STP is insufficient because the length of MSTP BPDUs increases as
the number of MSTIs increases, and the number of outgoing MSTP BPDUs increases
when MSTP multi-process is configured.) To avoid this situation, increase the CIR of
STP.
If the CPCAR values are adjusted improperly, network services are affected. To adjust
the CPCAR values of STP BPDUs, contact technical support personnel.
l Enabling MSTP on a ring network immediately triggers spanning tree calculation. If
basic configurations are not performed on switches and interfaces before MSTP is
enabled, network flapping may occur upon changes to parameters such as device priority
and interface priority.
Context
Building on the basic STP/RSTP functions, MSTP divides a switching network into multiple
regions, each of which has multiple spanning trees that are independent of each other. MSTP
isolates the traffic of different VLANs and load-balances VLAN traffic. MSTP is configured on
switches to trim a ring network to a loop-free network. Devices start spanning tree calculation
after the working mode is set and MSTP is enabled. To intervene in the spanning tree
calculation, use any of the following methods:
l Manually configure the root bridge and secondary root bridge.
l Set a priority for a switch in an MSTI. The lower the numerical value, the higher the
priority of the switch and the more likely the switch becomes a root bridge.
l Set a path cost for a port in an MSTI. The lower the numerical value, the smaller the cost
of the path from the port to the root bridge and the more likely the port becomes a root
port (assuming the same calculation method is used).
l Set a priority for a port in an MSTI. The lower the numerical value, the more likely the
port becomes a designated port.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp mode mstp
The working mode of the switch is set to MSTP. By default, the working mode is MSTP.
MSTP can recognize RSTP BPDUs and, conversely, RSTP can recognize MSTP BPDUs.
However, MSTP and STP cannot recognize each other's BPDUs. To enable devices running
different spanning tree protocols to interwork with each other, interfaces of an MSTP-enabled
switch connected to devices running STP automatically transition to STP mode; other
interfaces continue to work in MSTP mode.
----End
NOTE
Two switches belong to the same MST region when they have the same:
l Name of the MST region
l Mapping between VLANs and MSTIs
l Revision level of the MST region
Perform the following steps on a switch that needs to join an MST region.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp region-configuration
The MST region view is displayed.
Step 3 Run region-name name
The name of an MST region is configured.
By default, the MST region name is the bridge MAC address of the switch.
Step 4 Perform either of the following steps to configure VLAN-to-instance mappings.
l Run the instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command to
configure VLAN-to-instance mappings.
l Run the vlan-mapping modulo modulo command to enable VLAN-to-instance mapping
assignment based on a default algorithm.
By default, all VLANs in an MST region are mapped to MSTI 0.
l The VLAN-to-instance mappings generated using the vlan-mapping modulo modulo
command cannot meet network requirements. It is recommended that you run the
instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command to configure
VLAN-to-instance mappings.
l The vlan-mapping modulo specifies the formula (VLAN ID-1)%modulo+1. In the
formula, (VLAN ID-1)%modulo means the remainder of (VLAN ID-1) divided by the
value of modulo. This formula is used to map a VLAN to the corresponding MSTI. The
calculation result of the formula is the ID of the mapping MSTI.
l To configure the mapping between a spanning tree instance and a MUX VLAN, you are
advised to configure the principal VLAN, subordinate group VLANs, and subordinate
separate VLANs of the MUX VLAN in the same protected instance. Otherwise, loops
may occur.
MSTP is a standard protocol; therefore, the MSTP revision level of a device is 0 by default. If
the revision level of some devices from a specified manufacturer is not 0, you must change
the value to 0 to facilitate tree calculation in an MST region.
NOTE
Changing MST region configurations (especially changes in the VLAN mapping table) triggers
spanning tree recalculation and may cause route flapping. Therefore:
l After configuring an MST region name, VLAN-to-MSTI mappings, and an MSTP revision number,
run the check region-configuration command in the MST region view to verify the configuration.
After confirming the region configurations, run the active region-configuration command to
activate MST region configurations.
l You are advised not to modify MST region parameters after the MST region is activated.
MST region configurations are activated so that the configured region name, VLAN-to-MSTI
mappings, and revision number can take effect.
The preceding configurations do not take effect until this command is run.
If MST region configurations on the switch change after MSTP starts, the active region-
configuration command must be run before the changes take effect.
Before using the active region-configuration command to activate the modified MST region
parameters, run the check region-configuration command to check whether parameters are
correct. After the active region-configuration command is run, if a message that indicates an
activation failure is displayed, reconfigure MSTP parameters.
----End
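The three region-membership conditions and the vlan-mapping modulo formula above can be checked offline across switches before the region configuration is activated. The following Python example is added here and is not Huawei code; the sample configurations are constructed, the function names are hypothetical, and it assumes the revision level appears in the stanza as a revision-level line and that later lines override earlier ones.

```python
"""Added illustration: do two switches agree on their MST region settings?"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

VLAN_IDS = range(1, 4095)  # VLAN 1 to 4094


@dataclass
class RegionConfig:
    name: Optional[str] = None   # None: default name (the switch's bridge MAC)
    revision: int = 0            # default revision level
    vlan_to_msti: Dict[int, int] = field(
        default_factory=lambda: dict.fromkeys(VLAN_IDS, 0))  # default: MSTI 0


def vlan_ranges(tokens: List[str]) -> List[Tuple[int, int]]:
    """Parse 'vlan-id1 [ to vlan-id2 ]' groups, e.g. ['2', 'to', '10', '30']."""
    ranges, i = [], 0
    while i < len(tokens):
        low = high = int(tokens[i])
        if tokens[i + 1:i + 2] == ["to"] and i + 2 < len(tokens):
            high = int(tokens[i + 2])
            i += 2
        if not 1 <= low <= high <= 4094:
            raise ValueError(f"invalid VLAN range {low}-{high}")
        ranges.append((low, high))
        i += 1
    return ranges


def parse_region(config_text: str) -> RegionConfig:
    """Read the 'stp region-configuration' stanza of a configuration file."""
    cfg, in_stanza = RegionConfig(), False
    for raw in config_text.splitlines():
        words = raw.split()
        if words == ["stp", "region-configuration"]:
            in_stanza = True
        elif not in_stanza or not words:
            continue
        elif words[0] in ("#", "quit"):
            break                                    # end of the stanza
        elif words[0] == "region-name" and len(words) == 2:
            cfg.name = words[1]
        elif words[0] == "revision-level" and len(words) == 2:
            cfg.revision = int(words[1])
        elif words[:2] == ["vlan-mapping", "modulo"] and len(words) == 3:
            modulo = int(words[2])
            for vlan in VLAN_IDS:                    # (VLAN ID-1)%modulo+1
                cfg.vlan_to_msti[vlan] = (vlan - 1) % modulo + 1
        elif words[0] == "instance" and words[2:3] == ["vlan"]:
            for low, high in vlan_ranges(words[3:]):
                for vlan in range(low, high + 1):
                    cfg.vlan_to_msti[vlan] = int(words[1])
    return cfg


def compress(vlans: List[int]) -> str:
    """Render a sorted VLAN list as ranges, e.g. [11, 12, 13, 20] -> '11-13, 20'."""
    spans, start, prev = [], vlans[0], vlans[0]
    for vlan in vlans[1:] + [None]:
        if vlan != prev + 1:
            spans.append(str(start) if start == prev else f"{start}-{prev}")
            start = vlan
        prev = vlan
    return ", ".join(spans)


def region_mismatches(a: RegionConfig, b: RegionConfig) -> List[str]:
    """Return the reasons why a and b would not form one MST region."""
    problems = []
    if a.name is None or b.name is None:
        problems.append("region name: default (bridge MAC) in use, names differ")
    elif a.name != b.name:
        problems.append(f"region name: {a.name!r} != {b.name!r}")
    if a.revision != b.revision:
        problems.append(f"revision level: {a.revision} != {b.revision}")
    diff = [v for v in VLAN_IDS if a.vlan_to_msti[v] != b.vlan_to_msti[v]]
    if diff:
        problems.append(f"VLAN-to-MSTI mapping differs for VLANs {compress(diff)}")
    return problems


# Constructed sample configurations (not taken from real devices).
S1_CONFIG = """\
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2 to 10
 instance 2 vlan 11 to 20
 active region-configuration
#
"""
S2_CONFIG = S1_CONFIG.replace("11 to 20", "11 to 19")  # VLAN 20 left in MSTI 0

if __name__ == "__main__":
    print(region_mismatches(parse_region(S1_CONFIG), parse_region(S2_CONFIG)))
```

An empty result means the two switches meet all three conditions; a switch whose region name is left at the default is always reported, because its default name is its own bridge MAC address.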
Context
MSTP can calculate the root bridge or you can manually configure the root bridge or
secondary root bridge. Manually configuring the root bridge and secondary root bridge is
recommended.
A switch can function as a root bridge or a secondary root bridge in a spanning tree. It can
also function as the root bridge or secondary root bridge of another spanning tree. In a
spanning tree:
l Only one root bridge takes effect. If two or more root bridges are specified in a spanning
tree, the device with the smallest MAC address is used.
l Multiple secondary root bridges can be specified. If the root bridge fails or is powered
off and no new root bridge is specified, the secondary root bridge with the smallest MAC
address will become the root bridge of the spanning tree.
Procedure
l Perform the following operations on the device to be used as the root bridge.
a. Run system-view
The system view is displayed.
b. Run stp [ instance instance-id ] root primary
The device is configured as the root bridge.
By default, a switch does not function as the root bridge. After the configuration is
complete, the priority value of the device is 0 (this value cannot be modified).
If instance is not specified, the device in MSTI 0 is a root bridge.
l Perform the following operations on the device to be used as the secondary root bridge.
a. Run system-view
The system view is displayed.
b. Run stp [ instance instance-id ] root secondary
The device is configured as the secondary root bridge.
By default, a switch does not function as the secondary root bridge. After the
configuration is complete, the priority value of the device is 4096 (this value cannot
be modified).
If instance is not specified, the device in MSTI 0 is a secondary root bridge.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp [ instance instance-id ] priority priority
A priority is set for the switch in an MSTI.
The default priority value of the switch is 32768.
If instance-id is not specified, a priority is set for the switch in MSTI 0.
NOTE
If the stp [ instance instance-id ] root primary or stp [ instance instance-id ] root secondary
command has been executed to configure the device as the root bridge or secondary root bridge, to
change the device priority, run the undo stp [ instance instance-id ] root command to disable the root
bridge or secondary root bridge function and run the stp [ instance instance-id ] priority priority
command to set a priority.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is configured.
By default, the IEEE 802.1t standard (dot1t) is used to calculate the path cost.
All switches on a network must use the same path cost calculation method.
Step 3 Run interface interface-type interface-number
The Ethernet interface view is displayed.
Step 4 Run stp instance instance-id cost cost
A path cost is set for the port in the current MSTI.
l When the Huawei calculation method is used, cost ranges from 1 to 200000.
l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.
----End
To block a port in an MSTI to eliminate loops, set the port priority to a value larger than the
default value. This port will be blocked during designated port selection.
Procedure
Step 1 Run system-view
----End
Context
Enabling MSTP on a ring network immediately triggers spanning tree calculation. If basic
configurations are not performed on switches and interfaces before MSTP is enabled, network
flapping may occur upon changes to parameters such as device priority and interface priority.
Procedure
Step 1 Run system-view
STP/RSTP-enabled devices calculate spanning trees by exchanging BPDUs. Therefore, all the
interfaces participating in spanning tree calculation must be enabled to send BPDUs to the
CPU for processing. By default, an interface is enabled to send BPDUs to the CPU. You can
run the bpdu enable command in interface view to enable an interface to send BPDUs to the
CPU. The S5720EI, S5720HI, S6720EI, and S6720S-EI do not support the bpdu command.
NOTE
If the management network interface for an MSTP-enabled device is a VLANIF interface of a VLAN,
run the ethernet-loop-protection ignored-vlan command to specify this VLAN as an ignored VLAN.
During MSTP calculation, the interface on which the ignored VLAN is configured remains in
forwarding state. Therefore, services are not interrupted.
After MSTP is enabled on a port, edge port detection is started automatically. If the port fails to receive
BPDU packets within (2 x Hello Timer + 1) seconds, the port is set to an edge port. Otherwise, the port
is set to a non-edge port.
NOTE
For the S1720GFR, S2750EI, S5700LI, and S5700S-LI, a maximum of 64 STP-enabled ports in Up state are
recommended. If there are more than 64 STP-enabled ports in Up state, the CPU may be affected and faults
such as protocol flapping may occur.
For the S1720GW, S1720GWR, S1720GW-E, S1720GWR-E, S2720EI, S5710-X-LI, S5720LI, S5720S-LI,
S5730SI, S5730S-EI, S1720X, S1720X-E, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S5720SI, and S5720S-
SI, a maximum of 128 STP-enabled ports in Up state are recommended. If there are more than 128 STP-
enabled ports in Up state, the CPU may be affected and faults such as protocol flapping may occur.
For the S5720EI, a maximum of 200 STP-enabled ports in Up state are recommended. If there are more than
200 STP-enabled ports in Up state, the CPU may be affected and faults such as protocol flapping may occur.
For the S5720HI, S6720EI, and S6720S-EI, a maximum of 256 STP-enabled ports in Up state are
recommended. If there are more than 256 STP-enabled ports in Up state, the CPU may be affected and faults
such as protocol flapping may occur.
----End
Follow-up Procedure
If the topology of a spanning tree changes, the forwarding paths to associated VLANs are
changed. On the switch, therefore, the ARP entries corresponding to these VLANs need to be
updated. MSTP processes ARP entries in either fast or normal mode.
l In fast mode, ARP entries to be updated are directly deleted.
l In normal mode, ARP entries to be updated are rapidly aged.
The remaining lifetime of ARP entries to be updated is set to 0. The switch rapidly
processes these aged entries. If the number of ARP aging probe attempts is not set to 0,
ARP implements aging probe for these ARP entries.
To specify which mode is used for STP/RSTP convergence, run the stp converge { fast |
normal } command in the system view.
By default, the normal MSTP convergence mode is used.
NOTE
If fast mode is used, ARP entries are frequently deleted. This causes high CPU usage on the device
(reaching 100%) and results in frequent network flapping. Therefore, using normal mode is
recommended.
Pre-configuration Tasks
MSTP ensures that spanning trees in rings are calculated independently. After MSTP multi-
process is enabled, each MSTP process can manage certain ports on a device. Each Layer 2
interface can be managed by multiple MSTP processes.
Before configuring MSTP multi-process, complete and activate the MST region
configuration.
Context
A process ID uniquely identifies an MSTP process. After the ports on an MSTP-enabled
device are bound to different processes, the switch performs MSTP calculation based on
processes, with only relevant ports in each process taking part in MSTP calculation. To create
an MSTP process, perform the following procedure on the devices connected to access rings.
Procedure
Step 1 Run system-view
NOTE
l A default MSTP process with the ID 0 is established when a device starts. MSTP configurations in
the system view and interface view belong to this process. The default working mode of this process
is MSTP.
l To add an interface to an MSTP process whose ID is not 0, run the stp process command followed
by the stp binding process command.
----End
Context
After being added to MSTP processes, interfaces can participate in MSTP calculation. The
links connecting MSTP-enabled devices and access rings are called access links, and the link
shared by multiple access rings is called a shared link. Interfaces on this shared link
participate in MSTP calculation in multiple access rings and MSTP processes.
Procedure
l Adding a port on an access link to an MSTP process
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The Ethernet interface view is displayed.
The interface specified in this command must be the interface that connects the
device and the access ring.
c. Run stp binding process process-id
The port is added to the specified MSTP process.
NOTE
On the S5720EI, S5720HI, S6720EI, and S6720S-EI, if an interface joining the MSTP
process has sub-interfaces configured with other features such as VPLS, run the stp vpls-
subinterface enable command. The main interface can then notify its sub-interfaces to
update MAC address entries and ARP entries after receiving a TC-BPDU. This prevents
service interruption. In addition, root protection needs to be configured on the main
interface.
l Adding a port on a shared link to an MSTP process
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
The interface specified in this command must be an interface on the shared link
between the devices configured with MSTP multi-process. It cannot be an interface
that connects an access ring and device.
c. Run stp binding process process-id1 [ to process-id2 ] link-share
The port is added to multiple MSTP processes to complete MSTP calculation.
NOTE
In an MSTP process where there are multiple shared links, run the stp enable command in
the MSTP multi-instance view. On an interface that is added to an MSTP process, run the
stp enable command in the interface view.
----End
l Only one root bridge takes effect. If two or more root bridges are specified in a spanning
tree, the device with the smallest MAC address is used.
l Multiple secondary root bridges can be specified. If the root bridge fails or is powered
off and no new root bridge is specified, the secondary root bridge with the smallest MAC
address will become the root bridge of the spanning tree.
Procedure
l Perform the following operations on the device to be used as the root bridge.
a. Run system-view
By default, a switch does not function as the root bridge. After the configuration is
complete, the priority value of the device is 0 (this value cannot be modified).
By default, a switch does not function as the secondary root bridge. After the
configuration is complete, the priority value of the device is 4096 (this value cannot
be modified).
----End
Context
In an MSTI, there can be only one root bridge, which is the logical center of the MSTI. The
root bridge should be a high-performance switch; however, the priority of such a device may
not be the highest on the network. To ensure that such a device is selected as the root bridge,
set a low priority for low-performance switches, and set a high priority for high-performance
switches. A smaller priority value indicates a higher priority.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp process process-id
The MSTP process view is displayed.
Step 3 Run stp [ instance instance-id ] priority priority
A priority is set for the switch in an MSTI.
The default priority value of the switch is 32768.
If instance-id is not specified, a priority is set for the switch in MSTI 0.
NOTE
l To configure a switch as the primary root bridge, run the stp [ instance instance-id ] root primary
command directly. The priority value of this switch is 0.
l To configure a switch as the secondary root bridge, run the stp [ instance instance-id ] root
secondary command. The priority value of this switch is 4096.
In an MSTI, a switch cannot act as the primary root bridge and secondary root bridge at the same
time.
l If the stp [ instance instance-id ] root primary or stp [ instance instance-id ] root secondary
command has been executed to configure the device as the root bridge or secondary root bridge, to
change the device priority, run the undo stp [ instance instance-id ] root command to disable the
root bridge or secondary root bridge function and run the stp [ instance instance-id ] priority
priority command to set a priority.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is configured.
By default, the IEEE 802.1t standard (dot1t) is used to calculate the path cost.
All switches on a network must use the same path cost calculation method.
Step 3 Run interface interface-type interface-number
The Ethernet interface view is displayed.
Step 4 Run stp binding process process-id
The port is bound to an MSTP process.
Step 5 Run stp [ process process-id ] instance instance-id cost cost
A path cost is set for the port in the current MSTI.
l When the Huawei calculation method is used, cost ranges from 1 to 200000.
l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run stp binding process process-id
The port is bound to an MSTP process.
Step 4 Run stp [ process process-id ] instance instance-id port priority priority
A port priority is set in an MSTI.
By default, the port priority is 128.
The priority value ranges from 0 to 240, in increments of 16.
----End
ARP entries after receiving a TC-BPDU. This ensures service continuity. To configure the TC
notification function for MSTP multi-process, perform the following procedure on the devices
connected to access rings.
Procedure
Step 1 Run system-view
After the stp tc-notify process 0 command is run, the current MSTP process notifies the
MSTIs in MSTP process 0 to update MAC entries and ARP entries after receiving a TC-
BPDU. This prevents services from being interrupted.
----End
Context
After MSTP multi-process is enabled on the switch, you must enable MSTP in the MSTP
process view so that the MSTP configuration can take effect in the MSTP process.
Enabling MSTP on a ring network immediately triggers spanning tree calculation on the
network. On the switch, configurations such as the switch priority and port priority affect
spanning tree calculation. Any change to these configurations may cause network flapping.
Therefore, to ensure rapid and stable spanning tree calculation, perform basic configurations
on the switch and its ports first, and then enable MSTP.
Procedure
Step 1 Run system-view
NOTE
For the S1720GFR, S2750EI, S5700LI, and S5700S-LI, a maximum of 64 STP-enabled ports in Up state are
recommended. If there are more than 64 STP-enabled ports in Up state, the CPU may be affected and faults
such as protocol flapping may occur.
For the S1720GW, S1720GWR, S1720GW-E, S1720GWR-E, S2720EI, S5710-X-LI, S5720LI, S5720S-LI,
S5730SI, S5730S-EI, S1720X, S1720X-E, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S5720SI, and S5720S-
SI, a maximum of 128 STP-enabled ports in Up state are recommended. If there are more than 128 STP-
enabled ports in Up state, the CPU may be affected and faults such as protocol flapping may occur.
For the S5720EI, a maximum of 200 STP-enabled ports in Up state are recommended. If there are more than
200 STP-enabled ports in Up state, the CPU may be affected and faults such as protocol flapping may occur.
For the S5720HI, S6720EI, and S6720S-EI, a maximum of 256 STP-enabled ports in Up state are
recommended. If there are more than 256 STP-enabled ports in Up state, the CPU may be affected and faults
such as protocol flapping may occur.
----End
Follow-up Procedure
If the topology of a spanning tree changes, the forwarding paths to associated VLANs are
changed. On the switch, therefore, the ARP entries corresponding to these VLANs need to be
updated. MSTP processes ARP entries in either fast or normal mode.
l In fast mode, ARP entries to be updated are directly deleted.
l In normal mode, ARP entries to be updated are rapidly aged.
The remaining lifetime of ARP entries to be updated is set to 0. The switch rapidly
processes these aged entries. If the number of ARP aging probe attempts is not set to 0,
ARP implements aging probe for these ARP entries.
In either fast or normal mode, MAC entries are directly deleted.
To specify which mode is used for STP/RSTP convergence, run the stp converge { fast |
normal } command in the system view.
By default, the normal MSTP convergence mode is used.
If fast mode is used, ARP entries are frequently deleted. This causes high CPU usage on the
device (reaching 100%) and results in frequent network flapping. Therefore, using normal
mode is recommended.
Pre-configuration Tasks
Before configuring MSTP parameters that affect route convergence, configure MSTP or
MSTP multi-process.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run stp process process-id
The MSTP process view is displayed.
NOTE
RSTP uses a single spanning tree instance on the entire network, meaning that performance deterioration
cannot be prevented when the network scale increases. Therefore, the network diameter cannot be larger than
7.
----End
cause a waste of network resources. To avoid wasting network resources, set a long timeout
interval on a stable network.
If a switching device does not receive any BPDUs from the upstream device within the
timeout interval, spanning tree recalculation is performed. The timeout interval is calculated
as follows:
Procedure
Step 1 Run system-view
NOTE
The timeout interval is set, specifying how long the upstream device waits for BPDUs.
----End
Context
The following timers are used in spanning tree calculation:
l Forward Delay: specifies the delay before a state transition. After the topology of a ring
network changes, it takes some time to spread the new configuration BPDU throughout
the entire network. As a result, the original blocked port may be unblocked before a new
port is blocked. When this occurs, a loop exists on the network. You can set the Forward
Delay timer to prevent loops. When the topology changes, all ports will be temporarily
blocked during the Forward Delay.
l Hello Time: specifies the interval at which hello packets are sent. A device sends
configuration BPDUs at the specified interval to detect link failures. If the switching
device does not receive any BPDUs within the timeout period (timeout period = Hello
Time x 3 x Timer Factor), the device recalculates the spanning tree.
l Max Age: determines whether BPDUs expire. A switching device determines that a
received configuration BPDU times out when the Max Age expires.
Devices on a ring network must use the same values of Forward Delay, Hello Time, and Max
Age.
You are not advised to directly change the preceding three timers. The three parameters are
relevant to the network scale; therefore, it is recommended that you set the network diameter
so that the spanning tree protocol automatically adjusts these timers. When the default
network diameter is used, the three timers also retain their default values.
To prevent frequent network flapping, make sure that the Hello Time, Forward Delay, and
Max Age timer values conform to the following formulas:
l 2 x (Forward Delay - 1.0 second) ≥ Max Age
l Max Age ≥ 2 x (Hello Time + 1.0 second)
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run stp process process-id
The MSTP process view is displayed.
----End
Figure: SwitchA and SwitchB connected by Eth-Trunk1 and Eth-Trunk2, after configuration. Legend: root
bridge, alternate port, root port, designated port.
The maximum number of connections affects only the path cost of an Eth-Trunk interface
participating in spanning tree calculation, and does not affect the actual bandwidth of the Eth-
Trunk link. The actual bandwidth for an Eth-Trunk link depends on the number of active
member interfaces in the Eth-Trunk.
Procedure
Step 1 Run system-view
----End
Context
It is easy to implement rapid convergence on a P2P link. If the two ports connected to a P2P
link are root or designated ports, the ports can transit to the forwarding state quickly by
sending Proposal and Agreement packets. This reduces the forwarding delay.
Procedure
Step 1 Run system-view
By default, an interface automatically determines whether to connect to a P2P link. The P2P
link supports rapid network convergence.
l If the Ethernet port works in full-duplex mode, it is connected to a P2P link. In this case,
specify force-true to implement rapid network convergence.
l If the Ethernet port works in half-duplex mode, specify force-true to forcibly set the link
type to P2P.
----End
Context
A larger value of packet-number indicates more BPDUs sent in a hello interval and therefore
more system resources occupied. Setting the proper value of packet-number prevents excess
bandwidth usage when route flapping occurs.
Procedure
Step 1 Run system-view
By default, the maximum number of BPDUs that a port sends is 6 per second.
----End
Context
If an interface on an MSTP-enabled device is connected to an STP-enabled device, the
interface switches to the STP-compatible mode.
Procedure
l Switch to the MSTP mode in the interface view.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
c. Run stp mcheck
The device is switched to the MSTP mode.
l Switch to the MSTP mode in the system view.
a. Run system-view
The system view is displayed.
b. (Optional) Run stp process process-id
The MSTP process view is displayed.
NOTE
After all ports are configured as edge ports and BPDU filter ports in the system view, the
ports do not send BPDUs or negotiate the STP status with directly connected ports on the peer
device. All ports are in the Forwarding state, which may cause loops on the network and lead
to broadcast storms. Exercise caution when you configure a port as an edge port and BPDU
filter port.
After a port is configured as an edge port and BPDU filter port in the interface view, the port
does not process or send BPDUs. The port cannot negotiate the STP status with the directly
connected port on the peer device. Exercise caution when you configure a port as an edge port
and BPDU filter port.
Procedure
l Configuring all ports as edge ports and BPDU filter ports in the system view
a. Run system-view
The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
c. (Optional) Run stp edged-port enable
----End
Context
To communicate with each other on a Layer 2 network running MSTP, switches exchange
MST BPDUs. MST BPDUs have a field that indicates the number of remaining hops.
l The number of remaining hops in a BPDU sent by the root bridge equals the maximum
number of hops.
l The number of remaining hops in a BPDU sent by a non-root bridge equals the
maximum number of hops minus the number of hops from the non-root bridge to the
root bridge.
l If a switch receives a BPDU in which the number of remaining hops is 0, the switch will
discard the BPDU.
The maximum number of hops of a spanning tree in an MST region determines the network
scale. The stp max-hops command can be used to set the maximum number of hops in an
MST domain so that the network scale of a spanning tree can be controlled.
Procedure
Step 1 Run system-view
NOTE
By default, the maximum number of hops of the spanning tree in an MST region is 20.
----End
Procedure
l Run the display stp [ process process-id ] [ instance instance-id ] [ interface interface-
type interface-number | slot slot-id ] [ brief ] command to view spanning-tree status and
statistics.
----End
Pre-configuration Tasks
Before configuring MSTP protection functions, configure MSTP or MSTP multi-process.
Context
Edge ports are directly connected to user terminals and do not normally receive BPDUs. Attackers
may send forged BPDUs to attack the switch. If an edge port receives such a BPDU, the switch
reconfigures the edge port as a non-edge port and triggers a new spanning tree calculation,
which causes network flapping. BPDU protection can be used to protect switches against
such attacks.
Perform the following procedure on all switches that have edge ports.
Procedure
Step 1 Run system-view
----End
Follow-up Procedure
If you want an edge port to automatically recover from the error-down state, run the error-
down auto-recovery cause bpdu-protection interval interval-value command in the system
view to configure the auto recovery function and set a recovery delay on the port. Then a port
in error-down state can automatically go Up after the delay expires. Note the following when
setting the recovery delay:
l By default, the auto recovery function is disabled; therefore, the recovery delay
parameter does not have a default value. When you enable the auto recovery function,
you must set a recovery delay.
l A smaller value of interval-value indicates a shorter time taken for an edge port to go
Up, and a higher frequency of Up/Down state transitions on the port.
l A larger value of interval-value indicates a longer time taken for the edge port to go Up,
and a longer service interruption time.
l The auto recovery function takes effect only for the interfaces that transition to the error-
down state after the error-down auto-recovery command is executed.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run stp process process-id
The MSTP process view is displayed.
NOTE
Within the time specified by stp tc-protection interval, the switch processes the number of TC BPDUs
specified by stp tc-protection threshold. Packets that exceed this threshold are delayed, so spanning
tree convergence may be affected. For example, if the period is set to 10s and the threshold is set to 5,
the device processes five TC BPDUs within 10s. After 10s, the device processes subsequent TC BPDUs.
----End
being transmitted over low-speed links, leading to network congestion. The root protection
function on a switch preserves the role of the designated port in order to protect the root
bridge.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of the Ethernet interface participating in STP calculation is displayed.
Step 3 (Optional) Run stp binding process process-id
The port is bound to an MSTP process.
----End
NOTE
An alternate port is a backup port for a root port. If a switch has an alternate port, configure loop
protection on both the root port and the alternate port.
Perform the following steps on the root port and alternate port on a switch in an MST region.
Procedure
Step 1 Run system-view
----End
Context
Shared-link protection is used in scenarios where a switch is dual homed to a network.
If a shared link fails, shared-link protection forcibly changes the working mode of a local
switch to RSTP. This function can be used together with root protection to avoid network
loops.
Procedure
Step 1 Run system-view
----End
Procedure
l Run the display stp [ process process-id ] [ instance instance-id ] [ interface interface-
type interface-number | slot slot-id ] [ brief ] command to view spanning-tree status and
statistics.
----End
Context
The rapid transition mechanism is also called the Proposal/Agreement mechanism. All
switches support the following modes:
l Enhanced mode: The current interface includes the root port calculation when it
computes the synchronization flag bit.
– An upstream device sends a Proposal message to a downstream device, requesting
rapid status transition. After receiving the message, the downstream device sets the
port connected to the upstream device as a root port and blocks all non-edge ports.
– The upstream device then sends an Agreement message to the downstream device.
After the downstream device receives the message, the root port transitions to the
Forwarding state.
– The downstream device responds to the Proposal message with an Agreement
message. After receiving the message, the upstream device sets the port connected
to the downstream device as a designated port, and the designated port transitions to
the Forwarding state.
l Common mode: The current interface ignores the root port when it computes the
synchronization flag bit.
– An upstream device sends a Proposal message to a downstream device, requesting
rapid status transition. After receiving the message, the downstream device sets the
port connected to the upstream device as a root port and blocks all non-edge ports.
The root port then transitions to the Forwarding state.
– The downstream device responds to the Proposal message with an Agreement
message. After receiving the message, the upstream device sets the port connected
to the downstream device as a designated port. The designated port then transitions
to the Forwarding state.
When Huawei devices are connected to non-Huawei devices, select the same mode as that
used on non-Huawei devices.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run stp no-agreement-check
The common rapid transition mechanism is configured.
By default, the interface uses the enhanced rapid transition mechanism.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run stp compliance { auto | dot1s | legacy }
The MSTP protocol packet format is configured on the interface.
The auto mode is used by default.
NOTE
The negotiation will fail if the format of MSTP packets is set to dot1s at one end and legacy at the other
end.
----End
BPDU keys. To address this problem, enable the digest snooping function on the Huawei
device.
Perform the following steps on a switch in an MST region to enable the digest snooping
function.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run stp config-digest-snoop
The digest snooping function is enabled.
----End
Procedure
l Run the display stp [ process process-id ] [ instance instance-id ] [ interface interface-
type interface-number | slot slot-id ] [ brief ] command to view spanning-tree status and
statistics.
----End
Context
Procedure
l Run the reset stp [ interface interface-type interface-number ] statistics command to
clear spanning-tree statistics.
l Run the reset stp error packet statistics command to clear the statistics of error STP packets.
----End
Figure: MSTP networking. SwitchA, SwitchB, SwitchC, and SwitchD are in MST region RG1, and SwitchA
and SwitchB are connected by Eth-Trunk1. MSTI 1: root switch SwitchA. MSTI 2: root switch SwitchB.
The legend marks the blocked port in each MSTI.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic MSTP functions on the switch on the ring network. Because ports
connected to the PCs do not participate in MSTP calculation, configure these ports as
edge ports.
2. Configure protection functions to protect devices or links. You can configure root
protection on the designated port of the root bridge.
NOTE
When the link between the root bridge and secondary root bridge goes Down, the port enabled with root
protection becomes Discarding because root protection takes effect.
To improve the reliability, you are advised to bind the link between the root bridge and secondary root
bridge to an Eth-Trunk.
3. Configure Layer 2 forwarding.
Procedure
Step 1 Configure basic MSTP functions.
1. Configure SwitchA, SwitchB, SwitchC, and SwitchD in the same MST region named
RG1 and create MSTI 1 and MSTI 2.
NOTE
Two switches belong to the same MST region when they have the same:
– Name of the MST region
– Mapping between VLANs and MSTIs
– Revision level of the MST region
# Configure an MST region on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp region-configuration
[SwitchA-mst-region] region-name RG1
[SwitchA-mst-region] instance 1 vlan 2 to 10
[SwitchA-mst-region] instance 2 vlan 11 to 20
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
2. In the MST region RG1, configure the root bridge and secondary root bridge in MSTI 1
and MSTI 2.
3. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to be greater than the
default value.
NOTE
– The path cost values depend on path cost calculation methods. This example uses the Huawei
calculation method and sets the path cost to 20000 for the ports to be blocked.
– All switches on a network must use the same path cost calculation method.
# Configure SwitchA to use the Huawei calculation method to calculate the path cost.
[SwitchA] stp pathcost-standard legacy
# Configure SwitchB to use the Huawei calculation method to calculate the path cost.
[SwitchB] stp pathcost-standard legacy
# Configure SwitchC to use the Huawei calculation method to calculate the path cost, and
set the path cost of GE0/0/2 in MSTI 2 to 20000.
[SwitchC] stp pathcost-standard legacy
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] stp instance 2 cost 20000
[SwitchC-GigabitEthernet0/0/2] quit
# Configure SwitchD to use the Huawei calculation method to calculate the path cost, and
set the path cost of GE0/0/2 in MSTI 1 to 20000.
[SwitchD] stp pathcost-standard legacy
[SwitchD] interface gigabitethernet 0/0/2
[SwitchD-GigabitEthernet0/0/2] stp instance 1 cost 20000
[SwitchD-GigabitEthernet0/0/2] quit
NOTE
If edge ports are connected to network devices that have STP enabled and BPDU protection
is enabled, the edge ports will be shut down and their attributes remain unchanged after they
receive BPDUs.
Step 2 Configure root protection on the designated port of the root bridge.
# Enable root protection on GE0/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] stp root-protection
[SwitchA-GigabitEthernet0/0/1] quit
After the preceding configurations are complete and the network topology becomes stable,
perform the following operations to verify the configuration.
NOTE
MSTI 1 and MSTI 2 are used as examples. You do not need to check the interface status in MSTI 0.
# Run the display stp brief command on SwitchA to view the status and protection mode on
the ports. Output similar to the following is displayed:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 DESI FORWARDING ROOT
0 Eth-Trunk1 DESI FORWARDING NONE
1 GigabitEthernet0/0/1 DESI FORWARDING ROOT
1 Eth-Trunk1 DESI FORWARDING NONE
2 GigabitEthernet0/0/1 DESI FORWARDING ROOT
2 Eth-Trunk1 ROOT FORWARDING NONE
In MSTI 1, GE0/0/1 and Eth-Trunk1 are designated ports because SwitchA is the root bridge.
In MSTI 2, GE0/0/1 on SwitchA is the designated port and Eth-Trunk1 is the root port.
# Run the display stp brief command on SwitchB. Output similar to the following is
displayed:
[SwitchB] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 DESI FORWARDING ROOT
0 Eth-Trunk1 ROOT FORWARDING NONE
1 GigabitEthernet0/0/1 DESI FORWARDING ROOT
1 Eth-Trunk1 ROOT FORWARDING NONE
2 GigabitEthernet0/0/1 DESI FORWARDING ROOT
2 Eth-Trunk1 DESI FORWARDING NONE
In MSTI 2, GE0/0/1 and Eth-Trunk1 are designated ports because SwitchB is the root bridge.
In MSTI 1, GE0/0/1 on SwitchB is the designated port and Eth-Trunk1 is the root port.
# Run the display stp interface brief commands on SwitchC. Output similar to the following
is displayed:
[SwitchC] display stp interface gigabitethernet 0/0/3 brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/3 ROOT FORWARDING NONE
1 GigabitEthernet0/0/3 ROOT FORWARDING NONE
2 GigabitEthernet0/0/3 ROOT FORWARDING NONE
[SwitchC] display stp interface gigabitethernet 0/0/2 brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/2 DESI FORWARDING NONE
1 GigabitEthernet0/0/2 DESI FORWARDING NONE
2 GigabitEthernet0/0/2 ALTE DISCARDING NONE
GE0/0/3 on SwitchC is the root port in MSTI 1 and MSTI 2. GE0/0/2 on SwitchC is the
designated port in MSTI 1 but is blocked in MSTI 2.
# Run the display stp interface brief commands on SwitchD. Output similar to the following
is displayed:
[SwitchD] display stp interface gigabitethernet 0/0/3 brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/3 ROOT FORWARDING NONE
1 GigabitEthernet0/0/3 ROOT FORWARDING NONE
2 GigabitEthernet0/0/3 ROOT FORWARDING NONE
[SwitchD] display stp interface gigabitethernet 0/0/2 brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/2 ALTE DISCARDING NONE
1 GigabitEthernet0/0/2 ALTE DISCARDING NONE
2 GigabitEthernet0/0/2 DESI FORWARDING NONE
GE0/0/3 on SwitchD is the root port in MSTI 1 and MSTI 2. GE0/0/2 on SwitchD is the
blocked port in MSTI 1 and is the designated port in MSTI 2.
----End
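The verification step above can be automated against captured display stp brief output. The following Python script is an added example, not part of the original guide or of Huawei's tooling; the function names and finding labels are assumptions of this example, and the second capture is constructed.

```python
import re

# Copied from the SwitchA sample output on this page.
SWITCHA_STABLE = """\
 MSTID  Port                    Role  STP State     Protection
   0    GigabitEthernet0/0/1    DESI  FORWARDING      ROOT
   0    Eth-Trunk1              DESI  FORWARDING      NONE
   1    GigabitEthernet0/0/1    DESI  FORWARDING      ROOT
   1    Eth-Trunk1              DESI  FORWARDING      NONE
   2    GigabitEthernet0/0/1    DESI  FORWARDING      ROOT
   2    Eth-Trunk1              ROOT  FORWARDING      NONE
"""

# Constructed capture (not from the page): the same switch with root protection
# in effect on GE0/0/1 in MSTI 1, so the port is DISCARDING but still designated.
SWITCHA_TRIGGERED = """\
 MSTID  Port                    Role  STP State     Protection
   0    GigabitEthernet0/0/1    DESI  FORWARDING      ROOT
   0    Eth-Trunk1              DESI  FORWARDING      NONE
   1    GigabitEthernet0/0/1    DESI  DISCARDING      ROOT
   1    Eth-Trunk1              DESI  FORWARDING      NONE
   2    GigabitEthernet0/0/1    DESI  FORWARDING      ROOT
   2    Eth-Trunk1              ROOT  FORWARDING      NONE
"""

# MSTID, port, role, state, protection; the header and prompt lines do not match.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_stp_brief(text):
    """Turn display stp brief output into a list of row dictionaries."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"msti": int(m[1]), "port": m[2], "role": m[3],
                         "state": m[4], "protection": m[5]})
    return rows


def root_of(rows):
    """MSTIs in which the switch has no root port, that is, where it is the root.

    Valid only for the full display stp brief output, not the per-interface form.
    """
    with_root_port = {r["msti"] for r in rows if r["role"] == "ROOT"}
    return {r["msti"] for r in rows} - with_root_port


def check(rows, expected_root=()):
    """Return (msti, port, finding) tuples for states that need attention."""
    findings = []
    roots = root_of(rows)
    for msti in expected_root:
        if msti not in roots:
            findings.append((msti, "-", "expected-root-but-has-root-port"))
    root_ports = {}
    for r in rows:
        if r["protection"] == "ROOT" and r["role"] != "DESI":
            findings.append((r["msti"], r["port"], "root-protection-on-non-designated-port"))
        elif r["protection"] == "ROOT" and r["state"] != "FORWARDING":
            findings.append((r["msti"], r["port"], "root-protection-in-effect"))
        if r["role"] == "ROOT":
            root_ports.setdefault(r["msti"], []).append(r["port"])
    for msti, ports in root_ports.items():
        if len(ports) > 1:  # a bridge has at most one root port per instance
            findings.append((msti, ",".join(ports), "multiple-root-ports"))
    return findings


if __name__ == "__main__":
    for label, capture in (("stable", SWITCHA_STABLE), ("triggered", SWITCHA_TRIGGERED)):
        print(label, check(parse_stp_brief(capture), expected_root=[1]))
```

A root-protection-in-effect finding on a port that should be forwarding is worth investigating before the port is recovered.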
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 20
#
stp instance 1 root primary
stp instance 2 root secondary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
return
l SwitchB configuration file
#
sysname SwitchB
#
vlan batch 2 to 20
#
stp instance 1 root secondary
stp instance 2 root primary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
return
l SwitchC configuration file
#
sysname SwitchC
#
vlan batch 2 to 20
#
stp bpdu-protection
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
#
interface GigabitEthernet0/0/1
port link-type access
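The rules this example relies on (identical region name, revision level and VLAN-to-MSTI mapping on every switch, one path cost calculation method network-wide, BPDU protection wherever edge ports exist, and root protection on the root bridges) can be checked offline against saved configuration files. The following Python script is an added example, not part of the original guide; SwitchX, the function names and the finding labels are assumptions of this example.

```python
import re

# SwitchA: STP-relevant lines of the SwitchA configuration file on this page.
# SwitchX: constructed for this example (not from the page).
CONFIGS = {
    "SwitchA": """\
stp instance 1 root primary
stp instance 2 root secondary
stp pathcost-standard legacy
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2 to 10
 instance 2 vlan 11 to 20
#
interface GigabitEthernet0/0/1
 stp root-protection
""",
    "SwitchX": """\
stp region-configuration
 region-name RG1
 instance 1 vlan 2 to 10
 instance 2 vlan 11 to 21
#
interface GigabitEthernet0/0/1
 port link-type access
 stp edged-port enable
""",
}


def expand_vlans(spec):
    """Expand a VLAN list such as '2 to 10 15' into a frozenset of VLAN IDs."""
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", spec):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(vlans)


def parse_config(text):
    """Extract the STP facts the audit needs from one saved configuration."""
    # Defaults: path cost method dot1t (stated on this page), revision level 0.
    sw = {"region": None, "revision": 0, "instances": {}, "pathcost": "dot1t",
          "bpdu_protection": False, "root_roles": {}, "edge_ports": [],
          "root_protected": []}
    for block in re.split(r"(?m)^#[ \t]*$", text):  # '#' lines separate sections
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        if lines[0].startswith("interface "):
            port = lines[0].split(None, 1)[1]
            if "stp edged-port enable" in lines:
                sw["edge_ports"].append(port)
            if "stp root-protection" in lines:
                sw["root_protected"].append(port)
            continue
        for ln in lines:
            if m := re.fullmatch(r"region-name (\S+)", ln):
                sw["region"] = m[1]
            elif m := re.fullmatch(r"revision-level (\d+)", ln):
                sw["revision"] = int(m[1])
            elif m := re.fullmatch(r"instance (\d+) vlan (.+)", ln):
                sw["instances"][int(m[1])] = expand_vlans(m[2])
            elif m := re.fullmatch(r"stp pathcost-standard (\S+)", ln):
                sw["pathcost"] = m[1]
            elif m := re.fullmatch(r"stp instance (\d+) root (primary|secondary)", ln):
                sw["root_roles"][int(m[1])] = m[2]
            elif ln == "stp bpdu-protection":
                sw["bpdu_protection"] = True
    return sw


def audit(configs, reference):
    """Compare every switch with the reference switch and check its protection."""
    parsed = {name: parse_config(text) for name, text in configs.items()}
    ref, findings = parsed[reference], []
    for name, sw in parsed.items():
        # Same region needs the same name, revision level and VLAN-to-MSTI mapping.
        if any(sw[k] != ref[k] for k in ("region", "revision", "instances")):
            findings.append((name, "mst-region-mismatch"))
        if sw["pathcost"] != ref["pathcost"]:
            findings.append((name, "pathcost-standard-mismatch"))
        if sw["edge_ports"] and not sw["bpdu_protection"]:
            findings.append((name, "edge-port-without-bpdu-protection"))
        # Heuristic of this example: a root or secondary root bridge should
        # have root protection on at least one port.
        if sw["root_roles"] and not sw["root_protected"]:
            findings.append((name, "root-bridge-without-root-protection"))
    return sorted(findings)


if __name__ == "__main__":
    for switch, finding in audit(CONFIGS, reference="SwitchA"):
        print(f"{switch}: {finding}")
```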
Networking Requirements
NOTE
Only the S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S5720EI, S5720HI, S6720EI, and
S6720S-EI support this example.
In Figure 15-19, hosts connect to Switch C, and Switch C connects to the Internet through
Switch A and Switch B. To improve access reliability, the user configures redundant links.
The redundant links cause a network loop, which leads to broadcast storms and damage to MAC
address entries.
It is required that the network loop be prevented when redundant links are deployed, traffic be
switched to another link when one link fails, and network bandwidth be effectively used.
MSTP can be configured on the network to prevent loops. MSTP blocks redundant links and
prunes a network into a tree topology free from loops. In addition, VRRP needs to be
configured on Switch A and Switch B. Host A connects to the Internet by using Switch A as
the default gateway and Switch B as the secondary gateway. Host B connects to the Internet
by using Switch B as the default gateway and Switch A as the secondary gateway. This allows
traffic to be load balanced and communication reliability improved.
Figure 15-19: MSTP and VRRP networking. Labels recoverable from the figure: SwitchC; SwitchB (VRID 1:
Backup, VRID 2: Master); RouterB; Internet; HostB in VLAN3 (10.1.3.101/24); VRRP VRID 2 virtual IP
address 10.1.3.100; panels MSTI1 and MSTI2.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic MSTP on the switches, including:
a. Configure an MST region and create multiple instances. Map VLAN 2 to MSTI 1 and
VLAN 3 to MSTI 2 to load balance traffic.
b. Configure the root bridge and backup bridge in the MST region.
c. Configure the path cost on an interface so that the interface can be blocked.
d. Enable MSTP to prevent loops:
n Enable MSTP globally.
n Enable MSTP on all interfaces except the interfaces connecting to hosts.
NOTE
Because the interfaces connecting to hosts do not participate in MSTP calculation, configure
these ports as edge ports.
2. Enable the protection function to protect devices or links. For example, enable the
protection function on the root bridge of each instance to protect roots.
3. Configure Layer 2 forwarding.
4. Assign an IP address to each interface and configure the routing protocol on each device
to ensure network connectivity.
NOTE
SwitchA and SwitchB must support VRRP and OSPF. For details about models supporting VRRP
and OSPF, see relevant documentation.
5. Create VRRP group 1 and VRRP group 2 on Switch A and Switch B. Configure Switch
A as the master device and Switch B as the backup device of VRRP group 1. Configure
Switch B as the master device and Switch A as the backup device of VRRP group 2.
Procedure
Step 1 Configure basic MSTP functions.
1. Add Switch A, Switch B, and Switch C to region RG1, and create instances MSTI 1 and
MSTI 2.
# Configure an MST region on Switch A.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp region-configuration
[SwitchA-mst-region] region-name RG1
[SwitchA-mst-region] instance 1 vlan 2
2. Configure the root bridges and backup bridges for MSTI 1 and MSTI 2 in RG1.
– Configure the root bridge and backup bridge for MSTI 1.
# Set Switch A as the root bridge of MSTI 1.
[SwitchA] stp instance 1 root primary
3. Set the path costs of the interfaces that you want to block on MSTI 1 and MSTI 2 to be
greater than the default value.
NOTE
– The path cost range is determined by the calculation method. The Huawei calculation method
is used as an example. Set the path costs of the interfaces to 20000.
– The switches on the same network must use the same calculation method to calculate path
costs.
# Set the path cost calculation method on Switch A to the Huawei calculation method.
[SwitchA] stp pathcost-standard legacy
# Set the path cost calculation method on Switch B to the Huawei calculation method.
[SwitchB] stp pathcost-standard legacy
# Set the path cost calculation method on Switch C to the Huawei calculation method. Set
the path cost of GE0/0/1 in MSTI 2 to 20000; set the path cost of GE0/0/4 in MSTI 1 to
20000.
[SwitchC] stp pathcost-standard legacy
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] stp instance 2 cost 20000
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/4
[SwitchC-GigabitEthernet0/0/4] stp instance 1 cost 20000
[SwitchC-GigabitEthernet0/0/4] quit
NOTE
If edge ports are connected to network devices that have STP enabled and BPDU protection
is enabled, the edge ports will be shut down and their attributes remain unchanged after they
receive BPDUs.
Step 2 Enable the protection function on the designated interfaces of each root bridge.
# Enable root protection on GE0/0/1 of Switch A.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] stp root-protection
[SwitchA-GigabitEthernet0/0/1] quit
NOTE
MSTI 1 and MSTI 2 are used as examples. You do not need to check the interface status in MSTI 0.
# Run the display stp brief command on Switch A to view the status and protection mode on
ports. Output similar to the following is displayed:
In MSTI 1, GE0/0/2 and GE0/0/1 of Switch A are set as designated interfaces because Switch
A is the root bridge of MSTI 1. In MSTI 2, GE0/0/1 of Switch A is set as the designated
interface and GE0/0/2 is set as the root interface.
# Run the display stp brief command on Switch B. Output similar to the following is
displayed:
[SwitchB] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 DESI FORWARDING ROOT
0 GigabitEthernet0/0/2 ROOT FORWARDING NONE
1 GigabitEthernet0/0/1 DESI FORWARDING ROOT
1 GigabitEthernet0/0/2 ROOT FORWARDING NONE
2 GigabitEthernet0/0/1 DESI FORWARDING ROOT
2 GigabitEthernet0/0/2 DESI FORWARDING NONE
In MSTI 2, GE0/0/1 and GE0/0/2 of Switch B are set as designated interfaces because Switch
B is the root bridge of MSTI 2. In MSTI 1, GE0/0/1 of Switch B is set as the designated
interface and GE0/0/2 is set as the root interface.
# Run the display stp interface brief command on Switch C. Output similar to the following
is displayed:
[SwitchC] display stp interface gigabitethernet 0/0/1 brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 ROOT FORWARDING NONE
1 GigabitEthernet0/0/1 ROOT FORWARDING NONE
2 GigabitEthernet0/0/1 ALTE DISCARDING NONE
[SwitchC] display stp interface gigabitethernet 0/0/4 brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/4 ALTE DISCARDING NONE
1 GigabitEthernet0/0/4 ALTE DISCARDING NONE
2 GigabitEthernet0/0/4 ROOT FORWARDING NONE
GE0/0/1 of Switch C is the root interface of MSTI 1, and is blocked in MSTI 2. GE0/0/4 of
Switch C is the root interface of MSTI 2, and is blocked in MSTI 1.
# Assign an IP address to each interface. The configuration on SwitchA is used as an
example. The configuration on SwitchB is similar to the configuration on SwitchA. For
details, see the configuration files.
[SwitchA] vlan batch 4
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 4
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] ip address 10.1.2.102 24
[SwitchA-Vlanif2] quit
[SwitchA] interface vlanif 3
[SwitchA-Vlanif3] ip address 10.1.3.102 24
[SwitchA-Vlanif3] quit
[SwitchA] interface vlanif 4
[SwitchA-Vlanif4] ip address 10.1.4.102 24
[SwitchA-Vlanif4] quit
# Run OSPF on SwitchA, SwitchB, and routers. The configuration on SwitchA is used as an
example. The configuration on SwitchB is similar to the configuration on SwitchA. For
details, see the configuration files.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
# Create VRRP group 2 on SwitchA and SwitchB. Set SwitchB as the master device, priority
to 120, and preemption delay to 20 seconds. Set SwitchA as the backup device and retain the
default priority.
[SwitchB] interface vlanif 3
[SwitchB-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100
[SwitchB-Vlanif3] vrrp vrid 2 priority 120
[SwitchB-Vlanif3] vrrp vrid 2 preempt-mode timer delay 20
[SwitchB-Vlanif3] quit
[SwitchA] interface vlanif 3
[SwitchA-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100
[SwitchA-Vlanif3] quit
# Set the virtual IP address 10.1.2.100 of VRRP group 1 as the default gateway of Host A,
and the virtual IP address 10.1.3.100 of VRRP group 2 as the default gateway of Host B.
Step 7 Verify the configuration.
# After completing the preceding configurations, run the display vrrp command on SwitchA.
SwitchA's VRRP status is master in VRRP group 1 and backup in VRRP group 2.
[SwitchA] display vrrp
Vlanif2 | Virtual Router 1
State : Master
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58
# Run the display vrrp command on SwitchB. SwitchB's VRRP status is backup in VRRP
group 1 and master in VRRP group 2.
[SwitchB] display vrrp
Vlanif2 | Virtual Router 1
State : Backup
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 4
#
stp bpdu-protection
stp instance 1 root primary
stp instance 2 root secondary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
active region-configuration
#
interface Vlanif2
ip address 10.1.2.102 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.2.100
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif3
ip address 10.1.3.102 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.3.100
#
interface Vlanif4
ip address 10.1.4.102 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
stp root-protection
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 4
stp edged-port enable
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
#
return
l SwitchB configuration file
#
sysname SwitchB
#
vlan batch 2 to 3 5
#
stp instance 1 root secondary
stp instance 2 root primary
stp bpdu-protection
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
active region-configuration
#
interface Vlanif2
ip address 10.1.2.103 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.2.100
#
interface Vlanif3
ip address 10.1.3.103 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.3.100
Networking Requirements
NOTE
This configuration can be supported only on the S5720EI, S5720HI, S6720EI, and S6720S-EI.
In Figure 15-20, each CE is dual-homed to PEs. The PEs establish a VPLS full mesh. The
CEs and PEs run MSTP. Generally, traffic is forwarded through the primary link. If the
primary link fails, traffic is switched to the secondary link.
Figure 15-20 Network diagram for connecting CEs to the VPLS in dual-homing mode
[Network diagram. Devices shown: PE1 (1.1.1.1/32), PE2 (2.2.2.2/32), PE3 (3.3.3.3/32), PE4 (4.4.4.4/32), CE1, CE2, PC1 (10.1.1.1/24), PC2 (10.1.1.2/24), and the VPLS network.]
Loopback1 - 1.1.1.1/32
Loopback1 - 2.2.2.2/32
Loopback1 - 3.3.3.3/32
Loopback1 - 4.4.4.4/32
CE1 GigabitEthernet0/0/1 - -
GigabitEthernet0/0/4 - -
GigabitEthernet0/0/2 - -
CE2 GigabitEthernet0/0/1 - -
GigabitEthernet0/0/4 - -
GigabitEthernet0/0/2 - -
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the routing protocol on the backbone network to implement interworking.
2. Set up a remote LDP session between the PEs.
3. Establish a VPLS full mesh between PEs.
4. Configure MSTP. Configure PE1 and PE2 as the primary roots, and configure PE3 and
PE4 as the secondary roots.
Procedure
Step 1 Specify the VLANs that device interfaces belong to and set the IP addresses of the
corresponding VLANIF interfaces according to Figure 15-20.
NOTE
l The AC-side and PW-side physical interfaces of a PE cannot be added to the same VLAN;
otherwise, a loop may occur.
l Packets sent from CEs to PEs must contain VLAN tags.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 100
[CE1] interface gigabitethernet 0/0/1
[CE1-GigabitEthernet0/0/1] port link-type trunk
[CE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[CE1-GigabitEthernet0/0/1] quit
[CE1] interface gigabitethernet 0/0/4
[CE1-GigabitEthernet0/0/4] port link-type trunk
[CE1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[CE1-GigabitEthernet0/0/4] quit
[CE1] interface gigabitethernet 0/0/2
[CE1-GigabitEthernet0/0/2] port link-type access
[CE1-GigabitEthernet0/0/2] port default vlan 100
[CE1-GigabitEthernet0/0/2] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 100
[CE2] interface gigabitethernet 0/0/1
[CE2-GigabitEthernet0/0/1] port link-type trunk
[CE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[CE2-GigabitEthernet0/0/1] quit
[CE2] interface gigabitethernet 0/0/4
[CE2-GigabitEthernet0/0/4] port link-type trunk
[CE2-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[CE2-GigabitEthernet0/0/4] quit
[CE2] interface gigabitethernet 0/0/2
[CE2-GigabitEthernet0/0/2] port link-type access
[CE2-GigabitEthernet0/0/2] port default vlan 100
[CE2-GigabitEthernet0/0/2] quit
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 10 40
[PE1] interface gigabitethernet 0/0/2
[PE1-GigabitEthernet0/0/2] port link-type trunk
[PE1-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[PE1-GigabitEthernet0/0/2] quit
[PE1] interface gigabitethernet 0/0/3
[PE1-GigabitEthernet0/0/3] port link-type trunk
[PE1-GigabitEthernet0/0/3] port trunk allow-pass vlan 40
[PE1-GigabitEthernet0/0/3] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip address 172.16.1.1 24
[PE1-Vlanif10] quit
[PE1] interface vlanif 40
[PE1-Vlanif40] ip address 172.19.1.2 24
[PE1-Vlanif40] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 10 20
# Configure PE3.
<HUAWEI> system-view
[HUAWEI] sysname PE3
[PE3] vlan batch 20 30
[PE3] interface gigabitethernet 0/0/2
[PE3-GigabitEthernet0/0/2] port link-type trunk
[PE3-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[PE3-GigabitEthernet0/0/2] quit
[PE3] interface gigabitethernet 0/0/3
[PE3-GigabitEthernet0/0/3] port link-type trunk
[PE3-GigabitEthernet0/0/3] port trunk allow-pass vlan 30
[PE3-GigabitEthernet0/0/3] quit
[PE3] interface vlanif 20
[PE3-Vlanif20] ip address 172.17.1.2 24
[PE3-Vlanif20] quit
[PE3] interface vlanif 30
[PE3-Vlanif30] ip address 172.18.1.1 24
[PE3-Vlanif30] quit
# Configure PE4.
<HUAWEI> system-view
[HUAWEI] sysname PE4
[PE4] vlan batch 30 40
[PE4] interface gigabitethernet 0/0/2
[PE4-GigabitEthernet0/0/2] port link-type trunk
[PE4-GigabitEthernet0/0/2] port trunk allow-pass vlan 30
[PE4-GigabitEthernet0/0/2] quit
[PE4] interface gigabitethernet 0/0/3
[PE4-GigabitEthernet0/0/3] port link-type trunk
[PE4-GigabitEthernet0/0/3] port trunk allow-pass vlan 40
[PE4-GigabitEthernet0/0/3] quit
[PE4] interface vlanif 30
[PE4-Vlanif30] ip address 172.18.1.2 24
[PE4-Vlanif30] quit
[PE4] interface vlanif 40
[PE4-Vlanif40] ip address 172.19.1.1 24
[PE4-Vlanif40] quit
When configuring OSPF, advertise 32-bit loopback interface addresses (LSR IDs) of PE1,
PE2, PE3, and PE4.
# Configure PE1.
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 172.19.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure PE2.
[PE2] router id 2.2.2.2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.2 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 172.17.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# Configure PE3.
[PE3] router id 3.3.3.3
[PE3] interface loopback 1
[PE3-LoopBack1] ip address 3.3.3.3 32
[PE3-LoopBack1] quit
[PE3] ospf 1
[PE3-ospf-1] area 0
[PE3-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE3-ospf-1-area-0.0.0.0] network 172.17.1.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] network 172.18.1.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] quit
[PE3-ospf-1] quit
# Configure PE4.
[PE4] router id 4.4.4.4
[PE4] interface loopback 1
[PE4-LoopBack1] ip address 4.4.4.4 32
[PE4-LoopBack1] quit
[PE4] ospf 1
[PE4-ospf-1] area 0
[PE4-ospf-1-area-0.0.0.0] network 4.4.4.4 0.0.0.0
[PE4-ospf-1-area-0.0.0.0] network 172.18.1.0 0.0.0.255
[PE4-ospf-1-area-0.0.0.0] network 172.19.1.0 0.0.0.255
[PE4-ospf-1-area-0.0.0.0] quit
[PE4-ospf-1] quit
# Wait for 40s and run the display ip routing-table command on PE1, PE2, and PE3. Output
similar to the following is displayed (PE1 is used as an example). The output indicates that
the PEs have learned the routes to one another.
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 12 Routes : 13
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] mpls
[PE1-Vlanif10] mpls ldp
[PE1-Vlanif10] quit
[PE1] interface vlanif 40
[PE1-Vlanif40] mpls
[PE1-Vlanif40] mpls ldp
[PE1-Vlanif40] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.2
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] mpls
[PE2-Vlanif10] mpls ldp
[PE2-Vlanif10] quit
[PE2] interface vlanif 20
[PE2-Vlanif20] mpls
[PE2-Vlanif20] mpls ldp
[PE2-Vlanif20] quit
# Configure PE3.
[PE3] mpls lsr-id 3.3.3.3
[PE3] mpls
[PE3-mpls] quit
[PE3] mpls ldp
[PE3-mpls-ldp] quit
[PE3] interface vlanif 20
[PE3-Vlanif20] mpls
[PE3-Vlanif20] mpls ldp
[PE3-Vlanif20] quit
[PE3] interface vlanif 30
[PE3-Vlanif30] mpls
[PE3-Vlanif30] mpls ldp
[PE3-Vlanif30] quit
# Configure PE4.
[PE4] mpls lsr-id 4.4.4.4
[PE4] mpls
[PE4-mpls] quit
[PE4] mpls ldp
[PE4-mpls-ldp] quit
[PE4] interface vlanif 30
[PE4-Vlanif30] mpls
[PE4-Vlanif30] mpls ldp
[PE4-Vlanif30] quit
[PE4] interface vlanif 40
[PE4-Vlanif40] mpls
[PE4-Vlanif40] mpls ldp
[PE4-Vlanif40] quit
# Configure PE2.
# Configure PE3.
[PE3] mpls ldp remote-peer 1.1.1.1
[PE3-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE3-mpls-ldp-remote-1.1.1.1] quit
# Configure PE4.
[PE4] mpls ldp remote-peer 2.2.2.2
[PE4-mpls-ldp-remote-2.2.2.2] remote-ip 2.2.2.2
[PE4-mpls-ldp-remote-2.2.2.2] quit
After the configuration is complete, run the display mpls ldp session command on the PEs.
The command output shows that the status of the remote LDP peer relationship is
Operational, indicating that remote LDP sessions have been set up. The output on PE1 is used
as an example:
[PE1] display mpls ldp session
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
# Configure PE3.
[PE3] mpls l2vpn
[PE3-l2vpn] quit
# Configure PE4.
[PE4] mpls l2vpn
[PE4-l2vpn] quit
# Configure PE1.
[PE1] vsi a2 static
[PE1-vsi-a2] pwsignal ldp
[PE1-vsi-a2-ldp] vsi-id 2
[PE1-vsi-a2-ldp] peer 2.2.2.2
[PE1-vsi-a2-ldp] peer 3.3.3.3
[PE1-vsi-a2-ldp] peer 4.4.4.4
[PE1-vsi-a2-ldp] quit
[PE1-vsi-a2] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer 1.1.1.1
[PE2-vsi-a2-ldp] peer 3.3.3.3
[PE2-vsi-a2-ldp] peer 4.4.4.4
[PE2-vsi-a2-ldp] quit
[PE2-vsi-a2] quit
Before configuring the termination sub-interface, run the display vcmp status command to view the VCMP
role. If the value of the Role field is Client, run the vcmp role { silent | transparent } command to change
the VCMP role to silent or transparent.
# Configure PE1.
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] port link-type hybrid
[PE1-GigabitEthernet0/0/1] quit
[PE1] interface gigabitethernet 0/0/1.1
[PE1-GigabitEthernet0/0/1.1] dot1q termination vid 100
[PE1-GigabitEthernet0/0/1.1] l2 binding vsi a2
[PE1-GigabitEthernet0/0/1.1] quit
# Configure PE2.
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] port link-type hybrid
[PE2-GigabitEthernet0/0/1] quit
[PE2] interface gigabitethernet 0/0/1.1
[PE2-GigabitEthernet0/0/1.1] dot1q termination vid 100
[PE2-GigabitEthernet0/0/1.1] l2 binding vsi a2
[PE2-GigabitEthernet0/0/1.1] quit
# Configure PE3.
[PE3] interface gigabitethernet 0/0/1
[PE3-GigabitEthernet0/0/1] port link-type hybrid
[PE3-GigabitEthernet0/0/1] quit
[PE3] interface gigabitethernet 0/0/1.1
[PE3-GigabitEthernet0/0/1.1] dot1q termination vid 100
[PE3-GigabitEthernet0/0/1.1] l2 binding vsi a2
[PE3-GigabitEthernet0/0/1.1] quit
# Configure PE4.
[PE4] interface gigabitethernet 0/0/1
[PE4-GigabitEthernet0/0/1] port link-type hybrid
[PE4-GigabitEthernet0/0/1] quit
[PE4] interface gigabitethernet 0/0/1.1
[PE4-GigabitEthernet0/0/1.1] dot1q termination vid 100
[PE4-GigabitEthernet0/0/1.1] l2 binding vsi a2
[PE4-GigabitEthernet0/0/1.1] quit
# Configure PE4.
[PE4] stp region-configuration
[PE4-mst-region] region-name RG1
[PE4-mst-region] active region-configuration
[PE4-mst-region] quit
# Configure CE1.
[CE1] stp region-configuration
[CE1-mst-region] region-name RG1
[CE1-mst-region] active region-configuration
[CE1-mst-region] quit
# Configure PE2.
[PE2] stp region-configuration
[PE2-mst-region] region-name RG1
[PE2-mst-region] active region-configuration
[PE2-mst-region] quit
# Configure PE3.
[PE3] stp region-configuration
[PE3-mst-region] region-name RG1
[PE3-mst-region] active region-configuration
[PE3-mst-region] quit
# Configure CE2.
[CE2] stp region-configuration
[CE2-mst-region] region-name RG1
[CE2-mst-region] active region-configuration
[CE2-mst-region] quit
2. Configure the priorities of the PEs to make PE1 and PE2 the primary roots and PE3 and
PE4 the secondary roots.
# Configure PE1.
[PE1] stp instance 0 priority 0
# Configure PE2.
[PE2] stp instance 0 priority 0
# Configure PE3.
[PE3] stp instance 0 priority 4096
# Configure PE4.
[PE4] stp instance 0 priority 4096
3. Enable association between MSTP and VPLS on the CEs and PEs, and configure root
protection on the secondary roots.
# Configure CE1.
[CE1] stp enable
[CE1] interface gigabitethernet 0/0/4
[CE1-GigabitEthernet0/0/4] stp enable
[CE1-GigabitEthernet0/0/4] quit
[CE1] interface gigabitethernet 0/0/1
[CE1-GigabitEthernet0/0/1] stp enable
[CE1-GigabitEthernet0/0/1] quit
[CE1] interface gigabitethernet 0/0/2
[CE1-GigabitEthernet0/0/2] stp edged-port enable
[CE1-GigabitEthernet0/0/2] quit
# Configure CE2.
[CE2] stp enable
[CE2] interface gigabitethernet 0/0/4
[CE2-GigabitEthernet0/0/4] stp enable
[CE2-GigabitEthernet0/0/4] quit
NOTE
If BPDU protection is enabled and an edge port is connected to a network device that has STP
enabled, the edge port is shut down when it receives BPDUs, and its attributes remain
unchanged.
# Configure PE1.
[PE1] stp enable
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] stp vpls-subinterface enable
[PE1-GigabitEthernet0/0/1] stp enable
[PE1-GigabitEthernet0/0/1] quit
[PE1] interface gigabitethernet 0/0/2
[PE1-GigabitEthernet0/0/2] stp disable
[PE1-GigabitEthernet0/0/2] quit
[PE1] interface gigabitethernet 0/0/3
[PE1-GigabitEthernet0/0/3] stp disable
[PE1-GigabitEthernet0/0/3] quit
# Configure PE2.
[PE2] stp enable
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] stp vpls-subinterface enable
[PE2-GigabitEthernet0/0/1] stp enable
[PE2-GigabitEthernet0/0/1] quit
[PE2] interface gigabitethernet 0/0/2
[PE2-GigabitEthernet0/0/2] stp disable
[PE2-GigabitEthernet0/0/2] quit
[PE2] interface gigabitethernet 0/0/3
[PE2-GigabitEthernet0/0/3] stp disable
[PE2-GigabitEthernet0/0/3] quit
# Configure PE3.
[PE3] stp enable
[PE3] interface gigabitethernet 0/0/1
[PE3-GigabitEthernet0/0/1] stp vpls-subinterface enable
[PE3-GigabitEthernet0/0/1] stp root-protection
[PE3-GigabitEthernet0/0/1] stp enable
[PE3-GigabitEthernet0/0/1] quit
[PE3] interface gigabitethernet 0/0/2
[PE3-GigabitEthernet0/0/2] stp disable
[PE3-GigabitEthernet0/0/2] quit
[PE3] interface gigabitethernet 0/0/3
[PE3-GigabitEthernet0/0/3] stp disable
[PE3-GigabitEthernet0/0/3] quit
# Configure PE4.
[PE4] stp enable
[PE4] interface gigabitethernet 0/0/1
[PE4-GigabitEthernet0/0/1] stp vpls-subinterface enable
[PE4-GigabitEthernet0/0/1] stp root-protection
[PE4-GigabitEthernet0/0/1] stp enable
[PE4-GigabitEthernet0/0/1] quit
[PE4] interface gigabitethernet 0/0/2
[PE4-GigabitEthernet0/0/2] stp disable
[PE4-GigabitEthernet0/0/2] quit
[PE4] interface gigabitethernet 0/0/3
[PE4-GigabitEthernet0/0/3] stp disable
[PE4-GigabitEthernet0/0/3] quit
Run the display vsi name a2 verbose command on PE1. The command output shows that the
VSI state is Up.
[PE1] display vsi name a2 verbose
***VSI Name : a2
Administrator VSI : no
Isolate Spoken : disable
VSI Index : 0
PW Signaling : ldp
Member Discovery Style : static
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
P2P VSI : disable
Create Time : 0 days, 20 hours, 29 minutes, 54 seconds
VSI State : up
VSI ID : 2
*Peer Router ID : 2.2.2.2
Negotiation-vc-id : 2
primary or secondary : primary
ignore-standby-state : no
VC Label : 4099
Peer Type : dynamic
Session : up
Tunnel ID : 0xd
Broadcast Tunnel ID : 0xd
Broad BackupTunnel ID : 0x0
CKey : 2
NKey : 1
Stp Enable : 0
PwIndex : 0
Control Word : disable
*Peer Router ID : 3.3.3.3
Negotiation-vc-id : 2
primary or secondary : primary
ignore-standby-state : no
VC Label : 4100
Peer Type : dynamic
Session : up
Tunnel ID : 0xf
Broadcast Tunnel ID : 0xf
Broad BackupTunnel ID : 0x0
CKey : 4
NKey : 3
Stp Enable : 0
PwIndex : 0
Control Word : disable
*Peer Router ID : 4.4.4.4
Negotiation-vc-id : 2
primary or secondary : primary
ignore-standby-state : no
VC Label : 4101
Peer Type : dynamic
Session : up
Tunnel ID : 0xb
Broadcast Tunnel ID : 0xb
Broad BackupTunnel ID : 0x0
CKey : 6
NKey : 5
Stp Enable : 0
PwIndex : 0
Control Word : disable
**PW Information:
OutInterface : Vlanif10
Backup OutInterface :
Stp Enable : 0
PW Last Up Time : 2015/03/16 15:57:06
PW Total Up Time : 0 days, 0 hours, 1 minutes, 24 seconds
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 100
#
stp bpdu-protection
#
stp region-configuration
region-name RG1
active region-configuration
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 100
stp edged-port enable
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 100
#
return
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 172.16.1.0 0.0.0.255
network 172.19.1.0 0.0.0.255
#
return
l PE2 configuration file
#
sysname PE2
#
router id 2.2.2.2
#
vlan batch 10 20
#
stp instance 0 priority 0
#
stp region-configuration
region-name RG1
active region-configuration
#
mpls lsr-id 2.2.2.2
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
peer 3.3.3.3
peer 4.4.4.4
#
mpls ldp
#
mpls ldp remote-peer 4.4.4.4
remote-ip 4.4.4.4
#
interface Vlanif10
ip address 172.16.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif20
ip address 172.17.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
stp vpls-subinterface enable
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 100
l2 binding vsi a2
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
stp disable
#
interface GigabitEthernet0/0/3
port link-type trunk
stp disable
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30
stp disable
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 172.17.1.0 0.0.0.255
network 172.18.1.0 0.0.0.255
#
return
l PE4 configuration file
#
sysname PE4
#
router id 4.4.4.4
#
vlan batch 30 40
#
stp instance 0 priority 4096
#
stp region-configuration
region-name RG1
active region-configuration
#
mpls lsr-id 4.4.4.4
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
peer 2.2.2.2
peer 3.3.3.3
#
mpls ldp
#
mpls ldp remote-peer 2.2.2.2
remote-ip 2.2.2.2
#
interface Vlanif30
ip address 172.18.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 172.19.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
stp root-protection
stp vpls-subinterface enable
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 100
l2 binding vsi a2
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 30
stp disable
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 40
stp disable
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 172.18.1.0 0.0.0.255
network 172.19.1.0 0.0.0.255
#
return
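The full-mesh requirement in this example (every PE lists every other PE's LSR ID as a peer of VSI a2, with the same vsi-id) can be verified offline from saved configuration files. The following Python check is an added example, not part of the Huawei guide: the PE1, PE2, and PE4 stanzas repeat what this example configures, the PE3 stanza is constructed with one peer left out, and the function names are hypothetical.

```python
import re

# Relevant stanzas only. PE1, PE2 and PE4 repeat the VSI settings shown in this
# example; PE3 is a constructed sample with peer 4.4.4.4 left out on purpose.
PE_CONFIGS = {
    "PE1": """
mpls lsr-id 1.1.1.1
#
vsi a2 static
 pwsignal ldp
  vsi-id 2
  peer 2.2.2.2
  peer 3.3.3.3
  peer 4.4.4.4
#
""",
    "PE2": """
mpls lsr-id 2.2.2.2
#
vsi a2 static
 pwsignal ldp
  vsi-id 2
  peer 1.1.1.1
  peer 3.3.3.3
  peer 4.4.4.4
#
""",
    "PE3": """
mpls lsr-id 3.3.3.3
#
vsi a2 static
 pwsignal ldp
  vsi-id 2
  peer 1.1.1.1
  peer 2.2.2.2
#
""",
    "PE4": """
mpls lsr-id 4.4.4.4
#
vsi a2 static
 pwsignal ldp
  vsi-id 2
  peer 1.1.1.1
  peer 2.2.2.2
  peer 3.3.3.3
#
""",
}


def parse_pe(config_text):
    """Extract the LSR ID and, per VSI, the vsi-id and the set of peer LSR IDs."""
    lsr_id, vsis, current = None, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("mpls lsr-id "):
            lsr_id = line.split()[2]
        elif re.fullmatch(r"vsi \S+ static", line):
            current = vsis.setdefault(line.split()[1], {"vsi_id": None, "peers": set()})
        elif line == "#":
            current = None  # '#' closes the current stanza
        elif current is not None and line.startswith("vsi-id "):
            current["vsi_id"] = line.split()[1]
        elif current is not None and line.startswith("peer "):
            current["peers"].add(line.split()[1])
    return lsr_id, vsis


def check_full_mesh(configs, vsi_name):
    """Return sorted (device, problem) tuples for a VSI that should be fully meshed."""
    parsed = {name: parse_pe(text) for name, text in configs.items()}
    lsr_ids = {name: lsr for name, (lsr, _) in parsed.items()}
    problems, vsi_ids = [], set()
    for name, (_, vsis) in parsed.items():
        vsi = vsis.get(vsi_name)
        if vsi is None:
            problems.append((name, f"VSI {vsi_name} not configured"))
            continue
        vsi_ids.add(str(vsi["vsi_id"]))
        expected = {lsr for other, lsr in lsr_ids.items() if other != name}
        for missing in sorted(expected - vsi["peers"]):
            problems.append((name, f"missing peer {missing}"))
        for extra in sorted(vsi["peers"] - expected):
            problems.append((name, f"peer {extra} is not a known PE"))
    if len(vsi_ids) > 1:
        problems.append(("all", f"vsi-id differs between PEs: {sorted(vsi_ids)}"))
    return sorted(problems)


if __name__ == "__main__":
    for device, problem in check_full_mesh(PE_CONFIGS, "a2"):
        print(f"{device}: {problem}")
```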
NOTE
In the ring where MSTP multi-process is configured, you are advised not to block the interface directly
connected to the root protection-enabled designated port.
Figure 15-21 MSTP multi-process for Layer 2 single-access rings and multi-access rings
[Network diagram. Devices shown: Network, SwitchC, SwitchA, SwitchB, PE1, PE2, and CEs; region name RG1. Instance 1: VLANs 2 to 100 (Process 1). Instance 2: VLANs 101 to 200 (Process 2). Instance 3: VLANs 201 to 300 (Process 3).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic MSTP functions, add a device to an MST region, and create MSTIs.
NOTE
Procedure
Step 1 Configure basic MSTP functions, add devices to an MST region, and create MSTIs.
1. Configure MST regions and create MSTIs.
2. Enable MSTP.
# Configure SwitchA.
[SwitchA] stp enable
# Configure SwitchB.
[SwitchB] stp enable
# Add GE 0/0/3 and GE 0/0/4 on SwitchA to MSTP process 1 and GE 0/0/2 to MSTP
process 2.
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] stp enable
[SwitchA-GigabitEthernet0/0/4] bpdu enable
[SwitchA-GigabitEthernet0/0/4] stp binding process 1
[SwitchA-GigabitEthernet0/0/4] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] stp enable
[SwitchA-GigabitEthernet0/0/3] bpdu enable
[SwitchA-GigabitEthernet0/0/3] stp binding process 1
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] stp enable
[SwitchA-GigabitEthernet0/0/2] bpdu enable
[SwitchA-GigabitEthernet0/0/2] stp binding process 2
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE 0/0/3 and GE 0/0/4 on SwitchB to MSTP process 3 and GE 0/0/2 to MSTP
process 2.
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] stp enable
# Configure SwitchB.
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] stp enable
[SwitchB-GigabitEthernet0/0/1] bpdu enable
[SwitchB-GigabitEthernet0/0/1] stp binding process 2 link-share
[SwitchB-GigabitEthernet0/0/1] quit
# Configure SwitchB.
[SwitchB] stp process 3
[SwitchB-mst-process-3] stp enable
[SwitchB-mst-process-3] quit
[SwitchB] stp process 2
[SwitchB-mst-process-2] stp enable
[SwitchB-mst-process-2] quit
# Configure SwitchB.
[SwitchB] stp process 3
[SwitchB-mst-process-3] stp instance 0 root primary
[SwitchB-mst-process-3] stp instance 3 root primary
[SwitchB-mst-process-3] quit
NOTE
– In each ring, the priority of the MSTP process on the downstream CE must be lower than the
priority of the MSTP process on the switch.
– For switches A and B on the dual-access ring, you are advised to configure them as the
primary root bridges of different MSTIs.
l Configure shared link protection.
# Configure SwitchA.
[SwitchA] stp process 2
[SwitchA-mst-process-2] stp link-share-protection
[SwitchA-mst-process-2] quit
# Configure SwitchB.
[SwitchB] stp process 2
[SwitchB-mst-process-2] stp link-share-protection
[SwitchB-mst-process-2] quit
# Create VLANs 101 to 300 on SwitchB. Add GE 0/0/3 and GE 0/0/4 to VLANs 201 to 300,
and add GE 0/0/1 and GE 0/0/2 to VLANs 101 to 200.
[SwitchB] vlan batch 101 to 300
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 201 to 300
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 201 to 300
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 101 to 200
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 to 200
[SwitchB-GigabitEthernet0/0/2] quit
----End
Configuration Files
Only the MSTP-related configuration files are provided.
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 200
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 100
instance 2 vlan 101 to 200
instance 3 vlan 201 to 300
active region-configuration
#
stp process 1
stp instance 0 root primary
stp instance 1 root primary
stp enable
stp process 2
stp instance 0 root primary
stp instance 2 root primary
stp link-share-protection
stp enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 101 to 200
stp binding process 2 link-share
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101 to 200
stp binding process 2
stp root-protection
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 100
stp binding process 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 100
stp binding process 1
#
return
l SwitchB configuration file
#
sysname SwitchB
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 100
instance 2 vlan 101 to 200
instance 3 vlan 201 to 300
active region-configuration
#
stp process 2
stp instance 0 root secondary
stp instance 2 root secondary
stp link-share-protection
stp enable
stp process 3
stp instance 0 root primary
stp instance 3 root primary
stp enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 101 to 200
stp binding process 2 link-share
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101 to 200
stp binding process 2
stp root-protection
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 201 to 300
stp binding process 3
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 201 to 300
stp binding process 3
#
return
15.14.2 How to Prevent Slow Convergence for STP Edge Ports that
Connect Terminals?
Terminal devices cannot participate in the STP calculation or respond to STP packets, which
causes slow convergence. You can prevent slow convergence on switch ports that connect to
user terminals or servers in either of the following ways:
l On the port, run the stp edged-port enable command to configure the port as an STP edge
port, and run the stp bpdu-filter enable command to enable BPDU filtering and prevent
the port from sending BPDUs.
l Run the stp disable command on the port to disable STP so that the port remains in the
forwarding state.
To ensure availability and security, you are advised to configure the port as an STP edge port.
This is because when a loop occurs on a terminal device connected to an edge port, the port
automatically switches to a non-edge port and enables the loop breaking function of STP.
Forwarding state 30 seconds after it changes to the Up state. If an interface alternates between
Up and Down states, the terminal connected to the interface will fail to communicate with the
gateway or will take a long time to obtain an IP address.
To solve this problem, configure interfaces connected to terminals as edge ports or disable
STP on the interfaces.
To ensure availability and security, you are advised to configure the port as an STP edge port.
This is because when a loop occurs on a terminal device connected to an edge port, the port
automatically switches to a non-edge port and enables the loop breaking function of STP.
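The recommendation in the two answers above (prefer an edge port over disabling STP on terminal-facing ports) can be checked against saved configuration files. The following Python audit is an added example, not part of the Huawei guide: the AccessSW sample is constructed, the CE1 sample repeats the CE1 configuration file from this chapter, and the finding names and the policy of pairing edge ports with global stp bpdu-protection are assumptions of this example.

```python
import re

# Constructed sample (not from the guide): an access switch with three terminal ports.
ACCESSSW_CONFIG = """\
#
sysname AccessSW
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 100
 stp edged-port enable
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 100
 stp disable
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 100
#
return
"""

# CE1 configuration file as listed earlier in this chapter.
CE1_CONFIG = """\
#
sysname CE1
#
vlan batch 100
#
stp bpdu-protection
#
stp region-configuration
 region-name RG1
 active region-configuration
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 100
 stp edged-port enable
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
"""


def parse_blocks(config_text):
    """Split a configuration file into '#'-delimited blocks of stripped lines."""
    blocks, current = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def audit_stp(config_text):
    """Return sorted (interface, finding) tuples for terminal-facing ports."""
    global_lines, interfaces = set(), {}
    for block in parse_blocks(config_text):
        match = re.match(r"interface\s+(\S+)$", block[0])
        if match:
            interfaces[match.group(1)] = set(block[1:])
        else:
            global_lines.update(block)

    bpdu_protection = "stp bpdu-protection" in global_lines
    findings = []
    for name, lines in interfaces.items():
        is_access = "port link-type access" in lines
        is_edge = "stp edged-port enable" in lines
        if is_access and "stp disable" in lines:
            # Port stays forwarding, but STP can no longer break a loop behind it.
            findings.append((name, "STP_DISABLED_ON_ACCESS_PORT"))
        elif is_access and not is_edge:
            # Port waits through normal STP state transitions before forwarding.
            findings.append((name, "ACCESS_PORT_NOT_EDGE"))
        if is_edge and not bpdu_protection:
            # Edge port is not shut down when it unexpectedly receives BPDUs.
            findings.append((name, "EDGE_PORT_WITHOUT_BPDU_PROTECTION"))
    return sorted(findings)


if __name__ == "__main__":
    for interface, finding in audit_stp(ACCESSSW_CONFIG):
        print(f"{interface}: {finding}")
```

Only access ports are checked for stp disable, because the examples in this chapter disable STP deliberately on PE trunk ports facing the backbone.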
16 VBST Configuration
This chapter describes how to configure the VLAN-based Spanning Tree (VBST). VBST is a
spanning tree protocol developed by Huawei. It constructs a spanning tree in each VLAN to
load balance traffic from different VLANs, improving link use efficiency.
Definition
VBST, a Huawei spanning tree protocol, constructs a spanning tree in each VLAN so that
traffic from different VLANs is forwarded through different spanning trees. VBST is
equivalent to STP or RSTP running in each VLAN. Spanning trees in different VLANs are
independent of each other.
Purpose
Currently, there are three standard spanning tree protocols: Spanning Tree Protocol (STP),
Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). STP
and RSTP cannot implement VLAN-based load balancing, because all the VLANs on a LAN
share a spanning tree and packets in all VLANs are forwarded along this spanning tree. In
addition, the blocked link does not carry any traffic, which wastes bandwidth and may cause a
failure to forward packets from some VLANs. In real-world situations, MSTP is preferred
because it is compatible with STP and RSTP, ensures fast convergence, and provides multiple
paths to load balance traffic.
On enterprise networks, enterprise users need functions that are easy to use and maintain,
whereas the configuration of MSTP multi-instance and multi-process is complex and has high
requirements for engineers' skills.
To address this issue, Huawei developed VBST. VBST constructs a spanning tree in each
VLAN so that traffic from different VLANs is load balanced along different spanning trees. In
addition, VBST is easy to configure and maintain.
Benefits
VBST brings the following benefits:
l Eliminates loops.
l Implements link multiplexing and load balancing, thereby improving link use
efficiency.
l Reduces configuration and maintenance costs.
Figure 16-1 Comparisons between the formats of the STP/RSTP BPDU and VBST BPDU
[Figure not reproduced. STP/RSTP BPDU encapsulation format, fields in order: DMAC, SMAC, Length, LLC, Data, CRC. Field lengths shown in the figure: 6 bytes, 6 bytes, 2 bytes, 38-1492 bytes, 4 bytes.]
The DMAC identifies the destination MAC address of packets. The DMAC in a VBST
BPDU is 0100-0CCC-CCCD; the Data field in a standard RSTP/STP BPDU is used as
the Data field in a VBST BPDU. By default, the Data field in a standard RSTP BPDU is
used as the Data field in a VBST BPDU.
[Figure 16-2 not reproduced. The diagram shows switches S1 to S6 with HostA (VLAN 2) and HostC (VLAN 3); one panel is titled "STP/RSTP spanning tree (root bridge S6)".]
In Figure 16-2:
l Through topology calculation, STP/RSTP generates a spanning tree with the root bridge
as S6. The links between S2 and S5 and between S1 and S4 are blocked. HostA and
HostB belong to VLAN 2. The link between S2 and S5 does not permit packets of
VLAN 2 to pass through because the link between S2 and S5 is blocked. Therefore,
HostA fails to communicate with HostB.
l Through topology calculation, VBST generates spanning trees VLAN 2 and VLAN 3
with root bridges as S4 and S6 respectively. Traffic in VLAN 2 and VLAN 3 is forwarded
through their respective spanning trees so that traffic is load balanced between paths
S2-S5 and S3-S6.
[Figure 16-3 not reproduced. The diagram shows VBST-enabled S3 and S4, a trunk link, and VLAN 1 and VLAN 10. Legend: root bridge, unblocked link, blocked link, blocked port.]
An STP/RSTP-enabled device can only send and receive STP/RSTP BPDUs, and
transparently transmit VBST BPDUs, so a spanning tree is formed in VLAN 1 as defined
by STP/RSTP.
Assume that the congestion point of the spanning tree in VLAN 1 is on S4. VBST runs on
S4, so the congestion point exists in VLAN 1. S4 can still receive and
forward VBST BPDUs in VLAN 10. Loops occur in VLAN 10, so spanning tree
calculation in VLAN 10 is triggered. S1 and S2 transparently transmit VBST BPDUs in
VLAN 10, so only four interfaces on S3 and S4 participate in spanning tree calculation
in VLAN 10. Then the spanning trees in VLAN 1 and VLAN 10 are formed, as shown in
Figure 16-3.
Assume that the blocking point of the spanning tree in VLAN 1 is on S2. STP/RSTP
runs on S2, so the blocking port exists on S2. S2 cannot forward VBST BPDUs from
VLAN 10 and no loop occurs in VLAN 10, so spanning tree calculation in VLAN 10 is
not triggered. VBST BPDUs from VLAN 10 can be forwarded along the spanning tree in
VLAN 1, that is, VLAN 10 and VLAN 1 share the spanning tree, as shown in Figure
16-3.
l On an access interface, a VBST-enabled device uses standard STP or RSTP BPDUs to
exchange with the remote end according to the VLAN that the access interface belongs
to. Topology calculation is performed as defined by STP/RSTP. Because STP/RSTP does
not differentiate VLANs, a spanning tree shared by VLANs is formed.
l Trunk interface
– When a VBST-enabled device connects to a device enabled with Rapid PVST+, the
VBST-enabled device sends standard RSTP BPDUs (or VBST BPDUs with the
Data field of RSTP BPDUs) and VBST BPDUs with the Data field of RSTP
BPDUs in other VLANs to exchange with the device enabled with Rapid PVST+.
– When a VBST-enabled device connects to a device enabled with PVST+, the
VBST-enabled device sends standard STP BPDUs (or VBST BPDUs with the Data
field of STP BPDUs) and VBST BPDUs with the Data field of STP BPDUs in
other VLANs to exchange with the device enabled with PVST+.
– When a VBST-enabled device connects to a PVST-enabled device, packet exchange
is similar to that in the scenario where a VBST-enabled device connects to a device
enabled with PVST+. The difference is that the VBST-enabled device and PVST-
enabled device send only VBST BPDUs with the Data field of STP BPDUs in
VLAN 1.
The two devices can identify the BPDUs carrying VLAN information, so a VLAN-based
spanning tree is formed. The connection between a VBST-enabled device and a device
enabled with PVST/PVST+/Rapid PVST+ through a trunk interface is similar to the
connection between two VBST-enabled devices.
l Access interface
A VBST-enabled device uses standard STP BPDUs to exchange with the device enabled
with PVST/PVST+ or RSTP BPDUs to exchange with the device enabled with Rapid
PVST+ according to the VLAN that the access interface belongs to. Topology
calculation is performed as defined by STP/RSTP. Because STP/RSTP does not
differentiate VLANs, a spanning tree shared by VLANs is formed.
Deploying MSTP can eliminate loops and load balance traffic from different VLANs,
whereas it is difficult to configure and maintain MSTP multi-instance and multi-process.
You can deploy VBST. VBST constructs a spanning tree in each VLAN so that traffic from
different VLANs is forwarded through different spanning trees. This eliminates loops and
implements load balancing of traffic. In addition, VBST is easy to configure and maintain.
[Figure 16-4 not reproduced. The diagram shows the core network, aggregation switches SwitchA and SwitchB, access switches SwitchC and SwitchD, and VLAN 10, 20, 30.]
As shown in Figure 16-4, SwitchC and SwitchD are access switches; SwitchA and SwitchB
are aggregation switches. SwitchC and SwitchD are dual-homed to SwitchA and SwitchB. To
eliminate loops and load balance traffic from different VLANs, deploy VBST on SwitchA,
SwitchB, SwitchC, and SwitchD. Configure SwitchA as the root bridge of VLAN 10 and
VLAN 20 and SwitchB as the root bridge of VLAN 30.
Loops are eliminated based on VLANs. Figure 16-4 shows the formed spanning trees and
forwarding paths. In Figure 16-4, traffic from VLAN 10, VLAN 20, and VLAN 30 is
forwarded through their respective spanning trees. In this manner, traffic from VLAN 10,
VLAN 20, and VLAN 30 is load balanced on paths SwitchC<->SwitchA,
SwitchD<->SwitchA, and SwitchD<->SwitchB.
Table 16-2 describes the VBST configuration tasks. VBST blocks redundant links and prunes
a network into a tree topology to eliminate loops and implement load balancing. You can
perform the following configurations to meet requirements in special scenarios:
l Setting VBST parameters that affect VBST convergence
l Configuring protection functions
l Setting parameters for interworking between a Huawei datacom device and a
non-Huawei device
Licensing Requirements
VBST configuration commands are available only after the S1720GW, S1720GWR, and
S1720X have the license (WEB management to full management Electronic RTU License)
loaded and activated and the switches are restarted. VBST configuration commands on other
models are not under license control.
For details about how to apply for a license, see S Series Switch License Use Guide.
Version Requirements
S5700SI V200R005C00
S5700EI V200R005(C00&C01&C02&C03)
S5710EI V200R005(C00&C02)
S5700HI V200R005(C00SPC500&C01&C02)
S5710HI V200R005(C00&C02&C03)
S5730SI V200R011C10
S5730S-EI V200R011C10
NOTE
For details about software mappings, see Hardware Query Tool.
Feature Limitations
l Table 16-4 describes the specifications of VBST.
l The switch does not support association between VBST and VPLS.
l When VBST is enabled on a ring network, VBST immediately starts spanning tree
calculation. Parameters such as the device priority and port priority affect spanning tree
calculation, and the change of these parameters may cause network flapping. To ensure
fast and stable spanning tree calculation, perform basic configurations on the switch and
interfaces before enabling VBST.
l If the protected instance has been configured in a SEP segment or ERPS ring but the
mapping between protected instances and VLANs is not configured, VBST cannot be
enabled.
l VBST cannot be enabled in the ignored VLAN or control VLAN used by ERPS, RRPP,
SEP, or Smart Link.
l If 1:N (N>1) mapping between MSTIs and VLANs has been configured on the switch,
delete the mapping before changing the STP working mode to VBST.
l If the stp vpls-subinterface enable command has been configured on a switch, run the
undo stp vpls-subinterface enable command on an interface before changing the STP
working mode to VBST.
l If the device has been configured as the root bridge or secondary root bridge, run the
undo stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> root command to disable the root
bridge or secondary root bridge function and run the stp vlan { vlan-id1 [ to vlan-id2 ] }
&<1-10> priority priority command to change the device priority.
l When more than 128 MSTIs are dynamically specified, STP is disabled in a created
VLAN in the configuration file, for example, stp vlan 100 disable.
l To prevent frequent network flapping, ensure that the values of Hello time, Forward
Delay, and Max Age conform to the following formulas:
– 2 x (Forward Delay - 1.0 second) ≥ Max Age
– Max Age ≥ 2 x (Hello Time + 1.0 second)
l After all ports are configured as edge ports and BPDU filter ports in the system view,
none of the ports on the switch send BPDUs or negotiate the VBST status with directly
connected ports on the remote device. All ports are in forwarding state. This may cause
loops on the network, leading to broadcast storms. Exercise caution when you configure
a port as an edge port and BPDU filter port.
l After a port is configured as an edge port and BPDU filter port in the interface view, the
port does not process or send BPDUs. The port cannot negotiate the VBST status with
the directly connected port on the peer device. Exercise caution when you configure a
port as an edge port and BPDU filter port.
l Root protection takes effect only on designated ports.
l An alternate port is the backup of the root port. If a switch has an alternate port,
configure loop protection on both the root port and alternate port.
Pre-configuration Tasks
Before configuring basic VBST functions, connect ports and set the physical parameters of
each interface to make the physical layer in Up state. For details, see Basic Configuration for
Interfaces and Ethernet Interface Configuration in the S1720, S2700, S5700, and S6720
V200R011C10 Configuration Guide - Interface Management.
Context
The device priority is used in spanning tree calculation, and determines whether the device
can be configured as a root bridge of a spanning tree. A smaller value indicates a higher
priority.
Procedure
Step 1 Run system-view
NOTE
If the device has been configured as the root bridge or secondary root bridge, to change the device
priority, run the undo stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> root command to disable the root
bridge or secondary root bridge function and run the stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
priority priority command to set the device priority.
----End
Context
A path cost is port-specific and is used by VBST to select a link. A port in different VLANs
may have different path costs on a network running VBST. By setting a proper path cost,
traffic from different VLANs is forwarded through different physical links, thereby
implementing VLAN-based load balancing.
The path cost value range is determined by the calculation method. The following calculation
methods are used:
l dot1d-1998: IEEE 802.1d standard is used to calculate the path cost.
l dot1t: IEEE 802.1T standard is used to calculate the path cost.
l legacy: Huawei calculation method is used to calculate the path cost.
After the calculation method is determined, the path cost of a port can be set. Generally, a
higher path cost indicates a higher probability that the port is blocked. If the link rate of a port is
low, you are advised to set a large path cost so that the port is selected as the blocking port
during spanning tree calculation and its link is blocked.
The default path cost varies according to the interface rate. Huawei calculation method is used
as an example. Table 16-5 shows the mapping between link rates and path costs.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is configured.
By default, IEEE 802.1T standard is used to calculate the path cost.
All switches on the same network must use the same path cost calculation method.
Step 3 Run interface interface-type interface-number
The view of the Ethernet interface that participates in spanning tree calculation is displayed.
Step 4 Run stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> cost cost
The path cost of the port in each VLAN is set.
l If Huawei calculation method is used, the path cost ranges from 1 to 200000.
l If IEEE 802.1D standard is used, the path cost ranges from 1 to 65535.
l If IEEE 802.1T standard is used, the path cost ranges from 1 to 200000000.
----End
Context
In VBST spanning tree calculation, the port path cost, bridge ID of the sending switch, and
port priority determine whether the port can be selected as the designated port. A smaller
priority value indicates higher probability of becoming the designated port, and a larger
priority value indicates higher probability of becoming the blocking port.
On a network running VBST, a port can function as different roles in different spanning trees
so that traffic from different VLANs is forwarded through different physical paths.
Procedure
Step 1 Run system-view
The view of the Ethernet interface that participates in spanning tree calculation is displayed.
Step 3 Run stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> port priority priority
----End
Context
Based on the mappings between MSTIs and VLANs of MSTP, VBST maps each MSTI to a
VLAN to establish 1:1 mapping. The 1:1 mapping between MSTIs and VLANs is used only
by the switch to determine the VBST forwarding status. This does not mean that VBST
supports multi-instance.
The mapping between MSTIs and VLANs can be manually configured or dynamically
specified.
l You can manually configure the mapping between MSTIs and VLANs on the switch. If a
static mapping is also configured for a VLAN, the static mapping takes effect.
l After VBST is enabled, the system dynamically allocates instance IDs to existing or new
VLANs in ascending order. The dynamically specified mapping cannot be changed
When more than 128 MSTIs are dynamically specified, STP is disabled in the configuration
file for a created VLAN, for example, stp vlan 100 disable.
The following steps are performed to manually configure the mapping between MSTIs and
VLANs.
Procedure
Step 1 Run system-view
NOTE
After this step is performed, the dynamic mapping between MSTIs and VLANs cannot be canceled even
if VLANs are deleted or STP is disabled globally.
The change of 1:1 mapping between MSTIs and VLANs causes VBST recalculation and
network flapping. Therefore, it is recommended that you run the check region-configuration
command in the MST region view to check whether the parameters of the MST region are set
correctly before activating the configuration of the MST region. When determining that
parameters of the MST region are set correctly, run the active region-configuration
command to activate 1:1 mapping between MSTIs and VLANs.
----End
Context
The VBST configuration takes effect only when VBST is enabled.
When VBST is enabled on a ring network, VBST immediately starts spanning tree
calculation. Parameters such as the switch priority and port priority affect spanning tree
calculation, and change of these parameters may cause network flapping. To ensure fast and
stable spanning tree calculation, perform basic configurations on the switch and ports before
enabling VBST.
The PV quantity is the number of VBST-enabled interfaces multiplied by the number of
VLANs. If the PV quantity exceeds the specifications, the CPU usage may exceed the
threshold. As a result, the switch cannot process tasks in a timely manner, protocol calculation
is affected, and even the device cannot be managed by the NMS. The PV quantity supported
by the device is as follows:
l The CPU usage of VBST is in direct proportion to the PV quantity.
l The S5720HI, S6720EI, and S6720S-EI support up to 1200 PVs, the S1720X, S1720X-E,
S6720LI, S6720S-LI, S6720SI, S6720S-SI, S5730SI, S5730S-EI, and S5720EI support
up to 1000 PVs, the S1720GFR, S2750EI, and S5700LI support up to 300 PVs, and other
switches support up to 600 PVs.
l The number of PVs in the stack is the sum of PVs of member switches. However, the
S5720EI supports up to 2400 PVs.
l For an Eth-Trunk, the number of PVs supported by the system is the number of PVs
supported by the master device.
Procedure
Step 1 Run system-view
NOTE
NOTE
VBST cannot be enabled in the ignored VLAN or control VLAN used by ERPS, RRPP, SEP, or Smart
Link.
If VLAN mapping or VLAN stacking is configured on an interface corresponding to the VLAN, VBST
negotiation for this VLAN will fail.
NOTE
STP cannot be used with SEP or Smart Link. An STP-enabled interface cannot join a SEP segment or
Smart Link group. Similarly, the interface that has joined the SEP segment or Smart Link group cannot
be enabled with STP.
----End
Procedure
l Run the display stp [ vlan vlan-id ] [ interface interface-type interface-number | slot
slot-id ] [ brief ] command to check the spanning tree status and statistics.
l Run the display stp [ vlan vlan-id ] active command to check details of and statistics on
spanning trees of all ports in Up state.
l Run the display stp [ vlan vlan-id ] bridge { root | local } command to check the
spanning tree status of the local bridge and root bridge.
l Run the display stp global command to check the summary of the spanning tree
protocol.
l Run the display stp region-configuration [ digest ] command to check the mapping
between instances and VLANs.
----End
Context
After basic VBST functions are configured, VBST implements fast convergence using default
parameters. To achieve better convergence, set parameters that affect VBST convergence. All
steps in this configuration task are optional. You can perform the steps as needed.
Pre-configuration Tasks
Before configuring VBST parameters that affect VBST convergence, perform the task of 16.7
Configuring VBST.
Context
Any two terminals on a switching network are connected through a specific path along which
multiple devices are located. The network diameter is the maximum number of devices
between any two terminals. A larger network diameter indicates a larger network scale.
An improper network diameter may cause slow network convergence and affect
communication. Setting a proper network diameter according to the network scale helps speed
up network convergence.
The switch calculates the Forward Delay, Hello time, and Max-Age based on the configured
network diameter. It is recommended that you set the network diameter to configure timers.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> bridge-diameter diameter
A network diameter is set.
By default, the network diameter is 7.
l Rapid Spanning Tree Protocol (RSTP) uses a single spanning tree instance on the entire
network. As a result, performance deteriorates when the network scale grows. Therefore,
the network diameter cannot be larger than 7.
l It is recommended that all devices on a ring network use the same network diameter.
----End
Context
VBST uses the following parameters in spanning tree calculation:
l Forward Delay: determines the interval for port status transition. On a network where a
spanning tree algorithm is used, when the network topology changes, new BPDUs are
transmitted throughout the network after a given period of time. During the period, the
port that should enter the blocking state may not be blocked and the originally blocked
port may be unblocked, causing temporary loops. To address this problem, set the
Forward Delay during which all ports are blocked temporarily.
l Hello Time: the interval at which Hello packets are sent. The switch sends BPDUs to
neighboring devices at an interval of the Hello Time to check whether links are faulty. If
the switch does not receive any BPDU within the timeout period (timeout period = Hello
Time x 3 x Timer Factor), the switch recalculates the spanning tree due to BPDU
timeout.
l Max Age: determines whether BPDUs expire. The switch determines whether the
received BPDU expires based on this value. If the received BPDU expires, the spanning
tree needs to be recalculated.
Devices on a ring network must use the same values of Forward Delay, Hello Time, and Max
Age.
Generally, you are not advised to adjust values of the three parameters. This is because the
three parameters are relevant to the network scale. It is recommended that the network
diameter be adjusted so that the spanning tree protocol automatically adjusts the three
parameters. When the default network diameter is used, the default values of the three
parameters are used.
To prevent frequent network flapping, ensure that the values of Hello time, Forward Delay,
and Max Age conform to the following formulas:
l 2 x (Forward Delay - 1.0 second) ≥ Max Age
l Max Age ≥ 2 x (Hello time + 1.0 second)
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Set values of Hello time, Forward Delay, and Max Age.
l Run stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> timer forward-delay forward-delay
The value of Forward Delay is set.
By default, the value of Forward Delay is 1500 centiseconds.
l Run stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> timer hello hello-time
The value of Hello time is set.
By default, the value of Hello time is 200 centiseconds.
l Run stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> timer max-age max-age
The value of Max Age is set.
By default, the value of Max Age is 2000 centiseconds.
----End
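The two timer constraints above can be checked per VLAN before a change is pushed to a ring. The following is an added example, not part of the Huawei guide: the function names and the sample configuration lines are constructed, and values are in centiseconds to match the defaults listed in the procedure.

```python
import re

# Defaults stated in the procedure above, in centiseconds.
DEFAULTS = {"forward-delay": 1500, "hello": 200, "max-age": 2000}

FD_RULE = "2 x (Forward Delay - 1.0 s) < Max Age"
HELLO_RULE = "Max Age < 2 x (Hello Time + 1.0 s)"

# Matches: stp vlan { vlan-id1 [ to vlan-id2 ] } ... timer <name> <value>
TIMER_RE = re.compile(
    r"^\s*stp vlan (?P<vlans>\d+(?: to \d+)?(?: \d+(?: to \d+)?)*) "
    r"timer (?P<name>forward-delay|hello|max-age) (?P<value>\d+)\s*$"
)


def expand_vlans(spec):
    """Expand 'vlan-id1 [ to vlan-id2 ]' groups: '10 to 12 30' -> [10, 11, 12, 30]."""
    tokens = spec.split()
    vlans, i = [], 0
    while i < len(tokens):
        start = end = int(tokens[i])
        if i + 1 < len(tokens) and tokens[i + 1] == "to":
            end = int(tokens[i + 2])
            i += 2
        vlans.extend(range(start, end + 1))
        i += 1
    return vlans


def parse_timers(config_text):
    """Return {vlan: timers} for every VLAN named in a timer line, defaults filled in."""
    timers = {}
    for line in config_text.splitlines():
        m = TIMER_RE.match(line)
        if not m:
            continue
        for vlan in expand_vlans(m.group("vlans")):
            per_vlan = timers.setdefault(vlan, dict(DEFAULTS))
            per_vlan[m.group("name")] = int(m.group("value"))
    return timers


def check_timers(t):
    """Return the constraints violated by one VLAN's timers (1.0 s = 100 cs)."""
    problems = []
    if 2 * (t["forward-delay"] - 100) < t["max-age"]:
        problems.append(FD_RULE)
    if t["max-age"] < 2 * (t["hello"] + 100):
        problems.append(HELLO_RULE)
    return problems


def audit_timers(config_text):
    """Return {vlan: [violations]} for VLANs whose timers break a constraint."""
    result = {}
    for vlan, t in sorted(parse_timers(config_text).items()):
        problems = check_timers(t)
        if problems:
            result[vlan] = problems
    return result


# Constructed sample: VLAN 10 shortens Forward Delay only, VLANs 20-21 lengthen
# Hello Time only, VLAN 30 changes all three timers consistently.
SAMPLE_CONFIG = """
stp vlan 10 timer forward-delay 400
stp vlan 20 to 21 timer hello 1000
stp vlan 30 timer max-age 600
stp vlan 30 timer forward-delay 400
stp vlan 30 timer hello 100
"""

if __name__ == "__main__":
    for vlan, problems in audit_timers(SAMPLE_CONFIG).items():
        print(f"VLAN {vlan}: {'; '.join(problems)}")
```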
Context
The timeout interval of the switch is calculated through the following formula:
l Timeout interval = Hello time x 3 x Timer factor
On a network running VBST, when the network topology becomes stable, the non-root-bridge
switch forwards BPDUs sent by the root bridge to neighboring switches at an interval of
Hello time to check whether links are faulty. If the switch does not receive any BPDU from
the upstream device within the timeout interval, the switch considers that the upstream device
fails and recalculates the spanning tree.
Sometimes, the switch may not receive BPDUs from the upstream device for a long time
because the upstream device is busy. In this case, the device should not recalculate its
spanning tree. Therefore, you can set a long timeout interval for the device on a stable
network to reduce waste of network resources.
Procedure
Step 1 Run system-view
The timeout interval for the switch to wait for BPDUs from the upstream device is set.
----End
Context
Implementing fast convergence on a P2P link is easy. If the two ports connected to a P2P link
are root or designated ports, the ports can transit to the forwarding state quickly by sending
Proposal and Agreement packets. This reduces the forwarding delay.
Procedure
Step 1 Run system-view
The view of the interface that participates in spanning tree calculation is displayed.
l If the Ethernet port works in full-duplex mode, the port is connected to a P2P link. You
can specify force-true to implement fast convergence.
l If the Ethernet port works in half-duplex mode, specify force-true to forcibly set the link
type to P2P to implement fast convergence.
l In other situations, specify auto so that the port identifies whether it is connected to a
P2P link.
----End
Context
The maximum transmission rate of a port indicates the maximum number of BPDUs sent per
second. A larger value of the maximum transmission rate of a port indicates more BPDUs
sent at an interval of Hello time and therefore more system resources are occupied.
Setting the proper value of this parameter prevents excess bandwidth usage when route
flapping occurs. If network flapping occurs frequently, and the switch needs to detect
topology change in a timely manner and has sufficient bandwidth resources, set a large value
for this parameter.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of the interface that participates in spanning tree calculation is displayed.
Step 3 Run stp transmit-limit packet-number
The maximum number of BPDUs that the port can send at an interval of Hello time is set.
By default, a port sends a maximum of 6 BPDUs per second.
NOTE
If the maximum number of BPDUs needs to be set on all ports of the switch, run the stp transmit-limit
(system view) command.
----End
Context
When a port on a VBST-enabled switch is connected to an STP-enabled switch, the port
automatically switches to the STP mode.
In the following cases, you need to switch the port back to the VBST mode manually:
l The STP-enabled switch is shut down or disconnected.
l The STP-enabled switch is switched to the RSTP/MSTP mode.
When a VBST-enabled switch connects to an MSTP-enabled switch, the connected port of the
MSTP-enabled switch automatically switches to the RSTP mode through negotiation. When
the VBST-enabled switch switches to the MSTP mode, the connected ports of the two
switches may still work in RSTP mode due to the time sequence problem. You can perform
the following operations to manually switch the ports to the MSTP mode.
Procedure
l Switching a port to the VBST mode
a. Run system-view
The view of the interface that participates in spanning tree calculation is displayed.
c. Run stp mcheck
After the switch is switched to the VBST mode in the system view, all ports switch
to the VBST mode.
----End
Context
When the topology of an MSTI changes, the forwarding path of the VLAN mapping the
MSTI also changes. The MAC address entries and ARP entries relevant to the VLAN need to
be updated. VBST provides the following convergence modes:
Procedure
Step 1 Run system-view
NOTE
normal is recommended. If fast is used, frequently deleting ARP entries may result in 100% CPU usage
of the device. As a result, packets are not processed in a timely manner and network flapping occurs.
----End
Context
If a designated port is located at the edge of a network and is directly connected to terminals,
this port is called an edge port. The switch cannot determine whether a port is directly connected
to terminals, so the port needs to be manually configured as an edge port.
An edge port does not receive or process configuration BPDUs, or participate in VBST
calculation. It can transit from Disable to Forwarding without any delay to implement fast
convergence.
After a designated port is configured as an edge port, the port can still send BPDUs. As a
result, BPDUs are sent to other networks, causing those networks to flap. You can configure a
port as an edge port and BPDU filter port so that the port does not process or send BPDUs.
l After all ports are configured as edge ports and BPDU filter ports in the system view, none
of the ports on the switch send BPDUs or negotiate the VBST status with directly connected
ports on the peer device. All ports are in forwarding state. This may cause loops on the
network, leading to broadcast storms. Exercise caution when you configure a port as an
edge port and BPDU filter port.
l After a port is configured as an edge port and BPDU filter port in the interface view, the
port does not process or send BPDUs. The port cannot negotiate the VBST status with the
directly connected port on the peer device. Exercise caution when you configure a port as
an edge port and BPDU filter port.
Procedure
l Configuring all ports as edge ports and BPDU filter ports in the system view
a. Run system-view
The system view is displayed.
b. Run stp edged-port default
All ports are configured as edge ports.
By default, a port is a non-edge port.
c. Run stp bpdu-filter default
All ports are configured as BPDU filter ports.
By default, a port is a non-BPDU filter port.
l Configuring a port as an edge port and BPDU filter port in the interface view
a. Run system-view
The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
c. Run stp edged-port enable
----End
Procedure
l Run the display stp [ vlan vlan-id ] [ interface interface-type interface-number | slot
slot-id ] [ brief ] command to check the spanning tree status and statistics.
l Run the display stp [ vlan vlan-id ] active command to check details of and statistics on
spanning trees of all ports in Up state.
l Run the display stp [ vlan vlan-id ] bridge { root | local } command to check the
spanning tree status of the local bridge and root bridge.
l Run the display stp global command to check the summary of the spanning tree
protocol.
----End
Pre-configuration Tasks
Before configuring protection functions of VBST, complete the following task:
l Perform the task of 16.7 Configuring VBST.
l (Optional) Perform the operation of Configuring an Edge Port before configuring
BPDU protection.
Context
Edge ports are directly connected to user terminals and normally do not receive BPDUs. If a
switch is attacked with bogus BPDUs, edge ports receive these BPDUs. The switch then sets the
edge ports as non-edge ports and recalculates the spanning tree, resulting in network flapping.
BPDU protection can be used to protect the switch against such malicious attacks. After BPDU
protection is enabled on the switch, the switch shuts down an edge port if the edge port
receives a BPDU.
Perform the following operations on the switch configured with an edge port.
Procedure
Step 1 Run system-view
----End
Follow-up Procedure
To configure a shutdown edge port to go Up automatically, run the
error-down auto-recovery cause bpdu-protection interval interval-value command in the system
view to configure the automatic recovery function and set the recovery delay. After the delay
expires, the port automatically goes Up. Note the following when setting interval interval-value:
l A smaller value indicates a shorter delay for the port to go Up automatically and a higher
frequency at which the port alternates between Up and Down states.
l A larger value indicates a longer delay for the port to go Up automatically and longer
traffic interruption.
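The edge port, BPDU filter and BPDU protection cautions above can be turned into a configuration check. The following is an added example, not part of the Huawei guide: the finding names and sample configurations are constructed, and the commands stp bpdu-protection, stp bpdu-filter enable and stp edged-port disable are taken from the switch's command set rather than from this page, where the corresponding steps are missing.

```python
def parse_config(text):
    """Split a saved configuration into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":                      # '#' separates configuration stanzas
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and raw[:1].isspace():
            interfaces[current].append(line)  # indented line inside an interface
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit_stp_protection(text):
    """Return (scope, finding) tuples for the risky combinations described above."""
    global_lines, interfaces = parse_config(text)
    findings = []
    all_edge = "stp edged-port default" in global_lines
    all_filter = "stp bpdu-filter default" in global_lines
    if all_edge and all_filter:
        # No port sends or processes BPDUs: a loop will not be detected.
        findings.append(("global", "ALL_PORTS_EDGE_AND_BPDU_FILTER"))
    edge_ports = []
    for name, lines in interfaces.items():
        explicit_edge = "stp edged-port enable" in lines
        inherited_edge = all_edge and "stp edged-port disable" not in lines
        if explicit_edge or inherited_edge:
            edge_ports.append(name)
        if explicit_edge and "stp bpdu-filter enable" in lines:
            # Port cannot negotiate VBST status with its peer.
            findings.append((name, "EDGE_AND_BPDU_FILTER"))
    protected = "stp bpdu-protection" in global_lines
    if edge_ports and not protected:
        # A bogus BPDU turns the edge port into a non-edge port and forces
        # a spanning tree recalculation.
        findings.append(("global", "EDGE_PORTS_WITHOUT_BPDU_PROTECTION"))
    recovery = "error-down auto-recovery cause bpdu-protection interval "
    if protected and not any(l.startswith(recovery) for l in global_lines):
        # Informational: no automatic recovery delay is configured.
        findings.append(("global", "BPDU_PROTECTION_WITHOUT_AUTO_RECOVERY"))
    return findings


# Constructed sample configurations (not from a real device).
WEAK_CONFIG = """#
sysname Access-1
#
interface GigabitEthernet0/0/1
 port link-type access
 stp edged-port enable
#
interface GigabitEthernet0/0/2
 port link-type access
 stp edged-port enable
 stp bpdu-filter enable
#
"""

HARDENED_CONFIG = """#
sysname Access-1
#
stp bpdu-protection
#
error-down auto-recovery cause bpdu-protection interval 30
#
interface GigabitEthernet0/0/1
 port link-type access
 stp edged-port enable
#
interface GigabitEthernet0/0/2
 port link-type access
 stp edged-port enable
#
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_stp_protection(cfg))
```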
Context
When malicious attackers send bogus TC BPDUs to attack the switch, the switch receives a
large number of TC BPDUs within a short time. If MAC address entries and ARP entries are
deleted frequently, the switch is heavily burdened, causing potential risks to the network.
TC protection is used to suppress TC BPDUs. You can set the number of times the switch
processes TC BPDUs within a given time period. If the number of TC BPDUs that the switch
receives within a given time exceeds the specified threshold, the switch processes TC BPDUs
only for the specified number of times. After the specified number of times is reached, the
switch processes the excess TC BPDUs together, one time only. For example, the period is set
to 10s and the threshold is set to 5. After the switch receives TC BPDUs, the switch processes
the first five TC BPDUs within 10s. After 10s, the switch processes subsequent TC BPDUs. In
this way, the switch does not need to frequently delete MAC entries and ARP entries.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure either of or both of the parameters.
l Run stp tc-protection interval interval-value
The time taken by the switch to process the maximum of TC BPDUs is 10s.
By default, the time is the Hello timer length.
l Run stp tc-protection threshold threshold
The maximum number of TC BPDUs processed by the switch in a given time is set.
By default, the switch handles TC BPDUs and updates forwarding entries once within a
unit time.
NOTE
Within the time specified by stp tc-protection interval, the switch processes the number of
TC BPDUs specified by stp tc-protection threshold. Other packets are delayed, so convergence
may be affected.
----End
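The following model of the TC protection behavior described above is an added example, not Huawei code. It counts how often MAC and ARP entries are flushed during a constructed TC BPDU flood and how long the held-back TC BPDUs wait, which is the convergence cost mentioned in the NOTE. The names TcResult and tc_protection are hypothetical, and the model assumes that periods are fixed windows counted from t=0.

```python
from dataclasses import dataclass


@dataclass
class TcResult:
    flush_times_ms: list  # every moment MAC and ARP entries are flushed
    immediate: int        # TC BPDUs acted on at arrival
    deferred: int         # TC BPDUs held back until the period ended
    max_delay_ms: int     # longest wait between a held TC BPDU and its flush


def tc_protection(arrivals_ms, interval_ms, threshold):
    """Model stp tc-protection: in each period, act on the first `threshold`
    TC BPDUs at once and handle all excess ones together when the period ends.

    Assumption of this model: periods are fixed windows counted from t=0.
    """
    flushes, immediate, deferred, max_delay = [], 0, 0, 0
    window, handled, first_held = None, 0, None

    def close_window():
        # One flush covers every TC BPDU held back during the closing period.
        nonlocal first_held, max_delay
        if first_held is not None:
            end = (window + 1) * interval_ms
            flushes.append(end)
            max_delay = max(max_delay, end - first_held)
            first_held = None

    for t in sorted(arrivals_ms):
        w = t // interval_ms
        if w != window:
            if window is not None:
                close_window()
            window, handled = w, 0
        if handled < threshold:
            handled += 1
            immediate += 1
            flushes.append(t)
        else:
            deferred += 1
            if first_held is None:
                first_held = t
    if window is not None:
        close_window()
    return TcResult(flushes, immediate, deferred, max_delay)


# Constructed input: one bogus TC BPDU every 100 ms for 20 s (200 in total).
FLOOD_MS = list(range(0, 20000, 100))
# Constructed input: three genuine topology changes spread over 10 s.
BENIGN_MS = [0, 3000, 7000]


def main():
    cases = [
        ("flood, interval 10s, threshold 5", FLOOD_MS, 10000, 5),
        ("flood, interval 2s (Hello), threshold 1", FLOOD_MS, 2000, 1),
        ("benign, interval 10s, threshold 5", BENIGN_MS, 10000, 5),
    ]
    for name, arrivals, interval, threshold in cases:
        r = tc_protection(arrivals, interval, threshold)
        print(f"{name}: {len(arrivals)} TC BPDUs -> {len(r.flush_times_ms)} flushes, "
              f"{r.deferred} deferred, worst delay {r.max_delay_ms} ms")


if __name__ == "__main__":
    main()
```

Without TC protection every one of the 200 TC BPDUs would trigger a flush; a longer interval cuts the flush count further but lengthens the wait for a genuine topology change that arrives after the threshold is reached.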
Context
Due to incorrect configurations or malicious attacks on a network, a valid root bridge may
receive BPDUs with a higher priority. Consequently, the valid root bridge is no longer able to
serve as the root bridge and the network topology is changed, triggering spanning tree
recalculation. As a result, traffic may be switched from high-speed links to low-speed links,
causing network congestion. To prevent network congestion, enable root protection on the
switch to protect the role of the root switch by retaining the role of the designated port.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run stp root-protection
Root protection is enabled on the switch.
By default, root protection is disabled on a switch port.
----End
Context
On a network running VBST, the switch maintains the root port status and status of blocked
ports by receiving BPDUs from an upstream switch. If the switch cannot receive any BPDU
from the upstream switch because of link congestion or unidirectional link failures, the switch
selects a new root port. The original root port becomes a designated port and the original
blocked ports change to the Forwarding state. This switching may cause network loops, which
can be mitigated by configuring loop protection.
If the root port or alternate port does not receive BPDUs from the upstream device for a long
time, the switch enabled with loop protection sends a notification to the NMS. If the root port
is used, the root port enters the Discarding state and becomes the designated port. If the
alternate port is used, the alternate port remains blocked and becomes the designated port. In
this case, loops will not occur. After the link congestion is cleared or the unidirectional link
failure is rectified, the port receives BPDUs for negotiation and restores its original role and
status.
NOTE
An alternate port is the backup of the root port. If a switch has an alternate port, you need to configure
loop protection on both the root port and alternate port.
Perform the following operations on the root port and alternate port of the switch.
Procedure
Step 1 Run system-view
----End
Procedure
• Run the display stp [ vlan vlan-id ] [ interface interface-type interface-number | slot
slot-id ] [ brief ] command to check the spanning tree status, including the root
protection status and information about other protection functions.
• Run the display stp [ vlan vlan-id ] active command to check details of and statistics on
spanning trees of all ports in Up state, including the root protection status and
information about other protection functions.
• Run the display stp global command to check the summary of the spanning tree
protocol.
----End
Context
To implement interworking between a Huawei datacom device and a non-Huawei device,
configure the fast transition mode according to the Proposal/Agreement mechanism of the
non-Huawei device. The switch supports the following modes on the Proposal/Agreement
mechanism:
• Enhanced mode: The port participates in calculation of the root port when calculating the
synchronization flag bit.
a. An upstream device sends a Proposal message to a downstream device, requesting
fast transition. After receiving the message, the downstream device sets the port
connected to the upstream device as a root port and blocks all non-edge ports.
b. The upstream device then sends an Agreement message to the downstream device.
After the downstream device receives the message, the root port transitions to the
Forwarding state.
c. The downstream device sends an Agreement message to the upstream device. After
receiving the Agreement message, the upstream device sets the port connected to
the downstream device as a designated port, and the designated port transitions to
the Forwarding state.
• Common mode: The port ignores the root port when calculating the synchronization flag
bit.
a. An upstream device sends a Proposal message to a downstream device, requesting
fast transition. After receiving the Proposal message, the downstream device sets
the port connected to the upstream device as a root port and blocks all non-edge
ports. The root port then transitions to the Forwarding state.
b. The downstream device sends an Agreement message to the upstream device. After
receiving the Agreement message, the upstream device sets the port connected to
the downstream device as a designated port, and the designated port transitions to
the Forwarding state.
On a network running the VBST protocol, a Huawei datacom device and the connected
non-Huawei device may fail to communicate if they use different Proposal/Agreement modes.
The Huawei datacom device can select the same mode as that on the non-Huawei device to
implement interworking.
If a Huawei datacom device and a Handreamnet switch are deployed on the VBST network,
non-standard STP/RSTP packets sent by the Handreamnet switch may cause temporary loops.
Therefore, the Huawei datacom device interface needs to be configured to discard
non-standard STP/RSTP packets to prevent temporary loops.
Pre-configuration Tasks
Before setting parameters for interworking between a Huawei datacom device and a
non-Huawei device, perform the task of 16.7 Configuring VBST.
Procedure
Step 1 Run system-view
The view of the interface that participates in spanning tree calculation is displayed.
By default, a Huawei datacom device interface does not discard non-standard STP/RSTP
packets sent by the Handreamnet switch.
The delay in revertive switching during VBST calculation is configured on the port.
NOTE
• When a VBST-enabled switch interworks with a PVST-enabled third-party device that does not
support P/A negotiation, negotiation is asynchronous. As a result, the network convergence time is
long. If the remote device is the root bridge and the VBST-enabled switch provides the alternate port
in addition to the interconnected port, you can enable the delay in revertive switching on the
interconnected interface. The delay is calculated as follows: 2 * Forward Delay + 8s. After the delay
function is enabled, the remote interface first completes spanning tree calculation when the port
status changes. Then the local interface performs spanning tree status switching. During status
switching, services are not interrupted.
• After the delay in revertive switching is enabled on a port, this function takes effect for all VLANs
that the interface has joined. If there is no alternate port in the VLAN to which the interconnected
port belongs, the port needs to wait for the delay before it recovers. Exercise caution when you run
this command in this situation.
----End
Context
You can view the VBST running information and statistics on VBST BPDUs. If the number
of topology changes keeps increasing, network flapping is occurring.
Procedure
• Run the display stp [ vlan vlan-id ] topology-change command to check VBST
topology change statistics.
• Run the display stp error packet command to check the number of received error
packets and the content of recently received error packets.
• Run the display vbst [ vlan vlan-id ] [ interface interface-type interface-number | slot
slot-id ] bpdu-statistics command to check BPDU statistics.
• Run the display stp [ vlan vlan-id ] [ interface interface-type interface-number | slot
slot-id ] tc-bpdu statistics command to check statistics on TC or TCN BPDUs on the
VBST-enabled port.
----End
Context
Before recollecting statistics on VBST BPDUs in a certain period, clear existing statistics on
VBST BPDUs.
Cleared statistics on VBST BPDUs cannot be restored. Exercise caution when you run the
reset vbst command.
Procedure
• Run the reset vbst [ interface interface-type interface-number | slot slot-id ]
bpdu-statistics command in the user view to clear statistics on VBST BPDUs.
----End
Networking Requirements
As shown in Figure 16-5, SwitchC and SwitchD (access switches) are dual-homed to
SwitchA and SwitchB (aggregation switches) respectively. SwitchC transmits traffic from
VLAN 10 and VLAN 20, and SwitchD transmits traffic from VLAN 20 and VLAN 30. A
ring network is formed between the access layer and aggregation layer. The enterprise
requires that service traffic in each VLAN be correctly forwarded and service traffic from
different VLANs be load balanced to improve link use efficiency.
[Figure 16-5: networking diagram. Labels: Core Network; SwitchA and SwitchB (GE0/0/1,
GE0/0/2, GE0/0/3); SwitchC and SwitchD (GE0/0/2, GE0/0/3); links marked VLAN 10, 20, 30,
VLAN 10, 20 and VLAN 20, 30. Legend: root bridge, unblocked link, blocked link, blocked port.]
Configuration Roadmap
VBST can be used to eliminate loops between the access layer and aggregation layer and
ensure that service traffic in each VLAN is correctly forwarded. In addition, traffic from
different VLANs can be load balanced. The configuration roadmap is as follows:
1. Configure Layer 2 forwarding on access and aggregation switches.
2. Configure basic VBST functions on SwitchA, SwitchB, SwitchC, and SwitchD. Perform
the following operations so that a spanning tree shown in Figure 16-5 is formed through
calculation:
– Configure the root bridge and secondary root bridge of VLAN 10 as SwitchA and
SwitchB respectively, configure the root bridge and secondary root bridge of VLAN
20 as SwitchA and SwitchB respectively, and configure the root bridge and
secondary root bridge of VLAN 30 as SwitchB and SwitchA respectively, to ensure
root bridge reliability.
– Set a larger path cost for GE0/0/2 on SwitchC in VLAN 10 and VLAN 20 so that
GE0/0/2 is blocked in the spanning trees of VLAN 10 and VLAN 20. Set a larger
path cost for GE0/0/2 on SwitchD in VLAN 20 and VLAN 30 so that GE0/0/2 is
blocked in the spanning trees of VLAN 20 and VLAN 30.
3. Configure ports on SwitchC and SwitchD connected to terminals as edge ports to reduce
VBST topology calculation and improve topology convergence.
Procedure
Step 1 Configure Layer 2 forwarding on switches on the ring network.
• Create VLAN 10, VLAN 20, and VLAN 30 on SwitchA, SwitchB, SwitchC, and
SwitchD.
# Create VLAN 10, VLAN 20, and VLAN 30 on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 30
# Add GE0/0/1 on SwitchB to VLAN 10, VLAN 20, and VLAN 30.
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20 30
[SwitchB-GigabitEthernet0/0/1] quit
– Configure the root bridge and secondary root bridge in VLAN 20.
# Configure SwitchA as the root bridge in VLAN 20.
[SwitchA] stp vlan 20 root primary
– Configure the root bridge and secondary root bridge in VLAN 30.
# Configure SwitchB as the root bridge in VLAN 30.
[SwitchB] stp vlan 30 root primary
3. Configure the path cost for a port so that the port can be blocked.
NOTE
– The path cost range depends on the algorithm. IEEE 802.1t standard is used as an example. Set
the path costs of the ports to be blocked to 2000000.
– All switches on the same network must use the same path cost calculation method.
# Set the path cost of GE0/0/2 on SwitchC to 2000000 in VLAN 10 and VLAN 20.
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] stp vlan 10 cost 2000000
[SwitchC-GigabitEthernet0/0/2] stp vlan 20 cost 2000000
[SwitchC-GigabitEthernet0/0/2] quit
# Set the path cost of GE0/0/2 on SwitchD to 2000000 in VLAN 20 and VLAN 30.
[SwitchD] interface gigabitethernet 0/0/2
[SwitchD-GigabitEthernet0/0/2] stp vlan 20 cost 2000000
[SwitchD-GigabitEthernet0/0/2] stp vlan 30 cost 2000000
[SwitchD-GigabitEthernet0/0/2] quit
By default, all interfaces join VLAN 1 and VBST in VLAN 1 is enabled. In this example, to
reduce spanning tree calculation, VBST is disabled in VLAN 1. To prevent loops in VLAN 1
after VBST is disabled, delete interfaces from VLAN 1.
# Disable VBST in VLAN 1 on SwitchA. The configurations on SwitchB, SwitchC,
and SwitchD are similar to the configuration of SwitchA, and are not mentioned
here.
[SwitchA] stp vlan 1 disable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/3] quit
The preceding information shows that SwitchA participates in spanning tree calculation in
VLAN 10, VLAN 20, and VLAN 30. For example, SwitchA is the root bridge in VLAN 10
and VLAN 20, so GE0/0/1 and GE0/0/3 in VLAN 10 are selected as designated ports.
GE0/0/1, GE0/0/2, and GE0/0/3 in VLAN 20 are selected as designated ports. SwitchA is the
secondary root bridge in VLAN 30, so GE0/0/1 is selected as the root port and GE0/0/2 is
selected as the designated port in VLAN 30.
# Run the display stp vlan 10 command on SwitchA to view detailed information about
VLAN 10.
[SwitchA] display stp vlan 10
-------[VLAN 10 Global Info]-------
Bridge ID :10 .0200-0000-6703
Config Times :Hello 2s MaxAge 20s FwDly 15s
Active Times :Hello 2s MaxAge 20s FwDly 15s
Root ID / RPC :10 .0200-0000-6703 / 0 (This bridge is the root)
RootPortId :0.0
Root Type :Primary
----[Port4093(GigabitEthernet0/0/1)][FORWARDING]----
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T) :Config=Auto / Active=20000
Desg. Bridge/Port :10 .0200-0000-6703 / 128.4093
Port Edged :Config=Default / Active=Disabled
Point-to-point :Config=Auto / Active=true
Transit Limit :6 packets/hello
Protection Type :None
----[Port4092(GigabitEthernet0/0/3)][FORWARDING]----
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T) :Config=Auto / Active=199999
Desg. Bridge/Port :10 .0200-0000-6703 / 128.4092
Port Edged :Config=Default / Active=Disabled
Point-to-point :Config=Auto / Active=true
Transit Limit :6 packets/hello
Protection Type :None
The preceding information shows that SwitchA is selected as the root bridge in VLAN 10 and
GE0/0/1 and GE0/0/3 are selected as designated ports in Forwarding state.
# Run the display stp brief command on SwitchB, SwitchC, and SwitchD to view the port
status.
[SwitchB] display stp brief
VLAN-ID Port Role STP State Protection
10 GigabitEthernet0/0/1 ROOT FORWARDING NONE
10 GigabitEthernet0/0/2 DESI FORWARDING NONE
20 GigabitEthernet0/0/1 ROOT FORWARDING NONE
The preceding information shows that SwitchB participates in spanning tree calculation in
VLAN 10, VLAN 20, and VLAN 30, SwitchC participates in spanning tree calculation in
VLAN 10 and VLAN 20, and SwitchD participates in spanning tree calculation in VLAN 20
and VLAN 30. After the calculation is complete, ports are selected as different roles to
eliminate loops.
Different spanning trees are formed in VLAN 10, VLAN 20, and VLAN 30, and traffic in
VLAN 10, VLAN 20, and VLAN 30 is forwarded along different spanning trees to implement
load balancing.
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20 30
#
stp mode vbst
#
stp vlan 1 disable
stp vlan 30 root secondary
stp vlan 10 20 root primary
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20 30
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
#
interface GigabitEthernet0/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
return
• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 20 30
#
stp mode vbst
#
stp vlan 1 disable
stp vlan 10 20 root secondary
stp vlan 30 root primary
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20 30
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
#
return
• SwitchC configuration file
#
sysname SwitchC
#
vlan batch 10 20
#
stp mode vbst
#
stp vlan 1 disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
stp vlan 10 20 cost 2000000
#
interface GigabitEthernet0/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 10
stp edged-port enable
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 20
stp edged-port enable
#
return
• SwitchD configuration file
#
sysname SwitchD
#
vlan batch 20 30
#
stp mode vbst
#
stp vlan 1 disable
#
interface GigabitEthernet0/0/2
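The SwitchC configuration file above enables edge ports but contains none of the protection functions described earlier in this chapter. The following audit script is an added example, not part of the Huawei guide; it parses that file and reports which protections are configured. The function names are hypothetical, stp bpdu-protection is assumed to be the system-view command that enables the BPDU protection function referred to earlier, and the hardened variant with its 30-second recovery interval is constructed.

```python
import re

# SwitchC configuration file from the example above (VRP indentation restored).
SWITCHC = """\
#
sysname SwitchC
#
vlan batch 10 20
#
stp mode vbst
#
stp vlan 1 disable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 20
 stp vlan 10 20 cost 2000000
#
interface GigabitEthernet0/0/3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 10
 stp edged-port enable
#
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 20
 stp edged-port enable
#
return
"""

# Constructed variant: BPDU protection and automatic recovery added in the
# system view (the 30-second interval is a sample value).
HARDENED = SWITCHC.replace(
    "stp mode vbst\n",
    "stp mode vbst\nstp bpdu-protection\n"
    "error-down auto-recovery cause bpdu-protection interval 30\n",
)


def parse(config):
    """Split a VRP-style configuration into global lines and interface stanzas."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "return":
            continue
        if line == "#":                      # '#' closes the current stanza
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def _number(lines, pattern):
    """Return the integer captured by `pattern` on the first matching line."""
    for line in lines:
        match = re.fullmatch(pattern, line)
        if match:
            return int(match.group(1))
    return None


def audit(config):
    """Report the spanning tree protection functions present in a configuration."""
    glob, ifs = parse(config)
    report = {
        "edge_ports": [n for n, body in ifs.items() if "stp edged-port enable" in body],
        "root_protected": [n for n, body in ifs.items() if "stp root-protection" in body],
        "bpdu_protection": "stp bpdu-protection" in glob,
        "auto_recovery_s": _number(
            glob, r"error-down auto-recovery cause bpdu-protection interval (\d+)"),
        "tc_threshold": _number(glob, r"stp tc-protection threshold (\d+)"),  # None = default
        "findings": [],
    }
    if report["edge_ports"] and not report["bpdu_protection"]:
        report["findings"].append(
            "risk: edge ports %s are not covered by BPDU protection; a BPDU received "
            "there triggers spanning tree recalculation instead of a port shutdown"
            % ", ".join(report["edge_ports"]))
    if report["bpdu_protection"] and report["auto_recovery_s"] is None:
        report["findings"].append(
            "note: no error-down auto-recovery interval; a shut-down edge port "
            "stays Down until it is restored manually")
    return report


if __name__ == "__main__":
    for name, text in (("SwitchC", SWITCHC), ("SwitchC hardened", HARDENED)):
        result = audit(text)
        print(name, result["findings"] or "no findings")
```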
17 SEP Configuration
This chapter describes how to configure the Smart Ethernet Protection (SEP). SEP is a ring
network protocol specially used for the Ethernet link layer. It blocks redundant links to
prevent logical loops on a ring network.
Definition
The Smart Ethernet Protection (SEP) protocol is a ring network protocol specially used for the
Ethernet link layer. A SEP segment consists of interconnected Layer 2 switching devices
configured with the same SEP segment ID and control VLAN ID. A SEP segment is the basic
unit of SEP.
Purpose
SEP blocks redundant links to prevent logical loops on a ring network. Redundant links are
used on an Ethernet switching network to provide link backup and enhance network
reliability. However, the use of redundant links may produce loops, causing broadcast storms
and rendering the MAC address table unstable. As a result, communication quality
deteriorates, and services may even be interrupted. Huawei switches support the following
ring network protocols:
• STP/RSTP/MSTP
STP, RSTP, and MSTP are standard protocols for breaking loops on Ethernet networks.
Networks running these protocols converge slowly, failing to meet the transmission
requirements of some real-time services. The convergence time is affected by the
network topology. Huawei devices running STP, RSTP, or MSTP can communicate with
non-Huawei devices.
• RRPP
RRPP is a fast convergence Huawei proprietary protocol. RRPP requires a physical
topology to be divided into logical topologies so that major rings and sub-rings can be
differentiated. Therefore, RRPP does not apply to complex networks. A Huawei device
running RRPP cannot communicate with any non-Huawei device.
Huawei developed SEP to overcome the disadvantages of the preceding ring network
protocols. SEP has the following advantages:
• Works on diverse complex networks and supports all topologies and network topology
queries. A network running SEP can connect to a network running STP, RSTP, MSTP, or
RRPP.
Helps quickly locate blocked interfaces through network topology display. When a fault
occurs, SEP can quickly locate the fault, improving network maintainability.
• Implements traffic load balancing by selectively blocking interfaces.
• Improves network stability by preventing traffic from switching back after link recovery.
To prevent loops in a SEP segment, a ring protection mechanism selectively blocks interfaces
to eliminate redundant Ethernet links. When a link on a ring network fails, the device running
SEP immediately unblocks the interface and performs link switching to restore
communication between nodes.
Figure 17-1 shows a typical SEP application. CE1 is connected to Network Provider Edges
(NPEs) through a semi-ring formed by switches. A Virtual Router Redundancy Protocol
(VRRP) group is deployed on the NPEs. NPE1 initially serves as the master and NPE2 as the
backup. When the link between NPE1 and LSW5 or a node on the link becomes faulty, NPE1
becomes the backup. NPE2 then becomes the master. The following situations occur
depending on whether SEP is deployed. The following assumes that the link between LSW1
and LSW5 becomes faulty.
• If SEP is not deployed on the semi-ring, CE1 traffic is still transmitted along the original
path, but NPE1 does not forward traffic, causing traffic interruption.
• If SEP is deployed on the semi-ring, the blocked interface on LSW5 becomes unblocked,
enters the Forwarding state, and sends link state advertisements (LSAs) to instruct other
nodes on the SEP segment to update their LSA databases. CE1 traffic is transmitted
along backup link LSW5 -> LSW2 -> LSW4 -> NPE2, ensuring uninterrupted traffic
transmission.
[Figure 17-1: typical SEP application. Labels: NPE1, NPE2, VRRP+peer BFD, IP/MPLS Core,
CE1, LSW5.]
In typical SEP networking, a physical ring can be configured with only one SEP segment in
which only one interface can be blocked. If an interface in a complete SEP segment is
blocked, all service data is transmitted only along the path where the primary edge interface is
located. The path where the secondary edge interface is located remains idle, wasting
bandwidth.
SEP multi-instance is used to improve bandwidth efficiency and implement traffic load
balancing. SEP multi-instance allows two SEP segments to be configured on a physical ring.
Each SEP segment independently detects the completeness of a physical ring and blocks or
unblocks interfaces without affecting the other.
For details about SEP multi-instance, see 17.2.3 SEP Implementation Mechanisms.
SEP Network
In Figure 17-2, LSW1 through LSW5 constitute a ring and are dual-homed to an upper-layer
or a Layer 2 network. Two edge devices (LSW1 and LSW5) are indirectly connected. This
networking is called open ring networking. This mode will cause a loop on the entire network.
To eliminate redundant links and ensure link connectivity, a mechanism used to prevent loops
is required.
Figure 17-2 shows the typical networking of an open ring running SEP. The following
describes the basic concepts of SEP.
[Figure 17-2: typical networking of an open ring running SEP. Labels: Network, LSW3, LSW5,
SEP Segment, CE. Legend: no-neighbor primary edge port, no-neighbor secondary edge port,
primary edge port, secondary edge port, block port.]
• SEP segment
A SEP segment is the basic unit of SEP. A SEP segment consists of interconnected Layer
2 switching devices configured with the same SEP segment ID and control VLAN ID.
A SEP segment is a ring or linear Ethernet topology. Each SEP segment has a control
VLAN, edge interfaces, and common interfaces.
• Control VLAN
In a SEP segment, the control VLAN is used to transmit only SEP packets.
Each SEP segment must have a control VLAN. After an interface is added to a SEP
segment that has a control VLAN, the interface is automatically added to the control
VLAN.
Different SEP segments can use the same control VLAN.
Different from a control VLAN, a data VLAN is used to transmit data packets.
• Node
Each Layer 2 switching device in a SEP segment is a node. Each node can have a
maximum of two interfaces added to the same SEP segment.
• Interface role
As defined by SEP, there are two interface roles: common and edge interfaces.
In Table 17-1, edge interfaces are further classified into primary edge interfaces,
secondary edge interfaces, no-neighbor primary edge interfaces, and no-neighbor
secondary edge interfaces.
NOTE
It is not recommended to configure primary edge interfaces and no-neighbor edge interfaces in the
same SEP segment.
It is not recommended to configure secondary edge interfaces and no-neighbor edge interfaces in
the same SEP segment.
Edge interface, primary edge interface: A SEP segment has only one primary edge interface,
which is determined by the configuration and election. The primary edge interface initiates
blocked interface preemption, terminates packets, and sends topology change notification
messages to other networks.
• Blocked interface
In a SEP segment, some interfaces are blocked to prevent loops.
Any interface in a SEP segment may be blocked if no interface is specified for blocking.
A complete SEP segment has only one blocked interface.
• SEP interface status
In a SEP segment, a SEP interface has two working states:
– Forwarding: The interface can forward user traffic, receive and send SEP packets.
– Discarding: The interface can receive and send SEP packets but cannot forward
user traffic.
An interface may be in Forwarding or Discarding state regardless of its role.
SEP Packet
Table 17-2 shows the types of SEP packets.
LSA (LSA request packet, LSA ACK packet): After an interface has SEP enabled, the interface
periodically sends LSAs to its neighbor. After the state machine of the neighbor goes Up, the
two interfaces update their LSA databases with all topology information.
Linear topology: All topologies except ring topologies are linear topologies. For interfaces at
both ends of a link:
• If one interface functions as the primary edge interface, the primary edge interface is
listed first in the topology information displayed on each interface.
• If the secondary edge interface is elected, the secondary edge interface is listed first in
the topology information displayed on each interface.
NOTE
The constraints listed in Table 17-3 ensure that each node in a ring or linear topology displays the
same topology information.
NOTE
If only one interface on a node has SEP enabled, you must set the role of the interface to edge so that the
interface can function as an edge interface.
In Figure 17-3, if there is no faulty link on the network and SEP is enabled on the interfaces,
the following situations occur:
[Figure: networking diagram. Labels: P1, SEP Segment.]
preemption mechanism must take effect before a specified interface preempts to be the
blocked interface.
The following describes the interface blocking mode and preemption mechanism.
Specify a blocked interface based on the configured hop count: SEP sets the hop count of the
primary edge interface to 1 and the hop count of the neighboring interface of the primary
interface to 2. Hop counts of other interfaces increase by steps of 1 in the downstream
direction of the primary edge interface.
Specify a blocked interface based on the device and interface names: After SEP is configured,
the names of the device and interface determine the interface to be blocked. Before
specifying an interface to be blocked, run the display command to view the current ring
topology and all interfaces and then specify the device and interface names.
If multiple interfaces on the ring have the same device and interface names, SEP blocks the
interface nearest to the primary edge interface in the topology.
NOTE
If you change the device name or interface name after specifying the interface to block, the
interface cannot preempt to be the blocked interface.
• Preemption
After the interface blocking mode is specified, you can configure the preemption mode
to determine whether an interface will be blocked. Table 17-5 describes the preemption
modes.
Non-preemption: When all link faults are rectified or the last two interfaces enabled with SEP
complete neighbor negotiations, interfaces send blocking status packets to each other. The
interface with the highest priority is then blocked and the other interfaces enter the
Forwarding state.
The fault is rectified and the preemption function takes effect: After faults occur in the SEP
segment and the last faulty interface recovers, the blocked interface is preempted and the
topology is considered changed.
Preemption is triggered by the primary edge interface. When an interface in a SEP segment
receives a preemption packet from the primary edge interface, the interface must send
Flush-FDB packets to notify other nodes in the SEP segment that there is a change in
topology.
[Figure: networking diagram. Labels: Network, LSW1, LSW3 to LSW10, LSW13, SEP Segment1,
SEP Segment3, Failed.]
NOTE
The topology change notification function is configured on devices that connect an upper-layer network
and a lower-layer network. If the topology of one network changes, devices affected inform the other
network of the change.
Table 17-7 lists the scenarios in which topology changes are reported.
[Figure: networking diagram. Labels: IP/MPLS Core, CFM, PE-AGG1, PE-AGG2, LSW1 to LSW5,
SEP Segment, CE. Legend: no-neighbor primary edge port, no-neighbor secondary edge port,
block port.]
SEP associated with Ethernet CFM
In Figure 17-5, association between SEP and CFM is configured on LSW1 in the SEP
segment. When CFM detects a fault on the network at the aggregation layer, LSW1 sends a
CCM to notify the Operation, Administration, and Maintenance (OAM) module of the fault.
The SEP status of the interface associated with CFM then changes to Down.
The interface associated with CFM is in the SEP segment. If this interface goes Down, LSW2
must send a Flush-FDB packet to notify other nodes of the change in topology. After LSW3
receives the Flush-FDB packet, the blocked interface on LSW3 is unblocked and enters the
Forwarding state. This interface sends a Flush-FDB packet to instruct other nodes in the SEP
segment to update their MAC address tables and ARP tables. The lower-layer network can
then detect the faults on the upper-layer network, ensuring reliable service transmission.
[Figure: networking diagram. Labels: LSW1 to LSW10, SEP Segment 1, SEP Segment2,
SEP Segment3.]
Sending many TC notification packets reduces the capability of a CPU to quickly process
other packet types. In addition, devices in SEP segments frequently update MAC address
entries, consuming bandwidth resources. The following measures can be taken to suppress TC
notification packets:
• Configure a device to only process one of the TC notification packets that carry the same
source address.
• Configure a device to process a specified number of TC notification packets within a
specified period. By default, three TC notification packets with different source
addresses are processed in 2s.
• Avoid having more than three SEP rings.
SEP Multi-Instance
In common SEP networking shown in Figure 17-7, a physical ring network can be configured
with only one SEP segment in which only one interface can be blocked.
If an interface in a complete SEP segment is blocked, all service data is transmitted only along
the path where the primary edge interface is located. The path where the secondary edge
interface is located remains idle, wasting bandwidth.
[Figure 17-7: common SEP networking. Labels: LSW1 to LSW4, SEP Segment1, VLAN 100~200,
VLAN 201~400, CE1, CE2. Legend: primary edge port, secondary edge port, block port.]
SEP multi-instance allows two SEP segments to be configured on a physical ring. Each SEP
segment independently detects the completeness of a physical ring and blocks or unblocks
interfaces without affecting the other.
A physical ring may contain one or two SEP segments. Each SEP segment needs to be
configured with a protected instance, each protected instance indicating a VLAN range. The
topology calculated by a SEP segment is only valid for that SEP segment.
After different protected instances are configured for SEP segments and the mapping between
protected instances and VLANs is set, a blocked interface is only valid for the VLANs
protected by the SEP segment where the blocked interface resides. Data traffic for different
VLANs can be transmitted along different paths. This implements traffic load balancing and
link backup.
[Figure: SEP multi-instance networking diagram. Labels: LSW1 to LSW4, SEP Segment1,
SEP Segment2, P1, P2, Instance1: VLAN 100~200, Instance2: VLAN 201~400, CE1, CE2.
Legend: primary edge port, secondary edge port, block port.]
In Figure 17-8, the SEP multi-instance ring network that consists of LSW1 to LSW4 has two
SEP segments. P1 is the blocked interface in SEP segment 1, and P2 is the blocked interface
in SEP segment 2.
• Protected instance 1 is configured in SEP segment 1 to protect the data from VLAN 100
to VLAN 200. The data is transmitted along path LSW1 -> LSW2. As the blocked
interface in SEP segment 2, P2 blocks only the data from VLAN 201 to VLAN 400.
• Protected instance 2 is configured in SEP segment 2 to protect the data from VLAN 201
to VLAN 400. The data is transmitted along path LSW3 -> LSW4. As the blocked
interface in SEP segment 1, P1 blocks only the data from VLAN 100 to VLAN 200.
When a node or link fault occurs, each SEP segment calculates its own topology
independently, and the nodes in each SEP segment update their own LSA databases.
In Figure 17-9, a fault occurs on the link between LSW3 and LSW4. The link fault does not
affect the transmission path for the data from VLAN 100 to VLAN 200 in SEP segment 1, but
blocks the transmission path for the data from VLAN 201 to VLAN 400 in SEP segment 2.
Figure 17-9 Networking diagram for a link fault on a SEP multi-instance network
[Diagram: LSW1 to LSW4 with SEP Segment1 (P1) and SEP Segment2 (P2); Instance1: VLAN
100~200 (CE1), Instance2: VLAN 201~400 (CE2). Legend: primary edge port, secondary edge
port, blocked port.]
After the link between LSW3 and LSW4 becomes faulty, LSW3 starts to send LSAs to
instruct the other devices in SEP segment 2 to update their LSA databases, and the blocked
interface enters the Forwarding state. After the topology of SEP segment 2 is recalculated, the
data from VLAN 201 to VLAN 400 is transmitted along path LSW3 -> LSW1 -> LSW2.
After the link between LSW3 and LSW4 recovers, the devices in SEP segment 2 perform
delayed preemption. After the preemption delay expires, P1 becomes the blocked interface
again, and sends LSAs to instruct the other devices in SEP segment 2 to update their LSA
databases. After the topology of SEP segment 2 is recalculated, the data from VLAN 201 to
VLAN 400 is transmitted along path LSW3 -> LSW4.
[Figure 17-10: open ring networking. LSW1 to LSW5 form a SEP segment between the network
and the CE.]
In Figure 17-10, LSW1 to LSW5 are not directly connected and form an open ring to connect
to a Layer 2 network.
[Figure 17-11: closed ring networking. LSW1 to LSW5 form a SEP segment.]
In Figure 17-11, LSW1 to LSW5 form a dual-homed link to access a Layer 2 network. LSW1
and LSW5 at the edge of the Layer 2 network are directly connected.
[Figure 17-12: multi-ring networking. LSW1 to LSW5 and LSW6 to LSW14 form several SEP
segments (the labels SEP Segment 2 to SEP Segment 5 are legible). Legend: blocked port.]
In Figure 17-12, LSW1 to LSW5 are at the aggregation layer, and LSW6 to LSW14 are at the
access layer. Layer 2 services are transparently transmitted at the access layer and the
aggregation layer.
If the topology of the access layer changes, a node in the SEP segment sends a Flush-FDB
packet to instruct other nodes in the SEP segment to update their MAC address tables and
ARP tables. Edge devices in the SEP segment send TC packets to notify the upper-layer
network that the topology of the SEP segment changes.
[Figure 17-13: hybrid SEP+MSTP ring networking. PE1 to PE4 run MSTP; LSW1 to LSW3 form the
SEP segment. Legend: no-neighbor primary edge port, no-neighbor secondary edge port,
blocked port.]
In Figure 17-13, LSW1 to LSW3 form a SEP segment to access the MSTP ring. LSW1 to
LSW3 are at the access layer and transparently transmit Layer 2 unicast and multicast
services.
If the topology of the access layer changes, a node in the SEP segment sends a Flush-FDB
packet to instruct other nodes in the SEP segment to update their MAC address tables and
ARP tables. LSW1 and LSW2 at the edge of the SEP segment send a TC packet to notify the
aggregation layer of the topology change in the SEP segment.
[Figure 17-14: hybrid SEP+RRPP ring networking. PE1 to PE4 run RRPP; PE1, PE2 and LSW1 to
LSW3 form the SEP segment. Legend: primary edge port, secondary edge port, blocked port.]
In Figure 17-14, PE1, PE2 and LSW1 to LSW3 form a SEP segment to access the RRPP
ring. PE1, PE2 and LSW1 to LSW3 are at the access layer and transparently transmit Layer 2
unicast and multicast services. When SEP runs at the access layer, redundancy protection
switching can be implemented at the access layer.
If the topology of the access layer changes, a node in the SEP segment sends a Flush-FDB
packet to instruct other nodes to update their MAC address tables and ARP tables. PE1 and
PE2 at the edge of the SEP segment send a TC packet to notify the aggregation layer of the
topology change in the SEP segment.
A physical ring may contain one or two SEP segments. Each SEP segment needs to be
configured with a protected instance, each protected instance indicating a VLAN range. The
topology calculated by a SEP segment is only valid for that SEP segment.
After different protected instances are configured for SEP segments and the mapping between
protected instances and VLANs is set, a blocked interface is only valid for the VLANs
protected by the SEP segment where the blocked interface resides. Data traffic for different
VLANs can be transmitted along different paths. This implements traffic load balancing and
link backup.
[Figure: SEP multi-instance networking. LSW1 to LSW4 carry SEP Segment1 (P1) and SEP
Segment2 (P2); Instance1: VLAN 100~200 (CE1), Instance2: VLAN 201~400 (CE2). Legend:
primary edge port, secondary edge port, blocked port.]
[Figure 17-16: SEP associated with CFM. PE-AGG1 and PE-AGG2 connect to the IP/MPLS core
and run CFM; LSW1 to LSW5 form the SEP segment above the CE. Legend: no-neighbor primary
edge port, no-neighbor secondary edge port, blocked port.]
SEP associated with Ethernet CFM
In Figure 17-16, LSW1 to LSW5 run SEP to implement redundancy protection switching at
the access layer and display the topology. The interface associated with CFM is in the SEP
segment.
When the SEP status of the interface associated with CFM goes Down, LSW2 must send a
Flush-FDB packet to notify other nodes of the topology changes. After LSW3 receives the
Flush-FDB packet, the blocked interface on LSW3 is unblocked and enters the Forwarding
state. The interface sends a Flush-FDB packet to instruct the other nodes to update their MAC
address and ARP tables. Therefore, the lower-layer network can then detect the faults on the
upper-layer network, ensuring reliable service transmission.
Configure basic SEP functions. (17.6 Configuring SEP)
After basic SEP functions are configured on devices, the devices start SEP negotiation.
Interfaces that complete neighbor negotiations last are blocked to eliminate redundant links.
NOTE
When logging in to nodes on a SEP semi-ring through Telnet to configure the nodes, note the
following points:
• VLANIF interfaces and their IP addresses need to be configured, because these nodes are
  Layer 2 devices. The VLANs to which these VLANIF interfaces correspond must be mapped to
  SEP protected instances.
• Basic SEP functions need to be configured from the node at one end of the semi-ring to the
  node at the other end of the semi-ring.

Configure the topology change notification function. (17.9 Configuring the Topology Change
Notification Function)
A SEP network must work together with another network that runs other features. If the
topology of one network changes, the other network must be able to detect the topology
change and take measures to ensure reliable data transmission. Therefore, the topology
change notification function must be enabled on the SEP network to ensure network
reliability.
Licensing Requirements
SEP configuration commands are available only after the S1720GW, S1720GWR, and
S1720X have the license (WEB management to full management Electronic RTU License)
loaded and activated and the switches are restarted. SEP configuration commands on other
models are not under license control.
For details about how to apply for a license, see S Series Switch License Use Guide.
Version Requirements
S5710-C-LI V200R001C00
S5730SI V200R011C10
S5730S-EI V200R011C10
NOTE
For details about software mappings, see Hardware Query Tool.
Feature Limitations
• Table 17-10 lists the specification of SEP.
• On a SEP network where there are no-neighbor edge interfaces, a device that is not in a
  SEP segment cannot be added to the control VLAN of the SEP segment. Otherwise, a
  loop will occur on the network.
Pre-configuration Tasks
Before configuring basic SEP functions, complete the following tasks:
Context
A SEP segment is the basic unit of SEP. A SEP segment consists of interconnected Layer 2
switching devices configured with the same SEP segment ID and control VLAN ID.
After SEP is configured on a device, you can run the description command to configure the
description of the SEP segment, including the SEP segment ID, to facilitate maintenance.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run sep segment segment-id
A SEP segment is created and the view of the SEP segment is displayed.
----End
Context
In a SEP segment, a control VLAN is used to transmit SEP packets but not service packets,
enhancing SEP security. Each SEP segment must be configured with a control VLAN. After
being added to a SEP segment configured with a control VLAN, an interface is added to the
control VLAN automatically.
NOTE
On a SEP network that has no-neighbor edge interfaces, a device that is not in a SEP segment cannot be
added to the control VLAN of the SEP segment. Otherwise, a loop will occur on the network.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run sep segment segment-id
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run control-vlan vlan-id
A control VLAN is configured for the SEP segment to transmit SEP packets.
The control VLAN must be a VLAN that has not been created and is not used by RRPP, dynamic
instances of VBST, VLAN mapping, or VLAN stacking. Additionally, no interface can have been
added to the control VLAN in trunk, access, hybrid, or qinq mode.
• Different SEP segments can use the same control VLAN.
• If an interface has been added to the SEP segment, the control VLAN of the SEP
  segment cannot be deleted directly. To delete the control VLAN, run the undo sep
  segment segment-id command in the interface view to delete the interface from the SEP
  segment, and then run the undo control-vlan command in the SEP segment view to
  delete the control VLAN.
• If no interface is added to the SEP segment, you can run the control-vlan vlan-id
  command multiple times. Only the latest configuration takes effect.
• After the control VLAN is created successfully, the command used to create a common
  VLAN will be displayed in the configuration file.
  Each SEP segment must be configured with a control VLAN. After an interface is added
  to a SEP segment configured with a control VLAN, the interface will be automatically
  added to the control VLAN.
  – If the interface type is trunk, in the configuration file, the port trunk allow-pass
    vlan command is displayed in the view of the interface added to the SEP segment.
  – If the interface type is hybrid, in the configuration file, the port hybrid tagged vlan
    command is displayed in the view of the interface added to the SEP segment.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Create and configure the mapping between MSTIs and VLANs.
NOTE
If the stp mode vbst command sets the STP working mode to VBST, you must perform this step to
configure the mapping between MSTIs and VLANs. Otherwise, the protected instance in a SEP segment
cannot be configured.
NOTE
When the mapping between MSTIs and VLANs is not configured, the SEP protected instance is valid
for all VLANs.
----End
Context
To ensure that SEP packets are forwarded correctly in a SEP segment, add Layer 2 interfaces
to the SEP segment and configure different roles for the interfaces.
After an interface is added to a SEP segment, the interface sets its interface role to the primary
edge interface if the interface has the right to participate in primary edge interface election.
Then, the interface periodically sends a primary edge interface election packet without
waiting for the success of neighbor negotiations.
A primary edge interface election packet contains the interface role (primary edge interface,
secondary edge interface, or common interface), bridge MAC address of the interface,
interface ID, and integrity of the topology database.
Table 17-11 lists interface roles.
Edge interface: Primary edge interface
A SEP segment has only one primary edge interface, which is determined by the configuration
and election.
Open ring networking; Closed ring networking; Multi-ring networking
NOTE
• Normally, edge interfaces and no-neighbor edge interfaces belong to different SEP segments.
• Before adding a Layer 2 interface to a SEP segment, ensure that STP has been disabled on the
  interface (unless the interface is a no-neighbor edge interface).
• Before adding an interface to a SEP segment, disable Smart Link on the interface.
• Before adding an interface to a SEP segment, disable port security on the interface; otherwise,
  loops cannot be prevented.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of an Ethernet interface added to the SEP segment is displayed.
NOTE
----End
Specify the interface in the middle of a SEP segment as the blocked interface: This mode
applies to a network where traffic is symmetrically distributed. After fault recovery, the
interface in the middle of a SEP segment becomes the blocked interface.
Perform the following operations on the device where the primary edge interface or
no-neighbor primary edge interface is located:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run sep segment segment-id
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run block port { optimal | middle | hop hop-id | sysname sysname interface {
interface-type interface-number | interface-name } }
An interface blocking mode is set.
By default, one of the interfaces at two ends of the link that is set up last or recovers from a
fault last is blocked.
----End
Follow-up Procedure
If the interface with the highest priority is specified to block, run the sep segment segment-id
priority priority command in the view of the interface to be blocked to increase its priority.
When a fault is rectified, the specified interface is blocked.
The default priority of an interface added to a SEP segment is 64. The priority value of an
interface is an integer that ranges from 1 to 128. A larger priority value indicates a higher
priority.
Context
After the interface blocking mode is specified, whether a specified interface will be blocked is
determined by the preemption mode. Table 17-13 lists the preemption modes.
Preemption mode: Delayed preemption
Each time a fault is rectified, the system automatically completes preemption and ensures
that the specified interface is blocked.
• The delayed preemption mode needs to be specified in advance. There is no default delay in
  preemption, and the delay time needs to be configured using a command.
• After delayed preemption is configured successfully, a fault needs to be simulated to ensure
  that the specified interface is blocked.
Perform the following operations on the Layer 2 switching device where the primary edge
interface or no-neighbor primary edge interface resides.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run sep segment segment-id
A SEP segment is created and the view of the SEP segment is displayed.
By default, no preemption mode is configured on the primary edge interface, that is, the
non-preemption mode is used.
----End
Procedure
• Run the display sep topology [ segment segment-id ] [ verbose ] command to check the
  topology status of a specified SEP segment.
----End
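[Figure 17-17: SEP multi-instance networking. LSW1 to LSW4 sit between the core (IP/MPLS
core) and access layers and carry SEP Segment1 (P1) and SEP Segment2 (P2), with Instance1 on
the CE1 side and Instance2 on the CE2 side. Legend: primary edge port, secondary edge port,
blocked port.]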
SEP multi-instance is used to improve bandwidth efficiency and implement traffic load
balancing and link backup. In Figure 17-17, multiple instances are deployed in the SEP
segment, and protected instances are mapped to different VLANs. Data traffic for different
VLANs can be transmitted along different paths.
NOTE
Currently, SEP multi-instance allows two SEP segments to be configured on a physical ring. Different
blocked interfaces and priorities need to be configured for the two SEP segments.
Pre-configuration Tasks
Before configuring SEP multi-instance, complete the following tasks:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp region-configuration
The MST region view is displayed.
Step 3 Run instance instance-id vlan { vlan-id [ to vlan-id ] } &<1-10>
Mappings between protected instances and VLANs are configured.
The value of instance-id specified in this command must be the same as that of instance-id
specified in the protected-instance command.
Before you switch a VLAN from one SEP segment to another segment, shut down the
blocked port. If you do not shut down the blocked port, a routing loop may occur after the
VLAN switchover.
NOTE
To configure the mapping between a protected instance and a MUX VLAN, you are advised to configure
the principal VLAN, subordinate group VLANs, and subordinate separate VLANs of the MUX VLAN
in the same protected instance. Otherwise, loops may occur.
----End
NOTE
Currently, topology changes in a SEP segment can be reported to other SEP segments, STP networks,
RRPP networks, VPLS networks, and SmartLink networks.
Only S5720EI, S5720HI, S6720EI, and S6720S-EI support VPLS networks.
After receiving a topology change notification from a lower-layer network, a device on the
upper-layer network sends TC packets to instruct other devices on the upper-layer network to
clear original MAC addresses and learn new MAC addresses after the topology of the
lower-layer network changes. This ensures uninterrupted traffic forwarding.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run sep segment segment-id
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run tc-notify { segment { segment-id1 [ to segment-id2 ] } &<1-10> | stp | rrpp |
smart-link send-packet vlan vlan-id | vpls }
The topology change of the specified SEP segment is reported to another SEP segment or a
network running other ring protocols such as STP or RRPP.
By default, the topology change of a SEP segment is not reported.
NOTE
----End
Follow-up Procedure
In the networking scenario where three or more SEP ring networks exist, when a topology
change notification is sent through multiple links, the upper-layer network will receive it
multiple times. This reduces packet processing efficiency on the upper-layer network.
Therefore, topology change notifications need to be suppressed. Suppressing topology change
notifications frees the upper-layer network from processing multiple duplicate packets and
protects the devices in the SEP segment against topology change notification attacks.
Run the tc-protection interval interval-value command in the SEP segment view to set the
interval for suppressing topology change notifications.
By default, the interval for suppressing topology change notifications is 2s, and three
topology change notifications with different source addresses are processed within 2s.
NOTE
• In the networking scenario where three or more SEP ring networks exist, the tc-protection interval
  interval-value command must be run. If this command is not run, the default interval for suppressing
  topology change notifications is used.
• A longer interval ensures stable SEP operation but reduces convergence performance.
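The requirements this guide states for SEP (a control VLAN on every segment, STP and port security disabled on interfaces that join a segment unless the interface is a no-neighbor edge interface, and an explicit tc-protection interval where tc-notify is used) can be checked offline against a saved configuration file. The following Python audit is an added example, not Huawei code; the function names and the sample configuration are constructed, and the `port-security enable` and `edge no-neighbor` line forms are assumptions about how those settings appear in a configuration file.

```python
import re

# Constructed sample (not from the guide), laid out like the configuration files
# the guide prints: top-level blocks are separated by lines that start with '#'.
SAMPLE_CONFIG = """\
#
sysname LSW2
#
vlan batch 10 20 100
#
sep segment 1
 control-vlan 10
 tc-notify segment 2
 protected-instance 0 to 48
#
sep segment 2
 protected-instance 0 to 48
#
interface GigabitEthernet0/0/1
 port link-type hybrid
 port hybrid tagged vlan 10 100
 stp disable
 sep segment 1
 sep segment 1 priority 128
#
interface GigabitEthernet0/0/2
 port link-type hybrid
 port-security enable
 sep segment 2 edge primary
#
interface GigabitEthernet0/0/3
 port link-type hybrid
 sep segment 3 edge no-neighbor secondary
#
return
"""

SEGMENT_RE = re.compile(r"^sep segment (\d+)$")
# Interface-view line that adds the interface to a segment; the optional
# "edge [no-neighbor] primary|secondary" suffix is an assumed file format.
JOIN_RE = re.compile(r"^sep segment (\d+)(?: edge( no-neighbor)? (?:primary|secondary))?$")


def parse_sections(text):
    """Split a configuration file into (header, body_lines) at the '#' lines.

    Indentation is ignored, so files whose leading spaces were lost still parse.
    """
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "return":
            continue
        if line.startswith("#"):
            if current:
                sections.append((current[0], current[1:]))
            current = []
        else:
            current.append(line)
    if current:
        sections.append((current[0], current[1:]))
    return sections


def audit(text):
    """Return (location, finding) tuples for the SEP rules stated in the guide."""
    sections = parse_sections(text)
    segments = {}
    for header, body in sections:
        match = SEGMENT_RE.match(header)
        if match:
            segments[int(match.group(1))] = body

    findings = []
    for seg_id, body in sorted(segments.items()):
        where = f"sep segment {seg_id}"
        # Each SEP segment must be configured with a control VLAN.
        if not any(line.startswith("control-vlan ") for line in body):
            findings.append((where, "no control-vlan configured"))
        # Topology change reporting without an explicit suppression interval.
        notifies = any(line.startswith("tc-notify ") for line in body)
        protected = any(line.startswith("tc-protection interval ") for line in body)
        if notifies and not protected:
            findings.append((where, "tc-notify set but tc-protection interval left at default"))

    for header, body in sections:
        if not header.startswith("interface "):
            continue
        for line in body:
            match = JOIN_RE.match(line)
            if not match:
                continue
            seg_id, no_neighbor = int(match.group(1)), bool(match.group(2))
            if seg_id not in segments:
                findings.append((header, f"joins undefined sep segment {seg_id}"))
            # STP must be disabled unless this is a no-neighbor edge interface.
            if "stp disable" not in body and not no_neighbor:
                findings.append((header, "STP not disabled on SEP interface"))
            if "port-security enable" in body:
                findings.append((header, "port security enabled on SEP interface"))
    return findings


if __name__ == "__main__":
    for location, finding in audit(SAMPLE_CONFIG):
        print(f"{location}: {finding}")
```
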
Context
When a host is connected to a SEP network using a SmartLink group, the host sends
SmartLink Flush packets to inform the remote device in the SEP segment if devices in the
SmartLink group experience an active/standby switchover. Therefore, devices in a SEP
segment must be able to process SmartLink Flush packets.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run sep segment segment-id
A SEP segment is created and the view of the SEP segment is displayed.
Step 6 Run smart-link flush receive control-vlan vlan-id [ password { simple | sha } password ]
The control VLAN ID and password contained in Flush packets on both devices must be the
same.
----End
NOTE
IEEE 802.1ag, also known as Connectivity Fault Management (CFM), defines OAM functions, such as
continuity check (CC), link trace (LT) and loopback (LB), for Ethernet networks. CFM is network-level
OAM and applies to large-scale end-to-end networking.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run oam-mgr
The OAM management view is displayed.
Step 3 Run oam-bind ingress cfm md md-name ma ma-name egress sep segment segment-id interface
interface-type interface-number
Association between SEP and CFM is configured.
----End
• Run the display this command in the OAM management view to check the
  configuration of topology change notification on the upper-layer network topology.
----End
Context
SEP statistics cannot be restored after being cleared. Therefore, exercise caution when you
run reset commands.
Procedure
Step 1 Run the reset sep interface interface-type interface-number statistics command in the user
view to clear SEP packet statistics on a specified interface in a SEP segment.
----End
Networking Requirements
Generally, redundant links are used to connect an Ethernet switching network to an
upper-layer network to provide link backup and enhance network reliability. The use of redundant
links, however, may produce loops, causing broadcast storms and rendering the MAC address
table unstable. As a result, communication quality deteriorates, and services may even be
interrupted. SEP can be deployed on the ring network to eliminate loops and restore
communication if a link fault occurs.
In the closed ring networking, CE1 is dual-homed to a Layer 2 network through multiple
Layer 2 switching devices. The two edge devices connected to the upper-layer Layer 2
network are directly connected to each other. The closed ring network is deployed at the
aggregation layer to transparently transmit Layer 2 unicast and multicast packets. SEP runs at
the aggregation layer to implement link redundancy.
In Figure 17-18, Layer 2 switching devices LSW1 to LSW5 form a ring network.
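[Figure 17-18: closed ring SEP networking. The ring of Layer 2 switching devices forms SEP
Segment1 between the core layer (IP/MPLS core) and the access layer; ring interfaces are
labelled GE0/0/1, GE0/0/2 and GE0/0/3.]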
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic SEP functions.
a. Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the
control VLAN of SEP segment 1.
b. Add all devices on the ring to SEP segment 1, and configure the roles of GE0/0/1
and GE0/0/3 of LSW1 in SEP segment 1.
c. On the device where the primary edge interface is located, specify the interface with
the highest priority to block.
d. Set priorities of the interfaces in the SEP segment.
Set the highest priority for GE0/0/2 of LSW3 and retain the default priority of the
other interfaces so that GE0/0/2 of LSW3 will be blocked.
e. Configure delayed preemption on the device where the primary edge interface is
located.
2. Configure the Layer 2 forwarding function on CE1 and LSW1 to LSW5.
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the control
VLAN of SEP segment 1.
# Configure LSW1.
<HUAWEI> system-view
[HUAWEI] sysname LSW1
[LSW1] sep segment 1
[LSW1-sep-segment1] control-vlan 10
[LSW1-sep-segment1] protected-instance all
[LSW1-sep-segment1] quit
# Configure LSW2.
<HUAWEI> system-view
[HUAWEI] sysname LSW2
[LSW2] sep segment 1
[LSW2-sep-segment1] control-vlan 10
[LSW2-sep-segment1] protected-instance all
[LSW2-sep-segment1] quit
# Configure LSW3.
<HUAWEI> system-view
[HUAWEI] sysname LSW3
[LSW3] sep segment 1
[LSW3-sep-segment1] control-vlan 10
[LSW3-sep-segment1] protected-instance all
[LSW3-sep-segment1] quit
# Configure LSW4.
<HUAWEI> system-view
[HUAWEI] sysname LSW4
[LSW4] sep segment 1
[LSW4-sep-segment1] control-vlan 10
[LSW4-sep-segment1] protected-instance all
[LSW4-sep-segment1] quit
# Configure LSW5.
<HUAWEI> system-view
[HUAWEI] sysname LSW5
[LSW5] sep segment 1
[LSW5-sep-segment1] control-vlan 10
[LSW5-sep-segment1] protected-instance all
[LSW5-sep-segment1] quit
NOTE
– The control VLAN must be a VLAN that has not been created or used, but the configuration
file automatically displays the command for creating the VLAN.
– Each SEP segment must be configured with a control VLAN. After an interface is added to a
SEP segment configured with a control VLAN, the interface will be automatically added to the
control VLAN.
2. Add all devices on the ring to SEP segment 1 and configure interface roles on the
devices.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment,
disable STP on the interface.
# On LSW1, configure GE0/0/1 as the primary edge interface and GE0/0/3 as the
secondary edge interface.
# Configure LSW2.
[LSW2] interface gigabitethernet 0/0/1
[LSW2-GigabitEthernet0/0/1] port link-type hybrid
[LSW2-GigabitEthernet0/0/1] stp disable
[LSW2-GigabitEthernet0/0/1] sep segment 1
[LSW2-GigabitEthernet0/0/1] quit
[LSW2] interface gigabitethernet 0/0/2
[LSW2-GigabitEthernet0/0/2] port link-type hybrid
[LSW2-GigabitEthernet0/0/2] stp disable
[LSW2-GigabitEthernet0/0/2] sep segment 1
[LSW2-GigabitEthernet0/0/2] quit
# Configure LSW3.
[LSW3] interface gigabitethernet 0/0/1
[LSW3-GigabitEthernet0/0/1] port link-type hybrid
[LSW3-GigabitEthernet0/0/1] stp disable
[LSW3-GigabitEthernet0/0/1] sep segment 1
[LSW3-GigabitEthernet0/0/1] quit
[LSW3] interface gigabitethernet 0/0/2
[LSW3-GigabitEthernet0/0/2] port link-type hybrid
[LSW3-GigabitEthernet0/0/2] stp disable
[LSW3-GigabitEthernet0/0/2] sep segment 1
[LSW3-GigabitEthernet0/0/2] quit
# Configure LSW4.
[LSW4] interface gigabitethernet 0/0/1
[LSW4-GigabitEthernet0/0/1] port link-type hybrid
[LSW4-GigabitEthernet0/0/1] stp disable
[LSW4-GigabitEthernet0/0/1] sep segment 1
[LSW4-GigabitEthernet0/0/1] quit
[LSW4] interface gigabitethernet 0/0/2
[LSW4-GigabitEthernet0/0/2] port link-type hybrid
[LSW4-GigabitEthernet0/0/2] stp disable
[LSW4-GigabitEthernet0/0/2] sep segment 1
[LSW4-GigabitEthernet0/0/2] quit
# Configure LSW5.
[LSW5] interface gigabitethernet 0/0/1
[LSW5-GigabitEthernet0/0/1] port link-type hybrid
[LSW5-GigabitEthernet0/0/1] stp disable
[LSW5-GigabitEthernet0/0/1] sep segment 1
[LSW5-GigabitEthernet0/0/1] quit
[LSW5] interface gigabitethernet 0/0/3
[LSW5-GigabitEthernet0/0/3] port link-type hybrid
[LSW5-GigabitEthernet0/0/3] stp disable
[LSW5-GigabitEthernet0/0/3] sep segment 1
[LSW5-GigabitEthernet0/0/3] quit
NOTE
– You must set the preemption delay when delayed preemption is used because there is no
default delay time.
– When the last faulty interface recovers, edge interfaces do not receive any fault notification
packet. If the primary edge interface does not receive any fault notification packet, it starts the
delay timer. After the delay timer expires, nodes in the SEP segment start blocked interface
preemption.
To implement delayed preemption in this example, simulate a port fault and then rectify the
fault. For example:
Run the shutdown command on GE0/0/2 of LSW2 to simulate an interface fault, and then run
the undo shutdown command on GE0/0/2 to rectify the fault.
Step 2 Configure the Layer 2 forwarding function on CE1 and LSW1 to LSW5.
For details about the configuration, see the configuration files.
Step 3 Verify the configuration.
• Run the shutdown command on GE0/0/1 of LSW3 to simulate an interface fault, and
  then run the display sep interface command on LSW3 to check whether GE0/0/2 of
  LSW3 has switched from the Discarding state to the Forwarding state.
<LSW3> display sep interface gigabitethernet 0/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE0/0/2 common up forwarding
----End
Configuration Files
• LSW1 configuration file
#
sysname LSW1
#
vlan batch 10 100 200
#
sep segment 1
 control-vlan 10
 block port optimal
 preempt delay 30
 protected-instance 0 to 48
#
interface GigabitEthernet0/0/1
 port link-type hybrid
 port hybrid tagged vlan 10 100
 stp disable
 sep segment 1 edge primary
#
interface GigabitEthernet0/0/2
 port link-type hybrid
 port hybrid pvid vlan 200
 port hybrid tagged vlan 100
 port hybrid untagged vlan 200
#
interface GigabitEthernet0/0/3
 port link-type hybrid
links, however, may produce loops, causing broadcast storms and rendering the MAC address
table unstable. As a result, communication quality deteriorates, and services may even be
interrupted. SEP can be deployed on the ring network to eliminate loops and restore
communication if a link fault occurs.
In multi-ring networking, multiple rings consisting of Layer 2 switching devices are deployed
at the access layer and aggregation layer. SEP runs at the access layer and aggregation layer to
implement link redundancy.
In Figure 17-19, multiple Layer 2 switching devices form ring networks at the access layer
and aggregation layer.
SEP runs at the access layer and aggregation layer. When there is no faulty link on a ring
network, SEP can eliminate loops on the network. When a link fails on the ring network, SEP
can rapidly restore communication between nodes on the network.
[Figure 17-19: SEP multi-ring networking. SEP Segment 1 sits below the core layer (IP/MPLS
core); further SEP segments at the access layer attach through LSW2, LSW3 and LSW4 and
include LSW7 to LSW10; CE1 and CE2 connect at the access layer, with the labels VLAN 100 and
VLAN 200. Ring interfaces are labelled GE0/0/1 to GE0/0/4.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic SEP functions.
a. Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30
as their respective control VLANs.
▪ Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the
  control VLAN of SEP segment 1.
▪ Configure SEP segment 2 on LSW2, LSW3, and LSW6 to LSW8, and
  configure VLAN 20 as the control VLAN of SEP segment 2.
▪ Configure SEP segment 3 on LSW3, LSW4, and LSW9 to LSW11, and
  configure VLAN 30 as the control VLAN of SEP segment 3.
b. Add devices on the rings to the SEP segments and configure interface roles on the
edge devices of the SEP segments.
▪ On LSW1 to LSW5, add the interfaces on the ring at the access layer to SEP
  segment 1. Configure the roles of GE0/0/1 and GE0/0/3 of LSW1 in SEP
  segment 1.
▪ Add GE0/0/2 of LSW2, GE0/0/1 and GE0/0/2 of LSW6 to LSW8, and
  GE0/0/2 of LSW3 to SEP segment 2. Configure the roles of GE0/0/2 of LSW2
  and GE0/0/2 of LSW3 in SEP segment 2.
▪ Add GE0/0/1 of LSW3, GE0/0/1 and GE0/0/2 of LSW9 to LSW11, and
  GE0/0/1 of LSW4 to SEP segment 3. Configure the roles of GE0/0/1 of LSW3
  and GE0/0/1 of LSW4 in SEP segment 3.
c. Specify an interface to block on the device where the primary edge interface is
located.
▪ In SEP segment 1, specify the interface with the highest priority to block.
▪ In SEP segment 2, specify the device and interface names to block the
  specified interface.
▪ In SEP segment 3, specify the blocked interface based on the configured hop
  count.
d. Configure the preemption mode on the device where the primary edge interface is
located.
Configure delayed preemption in SEP segment 1 and manual preemption in SEP
segment 2 and SEP segment 3.
e. Configure the topology change notification function on the edge devices between
SEP segments, namely, LSW2, LSW3, and LSW4.
2. Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW11.
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30 as
their respective control VLANs, as shown in Figure 17-19.
# Configure LSW1.
<HUAWEI> system-view
[HUAWEI] sysname LSW1
[LSW1] sep segment 1
[LSW1-sep-segment1] control-vlan 10
[LSW1-sep-segment1] protected-instance all
[LSW1-sep-segment1] quit
# Configure LSW2.
<HUAWEI> system-view
[HUAWEI] sysname LSW2
[LSW2] sep segment 1
[LSW2-sep-segment1] control-vlan 10
[LSW2-sep-segment1] protected-instance all
[LSW2-sep-segment1] quit
[LSW2] sep segment 2
[LSW2-sep-segment2] control-vlan 20
[LSW2-sep-segment2] protected-instance all
[LSW2-sep-segment2] quit
# Configure LSW3.
<HUAWEI> system-view
[HUAWEI] sysname LSW3
[LSW3] sep segment 1
[LSW3-sep-segment1] control-vlan 10
[LSW3-sep-segment1] protected-instance all
[LSW3-sep-segment1] quit
[LSW3] sep segment 2
[LSW3-sep-segment2] control-vlan 20
[LSW3-sep-segment2] protected-instance all
[LSW3-sep-segment2] quit
[LSW3] sep segment 3
[LSW3-sep-segment3] control-vlan 30
[LSW3-sep-segment3] protected-instance all
[LSW3-sep-segment3] quit
# Configure LSW4.
<HUAWEI> system-view
[HUAWEI] sysname LSW4
[LSW4] sep segment 1
[LSW4-sep-segment1] control-vlan 10
[LSW4-sep-segment1] protected-instance all
[LSW4-sep-segment1] quit
[LSW4] sep segment 3
[LSW4-sep-segment3] control-vlan 30
[LSW4-sep-segment3] protected-instance all
[LSW4-sep-segment3] quit
# Configure LSW5.
<HUAWEI> system-view
[HUAWEI] sysname LSW5
[LSW5] sep segment 1
[LSW5-sep-segment1] control-vlan 10
[LSW5-sep-segment1] protected-instance all
[LSW5-sep-segment1] quit
NOTE
– The control VLAN must be a VLAN that has not been created or used, but the configuration
file automatically displays the command for creating the VLAN.
– Each SEP segment must be configured with a control VLAN. After an interface is added to a
SEP segment configured with a control VLAN, the interface will be automatically added to the
control VLAN.
2. Add devices on the rings to the SEP segments and configure interface roles according to
Figure 17-19.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment,
disable STP on the interface.
# On LSW1, configure GE0/0/1 as the primary edge interface and GE0/0/3 as the
secondary edge interface.
[LSW1] interface gigabitethernet 0/0/1
[LSW1-GigabitEthernet0/0/1] port link-type hybrid
[LSW1-GigabitEthernet0/0/1] stp disable
[LSW1-GigabitEthernet0/0/1] sep segment 1 edge primary
[LSW1-GigabitEthernet0/0/1] quit
[LSW1] interface gigabitethernet 0/0/3
[LSW1-GigabitEthernet0/0/3] port link-type hybrid
[LSW1-GigabitEthernet0/0/3] stp disable
[LSW1-GigabitEthernet0/0/3] sep segment 1 edge secondary
[LSW1-GigabitEthernet0/0/3] quit
# Configure LSW2.
[LSW2] interface gigabitethernet 0/0/1
[LSW2-GigabitEthernet0/0/1] port link-type hybrid
[LSW2-GigabitEthernet0/0/1] stp disable
[LSW2-GigabitEthernet0/0/1] sep segment 1
[LSW2-GigabitEthernet0/0/1] quit
[LSW2] interface gigabitethernet 0/0/3
[LSW2-GigabitEthernet0/0/3] port link-type hybrid
[LSW2-GigabitEthernet0/0/3] stp disable
[LSW2-GigabitEthernet0/0/3] sep segment 1
[LSW2-GigabitEthernet0/0/3] quit
[LSW2] interface gigabitethernet 0/0/2
[LSW2-GigabitEthernet0/0/2] port link-type hybrid
[LSW2-GigabitEthernet0/0/2] stp disable
[LSW2-GigabitEthernet0/0/2] sep segment 2 edge primary
[LSW2-GigabitEthernet0/0/2] quit
# Configure LSW3.
[LSW3] interface gigabitethernet 0/0/3
[LSW3-GigabitEthernet0/0/3] port link-type hybrid
[LSW3-GigabitEthernet0/0/3] stp disable
[LSW3-GigabitEthernet0/0/3] sep segment 1
[LSW3-GigabitEthernet0/0/3] quit
[LSW3] interface gigabitethernet 0/0/4
[LSW3-GigabitEthernet0/0/4] port link-type hybrid
[LSW3-GigabitEthernet0/0/4] stp disable
[LSW3-GigabitEthernet0/0/4] sep segment 1
[LSW3-GigabitEthernet0/0/4] quit
[LSW3] interface gigabitethernet 0/0/2
[LSW3-GigabitEthernet0/0/2] port link-type hybrid
[LSW3-GigabitEthernet0/0/2] stp disable
[LSW3-GigabitEthernet0/0/2] sep segment 2 edge secondary
[LSW3-GigabitEthernet0/0/2] quit
[LSW3] interface gigabitethernet 0/0/1
[LSW3-GigabitEthernet0/0/1] port link-type hybrid
[LSW3-GigabitEthernet0/0/1] stp disable
[LSW3-GigabitEthernet0/0/1] sep segment 3 edge secondary
[LSW3-GigabitEthernet0/0/1] quit
# Configure LSW4.
[LSW4] interface gigabitethernet 0/0/2
[LSW4-GigabitEthernet0/0/2] port link-type hybrid
[LSW4-GigabitEthernet0/0/2] stp disable
[LSW4-GigabitEthernet0/0/2] sep segment 1
[LSW4-GigabitEthernet0/0/2] quit
[LSW4] interface gigabitethernet 0/0/3
[LSW4-GigabitEthernet0/0/3] port link-type hybrid
[LSW4-GigabitEthernet0/0/3] stp disable
[LSW4-GigabitEthernet0/0/3] sep segment 1
[LSW4-GigabitEthernet0/0/3] quit
[LSW4] interface gigabitethernet 0/0/1
# Configure LSW5.
[LSW5] interface gigabitethernet 0/0/1
[LSW5-GigabitEthernet0/0/1] port link-type hybrid
[LSW5-GigabitEthernet0/0/1] stp disable
[LSW5-GigabitEthernet0/0/1] sep segment 1
[LSW5-GigabitEthernet0/0/1] quit
[LSW5] interface gigabitethernet 0/0/3
[LSW5-GigabitEthernet0/0/3] port link-type hybrid
[LSW5-GigabitEthernet0/0/3] stp disable
[LSW5-GigabitEthernet0/0/3] sep segment 1
[LSW5-GigabitEthernet0/0/3] quit
# On LSW3, set the priority of GE0/0/4 to 128, which is the highest priority among the
interfaces so that GE0/0/4 will be blocked.
[LSW3] interface gigabitethernet 0/0/4
[LSW3-GigabitEthernet0/0/4] sep segment 1 priority 128
[LSW3-GigabitEthernet0/0/4] quit
# On LSW4 where the primary edge interface of SEP segment 3 is located, specify the
blocked interface based on the configured hop count.
[LSW4] sep segment 3
[LSW4-sep-segment3] block port hop 5
[LSW4-sep-segment3] quit
NOTE
SEP sets the hop count of the primary edge interface to 1 and the hop count of the secondary edge
interface to 2. Hop counts of other interfaces increase by steps of 1 in the downstream direction of
the primary interface.
4. Configure the preemption mode.
# Configure delayed preemption on LSW1.
[LSW1] sep segment 1
[LSW1-sep-segment1] preempt delay 30
NOTE
– You must set the preemption delay when delayed preemption is used because there is no
default delay time.
– When the last faulty interface recovers, edge interfaces do not receive any fault notification
packet. If the primary edge interface does not receive any fault notification packet, it starts the
delay timer. After the delay timer expires, nodes in the SEP segment start blocked interface
preemption.
To implement delayed preemption in this example, simulate a port fault and then rectify the
fault. For example:
Run the shutdown command on GE0/0/2 of LSW2 to simulate an interface fault, and then run
the undo shutdown command on GE0/0/2 to rectify the fault.
# Configure manual preemption on LSW2.
[LSW2] sep segment 2
[LSW2-sep-segment2] preempt manual
# Configure LSW3.
[LSW3] sep segment 2
[LSW3-sep-segment2] tc-notify segment 1
[LSW3-sep-segment2] quit
# Configure LSW4.
[LSW4] sep segment 3
[LSW4-sep-segment3] tc-notify segment 1
[LSW4-sep-segment3] quit
NOTE
The topology change notification function is configured on edge devices between SEP segments
so that the upper-layer network can be notified of topology changes on the lower-layer network.
Step 2 Configure the Layer 2 forwarding function on the CEs and LSW1 to LSW11.
For details about the configuration, see the configuration files.
Step 3 Verify the configuration.
After completing the preceding configurations, verify the configuration. LSW1 is used as an
example.
● Run the shutdown command on GE0/0/1 of LSW2 to simulate an interface fault, and
then run the display sep interface command on LSW3 to check whether GE0/0/4 of
LSW3 has switched from the Discarding state to the Forwarding state.
<LSW3> display sep interface gigabitethernet 0/0/4
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE0/0/4 common up forwarding
----End
Configuration Files
● LSW1 configuration file
#
sysname LSW1
#
vlan batch 10 100 200 300
#
sep segment 1
control-vlan 10
block port optimal
preempt delay 30
protected-instance 0 to 48
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1 edge primary
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 300
port hybrid tagged vlan 100 200
port hybrid untagged vlan 300
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid tagged vlan 10 100 200 300
stp disable
sep segment 1 edge secondary
#
return
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1
#
return
● LSW3 configuration file
#
sysname LSW3
#
vlan batch 10 20 30 100 200
#
sep segment 1
control-vlan 10
protected-instance 0 to 48
sep segment 2
control-vlan 20
tc-notify segment 1
protected-instance 0 to 48
sep segment 3
control-vlan 30
tc-notify segment 1
protected-instance 0 to 48
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 30 100
stp disable
sep segment 3 edge secondary
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid tagged vlan 20 200
stp disable
sep segment 2 edge secondary
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1
#
interface GigabitEthernet0/0/4
port link-type hybrid
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1
sep segment 1 priority 128
#
return
● LSW4 configuration file
#
sysname LSW4
#
vlan batch 10 30 100 200
#
sep segment 1
control-vlan 10
protected-instance 0 to 48
sep segment 3
control-vlan 30
block port hop 5
tc-notify segment 1
protected-instance 0 to 48
#
interface GigabitEthernet0/0/1
#
return
● LSW7 configuration file
#
sysname LSW7
#
vlan batch 20 200
#
sep segment 2
control-vlan 20
protected-instance 0 to 48
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 20 200
stp disable
sep segment 2
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid tagged vlan 20 200
stp disable
sep segment 2
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid tagged vlan 200
#
return
● LSW8 configuration file
#
sysname LSW8
#
vlan batch 20 200
#
sep segment 2
control-vlan 20
protected-instance 0 to 48
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 20 200
stp disable
sep segment 2
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid tagged vlan 20 200
stp disable
sep segment 2
#
return
● LSW9 configuration file
#
sysname LSW9
#
vlan batch 30 100
#
sep segment 3
control-vlan 30
protected-instance 0 to 48
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 30 100
stp disable
sep segment 3
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid tagged vlan 30 100
stp disable
sep segment 3
#
return
● LSW10 configuration file
#
sysname LSW10
#
vlan batch 30 100
#
sep segment 3
control-vlan 30
protected-instance 0 to 48
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 30 100
stp disable
sep segment 3
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid tagged vlan 30 100
stp disable
sep segment 3
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid tagged vlan 100
#
return
● LSW11 configuration file
#
sysname LSW11
#
vlan batch 30 100
#
sep segment 3
control-vlan 30
protected-instance 0 to 48
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 30 100
stp disable
sep segment 3
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid tagged vlan 30 100
stp disable
sep segment 3
#
return
● CE1 configuration file
#
sysname CE1
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
return
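The rules stated in the notes of this example (every SEP segment needs a control VLAN, STP must be disabled on an interface before it joins a segment, and member interfaces carry the segment's control VLAN, as the configuration files show) can be checked offline against a saved configuration file. The Python audit below is an added example, not part of the Huawei guide; `SAMPLE_CONFIG`, the function names, and the exemption of no-neighbor edge interfaces from the STP check are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the LSW3 configuration file above. Defects:
# segment 3 has no control VLAN, GE0/0/2 lacks control VLAN 20, GE0/0/3 keeps STP.
SAMPLE_CONFIG = """\
#
sep segment 1
 control-vlan 10
sep segment 2
 control-vlan 20
sep segment 3
 protected-instance 0 to 48
#
interface GigabitEthernet0/0/1
 port hybrid tagged vlan 30 100
 stp disable
 sep segment 3 edge secondary
#
interface GigabitEthernet0/0/2
 port hybrid tagged vlan 200
 stp disable
 sep segment 2 edge secondary
#
interface GigabitEthernet0/0/3
 port hybrid tagged vlan 10 100 200
 sep segment 1
#
interface GigabitEthernet0/0/4
 port hybrid tagged vlan 10 100 200
 stp disable
 sep segment 1
 sep segment 1 priority 128
#
return
"""

VLAN_LINE = re.compile(r"port (?:hybrid (?:un)?tagged|trunk allow-pass) vlan (.+)")


def expand_vlans(spec):
    """Expand a VLAN list such as '10 100 to 102' (or 'all') into a set of IDs."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_config(text):
    """Return ({segment: control VLAN or None}, {interface: settings})."""
    segments, interfaces = {}, {}
    cur_seg = cur_if = None
    for line in map(str.strip, text.splitlines()):
        if line in ("#", "return"):            # "#" closes the current view
            cur_seg = cur_if = None
        elif line.startswith("interface "):
            cur_seg = None
            cur_if = interfaces.setdefault(line.split()[1], {
                "stp_disabled": False, "vlans": set(), "segments": {}})
        elif m := re.match(r"sep segment (\d+)\s*(.*)", line):
            seg, rest = int(m.group(1)), m.group(2)
            if cur_if is None:                  # segment view: a definition
                cur_seg = seg
                segments.setdefault(seg, None)
            elif not rest.startswith("priority"):
                cur_if["segments"][seg] = rest or "common"
        elif cur_seg is not None and line.startswith("control-vlan "):
            segments[cur_seg] = int(line.split()[1])
        elif cur_if is not None and line == "stp disable":
            cur_if["stp_disabled"] = True
        elif cur_if is not None and (m := VLAN_LINE.fullmatch(line)):
            cur_if["vlans"] |= expand_vlans(m.group(1))
    return segments, interfaces


def audit(text):
    """Check a configuration file against the SEP rules stated in the notes."""
    segments, interfaces = parse_config(text)
    findings = [f"segment {s}: no control-vlan configured"
                for s, vlan in sorted(segments.items()) if vlan is None]
    for name, intf in interfaces.items():
        for seg, role in intf["segments"].items():
            # Assumption: no-neighbor edge ports face non-SEP devices and keep STP.
            if not intf["stp_disabled"] and "no-neighbor" not in role:
                findings.append(f"{name}: STP still enabled on segment {seg} member")
            vlan = segments.get(seg)
            if vlan is not None and vlan not in intf["vlans"]:
                findings.append(f"{name}: control VLAN {vlan} of segment {seg} not carried")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

The parser accepts both indented configuration files and the unindented form printed in this guide.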
Networking Requirements
Generally, redundant links are used to connect an Ethernet switching network to an upper-
layer network to provide link backup and enhance network reliability. The use of redundant
links, however, may produce loops, causing broadcast storms and rendering the MAC address
table unstable. As a result, communication quality deteriorates, and services may even be
interrupted. SEP can be deployed on the ring network to eliminate loops and restore
communication if a link fault occurs.
NOTE
In this example, devices at the aggregation layer run the MSTP protocol.
In Figure 17-20, multiple Layer 2 switching devices form a ring at the access layer, and
multiple Layer 3 devices form a ring at the aggregation layer. The two devices where the
access layer and the aggregation layer intersect do not support SEP. You can configure
SEP at the access layer to implement redundancy protection switching and configure the
topology change notification function on an edge device in a SEP segment. This function
enables an upper-layer network to detect topology changes in a lower-layer network in time.
● When there is no faulty link on the ring network, SEP can eliminate loops.
● When a link fails on the ring network, SEP can rapidly restore communication between
nodes.
● The topology change notification function must be configured on an edge device in a
SEP segment. This enables an upper-layer network to detect topology changes in a
lower-layer network in time.
After receiving a message indicating the topology change in a lower-layer network, a device
on an upper-layer network sends TC packets to instruct other devices to delete original MAC
addresses and learn new MAC addresses after the topology of the lower-layer network
changes. This ensures uninterrupted traffic forwarding.
[Figure 17-20: networking diagram (image not reproduced). Labels: IP/MPLS Core; Core, Aggregation and Access layers; PE3, PE4; MSTP; "Do not Support SEP"; LSW1, LSW2 and LSW3 in SEP Segment1; CE; VLAN100. Legend: no-neighbor primary edge port, no-neighbor secondary edge port, block port (SEP), block port (MSTP).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic SEP functions.
a. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as the
control VLAN of SEP segment 1.
b. Add LSW1 to LSW3 to SEP segment 1 and configure interface roles on the edge
devices (LSW1 and LSW2) of the SEP segment.
NOTE
PE1 and PE2 do not support the SEP protocol; therefore, the interfaces of LSW1 and LSW2
connected to the PEs must be no-neighbor edge interfaces.
c. On the device where the no-neighbor primary edge interface is located, specify the
interface in the middle of the SEP segment as the interface to block.
d. Configure manual preemption.
e. Configure the topology change notification function so that the upper-layer network
running MSTP can be notified of topology changes in the SEP segment.
2. Configure basic MSTP functions.
a. Add LSW1, LSW2, and PE1 to PE4 to MST region RG1.
b. Create VLANs on LSW1, LSW2, and PE1 to PE4, and add interfaces on the STP ring to
the VLANs.
c. Configure PE3 as the root bridge and PE4 as the backup root bridge.
3. Configure the Layer 2 forwarding function on CE and LSW1 to LSW3.
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as the control
VLAN of SEP segment 1.
# Configure LSW1.
<HUAWEI> system-view
[HUAWEI] sysname LSW1
[LSW1] sep segment 1
[LSW1-sep-segment1] control-vlan 10
[LSW1-sep-segment1] protected-instance all
[LSW1-sep-segment1] quit
# Configure LSW2.
<HUAWEI> system-view
[HUAWEI] sysname LSW2
[LSW2] sep segment 1
[LSW2-sep-segment1] control-vlan 10
[LSW2-sep-segment1] protected-instance all
[LSW2-sep-segment1] quit
# Configure LSW3.
<HUAWEI> system-view
[HUAWEI] sysname LSW3
[LSW3] sep segment 1
[LSW3-sep-segment1] control-vlan 10
[LSW3-sep-segment1] protected-instance all
[LSW3-sep-segment1] quit
NOTE
– The control VLAN must be a VLAN that has not been created or used, but the configuration
file automatically displays the command for creating the VLAN.
– Each SEP segment must be configured with a control VLAN. After an interface is added to a
SEP segment configured with a control VLAN, the interface will be automatically added to the
control VLAN.
2. Add LSW1 to LSW3 to SEP segment 1 and configure interface roles.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment,
disable STP on the interface.
# Configure LSW1.
# Configure LSW2.
[LSW2] interface gigabitethernet 0/0/1
[LSW2-GigabitEthernet0/0/1] port link-type hybrid
[LSW2-GigabitEthernet0/0/1] sep segment 1 edge no-neighbor secondary
[LSW2-GigabitEthernet0/0/1] quit
[LSW2] interface gigabitethernet 0/0/2
[LSW2-GigabitEthernet0/0/2] port link-type hybrid
[LSW2-GigabitEthernet0/0/2] stp disable
[LSW2-GigabitEthernet0/0/2] sep segment 1
[LSW2-GigabitEthernet0/0/2] quit
# Configure LSW3.
[LSW3] interface gigabitethernet 0/0/1
[LSW3-GigabitEthernet0/0/1] port link-type hybrid
[LSW3-GigabitEthernet0/0/1] stp disable
[LSW3-GigabitEthernet0/0/1] sep segment 1
[LSW3-GigabitEthernet0/0/1] quit
[LSW3] interface gigabitethernet 0/0/2
[LSW3-GigabitEthernet0/0/2] port link-type hybrid
[LSW3-GigabitEthernet0/0/2] stp disable
[LSW3-GigabitEthernet0/0/2] sep segment 1
[LSW3-GigabitEthernet0/0/2] quit
# Configure LSW2.
[LSW2] sep segment 1
[LSW2-sep-segment1] tc-notify stp
[LSW2-sep-segment1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] stp region-configuration
[PE2-mst-region] region-name RG1
[PE2-mst-region] active region-configuration
[PE2-mst-region] quit
# Configure PE3.
<HUAWEI> system-view
[HUAWEI] sysname PE3
[PE3] stp region-configuration
[PE3-mst-region] region-name RG1
[PE3-mst-region] active region-configuration
[PE3-mst-region] quit
# Configure PE4.
<HUAWEI> system-view
[HUAWEI] sysname PE4
[PE4] stp region-configuration
[PE4-mst-region] region-name RG1
[PE4-mst-region] active region-configuration
[PE4-mst-region] quit
# Configure LSW1.
[LSW1] stp region-configuration
[LSW1-mst-region] region-name RG1
[LSW1-mst-region] active region-configuration
[LSW1-mst-region] quit
# Configure LSW2.
[LSW2] stp region-configuration
[LSW2-mst-region] region-name RG1
[LSW2-mst-region] active region-configuration
[LSW2-mst-region] quit
# On PE2, PE3, and PE4, create VLAN 100 and add GE0/0/1, GE0/0/2, and GE0/0/3 to
VLAN 100.
The configurations of PE2, PE3, and PE4 are similar to the configuration of PE1. For
details about the configuration, see the configuration files.
# On LSW1 and LSW2, create VLAN 100 and add GE0/0/1 to VLAN 100. The
configurations of LSW1 and LSW2 are similar to the configuration of PE1. For details
about the configuration, see the configuration files.
3. Enable MSTP.
# Configure PE1.
[PE1] stp enable
# Configure PE2.
[PE2] stp enable
# Configure PE3.
[PE3] stp enable
# Configure PE4.
[PE4] stp enable
# Configure LSW1.
[LSW1] stp enable
# Configure LSW2.
[LSW2] stp enable
4. Configure PE3 as the root bridge and PE4 as the backup root bridge.
# Set the priority of PE3 to 0 in MSTI0 to ensure that PE3 functions as the root bridge.
[PE3] stp root primary
# Set the priority of PE4 to 4096 in MSTI0 to ensure that PE4 functions as the backup
root bridge.
[PE4] stp root secondary
Step 3 Configure the Layer 2 forwarding function on the CE and LSW1 to LSW3.
For details about the configuration, see the configuration files.
Step 4 Verify the configuration.
After the configurations are complete and the network becomes stable, run the following
commands to verify the configuration. LSW1 is used as an example.
● Run the shutdown command on GE0/0/1 of LSW2 to simulate an interface fault, and
then run the display sep interface command on LSW3 to check whether GE0/0/2 of
LSW3 has switched from the Discarding state to the Forwarding state.
<LSW3> display sep interface gigabitethernet 0/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE0/0/2 common up forwarding
----End
Configuration Files
● LSW1 configuration file
#
sysname LSW1
#
vlan batch 10 100
#
stp region-configuration
region-name RG1
active region-configuration
#
sep segment 1
control-vlan 10
block port middle
tc-notify stp
protected-instance 0 to 48
#
interface GigabitEthernet0/0/1
port link-type hybrid
#
vlan batch 100
#
stp region-configuration
region-name RG1
active region-configuration
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid tagged vlan 100
#
return
● PE2 configuration file
#
sysname PE2
#
vlan batch 100
#
stp region-configuration
region-name RG1
active region-configuration
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid tagged vlan 100
#
return
● PE3 configuration file
#
sysname PE3
#
vlan batch 100 200
#
stp instance 0 root primary
#
stp region-configuration
region-name RG1
active region-configuration
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid tagged vlan 100 200
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid pvid vlan 200
port hybrid tagged vlan 100
port hybrid untagged vlan 200
#
return
● CE configuration file
#
sysname CE
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
return
Networking Requirements
Generally, redundant links are used to connect an Ethernet switching network to an upper-
layer network to provide link backup and enhance network reliability. The use of redundant
links, however, may produce loops, causing broadcast storms and rendering the MAC address
table unstable. As a result, communication quality deteriorates, and services may even be
interrupted. SEP can be deployed on the ring network to eliminate loops and restore
communication if a link fault occurs.
In this example, you can configure SEP at the access layer to implement redundancy
protection switching and configure the topology change notification function on an edge
device in a SEP segment. This enables an upper-layer network to detect topology changes in a
lower-layer network in time.
[Figure 17-21: networking diagram (image not reproduced). Labels: Network; NPE1, NPE2; Aggregation and Access layers; PE3, PE4; RRPP; LSW1, LSW2 and LSW3 in SEP Segment1; CE; VLAN100. Legend: primary edge port, secondary edge port, block port (SEP), block port (RRPP).]
In Figure 17-21, multiple Layer 2 switching devices at the access layer and aggregation layer
form a ring network to access the core layer. RRPP has been configured at the aggregation
layer to eliminate loops. In this case, SEP needs to run at the access layer to implement the
following functions:
● Provides the topology change notification function on an edge device in a SEP segment.
This function enables an upper-layer network to detect topology changes in a lower-layer
network in time.
After receiving a message indicating the topology change in a lower-layer network, a
device on an upper-layer network sends TC packets to instruct other devices to delete
original MAC addresses and learn new MAC addresses after the topology of the lower-
layer network changes. This ensures uninterrupted traffic forwarding.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic SEP functions.
a. Configure SEP segment 1 on PE1, PE2, and LSW1 to LSW3 and configure VLAN
10 as the control VLAN of SEP segment 1.
b. Add PE1, PE2, and LSW1 to LSW3 to SEP segment 1, and configure interface
roles on edge devices (PE1 and PE2) of the SEP segment.
c. Set an interface blocking mode on the device where a primary edge interface is
located to specify an interface to block.
d. Configure the preemption mode to ensure that the specified interface is blocked
when a fault is rectified.
e. Configure the topology change notification function so that the topology change in
the local SEP segment can be notified to the upper-layer network where RRPP is
enabled.
2. Configure basic RRPP functions.
a. Add PE1 to PE4 to RRPP domain 1, create control VLAN 5 on PE1 to PE4, and
configure a protected VLAN.
b. Configure PE1 as the master node and PE2 to PE4 as transit nodes on the major
ring, and configure the primary and secondary interfaces of the major ring.
c. Create a VLAN on PE1 to PE4, and add the interfaces on the RRPP ring network to
the VLAN.
3. Configure the Layer 2 forwarding function on the CE, LSW1 to LSW3, and PE1 to PE4.
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 on PE1, PE2, and LSW1 to LSW3 and configure VLAN 10 as
the control VLAN of SEP segment 1.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] sep segment 1
[PE1-sep-segment1] control-vlan 10
[PE1-sep-segment1] protected-instance all
[PE1-sep-segment1] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] sep segment 1
[PE2-sep-segment1] control-vlan 10
# Configure LSW1.
<HUAWEI> system-view
[HUAWEI] sysname LSW1
[LSW1] sep segment 1
[LSW1-sep-segment1] control-vlan 10
[LSW1-sep-segment1] protected-instance all
[LSW1-sep-segment1] quit
# Configure LSW2.
<HUAWEI> system-view
[HUAWEI] sysname LSW2
[LSW2] sep segment 1
[LSW2-sep-segment1] control-vlan 10
[LSW2-sep-segment1] protected-instance all
[LSW2-sep-segment1] quit
# Configure LSW3.
<HUAWEI> system-view
[HUAWEI] sysname LSW3
[LSW3] sep segment 1
[LSW3-sep-segment1] control-vlan 10
[LSW3-sep-segment1] protected-instance all
[LSW3-sep-segment1] quit
2. Add PE1, PE2, and LSW1 to LSW3 to SEP segment 1 and configure interface roles.
NOTE
By default, STP is enabled on an interface. Before adding an interface to a SEP segment, disable
STP on the interface.
# Configure PE1.
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] port link-type trunk
[PE1-GigabitEthernet0/0/1] stp disable
[PE1-GigabitEthernet0/0/1] sep segment 1 edge primary
[PE1-GigabitEthernet0/0/1] quit
# Configure LSW1.
[LSW1] interface gigabitethernet 0/0/1
[LSW1-GigabitEthernet0/0/1] port link-type trunk
[LSW1-GigabitEthernet0/0/1] stp disable
[LSW1-GigabitEthernet0/0/1] sep segment 1
[LSW1-GigabitEthernet0/0/1] quit
[LSW1] interface gigabitethernet 0/0/2
[LSW1-GigabitEthernet0/0/2] port link-type trunk
[LSW1-GigabitEthernet0/0/2] stp disable
[LSW1-GigabitEthernet0/0/2] sep segment 1
[LSW1-GigabitEthernet0/0/2] quit
# Configure LSW2.
[LSW2] interface gigabitethernet 0/0/1
[LSW2-GigabitEthernet0/0/1] port link-type trunk
[LSW2-GigabitEthernet0/0/1] stp disable
[LSW2-GigabitEthernet0/0/1] sep segment 1
[LSW2-GigabitEthernet0/0/1] quit
[LSW2] interface gigabitethernet 0/0/2
[LSW2-GigabitEthernet0/0/2] port link-type trunk
[LSW2-GigabitEthernet0/0/2] stp disable
[LSW2-GigabitEthernet0/0/2] sep segment 1
[LSW2-GigabitEthernet0/0/2] quit
# Configure LSW3.
[LSW3] interface gigabitethernet 0/0/1
[LSW3-GigabitEthernet0/0/1] port link-type trunk
[LSW3-GigabitEthernet0/0/1] stp disable
[LSW3-GigabitEthernet0/0/1] sep segment 1
[LSW3-GigabitEthernet0/0/1] quit
# Configure PE2.
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] port link-type trunk
[PE2-GigabitEthernet0/0/1] stp disable
[PE2-GigabitEthernet0/0/1] sep segment 1 edge secondary
[PE2-GigabitEthernet0/0/1] quit
After completing the preceding configurations, run the display sep topology command
on PE1 to view the topology of the SEP segment. The command output shows that the
blocked interface is one of the two interfaces that complete neighbor negotiations last.
[PE1] display sep topology
SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE0/0/1 primary forwarding 1
LSW1 GE0/0/1 common forwarding 2
LSW1 GE0/0/2 common forwarding 3
LSW3 GE0/0/2 common forwarding 4
LSW3 GE0/0/1 common forwarding 5
LSW2 GE0/0/2 common forwarding 6
LSW2 GE0/0/1 common forwarding 7
PE2 GE0/0/1 secondary discarding 8
# Configure PE2.
[PE2] sep segment 1
[PE2-sep-segment1] tc-notify rrpp
[PE2-sep-segment1] quit
After the preceding configurations are successful, perform the following operations to verify
the configurations. PE1 is used as an example.
● Run the display sep topology command on PE1 to view the topology of the SEP
segment.
The command output shows that the status of GE 0/0/2 on LSW3 is discarding and the
status of the other interfaces is forwarding.
[PE1] display sep topology
SEP segment 1
-------------------------------------------------------------------------
● Run the display sep interface verbose command on PE1 to view detailed information
about the interfaces added to the SEP segment.
[PE1] display sep interface verbose
SEP segment 1
Control-vlan :10
Preempt Delay Timer :0
TC-Notify Propagate to :rrpp
----------------------------------------------------------------
Interface :GE0/0/1
Port Role :Config = primary / Active = primary
Port Priority :64
Port Status :forwarding
Neighbor Status :up
Neighbor Port :LSW1 - GE0/0/1 (00e0-0829-7c00.0000)
NBR TLV rx :2124 tx :2126
LSP INFO TLV rx :2939 tx :135
LSP ACK TLV rx :113 tx :768
PREEMPT REQ TLV rx :0 tx :3
PREEMPT ACK TLV rx :3 tx :0
TC Notify rx :5 tx :3
EPA rx :363 tx :397
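The two `display sep topology` checks in this example (the output captured on PE1 before the blocked interface is moved, and the expected state in which only GE0/0/2 on LSW3 is discarding) can be automated by parsing the table. The Python check below is an added example, not Huawei tooling; the function names are assumptions, and `AFTER_PREEMPTION` is a sample constructed from the sentence describing the expected state.

```python
import re

# "display sep topology" output for PE1 as shown earlier in this example,
# captured before the blocked interface has been moved.
BEFORE_PREEMPTION = """\
SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE0/0/1 primary forwarding 1
LSW1 GE0/0/1 common forwarding 2
LSW1 GE0/0/2 common forwarding 3
LSW3 GE0/0/2 common forwarding 4
LSW3 GE0/0/1 common forwarding 5
LSW2 GE0/0/2 common forwarding 6
LSW2 GE0/0/1 common forwarding 7
PE2 GE0/0/1 secondary discarding 8
"""

# Constructed sample: the state the guide describes after verification, with
# GE0/0/2 on LSW3 discarding and every other interface forwarding.
AFTER_PREEMPTION = """\
SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE0/0/1 primary forwarding 1
LSW1 GE0/0/1 common forwarding 2
LSW1 GE0/0/2 common forwarding 3
LSW3 GE0/0/2 common discarding 4
LSW3 GE0/0/1 common forwarding 5
LSW2 GE0/0/2 common forwarding 6
LSW2 GE0/0/1 common forwarding 7
PE2 GE0/0/1 secondary forwarding 8
"""

# Five whitespace-separated columns ending in a numeric hop; the title,
# separator and header lines do not match.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_topology(text):
    """Return the table rows as dicts, in the order the switch printed them."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            node, port, role, status, hop = m.groups()
            rows.append({"node": node, "port": port, "role": role,
                         "status": status, "hop": int(hop)})
    return rows


def check_segment(text, expected_blocked=None):
    """Return findings for one segment; an empty list means the checks passed."""
    rows = parse_topology(text)
    findings = []
    roles = [r["role"] for r in rows]
    for edge in ("primary", "secondary"):
        if roles.count(edge) != 1:
            findings.append(f"expected one {edge} edge port, saw {roles.count(edge)}")
    if [r["hop"] for r in rows] != list(range(1, len(rows) + 1)):
        findings.append("hop numbers are not contiguous from 1")
    blocked = [(r["node"], r["port"]) for r in rows if r["status"] == "discarding"]
    if not blocked:
        findings.append("no discarding port: nothing is breaking the ring")
    elif len(blocked) > 1:
        findings.append("multiple discarding ports: "
                        + ", ".join(f"{n} {p}" for n, p in blocked))
    elif expected_blocked and blocked[0] != tuple(expected_blocked):
        findings.append("blocked port is %s %s, expected %s %s"
                        % (*blocked[0], *expected_blocked))
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE_PREEMPTION), ("after", AFTER_PREEMPTION)):
        print(label, check_segment(sample, ("LSW3", "GE0/0/2")) or "OK")
```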
# Configure PE2.
[PE2] stp region-configuration
[PE2-mst-region] instance 1 vlan 5 6 100
[PE2-mst-region] active region-configuration
[PE2-mst-region] quit
[PE2] rrpp domain 1
[PE2-rrpp-domain-region1] control-vlan 5
[PE2-rrpp-domain-region1] protected-vlan reference-instance 1
# Configure PE3.
[PE3] stp region-configuration
[PE3-mst-region] instance 1 vlan 5 6 100
[PE3-mst-region] active region-configuration
[PE3-mst-region] quit
[PE3] rrpp domain 1
[PE3-rrpp-domain-region1] control-vlan 5
[PE3-rrpp-domain-region1] protected-vlan reference-instance 1
# Configure PE4.
[PE4] stp region-configuration
[PE4-mst-region] instance 1 vlan 5 6 100
[PE4-mst-region] active region-configuration
[PE4-mst-region] quit
[PE4] rrpp domain 1
[PE4-rrpp-domain-region1] control-vlan 5
[PE4-rrpp-domain-region1] protected-vlan reference-instance 1
2. Create a VLAN and add interfaces on the ring network to the VLAN.
# Create VLAN 100 on PE1, and add GE 0/0/1, GE 0/0/2, and GE 0/0/3 to VLAN 100.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] stp disable
[PE1-GigabitEthernet0/0/1] port link-type trunk
[PE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[PE1-GigabitEthernet0/0/1] quit
[PE1] interface gigabitethernet 0/0/2
[PE1-GigabitEthernet0/0/2] stp disable
[PE1-GigabitEthernet0/0/2] port link-type trunk
[PE1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[PE1-GigabitEthernet0/0/2] quit
[PE1] interface gigabitethernet 0/0/3
[PE1-GigabitEthernet0/0/3] stp disable
[PE1-GigabitEthernet0/0/3] port link-type trunk
[PE1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[PE1-GigabitEthernet0/0/3] quit
# Create VLAN 100 on PE2, and add GE 0/0/1, GE 0/0/2, and GE 0/0/3 to VLAN 100.
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] stp disable
[PE2-GigabitEthernet0/0/1] port link-type trunk
[PE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[PE2-GigabitEthernet0/0/1] quit
[PE2] interface gigabitethernet 0/0/2
[PE2-GigabitEthernet0/0/2] stp disable
[PE2-GigabitEthernet0/0/2] port link-type trunk
[PE2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[PE2-GigabitEthernet0/0/2] quit
[PE2] interface gigabitethernet 0/0/3
[PE2-GigabitEthernet0/0/3] stp disable
[PE2-GigabitEthernet0/0/3] port link-type trunk
[PE2-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[PE2-GigabitEthernet0/0/3] quit
# Create VLAN 100 on PE3, and add GE 0/0/1 and GE 0/0/2 to VLAN 100.
[PE3] vlan 100
[PE3-vlan100] quit
[PE3] interface gigabitethernet 0/0/1
[PE3-GigabitEthernet0/0/1] stp disable
[PE3-GigabitEthernet0/0/1] port link-type trunk
[PE3-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[PE3-GigabitEthernet0/0/1] quit
[PE3] interface gigabitethernet 0/0/2
[PE3-GigabitEthernet0/0/2] stp disable
[PE3-GigabitEthernet0/0/2] port link-type trunk
[PE3-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[PE3-GigabitEthernet0/0/2] quit
# Create VLAN 100 on PE4, and add GE 0/0/1 and GE 0/0/2 to VLAN 100.
[PE4] vlan 100
[PE4-vlan100] quit
[PE4] interface gigabitethernet 0/0/1
[PE4-GigabitEthernet0/0/1] stp disable
[PE4-GigabitEthernet0/0/1] port link-type trunk
[PE4-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[PE4-GigabitEthernet0/0/1] quit
[PE4] interface gigabitethernet 0/0/2
[PE4-GigabitEthernet0/0/2] stp disable
[PE4-GigabitEthernet0/0/2] port link-type trunk
3. Configure PE1 as the master node and PE2 to PE4 as transit nodes on the major ring, and
configure the primary and secondary interfaces of the major ring.
# Configure PE1.
[PE1] rrpp domain 1
[PE1-rrpp-domain-region1] ring 1 node-mode master primary-port
gigabitethernet0/0/2 secondary-port gigabitethernet0/0/3 level 0
[PE1-rrpp-domain-region1] ring 1 enable
# Configure PE2.
[PE2] rrpp domain 1
[PE2-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitethernet0/0/2 secondary-port gigabitethernet0/0/3 level 0
[PE2-rrpp-domain-region1] ring 1 enable
# Configure PE3.
[PE3] rrpp domain 1
[PE3-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitethernet0/0/1 secondary-port gigabitethernet0/0/2 level 0
[PE3-rrpp-domain-region1] ring 1 enable
# Configure PE4.
[PE4] rrpp domain 1
[PE4-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitethernet0/0/1 secondary-port gigabitethernet0/0/2 level 0
[PE4-rrpp-domain-region1] ring 1 enable
4. Enable RRPP.
# Configure PE1.
[PE1] rrpp enable
# Configure PE2.
[PE2] rrpp enable
# Configure PE3.
[PE3] rrpp enable
# Configure PE4.
[PE4] rrpp enable
After completing the preceding configurations, run the display rrpp brief or display rrpp
verbose domain command on PE1 to check the RRPP configuration.
[PE1] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Ring Ring Node Primary/Common Secondary/Edge Is
ID Level Mode Port Port Enabled
----------------------------------------------------------------------------
1 0 M GigabitEthernet0/0/2 GigabitEthernet0/0/3 Yes
The command output shows that RRPP is enabled on PE1. In domain 1, VLAN 5 is the major
control VLAN, VLAN 6 is the sub-control VLAN, Instance 1 is the protected VLAN, and
PE1 is the master node in major ring 1 with the primary and secondary interfaces as
GigabitEthernet0/0/2 and GigabitEthernet0/0/3 respectively.
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/2 Port status: UP
Secondary port : GigabitEthernet0/0/3 Port status: BLOCKED
The command output shows that in domain 1, VLAN 5 is the major control VLAN, VLAN 6
is the sub-control VLAN, Instance 1 is the protected VLAN, PE1 is the master node in major
ring 1 with the primary and secondary interfaces as GigabitEthernet0/0/2 and
GigabitEthernet0/0/3 respectively, and the node status is Complete.
Step 3 Configure the Layer 2 forwarding function on the CE, LSW1 to LSW3, and PE1 to PE4.
For the configuration details, see the configuration files.
Step 4 Verify the configuration.
After the previous configurations, run the following commands to verify the configuration
when the network is stable. LSW1 is used as an example.
l Run the shutdown command on GE0/0/1 of LSW2 to simulate an interface fault, and
then run the display sep interface command on LSW3 to check whether the status of
GE0/0/2 changes from blocked to forwarding.
[LSW3] display sep interface gigabitethernet 0/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE0/0/2 common up forwarding
----End
Configuration Files
l LSW1 configuration file
#
sysname LSW1
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
protected-instance 0 to 48
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
return
ring 1 enable
#
sep segment 1
control-vlan 10
block port middle
tc-notify rrpp
protected-instance 0 to 48
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1 edge primary
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
return
#
sysname PE3
#
vlan batch 5 to 6 100 200
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet 0/0/1 secondary-port
GigabitEthernet 0/0/2 level 0
ring 1 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100 200
stp disable
#
interface GigabitEthernet0/0/3
port link-type trunk
port default vlan 200
port trunk allow-pass vlan 5 to 6 100
#
return
l PE4 configuration file
#
sysname PE4
#
vlan batch 5 to 6 100 200
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet 0/0/1 secondary-port
GigabitEthernet 0/0/2 level 0
ring 1 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100 200
stp disable
#
interface GigabitEthernet0/0/3
port link-type trunk
port default vlan 200
port trunk allow-pass vlan 5 to 6 100
#
return
Networking Requirements
On a closed ring network, two SEP segments are configured to process different VLAN
services, implement load balancing, and provide link backup.
In typical SEP networking, a physical ring can be configured with only one SEP segment in
which only one interface can be blocked. If an interface in a complete SEP segment is
blocked, all service data is transmitted only along the path where the primary edge interface is
located. The path where the secondary edge interface is located remains idle, wasting
bandwidth.
To improve bandwidth efficiency and implement traffic load balancing, Huawei developed SEP
multi-instance.
[Figure: SEP multi-instance networking. Layers: Core (IP/MPLS Core, NPE1, NPE2), Aggregation (LSW1 to LSW4), Access (CE1, CE2). Instance1: VLAN 100~300; Instance2: VLAN 301~500. Other labels: P1, P2. Legend: SEP Segment1, SEP Segment2, Primary Edge Port, Secondary Edge Port, Block Port.]
In Figure 17-22, a ring network comprising Layer 2 switches (LSW1 to LSW5) is connected
to the network. SEP runs at the aggregation layer. SEP multi-instance is configured on LSW1
to LSW4 to allow for two SEP segments to improve bandwidth efficiency, implement load
balancing, and provide link backup.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic SEP functions.
Procedure
Step 1 Configure basic SEP functions.
l Configure SEP segment 1 and control VLAN 10.
# Configure LSW1.
<HUAWEI> system-view
[HUAWEI] sysname LSW1
[LSW1] sep segment 1
[LSW1-sep-segment1] control-vlan 10
[LSW1-sep-segment1] quit
# Configure LSW2.
<HUAWEI> system-view
[HUAWEI] sysname LSW2
[LSW2] sep segment 1
[LSW2-sep-segment1] control-vlan 10
[LSW2-sep-segment1] quit
# Configure LSW3.
<HUAWEI> system-view
[HUAWEI] sysname LSW3
[LSW3] sep segment 1
[LSW3-sep-segment1] control-vlan 10
[LSW3-sep-segment1] quit
# Configure LSW4.
<HUAWEI> system-view
[HUAWEI] sysname LSW4
[LSW4] sep segment 1
[LSW4-sep-segment1] control-vlan 10
[LSW4-sep-segment1] quit
# Configure LSW2.
[LSW2] sep segment 2
[LSW2-sep-segment2] control-vlan 10
[LSW2-sep-segment2] quit
# Configure LSW3.
[LSW3] sep segment 2
[LSW3-sep-segment2] control-vlan 10
[LSW3-sep-segment2] quit
# Configure LSW4.
[LSW4] sep segment 2
[LSW4-sep-segment2] control-vlan 10
[LSW4-sep-segment2] quit
NOTE
Step 2 Configure SEP protected instances, and configure mappings between SEP protected instances
and user VLANs.
# Configure LSW1.
[LSW1] vlan batch 100 to 500
[LSW1] sep segment 1
[LSW1-sep-segment1] protected-instance 1
[LSW1-sep-segment1] quit
[LSW1] sep segment 2
[LSW1-sep-segment2] protected-instance 2
[LSW1-sep-segment2] quit
[LSW1] stp region-configuration
[LSW1-mst-region] instance 1 vlan 100 to 300
[LSW1-mst-region] instance 2 vlan 301 to 500
[LSW1-mst-region] active region-configuration
[LSW1-mst-region] quit
The configurations of LSW2 to LSW4 are similar to that of LSW1, and are not mentioned
here. For details, see the configuration files.
Step 3 Add all the devices on the ring network to the SEP segments and configure interface roles.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment, disable
STP on the interface.
# On LSW1, configure GE0/0/1 as the primary edge interface and GE0/0/3 as the secondary
edge interface.
[LSW1] interface gigabitethernet 0/0/1
[LSW1-GigabitEthernet0/0/1] port link-type hybrid
[LSW1-GigabitEthernet0/0/1] stp disable
[LSW1-GigabitEthernet0/0/1] sep segment 1 edge primary
[LSW1-GigabitEthernet0/0/1] sep segment 2 edge primary
[LSW1-GigabitEthernet0/0/1] quit
[LSW1] interface gigabitethernet 0/0/3
[LSW1-GigabitEthernet0/0/3] port link-type hybrid
[LSW1-GigabitEthernet0/0/3] stp disable
[LSW1-GigabitEthernet0/0/3] sep segment 1 edge secondary
[LSW1-GigabitEthernet0/0/3] sep segment 2 edge secondary
[LSW1-GigabitEthernet0/0/3] quit
# Configure LSW2.
[LSW2] interface gigabitethernet 0/0/1
[LSW2-GigabitEthernet0/0/1] port link-type hybrid
[LSW2-GigabitEthernet0/0/1] stp disable
[LSW2-GigabitEthernet0/0/1] sep segment 1
[LSW2-GigabitEthernet0/0/1] sep segment 2
[LSW2-GigabitEthernet0/0/1] quit
[LSW2] interface gigabitethernet 0/0/2
[LSW2-GigabitEthernet0/0/2] port link-type hybrid
[LSW2-GigabitEthernet0/0/2] stp disable
# Configure LSW3.
[LSW3] interface gigabitethernet 0/0/1
[LSW3-GigabitEthernet0/0/1] port link-type hybrid
[LSW3-GigabitEthernet0/0/1] stp disable
[LSW3-GigabitEthernet0/0/1] sep segment 1
[LSW3-GigabitEthernet0/0/1] sep segment 2
[LSW3-GigabitEthernet0/0/1] quit
[LSW3] interface gigabitethernet 0/0/2
[LSW3-GigabitEthernet0/0/2] port link-type hybrid
[LSW3-GigabitEthernet0/0/2] stp disable
[LSW3-GigabitEthernet0/0/2] sep segment 1
[LSW3-GigabitEthernet0/0/2] sep segment 2
[LSW3-GigabitEthernet0/0/2] quit
# Configure LSW4.
[LSW4] interface gigabitethernet 0/0/1
[LSW4-GigabitEthernet0/0/1] port link-type hybrid
[LSW4-GigabitEthernet0/0/1] stp disable
[LSW4-GigabitEthernet0/0/1] sep segment 1
[LSW4-GigabitEthernet0/0/1] sep segment 2
[LSW4-GigabitEthernet0/0/1] quit
[LSW4] interface gigabitethernet 0/0/3
[LSW4-GigabitEthernet0/0/3] port link-type hybrid
[LSW4-GigabitEthernet0/0/3] stp disable
[LSW4-GigabitEthernet0/0/3] sep segment 1
[LSW4-GigabitEthernet0/0/3] sep segment 2
[LSW4-GigabitEthernet0/0/3] quit
# Configure delayed preemption and block an interface based on the device and interface
names on LSW1 where the primary edge interface is located.
[LSW1] sep segment 1
[LSW1-sep-segment1] block port sysname LSW3 interface gigabitethernet 0/0/1
[LSW1-sep-segment1] preempt delay 15
[LSW1-sep-segment1] quit
[LSW1] sep segment 2
[LSW1-sep-segment2] block port sysname LSW2 interface gigabitethernet 0/0/1
[LSW1-sep-segment2] preempt delay 15
[LSW1-sep-segment2] quit
NOTE
l In this configuration example, an interface fault needs to be simulated and then rectified to
implement delayed preemption. To ensure that delayed preemption takes effect on the two SEP
segments, simulate an interface fault in the two SEP segments. For example:
– In SEP segment 1, run the shutdown command on GE 0/0/1 of LSW2 to simulate an interface
fault. Then, run the undo shutdown command on GE0/0/1 to simulate interface fault recovery.
– In SEP segment 2, run the shutdown command on GE 0/0/1 of LSW3 to simulate an interface
fault. Then, run the undo shutdown command on GE0/0/1 to simulate interface fault recovery.
Step 5 Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW4.
The configuration details are not mentioned here. For details, see the configuration files.
Simulate a fault, and then check whether the status of the blocked interface changes from
blocked to forwarding.
Run the display sep interface command on LSW3 to check whether the status of GE0/0/1 in
SEP segment 1 changes from blocked to forwarding.
[LSW3] display sep interface gigabitethernet 0/0/1
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE0/0/1 common up forwarding
SEP segment 2
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE0/0/1 common up forwarding
The preceding command output shows that the status of GE0/0/1 changes from blocked to
forwarding and the forwarding path change in SEP segment 1 does not affect the forwarding
path in SEP segment 2.
----End
Configuration Files
l LSW1 configuration file
#
sysname LSW1
#
vlan batch 10 100 to 500
#
stp region-configuration
instance 1 vlan 100 to 300
instance 2 vlan 301 to 500
active region-configuration
#
sep segment 1
control-vlan 10
block port sysname LSW3 interface GigabitEthernet0/0/1
preempt delay 15
protected-instance 1
sep segment 2
control-vlan 10
block port sysname LSW2 interface GigabitEthernet0/0/1
preempt delay 15
protected-instance 2
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 10 100 to 500
stp disable
sep segment 1 edge primary
sep segment 2 edge primary
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid tagged vlan 10 100 to 500
stp disable
sep segment 1 edge secondary
sep segment 2 edge secondary
#
return
stp region-configuration
instance 1 vlan 100 to 300
instance 2 vlan 301 to 500
active region-configuration
#
sep segment 1
control-vlan 10
protected-instance 1
sep segment 2
control-vlan 10
protected-instance 2
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 10 100 to 500
stp disable
sep segment 1
sep segment 2
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid tagged vlan 10 100 to 500
stp disable
sep segment 1
sep segment 2
#
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid tagged vlan 100 to 300
#
return
18 RRPP Configuration
This chapter describes how to configure the Rapid Ring Protection Protocol (RRPP) to
prevent loops and implement fast convergence on ring networks.
Definition
The Rapid Ring Protection Protocol (RRPP) is a link layer protocol used to prevent loops on
an Ethernet ring network.
Once a network is established, RRPP-enabled devices discover and eliminate loops on the
network by blocking certain interfaces. If a network fault occurs, RRPP-enabled devices
unblock blocked interfaces and switch data services to a functioning link.
Purpose
The ring network topology is applied to metropolitan area networks (MANs) and enterprise
intranets to improve network reliability. If a fault occurs on a node or on a link between
nodes, data services are switched to the backup link to ensure service. However, broadcast
storms may occur on ring networks.
Many protocols can prevent broadcast storms on ring networks. However, if a fault occurs on
a ring network, most protocols are slow to switch data services to the backup link. The
network convergence is slow, causing service interruptions.
To shorten the convergence time and eliminate the impact of network scale on convergence
time, Huawei developed RRPP. Compared with other Ethernet ring protocols, RRPP has the
following advantages:
l RRPP can be applied to large networks because the convergence time is not affected by
the number of nodes on the ring network.
l RRPP prevents broadcast storms caused by data loops when an Ethernet ring is
complete.
l If a fault occurs on an Ethernet ring network, the backup link rapidly restores the
communication among the Ethernet ring network nodes.
Token ring: The token ring was the first ring technology introduced to the data
communication field and applied in LANs. The token ring does not have the
self-healing capability.
RRPP Entities
A group of interconnected switches configured with the same domain ID and control VLAN
constitute an RRPP domain.
RRPP Domain ID
An RRPP domain ID distinguishes an RRPP domain.
RRPP Ring
A physical RRPP ring uses an Ethernet ring topology. An RRPP domain comprises a single
ring or multiple interconnected rings. When multiple interconnected rings exist, one ring is
the major ring and the others are sub-rings.
An RRPP domain may have multiple sub-rings but only one major ring. The RRPP domain in
Figure 18-1 consists of a major ring and a sub-ring.
RRPP is applied to the networking of a single ring, intersecting rings, and tangent rings. For
details about different ring types, see Common RRPP Rings.
Node
Each device on an RRPP ring is a node. Nodes on the RRPP ring are classified into the
following types:
l Master node
The master node determines how to handle topology changes. Each RRPP ring must
have only one master node.
Any device on an Ethernet ring can serve as the master node.
The master node can be in either Complete or Failed state. The master node status
indicates the RRPP ring status.
l Transit node
On an RRPP ring, all nodes except the master node are transit nodes. A transit node
monitors the status of its directly-connected links and notifies the master node of link
changes.
A transit node can be in LinkUp, LinkDown, or Preforwarding state.
– When the primary and secondary interfaces of a transit node are Up, the transit node
is in LinkUp state. The transit node can receive and forward data packets and RRPP
packets.
– When the primary or secondary interface of a transit node is Down, the transit node
is in LinkDown state.
– When the primary or secondary interface of a transit node is Blocked, the transit
node is in Preforwarding state and can receive and forward only RRPP packets.
l Edge node and assistant edge node
A switch functions as an edge node or an assistant edge node on a sub-ring, and
functions as a transit node on the major ring.
On the link where the major ring and sub-ring overlap, if the switch on one intersection
point is an edge node, the switch on the other intersection point is an assistant edge node.
A sub-ring has only one edge node and one assistant edge node.
Edge nodes and assistant edge nodes are special transit nodes. They support the same
states as transit nodes but differ in the following situations:
– If an edge interface is Up, the edge node or assistant edge node is in LinkUp state
and can receive and forward data packets and RRPP packets.
– If an edge interface is Down, the edge node or assistant edge node is in LinkDown
state.
– If an edge interface is blocked, the edge node or assistant edge node is in
Preforwarding state and can receive and forward only RRPP packets.
If a link status change on an interface of an edge node or assistant edge node
causes a state transition, only the edge interface status changes.
NOTE
The status of the RRPP ring on a node is the status of the node.
Interfaces
Interfaces are classified into the following types:
l Primary interface and secondary interface
On both the master node and transit node, one of the two interfaces connected to an
Ethernet ring is the primary interface, and the other is the secondary interface. The
interface roles depend on the configuration.
The primary and secondary interfaces on the master node provide different functions:
– The master node sends Hello packets from its primary interface and receives Hello
packets on its secondary interface.
– Based on the network status, the master node blocks the secondary interface to
prevent loops or unblocks the secondary interface to ensure communication among
all the nodes on the ring.
The primary and secondary interfaces on a transit node provide the same function.
l Common interface and edge interface
On an edge node or an assistant edge node, an interface shared by the major ring and a
sub-ring is called the common interface. An interface used only by a sub-ring is called
the edge interface.
The common interface is considered an interface on the major ring and belongs to both
the major control VLAN and sub-control VLAN. The edge interface belongs only to the
sub-control VLAN.
Single Ring
When only a single ring exists in the network topology, you can define one RRPP domain and
one RRPP ring. This topology is applicable to simple ring networks and features a quick
response to topology changes and short convergence time.
[Figure: single RRPP ring. Labels: Domain 1, Ring 1, SwitchA, SwitchB.]
Intersecting Rings
When two or more rings exist in the network topology, and multiple common nodes exist
between two neighboring rings, they are considered intersecting rings and you need to define
only one RRPP domain. Configure one ring as the major ring and the remaining rings as sub-
rings. This topology is applicable when the master node on a sub-ring needs to be dual-homed
to the major ring through the edge node and assistant edge node to provide uplink backup.
[Figure: intersecting RRPP rings. Labels: SwitchA, SwitchB, SwitchE, Edge Node, Master Node, Ring 1, Ring 2.]
Tangent Rings
When two or more rings exist in the network topology and only one common node exists
between two neighboring rings, they are considered to be tangent rings, and you need to
configure the rings to belong to different RRPP domains. This topology is applicable to large-
scale networks that require domain-based management.
[Figure: tangent RRPP rings. Labels: SwitchA to SwitchG, Ring 1, Ring 2, Domain 2, Master Node, Transit Node.]
Hello (HEALTH): The master node sends Hello packets to check for loops on a network.
LINK-DOWN: Transit nodes, edge nodes, or assistant edge nodes send LINK-DOWN
packets to notify the master node that an interface is Down.
EDGE-HELLO: The edge node sends EDGE-HELLO packets on a sub-ring and the
assistant edge node on the same sub-ring receives EDGE-HELLO packets to check
whether the major ring is complete in the same RRPP domain as the sub-ring.
Although there are many different types of RRPP packets, they all have a similar format.
Figure 18-5 demonstrates the format of an RRPP packet.
Bit positions in each row: 0-7, 8-15, 16-23, 24-31, 32-47
Destination MAC address (6 bytes)
Source MAC address (6 bytes)
EtherType | PRI | VLAN ID | Frame Length
DSAP/SSAP | CONTROL | OUI = 0x00e02b
0x00bb | 0x99 | 0x0b | RRPP Length
RRPP_VER | RRPP TYPE | Domain ID | Ring ID
0x0000 | SYSTEM_MAC_ADDR (6 bytes)
HELLO_TIMER | FAIL_TIMER
0x00 | LEVEL | HELLO_SEQ | 0x0000
RESERVED (0x000000000000), repeated in six rows
l Destination MAC address: indicates the destination MAC address of the packet. The
field occupies 48 bits.
l Source MAC address: indicates the source MAC address of the packet. The MAC
address is the bridge MAC address. The field occupies 48 bits.
l EtherType: indicates the encapsulation type. The EtherType value is fixed as 0x8100,
which indicates tagged encapsulation. The field occupies 16 bits.
l PRI: indicates the Class of Service (CoS) value. The PRI value is fixed as 0xe. The field
occupies 4 bits.
l VLAN ID: indicates the ID of the VLAN to which the packet belongs. The field
occupies 12 bits.
l Frame Length: indicates the length of the Ethernet frame. The Frame Length value is
fixed as 0x0048. The field occupies 16 bits.
l DSAP/SSAP: indicates the destination or source service access point. The DSAP/SSAP
value is fixed as 0xaaaa. The field occupies 16 bits.
l CONTROL: The field has no significance and occupies 8 bits. The CONTROL value is
fixed as 0x03.
l OUI: The field has no significance and occupies 24 bits. The OUI value is fixed as
0x00e02b.
l RRPP_LENGTH: indicates the length of the RRPP data unit. The RRPP_LENGTH
value is fixed as 0x0040. The field occupies 16 bits.
l RRPP_VER: indicates the RRPP version. The current version is 0x01. The field
occupies 8 bits.
l RRPP TYPE: indicates the type of the RRPP packet. The field occupies 8 bits. The
RRPP packet types and values are described as follows:
– HEALTH = 0x05
– COMPLETE-FLUSH-FDB = 0x06
– COMMON-FLUSH-FDB = 0x07
– LINK-DOWN = 0x08
– EDGE-HELLO = 0x0a
– MAJOR-FAULT = 0x0b
l DOMAIN_ID: indicates the ID of the RRPP domain to which the packet belongs. The
field occupies 16 bits.
l RING_ID: indicates the ID of the RRPP ring to which the packet belongs. The field
occupies 16 bits.
l SYSTEM_MAC_ADDR: indicates the bridge MAC address from which the packet is
sent. The field occupies 48 bits.
l HELLO_TIMER: indicates the timeout period (in seconds) of the Hello timer on the
node that sends the packet. The field occupies 16 bits.
l FAIL_TIMER: indicates the timeout period (in seconds) of the Fail timer on the node
that sends the packet. The field occupies 16 bits.
l LEVEL: indicates the level of the RRPP ring to which the packet belongs. The field
occupies 8 bits.
l HELLO-SEQ: indicates the sequence number of the Hello packet. The field occupies 16
bits.
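The field list above can be turned into a decoder and sanity checker for captured RRPP frames; the following is an added example, not Huawei code. It assumes the unnamed constants occupy the width their hex literals suggest (0x00bb and 0x0000 two bytes; 0x99, 0x0b and 0x00 one byte), which gives a 90-byte frame that agrees with the fixed Frame Length 0x0048 and RRPP_LENGTH 0x0040. The function names, the sample MAC addresses and the optional control-VLAN check are illustrative assumptions, and the timer check applies the Fail/Hello rule given under Polling Mechanism.

```python
import struct

# RRPP TYPE codes exactly as listed on the page.
RRPP_TYPES = {0x05: "HEALTH", 0x06: "COMPLETE-FLUSH-FDB", 0x07: "COMMON-FLUSH-FDB",
              0x08: "LINK-DOWN", 0x0A: "EDGE-HELLO", 0x0B: "MAJOR-FAULT"}

# Everything before the RESERVED rows, in network byte order.
# ASSUMPTION: widths of the unnamed constants follow their hex literals. With this
# layout 72 bytes follow the Frame Length field (0x0048) and 64 bytes follow the
# 0x00bb constant (0x0040), matching the fixed values on the page.
_HDR = struct.Struct("!6s6s HHHH B3s HBBH BBHH H6s HH BBHH")
RESERVED_LEN = 6 * 6                      # six 6-byte RESERVED fields
FRAME_LEN = _HDR.size + RESERVED_LEN      # 54 + 36 = 90 bytes, FCS not included

# Values the page describes as fixed.
FIXED = {"ethertype": 0x8100, "pri": 0xE, "frame_length": 0x0048, "dsap_ssap": 0xAAAA,
         "control": 0x03, "oui": 0x00E02B, "rrpp_length": 0x0040, "rrpp_ver": 0x01}


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_rrpp(frame):
    """Decode one tagged RRPP frame (without FCS) into a dict of named fields."""
    if len(frame) < FRAME_LEN:
        raise ValueError(f"short frame: {len(frame)} bytes, need {FRAME_LEN}")
    (dst, src, ethertype, tci, frame_length, dsap_ssap, control, oui, _c_bb, _c_99,
     _c_0b, rrpp_length, ver, rtype, domain, ring, _z1, sys_mac, hello, fail,
     _z2, level, seq, _z3) = _HDR.unpack_from(frame)
    return {
        "dst_mac": _mac(dst), "src_mac": _mac(src), "ethertype": ethertype,
        "pri": tci >> 12, "vlan_id": tci & 0x0FFF,   # 4-bit PRI, 12-bit VLAN ID
        "frame_length": frame_length, "dsap_ssap": dsap_ssap, "control": control,
        "oui": int.from_bytes(oui, "big"), "rrpp_length": rrpp_length,
        "rrpp_ver": ver, "rrpp_type": rtype, "type": RRPP_TYPES.get(rtype),
        "domain_id": domain, "ring_id": ring, "system_mac": _mac(sys_mac),
        "hello_timer": hello, "fail_timer": fail, "level": level, "hello_seq": seq,
    }


def validate(p, control_vlans=None):
    """Return a list of findings for a parsed frame; an empty list means no deviation."""
    findings = [f"{k}: got {p[k]:#x}, expected {v:#x}"
                for k, v in FIXED.items() if p[k] != v]
    if p["type"] is None:
        findings.append(f"unknown RRPP TYPE {p['rrpp_type']:#04x}")
    # Timer rule from the page, checked on Hello (HEALTH) packets only.
    if p["type"] == "HEALTH" and p["fail_timer"] < 3 * p["hello_timer"]:
        findings.append("Fail timer is less than three times the Hello timer")
    # ASSUMPTION: the caller knows which control VLANs are configured for the domain.
    if control_vlans is not None and p["vlan_id"] not in control_vlans:
        findings.append(f"VLAN {p['vlan_id']} is not a configured control VLAN")
    return findings


def build_sample(rtype=0x05, vlan=5, hello=1, fail=6, seq=1):
    """Constructed test frame; both MAC addresses are placeholders, not real values."""
    dst = bytes.fromhex("020000000001")   # placeholder: the page gives no destination MAC
    src = bytes.fromhex("020000000002")   # placeholder bridge MAC
    tci = (0xE << 12) | vlan
    hdr = _HDR.pack(dst, src, 0x8100, tci, 0x0048, 0xAAAA, 0x03, bytes.fromhex("00e02b"),
                    0x00BB, 0x99, 0x0B, 0x0040, 0x01, rtype,
                    1, 1, 0, src, hello, fail, 0, 0, seq, 0)
    return hdr + bytes(RESERVED_LEN)


if __name__ == "__main__":
    good = parse_rrpp(build_sample())
    print(good["type"], good["vlan_id"], validate(good, control_vlans={5, 6}))
    bad = parse_rrpp(build_sample(vlan=100, hello=2, fail=5))
    for finding in validate(bad, control_vlans={5, 6}):
        print("finding:", finding)
```

The sample values (domain 1, ring 1, control VLAN 5, Hello timer 1 s, Fail timer 6 s) mirror the display rrpp brief output shown earlier in this guide.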
In Figure 18-6, the master node blocks its secondary interface to prevent broadcast loops
caused by data packets. The blocked secondary interface can only receive RRPP packets but
cannot forward data packets. Hello packets sent by the master node to monitor the ring status
can pass through the secondary interface.
[Figure: RRPP ring with the master node blocking its secondary interface. Labels: Network, Router1, Router2, Master Node, Block, P, S.]
Polling Mechanism
The master node uses a polling mechanism to monitor the ring status and perform operations
by sending Hello packets.
Hello timer and Fail timer
The polling mechanism uses the Hello timer and Fail timer.
l The value of the Hello timer specifies the interval at which the master node sends Hello
packets from the primary interface.
l The value of the Fail timer specifies the maximum delay between the primary interface
sending a Hello packet and the secondary interface receiving that Hello packet.
l The value of the Fail timer must be at least three times the value of the Hello timer.
The master node determines whether to unblock the secondary interface by sending a Hello
packet according to the value of the Hello timer and checking whether the secondary interface
receives the Hello packet within the delay specified by the Fail timer.
Process of the polling mechanism
The process of the polling mechanism is as follows:
1. The master node periodically sends a Hello packet from its primary interface based on
the value of the Hello timer.
2. The Hello packet is transmitted along transit nodes on the ring, as shown in Figure 18-6.
The master node typically receives the Hello packet on its secondary interface.
– If the secondary interface on the master node receives the Hello packet before the
Fail timer times out, the master node considers the ring complete.
– If the secondary interface on the master node has not received the Hello packet
when the Fail timer times out, the master node considers the ring faulty.
[Figure: link failure on an RRPP ring. Labels: Network, Router1, Router2, SwitchA, SwitchB, Interface1, Interface2, Link Failure, Master Node, P, S, User network. Legend: primary interface, secondary interface, Data Packet, LINK-DOWN.]
l When SwitchA and SwitchB detect the link failure, they send LinkDown packets to the
master node from Interface1 and Interface2 respectively.
l Upon receiving a LinkDown packet, the master node changes from Complete state to
Failed state and unblocks the secondary interface so that data packets can pass through.
l When the network topology changes, the master node updates the forwarding entries to
ensure correct packet forwarding. In addition, the master node sends a Common-Flush-
FDB packet from the primary and secondary interfaces to request that all transit nodes
update the forwarding entries.
Nodes on an RRPP ring monitor the link status of their interfaces. If a fault occurs on a link,
the status of the interface directly connected to the link becomes Down. Upon detecting the
Down state, the node immediately takes the following measures:
l If the primary interface on the master node is Down, the master node detects the link
fault and immediately unblocks the secondary interface. In addition, the master node
sends a Common-Flush-FDB packet from the secondary interface to request that all the
transit nodes on the ring update their MAC address entries and ARP entries.
l If the interface on a transit node is Down, the node sends a LinkDown packet from its
interface in Up state to the master node. When receiving the LinkDown packet, the
master node changes to Failed state and unblocks its secondary interface. When the
network topology changes, the master node must update its MAC address entries and
ARP entries to prevent incorrect packet forwarding. In addition, the master node sends a
Common-Flush-FDB packet from its primary and secondary interfaces to request that all
transit nodes update their MAC address entries and ARP entries.
Polling mechanism
If the LinkDown packet is lost during transmission, the polling mechanism is used on the
master node.
The master node periodically sends Hello packets from its primary interface. The packets are
then transmitted through all transit nodes on the ring. If the secondary interface on the master
node does not receive the Hello packet from the primary interface in the specified period, the
master node considers the ring faulty. The fault is processed in the same way as a fault
actively reported by a transit node. The master node changes to Failed state and unblocks the
secondary interface. In addition, the master node sends a Common-Flush-FDB packet from its
primary and secondary interfaces to request that all transit nodes update their MAC address
entries and ARP entries.
The LinkDown notification mechanism processes faults more quickly than the polling
mechanism, allowing RRPP to implement fast link switchover and convergence.
1. When the faulty interface on a transit node recovers, the transit node enters the
Preforwarding state and blocks the recovered interface.
2. After all the failed links on the ring recover, the secondary interface on the master node
receives the Hello packets sent from the primary interface.
3. When receiving the Hello packets, the master node enters the Complete state and blocks
the secondary interface.
4. The master node sends a Complete-Flush-FDB packet from the primary interface to
request that all transit nodes update forwarding entries.
5. When receiving the Complete-Flush-FDB packet, the transit node enters the LinkUp
state, unblocks the temporarily blocked interface, and updates forwarding entries.
[Figure: RRPP ring after link recovery. Labels: Network, Router1, Router2, Master Node, Block, P, S, User network. Legend: primary interface, secondary interface, Data Packet, COMPLETE-FLUSH-FDB.]
primary interface to request that all transit nodes update their MAC address entries and ARP
entries. Upon receiving the Complete-Flush-FDB packet from the master node, the transit
nodes in Preforwarding state enter the LinkUp state.
If the Complete-Flush-FDB packet is lost during transmission, a backup mechanism is used to
unblock the temporarily blocked interfaces on transit nodes. If a transit node is in
Preforwarding state, the transit node unblocks the temporarily blocked interfaces when
receiving no Complete-Flush-FDB packet from the master node in the period specified by the
Fail timer. The transit node then updates its MAC address entries and ARP entries to recover
data communication.
LinkUp Timer
After the link recovers, traffic transmission paths are switched frequently if the link status
changes frequently on a ring. As a result, loop flapping occurs and system performance
deteriorates. To address this problem, a LinkUp timer is used to set the period after which the
faulty master node enters the Complete state. This prevents transmission paths from changing
frequently and reduces loop flapping impact on system performance.
If a LinkUp timer is configured, the master node does not immediately enter Complete state
when its secondary interface receives a Hello message. Instead, the master node triggers the
LinkUp timer and performs the following operations:
l Before the LinkUp timer expires, the master node does not process the Hello message
received from the secondary interface and the RRPP ring topology remains unchanged.
If the link status changes (for example, the master node receives a LinkDown packet or
the link goes Down), the timer is stopped.
l After the LinkUp timer expires, the master node processes the Hello message. The
master node blocks its secondary interface and requests all transit nodes to update their
forwarding entries. The RRPP ring is re-converged.
[Figure: RRPP ring with a link failure, between the user network and Router1/Router2.
Labels: Master Node, SwitchC, SwitchD, Link Failure, Block, P (primary interface),
S (secondary interface). Legend: Data Flow1, Data Flow2.]
In Figure 18-9, traffic between SwitchC and SwitchD is forwarded along data flow 1 when
the ring fails. After the fault is rectified, the RRPP ring recalculates the topology. Traffic
between SwitchC and SwitchD is switched to data flow 2.
l When no LinkUp timer is configured, if the recovered link is unstable and fails again, the
RRPP ring recalculates the topology. Traffic between SwitchC and SwitchD is switched
to data flow 1. This may cause frequent changes of traffic transmission paths. As a result,
traffic is lost and system performance deteriorates.
l When a LinkUp timer is configured, traffic is not switched immediately when the fault is
rectified. If the recovered link fails again, traffic between SwitchC and SwitchD is still
transmitted along data flow 1.
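The effect of the LinkUp timer on a flapping link, as an added Python model that is not part of the original guide or of Huawei's implementation. The class, event names and timeline are constructed for illustration; failure detection by Fail timer expiry is left out, and the deferred Hello is treated as processed at the moment the timer expires.

```python
"""Model of the RRPP master node's recovery handling, with and without a LinkUp timer."""
from dataclasses import dataclass, field
from typing import Optional

COMPLETE, FAILED = "Complete", "Failed"


@dataclass
class MasterNode:
    linkup_delay: int = 0              # seconds; 0 = no LinkUp timer configured
    state: str = FAILED                # the ring is already broken when the model starts
    secondary_blocked: bool = False
    deadline: Optional[int] = None     # expiry time of a running LinkUp timer
    log: list = field(default_factory=list)   # one entry per traffic path change

    def _enter_complete(self, now):
        self.state, self.secondary_blocked, self.deadline = COMPLETE, True, None
        self.log.append((now, COMPLETE, "block secondary, send Complete-Flush-FDB"))

    def _enter_failed(self, now):
        self.state, self.secondary_blocked = FAILED, False
        self.log.append((now, FAILED, "unblock secondary, send Common-Flush-FDB"))

    def tick(self, now):
        """Process the deferred Hello once a running LinkUp timer has expired."""
        if self.deadline is not None and now >= self.deadline:
            self._enter_complete(self.deadline)

    def on_hello(self, now):
        """A Hello from the primary interface arrived on the secondary interface."""
        self.tick(now)
        if self.state == COMPLETE:
            return                                    # ring already healthy
        if self.linkup_delay == 0:
            self._enter_complete(now)                 # no timer: re-converge at once
        elif self.deadline is None:
            self.deadline = now + self.linkup_delay   # start timer, topology unchanged

    def on_linkdown(self, now):
        """A LinkDown packet arrived, or a ring link went Down."""
        self.tick(now)
        self.deadline = None                          # link status changed: timer closed
        if self.state == COMPLETE:
            self._enter_failed(now)


def flapping_timeline():
    """Constructed events: the link recovers at t=10 and t=20 but fails again 3 s
    later each time, then recovers for good at t=30. Hellos arrive every second."""
    events = []
    for up, down in ((10, 13), (20, 23), (30, 41)):
        events += [(t, "hello") for t in range(up, down)]
        if down < 41:
            events.append((down, "linkdown"))
    return events


def simulate(linkup_delay, events, end=41):
    """Replay the events on a master node and return it for inspection."""
    node = MasterNode(linkup_delay=linkup_delay)
    for now, kind in sorted(events):
        if kind == "hello":
            node.on_hello(now)
        else:
            node.on_linkdown(now)
    node.tick(end)
    return node


if __name__ == "__main__":
    for delay in (0, 5):
        node = simulate(delay, flapping_timeline())
        print(f"LinkUp timer {delay}s: {len(node.log)} topology change(s)")
        for entry in node.log:
            print("   t=%-3d -> %-8s %s" % entry)
```

Each log entry corresponds to one switch of traffic between data flow 1 and data flow 2, so the length of the log is the number of path changes the flapping link caused.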
A multi-ring RRPP network works in almost the same way as a single-ring RRPP network.
On a multiple-ring network:
l The path status detection mechanism for sub-ring protocol packets on the major ring is
used on a network with multiple rings. For details, see Path Status Detection
Mechanism for Sub-Ring Protocol Packets on the Major Ring.
l Ring groups are used to improve system performance. For details, see Ring Group.
Path Status Detection Mechanism for Sub-Ring Protocol Packets on the Major Ring
This mechanism applies to networks where multiple sub-rings intersect with the master ring.
It is used to prevent loops among sub-rings after secondary interfaces are unblocked by
master nodes on sub-rings.
Figure 18-10 shows an example of broadcast loops forming between sub-rings, and how the
path status detection mechanism can prevent these loops.
[Figure: major ring (Master, Transit, Edge, Assistant-Edge) with Sub-Ring1 and Sub-Ring2
(Sub Master1, Sub Master2), PC1 and PC2, connected to Router1/Router2. Legend: Block,
MAJOR_FAULT packets, P, S (secondary interface), possible ring if the edge interfaces are
not blocked.]
When the common link between the major ring and sub-ring is faulty and at least one
non-common link is faulty, the master node on each sub-ring unblocks its secondary interface
(S in Figure 18-10) because the secondary interface does not receive Hello packets. In this
case, broadcast loops (blue dashed lines in Figure 18-10) may occur between sub-rings. To
prevent loops, the network deploys the path status detection mechanism for sub-ring protocol
packets on the major ring. After this mechanism is configured, the edge node and assistant
edge node detect the path status. When the edge node detects that the path is interrupted,
the edge interfaces on the two sub-rings are blocked before the master nodes on the two
sub-rings unblock their secondary interfaces. Because the edge interfaces on the edge nodes
of sub-ring 1 and sub-ring 2 are blocked, no loop forms between the sub-rings. While an edge
interface is blocked, however, device connectivity cannot be ensured.
The specific procedure for preventing loops using the path status detection mechanism for
sub-ring protocol packets is as follows:
1. The edge node checks the path status of sub-ring protocol packets on the major ring.
The edge node on a sub-ring periodically sends Edge-Hello packets to the major ring
through two RRPP interfaces on the major ring. Edge-Hello packets are transmitted
through all transit nodes on the ring. The assistant edge node does not forward the
received Edge-Hello packets.
In Figure 18-11, the edge node sends Edge-Hello packets to the major ring through
Interface1 and Interface2, which are also located on the major ring.
[Figure: major ring (Master, Edge, Assistant; Interface1 and Interface2) and sub-ring
(Master) with a PC, connected to Router1/Router2. Legend: EDGE-HELLO, Data Packet, Block,
P (primary interface), S (secondary interface).]
If the assistant edge node receives the Edge-Hello packets within the specified period,
the protocol packet path is normal; if the assistant edge node receives no Edge-Hello
packets within the specified period, the path is faulty.
2. The path is disconnected and the edge node blocks the edge interfaces.
Upon detecting that the sub-ring protocol packet path is disconnected, the assistant edge
node immediately sends a Major-Fault packet to the edge node. After receiving the
Major-Fault packet, the edge node blocks its edge interfaces.
In Figure 18-12, the assistant node sends a Major-Fault packet to the edge node from
Interface3.
[Figure: major ring (Master, Edge, Assistant; Interface3) and sub-ring (Master) with a PC,
connected to Router1/Router2. Legend: MAJOR-FAULT, Data Packet, Block, P (primary
interface), S (secondary interface).]
3. The master node on the sub-ring unblocks the secondary interface after the Fail timer
expires.
After the edge node blocks its edge interfaces, the path for sub-ring protocol packets is
disconnected because of the failure on the major ring. As a result, the master node on the
sub-ring cannot receive the Hello packet sent by the master node within the specified
period. The master node changes to Failed state and unblocks the secondary interface.
In Figure 18-13, the edge node blocks its edge interfaces. The master node on the sub-
ring unblocks the secondary interface that is blocked in Figure 18-12.
Figure 18-13 Sub-ring disconnected due to the blocked path on the major ring
[Figure 18-13 diagram: major ring (Master, Edge, Assistant; Interface3) and sub-ring
(Master) with a PC. Legend: Data Packet, Block, P (primary interface), S (secondary
interface).]
[Figure: the same topology with Hello packets shown. Legend: Hello, Data Packet, Block,
P (primary interface), S (secondary interface).]
In Figure 18-15, the master node on the sub-ring sends a Complete-Flush-FDB packet.
Upon receiving the packet, the edge node unblocks the edge interfaces.
Figure 18-15 Unblocking the edge interfaces on the edge node of the sub-ring
[Figure 18-15 diagram: major ring (Master, Edge, Assistant; Interface3) and sub-ring
(Master) with a PC. Legend: Hello, Data Packet, Block, P (primary interface), S (secondary
interface).]
Ring Group
In RRPP multi-instance, sub-rings are grouped to reduce the number of received and sent
Edge-Hello packets, improving system performance.
In the path status detection mechanism for sub-ring protocol packets on the major ring, the
edge node on a sub-ring periodically sends Edge-Hello packets to the two RRPP interfaces on
the major ring to detect the completeness of the path for sub-ring protocol packets.
In Figure 18-16, the edge nodes on multiple sub-rings (sub-ring 2 and sub-ring 3 in domain 1;
sub-ring 2 and sub-ring 3 in domain 2) are the same device, and the assistant edge nodes on
the sub-rings are the same device. In addition, edge nodes and assistant edge nodes connect to
the major ring in the same link. The Edge-Hello packets from edge nodes on the sub-rings
arrive at assistant edge nodes along the same path. In this case, the sub-rings that have the
same edge nodes and assistant edge nodes can be added into a ring group. A sub-ring in the
ring group is selected to send Edge-Hello packets to detect the path for sub-ring protocol
packets on the major ring. This reduces the number of received and sent Edge-Hello packets
and improves system performance.
[Figure: ring group topology connected to Router1/Router2. Labels: SwitchA, SwitchB,
SwitchC, SwitchD, SwitchE, SwitchF, Edge, Assistant, Master, PC1, PC2. Legend: domain 1,
domain 2.]
A sub-ring in the ring group is selected to send the Edge-Hello packet in the following
procedure:
1. The sub-rings with the smallest domain ID are selected from all the activated rings in the
ring group on the edge node. In Figure 18-16, the sub-rings with the smallest domain ID
are ring 2 in domain 1 and ring 3 in domain 1.
2. The smallest ring ID is selected from the rings with the smallest domain ID. The edge
node on the ring with the smallest ring ID then sends Edge-Hello packets. In Figure
18-16, the sub-ring with the smallest ring ID is Ring 2 in Domain 1. Therefore, the edge
node on Ring 2 in Domain 1 sends Edge-Hello packets in the ring group formed by ring
2 in domain 1, ring 3 in domain 1, ring 2 in domain 2, and ring 3 in domain 2.
3. When any sub-ring receives an Edge-Hello packet on all the activated rings in the ring
group where assistant edge nodes reside, the sub-ring notifies other sub-rings of the
packet.
On a common RRPP network, a physical ring contains only one RRPP domain.
When an RRPP ring is in Complete state, the master node blocks the secondary interface,
preventing all service packets from passing through. All service packets are transmitted on the
RRPP ring along one path. As a result, the link on the secondary interface side of the master
node becomes idle, wasting bandwidth. For example, in Figure 18-17, the link between
SwitchA and SwitchC is idle and does not forward data.
[Figure: RRPP ring connected to the backbone network. Labels: SwitchB, SwitchE, Block,
VLAN 100-200, VLAN 201-400.]
In Figure 18-17, the devices (SwitchA, SwitchB, SwitchC, and SwitchD) support multiple
RRPP domains on one physical ring. An RRPP domain takes effect for data from a protected
VLAN associated with the domain. Therefore, you can configure different protected VLANs
for each domain. When the master node in a domain blocks its secondary interface, data from
protected VLANs in different domains is transmitted through different paths. This allows for
link backup and traffic load balancing.
NOTE
RRPP only takes effect for data from protected VLANs. Loops may occur if data does not belong to the
protected VLANs.
In the example shown in Figure 18-18, two domains exist on the RRPP multi-instance ring
that consists of SwitchA, SwitchB, SwitchC, SwitchD, and SwitchE. SwitchC is the master
node in domain 2 and SwitchD is the master node in domain 1.
l Instance1 is created in domain 1, and data in VLANs 100 to 200 is mapped to Instance1
and transmitted along the path SwitchA -> SwitchC -> SwitchE. Master2 (SwitchC)
serves as the master node in Domain 2. The secondary interface on Master2 is blocked.
Only data in VLANs 201 to 400 is blocked and data in VLANs 100 to 200 can pass
through.
l Instance2 is created in domain 2, and data in VLANs 201 to 400 is mapped to Instance2
and transmitted along the path SwitchB -> SwitchD -> SwitchE. Master1 (SwitchD)
serves as the master node in Domain 1. The secondary interface on Master1 is blocked.
Only data in VLANs 100 to 200 is blocked and data in VLANs 201 to 400 can pass
through.
[Figure: RRPP multi-instance ring connected to the backbone network. Labels: SwitchB,
SwitchD (Master1), SwitchE, S(Block), Block. Legend: P Primary interface, S Secondary
interface, Instance1: VLAN 100-200, Instance2: VLAN 201-400.]
When a node or link is faulty, each RRPP domain independently calculates the topology and
updates forwarding entries on each node.
In Figure 18-19, a fault occurs on the link between SwitchD and SwitchE. This fault does not
affect the transmission path for the packets in VLANs 100 to 200 in domain 1, but the
transmission path is blocked for the packets in VLANs 201 to 400 in Domain 2.
The master node SwitchC in domain 2 cannot receive Hello packets on the secondary
interface. As a result, SwitchC unblocks the secondary interface and requests nodes in domain
2 to update their forwarding entries. After the topology in domain 2 re-converges, the
transmission path of the packets in VLANs 201 to 400 changes to SwitchB -> SwitchA ->
SwitchC -> SwitchE.
[Figure: RRPP multi-instance ring connected to the backbone network. Labels: SwitchB,
SwitchD (Master1), SwitchE, S(Block), Block. Legend: P Primary interface, S Secondary
interface, Instance1: VLAN 100-200, Instance2: VLAN 201-400.]
After the link between SwitchD and SwitchE recovers, SwitchC receives Hello packets on the
secondary interface. As a result, SwitchC blocks the secondary interface and requests nodes in
domain 2 to update their forwarding entries. After the topology in domain 2 re-converges, the
packets in VLANs 201 to 400 are switched back to the original path SwitchB -> SwitchD ->
SwitchE.
[Figure: single RRPP ring of Transit 1, Transit 2, Transit 3 and Master between the CEs and
the core network (MSE/NPE). Legend: P, S, BLOCK, Data Flow. CE: Customer Edge; MSE: Multi
Service Edge; NPE: Network Provider Edge.]
In Figure 18-20, Transit 1, Transit 2, Transit 3, and Master constitute a single RRPP ring.
Data traffic is transmitted along the path Transit 1 -> Transit 2 -> Master.
If RRPP detects a fault on the link between Transit 1 and Transit 2, Master unblocks its
secondary interface and immediately instructs other nodes on the ring to re-learn MAC
address entries and ARP entries. Traffic on the RRPP ring is then switched to the path Transit
1 -> Transit 3 -> Master.
[Figure: RRPP Domain1, RRPP Domain2 and RRPP Domain3 rings of UPE and PE-AGG nodes (Master,
Transit 1, Transit 2), connected through the NPE to the IP/MPLS core. Legend: P, S, Block.
PE-AGG: PE-Aggregation; NPE: Network Provider Edge; UPE: Underlayer Provider Edge.]
Tangent RRPP rings can be used in this scenario, as shown in Figure 18-21. The aggregation
layer and the access layer are each RRPP rings, and the rings of the two layers are tangent.
[Figure: major ring of PE-AGG nodes (Master, Edge, Assistant) with Sub Ring 1 and Sub Ring 2
(UPE, LANSwitch, CE; Master on each sub-ring), connected through the NPE to the core
network. Legend: P, S, Block. PE-AGG: PE-Aggregation; NPE: Network Provider Edge; UPE:
Underlayer Provider Edge.]
Intersecting RRPP rings can be used in this scenario, as shown in Figure 18-22. The
aggregation layer is the RRPP major ring and the access layer is the RRPP sub-ring.
[Figure: RRPP ring. Labels: Master, UPE1, UPE2, UPE3, PE-AGG, NPE.]
Figure 18-24 Intersecting RRPP rings of multi-instance in a MAN (CEs supporting RRPP
multi-instance)
[Figure 18-24 diagram: major ring of UPEs and the PE-AGG (Domain 1 ring 1, Domain 2 ring 1)
connected to the backbone network, with CE sub-rings (Domain 1 ring 2, Domain 2 ring 2,
Domain 1 ring 3, Domain 2 ring 3). Labels: Master, Edge, Assistant, Block. Legend:
Instance1: VLAN 101-200, Instance2: VLAN 1-100, domain 1, domain 2.]
In Figure 18-24, four UPEs and one PE-AGG construct a ring and RRPP multi-instance is
configured on the ring. Traffic on the RRPP ring flows into the backbone network through the
PE-AGG.
Two RRPP rings are configured on the four UPEs and the PE-AGG: ring 1 in domain 1 and
ring 1 in domain 2. Domain 1 processes data in VLANs 101 to 200 and domain 2 processes
data in VLANs 1 to 100.
Four RRPP rings are configured on the two CEs and two UPEs: ring 2 in domain 1, ring 2 in
domain 2, ring 3 in domain 1, and ring 3 in domain 2.
RRPP rings provide master/slave protection and load balancing for the Layer 2 services in
VLANs 1 to 200. When all the nodes and links on the rings are working properly, traffic sent
to sub-rings is transmitted along different paths according to the service VLAN, implementing
load balancing.
However, CEs may not support RRPP multi-instance, as in the example shown in Figure
18-25. The major ring constructed by four UPEs and one PE-AGG belongs to multiple
domains; however, the sub-rings constructed by CEs and UPEs belong to only one domain.
Load balancing is not implemented on the sub-ring, and data in all VLANs is transmitted
along the same path on the sub-ring. After entering the major ring, the traffic sent to sub-rings
is transmitted along different paths according to the service VLAN, implementing load
balancing.
Figure 18-25 Intersecting RRPP rings of multi-instance on a MAN (CEs not supporting
multi-instance)
[Figure 18-25 diagram: major ring of UPEs and the PE-AGG (Domain 1 ring 1, Domain 2 ring 1)
connected to the backbone network, with CE sub-rings (Domain 2 ring 2, Domain 2 ring 3).
Labels: Master, Edge, Assistant, Block. Legend: Instance1: VLAN 101-200, Instance2: VLAN
1-100, domain 1, domain 2.]
[Figure: tangent rings of CE and UPE nodes. Labels: Master, Domain 3 ring 1.]
Domain 1 processes data in VLANs 101 to 200, Domain 2 processes data in VLANs 1 to 100,
and Domain 3 processes data in VLANs 1 to 200.
The RRPP ring on the left side implements master/slave protection and load balancing for the
Layer 2 services in VLANs 1 to 200. When all the nodes and links on the RRPP rings are
working properly, traffic sent to rings from CEs is transmitted along different paths according
to the service VLAN, implementing traffic load balancing.
Traffic in VLANs 1 to 200 flows from the tangent node into the RRPP ring on the right side.
[Figure: RRPP ring of UPEs and the PE-AGG connected to the backbone network. Labels: CE,
Master 1, Block, instance 2. Legend: P Primary interface, S Secondary interface, Domain 1,
Domain 2.]
Four UPEs and one PE-AGG construct a ring in two domains: ring 1 in domain 1 and ring 1
in domain 2. Domain 1 processes data in VLANs 101 to 200 and domain 2 processes data in
VLANs 1 to 100.
Domain 1 maps instance 1 and domain 2 maps instance 2. Services in VLANs 1 to 200 are
sent from CEs.
Service VLANs processed in the two RRPP domains do not overlap and all service VLANs
are processed. Traffic in domain 1 and domain 2 is load balanced on the RRPP ring.
[Figure: ring of four UPEs and the PE-AGG connected to the backbone network. Labels: CE,
Master, Block, Domain 1 ring 1, Domain 2 ring 1. Legend: Instance1: VLAN 101-200,
Instance2: VLAN 1-100, domain 1, domain 2.]
Four UPEs and one PE-AGG construct a ring. After RRPP multi-instance on the ring is
enabled, traffic flows into the backbone network through the PE-AGG.
Nodes on the RRPP ring and the PE-AGG must support Smart Link.
NOTE
Only the S5720HI, S5720EI, S6720S-EI, and S6720EI support this function.
RRPP snooping notifies a VPLS network of changes on the RRPP ring. After RRPP snooping
is enabled on sub-interfaces or VLANIF interfaces, the VPLS network can transparently
transmit RRPP packets, detect changes on the RRPP ring, and update forwarding entries,
ensuring that traffic can be rapidly switched to a non-blocking path.
In Figure 18-29, UPEs are connected as an RRPP ring to the VPLS network where NPEs
reside. NPEs are connected through a PW, and therefore cannot serve as RRPP nodes to
directly respond to RRPP packets. As a result, the VPLS network cannot sense the status
change of the RRPP ring. When the RRPP ring topology changes, each node on the VPLS
network forwards downstream data according to the MAC address table generated before the
RRPP ring topology changes. As a result, the downstream traffic cannot be forwarded.
[Figure: RRPP ring of UPEA, UPEB and NPED (sub-interfaces GE0/0/1.100 and GE0/0/2.100)
attached to the VPLS network with NPEB. Control VLAN: 100; User VLAN: 10~20. Legend: data
packet, hello packet, P primary interface, S secondary interface.]
To solve this problem, RRPP snooping can be enabled on the sub-interface or VLANIF
interface of NPED and associated with other VSIs on the local device. When RRPP snooping
is enabled, if the RRPP ring is faulty, NPED on the VPLS network clears the forwarding
entries of the VSIs (including the associated VSIs) on the local node and the forwarding
entries of the remote NPEB to re-learn forwarding entries. This ensures that traffic can be
switched to a normal path and downstream traffic can be properly forwarded.
In Figure 18-30, when the link between NPED and UPEA is faulty, the master node UPEA sends
a Common-Flush-FDB packet to request that the transit nodes on the RRPP ring clear their
MAC address tables.
Figure 18-30 Network of RRPP and VPLS (when the RRPP ring is faulty)
[Figure 18-30 diagram: RRPP ring of UPEA, UPEB and NPED (sub-interfaces GE0/0/1.100 and
GE0/0/2.100) attached to the VPLS network with NPEB. Control VLAN: 100; User VLAN: 10~20.
Legend: data packet, COMMON-FLUSH-FDB, P primary interface, S secondary interface.]
The original MAC address table is not cleared because NPED cannot process the Common-
Flush-FDB packet. If downstream service packets are still sent to UPEA, NPED sends the
packets to UPEA along the original path. This interrupts the downstream traffic between
NPED and NPEA. After UPEB clears the MAC address table, the upstream service packets
sent by UPEA are regarded as unknown unicast packets and are forwarded to the VPLS
network along the path UPEA -> UPEB -> NPED. After re-learning the MAC address, NPED
can forward the downstream traffic destined to UPEA.
When the fault on the RRPP ring is recovered, the master node UPEA sends a Complete-
Flush-FDB packet to request that the transit nodes clear their MAC address tables. The
downstream traffic between NPED and UPEA is interrupted because NPED cannot process
the Complete-Flush-FDB packet.
Figure 18-31 demonstrates that after RRPP snooping is enabled on sub-interfaces
GE0/0/1.100 and GE0/0/2.100 of NPED, NPED can process the Common-Flush-FDB and
Complete-Flush-FDB packets.
Figure 18-31 Network of RRPP and VPLS (when RRPP snooping is enabled)
[Figure 18-31 diagram: RRPP ring of UPEA, UPEB and NPED, with RRPP snooping on
sub-interfaces GE0/0/1.100 and GE0/0/2.100, attached to the VPLS network with NPEB. Control
VLAN: 100; User VLAN: 10~20. Legend: data packet, COMMON-FLUSH-FDB, P primary interface,
S secondary interface.]
When the RRPP ring topology changes and NPED receives the Common-Flush-FDB or
Complete-Flush-FDB packet from the master node UPEA, NPED clears the MAC address
table of the VSI associated with sub-interfaces GE0/0/1.100 and GE0/0/2.100. NPED then
requests that other NPEs in this VSI clear their MAC address tables.
If downstream data packets are still sent to UPEA, NPED cannot find matching MAC address
entries for them. The packets are therefore regarded as unknown unicast packets, broadcast
in the VLAN, and sent to UPEA along the path UPED -> UPEB -> NPEA. This ensures
downstream traffic continuity.
Licensing Requirements
RRPP configuration commands are available only after the S1720GW, S1720GWR, and
S1720X have the license (WEB management to full management Electronic RTU License)
loaded and activated and the switches are restarted. RRPP configuration commands on other
models are not under license control.
For details about how to apply for a license, see S Series Switch License Use Guide.
Version Requirements
S2710SI V100R006(C03&C05)
S5710-C-LI V200R001C00
S5730SI V200R011C10
S5730S-EI V200R011C10
NOTE
For details about software mappings, see Hardware Query Tool.
Feature Limitations
l Only the S5700HI, S5710HI, S5720EI, S5720HI, S5710EI, S6700EI, S6720S-EI, and
S6720EI support RRPP snooping.
l When you configure the list of protected VLANs, note the following points:
– Protected VLANs must be configured before you configure an RRPP ring.
– You can delete or change existing protected VLANs before configuring an RRPP
ring. The protected VLANs cannot be changed after the RRPP ring is configured.
– In the same physical topology, the control VLAN in a domain cannot be configured
as a protected VLAN in another domain.
– The control VLAN must be included in the protected VLANs; otherwise, the RRPP
ring cannot be configured.
– The control VLAN can be mapped to other instances before the RRPP ring is
created. After the RRPP ring is created, the mapping cannot be changed unless you
delete the RRPP ring.
– When the mapping between instances and VLANs changes, the protected VLANs
in the RRPP domain also change.
– All the VLANs allowed by an RRPP interface must be configured as protected
VLANs.
Context
Data in different VLANs is transmitted on the RRPP ring, including data VLANs and control
VLANs. You need to configure an interface to allow data from these VLANs to pass through,
ensuring data transmission on the ring.
RRPP cannot be configured on an interface configured with Smart Link, MUX VLAN, or
MSTP. Before configuring RRPP, ensure that the interface is not configured with protocols
that conflict with RRPP.
Procedure
Step 1 Run system-view
Step 4 Run port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }
An RRPP-enabled interface needs to allow packets of control VLANs and data VLANs to
pass through, so the interface must be configured as a trunk or hybrid interface.
After the control-vlan command is used in the RRPP domain view to configure a control
VLAN and the ring node-mode command is run, the interfaces on the RRPP ring
allow packets of the control VLAN to pass through. Therefore, you need to specify only the
IDs of data VLANs in this step.
NOTE
If RRPP snooping is enabled on the VLANIF interface of a VLAN, RRPP-enabled interfaces cannot be
added to the VLAN.
----End
Context
A group of interconnected switches configured with the same domain ID and control VLAN
constitute an RRPP domain. Different RRPP domains must be configured with different
domain IDs and control VLANs.
An RRPP domain has two control VLANs, that is, the major control VLAN and sub-control
VLAN. Protocol packets on the major ring are transmitted in the major control VLAN, and
RRPP packets on the sub-rings are transmitted in the sub-control VLAN.
Procedure
Step 1 On each switch in an RRPP domain, run system-view
The system view is displayed.
Step 2 Run rrpp domain domain-id
An RRPP domain is created and the RRPP domain view is displayed.
A maximum of 24 domains can be created on the S5720EI, S5720SI, S5720S-SI, S5730SI,
S5730S-EI, S6720SI, S6720S-SI, S6720LI, S6720S-LI, S5720HI, S6720S-EI, and S6720EI.
On other devices, a maximum of 8 domains can be created.
When creating an RRPP domain, specify the domain ID. If the domain to be configured
exists, the domain view is displayed.
Step 3 (Optional) Run description text
A description is configured for the RRPP domain.
By default, no description is configured for an RRPP domain.
After RRPP is configured on a device, you can run the description command to configure the
description of the RRPP domain, including the RRPP domain ID, to facilitate maintenance.
Step 4 Run control-vlan vlan-id
A control VLAN is created.
An RRPP domain has two control VLANs, that is, the major control VLAN and sub-control
VLAN. You need to specify only the major control VLAN. The VLAN whose ID is one
greater than the ID of the major control VLAN becomes the sub-control VLAN.
The control VLAN specified by vlan-id and the sub-control VLAN specified by vlan-id plus
one must be VLANs that have not been created or used.
After configuring a control VLAN for an RRPP domain, you cannot directly change the
control VLAN. To change the control VLAN, you need to delete the domain and then
configure a new control VLAN. You can also run the undo control-vlan command to delete
the control VLAN and then configure a new control VLAN. The sub-control VLAN is deleted
when the RRPP domain is deleted.
NOTE
----End
Context
You can map data in VLANs to an instance and configure the instance to the protected VLAN
so that the device can control data in VLANs based on RRPP.
Procedure
Step 1 Run system-view
instance-id in this command must be the same as instance-id used by the protected-instance
command.
NOTE
The control VLANs of the major ring and the sub-rings must be contained in the VLAN list.
To configure the mapping between an instance and a MUX VLAN, you are advised to configure the
principal VLAN, subordinate group VLANs, and subordinate separate VLANs of the MUX VLAN in
the same instance. Otherwise, loops may occur.
If the stp mode (system view) command is used to configure the switch to work in VBST mode, the
static instance protected by RRPP cannot be directly deleted.
----End
Context
The device controls only data in the protected VLANs based on RRPP. Data out of the
protected VLANs may cause storms on the ring network.
Procedure
Step 1 Run system-view
All the VLANs whose packets need to pass through an RRPP interface, including the control
VLANs and data VLANs, must be configured as protected VLANs.
NOTE
When you configure the list of protected VLANs, note the following points:
l Protected VLANs must be configured before you configure an RRPP ring.
l You can delete or change existing protected VLANs before configuring an RRPP ring. The protected
VLANs cannot be changed after the RRPP ring is configured.
l In the same physical topology, the control VLAN in a domain cannot be configured as a protected
VLAN in another domain.
l The control VLAN must be included in the protected VLANs; otherwise, the RRPP ring cannot be
configured.
l The control VLAN can be mapped to other instances before the RRPP ring is created. After the
RRPP ring is created, the mapping cannot be changed unless you delete the RRPP ring.
l When the mapping between an instance and VLANs changes, the protected VLANs in the RRPP
domain also change.
l All the VLANs allowed by an RRPP interface must be configured as protected VLANs.
----End
Context
You need to manually add nodes to an RRPP ring and configure an interface role for each
node.
The RRPP ring can be activated only when both the RRPP ring and the RRPP protocol are
enabled on all the switches on an RRPP ring.
Prerequisites
STP has been disabled on the interfaces that need to be added to the RRPP ring. (By default,
STP is enabled on all interfaces of the device.)
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run rrpp domain domain-id
The RRPP domain view is displayed.
Step 3 Run ring ring-id node-mode { master | transit } primary-port interface-type interface-
number secondary-port interface-type interface-number level level-value
An RRPP ring is created.
Level 0 indicates the major ring, and Level 1 indicates a sub-ring.
NOTE
l A domain contains only one major ring. Before creating a sub-ring, you must create the major ring.
l The master node on the sub-ring cannot serve as the edge node or the assistant edge node.
l A maximum of 24 rings can be created on the S5720EI, S5720SI, S5720S-SI, S5730SI, S5730S-EI,
S6720SI, S6720S-SI, S5720HI, S6720LI, S6720S-LI, S6720S-EI, and S6720EI, and 16 rings on
other models.
l Before adding an interface to an RRPP ring, disable port security on the interface; otherwise, loops
cannot be prevented.
----End
Context
After the RRPP ring is enabled, you need to enable the RRPP protocol for devices on the
RRPP ring so that RRPP can work properly.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run rrpp enable
RRPP is enabled.
----End
Context
To reduce the number of received and sent Edge-Hello packets, you can use a ring group, in
which a group of sub-rings with the same configuration of edge nodes or assistant edge nodes
are added to the ring group.
Procedure
Step 1 On the edge node or assistant edge node, run system-view
The system view is displayed.
Step 2 Run rrpp ring-group ring-group-id
A ring group is created.
A ring group can be created only on an edge node or an assistant edge node on a sub-ring.
All the sub-rings in a ring group must be on nodes of the same type, for example, all the sub-
rings are located on edge nodes or assistant edge nodes.
Step 3 Run domain domain-id ring { ring-id1 [ to ring-id2 ] } &<1-10>
Sub-rings are added to the ring group.
Sub-rings in the same ring group share the same edge node and the same assistant edge node.
A sub-ring can belong to only one ring group.
When you add a sub-ring to a ring group or delete a sub-ring from the ring group, note the
following points:
l To add an activated sub-ring to a ring group, add the sub-ring to the ring group on the
assistant edge node, and then perform the same operation on the edge node.
l To delete an activated sub-ring from a ring group, delete the sub-ring from the ring group
on the edge node, and then perform the same operation on the assistant edge node.
----End
18.7.8 (Optional) Setting the Values of the Hello Timer and Fail Timer in an RRPP Domain
Context
The Hello timer and Fail timer are used when the master node sends and receives RRPP
packets. The value of the Hello timer specifies the interval at which the master node sends
Hello packets from the primary interface. The value of the Fail timer specifies the maximum
delay between the primary interface on the master node sending a Hello packet and the
secondary interface receiving it.
You only need to set the values of the Hello timer and Fail timer on the master node in an
RRPP domain.
Procedure
Step 1 Run system-view
The values of the Hello timer and the Fail timer in an RRPP domain are set.
The value of the Fail timer must be no smaller than three times the value of the Hello timer.
By default, the value of the Hello timer on an edge node is half of the value of the Hello timer
on the master node of the major ring.
The values of both the Hello timer and Fail timer must be set the same on each node in an
RRPP domain; otherwise, edge interfaces on the edge nodes may be unstable.
It is recommended that the value of the Fail timer be configured based on the actual
networking. If the value of the Fail timer is incorrect, for example, the value is too small,
loops may occur.
----End
Context
After the value of the Link-Up timer is set, the RRPP link does not immediately change its
status but changes the status when the Link-Up timer times out. This reduces flapping of the
link status.
You only need to set the value of the Link-Up timer on the master node.
Procedure
Step 1 On the master node, run system-view
The value of the Link-Up timer is set for the RRPP link.
The value set by the linkup-delay-timer-value command must be no larger than the value of
the Fail timer minus twice the value of the Hello timer. The default value of the Link-Up
timer is 0.
----End
Procedure
• Run the display stp region-configuration command to check the mapping between
MSTIs and VLANs.
• Run the display rrpp brief [ domain domain-id ] command to check summary
information about an RRPP domain.
• Run the display rrpp verbose domain domain-id [ ring ring-id ] command to check
detailed information about an RRPP domain.
• Run the display rrpp statistics domain domain-id [ ring ring-id ] command to check
the statistics on packets in an RRPP domain.
----End
Prerequisites
NOTE
Only the S5720HI, S5720EI, S6720S-EI, and S6720EI support this function.
RRPP snooping is a technology that notifies the VPLS network of changes in the RRPP ring.
After RRPP snooping is enabled on sub-interfaces or VLANIF interfaces, the VPLS network
can transparently transmit RRPP packets, detect changes on the RRPP ring, and update
forwarding entries, ensuring that traffic can be rapidly switched to a non-blocking path.
Before configuring RRPP snooping, complete the following tasks:
• Configuring a VPLS network
• Configuring RRPP
Context
When RRPP snooping is enabled on an interface, the status of the RRPP ring can be detected
through RRPP control packets. When the status of the RRPP ring changes, the interface
requests the VSI bound to the interface to update its MAC address table.
NOTE
RRPP and RRPP snooping cannot be simultaneously configured on the same interface.
Configure RRPP snooping only on the node connecting the RRPP ring to the VPLS network.
Procedure
Step 1 Run system-view
Step 2 Enter the view of the interface on which RRPP snooping is to be enabled, using one of
the following commands as required:
• Run interface interface-type interface-number.subinterface-number
The sub-interface view is displayed.
• Run interface vlanif vlan-id
The VLANIF interface view is displayed.
Specifying that the sub-interface or VLANIF interface permits only the packets in the control
VLAN of the RRPP domain to pass through.
Step 3 Run rrpp snooping enable
RRPP snooping is enabled.
Before running this command, bind the sub-interface or VLANIF interface to the VSI.
If the sub-interface or VLANIF interface is removed from the VSI, RRPP snooping is
automatically disabled on the interface.
After RRPP snooping is enabled on the sub-interface or VLANIF interface, the sub-interface
or VLANIF interface is automatically associated with the VSI.
By default, RRPP snooping is disabled.
----End
Context
If you associate an RRPP snooping-enabled sub-interface or VLANIF interface with another
VSI on the device, the interface notifies the associated VSI of changes of the RRPP ring
status. In this way, the VSI can immediately update the MAC address table.
You only need to configure the VSI associated with RRPP snooping on the NPE node
connecting the RRPP ring to the VPLS network.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Enter the view of the interface on which RRPP snooping is to be enabled, using one of
the following commands as required:
• Run interface interface-type interface-number.subinterface-number
The sub-interface view is displayed.
• Run interface vlanif vlan-id
The VLANIF interface view is displayed.
The VLANIF interface in this step must map the RRPP control VLAN. For example, if
the RRPP control VLAN ID is 100, the VLANIF interface here must be VLANIF 100.
Step 3 Configure the VSI associated with RRPP snooping on the sub-interface or VLANIF
interface using the following commands as required
The rrpp snooping vsi vsi-name command associates the interface with only one VSI at a time. To
associate the sub-interface or VLANIF interface with multiple VSIs, run this command multiple times.
----End
Procedure
• Run the display rrpp snooping enable { all | interface vlanif interface-number }
command to check the interfaces that are enabled with RRPP snooping.
• Run the display rrpp snooping vsi { all | interface vlanif interface-number } command
to check the VSIs associated with RRPP snooping.
----End
Context
You can reset the RRPP statistics to 0 to start collecting new statistics about RRPP packets.
RRPP statistics cannot be restored after you clear them. Therefore, exercise caution when you
run the command.
Procedure
Step 1 Run the reset rrpp statistics domain domain-id [ ring ring-id ] command in the user view to
clear RRPP statistics.
----End
Networking Requirements
As shown in Figure 18-32, SwitchA, SwitchB, and SwitchC constitute a ring network. The
network is required to prevent loops when the ring is complete and implement fast
convergence to rapidly restore communication between nodes on the ring when the ring fails.
You can enable RRPP on SwitchA, SwitchB, and SwitchC to meet this requirement.
[Figure 18-32: Ring 1 connecting the switches through GE0/0/1 and GE0/0/2; the legend marks
the primary interface and the secondary interface.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interfaces to be added to the RRPP domain on the devices so that data can
pass through the interfaces. Disable protocols that conflict with RRPP, such as STP.
2. Create an RRPP domain and its control VLAN.
3. Map data that needs to pass through the VLANs on the RRPP ring to Instance 1,
including data VLANs 100 to 300 and control VLANs 20 and 21 (VLAN 21 is the sub-
control VLAN generated by the device).
4. In the RRPP domain, configure a protected VLAN, create an RRPP ring and configure
SwitchA, SwitchB, and SwitchC as nodes on Ring 1 in Domain 1. Configure SwitchA as
the master node on Ring 1, and configure SwitchB and SwitchC as transit nodes on Ring
1.
5. Enable the RRPP ring and RRPP protocol on devices to make RRPP take effect.
Procedure
Step 1 Create an RRPP domain and its control VLAN.
# Configure SwitchA. The configurations on SwitchB and SwitchC are similar to that on
SwitchA and are not described here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] control-vlan 20
[SwitchA-rrpp-domain-region1] quit
Step 2 Map Instance 1 to control VLANs 20 and 21 and data VLANs 100 to 300.
# Configure SwitchA. The configurations on SwitchB and SwitchC are the same as that on
SwitchA and are not described here. For details, see the configuration files.
[SwitchA] vlan batch 100 to 300
[SwitchA] stp region-configuration
[SwitchA-mst-region] instance 1 vlan 20 21 100 to 300
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
Step 3 Configure the interfaces to be added to the RRPP ring as trunk interfaces, allow data VLANs
100 to 300 to pass through the interfaces, and disable STP on the interfaces.
# Configure SwitchA. The configurations on SwitchB and SwitchC are the same as that on
SwitchA and are not described here. For details, see the configuration files.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 300
[SwitchA-GigabitEthernet0/0/1] stp disable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 300
[SwitchA-GigabitEthernet0/0/2] stp disable
[SwitchA-GigabitEthernet0/0/2] quit
Step 4 Specify a protected VLAN, and create and enable an RRPP ring.
# Configure SwitchA.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchA-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[SwitchA-rrpp-domain-region1] ring 1 enable
[SwitchA-rrpp-domain-region1] quit
# Configure SwitchB.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[SwitchB-rrpp-domain-region1] ring 1 enable
[SwitchB-rrpp-domain-region1] quit
# Configure SwitchC.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[SwitchC-rrpp-domain-region1] ring 1 enable
[SwitchC-rrpp-domain-region1] quit
Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
The command output shows that RRPP is enabled on SwitchA, the major control VLAN of
domain 1 is VLAN 20 and the sub-control VLAN is VLAN 21, and SwitchA is the master
node on Ring 1. The primary interface is GigabitEthernet0/0/1 and the secondary interface is
GigabitEthernet0/0/2.
# Run the display rrpp verbose domain command on SwitchA. The command output is as
follows:
[SwitchA] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/1 Port status: UP
Secondary port : GigabitEthernet0/0/2 Port status: BLOCKED
----End
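An added example (not part of the Huawei guide): a Python check over saved display rrpp verbose domain output that applies the Fail timer and Link-Up timer rules stated in this chapter and flags a master node whose ring is Complete while its secondary port is not BLOCKED. The function names, the linkup_delay parameter, and the faulty variant are constructed for illustration.

```python
import re

# Sample input: the "display rrpp verbose domain 1" output shown above.
HEALTHY = """\
Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/1 Port status: UP
Secondary port : GigabitEthernet0/0/2 Port status: BLOCKED
"""
# Constructed faulty variant: Hello timer raised to 3 s without raising the
# Fail timer, and the master's secondary port forwarding on a Complete ring.
FAULTY = (HEALTHY.replace("Hello Timer : 1 sec", "Hello Timer : 3 sec")
                 .replace("0/0/2 Port status: BLOCKED", "0/0/2 Port status: UP"))


def parse_verbose(text):
    """Parse the verbose output into the domain timers and a list of rings."""
    t = re.search(r"Hello Timer\s*:\s*(\d+) sec.*?Fail Timer\s*:\s*(\d+) sec", text)
    if not t:
        raise ValueError("no Hello/Fail timer line found")
    domain = {"hello": int(t[1]), "fail": int(t[2]), "rings": []}
    # Each ring block starts with an "RRPP Ring : <id>" line.
    for chunk in re.split(r"(?m)^RRPP Ring\s*:", text)[1:]:
        ring = {"id": int(chunk.split()[0]), "ports": {}}
        for key, field in (("mode", "Node Mode"), ("state", "Ring State"),
                           ("active", "Is Active")):
            m = re.search(rf"{field}\s*:\s*(\S+)", chunk)
            ring[key] = m[1] if m else None
        for m in re.finditer(
                r"(?m)^[ \t]*(\w+) port\s*:\s*(\S+)\s+Port status:\s*(\S+)", chunk):
            ring["ports"][m[1].lower()] = (m[2], m[3])
        domain["rings"].append(ring)
    return domain


def check(text, linkup_delay=0):
    """Return findings for one domain; linkup_delay is the Link-Up timer (s)."""
    d, found = parse_verbose(text), []
    # Fail timer must be no smaller than three times the Hello timer.
    if d["fail"] < 3 * d["hello"]:
        found.append(f"Fail timer {d['fail']}s is below 3 x Hello timer {d['hello']}s")
    # Link-Up timer must be no larger than Fail timer minus twice the Hello timer.
    if linkup_delay > d["fail"] - 2 * d["hello"]:
        found.append(f"Link-Up timer {linkup_delay}s exceeds Fail - 2 x Hello")
    for r in d["rings"]:
        if r["active"] != "Yes":
            found.append(f"ring {r['id']}: not active")
        if r["mode"] == "Master":
            name, status = r["ports"].get("secondary", (None, None))
            if r["state"] != "Complete":
                found.append(f"ring {r['id']}: master reports state {r['state']}")
            elif status != "BLOCKED":
                found.append(f"ring {r['id']}: Complete but secondary port {name} is {status}")
    return found


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("faulty", FAULTY)):
        print(label, check(sample) or "OK")
```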
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet0/0/1 secondary-port GigabitEthernet0/0/2 level 0
ring 1 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port GigabitEthernet0/0/2 level 0
ring 1 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
• SwitchC configuration file
#
sysname SwitchC
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
Networking Requirements
The Ethernet network uses two-layer rings: one is the aggregation layer between the
aggregation devices (PE-AGGs) and the other is the access layer between PE-AGGs and UPEs.
Figure 18-33 Networking diagram of intersecting RRPP rings with a single instance
[Figure: one RRPP domain with a major ring and sub-rings (Sub Ring 1, Sub Ring 2) connecting
UPE1, PE-AGG1, PE-AGG2, PE-AGG3, the LANSwitches, and the NPE toward the core network.
Legend: PE-AGG: PE-Aggregation; NPE: Network Provider Edge; UPE: Underlayer Provider Edge.]
As shown in Figure 18-33, the network is required to prevent loops when the ring is complete
and implement fast convergence to rapidly restore communication between nodes on the ring
when the ring fails. RRPP can meet this requirement. RRPP supports multiple rings. You can
configure the aggregation layer as the major ring and the access layer as the sub-ring,
simplifying the network configuration.
As shown in Figure 18-34, SwitchB, SwitchA, SwitchD, and SwitchC map PE-AGG1, PE-
AGG2, PE-AGG3, and UPE1 in Figure 18-33 respectively. Figure 18-34 is used as an
example to describe how to configure intersecting RRPP rings with a single instance in the
RRPP version defined by Huawei.
Figure 18-34 Networking diagram of intersecting RRPP rings with a single instance
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure SwitchB as the master node on the major ring.
# Configure Instance 1, and map it to the data VLANs and control VLANs allowed by the
RRPP interface.
[SwitchB] stp region-configuration
[SwitchB-mst-region] instance 1 vlan 2 to 11
[SwitchB-mst-region] active region-configuration
[SwitchB-mst-region] quit
# Configure Domain 1 on SwitchB. Configure VLAN 10 as the major control VLAN and bind
Instance 1 to the protected VLAN in Domain 1.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] control-vlan 10
[SwitchB-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchB-rrpp-domain-region1] quit
# Configure the RRPP interface as a trunk interface to allow data from VLANs 2 to 9 to pass
through and disable STP on the interface to be added to the RRPP ring.
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 to 9
[SwitchB-GigabitEthernet0/0/1] stp disable
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 2 to 9
[SwitchB-GigabitEthernet0/0/2] stp disable
[SwitchB-GigabitEthernet0/0/2] quit
# Configure the primary interface and secondary interface on the master node of the major
ring.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[SwitchB-rrpp-domain-region1] ring 1 enable
[SwitchB-rrpp-domain-region1] quit
# Configure Instance 1, and map it to the data VLANs and control VLANs allowed by the
RRPP interface.
[SwitchC] stp region-configuration
[SwitchC-mst-region] instance 1 vlan 2 to 11
[SwitchC-mst-region] active region-configuration
[SwitchC-mst-region] quit
# Configure Domain 1 on SwitchC. Configure VLAN 10 as the major control VLAN and bind
Instance 1 to the protected VLAN in Domain 1.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] control-vlan 10
[SwitchC-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchC-rrpp-domain-region1] quit
# Disable STP on the interface to be added to the RRPP ring and configure the RRPP
interface as a trunk interface to allow data from VLANs 2 to 9 to pass through.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type trunk
[SwitchC-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchC-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 to 9
[SwitchC-GigabitEthernet0/0/1] stp disable
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type trunk
# Configure the primary interface and secondary interface on the master node of the sub-ring.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] ring 2 node-mode master primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 1
[SwitchC-rrpp-domain-region1] ring 2 enable
[SwitchC-rrpp-domain-region1] quit
Step 3 Configure SwitchA as the transit node on the major ring and the edge node on the sub-ring.
# Create data VLANs 2 to 9 on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 to 9
# Configure Instance 1, and map it to the data VLANs and control VLANs allowed by the
RRPP interface.
[SwitchA] stp region-configuration
[SwitchA-mst-region] instance 1 vlan 2 to 11
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
# Configure Domain 1 on SwitchA. Configure VLAN 10 as the major control VLAN and
bind Instance 1 to the protected VLAN in Domain 1.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] control-vlan 10
[SwitchA-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchA-rrpp-domain-region1] quit
# Disable STP on the interface to be added to the RRPP ring and configure the RRPP
interface as a trunk interface to allow data from VLANs 2 to 9 to pass through.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 to 9
[SwitchA-GigabitEthernet0/0/1] stp disable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 2 to 9
[SwitchA-GigabitEthernet0/0/2] stp disable
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 2 to 9
[SwitchA-GigabitEthernet0/0/3] stp disable
[SwitchA-GigabitEthernet0/0/3] quit
# Configure the primary interface and secondary interface on the transit node of the major
ring.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 0/0/2 secondary-port gigabitethernet 0/0/1 level 0
[SwitchA-rrpp-domain-region1] ring 1 enable
[SwitchA-rrpp-domain-region1] quit
# Configure the common interface and edge interface on the edge node of the sub-ring.
Step 4 Configure SwitchD as the transit node on the major ring and the assistant edge node on the
sub-ring.
# Create data VLANs 2 to 9 on SwitchD.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] vlan batch 2 to 9
# Configure Instance 1, and map it to the data VLANs and control VLANs allowed by the
RRPP interface.
[SwitchD] stp region-configuration
[SwitchD-mst-region] instance 1 vlan 2 to 11
[SwitchD-mst-region] active region-configuration
[SwitchD-mst-region] quit
# On SwitchD, configure Domain 1. Configure VLAN 10 as the major control VLAN and
bind Instance 1 to the protected VLAN in Domain 1.
[SwitchD] rrpp domain 1
[SwitchD-rrpp-domain-region1] control-vlan 10
[SwitchD-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchD-rrpp-domain-region1] quit
# Disable STP on the interface to be added to the RRPP ring, configure the RRPP interface as
a trunk interface, and configure the interfaces to allow service packets of VLAN 2 to VLAN 9
to pass through.
[SwitchD] interface gigabitethernet 0/0/1
[SwitchD-GigabitEthernet0/0/1] port link-type trunk
[SwitchD-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchD-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 to 9
[SwitchD-GigabitEthernet0/0/1] stp disable
[SwitchD-GigabitEthernet0/0/1] quit
[SwitchD] interface gigabitethernet 0/0/2
[SwitchD-GigabitEthernet0/0/2] port link-type trunk
[SwitchD-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchD-GigabitEthernet0/0/2] port trunk allow-pass vlan 2 to 9
[SwitchD-GigabitEthernet0/0/2] stp disable
[SwitchD-GigabitEthernet0/0/2] quit
[SwitchD] interface gigabitethernet 0/0/3
[SwitchD-GigabitEthernet0/0/3] port link-type trunk
[SwitchD-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[SwitchD-GigabitEthernet0/0/3] port trunk allow-pass vlan 2 to 9
[SwitchD-GigabitEthernet0/0/3] stp disable
[SwitchD-GigabitEthernet0/0/3] quit
# Configure the primary interface and secondary interface on the transit node of the major
ring.
[SwitchD] rrpp domain 1
[SwitchD-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 0/0/2 secondary-port gigabitethernet 0/0/1 level 0
[SwitchD-rrpp-domain-region1] ring 1 enable
[SwitchD-rrpp-domain-region1] quit
# Configure the common interface and edge interface on the assistant edge node of the sub-
ring.
[SwitchD] rrpp domain 1
[SwitchD-rrpp-domain-region1] ring 2 node-mode assistant-edge common-port
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
The command output shows that RRPP is enabled on SwitchB. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11; SwitchB is the master node on the major
ring, with GE0/0/1 as the primary interface and GE0/0/2 as the secondary interface.
# Run the display rrpp verbose domain command on SwitchB. The command output is as
follows:
[SwitchB] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/1 Port status: UP
Secondary port : GigabitEthernet0/0/2 Port status: BLOCKED
The command output shows that the ring is in Complete state, and the secondary interface on
the master node is blocked.
# Run the display rrpp brief command on SwitchC. The command output is as follows:
[SwitchC] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
You can find that RRPP is enabled on SwitchC. The major control VLAN is VLAN 10, and
the sub-control VLAN is VLAN 11; SwitchC is the master node on the sub-ring, with
GE0/0/1 as the primary interface and GE0/0/2 as the secondary interface.
# Run the display rrpp verbose domain command on SwitchC. The command output is as
follows:
[SwitchC] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 2
Ring Level : 1
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/1 Port status: UP
Secondary port : GigabitEthernet0/0/2 Port status: BLOCKED
The command output shows that the sub-ring is in Complete state, and the secondary interface
on the master node of the sub-ring is blocked.
# Run the display rrpp brief command on SwitchA. The command output is as follows:
[SwitchA] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
The command output shows that RRPP is enabled on SwitchA. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11. SwitchA is the transit node on the major
ring. The primary interface is GE0/0/2 and the secondary interface is GE0/0/1.
SwitchA is also the edge node on the sub-ring, with GE0/0/2 as the common interface and
GE0/0/3 as the edge interface.
# Run the display rrpp verbose domain command on SwitchA. The command output is as
follows:
[SwitchA] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/2 Port status: UP
Secondary port : GigabitEthernet0/0/1 Port status: UP
RRPP Ring : 2
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Common port : GigabitEthernet0/0/2 Port status: UP
Edge port : GigabitEthernet0/0/3 Port status: UP
# Run the display rrpp brief command on SwitchD. The command output is as follows:
[SwitchD] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
The command output shows that RRPP is enabled on SwitchD. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11. SwitchD is the transit node on the major
ring, with GE0/0/2 as the primary interface and GE0/0/1 as the secondary interface. SwitchD
is also the assistant edge node on the sub-ring, with GE0/0/2 as the common interface and
GE0/0/3 as the edge interface.
# Run the display rrpp verbose domain command on SwitchD. The command output is as
follows:
[SwitchD] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/2 Port status: UP
RRPP Ring : 2
Ring Level : 1
Node Mode : Assistant-edge
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Common port : GigabitEthernet0/0/2 Port status: UP
Edge port : GigabitEthernet0/0/3 Port status: UP
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 11
#
rrpp enable
#
stp region-configuration
instance 1 vlan 2 to 11
active region-configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet0/0/2 secondary-port GigabitEthernet0/0/1 level 0
ring 1 enable
ring 2 node-mode edge common-port GigabitEthernet0/0/2 edge-port GigabitEthernet0/0/3
ring 2 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 11
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 11
stp disable
#
interface GigabitEthernet0/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 9 11
stp disable
#
return
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet0/0/1 secondary-port GigabitEthernet0/0/2 level 0
ring 1 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 11
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 11
stp disable
#
return
• SwitchC configuration file
#
sysname SwitchC
#
vlan batch 2 to 11
#
rrpp enable
#
stp region-configuration
instance 1 vlan 2 to 11
active region-configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
ring 2 node-mode master primary-port GigabitEthernet0/0/1 secondary-port GigabitEthernet0/0/2 level 1
ring 2 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 9 11
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 9 11
stp disable
#
return
• SwitchD configuration file
#
sysname SwitchD
#
vlan batch 2 to 11
#
rrpp enable
#
stp region-configuration
instance 1 vlan 2 to 11
active region-configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet0/0/2 secondary-port GigabitEthernet0/0/1 level 0
ring 1 enable
ring 2 node-mode assistant-edge common-port GigabitEthernet0/0/2 edge-port GigabitEthernet0/0/3
ring 2 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 11
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 11
stp disable
#
interface GigabitEthernet0/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 9 11
stp disable
#
return
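An added example (not part of the Huawei guide): a Python audit of a saved configuration file against the requirements this example relies on, namely RRPP enabled globally, every ring enabled, STP disabled on every ring port, and both control VLANs mapped into the protected instance. The rule that the sub-control VLAN is the control VLAN plus 1 is an assumption taken from the outputs shown (10/11 and 20/21); the function names and the faulty variant are constructed.

```python
import re

# Sample input: the SwitchA file from the intersecting-rings example above,
# with the wrapped "ring" lines rejoined and sysname/vlan batch omitted.
GOOD = """\
#
rrpp enable
#
stp region-configuration
instance 1 vlan 2 to 11
active region-configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet0/0/2 secondary-port GigabitEthernet0/0/1 level 0
ring 1 enable
ring 2 node-mode edge common-port GigabitEthernet0/0/2 edge-port GigabitEthernet0/0/3
ring 2 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 11
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 11
stp disable
#
interface GigabitEthernet0/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 9 11
stp disable
#
return
"""
# Constructed faulty variant: sub-control VLAN 11 unmapped, ring 2 not
# enabled, STP left running on the edge port GE0/0/3.
BAD = (GOOD.replace("instance 1 vlan 2 to 11", "instance 1 vlan 2 to 10")
           .replace("ring 2 enable\n", "")
           .replace("vlan 2 to 9 11\nstp disable", "vlan 2 to 9 11"))

def expand(spec):
    """Expand a VRP ID list such as '2 to 9 11' into a set of ints."""
    ids, tok, i = set(), spec.split(), 0
    while i < len(tok):
        ranged = tok[i + 1:i + 2] == ["to"]
        ids.update(range(int(tok[i]), int(tok[i + 2 if ranged else i]) + 1))
        i += 3 if ranged else 1
    return ids

def sections(text):
    """Split a configuration file into blocks delimited by '#' lines."""
    out = [[]]
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("#", "return"):
            out.append([])
        elif line:
            out[-1].append(line)
    return [s for s in out if s]

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    secs, found, mst, stp_off = sections(text), [], {}, set()
    if not any("rrpp enable" in s for s in secs):
        found.append("rrpp enable missing")
    for s in secs:
        if s[0] == "stp region-configuration":
            for m in filter(None, (re.match(r"instance (\d+) vlan (.+)", l) for l in s)):
                mst.setdefault(int(m[1]), set()).update(expand(m[2]))
        elif s[0].startswith("interface ") and "stp disable" in s:
            stp_off.add(s[0].split()[1].lower())
    for s in (s for s in secs if s[0].startswith("rrpp domain ")):
        body = "\n".join(s)
        ctrl = re.search(r"^control-vlan (\d+)$", body, re.M)
        inst = re.search(r"^protected-vlan reference-instance (.+)$", body, re.M)
        protected = set()
        for i in expand(inst[1]) if inst else ():
            protected |= mst.get(i, set())
        # Assumption from the outputs on the page: sub-control VLAN = control VLAN + 1.
        for v in (int(ctrl[1]), int(ctrl[1]) + 1) if ctrl else ():
            if v not in protected:
                found.append(f"{s[0]}: control VLAN {v} not in protected instance")
        for m in re.finditer(r"^ring (\d+) node-mode \S+ \S+-port (\S+) \S+-port (\S+)", body, re.M):
            if f"ring {m[1]} enable" not in s:
                found.append(f"{s[0]}: ring {m[1]} not enabled")
            for port in (m[2], m[3]):
                if port.lower() not in stp_off:
                    found.append(f"{s[0]}: ring {m[1]} port {port} lacks stp disable")
    return found
```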
Networking Requirements
The Ethernet network uses two-layer rings:
• One layer is the aggregation layer between the aggregation devices (PE-AGGs), such as
RRPP Domain 1 in Figure 18-35.
• The other layer is the access layer between PE-AGGs and UPEs, such as RRPP Domain
2 and RRPP Domain 3 in Figure 18-35.
[Figure 18-35: RRPP Domain 1 between PE-AGG1, PE-AGG2, and PE-AGG3 toward the NPE and the
IP/MPLS core; RRPP Domain 2 and RRPP Domain 3 between the PE-AGGs and the UPEs.
Legend: PE-AGG: PE-Aggregation; NPE: Network Provider Edge; UPE: Underlayer Provider Edge.]
As shown in Figure 18-35, the network is required to prevent loops when the ring is complete
and implement fast convergence to rapidly restore communication between nodes on the ring
when the ring fails. RRPP can meet this requirement. RRPP supports multiple rings. You can
configure the aggregation layer and access layer as RRPP rings and the two rings are tangent,
simplifying the network configuration.
As shown in Figure 18-36, SwitchE, SwitchD, SwitchC, SwitchA, and SwitchB map PE-
AGG1, PE-AGG2, PE-AGG3, UPE 1, and UPE 2 in Figure 18-35 respectively. Figure 18-36
is used as an example to describe how to configure tangent RRPP rings with a single instance.
[Figure 18-36: networking diagram of tangent RRPP rings (SwitchA, SwitchB, SwitchD, SwitchE;
interfaces GE0/0/1 and GE0/0/2).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create different RRPP domains and control VLANs to configure an RRPP ring.
2. Map the VLANs that need to pass through Ring 1 to Instance 1, including data VLANs
and control VLANs to configure protected VLANs.
Map the VLANs that need to pass through Ring 2 to Instance 2, including data VLANs
and control VLANs to configure protected VLANs.
3. Configure timers for different RRPP domains.
NOTE
You can configure two timers for the tangent point because the two tangent rings are located in
different domains.
4. Configure interfaces to be added to the RRPP domain on the devices so that data can
pass through the interfaces. Disable protocols that conflict with RRPP, such as STP.
5. Configure protected VLANs and create RRPP rings in RRPP domains.
a. Configure Ring 2 in Domain 2 on SwitchA, SwitchB, and SwitchC.
b. Configure Ring 1 in Domain 1 on SwitchC, SwitchD, and SwitchE.
c. Configure SwitchA as the master node on Ring 2, and configure SwitchB and
SwitchC as transit nodes on Ring 2.
d. Configure SwitchE as the master node on Ring 1, and configure SwitchC and
SwitchD as transit nodes on Ring 1.
6. Enable the RRPP ring and RRPP protocol on devices to make RRPP take effect.
Procedure
Step 1 Configure instance 2, and map it to the data VLANs and control VLANs allowed by the
RRPP interface.
# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, and SwitchE are
similar to the configuration of SwitchA and not mentioned here. For details, see the
configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp region-configuration
[SwitchA-mst-region] instance 2 vlan 20 to 21
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
Step 2 Create RRPP domains and configure control VLANs and protected VLANs in the domains.
# Configure SwitchE. The configurations of SwitchA, SwitchB, SwitchC, and SwitchD are
similar to the configuration of SwitchE and not mentioned here. For details, see the
configuration files.
[SwitchE] rrpp domain 1
[SwitchE-rrpp-domain-region1] control-vlan 10
[SwitchE-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchE-rrpp-domain-region1] quit
Step 4 Configure the interfaces to be added to the RRPP ring as trunk interfaces and disable STP on
the interfaces.
# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, and SwitchE are
similar to the configuration of SwitchA and not mentioned here. For details, see the
configuration files.
# Configure SwitchB as a transit node on Ring 2 (major ring) and specify the primary
and secondary interfaces.
[SwitchB] rrpp domain 2
[SwitchB-rrpp-domain-region2] ring 2 node-mode transit primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[SwitchB-rrpp-domain-region2] ring 2 enable
[SwitchB-rrpp-domain-region2] quit
# Configure SwitchC as a transit node on Ring 2 and specify the primary and secondary
interfaces.
[SwitchC] rrpp domain 2
[SwitchC-rrpp-domain-region2] ring 2 node-mode transit primary-port gigabitethernet 0/0/3 secondary-port gigabitethernet 0/0/4 level 0
[SwitchC-rrpp-domain-region2] ring 2 enable
[SwitchC-rrpp-domain-region2] quit
# Configure SwitchC as a transit node on Ring 1 and specify the primary and secondary
interfaces.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[SwitchC-rrpp-domain-region1] ring 1 enable
[SwitchC-rrpp-domain-region1] quit
# Configure SwitchD as a transit node on Ring 1 and specify the primary and secondary
interfaces.
[SwitchD] rrpp domain 1
[SwitchD-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[SwitchD-rrpp-domain-region1] ring 1 enable
[SwitchD-rrpp-domain-region1] quit
# Configure SwitchA. The configurations on SwitchB, SwitchC, SwitchD, and SwitchE are
the same as that on SwitchA and are not described here. For details, see the configuration files.
[SwitchA] rrpp enable
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 2 sec(default is 1 sec) Fail Timer : 7 sec(default is 6 sec)
Domain Index : 2
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 2
Hello Timer : 3 sec(default is 1 sec) Fail Timer : 10 sec(default is 6 sec)
The command output shows that RRPP is enabled on SwitchC. In Domain 1, the major
control VLAN is VLAN 10, and the sub-control VLAN is VLAN 11. SwitchC is the transit
node on the major ring, with GigabitEthernet0/0/1 as the primary interface and
GigabitEthernet0/0/2 as the secondary interface.
In Domain 2, the major control VLAN is VLAN 20, and the sub-control VLAN is VLAN 21.
SwitchC is a transit node on Ring 2. GigabitEthernet0/0/3 is the primary interface and
GigabitEthernet0/0/4 is the secondary interface.
Run the display rrpp verbose domain command on SwitchC. The command output is as
follows:
# Display detailed information about Domain 1 on SwitchC.
[SwitchC] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 2 sec(default is 1 sec) Fail Timer : 7 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
RRPP Ring : 2
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/3 Port status: UP
Secondary port : GigabitEthernet0/0/4 Port status: UP
----End
Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 20 to 21
#
rrpp enable
#
stp region-configuration
instance 2 vlan 20 to 21
active region-configuration
#
rrpp domain 2
control-vlan 20
protected-vlan reference-instance 2
timer hello-timer 3 fail-timer 10
ring 2 node-mode master primary-port GigabitEthernet0/0/1 secondary-port GigabitEthernet0/0/2 level 0
ring 2 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
return
active region-configuration
#
rrpp domain 2
control-vlan 20
protected-vlan reference-instance 2
timer hello-timer 3 fail-timer 10
ring 2 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port GigabitEthernet0/0/2 level 0
ring 2 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
return
• SwitchC configuration file
#
sysname SwitchC
#
vlan batch 10 to 11 20 to 21
#
rrpp enable
#
stp region-configuration
instance 1 vlan 10 to 11
instance 2 vlan 20 to 21
active region-configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
timer hello-timer 2 fail-timer 7
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port GigabitEthernet0/0/2 level 0
ring 1 enable
rrpp domain 2
control-vlan 20
protected-vlan reference-instance 2
timer hello-timer 3 fail-timer 10
ring 2 node-mode transit primary-port GigabitEthernet0/0/3 secondary-port GigabitEthernet0/0/4 level 0
ring 2 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
interface GigabitEthernet0/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
interface GigabitEthernet0/0/4
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
return
• SwitchD configuration file
#
sysname SwitchD
#
vlan batch 10 to 11
#
rrpp enable
#
stp region-configuration
instance 1 vlan 10 to 11
active region-configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
timer hello-timer 2 fail-timer 7
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port GigabitEthernet0/0/2 level 0
ring 1 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
return
• SwitchE configuration file
#
sysname SwitchE
#
vlan batch 10 to 11
#
rrpp enable
#
stp region-configuration
instance 1 vlan 10 to 11
active region-configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
timer hello-timer 2 fail-timer 7
ring 1 node-mode master primary-port GigabitEthernet0/0/1 secondary-port GigabitEthernet0/0/2 level 0
ring 1 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
Networking Requirements
As shown in Figure 18-37, idle links on the ring network are also required to forward data,
so that data in different VLANs is forwarded along different paths. This improves network
efficiency and implements load balancing.
[Figure 18-37 (diagram not reproduced). Labels: UPEA, UPEB, UPEC and PEAGG on one ring, with interfaces GE0/0/1 and GE0/0/2; PEAGG is Master 1 and Master 2 and connects to the backbone network; CE 1 and CE 2 with VLAN 100-300; Domain 1 ring 1 and Domain 2 ring 1.]
Data Plan
Table 18-6 shows the mapping between protected VLANs and instances in Domain 1 and
Domain 2.
Table 18-7 shows the master node on each ring and the primary and secondary interfaces on
each master node.
Table 18-7 Master node and its primary and secondary interfaces
Ring ID Master Node Primary Port Secondary Port
Configuration Roadmap
The configuration roadmap is as follows:
1. Create different RRPP domains and control VLANs.
2. Map the VLANs that need to pass through Ring 1 in Domain 1 to Instance 1, including
data VLANs and control VLANs.
Map the VLANs that need to pass through Ring 1 in Domain 2 to Instance 2, including
data VLANs and control VLANs.
3. Configure interfaces to be added to the RRPP domain on the devices so that data can
pass through the interfaces. Disable protocols that conflict with RRPP, such as STP.
4. Configure protected VLANs and create RRPP rings in RRPP domains.
a. Add UPEA, UPEB, UPEC, and PEAGG to Ring 1 in Domain 1. Configure PEAGG
as the master node on Ring 1 in Domain 1 and configure UPEA, UPEB, and UPEC
as transit nodes.
b. Add UPEA, UPEB, UPEC, and PEAGG to Ring 1 in Domain 2. Configure PEAGG
as the master node on Ring 1 in Domain 2 and configure UPEA, UPEB, and UPEC
as transit nodes.
5. Enable the RRPP ring and RRPP protocol on devices to make RRPP take effect.
Procedure
Step 1 Create an RRPP domain and its control VLAN.
# Configure UPEA. The configurations on UPEB, UPEC, and PEAGG are similar to that on
UPEA and not mentioned here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname UPEA
[UPEA] rrpp domain 1
[UPEA-rrpp-domain-region1] control-vlan 5
[UPEA-rrpp-domain-region1] quit
[UPEA] rrpp domain 2
[UPEA-rrpp-domain-region2] control-vlan 10
[UPEA-rrpp-domain-region2] quit
Step 2 Configure instances, and map them to the data VLANs and control VLANs allowed by the
RRPP interface.
# Configure UPEA. The configurations on UPEB, UPEC, and PEAGG are the same as that on
UPEA and are not described here. For details, see the configuration files.
[UPEA] vlan batch 100 to 300
[UPEA] stp region-configuration
[UPEA-mst-region] instance 1 vlan 5 6 100 to 200
[UPEA-mst-region] instance 2 vlan 10 11 201 to 300
[UPEA-mst-region] active region-configuration
[UPEA-mst-region] quit
# Configure UPEA. The configurations on UPEB, UPEC, and PEAGG are the same as that on
UPEA and are not described here. For details, see the configuration files.
[UPEA] interface gigabitethernet 0/0/1
[UPEA-GigabitEthernet0/0/1] port link-type trunk
[UPEA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[UPEA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 300
[UPEA-GigabitEthernet0/0/1] stp disable
[UPEA-GigabitEthernet0/0/1] quit
[UPEA] interface gigabitethernet 0/0/2
[UPEA-GigabitEthernet0/0/2] port link-type trunk
[UPEA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[UPEA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 300
[UPEA-GigabitEthernet0/0/2] stp disable
[UPEA-GigabitEthernet0/0/2] quit
Step 4 Specify a protected VLAN, and create and enable an RRPP ring.
# Configure UPEA as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces on UPEA.
[UPEA] rrpp domain 1
[UPEA-rrpp-domain-region1] protected-vlan reference-instance 1
[UPEA-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPEA-rrpp-domain-region1] ring 1 enable
[UPEA-rrpp-domain-region1] quit
# Configure UPEA as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces on UPEA.
[UPEA] rrpp domain 2
[UPEA-rrpp-domain-region2] protected-vlan reference-instance 2
[UPEA-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPEA-rrpp-domain-region2] ring 1 enable
[UPEA-rrpp-domain-region2] quit
# Configure UPEB as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces on UPEB.
[UPEB] rrpp domain 1
[UPEB-rrpp-domain-region1] protected-vlan reference-instance 1
[UPEB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPEB-rrpp-domain-region1] ring 1 enable
[UPEB-rrpp-domain-region1] quit
# Configure UPEB as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces on UPEB.
[UPEB] rrpp domain 2
[UPEB-rrpp-domain-region2] protected-vlan reference-instance 2
[UPEB-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPEB-rrpp-domain-region2] ring 1 enable
[UPEB-rrpp-domain-region2] quit
# Configure UPEC as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces on UPEC.
[UPEC] rrpp domain 1
[UPEC-rrpp-domain-region1] protected-vlan reference-instance 1
[UPEC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPEC-rrpp-domain-region1] ring 1 enable
[UPEC-rrpp-domain-region1] quit
# Configure UPEC as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces on UPEC.
[UPEC] rrpp domain 2
[UPEC-rrpp-domain-region2] protected-vlan reference-instance 2
[UPEC-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPEC-rrpp-domain-region2] ring 1 enable
[UPEC-rrpp-domain-region2] quit
# Configure PEAGG as the master node on Ring 1 in Domain 1, with GE0/0/1 as the primary
interface and GE0/0/2 as the secondary interface.
[PEAGG] rrpp domain 1
[PEAGG-rrpp-domain-region1] protected-vlan reference-instance 1
[PEAGG-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[PEAGG-rrpp-domain-region1] ring 1 enable
[PEAGG-rrpp-domain-region1] quit
# Configure PEAGG as the master node on Ring 1 in Domain 2, with GE0/0/2 as the primary
interface and GE0/0/1 as the secondary interface.
[PEAGG] rrpp domain 2
[PEAGG-rrpp-domain-region2] protected-vlan reference-instance 2
[PEAGG-rrpp-domain-region2] ring 1 node-mode master primary-port gigabitethernet 0/0/2 secondary-port gigabitethernet 0/0/1 level 0
[PEAGG-rrpp-domain-region2] ring 1 enable
[PEAGG-rrpp-domain-region2] quit
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Domain Index : 2
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Domain Index : 2
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
In Domain 1, the major control VLAN is VLAN 5, the protected VLAN is the VLAN mapped
to Instance 1, and the master node on Ring 1 is PEAGG. GigabitEthernet0/0/1 is the primary
interface and GigabitEthernet0/0/2 is the secondary interface.
In Domain 2, the major control VLAN is VLAN 10, the protected VLAN is the VLAN
mapped to Instance 2, and the master node on Ring 1 is PEAGG. GigabitEthernet0/0/2 is the
primary interface and GigabitEthernet0/0/1 is the secondary interface.
# Check detailed information about UPEA in Domain 1. Run the display rrpp verbose
domain command on UPEA. The command output is as follows:
[UPEA] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/1 Port status: UP
Secondary port : GigabitEthernet0/0/2 Port status: UP
The command output shows that the control VLAN in Domain 1 is VLAN 5, and the
protected VLANs are the VLANs mapped to Instance 1. UPEA is a transit node in Domain 1
and is in LinkUp state.
# Check detailed information about UPEA in Domain 2.
[UPEA] display rrpp verbose domain 2
Domain Index : 2
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/1 Port status: UP
Secondary port : GigabitEthernet0/0/2 Port status: UP
The command output shows that, in Domain 2, the control VLAN is VLAN 10 and the
protected VLAN is the VLAN mapped to Instance 2. UPEA is a transit node in Domain 2 and
is in LinkUp state.
Run the display rrpp verbose domain command on PEAGG. The command output is as
follows:
# Check detailed information about PEAGG in Domain 1.
[PEAGG] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/1 Port status: UP
Secondary port : GigabitEthernet0/0/2 Port status: BLOCKED
The command output shows that the control VLAN in Domain 1 is VLAN 5, and the
protected VLANs are the VLANs mapped to Instance 1.
PEAGG is the master node in Domain 1 and is in Complete state.
The primary interface is GigabitEthernet0/0/1 and the secondary interface is
GigabitEthernet0/0/2.
# Check detailed information about PEAGG in Domain 2.
[PEAGG] display rrpp verbose domain 2
Domain Index : 2
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/2 Port status: UP
Secondary port : GigabitEthernet0/0/1 Port status: BLOCKED
The command output shows that, in Domain 2, the control VLAN is VLAN 10, and the
protected VLAN is the VLAN mapped to Instance 2.
PEAGG is the master node in Domain 2 and is in Complete state.
The primary interface is GigabitEthernet0/0/2 and the secondary interface is
GigabitEthernet0/0/1.
----End
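The display output above can be checked mechanically. The following Python sketch is an added example, not part of the Huawei guide: it parses display rrpp verbose domain text and flags a master whose ring is Complete without a BLOCKED secondary port, and a master that blocks the same port in two domains, which would defeat the load balancing configured in this example. The function names and the two faulty outputs are constructed for illustration.

```python
import re

# "display rrpp verbose domain 1" and "domain 2" on PEAGG, as printed on this page.
PEAGG_OUTPUT = """\
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/1 Port status: UP
Secondary port : GigabitEthernet0/0/2 Port status: BLOCKED
Domain Index : 2
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/2 Port status: UP
Secondary port : GigabitEthernet0/0/1 Port status: BLOCKED
"""

# Constructed fault: the Domain 1 master no longer blocks its secondary port.
CONSTRUCTED_LOOP = PEAGG_OUTPUT.replace(
    "GigabitEthernet0/0/2 Port status: BLOCKED", "GigabitEthernet0/0/2 Port status: UP")

# Constructed fault: both domains use the same primary/secondary ports on the master.
CONSTRUCTED_NO_BALANCE = (PEAGG_OUTPUT
    .replace("Primary port : GigabitEthernet0/0/2", "Primary port : GigabitEthernet0/0/1")
    .replace("Secondary port : GigabitEthernet0/0/1", "Secondary port : GigabitEthernet0/0/2"))

FIELD = re.compile(r"(Domain Index|RRPP Ring|Node Mode|Ring State)\s*:\s*(\S+)")
PORT = re.compile(r"(Primary|Secondary) port\s*:\s*(\S+)\s+Port status\s*:\s*(\S+)")

def parse_rings(text):
    """Return one dict per 'RRPP Ring' block, tagged with its domain index."""
    rings, domain, ring = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := PORT.match(line):
            if ring is not None:
                ring[m[1].lower()] = {"port": m[2], "status": m[3].upper()}
        elif m := FIELD.match(line):
            key, value = m.groups()
            if key == "Domain Index":
                domain, ring = int(value), None
            elif key == "RRPP Ring":
                ring = {"domain": domain, "ring": int(value)}
                rings.append(ring)
            elif ring is not None:
                ring[key] = value
    return rings

def check(text):
    """Return findings; an empty list means the states match those shown on this page."""
    findings, blocked = [], {}
    for r in parse_rings(text):
        tag = f"domain {r['domain']} ring {r['ring']}"
        mode, state = r.get("Node Mode"), r.get("Ring State")
        sec = r.get("secondary", {"port": "?", "status": "?"})
        if mode == "Master":
            if state != "Complete":
                findings.append(f"{tag}: master reports Ring State {state}, expected Complete")
            elif sec["status"] != "BLOCKED":
                findings.append(f"{tag}: Complete but {sec['port']} is {sec['status']}, loop risk")
            else:
                blocked.setdefault(sec["port"], []).append(tag)
        elif mode == "Transit" and state != "LinkUp":
            findings.append(f"{tag}: transit node reports Ring State {state}")
    for port, tags in sorted(blocked.items()):
        if len(tags) > 1:
            findings.append(f"{port} is blocked for {' and '.join(tags)}: no load balancing")
    return findings

if __name__ == "__main__":
    for label, text in (("page", PEAGG_OUTPUT), ("loop", CONSTRUCTED_LOOP)):
        print(label, check(text))
```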
Configuration Files
• UPEA configuration file
#
sysname UPEA
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port GigabitEthernet0/0/2 level 0
ring 1 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port GigabitEthernet0/0/2 level 0
ring 1 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
return
• UPEB configuration file
#
sysname UPEB
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port GigabitEthernet0/0/2 level 0
ring 1 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port GigabitEthernet0/0/2 level 0
ring 1 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
return
• UPEC configuration file
#
sysname UPEC
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port GigabitEthernet0/0/2 level 0
ring 1 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port GigabitEthernet0/0/2 level 0
ring 1 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
return
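Added example, not part of the Huawei guide: a Python audit for configuration files such as those listed for the tangent rings (SwitchA to SwitchE) and for the multi-instance ring (UPEA to UPEC). It checks that each RRPP ring port is a trunk with STP disabled, that the control VLAN and sub-control VLAN belong to the protected instance, and that no VLAN is allowed on a ring port without being protected. That last rule and all function names are this example's assumptions, on the reasoning that such a VLAN is covered by neither STP nor RRPP.

```python
import re

# UPEA configuration file from this page (audited lines only, ring commands unwrapped).
UPEA_CONFIG = """\
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port GigabitEthernet0/0/2 level 0
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port GigabitEthernet0/0/2 level 0
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
"""

# Constructed faulty variant: VLAN 1 left on GE0/0/1, sub-control VLAN 11 unmapped.
CONSTRUCTED_BAD = (UPEA_CONFIG.replace("undo port trunk allow-pass vlan 1\n", "", 1)
                   .replace("instance 2 vlan 10 to 11", "instance 2 vlan 10"))

def vlan_set(spec):
    """Expand a VLAN list such as '5 to 6 100 to 200' into a set of IDs."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        lo = hi = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            hi, i = int(tokens[i + 2]), i + 2
        vlans.update(range(lo, hi + 1))
        i += 1
    return vlans

def parse(config):
    """Return (instance -> VLANs, domain -> settings, interface -> settings)."""
    instances, domains, ports = {}, {}, {}
    dom = port = None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"instance (\d+) vlan (.+)", line):
            instances.setdefault(int(m[1]), set()).update(vlan_set(m[2]))
        elif m := re.match(r"rrpp domain (\d+)", line):
            dom, port = domains.setdefault(int(m[1]), {"ports": set()}), None
        elif m := re.match(r"interface (\S+)", line):
            # VLAN 1 is allowed on a trunk until it is explicitly removed.
            dom, port = None, ports.setdefault(m[1], {"trunk": False, "stp_off": False, "allowed": {1}})
        elif line == "#":
            dom = port = None
        elif dom is not None and (m := re.match(r"control-vlan (\d+)", line)):
            dom["control"] = int(m[1])
        elif dom is not None and (m := re.match(r"protected-vlan reference-instance (\d+)", line)):
            dom["instance"] = int(m[1])
        elif dom is not None and " node-mode " in line:
            dom["ports"].update(re.findall(r"-port (\S+)", line))
        elif port is not None and line in ("port link-type trunk", "stp disable"):
            port["trunk" if "trunk" in line else "stp_off"] = True
        elif port is not None and (m := re.match(r"(undo )?port trunk allow-pass vlan (.+)", line)):
            vlans = vlan_set(m[2])
            port["allowed"] = port["allowed"] - vlans if m[1] else port["allowed"] | vlans
    return instances, domains, ports

def audit(config):
    """List findings; an empty list means ring ports and protected VLANs agree."""
    instances, domains, ports = parse(config)
    findings, covered = [], {}
    for d, dom in sorted(domains.items()):
        protected = instances.get(dom.get("instance"), set())
        ctrl = dom.get("control")
        # Major control VLAN and sub-control VLAN (control + 1) must be protected.
        lost = {ctrl, ctrl + 1} - protected if ctrl is not None else set()
        if lost:
            findings.append(f"domain {d}: control VLANs {sorted(lost)} not protected")
        for name in sorted(dom["ports"]):
            covered.setdefault(name, set()).update(protected)
            p = ports.get(name)
            if p is None or not (p["trunk"] and p["stp_off"]):
                findings.append(f"domain {d}: {name} is not a trunk with STP disabled")
            elif protected - p["allowed"]:
                findings.append(f"domain {d}: {name} does not pass all protected VLANs")
    for name, protected in sorted(covered.items()):
        stray = ports.get(name, {"allowed": set()})["allowed"] - protected
        if stray:  # forwarded on a ring port, blocked by neither STP nor RRPP
            findings.append(f"{name}: VLANs {sorted(stray)} allowed but not protected")
    return findings

if __name__ == "__main__":
    for label, cfg in (("page", UPEA_CONFIG), ("constructed", CONSTRUCTED_BAD)):
        print(label, audit(cfg))
```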
Networking Requirements
As shown in Figure 18-38, idle links on the ring network are also required to forward data,
so that data in different VLANs is forwarded along different paths. This improves network
efficiency and implements load balancing.
Figure 18-38 Networking diagram of intersecting RRPP rings with multiple instances
[Diagram not reproduced. Labels: backbone network; PEAGG (Master 1 and Master 2) with GE0/0/1 and GE0/0/2; UPEA and UPED with GE0/0/1 and GE0/0/2; Domain 1 ring 1 and Domain 2 ring 1; Domain 1 and Domain 2.]
Data Plan
Table 18-8 shows the mapping between protected VLANs and instances in Domain 1 and
Domain 2.
Table 18-9 shows the master node on each ring and the primary and secondary interfaces on
each master node.
Table 18-9 Master node and its primary and secondary interfaces
Table 18-10 shows the edge nodes, assistant edge nodes, common interface, and edge
interfaces of the sub-rings.
Table 18-10 Edge nodes, assistant edge nodes, common interface, and edge interfaces of the
sub-rings
Configuration Roadmap
The configuration roadmap is as follows:
1. Create different RRPP domains and control VLANs.
2. Map the VLANs that need to pass through Domain 1 to Instance 1, including data
VLANs and control VLANs.
Map the VLANs that need to pass through Domain 2 to Instance 2, including data
VLANs and control VLANs.
3. Configure interfaces to be added to the RRPP domain on the devices so that data can
pass through the interfaces. Disable protocols that conflict with RRPP, such as STP.
4. Configure protected VLANs and create RRPP rings in RRPP domains.
a. Add UPEA, UPEB, UPEC, UPED, and PEAGG to Ring 1 in Domain 1 and Ring 1
in Domain 2.
b. Add CE1, UPEB, and UPEC to Ring 2 in Domain 1 and Ring 2 in Domain 2.
c. Add CE2, UPEB, and UPEC to Ring 3 in Domain 1 and Ring 3 in Domain 2.
d. Configure PEAGG as the master node and configure UPEA, UPEB, UPEC, and
UPED as transit nodes on Ring 1 in Domain 1 and Ring 1 in Domain 2.
e. Configure CE1 as the master node, UPEB as an edge node, and UPEC as an
assistant edge node on Ring 2 in Domain 1 and Ring 2 in Domain 2.
f. Configure CE2 as the master node, UPEB as an edge node, and UPEC as an
assistant edge node on Ring 3 in Domain 1 and Ring 3 in Domain 2.
5. To prevent topology flapping, set the LinkUp timer on the master nodes.
6. To reduce the Edge-Hello packets sent on the major ring and increase available
bandwidth, add the four sub-rings to a ring group.
7. Enable the RRPP ring and RRPP protocol on devices to make RRPP take effect.
Procedure
Step 1 Configure instances, and map them to the data VLANs and control VLANs allowed by the
RRPP interface.
# Configure CE1. The configurations on CE2, UPEA, UPEB, UPEC, UPED, and PEAGG are
the same as that on CE1 and are not described here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname CE1
# Configure CE1. The configurations on CE2, UPEA, UPEB, UPEC, UPED, and PEAGG are
the same as that on CE1 and are not described here. For details, see the configuration files.
[CE1] vlan batch 100 to 300
[CE1] interface gigabitethernet 0/0/1
[CE1-GigabitEthernet0/0/1] port link-type trunk
[CE1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[CE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 300
[CE1-GigabitEthernet0/0/1] stp disable
[CE1-GigabitEthernet0/0/1] quit
[CE1] interface gigabitethernet 0/0/2
[CE1-GigabitEthernet0/0/2] port link-type trunk
[CE1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[CE1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 300
[CE1-GigabitEthernet0/0/2] stp disable
[CE1-GigabitEthernet0/0/2] quit
Step 3 Create RRPP domains and configure protected VLANs and control VLANs.
# Configure CE1. The configurations on CE2, UPEA, UPEB, UPEC, UPED, and PEAGG are
the same as that on CE1 and are not described here. For details, see the configuration files.
[CE1] rrpp domain 1
[CE1-rrpp-domain-region1] protected-vlan reference-instance 1
[CE1-rrpp-domain-region1] control-vlan 5
[CE1-rrpp-domain-region1] quit
[CE1] rrpp domain 2
[CE1-rrpp-domain-region2] protected-vlan reference-instance 2
[CE1-rrpp-domain-region2] control-vlan 10
[CE1-rrpp-domain-region2] quit
# Configure PEAGG as the master node on Ring 1 in Domain 1, with GE0/0/1 as the primary
interface and GE0/0/2 as the secondary interface.
[PEAGG] rrpp domain 1
[PEAGG-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[PEAGG-rrpp-domain-region1] ring 1 enable
[PEAGG-rrpp-domain-region1] quit
# Configure PEAGG as the master node on Ring 1 in Domain 2, with GE0/0/2 as the primary
interface and GE0/0/1 as the secondary interface.
[PEAGG] rrpp domain 2
[PEAGG-rrpp-domain-region2] ring 1 node-mode master primary-port gigabitethernet 0/0/2 secondary-port gigabitethernet 0/0/1 level 0
[PEAGG-rrpp-domain-region2] ring 1 enable
[PEAGG-rrpp-domain-region2] quit
# Configure UPEA as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces.
[UPEA] rrpp domain 1
[UPEA-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPEA-rrpp-domain-region1] ring 1 enable
[UPEA-rrpp-domain-region1] quit
# Configure UPEA as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces.
[UPEA] rrpp domain 2
[UPEA-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPEA-rrpp-domain-region2] ring 1 enable
[UPEA-rrpp-domain-region2] quit
# Configure UPED as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces.
[UPED] rrpp domain 1
[UPED-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPED-rrpp-domain-region1] ring 1 enable
[UPED-rrpp-domain-region1] quit
# Configure UPED as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces.
[UPED] rrpp domain 2
[UPED-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPED-rrpp-domain-region2] ring 1 enable
[UPED-rrpp-domain-region2] quit
# Configure UPEB as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces.
[UPEB] rrpp domain 1
[UPEB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPEB-rrpp-domain-region1] ring 1 enable
[UPEB-rrpp-domain-region1] quit
# Configure UPEB as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces.
[UPEB] rrpp domain 2
[UPEB-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPEB-rrpp-domain-region2] ring 1 enable
[UPEB-rrpp-domain-region2] quit
# Configure UPEB as an edge node on Ring 2 in Domain 1, with GE0/0/1 as the common
interface and GE0/0/3 as the edge interface.
[UPEB] rrpp domain 1
[UPEB-rrpp-domain-region1] ring 2 node-mode edge common-port gigabitethernet 0/0/1 edge-port gigabitethernet 0/0/3
[UPEB-rrpp-domain-region1] ring 2 enable
[UPEB-rrpp-domain-region1] quit
# Configure UPEB as an edge node on Ring 2 in Domain 2, with GE0/0/1 as the common
interface and GE0/0/3 as the edge interface.
[UPEB] rrpp domain 2
[UPEB-rrpp-domain-region2] ring 2 node-mode edge common-port gigabitethernet 0/0/1 edge-port gigabitethernet 0/0/3
[UPEB-rrpp-domain-region2] ring 2 enable
[UPEB-rrpp-domain-region2] quit
# Configure UPEB as an edge node on Ring 3 in Domain 1, with GE0/0/1 as the common
interface and GE0/0/4 as the edge interface.
[UPEB] rrpp domain 1
[UPEB-rrpp-domain-region1] ring 3 node-mode edge common-port gigabitethernet
# Configure UPEB as an edge node on Ring 3 in Domain 2, with GE0/0/1 as the common
interface and GE0/0/4 as the edge interface.
[UPEB] rrpp domain 2
[UPEB-rrpp-domain-region2] ring 3 node-mode edge common-port gigabitethernet 0/0/1 edge-port gigabitethernet 0/0/4
[UPEB-rrpp-domain-region2] ring 3 enable
[UPEB-rrpp-domain-region2] quit
# Configure UPEC as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces.
[UPEC] rrpp domain 1
[UPEC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPEC-rrpp-domain-region1] ring 1 enable
[UPEC-rrpp-domain-region1] quit
# Configure UPEC as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces.
[UPEC] rrpp domain 2
[UPEC-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPEC-rrpp-domain-region2] ring 1 enable
[UPEC-rrpp-domain-region2] quit
# Configure UPEC as an assistant edge node on Ring 2 in Domain 1, with GE0/0/2 as the
common interface and GE0/0/4 as the edge interface.
[UPEC] rrpp domain 1
[UPEC-rrpp-domain-region1] ring 2 node-mode assistant-edge common-port gigabitethernet 0/0/2 edge-port gigabitethernet 0/0/4
[UPEC-rrpp-domain-region1] ring 2 enable
[UPEC-rrpp-domain-region1] quit
# Configure UPEC as an assistant edge node on Ring 2 in Domain 2, with GE0/0/2 as the
common interface and GE0/0/4 as the edge interface.
[UPEC] rrpp domain 2
[UPEC-rrpp-domain-region2] ring 2 node-mode assistant-edge common-port gigabitethernet 0/0/2 edge-port gigabitethernet 0/0/4
[UPEC-rrpp-domain-region2] ring 2 enable
[UPEC-rrpp-domain-region2] quit
# Configure UPEC as an assistant edge node on Ring 3 in Domain 1, with GE0/0/2 as the
common interface and GE0/0/3 as the edge interface.
[UPEC] rrpp domain 1
[UPEC-rrpp-domain-region1] ring 3 node-mode assistant-edge common-port gigabitethernet 0/0/2 edge-port gigabitethernet 0/0/3
[UPEC-rrpp-domain-region1] ring 3 enable
[UPEC-rrpp-domain-region1] quit
# Configure UPEC as an assistant edge node on Ring 3 in Domain 2, with GE0/0/2 as the
common interface and GE0/0/3 as the edge interface.
[UPEC] rrpp domain 2
[UPEC-rrpp-domain-region2] ring 3 node-mode assistant-edge common-port
gigabitethernet 0/0/2 edge-port gigabitethernet 0/0/3
[UPEC-rrpp-domain-region2] ring 3 enable
[UPEC-rrpp-domain-region2] quit
# Configure CE1 as the master node on Ring 2 in Domain 1, with GE0/0/1 as the primary
interface and GE0/0/2 as the secondary interface.
[CE1] rrpp domain 1
[CE1-rrpp-domain-region1] ring 2 node-mode master primary-port gigabitethernet
0/0/1 secondary-port gigabitethernet 0/0/2 level 1
[CE1-rrpp-domain-region1] ring 2 enable
[CE1-rrpp-domain-region1] quit
# Configure CE1 as the master node on Ring 2 in Domain 2, with GE0/0/2 as the primary
interface and GE0/0/1 as the secondary interface.
[CE1] rrpp domain 2
[CE1-rrpp-domain-region2] ring 2 node-mode master primary-port gigabitethernet
0/0/2 secondary-port gigabitethernet 0/0/1 level 1
[CE1-rrpp-domain-region2] ring 2 enable
[CE1-rrpp-domain-region2] quit
# Configure CE2 as the master node on Ring 3 in Domain 1, with GE0/0/1 as the primary
interface and GE0/0/2 as the secondary interface.
[CE2] rrpp domain 1
[CE2-rrpp-domain-region1] ring 3 node-mode master primary-port gigabitethernet
0/0/1 secondary-port gigabitethernet 0/0/2 level 1
[CE2-rrpp-domain-region1] ring 3 enable
[CE2-rrpp-domain-region1] quit
# Configure CE2 as the master node on Ring 3 in Domain 2, with GE0/0/2 as the primary
interface and GE0/0/1 as the secondary interface.
[CE2] rrpp domain 2
[CE2-rrpp-domain-region2] ring 3 node-mode master primary-port gigabitethernet
0/0/2 secondary-port gigabitethernet 0/0/1 level 1
[CE2-rrpp-domain-region2] ring 3 enable
[CE2-rrpp-domain-region2] quit
# Create ring group 1 on UPEB, which consists of four sub-rings: Ring 2 in Domain 1, Ring 3
in Domain 1, Ring 2 in Domain 2, and Ring 3 in Domain 2.
[UPEB] rrpp ring-group 1
[UPEB-rrpp-ring-group1] domain 1 ring 2 to 3
[UPEB-rrpp-ring-group1] domain 2 ring 2 to 3
[UPEB-rrpp-ring-group1] quit
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Domain Index : 2
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
On Ring 2, UPEB is the edge node. GE0/0/1 is the common interface and GE0/0/3 is the edge
interface.
On Ring 3, UPEB is the edge node. GE0/0/1 is the common interface and GE0/0/4 is the edge
interface.
# Run the display rrpp brief command on PEAGG. The command output is as follows:
[PEAGG] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Domain Index : 2
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
The command output shows that RRPP is enabled on PEAGG, and the LinkUp timer is 2
seconds.
In Domain 1, the major control VLAN is VLAN 5, the protected VLAN is the VLAN mapped
to Instance 1, and the master node on Ring 1 is PEAGG. The primary interface is GE0/0/1
and the secondary interface is GE0/0/2.
In Domain 2, the major control VLAN is VLAN 10, the protected VLAN is the VLAN
mapped to Instance 2, and the master node on Ring 1 is PEAGG. The primary interface is
GE0/0/2 and the secondary interface is GE0/0/1.
Run the display rrpp verbose domain command on UPEB. The command output is as
follows:
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/1 Port status: UP
Secondary port : GigabitEthernet0/0/2 Port status: UP
RRPP Ring : 2
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Common port : GigabitEthernet0/0/1 Port status: UP
Edge port : GigabitEthernet0/0/3 Port status: UP
RRPP Ring : 3
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Common port : GigabitEthernet0/0/1 Port status: UP
Edge port : GigabitEthernet0/0/4 Port status: UP
The command output shows that the control VLAN in Domain 1 is VLAN 5, and the
protected VLANs are the VLANs mapped to Instance 1.
UPEB is the edge node on Ring 2 in Domain 1 and is in LinkUp state. GE0/0/1 is the
common interface and GE0/0/3 is the edge interface.
UPEB is the edge node on Ring 3 in Domain 1 and is in LinkUp state. GE0/0/1 is the
common interface and GE0/0/4 is the edge interface.
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/1 Port status: UP
Secondary port : GigabitEthernet0/0/2 Port status: UP
RRPP Ring : 2
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Common port : GigabitEthernet0/0/1 Port status: UP
Edge port : GigabitEthernet0/0/3 Port status: UP
RRPP Ring : 3
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Common port : GigabitEthernet0/0/1 Port status: UP
Edge port : GigabitEthernet0/0/4 Port status: UP
You can find that, in Domain 2, the control VLAN is VLAN 10, and the protected VLAN is
the VLAN mapped to Instance 2.
UPEB is the edge node on Ring 2 in Domain 2 and is in LinkUp state. GE0/0/1 is the
common interface and GE0/0/3 is the edge interface.
UPEB is the edge node on Ring 3 in Domain 2 and is in LinkUp state. GE0/0/1 is the
common interface and GE0/0/4 is the edge interface.
Run the display rrpp verbose domain 1 command on PEAGG. The command output is as
follows:
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/1 Port status: UP
Secondary port : GigabitEthernet0/0/2 Port status: BLOCKED
The command output shows that the control VLAN in Domain 1 is VLAN 5, and the
protected VLANs are the VLANs mapped to Instance 1.
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/2 Port status: UP
Secondary port : GigabitEthernet0/0/1 Port status: BLOCKED
The command output shows that, in Domain 2, the control VLAN is VLAN 10, and the
protected VLAN is the VLAN mapped to Instance 2.
Run the display rrpp ring-group command on UPEB to check the configuration of the ring
group.
----End
Configuration Files
• CE1 configuration file
#
sysname CE1
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
rrpp linkup-delay-timer 1
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 2 node-mode master primary-port GigabitEthernet0/0/1 secondary-port
GigabitEthernet0/0/2 level 1
ring 2 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 2 node-mode master primary-port GigabitEthernet0/0/2 secondary-port
GigabitEthernet0/0/1 level 1
ring 2 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
return
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
return
• UPEA configuration file
#
sysname UPEA
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port
GigabitEthernet0/0/2 level 0
ring 1 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port
GigabitEthernet0/0/2 level 0
ring 1 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
return
• UPEB configuration file
#
sysname UPEB
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port
GigabitEthernet0/0/2 level 0
ring 1 enable
ring 2 node-mode edge common-port GigabitEthernet0/0/1 edge-port
GigabitEthernet0/0/3
ring 2 enable
ring 3 node-mode edge common-port GigabitEthernet0/0/1 edge-port
GigabitEthernet0/0/4
ring 3 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port
GigabitEthernet0/0/2 level 0
ring 1 enable
ring 2 node-mode edge common-port GigabitEthernet0/0/1 edge-port
GigabitEthernet0/0/3
ring 2 enable
ring 3 node-mode edge common-port GigabitEthernet0/0/1 edge-port
GigabitEthernet0/0/4
ring 3 enable
#
rrpp ring-group 1
domain 1 ring 2 to 3
domain 2 ring 2 to 3
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet0/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
interface GigabitEthernet0/0/4
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
return
• UPEC configuration file
#
sysname UPEC
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port
GigabitEthernet0/0/2 level 0
ring 1 enable
ring 2 node-mode assistant-edge common-port GigabitEthernet0/0/2 edge-port
GigabitEthernet0/0/4
ring 2 enable
ring 3 node-mode assistant-edge common-port GigabitEthernet0/0/2 edge-port
GigabitEthernet0/0/3
ring 3 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port
GigabitEthernet0/0/2 level 0
ring 1 enable
ring 2 node-mode assistant-edge common-port GigabitEthernet0/0/2 edge-port
GigabitEthernet0/0/4
ring 2 enable
ring 3 node-mode assistant-edge common-port GigabitEthernet0/0/2 edge-port
GigabitEthernet0/0/3
ring 3 enable
#
rrpp ring-group 1
domain 1 ring 2 to 3
domain 2 ring 2 to 3
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet0/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
interface GigabitEthernet0/0/4
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6 11 100 to 300
stp disable
#
return
• UPED configuration file
#
sysname UPED
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port
GigabitEthernet0/0/2 level 0
ring 1 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port
GigabitEthernet0/0/2 level 0
ring 1 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
return
Networking Requirements
As shown in Figure 18-39, on a ring network, idle links are required to forward data. In this
way, data in different VLANs is forwarded along different paths, improving network
efficiency and implementing load balancing.
Figure 18-39 Networking diagram of tangent RRPP rings with multiple instances
Data Plan
Table 18-11 shows the mapping between protected VLANs and instances in Domain 1,
Domain 2, and Domain 3.
Table 18-12 shows the master node on each ring, and its primary and secondary interfaces.
Table 18-12 Master node and its primary and secondary interfaces
Ring ID Master Node Primary Port Secondary Port
Configuration Roadmap
The configuration roadmap is as follows:
1. Create different RRPP domains and control VLANs.
2. Map the VLANs that need to pass through the domain to the instance.
3. Configure interfaces to be added to the RRPP domain on the devices so that data can
pass through the interfaces. Disable protocols that conflict with RRPP, such as STP.
4. Configure protected VLANs and create RRPP rings in RRPP domains.
a. Add UPEA, UPEB, UPEC, and UPED to Ring 1 in Domain 1 and Ring 1 in
Domain 2.
b. Add UPED, UPEE, UPEF, and UPEG to Ring 1 in Domain 3.
c. Configure UPED as the master node and configure UPEA, UPEB, and UPEC as
transit nodes on Ring 1 in Domain 1 and Ring 1 in Domain 2.
d. Configure UPEF as the master node and configure UPED, UPEE, and UPEG as
transit nodes on Ring 1 in Domain 3.
5. Enable the RRPP ring and RRPP protocol on devices to make RRPP take effect.
Procedure
Step 1 Configure instances and map them to the data VLANs and control VLANs allowed by the RRPP
interfaces.
# Configure UPEA. The configurations on UPEB, UPEC, UPED, UPEE, UPEF, and UPEG
are the same as those on UPEA and are not described here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname UPEA
[UPEA] stp region-configuration
[UPEA-mst-region] instance 1 vlan 5 6 100 to 200
[UPEA-mst-region] instance 2 vlan 10 11 201 to 300
[UPEA-mst-region] active region-configuration
[UPEA-mst-region] quit
[UPEA-GigabitEthernet0/0/1] quit
[UPEA] interface gigabitethernet 0/0/2
[UPEA-GigabitEthernet0/0/2] port link-type trunk
[UPEA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[UPEA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 300
[UPEA-GigabitEthernet0/0/2] stp disable
[UPEA-GigabitEthernet0/0/2] quit
Step 3 Create RRPP domains and configure protected VLANs and control VLANs.
# Configure UPEA. The configurations on UPEB, UPEC, UPED, UPEE, UPEF, and UPEG
are similar to those on UPEA and are not described here. For details, see the configuration files.
[UPEA] rrpp domain 1
[UPEA-rrpp-domain-region1] protected-vlan reference-instance 1
[UPEA-rrpp-domain-region1] control-vlan 5
[UPEA-rrpp-domain-region1] quit
[UPEA] rrpp domain 2
[UPEA-rrpp-domain-region2] protected-vlan reference-instance 2
[UPEA-rrpp-domain-region2] control-vlan 10
[UPEA-rrpp-domain-region2] quit
# Configure UPEA as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces on UPEA.
[UPEA] rrpp domain 2
[UPEA-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPEA-rrpp-domain-region2] ring 1 enable
[UPEA-rrpp-domain-region2] quit
# Configure UPEB as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces on UPEB.
[UPEB] rrpp domain 1
[UPEB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPEB-rrpp-domain-region1] ring 1 enable
[UPEB-rrpp-domain-region1] quit
# Configure UPEB as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces on UPEB.
[UPEB] rrpp domain 2
[UPEB-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPEB-rrpp-domain-region2] ring 1 enable
[UPEB-rrpp-domain-region2] quit
# Configure UPEC as a transit node on Ring 1 in Domain 1 and specify primary and
secondary interfaces on UPEC.
[UPEC] rrpp domain 1
[UPEC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPEC-rrpp-domain-region1] ring 1 enable
[UPEC-rrpp-domain-region1] quit
# Configure UPEC as a transit node on Ring 1 in Domain 2 and specify primary and
secondary interfaces on UPEC.
[UPEC] rrpp domain 2
[UPEC-rrpp-domain-region2] ring 1 node-mode transit primary-port gigabitethernet
0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPEC-rrpp-domain-region2] ring 1 enable
[UPEC-rrpp-domain-region2] quit
# Configure UPED as the master node on Ring 1 in Domain 1 and specify GE0/0/1 as the
primary interface and GE0/0/2 as the secondary interface on UPED.
[UPED] rrpp domain 1
[UPED-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet
0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPED-rrpp-domain-region1] ring 1 enable
[UPED-rrpp-domain-region1] quit
# Configure UPED as the master node on Ring 1 in Domain 2 and specify GE0/0/2 as the
primary interface and GE0/0/1 as the secondary interface on UPED.
[UPED] rrpp domain 2
[UPED-rrpp-domain-region2] ring 1 node-mode master primary-port gigabitethernet
0/0/2 secondary-port gigabitethernet 0/0/1 level 0
[UPED-rrpp-domain-region2] ring 1 enable
[UPED-rrpp-domain-region2] quit
# Configure UPED as a transit node on Ring 1 in Domain 3 and specify primary and
secondary interfaces on UPED.
[UPED] rrpp domain 3
[UPED-rrpp-domain-region3] ring 1 node-mode transit primary-port gigabitethernet
0/0/3 secondary-port gigabitethernet 0/0/4 level 0
[UPED-rrpp-domain-region3] ring 1 enable
[UPED-rrpp-domain-region3] quit
# Configure UPEE as a transit node on Ring 1 in Domain 3 and specify primary and
secondary interfaces on UPEE.
[UPEE] rrpp domain 3
[UPEE-rrpp-domain-region3] ring 1 node-mode transit primary-port gigabitethernet
0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPEE-rrpp-domain-region3] ring 1 enable
[UPEE-rrpp-domain-region3] quit
# Configure UPEF as the master node on Ring 1 in Domain 3 and specify GE0/0/1 as the
primary interface and GE0/0/2 as the secondary interface on UPEF.
# Configure UPEG as a transit node on Ring 1 in Domain 3 and specify primary and
secondary interfaces.
[UPEG] rrpp domain 3
[UPEG-rrpp-domain-region3] ring 1 node-mode transit primary-port gigabitethernet
0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[UPEG-rrpp-domain-region3] ring 1 enable
[UPEG-rrpp-domain-region3] quit
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Domain Index : 2
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Domain Index : 3
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1 to 3
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
The major control VLAN is VLAN 20, and the protected VLANs are the VLANs mapped to
instances 1 to 3.
UPED is a transit node on Ring 1. GigabitEthernet0/0/3 is the primary interface and
GigabitEthernet0/0/4 is the secondary interface.
Run the display rrpp verbose domain command on UPED. The command output is as
follows:
# Check detailed information about UPED in Domain 1.
[UPED] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/1 Port status: UP
Secondary port : GigabitEthernet0/0/2 Port status: BLOCKED
The command output shows that the control VLAN in Domain 1 is VLAN 5, and the
protected VLANs are the VLANs mapped to Instance 1.
UPED is the master node in Domain 1 and is in Complete state.
The primary interface is GigabitEthernet0/0/1 and the secondary interface is
GigabitEthernet0/0/2.
# Check detailed information about UPED in Domain 2.
[UPED] display rrpp verbose domain 2
Domain Index : 2
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/2 Port status: UP
Secondary port : GigabitEthernet0/0/1 Port status: BLOCKED
The command output shows that, in Domain 2, the control VLAN is VLAN 10, and the
protected VLAN is the VLAN mapped to Instance 2.
UPED is the master node in Domain 2 and is in Complete state.
The primary interface is GigabitEthernet0/0/2 and the secondary interface is
GigabitEthernet0/0/1.
# Check detailed information about UPED in Domain 3.
[UPED] display rrpp verbose domain 3
Domain Index : 3
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1 to 3
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/3 Port status: UP
Secondary port : GigabitEthernet0/0/4 Port status: UP
The command output shows that, in Domain 3, the control VLAN is VLAN 20 and the
protected VLANs are the VLANs mapped to instances 1 to 3.
UPED is a transit node in Domain 3 and is in LinkUp state.
The primary interface is GigabitEthernet0/0/3 and the secondary interface is
GigabitEthernet0/0/4.
----End
Configuration Files
• UPEA configuration file
#
sysname UPEA
#
vlan batch 5 to 6 10 to 11 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port
GigabitEthernet0/0/2 level 0
ring 1 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port
GigabitEthernet0/0/2 level 0
ring 1 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
return
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port
GigabitEthernet0/0/2 level 0
ring 1 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port
GigabitEthernet0/0/2 level 0
ring 1 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
return
#
return
• UPED configuration file
#
sysname UPED
#
vlan batch 5 to 6 10 to 11 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100 to 200
instance 2 vlan 10 to 11 201 to 300
instance 3 vlan 20 to 21
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet0/0/1 secondary-port
GigabitEthernet0/0/2 level 0
ring 1 enable
rrpp domain 2
control-vlan 10
protected-vlan reference-instance 2
ring 1 node-mode master primary-port GigabitEthernet0/0/2 secondary-port
GigabitEthernet0/0/1 level 0
ring 1 enable
rrpp domain 3
control-vlan 20
protected-vlan reference-instance 1 to 3
ring 1 node-mode transit primary-port GigabitEthernet0/0/3 secondary-port
GigabitEthernet0/0/4 level 0
ring 1 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
interface GigabitEthernet0/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet0/0/4
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
• UPEE configuration file
#
sysname UPEE
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 3
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port
GigabitEthernet0/0/2 level 0
ring 1 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
• UPEF configuration file
#
sysname UPEF
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 3
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet0/0/1 secondary-port
GigabitEthernet0/0/2 level 0
ring 1 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
• UPEG configuration file
#
sysname UPEG
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 3
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port
GigabitEthernet0/0/2 level 0
ring 1 enable
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
Fault Description
After the RRPP configuration is complete, a loop occurs.
This fault is commonly caused by one of the following:
• RRPP is incorrectly configured.
• The Fail timer values differ among the devices on the ring.
Procedure
Step 1 Check whether nodes are correctly configured on the RRPP ring.
Run the display this command in the RRPP domain view on nodes of the ring to check RRPP
configurations.
Check whether nodes on the RRPP ring are located in the same domain, whether the control
VLAN is mapped to the instance, and whether only one master node exists on the RRPP ring.
• If any of the preceding configurations is incorrect, see 18 RRPP Configuration.
• If the preceding configurations are correct, go to step 2.
Step 2 Check whether the Fail timer values are the same on all nodes of the RRPP ring.
Run the display rrpp verbose domain domain-id command in any view to check detailed
information about the RRPP configuration.
If the Fail timer values differ among nodes of the RRPP ring, see 18 RRPP
Configuration.
----End
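The following Python script is an added example, not part of this guide or of any Huawei tool. It applies the Step 1 and Step 2 checks to configuration files and display rrpp verbose domain output in the formats shown in this chapter. UPEX is a hypothetical misconfigured node, and requiring the sub control VLAN (major + 1) to be mapped as well is an assumption taken from the example configurations.

```python
import re
from collections import defaultdict

# Constructed inputs in the format of the configuration files and display output above.
CONFIG = """sysname {name}
#
stp region-configuration
 instance 1 vlan {inst1}
 active region-configuration
#
rrpp domain 1
 control-vlan 5
 protected-vlan reference-instance 1
 ring 1 node-mode {mode} primary-port GigabitEthernet0/0/1 secondary-port
GigabitEthernet0/0/2 level 0
 ring 1 enable
"""
DISPLAY = """Domain Index : 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : {fail} sec(default is 6 sec)
"""
# name: (node mode, VLANs in instance 1, Fail timer); UPEX is a hypothetical faulty node.
SAMPLES = {"UPEA": ("transit", "5 to 6 100 to 200", 6),
           "UPED": ("master", "5 to 6 100 to 200", 6),
           "UPEX": ("master", "100 to 200", 3)}

def expand_vlans(spec):
    """Expand a list such as '5 to 6 100 to 200' into a set of integers."""
    toks, out, i = spec.split(), set(), 0
    while i < len(toks):
        lo = hi = int(toks[i])
        if i + 2 < len(toks) and toks[i + 1] == "to":
            hi = int(toks[i + 2])
            i += 2
        out.update(range(lo, hi + 1))
        i += 1
    return out

def parse_config(text):
    """Extract sysname, MST instances and RRPP domains from one configuration file."""
    node = {"name": re.search(r"^\s*sysname (\S+)", text, re.M).group(1),
            "instances": {}, "domains": {}}
    for num, vlans in re.findall(r"^\s*instance (\d+) vlan ([\d to]+)$", text, re.M):
        node["instances"][int(num)] = expand_vlans(vlans)
    parts = re.split(r"^[ \t]*rrpp domain (\d+)[ \t]*$", text, flags=re.M)
    for dom_id, body in zip(parts[1::2], parts[2::2]):
        ctrl = re.search(r"control-vlan (\d+)", body)
        prot = re.search(r"protected-vlan reference-instance ([\d to]+)", body)
        node["domains"][int(dom_id)] = {
            "control": int(ctrl.group(1)) if ctrl else None,
            "instances": expand_vlans(prot.group(1)) if prot else set(),
            "rings": {int(r): m for r, m in re.findall(r"ring (\d+) node-mode ([a-z-]+)", body)},
        }
    return node

def parse_fail_timers(name, output, into):
    """Record the Fail timer per domain from display rrpp verbose domain output."""
    pattern = r"Domain Index\s*:\s*(\d+).*?Fail Timer\s*:\s*(\d+) sec"
    for dom_id, secs in re.findall(pattern, output, re.S):
        into[int(dom_id)][name] = int(secs)

def audit_ring(nodes, fail_timers):
    """Run the Step 1 and Step 2 checks over all nodes; return a list of findings."""
    findings = []
    masters, members, controls = defaultdict(list), defaultdict(list), defaultdict(set)
    for node in nodes:
        for dom_id, dom in node["domains"].items():
            ctrl = dom["control"]
            controls[dom_id].add(ctrl)
            mapped = set().union(*(node["instances"].get(i, set()) for i in dom["instances"]))
            # Major and sub control VLAN (major + 1, as in "major 5 sub 6") must be mapped.
            if ctrl is None or not {ctrl, ctrl + 1} <= mapped:
                findings.append(("CONTROL_VLAN_UNMAPPED", dom_id, node["name"]))
            for ring, mode in dom["rings"].items():
                members[(dom_id, ring)].append(node["name"])
                if mode == "master":
                    masters[(dom_id, ring)].append(node["name"])
    for dom_id, vlans in controls.items():
        if len(vlans) > 1:  # nodes of one domain disagree on the control VLAN
            findings.append(("CONTROL_VLAN_MISMATCH", dom_id, sorted(vlans, key=str)))
    for key in members:
        if len(masters[key]) != 1:  # exactly one master node per ring
            findings.append(("MASTER_COUNT", key, sorted(masters[key])))
    for dom_id, timers in fail_timers.items():
        if len(set(timers.values())) > 1:
            findings.append(("FAIL_TIMER_MISMATCH", dom_id, dict(timers)))
    return findings

def audit_samples(names):
    """Build the named sample nodes and audit them as one ring."""
    nodes, timers = [], defaultdict(dict)
    for name in names:
        mode, inst1, fail = SAMPLES[name]
        nodes.append(parse_config(CONFIG.format(name=name, mode=mode, inst1=inst1)))
        parse_fail_timers(name, DISPLAY.format(fail=fail), timers)
    return audit_ring(nodes, timers)

if __name__ == "__main__":
    print(*audit_samples(["UPEA", "UPED", "UPEX"]), sep="\n")
```

The parser matches only the part of each ring command that precedes the line wrap, so it accepts both the wrapped form printed in this guide and the single-line form a device exports.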
This chapter describes how to configure Ethernet Ring Protection Switching (ERPS). ERPS is
a protocol defined by the International Telecommunication Union - Telecommunication
Standardization Sector (ITU-T) to eliminate loops at Layer 2. It implements convergence of
carrier-class reliability standards, and allows all ERPS-capable devices on a ring network to
communicate.
Definition
ERPS is a protocol defined by the International Telecommunication Union -
Telecommunication Standardization Sector (ITU-T) to eliminate loops at Layer 2. Because
the standard number is ITU-T G.8032/Y.1344, ERPS is also called G.8032. ERPS defines
Ring Auto Protection Switching (RAPS) Protocol Data Units (PDUs) and protection
switching mechanisms.
ERPS has two versions: ERPSv1 released by ITU-T in June 2008 and ERPSv2 released in
August 2010. ERPSv2, fully compatible with ERPSv1, provides the following enhanced
functions:
• Multi-ring topologies, such as intersecting rings
• RAPS PDU transmission on virtual channels (VCs) and non-virtual-channels (NVCs) in
sub-rings
• Forced Switch (FS) and Manual Switch (MS)
• Revertive and non-revertive switching
Purpose
Generally, redundant links are used on an Ethernet switching network such as a ring network
to provide link backup and enhance network reliability. The use of redundant links, however,
may produce loops, causing broadcast storms and rendering the MAC address table unstable.
As a result, communication quality deteriorates, and communication services may even be
interrupted. Table 19-1 describes ring network protocols supported by devices.
Ethernet networks demand faster protection switching. STP does not meet the requirement for
fast convergence. RRPP and SEP are Huawei proprietary ring protocols, which cannot be
used for communication between Huawei and non-Huawei devices on a ring network.
ERPS, a standard ITU-T protocol, prevents loops on ring networks. It optimizes detection and
performs fast convergence. ERPS allows all ERPS-capable devices on a ring network to
communicate.
Benefits
• Prevents broadcast storms and implements fast traffic switchover on a network where
there are loops.
• Provides fast convergence and carrier-class reliability.
• Allows all ERPS-capable devices on a ring network to communicate.
ERPS Ring
An ERPS ring consists of interconnected Layer 2 switching devices configured with the same
control VLAN.
An ERPS ring can be a major ring or a sub-ring. By default, an ERPS ring is a major ring.
The major ring is a closed ring, whereas a sub-ring is a non-closed ring. The major ring and
sub-ring are configured using commands. On the network shown in Figure 19-2, SwitchA
through SwitchD constitute a major ring, and SwitchC through SwitchF constitute a sub-ring.
Only ERPSv2 supports sub-rings.
Node
A node refers to a Layer 2 switching device added to an ERPS ring. A maximum of two ports
on each node can be added to the same ERPS ring. SwitchA through SwitchD in Figure 19-2
are nodes in an ERPS major ring.
Port Role
ERPS defines three port roles: RPL owner port, RPL neighbor port (only in ERPSv2), and
common port.
l RPL owner port
An RPL owner port is responsible for blocking traffic over the Ring Protection Link
(RPL) to prevent loops. An ERPS ring has only one RPL owner port.
When the node on which the RPL owner port resides receives an RAPS PDU indicating
a link or node fault in an ERPS ring, the node unblocks the RPL owner port. Then the
RPL owner port can send and receive traffic to ensure nonstop traffic forwarding.
The link where the RPL owner port resides is the RPL.
l RPL neighbor port
An RPL neighbor port is directly connected to an RPL owner port.
Both the RPL owner port and RPL neighbor ports are blocked in normal situations to
prevent loops.
If an ERPS ring fails, both the RPL owner and neighbor ports are unblocked.
The RPL neighbor port helps reduce the number of FDB entry updates on the device
where the RPL neighbor port resides.
l Common port
Common ports are ring ports other than the RPL owner and neighbor ports.
A common port monitors the status of the directly connected ERPS link and sends RAPS
PDUs to notify the other ports of its link status changes.
Port Status
On an ERPS ring, an ERPS-enabled port has two statuses:
l Forwarding: forwards user traffic and sends and receives RAPS PDUs.
l Discarding: only sends and receives RAPS PDUs.
Control VLAN
A control VLAN is configured in an ERPS ring to transmit RAPS PDUs.
Each ERPS ring must be configured with a control VLAN. After a port is added to an ERPS
ring configured with a control VLAN, the port is added to the control VLAN automatically.
Data VLAN
Unlike control VLANs, data VLANs are used to transmit data packets.
ERP Instance
On a Layer 2 device running ERPS, the VLAN in which RAPS PDUs and data packets are
transmitted must be mapped to an Ethernet Ring Protection (ERP) instance so that ERPS
forwards or blocks the packets based on configured rules. If the mapping is not configured,
the preceding packets may cause broadcast storms on the ring network. As a result, the
network becomes unavailable.
Timer
ERPS defines four timers: Guard timer, WTR timer, Holdoff timer, and WTB timer (only in
ERPSv2).
l Guard timer
After a faulty link or node recovers or a clear operation is executed, the device sends
RAPS No Request (NR) messages to inform the other nodes of the link or node recovery
and starts the Guard timer. Before the Guard timer expires, the device does not process
any RAPS (NR) messages to avoid receiving out-of-date RAPS (NR) messages. After
the Guard timer expires, if the device still receives an RAPS (NR) message, the local
port enters the Forwarding state.
l WTR timer
If an RPL owner port is unblocked due to a link or node fault, the involved port may not
go Up immediately after the link or node recovers. Blocking the RPL owner port may
cause network flapping. To prevent this problem, the node where the RPL owner port
resides starts the wait to restore (WTR) timer after receiving an RAPS (NR) message. If
the node receives an RAPS Signal Fail (SF) message before the timer expires, it
terminates the WTR timer. If the node does not receive any RAPS (SF) message before
the timer expires, it blocks the RPL owner port when the timer expires and sends an
RAPS (no request, root blocked) message. After receiving this RAPS (NR, RB)
message, the nodes set their recovered ports on the ring to the Forwarding state.
l Holdoff timer
On Layer 2 networks running ERPS, there may be different requirements for protection
switching. For example, on a network where multi-layer services are provided, after a
server fails, users may require a period of time to rectify the server fault so that clients do
not detect the fault. You can set the Holdoff timer for this purpose. If a fault occurs, it is not
reported to ERPS until the Holdoff timer expires.
l WTB timer
The wait to block (WTB) timer starts when Forced Switch (FS) or Manual Switch (MS)
is performed. Because multiple nodes on an ERPS ring may be in FS or MS state, the
clear operation takes effect only after the WTB timer expires. This prevents the RPL
owner port from being blocked immediately.
The WTB timer value cannot be configured. Its value is the Guard timer value plus 5.
The default WTB timer value is 7s.
l In revertive switching, the RPL owner port is re-blocked after the WTR timer expires,
and the RPL is blocked.
l In non-revertive switching, the WTR timer is not started, and the original faulty link is
still blocked.
ERPS rings use revertive switching by default.
ERPSv1 supports only revertive switching. ERPSv2 supports both revertive and non-revertive
switching.
[Figure: a major ring with a sub-ring with virtual channel and a sub-ring without virtual channel, attached at interconnection nodes]
By default, sub-rings use NVCs to transmit RAPS PDUs, except for the scenario shown in
Figure 19-4.
NOTE
On the network shown in Figure 19-4, links b and d belong to major rings 1 and 2
respectively; links a and c belong to the sub-ring. As links a and c are discontiguous, they
cannot detect the status change between each other, so VCs must be used for RAPS PDU
transmission.
[Figure: a sub-ring with virtual channel between Major Ring1 (link b) and Major Ring2 (link d), attached at interconnection nodes]
Table 19-2 lists the advantages and disadvantages of RAPS PDU transmission modes in sub-
rings with VCs or NVCs.
Table 19-2 Comparison between RAPS PDU transmission modes in a sub-ring with VCs or
NVCs
RAPS PDU Transmission Mode in a Sub-ring | Advantage | Disadvantage
NVC | Does not need to reserve resources or control VLAN assignment from adjacent rings. | Is not applicable to scenarios in which sub-ring links are discontiguous.
ERPS protocol packets are called Ring Auto Protection Switching (RAPS) Protocol Data
Units (PDUs), which are transmitted in ERPS rings to convey ERPS ring information. Figure
19-5 shows the RAPS PDU format.
[Figure 19-5: RAPS PDU format. Octet 37: optional TLV starts here; otherwise End TLV. Last: End TLV (0).]
Field | Length | Description
MEL | 3 bits | Identifies the maintenance entity group (MEG) level of the RAPS PDU.
OpCode | 8 bits | Indicates an RAPS PDU. The value of this field is 0x28.
Flags | 8 bits | Is ignored upon RAPS PDU receiving. The value of this field is 0x00.
TLV Offset | 8 bits | Indicates that the TLV starts after an offset of 32 bytes. The value of this field is 0x20.
R-APS Specific Information | 32 x 8 bits | Is the core field in an RAPS PDU and carries ERPS ring information. There are differences between sub-fields in ERPSv1 and ERPSv2. Figure 19-6 shows the R-APS Specific Information field format in ERPSv1. Figure 19-7 shows the R-APS Specific Information field format in ERPSv2.
[Figures 19-6 and 19-7: R-APS Specific Information field format, including the Node ID]
Field | Length | Description
Request/State | 4 bits | Indicates that this RAPS PDU is a request or state PDU. The value can be:
l 1101: forced switch (FS)
l 1110: Event
l 1011: signal failed (SF)
l 0111: manual switch (MS)
l 0000: no request (NR)
l Others: reserved
Reserved 2 | 24 x 8 bits | Is reserved and ignored upon RAPS PDU receiving. The value is all 0 during RAPS PDU transmission.
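The field values above are enough to decode and sanity-check a RAPS PDU taken from a capture on the control VLAN. The following Python parser is an added example, not code from this guide or from Huawei. The positions of the Version bits, the status byte (RB and DNF bits), the Node ID and the End TLV follow the ITU-T G.8032 layout and are assumptions not spelled out in the table; the names parse_raps and build_sample and the sample values are constructed for illustration.

```python
import struct
from dataclasses import dataclass, field

RAPS_OPCODE = 0x28   # OpCode value given in the field table
TLV_OFFSET = 0x20    # TLVs start after the 32-byte R-APS Specific Information

# Request/State codes from the field table; every other value is reserved.
REQUEST_STATE = {0b1101: "FS", 0b1110: "Event", 0b1011: "SF",
                 0b0111: "MS", 0b0000: "NR"}


@dataclass
class RapsPdu:
    mel: int
    version: int
    request: str
    rb: bool          # RPL Blocked, as in "RAPS (NR, RB)"
    dnf: bool         # Do Not Flush (assumed from G.8032)
    node_id: str
    warnings: list = field(default_factory=list)


def parse_raps(pdu: bytes) -> RapsPdu:
    """Decode one RAPS PDU (the payload that follows the Ethernet header)."""
    if len(pdu) < 37:
        raise ValueError(f"truncated RAPS PDU: {len(pdu)} bytes, need at least 37")
    mel_version, opcode, flags, tlv_offset = struct.unpack_from("!4B", pdu)
    if opcode != RAPS_OPCODE:
        raise ValueError(f"OpCode 0x{opcode:02x} is not RAPS (0x28)")
    if tlv_offset != TLV_OFFSET:
        raise ValueError(f"TLV Offset 0x{tlv_offset:02x}, expected 0x20")
    info = pdu[4:4 + tlv_offset]          # R-APS Specific Information, 32 bytes
    code = info[0] >> 4                   # Request/State is the upper 4 bits
    if code not in REQUEST_STATE:
        raise ValueError(f"reserved Request/State value {code:04b}")
    warnings = []
    if flags != 0x00:
        warnings.append("Flags not 0x00 (ignored on receipt)")
    if any(info[8:]):                     # Reserved 2: the last 24 bytes
        warnings.append("Reserved 2 bytes are not all zero")
    if pdu[4 + tlv_offset] != 0x00:
        warnings.append("no End TLV (0) after R-APS Specific Information")
    return RapsPdu(
        mel=mel_version >> 5,             # MEL is the upper 3 bits of byte 0
        version=mel_version & 0x1F,       # assumed: lower 5 bits carry the version
        request=REQUEST_STATE[code],
        rb=bool(info[1] & 0x80),          # assumed status-byte bit positions
        dnf=bool(info[1] & 0x40),
        node_id=":".join(f"{b:02x}" for b in info[2:8]),
        warnings=warnings,
    )


def build_sample(code, status=0x00, mel=7, version=1,
                 node=bytes.fromhex("00e0fc000001")):
    """Build a constructed sample PDU for the demo (not captured traffic)."""
    header = bytes([(mel << 5) | version, RAPS_OPCODE, 0x00, TLV_OFFSET])
    return header + bytes([code << 4, status]) + node + bytes(24) + b"\x00"


if __name__ == "__main__":
    for label, raw in [("SF", build_sample(0b1011)),
                       ("NR, RB", build_sample(0b0000, status=0x80))]:
        print(label, parse_raps(raw))
```

PDUs that raise ValueError or carry warnings are worth logging when they appear on a control VLAN, since only ring nodes should be sending RAPS PDUs there.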
A Link Fails
As shown in Figure 19-9, if the link between SwitchD and SwitchE fails, the ERPS
protection switching mechanism is triggered. The ports on both ends of the faulty link are
blocked, and the RPL owner port and RPL neighbor port are unblocked to send and receive
traffic. This mechanism ensures nonstop traffic transmission. The process is as follows:
1. After SwitchD and SwitchE detect the link fault, they block their ports on the faulty link
and update Filtering Database (FDB) entries.
2. SwitchD and SwitchE send three consecutive RAPS Signal Fail (SF) messages to the
other LSWs and send one RAPS (SF) message at an interval of 5s afterwards.
3. After receiving an RAPS (SF) message, the other LSWs update their FDB entries.
SwitchC on which the RPL owner port resides and SwitchB on which the RPL neighbor
port resides unblock the respective RPL owner port and RPL neighbor port, and update
FDB entries.
Figure 19-9 ERPS single-ring networking (unblocking the RPL owner port and RPL neighbor
port if a link fails)
l If the ERPS ring uses revertive switching, the RPL owner port is blocked again, and the
link that has recovered is used to forward traffic.
l If the ERPS ring uses non-revertive switching, the RPL remains unblocked, and the link
that has recovered is still blocked.
The following example uses revertive switching to illustrate the process after the link
recovers.
1. After the link between SwitchD and SwitchE recovers, SwitchD and SwitchE start the
Guard timer to avoid receiving out-of-date RAPS PDUs. The two switches do not
receive any RAPS PDUs before the timer expires. At the same time, SwitchD and
SwitchE send RAPS (NR) messages to the other LSWs.
2. After receiving an RAPS (NR) message, SwitchC on which the RPL owner port resides
starts the WTR timer. After the WTR timer expires, SwitchC blocks the RPL owner port
and sends RAPS (NR, RB) messages.
3. After receiving an RAPS (NR, RB) message, SwitchD and SwitchE unblock the ports at
the two ends of the link that has recovered, stop sending RAPS (NR) messages, and
update FDB entries. The other LSWs also update FDB entries after receiving an RAPS
(NR, RB) message.
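The WTR behaviour in the timer description and in the recovery steps above can be traced with a small model of the node that holds the RPL owner port. This Python sketch is an added example, not code from this guide; it is a simplified model of the behaviour described in the text, not the full ITU-T state machine, and the class, function and event names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

FORWARDING, DISCARDING = "Forwarding", "Discarding"

# Constructed event sequence: the link fails, recovers, fails again, recovers.
FLAPPING_LINK = [(0, "SF"), (20, "NR"), (80, "SF"), (100, "NR")]


@dataclass
class RplOwnerNode:
    """Node holding the RPL owner port; all times are in seconds."""
    revertive: bool = True
    wtr_seconds: int = 300                 # default WTR timer: 5 minutes
    rpl_port: str = DISCARDING             # RPL owner port is blocked when idle
    wtr_deadline: Optional[int] = None
    log: list = field(default_factory=list)

    def tick(self, now):
        """Advance the clock; on WTR expiry block the RPL and announce it."""
        if self.wtr_deadline is not None and now >= self.wtr_deadline:
            expired, self.wtr_deadline = self.wtr_deadline, None
            self.rpl_port = DISCARDING
            self.log.append((expired, "RPL owner port blocked; send RAPS (NR, RB)"))

    def receive(self, now, message):
        """Process a RAPS message ('SF' or 'NR') received at time now."""
        self.tick(now)
        if message == "SF":
            # A fault is present on the ring: stop a running WTR, open the RPL.
            if self.wtr_deadline is not None:
                self.wtr_deadline = None
                self.log.append((now, "WTR stopped"))
            if self.rpl_port == DISCARDING:
                self.rpl_port = FORWARDING
                self.log.append((now, "RPL owner port unblocked"))
        elif message == "NR" and self.rpl_port == FORWARDING:
            # Recovery reported: only revertive switching starts the WTR timer.
            if self.revertive and self.wtr_deadline is None:
                self.wtr_deadline = now + self.wtr_seconds
                self.log.append((now, "WTR started"))


def replay(events, revertive=True, until=0):
    """Feed (time, message) pairs to a fresh node, then advance to `until`."""
    node = RplOwnerNode(revertive=revertive)
    for now, message in events:
        node.receive(now, message)
    node.tick(until)
    return node


if __name__ == "__main__":
    for when, what in replay(FLAPPING_LINK, until=400).log:
        print(f"t={when:>3}s  {what}")
```

In the replay, the second failure at t=80 cancels the first WTR run, so the RPL is re-blocked only 300 seconds after the last recovery, which is how the timer keeps a flapping link from toggling the ring.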
Protection Switching
l Forced switch
On the network shown in Figure 19-10, SwitchA through SwitchE in the ERPS ring can
communicate with each other. A forced switch (FS) operation is performed on the
SwitchE's port that connects to SwitchD, and the SwitchE's port is blocked. Then the
RPL owner port and RPL neighbor port are unblocked to send and receive traffic. This
mechanism ensures nonstop traffic transmission. The process is as follows:
a. After the SwitchD's port that connects to SwitchE is forcibly blocked, SwitchE
updates FDB entries.
b. SwitchE sends three consecutive RAPS (SF) messages to the other LSWs and sends
one RAPS (SF) message at an interval of 5s afterwards.
c. After receiving an RAPS (SF) message, the other LSWs update their FDB entries.
SwitchC on which the RPL owner port resides and SwitchB on which the RPL
neighbor port resides unblock the respective RPL owner port and RPL neighbor
port, and update FDB entries.
l Clear
After a clear operation is performed on SwitchE, the port that is forcibly blocked by FS
sends RAPS (NR) messages to all other ports in the ERPS ring.
– If the ERPS ring uses revertive switching, the RPL owner port starts the WTB timer
after receiving an RAPS (NR) message. After the WTB timer expires, the FS
operation is cleared. Then the RPL owner port is blocked, and the blocked port on
SwitchE is unblocked. If you perform a clear operation on SwitchC on which the
RPL owner port resides before the WTB timer expires, the RPL owner port is
immediately blocked, and the blocked port on SwitchE is unblocked.
– If the ERPS ring uses non-revertive switching and you want to block the RPL
owner port, perform a clear operation on SwitchC on which the RPL owner port
resides.
l Manual switch
The MS process in an ERPS ring is similar to the FS process. The difference is that the
MS operation does not take effect when the ERPS ring is not idle or pending.
A Link Fails
As shown in Figure 19-12, if the link between SwitchD and SwitchG fails, the ERPS
protection switching mechanism is triggered. The ports on both ends of the faulty link are
blocked, and the RPL owner port in sub-ring 2 is unblocked to send and receive traffic. In this
situation, traffic from PC1 still travels along the original path. SwitchC and SwitchD inform
the other nodes in the major ring of the topology change so that traffic from PC2 is also not
interrupted. Traffic between PC2 and the upper-layer network travels along the path PC2 ->
SwitchG -> SwitchC -> SwitchB -> SwitchA -> SwitchE -> Router2. The process is as
follows:
1. After SwitchD and SwitchG detect the link fault, they block their ports on the faulty link
and update Filtering Database (FDB) entries.
2. SwitchG sends three consecutive RAPS (SF) messages to the other LSWs and sends one
RAPS (SF) message at an interval of 5s afterwards.
3. SwitchG then unblocks the RPL owner port and updates FDB entries.
4. After the interconnected node SwitchC receives an RAPS (SF) message, it updates FDB
entries. SwitchC and SwitchD then send RAPS Event messages within the major ring to
notify the topology change in sub-ring 2.
5. After receiving an RAPS Event message, the other LSWs in the major ring update FDB
entries.
Then traffic from PC2 is switched to a normal link.
Figure 19-12 ERPS multi-ring networking (unblocking the RPL owner port if a link fails)
To improve link use efficiency, only two logical rings can be configured in the same physical
ring in the ERPS multi-instance. A port may have different roles in different ERPS rings and
different ERPS rings use different control VLANs. A physical ring can have two blocked
ports accordingly. Each blocked port independently monitors the physical ring status and is
blocked or unblocked. An ERPS ring must be configured with an ERP instance, and each
ERP instance specifies a range of VLANs. The topology calculated for a specific ERPS ring
only takes effect in the ERPS ring. Different VLANs can use separate paths, implementing
traffic load balancing and link backup.
As shown in Figure 19-13, you can configure ERPS Ring1 and ERPS Ring2 in the physical
ring consisting of SwitchA through SwitchE. Interface1 is the blocked port in ERPS Ring1.
The VLANs mapped to the ERP instance are VLANs 100 to 200. Interface2 is the blocked
port in ERPS Ring2. The VLANs mapped to the ERP instance are VLANs 300 to 400. After
the configuration is completed, data from VLANs 100 to 200 is forwarded through Data
Flow1, and data from VLANs 300 to 400 is forwarded through Data Flow2. In this manner,
load balancing is implemented and link use efficiency is improved.
Generally, redundant links are used on an Ethernet switching network to provide link backup
and enhance network reliability. The use of redundant links, however, may produce loops,
causing broadcast storms and rendering the MAC address table unstable. As a result,
communication quality deteriorates, and communication services may even be interrupted.
To prevent loops caused by redundant links, enable ERPS on the nodes of the ring network.
ERPS is a Layer 2 loop-breaking protocol defined by the ITU-T, and provides fast
convergence that meets carrier-class reliability standards.
As shown in Figure 19-14, SwitchA through SwitchE constitute a ring. The ring runs ERPS
to provide protection switching for Layer 2 redundant links and prevent loops that cause
broadcast storms and render the MAC address table unstable.
Generally, the RPL owner port is blocked and does not forward service packets, preventing
loops. If a fault occurs on the link between SwitchA and SwitchB, ERPS will unblock the
blocked RPL owner port and traffic from User network1 and User network2 is forwarded
through the path SwitchC -> SwitchD -> SwitchE.
Configure ERPS single-ring networking | You can configure ERPS single-ring networking when there is only one ring in the network topology. | 19.7 Configuring ERPSv1
Licensing Requirements
ERPS configuration commands are available only after the S1720GW, S1720GWR, and
S1720X have the license (WEB management to full management Electronic RTU License)
loaded and activated and the switches are restarted. ERPS configuration commands on other
models are not under license control.
For details about how to apply for a license, see S Series Switch License Use Guide.
Version Requirements
S3700HI V200R001C00
S5710-C-LI V200R001C00
S5730SI V200R011C10
S5730S-EI V200R011C10
NOTE
For details about software mappings, see Hardware Query Tool.
Feature Limitations
l V200R002 and earlier versions support only ERPSv1.
l Before adding a port to an ERPS ring, ensure that port security has been disabled on the
port. Otherwise, loops cannot be eliminated.
l Before adding a port to an ERPS ring, ensure that the Spanning Tree Protocol (STP),
Rapid Ring Protection Protocol (RRPP), Smart Ethernet Protection (SEP), or Smart Link
is not enabled on the port.
l The service loopback function and ERPS cannot be configured on an Eth-Trunk
simultaneously.
l The S6700EI does not support association between an ERPS interface and Ethernet
CFM.
Context
ERPS works for ERPS rings. An ERPS ring consists of interconnected Layer 2 switching
devices configured with the same control VLAN and data VLAN. Before configuring other
ERPS functions, you must configure an ERPS ring.
Procedure
Step 1 Run system-view
The description of the device is configured. The description can contain the ERPS ring ID,
which facilitates device maintenance in an ERPS ring.
By default, the description of an ERPS ring is the ERPS ring name, for example, Ring 1.
----End
Context
In an ERPS ring, the control VLAN is used only to forward RAPS PDUs but not service
packets, so the security of ERPS is improved. All the devices in an ERPS ring must be
configured with the same control VLAN, and different ERPS rings must use different control
VLANs.
Procedure
Step 1 Run system-view
l The control VLAN specified by vlan-id must be a VLAN that has not been created or
used.
l If you run the control-vlan command multiple times, only the latest configuration takes
effect.
l If the ERPS ring contains ports, the control VLAN cannot be changed. To delete the
configured control VLAN, run the undo erps ring command in the interface view or the
undo port command in the ERPS ring view to delete ports from the ERPS ring, and run
the undo control-vlan command to delete the control VLAN.
l After a control VLAN is created, the vlan batch vlan-id1 [ to vlan-id2 ] &<1-10>
command used to create common VLANs is displayed in the configuration file.
l After a port is added to an ERPS ring configured with a control VLAN, the port is added
to the control VLAN.
– If the port is a trunk port, the port trunk allow-pass vlan vlan-id command is
displayed in the record of the port that has been added to the ERPS ring in the
configuration file.
– If the port is a hybrid port, the port hybrid tagged vlan vlan-id command is
displayed in the record of the port that has been added to the ERPS ring in the
configuration file.
----End
Context
On a Layer 2 device running ERPS, the VLAN in which RAPS PDUs and data packets are
transmitted must be mapped to an ERP instance so that ERPS forwards or blocks the packets
based on configured rules. If the mapping is not configured, the preceding packets may cause
broadcast storms on the ring network. As a result, the network becomes unavailable.
Procedure
Step 1 Run system-view
NOTE
l If the stp mode (system view) command is used to set the STP working mode to VLAN-based
Spanning Tree (VBST), the ERP instance specified by the protected-instance command must be the
created static instance.
l If you run the protected-instance command multiple times in the same ERPS ring, multiple ERP
instances are configured.
l If the ERPS ring contains ports, the ERP instance cannot be changed. To delete the configured ERP
instance, run the undo erps ring command in the interface view or the undo port command in the
ERPS ring view to delete ports from the ERPS ring, and run the undo protected-instance command
to delete the ERP instance.
NOTE
– A VLAN cannot be mapped to multiple MSTIs. If you map a VLAN that has already been
mapped to an MSTI to another MSTI, the original mapping will be deleted.
– The vlan-mapping modulo modulo command configures the mapping between MSTIs and
VLANs based on the default algorithm. However, the mapping configured using this command
cannot always meet the actual demand. Therefore, running this command is not recommended.
– To configure the mapping between an ERP instance and a MUX VLAN, you are advised to
configure the principal VLAN, subordinate group VLANs, and subordinate separate VLANs
of the MUX VLAN in the same ERP instance. Otherwise, loops may occur.
3. Run active region-configuration
The mapping between the ERP instance and the VLAN is activated.
----End
Context
After ERPS is configured, add Layer 2 ports to an ERPS ring and configure port roles so that
ERPS can work properly.
You can add a Layer 2 port to an ERPS ring in either of the following ways:
l In the ERPS ring view, add a specified port to the ERPS ring and configure the port role.
l In the interface view, add the current port to the ERPS ring and configure the port role.
NOTE
l A port can be added to at most two ERPS rings, but cannot be added to ERPS rings configured with
the same protected instance.
l An ERPS-enabled port needs to allow packets of control VLANs and data VLANs to pass through,
so the link type of the port must be configured as trunk or hybrid.
l Flush-FDB packets for updating MAC addresses cannot be separately sent, so do not configure a
direct link between two upstream nodes as the RPL.
l Before changing the port role, use the shutdown command to disable the port. When the port role is
changed, use the undo shutdown command to enable the port. This prevents traffic interruptions.
l Before adding an interface to an ERPS ring, disable port security on the interface; otherwise, loops
cannot be prevented.
Prerequisites
l The port is not a Layer 3 port. If the port is a Layer 3 port, run the portswitch command
to switch the port to the Layer 2 mode.
l Spanning Tree Protocol (STP), Rapid Ring Protection Protocol (RRPP), Smart Ethernet
Protection (SEP), or Smart Link is not enabled on the port.
– If the port has STP enabled, run the stp disable command in the interface view to
disable STP.
– If the port has RRPP enabled, run the undo ring ring-id command in the RRPP
domain view to disable RRPP.
– If the port has SEP enabled, run the undo sep segment segment-id command in the
interface view to disable SEP.
– If the port has Smart Link enabled, run the undo port command in the Smart Link
group view to disable Smart Link.
l The control-vlan command has been executed to configure a control VLAN and the
protected-instance command has been executed to configure an ERP instance.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Add a Layer 2 port to an ERPS ring and configure the port role in either of the following
ways.
l In the ERPS ring view, add a specified port to the ERPS ring and configure the port role.
a. Run interface interface-type interface-number
The interface view is displayed.
b. Run stp disable
STP is disabled on the ERPS-enabled port.
c. Run port link-type trunk
The link type of the ERPS-enabled port is configured as trunk.
d. Run port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }
The VLANs allowed by the ERPS-enabled port are specified.
After the control-vlan command is used in the ERPS ring view to configure a
control VLAN and the port interface-type interface-number [ rpl owner ]
command is configured, the ports in the ERPS ring allow packets of the control
VLAN to pass through. Therefore, you need to specify only the IDs of data VLANs
in this step.
e. Run quit
Return to the system view.
f. Run erps ring ring-id
The ERPS ring view is displayed.
g. Run port interface-type interface-number [ rpl owner ]
The port is added to the ERPS ring and its role is configured. If rpl owner is
specified, the port is configured as an RPL owner port. If rpl owner is not
specified, the port is a common port.
l In the interface view, add the current port to the ERPS ring and configure the port role.
a. Run interface interface-type interface-number
The specified interface view is displayed.
b. Run stp disable
STP is disabled on the ERPS-enabled port.
c. Run port link-type trunk
The link type of the ERPS-enabled port is configured as trunk.
d. Run port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }
The VLANs allowed by the ERPS-enabled port are specified.
After the control-vlan command is used in the ERPS ring view to configure a
control VLAN and the port interface-type interface-number [ rpl owner ]
command is configured, the ports in the ERPS ring allow packets of the control
VLAN to pass through. Therefore, you need to specify only the IDs of data VLANs
in this step.
e. Run erps ring ring-id [ rpl owner ]
The current port is added to the ERPS ring and its role is configured. If rpl owner
is specified, the port is configured as an RPL owner port. If rpl owner is not
specified, the port is a common port.
----End
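The notes and prerequisites for adding ports to an ERPS ring can be checked offline against a saved configuration before a change window. This Python audit is an added example, not code from this guide or from Huawei. It assumes that ring membership is stored under the interface as `erps ring ring-id [ rpl owner ]`, that port security appears as the line `port-security enable`, and that a ring port without `stp disable` still runs STP; the sample configuration and the function names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample laid out like a saved switch configuration (not from the guide).
SAMPLE_CONFIG = """\
erps ring 1
 control-vlan 10
 protected-instance 1
#
erps ring 2
 protected-instance 1
#
interface GigabitEthernet0/0/1
 port link-type trunk
 stp disable
 erps ring 1 rpl owner
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port-security enable
 erps ring 1
#
interface GigabitEthernet0/0/3
 port link-type access
 stp disable
 erps ring 1
 erps ring 2
"""


def parse_config(text):
    """Split the configuration into {ring_id: [cmds]} and {interface: [cmds]}."""
    rings, ifaces, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith(" "):
            if current is not None:
                current.append(line)
            continue
        current = None                    # any unindented line closes the view
        if re.fullmatch(r"erps ring \d+", line):
            current = rings.setdefault(int(line.split()[2]), [])
        elif line.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1], [])
    return rings, ifaces


def protected_instances(cmds):
    """Expand 'protected-instance 1 to 3 5' to {1, 2, 3, 5}; 'all' stays symbolic."""
    ids = set()
    for cmd in cmds:
        if cmd == "protected-instance all":
            return {"all"}
        if cmd.startswith("protected-instance "):
            for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", cmd):
                ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def audit(text):
    """Return a sorted list of (subject, finding) for the constraints in the text."""
    rings, ifaces = parse_config(text)
    findings = set()
    members = defaultdict(list)   # ring id -> ring ports on this node
    owners = defaultdict(int)     # ring id -> RPL owner ports on this node
    for name, cmds in ifaces.items():
        joined = []
        for cmd in cmds:
            m = re.fullmatch(r"erps ring (\d+)( rpl owner)?", cmd)
            if m:
                joined.append(int(m.group(1)))
                members[joined[-1]].append(name)
                owners[joined[-1]] += bool(m.group(2))
        if not joined:
            continue                      # not an ERPS ring port
        if not {"port link-type trunk", "port link-type hybrid"} & set(cmds):
            findings.add((name, "link type is not trunk or hybrid"))
        if "stp disable" not in cmds:
            findings.add((name, "STP not disabled"))
        if "port-security enable" in cmds:    # assumed command spelling
            findings.add((name, "port security enabled"))
        if len(joined) > 2:
            findings.add((name, "member of more than two rings"))
        inst = [protected_instances(rings.get(r, [])) for r in joined]
        if any(a & b or (a and b and "all" in a | b)
               for i, a in enumerate(inst) for b in inst[i + 1:]):
            findings.add((name, "rings share a protected instance"))
    for rid in sorted(set(rings) | set(members)):
        cmds = rings.get(rid, [])
        if not any(c.startswith("control-vlan ") for c in cmds):
            findings.add((f"ring {rid}", "no control VLAN"))
        if not protected_instances(cmds):
            findings.add((f"ring {rid}", "no ERP instance"))
        if len(members[rid]) > 2:
            findings.add((f"ring {rid}", "more than two ports on this node"))
        if owners[rid] > 1:
            findings.add((f"ring {rid}", "more than one RPL owner port"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```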
Context
After a link or node failure in an ERPS ring recovers, the device starts timers in the ERPS
ring to reduce traffic interruptions. This prevents network flapping.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run erps ring ring-id
The ERPS ring view is displayed.
Step 3 Configure the WTR timer, Guard timer, and Holdoff timer in the ERPS ring according to
actual networking.
l Run wtr-timer time-value
The WTR timer is set.
By default, the WTR timer is 5 minutes in an ERPS ring.
l Run guard-timer time-value
The Guard timer is set.
By default, the Guard timer is 200 centiseconds in an ERPS ring.
l Run holdoff-timer time-value
The Holdoff timer is set.
By default, the Holdoff timer is 0 deciseconds in an ERPS ring.
----End
Context
On a Layer 2 network running ERPS, if another fault detection protocol (for example, CFM)
is enabled, the MEL field in RAPS PDUs determines whether the RAPS PDUs can be
forwarded. If the MEL value in an ERPS ring is smaller than the MEL value of the fault
detection protocol, the RAPS PDUs have a lower priority and are discarded. If the MEL value
in an ERPS ring is larger than the MEL value of the fault detection protocol, the RAPS PDUs
can be forwarded. In addition, the MEL value can also be used for interworking with other
vendors' devices in an ERPS ring. The same MEL value ensures smooth communication
between devices.
Procedure
Step 1 Run system-view
----End
Context
Association between Ethernet Connectivity Fault Management (CFM) and Ethernet Ring
Protection Switching (ERPS) on a port added to an ERPS ring accelerates fault detection,
implements fast convergence, and shortens traffic interruptions.
Before configuring association between ERPS and Ethernet CFM, configure basic CFM
functions on the port added to the ERPS ring. For details, see Configuring Basic Ethernet
CFM Functions in "CFM Configuration" in the S1720, S2700, S5700, and S6720
V200R011C10 Configuration Guide - Reliability.
Procedure
Step 1 Run system-view
Step 3 Run erps ring ring-id track cfm md md-name ma ma-name mep mep-id remote-mep rmep-id
The association between ERPS and CFM takes effect only when the interface has ERPS
associated with CFM and has an interface-based MEP created using the mep mep-id
command.
----End
Follow-up Procedure
After ERPS is associated with Ethernet CFM, ensure that the maintenance entity group level
(MEL) value of Ring Auto Protection Switching (RAPS) Protocol Data Units (PDUs) in
ERPS rings is larger than the MEL value in CFM protocol packets. Otherwise, Ethernet CFM
cannot allow RAPS PDUs to pass through. The MEL value can be used for interworking with
other vendors' devices in an ERPS ring. The same MEL value ensures smooth communication
between devices.
You can run the raps-mel level-id command in the ERPS ring view to set the MEL value in
RAPS PDUs.
Procedure
l Run the display erps [ ring ring-id ] [ verbose ] command to check the device ports
added to an ERPS ring and ERPS ring configurations.
l Run the display erps interface interface-type interface-number [ ring ring-id ]
command to check physical configurations of the port added to an ERPS ring.
----End
Context
ERPS works for ERPS rings. An ERPS ring consists of interconnected Layer 2 switching
devices configured with the same control VLAN and data VLAN. Before configuring other
ERPS functions, configure an ERPS ring.
Procedure
Step 1 Run system-view
By default, an ERPS ring configured using the erps ring ring-id command is a major ring.
ERPSv2 is specified.
Before specifying ERPSv1 for an ERPSv2-enabled device, delete all ERPS configurations
that ERPSv1 does not support.
Step 4 (Optional) Run sub-ring
The ERPS ring is configured as a sub-ring.
By default, an ERPS ring is a major ring. Major rings are closed, and sub-rings are open. This
step is performed only when an existing ERPS ring needs to be used as a sub-ring.
An ERPS ring that has a port cannot be configured as a sub-ring. Before configuring an ERPS
ring that has a port as a sub-ring, run the undo erps ring command in the interface view or
the undo port command in the ERPS ring view to delete the port from the ERPS ring. Then
run the sub-ring command to configure the ERPS ring as a sub-ring.
Step 5 (Optional) Run virtual-channel { enable | disable }
The RAPS PDU transmission mode is specified in the sub-ring.
By default, sub-rings use non-virtual-channels (NVCs) to transmit RAPS PDUs. The default
transmission mode is recommended. When sub-ring links are noncontiguous, VCs must be
used. This step takes effect only in a sub-ring.
NOTE
If a virtual channel (VC) needs to be used, configure VCs on all nodes of the sub-ring and on the
intersecting point of the sub-ring and major ring.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run erps ring ring-id
The ERPS ring view is displayed.
Step 3 Run control-vlan vlan-id
The control VLAN of the ERPS ring is configured.
l The control VLAN specified by vlan-id must be a VLAN that has not been created or
used.
l If you run the control-vlan command multiple times, only the latest configuration takes
effect.
l If the ERPS ring contains ports, the control VLAN cannot be changed. To delete the
configured control VLAN, run the undo erps ring command in the interface view or the
undo port command in the ERPS ring view to delete ports from the ERPS ring, and run
the undo control-vlan command to delete the control VLAN.
l After a control VLAN is created, the vlan batch vlan-id1 [ to vlan-id2 ] &<1-10>
command used to create common VLANs is displayed in the configuration file.
l After a port is added to an ERPS ring configured with a control VLAN, the port is added
to the control VLAN.
– If the port is a trunk port, the port trunk allow-pass vlan vlan-id command is
displayed in the record of the port that has been added to the ERPS ring in the
configuration file.
– If the port is a hybrid port, the port hybrid tagged vlan vlan-id command is
displayed in the record of the port that has been added to the ERPS ring in the
configuration file.
----End
Context
On a Layer 2 device running ERPS, the VLAN in which RAPS PDUs and data packets are
transmitted must be mapped to an ERP instance so that ERPS forwards or blocks the packets
based on configured rules. If the mapping is not configured, the preceding packets may cause
broadcast storms on the ring network. As a result, the network becomes unavailable.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run erps ring ring-id
The ERPS ring view is displayed.
Step 3 Run protected-instance { all | { instance-id1 [ to instance-id2 ] &<1-10> } }
An ERP instance is created for the ERPS ring.
By default, no ERP instance is configured in an ERPS ring.
NOTE
l If the stp mode (system view) command is used to set the STP working mode to VLAN-based
Spanning Tree (VBST), the ERP instance specified by the protected-instance command must be the
created static instance.
l If you run the protected-instance command multiple times in the same ERPS ring, multiple ERP
instances are configured.
l If the ERPS ring contains ports, the ERP instance cannot be changed. To delete the configured ERP
instance, run the undo erps ring command in the interface view or the undo port command in the
ERPS ring view to delete ports from the ERPS ring, and then run the undo protected-instance
command to delete the ERP instance.
– A VLAN cannot be mapped to multiple MSTIs. If you map a VLAN that has already been
mapped to an MSTI to another MSTI, the original mapping will be deleted.
– The vlan-mapping modulo modulo command configures the mapping between MSTIs and
VLANs based on the default algorithm. However, the mapping configured using this command
cannot always meet the actual demand. Therefore, running this command is not recommended.
– To configure the mapping between an ERP instance and a MUX VLAN, you are advised to
configure the principal VLAN, subordinate group VLANs, and subordinate separate VLANs
of the MUX VLAN in the same ERP instance. Otherwise, loops may occur.
3. Run active region-configuration
The mapping between the ERP instance and the VLAN is activated.
----End
Context
After ERPS is configured, add Layer 2 ports to an ERPS ring and configure port roles so that
ERPS can work properly.
You can add a Layer 2 port to an ERPS ring in either of the following ways:
l In the ERPS ring view, add a specified port to the ERPS ring and configure the port role.
l In the interface view, add the current port to the ERPS ring and configure the port role.
NOTE
Prerequisites
l The port is not a Layer 3 port. If the port is a Layer 3 port, run the portswitch command
to switch the port to the Layer 2 mode.
l Spanning Tree Protocol (STP), Rapid Ring Protection Protocol (RRPP), Smart Ethernet
Protection (SEP), or Smart Link is not enabled on the port.
– If the port has STP enabled, run the stp disable command in the interface view to
disable STP.
– If the port has RRPP enabled, run the undo ring ring-id command in the RRPP
domain view to disable RRPP.
– If the port has SEP enabled, run the undo sep segment segment-id command in the
interface view to disable SEP.
– If the port has Smart Link enabled, run the undo port command in the Smart Link
group view to disable Smart Link.
l The control-vlan command has been executed to configure a control VLAN and the
protected-instance command has been executed to configure an ERP instance.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Add a Layer 2 port to an ERPS ring and configure the port role in either of the following
ways.
l In the ERPS ring view, add a specified port to the ERPS ring and configure the port role.
a. Run interface interface-type interface-number
The interface view is displayed.
b. Run stp disable
STP is disabled on the ERPS-enabled port.
c. Run port link-type trunk
The link type of the ERPS-enabled port is configured as trunk.
d. Run port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }
The VLANs allowed by the ERPS-enabled port are specified.
After the control-vlan command is used in the ERPS ring view to configure a
control VLAN and the port interface-type interface-number [ rpl { owner |
neighbour } ] command is configured, the ports in the ERPS ring allow packets of
the control VLAN to pass through. Therefore, you need to specify only the IDs of
data VLANs in this step.
e. Run quit
The system view is displayed.
f. Run erps ring ring-id
The ERPS ring view is displayed.
g. Run port interface-type interface-number [ rpl { owner | neighbour } ]
The port is added to the ERPS ring and its role is configured.
l In the interface view, add the current port to the ERPS ring and configure the port role.
a. Run interface interface-type interface-number
The specified interface view is displayed.
b. Run stp disable
STP is disabled on the ERPS-enabled port.
c. Run port link-type trunk
The link type of the ERPS-enabled port is configured as trunk.
d. Run port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }
The VLANs allowed by the ERPS-enabled port are specified.
After the control-vlan command is used in the ERPS ring view to configure a
control VLAN and the port interface-type interface-number [ rpl { owner |
neighbour } ] command is configured, the ports in the ERPS ring allow packets of
the control VLAN to pass through. Therefore, you need to specify only the IDs of
data VLANs in this step.
e. Run erps ring ring-id [ rpl { owner | neighbour } ]
The current port is added to the ERPS ring and its role is configured.
----End
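The prerequisites above (STP disabled on ring ports, a control VLAN and an ERP instance configured in the ring, and every ring VLAN mapped to a protected instance) can be checked offline against a saved configuration file. The following Python audit is an added example, not Huawei code; the function names, the sample configuration, and the treatment of instance 0 as holding all otherwise unmapped VLANs are assumptions of this example.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))

# Constructed sample in the layout of this guide's configuration files. Planted
# defects: VLAN 150 missing from instance 1, no "stp disable" on GE0/0/2, no ERP instance in ring 2.
SAMPLE_CONFIG = """\
stp region-configuration
 instance 1 vlan 10 100 to 149 151 to 200
#
erps ring 1
 control-vlan 10
 protected-instance 1
erps ring 2
 control-vlan 20
#
interface GigabitEthernet0/0/1
 port trunk allow-pass vlan 10 100 to 200
 stp disable
 erps ring 1 rpl owner
#
interface GigabitEthernet0/0/2
 port trunk allow-pass vlan 10 100 to 200
 erps ring 1
"""


def parse_ranges(text):
    """Expand '10 20 100 to 200' (or 'all') into a set of IDs."""
    if text.strip() == "all":
        return set(ALL_VLANS)
    ids = set()
    for lo, hi in re.findall(r"(\d+)(?:\s+to\s+(\d+))?", text):
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_config(text):
    """Return (instances, rings, ports); works with or without indentation."""
    inst, rings, ports, ctx = {}, {}, {}, (None, None)
    for line in (raw.strip() for raw in text.splitlines()):
        ring = re.fullmatch(r"erps ring (\d+)(?: rpl (owner|neighbour))?", line)
        if line in ("", "#", "return"):
            ctx = (None, None)                 # "#" closes the current view
        elif ring and ctx[0] == "if":          # ring membership under a port
            ports[ctx[1]]["rings"][int(ring[1])] = ring[2] or "common"
        elif ring:                             # ring definition
            ctx = ("ring", int(ring[1]))
            rings.setdefault(ctx[1], {"control": None, "instances": set()})
        elif line.startswith("interface "):
            ctx = ("if", line.split()[1])
            ports[ctx[1]] = {"allowed": set(), "stp_off": False, "rings": {}}
        elif line == "stp region-configuration":
            ctx = ("mst", None)
        elif ctx[0] == "mst" and (m := re.fullmatch(r"instance (\d+) vlan (.+)", line)):
            inst.setdefault(int(m[1]), set()).update(parse_ranges(m[2]))
        elif ctx[0] == "ring" and (m := re.fullmatch(r"control-vlan (\d+)", line)):
            rings[ctx[1]]["control"] = int(m[1])
        elif ctx[0] == "ring" and (m := re.fullmatch(r"protected-instance (.+)", line)):
            # Repeated protected-instance commands accumulate in one ring.
            rings[ctx[1]]["instances"] |= {"all"} if m[1] == "all" else parse_ranges(m[1])
        elif ctx[0] == "if" and line == "stp disable":
            ports[ctx[1]]["stp_off"] = True
        elif ctx[0] == "if" and (m := re.fullmatch(
                r"port (?:trunk allow-pass|hybrid tagged) vlan (.+)", line)):
            ports[ctx[1]]["allowed"] |= parse_ranges(m[1])
    return inst, rings, ports


def audit(text):
    """Check the ERPS prerequisites from this section; return sorted findings."""
    inst, rings, ports = parse_config(text)
    mapped = set().union(*(v for k, v in inst.items() if k != 0))

    def protected(ring_ids):
        vlans = set()
        for ids in (rings[r]["instances"] for r in ring_ids if r in rings):
            if "all" in ids:
                return set(ALL_VLANS)
            for i in ids:  # assumption: instance 0 holds every unmapped VLAN
                vlans |= (ALL_VLANS - mapped) if i == 0 else inst.get(i, set())
        return vlans

    out = []
    for rid, ring in rings.items():
        if ring["control"] is None:
            out.append(f"ring {rid}: no control-vlan configured")
        if not ring["instances"]:
            out.append(f"ring {rid}: no protected-instance configured")
        elif ring["control"] is not None and ring["control"] not in protected([rid]):
            out.append(f"ring {rid}: control VLAN not mapped to a protected instance")
    for name, port in ports.items():
        stray = port["allowed"] - protected(port["rings"])
        if port["rings"] and not port["stp_off"]:
            out.append(f"{name}: ERPS port without 'stp disable'")
        if port["rings"] and stray:
            out.append(f"{name}: {len(stray)} allowed VLAN(s) outside the "
                       f"protected instances, lowest {min(stray)}")
    return sorted(out)


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Only VLANs listed explicitly in port trunk allow-pass vlan or port hybrid tagged vlan lines are checked; a port's default VLAN is not modelled.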
Context
If an upper-layer Layer 2 network is not notified of the topology change in an ERPS ring, the
MAC address entries remain unchanged on the upper-layer network and therefore user traffic
is interrupted. To ensure nonstop traffic transmission, configure the topology change
notification function and specify the ERPS rings that will be notified of the topology change.
In addition, if an ERPS ring frequently receives topology change notifications, its nodes lose
CPU processing capability and repeatedly update Flush-FDB packets, which consumes much
bandwidth. To resolve this problem, set the topology change protection interval to suppress
the transmission of topology change notifications, and set the maximum number of topology
change notifications that can be processed during the topology change protection interval to
prevent frequent MAC address and ARP entry updates.
Procedure
Step 1 Run system-view
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run erps ring ring-id
The ERPS ring view is displayed.
Step 3 Run revertive { enable | disable }
The protection switching mode is specified.
By default, ERPS rings use revertive switching.
Step 4 Run quit
Return to the system view.
The ERPS ring specified by ring ring-id must be the one to which the port belongs.
To delete the specified port blocking mode, run the clear command in the ERPS ring view.
----End
Context
After a link or node failure in an ERPS ring recovers, the device starts timers in the ERPS
ring to reduce traffic interruptions. This prevents network flapping.
Procedure
Step 1 Run system-view
Step 3 Configure the WTR timer, Guard timer, and Holdoff timer in the ERPS ring according to
actual networking.
l Run wtr-timer time-value
The WTR timer is set.
By default, the WTR timer is 5 minutes in an ERPS ring.
l Run guard-timer time-value
The Guard timer is set.
By default, the Guard timer is 200 centiseconds in an ERPS ring.
l Run holdoff-timer time-value
The Holdoff timer is set.
By default, the Holdoff timer is 0 deciseconds in an ERPS ring.
----End
Context
Association between Ethernet Connectivity Fault Management (CFM) and Ethernet Ring
Protection Switching (ERPS) on a port added to an ERPS ring accelerates fault detection,
implements fast convergence, and shortens traffic interruptions.
Before configuring association between ERPS and Ethernet CFM, configure basic CFM
functions on the port added to the ERPS ring. For details, see Configuring Basic Ethernet
CFM Functions in "CFM Configuration" in the S1720, S2700, S5700, and S6720
V200R011C10 Configuration Guide - Reliability.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run erps ring ring-id track cfm md md-name ma ma-name mep mep-id remote-mep rmep-id
ERPS is associated with Ethernet CFM to quickly detect link failures.
The association between ERPS and CFM takes effect only when the interface has ERPS
associated with CFM and has an interface-based MEP created using the mep mep-id
command.
----End
Follow-up Procedure
After ERPS is associated with Ethernet CFM, ensure that the maintenance entity group level
(MEL) value of Ring Auto Protection Switching (RAPS) Protocol Data Units (PDUs) in
ERPS rings is larger than the MEL value in CFM protocol packets. Otherwise, Ethernet CFM
cannot allow RAPS PDUs to pass through. The MEL value can be used for interworking with
other vendors' devices in an ERPS ring. The same MEL value ensures smooth communication
between devices.
You can run the raps-mel level-id command in the ERPS ring view to set the MEL value in
RAPS PDUs.
By default, the MEL in RAPS PDUs is 7.
Procedure
l Run the display erps [ ring ring-id ] [ verbose ] command to check the device ports
added to an ERPS ring and ERPS ring configurations.
Prerequisites
1. A routing protocol has been run on the PEs on the VPLS network to ensure that they can
communicate.
2. Basic MPLS capabilities have been configured on the VPLS network, and LDP LSPs have
been established.
3. VPLS connections have been established between each two PEs, and each Ethernet sub-
interface or VLANIF interface has been bound to a VSI.
4. Interfaces on CEs and PEs have been added to the ERPS ring.
Context
On the VPLS network shown in Figure 19-15, CEs are dual-homed to PEs. However, PE3
receives two copies of CE1 traffic from both PE1 and PE2. To resolve this problem, enable
ERPS on CE1, CE2, PE1, and PE2 and configure CE2's interface2 as an RPL owner port to
block traffic from CE1. In this way, CE1's traffic reaches PE3 over PE1 without traversing
CE2, thereby preventing any duplicate traffic or loops.
In Figure 19-15, the ERPS ring connects to a VPLS network through Ethernet sub-interfaces
or VLANIF interfaces. To ensure that the VPLS network can promptly detect topology
changes of the ERPS ring, enable topology change notification on the main interface through
which PE1 and PE2 access the ERPS ring.
Figure 19-15 Example for configuring ERPS over VPLS in scenarios where a CE is dual-homed to PEs (through Ethernet sub-interfaces or VLANIF interfaces)
[Figure: VPLS network topology showing CE1, PE1, PE3, the ERPS sub-ring, the PWs, and the RPL owner port; legend: sub-interface, VLANIF interface.]
NOTE
Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this function.
Procedure
Step 1 Run system-view
By default, the interface does not instruct VSI-bound sub-interfaces or VLANIF interfaces to
update MAC address entries promptly after the ERPS ring topology changes.
After topology change notification is enabled on the interface, when the forwarding status of
the interface changes to Discarding, its VSI-bound sub-interfaces or member interfaces of the
VLANIF interface will change to the Discarding state to prevent loops on the VPLS network
on which a CE is dual-homed to PEs.
----End
Context
Before recollecting ERPS statistics, run the reset erps command to clear existing ERPS
statistics.
The cleared ERPS statistics cannot be restored. Exercise caution when you run this command.
Procedure
Step 1 Run the reset erps [ ring ring-id ] statistics command to clear packet statistics in an ERPS
ring.
----End
Networking Requirements
Generally, redundant links are used on an Ethernet switching network to provide link backup
and enhance network reliability. The use of redundant links, however, may produce loops,
causing broadcast storms and rendering the MAC address table unstable. As a result,
communication quality deteriorates, and communication services may even be interrupted.
To prevent loops caused by redundant links, enable ERPS on the nodes of the ring network.
ERPS is a Layer 2 loop-breaking protocol defined by the ITU-T that provides fast
convergence meeting carrier-class reliability standards.
Figure 19-16 shows a network on which a multi-instance ERPS ring is used. SwitchA
through SwitchD constitute a ring network at the aggregation layer to implement service
aggregation at Layer 2 and process Layer 3 services. ERPS is used on the ring network to
provide protection switching for Layer 2 redundant links. ERPS ring 1 and ERPS ring 2 are
configured on SwitchA through SwitchD. P1 on SwitchB is a blocked port in ERPS ring 1,
and P2 on SwitchA is a blocked port in ERPS ring 2, implementing load balancing and link
backup.
[Figure 19-16: network diagram showing Router1, Router2, SwitchA (port P2), SwitchB (port P1), interfaces GE0/0/1 and GE0/0/2, ERPS ring 1 (VLANs 100 to 200), ERPS ring 2 (VLANs 300 to 400), Blocked Port1, Blocked Port2, Data Flow1, and Data Flow2.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the link type of all ports to be added to ERPS rings as trunk.
2. Create ERPS rings and configure control VLANs and Ethernet Ring Protection (ERP)
instances in the ERPS rings.
3. Add Layer 2 ports to ERPS rings and specify port roles.
4. Configure the Guard timers and WTR timers in the ERPS rings.
5. Configure Layer 2 forwarding on SwitchA through SwitchD.
Procedure
Step 1 Configure the link type of all ports to be added to an ERPS ring as trunk.
# Configure SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] quit
# Configure SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] quit
# Configure SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type trunk
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type trunk
[SwitchC-GigabitEthernet0/0/2] quit
# Configure SwitchD.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] interface gigabitethernet 0/0/1
[SwitchD-GigabitEthernet0/0/1] port link-type trunk
[SwitchD-GigabitEthernet0/0/1] quit
[SwitchD] interface gigabitethernet 0/0/2
[SwitchD-GigabitEthernet0/0/2] port link-type trunk
[SwitchD-GigabitEthernet0/0/2] quit
Step 2 Create ERPS ring 1 and ERPS ring 2 and configure ERP instances in the two rings. Set the
control VLAN ID of ERPS ring 1 to 10 and the control VLAN ID of ERPS ring 2 to 20.
Enable ERPS ring 1 to transmit data packets from VLANs 100 to 200 and enable ERPS ring 2
to transmit data packets from VLANs 300 to 400.
# Configure SwitchA.
[SwitchA] erps ring 1
[SwitchA-erps-ring1] control-vlan 10
[SwitchA-erps-ring1] protected-instance 1
[SwitchA-erps-ring1] quit
[SwitchA] stp region-configuration
[SwitchA-mst-region] instance 1 vlan 10 100 to 200
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
[SwitchA] erps ring 2
[SwitchA-erps-ring2] control-vlan 20
[SwitchA-erps-ring2] protected-instance 2
[SwitchA-erps-ring2] quit
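[SwitchA] stp region-configuration
[SwitchA-mst-region] instance 2 vlan 20 300 to 400
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit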
# Configure SwitchB.
[SwitchB] erps ring 1
[SwitchB-erps-ring1] control-vlan 10
[SwitchB-erps-ring1] protected-instance 1
[SwitchB-erps-ring1] quit
[SwitchB] stp region-configuration
[SwitchB-mst-region] instance 1 vlan 10 100 to 200
[SwitchB-mst-region] active region-configuration
[SwitchB-mst-region] quit
[SwitchB] erps ring 2
[SwitchB-erps-ring2] control-vlan 20
[SwitchB-erps-ring2] protected-instance 2
[SwitchB-erps-ring2] quit
[SwitchB] stp region-configuration
[SwitchB-mst-region] instance 2 vlan 20 300 to 400
[SwitchB-mst-region] active region-configuration
[SwitchB-mst-region] quit
# Configure SwitchC.
[SwitchC] erps ring 1
[SwitchC-erps-ring1] control-vlan 10
[SwitchC-erps-ring1] protected-instance 1
[SwitchC-erps-ring1] quit
[SwitchC] stp region-configuration
[SwitchC-mst-region] instance 1 vlan 10 100 to 200
[SwitchC-mst-region] active region-configuration
[SwitchC-mst-region] quit
[SwitchC] erps ring 2
[SwitchC-erps-ring2] control-vlan 20
[SwitchC-erps-ring2] protected-instance 2
[SwitchC-erps-ring2] quit
[SwitchC] stp region-configuration
[SwitchC-mst-region] instance 2 vlan 20 300 to 400
[SwitchC-mst-region] active region-configuration
[SwitchC-mst-region] quit
# Configure SwitchD.
[SwitchD] erps ring 1
[SwitchD-erps-ring1] control-vlan 10
[SwitchD-erps-ring1] protected-instance 1
[SwitchD-erps-ring1] quit
[SwitchD] stp region-configuration
[SwitchD-mst-region] instance 1 vlan 10 100 to 200
[SwitchD-mst-region] active region-configuration
[SwitchD-mst-region] quit
[SwitchD] erps ring 2
[SwitchD-erps-ring2] control-vlan 20
[SwitchD-erps-ring2] protected-instance 2
[SwitchD-erps-ring2] quit
[SwitchD] stp region-configuration
[SwitchD-mst-region] instance 2 vlan 20 300 to 400
[SwitchD-mst-region] active region-configuration
[SwitchD-mst-region] quit
Step 3 Add Layer 2 ports to ERPS rings and specify port roles. Configure GE 0/0/1 on SwitchA and
GE 0/0/2 on SwitchB as their respective RPL owner ports.
# Configure SwitchA.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] stp disable
[SwitchA-GigabitEthernet0/0/1] erps ring 1
[SwitchA-GigabitEthernet0/0/1] erps ring 2 rpl owner
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] stp disable
[SwitchA-GigabitEthernet0/0/2] erps ring 1
[SwitchA-GigabitEthernet0/0/2] erps ring 2
[SwitchA-GigabitEthernet0/0/2] quit
# Configure SwitchB.
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] stp disable
[SwitchB-GigabitEthernet0/0/1] erps ring 1
[SwitchB-GigabitEthernet0/0/1] erps ring 2
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] stp disable
[SwitchB-GigabitEthernet0/0/2] erps ring 1 rpl owner
[SwitchB-GigabitEthernet0/0/2] erps ring 2
[SwitchB-GigabitEthernet0/0/2] quit
# Configure SwitchC.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] stp disable
[SwitchC-GigabitEthernet0/0/1] erps ring 1
[SwitchC-GigabitEthernet0/0/1] erps ring 2
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] stp disable
[SwitchC-GigabitEthernet0/0/2] erps ring 1
[SwitchC-GigabitEthernet0/0/2] erps ring 2
[SwitchC-GigabitEthernet0/0/2] quit
# Configure SwitchD.
[SwitchD] interface gigabitethernet 0/0/1
[SwitchD-GigabitEthernet0/0/1] stp disable
[SwitchD-GigabitEthernet0/0/1] erps ring 1
[SwitchD-GigabitEthernet0/0/1] erps ring 2
[SwitchD-GigabitEthernet0/0/1] quit
[SwitchD] interface gigabitethernet 0/0/2
[SwitchD-GigabitEthernet0/0/2] stp disable
[SwitchD-GigabitEthernet0/0/2] erps ring 1
[SwitchD-GigabitEthernet0/0/2] erps ring 2
[SwitchD-GigabitEthernet0/0/2] quit
Step 4 Configure the Guard timers and WTR timers in the ERPS rings.
# Configure SwitchA.
[SwitchA] erps ring 1
[SwitchA-erps-ring1] wtr-timer 6
[SwitchA-erps-ring1] guard-timer 100
[SwitchA-erps-ring1] quit
[SwitchA] erps ring 2
[SwitchA-erps-ring2] wtr-timer 6
[SwitchA-erps-ring2] guard-timer 100
[SwitchA-erps-ring2] quit
# Configure SwitchB.
[SwitchB] erps ring 1
[SwitchB-erps-ring1] wtr-timer 6
[SwitchB-erps-ring1] guard-timer 100
[SwitchB-erps-ring1] quit
[SwitchB] erps ring 2
[SwitchB-erps-ring2] wtr-timer 6
[SwitchB-erps-ring2] guard-timer 100
[SwitchB-erps-ring2] quit
# Configure SwitchC.
[SwitchC] erps ring 1
[SwitchC-erps-ring1] wtr-timer 6
[SwitchC-erps-ring1] guard-timer 100
[SwitchC-erps-ring1] quit
[SwitchC] erps ring 2
[SwitchC-erps-ring2] wtr-timer 6
[SwitchC-erps-ring2] guard-timer 100
[SwitchC-erps-ring2] quit
# Configure SwitchD.
[SwitchD] erps ring 1
[SwitchD-erps-ring1] wtr-timer 6
[SwitchD-erps-ring1] guard-timer 100
[SwitchD-erps-ring1] quit
[SwitchD] erps ring 2
[SwitchD-erps-ring2] wtr-timer 6
[SwitchD-erps-ring2] guard-timer 100
[SwitchD-erps-ring2] quit
# Configure SwitchB.
[SwitchB] vlan batch 100 to 200 300 to 400
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 200 300 to 400
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 200 300 to 400
[SwitchB-GigabitEthernet0/0/2] quit
# Configure SwitchC.
[SwitchC] vlan batch 100 to 200 300 to 400
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 200 300 to 400
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 200 300 to 400
[SwitchC-GigabitEthernet0/0/2] quit
# Configure SwitchD.
[SwitchD] vlan batch 100 to 200 300 to 400
[SwitchD] interface gigabitethernet 0/0/1
[SwitchD-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 200 300 to 400
[SwitchD-GigabitEthernet0/0/1] quit
[SwitchD] interface gigabitethernet 0/0/2
[SwitchD-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 200 300 to 400
[SwitchD-GigabitEthernet0/0/2] quit
# Run the display erps verbose command to check detailed information about the ERPS ring
and ports added to the ERPS ring. SwitchB is used as an example.
[SwitchB] display erps verbose
Ring ID : 1
Description : Ring 1
Control Vlan : 10
Protected Instance : 1
Service Vlan : 100 to 200
WTR Timer Setting (min) : 6 Running (s) : 0
Guard Timer Setting (csec) : 100 Running (csec) : 0
Holdoff Timer Setting (deciseconds) : 0 Running (deciseconds) : 0
WTB Timer Running (csec) : 0
Ring State : Idle
RAPS_MEL : 7
Revertive Mode : Revertive
R-APS Channel Mode : -
Version : 1
Sub-ring : No
Forced Switch Port : -
Manual Switch Port : -
TC-Notify : -
Time since last topology change : 0 days 0h:35m:5s
--------------------------------------------------------------------------------
Port Port Role Port Status Signal Status
--------------------------------------------------------------------------------
GE0/0/1 Common Forwarding Non-failed
GE0/0/2 RPL Owner Discarding Non-failed
Ring ID : 2
Description : Ring 2
Control Vlan : 20
Protected Instance : 2
Service Vlan : 300 to 400
WTR Timer Setting (min) : 6 Running (s) : 0
Guard Timer Setting (csec) : 100 Running (csec) : 0
Holdoff Timer Setting (deciseconds) : 0 Running (deciseconds) : 0
WTB Timer Running (csec) : 0
Ring State : Idle
RAPS_MEL : 7
Revertive Mode : Revertive
R-APS Channel Mode : -
Version : 1
Sub-ring : No
Forced Switch Port : -
Manual Switch Port : -
TC-Notify : -
Time since last topology change : 0 days 0h:35m:30s
--------------------------------------------------------------------------------
Port Port Role Port Status Signal Status
--------------------------------------------------------------------------------
GE0/0/1 Common Forwarding Non-failed
GE0/0/2 Common Forwarding Non-failed
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20 100 to 200 300 to 400
#
stp region-configuration
instance 1 vlan 10 100 to 200
instance 2 vlan 20 300 to 400
active region-configuration
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
protected-instance 2
wtr-timer 6
guard-timer 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2 rpl owner
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2
#
return
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1 rpl owner
erps ring 2
#
return
l SwitchC configuration file
#
sysname SwitchC
#
vlan batch 10 20 100 to 200 300 to 400
#
stp region-configuration
instance 1 vlan 10 100 to 200
instance 2 vlan 20 300 to 400
active region-configuration
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
protected-instance 2
wtr-timer 6
guard-timer 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2
#
return
l SwitchD configuration file
#
sysname SwitchD
#
vlan batch 10 20 100 to 200 300 to 400
#
stp region-configuration
instance 1 vlan 10 100 to 200
instance 2 vlan 20 300 to 400
active region-configuration
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
protected-instance 2
wtr-timer 6
guard-timer 100
#
interface GigabitEthernet0/0/1
Networking Requirements
Generally, redundant links are used on an Ethernet switching network to provide link backup
and enhance network reliability. The use of redundant links, however, may produce loops,
causing broadcast storms and rendering the MAC address table unstable. As a result,
communication quality deteriorates, and communication services may even be interrupted.
To prevent loops caused by redundant links, enable ERPS on the nodes of the ring network.
ERPS is a Layer 2 loop-breaking protocol defined by the ITU-T that provides fast
convergence meeting carrier-class reliability standards.
As shown in Figure 19-17, intersecting ERPS rings are used. SwitchA, SwitchB, SwitchC,
and SwitchD constitute the major ring, and SwitchA, LSW1, LSW2, LSW3, and SwitchD
constitute a sub-ring.
[Figure 19-17: network diagram of the intersecting ERPS rings showing Router1, Router2, the sub-ring (ring 2), LSW1, LSW2, LSW3, interfaces GE0/0/1 through GE0/0/3, and the RPL owner port.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the link type of all ports to be added to ERPS rings as trunk.
2. Create ERPS rings and configure control VLANs and Ethernet Ring Protection (ERP)
instances in the ERPS rings.
3. Specify the ERPS version and configure a sub-ring.
4. Add Layer 2 ports to ERPS rings and specify port roles.
5. Configure the topology change notification and TC protection.
6. Configure the Guard timers and WTR timers in the ERPS rings.
7. Configure Layer 2 forwarding on SwitchA through SwitchD and LSW1 through LSW3.
Procedure
Step 1 Configure the link type of all ports to be added to ERPS rings as trunk.
# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, LSW1, LSW2, and
LSW3 are similar to the configuration of SwitchA, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] quit
Step 2 Create ERPS ring 1 and ERPS ring 2 and configure ERP instances in the two rings. Set the
control VLAN ID of ERPS ring 1 to 10 and the control VLAN ID of ERPS ring 2 to 20.
Enable ERPS rings 1 and 2 to transmit data packets from VLANs 100 to 200.
# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, LSW1, LSW2, and
LSW3 are similar to the configuration of SwitchA, and are not mentioned here.
[SwitchA] stp region-configuration
[SwitchA-mst-region] instance 1 vlan 10 20 100 to 200
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
[SwitchA] erps ring 1
[SwitchA-erps-ring1] control-vlan 10
[SwitchA-erps-ring1] protected-instance 1
[SwitchA-erps-ring1] quit
[SwitchA] erps ring 2
[SwitchA-erps-ring2] control-vlan 20
[SwitchA-erps-ring2] protected-instance 1
[SwitchA-erps-ring2] quit
Step 4 Add the ports to ERPS rings and specify port roles. Configure GE0/0/1 on SwitchB and
GE0/0/2 on LSW3 as their respective RPL owner ports.
# Configure SwitchA. The configurations of SwitchC, SwitchD, LSW1, and LSW2 are
similar to the configurations of SwitchA, and are not mentioned here.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] stp disable
[SwitchA-GigabitEthernet0/0/1] erps ring 2
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] stp disable
[SwitchA-GigabitEthernet0/0/2] erps ring 1
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
Step 5 Configure the topology change notification function and TC protection on SwitchA and
SwitchD (interconnecting nodes).
# Configure SwitchA.
[SwitchA] erps ring 1
[SwitchA-erps-ring1] tc-protection interval 200
[SwitchA-erps-ring1] tc-protection threshold 60
[SwitchA-erps-ring1] quit
[SwitchA] erps ring 2
[SwitchA-erps-ring2] tc-notify erps ring 1
[SwitchA-erps-ring2] quit
# Configure SwitchD.
[SwitchD] erps ring 1
[SwitchD-erps-ring1] tc-protection interval 200
[SwitchD-erps-ring1] tc-protection threshold 60
[SwitchD-erps-ring1] quit
[SwitchD] erps ring 2
[SwitchD-erps-ring2] tc-notify erps ring 1
[SwitchD-erps-ring2] quit
Step 6 Configure the Guard timers and WTR timers in the ERPS rings.
# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, LSW1, LSW2, and
LSW3 are similar to the configuration of SwitchA, and are not mentioned here.
[SwitchA] erps ring 1
[SwitchA-erps-ring1] wtr-timer 6
[SwitchA-erps-ring1] guard-timer 100
[SwitchA-erps-ring1] quit
[SwitchA] erps ring 2
[SwitchA-erps-ring2] wtr-timer 6
[SwitchA-erps-ring2] guard-timer 100
[SwitchA-erps-ring2] quit
# Run the display erps verbose command to check detailed information about the ERPS ring
and ports added to the ERPS ring.
[SwitchB] display erps verbose
Ring ID : 1
Description : Ring 1
Control Vlan : 10
Protected Instance : 1
Service Vlan : 100 to 200
WTR Timer Setting (min) : 6 Running (s) : 0
Guard Timer Setting (csec) : 100 Running (csec) : 0
Holdoff Timer Setting (deciseconds) : 0 Running (deciseconds) : 0
WTB Timer Running (csec) : 0
Ring State : Idle
RAPS_MEL : 7
Revertive Mode : Revertive
R-APS Channel Mode : -
Version : 2
Sub-ring : No
Forced Switch Port : -
Manual Switch Port : -
TC-Notify : -
Time since last topology change : 0 days 4h:12m:20s
--------------------------------------------------------------------------------
Port Port Role Port Status Signal Status
--------------------------------------------------------------------------------
GE0/0/1 RPL Owner Discarding Non-failed
GE0/0/2 Common Forwarding Non-failed
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20 100 to 200
#
stp region-configuration
instance 1 vlan 10 20 100 to 200
active region-configuration
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
version v2
tc-protection interval 200
tc-protection threshold 60
erps ring 2
control-vlan 20
protected-instance 1
wtr-timer 6
guard-timer 100
version v2
sub-ring
tc-notify erps ring 1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 100 to 200
stp disable
erps ring 2
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 100 to 200
stp disable
erps ring 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 100 to 200
stp disable
erps ring 1
#
return
l SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 100 to 200
#
stp region-configuration
instance 1 vlan 10 100 to 200
active region-configuration
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
version v2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 100 to 200
stp disable
erps ring 1 rpl owner
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 100 to 200
stp disable
erps ring 1
#
return
l SwitchC configuration file
#
sysname SwitchC
#
vlan batch 10 100 to 200
#
stp region-configuration
instance 1 vlan 10 100 to 200
active region-configuration
#
erps ring 1
control-vlan 10
protected-instance 1
wtr-timer 6
guard-timer 100
version v2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 100 to 200
stp disable
erps ring 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 100 to 200
stp disable
erps ring 1
#
return
• LSW1 configuration file
#
sysname LSW1
#
vlan batch 20 100 to 200
#
stp region-configuration
instance 1 vlan 20 100 to 200
active region-configuration
#
erps ring 2
control-vlan 20
protected-instance 1
wtr-timer 6
guard-timer 100
version v2
sub-ring
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 100 to 200
stp disable
erps ring 2
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20 100 to 200
stp disable
erps ring 2
#
return
• LSW2 configuration file
#
sysname LSW2
#
vlan batch 20 100 to 200
#
stp region-configuration
instance 1 vlan 20 100 to 200
active region-configuration
#
erps ring 2
control-vlan 20
protected-instance 1
wtr-timer 6
guard-timer 100
version v2
sub-ring
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 100 to 200
stp disable
erps ring 2
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20 100 to 200
stp disable
erps ring 2
#
return
• LSW3 configuration file
#
sysname LSW3
#
vlan batch 20 100 to 200
#
stp region-configuration
instance 1 vlan 20 100 to 200
active region-configuration
#
erps ring 2
control-vlan 20
protected-instance 1
wtr-timer 6
guard-timer 100
version v2
sub-ring
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 100 to 200
stp disable
erps ring 2
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20 100 to 200
stp disable
erps ring 2 rpl owner
#
return
Networking Requirements
To configure ERPS over VPLS in scenarios where a CE is dual-homed to PEs, enable ERPS
on CE1, CE2, PE1, and PE2 and configure the ERPS sub-ring to access the VPLS network in
NVC mode. When Ethernet sub-interfaces are used to access the VPLS network, the TC
notification function must be enabled so that the VPLS network can update ARP and MAC
address entries promptly after receiving TC packets. On the VPLS network shown in Figure
19-18, CEs are dual-homed to PEs through Ethernet sub-interfaces. However, this networking
causes PE3 to receive two copies of CE1 traffic, one from PE1 and one from PE2. To resolve
this problem, enable ERPS on CE1, CE2, PE1, and PE2 and configure CE2's GE0/0/2 as an RPL
owner port to block traffic from CE1. In this way, CE1's traffic reaches PE3 over PE1 without
traversing CE2, thereby preventing any duplicate traffic or loops.
In Figure 19-18, the ERPS ring connects to a VPLS network through Ethernet sub-interfaces.
Figure 19-18 Configuring ERPS over VPLS in scenarios where a CE is dual-homed to PEs
(through Ethernet sub-interfaces)
[Figure not reproduced. Labels: VPLS network, ERPS sub-ring, CE1, PE1, PE3, PW, RPL owner,
sub-interfaces GE0/0/1.1 and GE0/0/3.1.]
NOTE
This section uses CE dual-homing scenarios as an example. The configurations of ERPS over VPLS in
CE single-homing scenarios are similar to those in CE dual-homing scenarios.
The IP addresses of the interfaces on PE1, PE2, and PE3 are listed in Table 19-8.
Device    Interface    IP Address
PE1       GE0/0/1.1    --
          GE0/0/2      10.1.1.1/24
          Loopback1    1.1.1.1/32
PE2       GE0/0/1.1    --
          GE0/0/2      10.2.1.1/24
          Loopback1    2.2.2.2/32
PE3       GE0/0/1      10.1.1.2/24
          GE0/0/2      10.2.1.2/24
          GE0/0/3.1    --
          Loopback1    3.3.3.3/32
Configuration Roadmap
The configuration roadmap is as follows:
1. Run an IGP protocol on the PEs to ensure that they can communicate on the VPLS
network.
2. Configure basic MPLS capabilities on the VPLS network, and establish LDP LSPs.
3. Establish VPLS connections between every two PEs and bind each Ethernet sub-
interface to a VSI.
4. Configure ERPS, including:
– Enable ERPS on CE1, CE2, PE1, and PE2.
– Configure CE2's GE0/0/2 as an RPL owner port.
Data Preparation
To complete the configuration, you need the following data:
• Data needed for configuring OSPF: IP address of each interface, OSPF process ID, and
  OSPF domain ID
• MPLS LSR ID (as the MPLS peer address)
• VSI name and VSI ID
• Names of the VSI-bound Ethernet sub-interfaces
• ERPS ring ID, control VLAN ID, and RPL owner port number
Procedure
Step 1 Assign an IP address to each interface and configure an IGP on the VPLS network to allow
PEs to communicate. This example uses OSPF as the IGP.
When configuring OSPF, advertise the 32-bit IP addresses of loopback interfaces, which are
used as LSR IDs, on the PEs.
For configuration details, see Configuration Files in this section.
Step 2 Configure basic MPLS capabilities on the MPLS backbone network, and set up LDP LSPs
among the PEs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 0/0/2
[PE1-GigabitEthernet0/0/2] mpls
[PE1-GigabitEthernet0/0/2] mpls ldp
[PE1-GigabitEthernet0/0/2] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.2
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet 0/0/2
[PE2-GigabitEthernet0/0/2] mpls
[PE2-GigabitEthernet0/0/2] mpls ldp
[PE2-GigabitEthernet0/0/2] quit
# Configure PE3.
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
# Configure PE3.
[PE3] mpls l2vpn
[PE3-l2vpn] quit
# Configure PE2.
[PE2] vsi s1 static
[PE2-vsi-s1] pwsignal ldp
[PE2-vsi-s1-ldp] vsi-id 10
[PE2-vsi-s1-ldp] peer 3.3.3.3
[PE2-vsi-s1-ldp] quit
[PE2-vsi-s1] quit
[PE2] interface gigabitethernet 0/0/1.1
[PE2-GigabitEthernet0/0/1.1] shutdown
[PE2-GigabitEthernet0/0/1.1] dot1q termination vid 10
[PE2-GigabitEthernet0/0/1.1] l2 binding vsi s1
[PE2-GigabitEthernet0/0/1.1] undo shutdown
[PE2-GigabitEthernet0/0/1.1] quit
# Configure PE3.
[PE3] vsi s1 static
[PE3-vsi-s1] pwsignal ldp
[PE3-vsi-s1-ldp] vsi-id 10
[PE3-vsi-s1-ldp] peer 1.1.1.1
[PE3-vsi-s1-ldp] peer 2.2.2.2
[PE3-vsi-s1-ldp] quit
[PE3-vsi-s1] quit
[PE3] interface gigabitethernet 0/0/3.1
[PE3-GigabitEthernet0/0/3.1] shutdown
[PE3-GigabitEthernet0/0/3.1] dot1q termination vid 10
[PE3-GigabitEthernet0/0/3.1] l2 binding vsi s1
[PE3-GigabitEthernet0/0/3.1] undo shutdown
[PE3-GigabitEthernet0/0/3.1] quit
# Configure PE2.
[PE2] erps ring 1
[PE2-erps-ring1] control-vlan 100
[PE2-erps-ring1] protected-instance 1
[PE2-erps-ring1] version v2
[PE2-erps-ring1] sub-ring
[PE2-erps-ring1] quit
[PE2] stp region-configuration
[PE2-mst-region] instance 1 vlan 10 100
[PE2-mst-region] active region-configuration
[PE2-mst-region] quit
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] port link-type trunk
[PE2-GigabitEthernet0/0/1] stp disable
[PE2-GigabitEthernet0/0/1] erps ring 1
[PE2-GigabitEthernet0/0/1] erps vpls-subinterface enable
[PE2-GigabitEthernet0/0/1] quit
# Configure CE1.
<Switch> system-view
[Switch] sysname CE1
[CE1] erps ring 1
[CE1-erps-ring1] control-vlan 100
[CE1-erps-ring1] protected-instance 1
[CE1-erps-ring1] version v2
[CE1-erps-ring1] sub-ring
[CE1-erps-ring1] quit
[CE1] stp region-configuration
[CE1-mst-region] instance 1 vlan 10 100
[CE1-mst-region] active region-configuration
[CE1-mst-region] quit
[CE1] interface gigabitethernet 0/0/1
[CE1-GigabitEthernet0/0/1] port link-type trunk
[CE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE1-GigabitEthernet0/0/1] stp disable
[CE1-GigabitEthernet0/0/1] erps ring 1
[CE1-GigabitEthernet0/0/1] quit
[CE1] interface gigabitethernet 0/0/2
# Configure CE2.
<Switch> system-view
[Switch] sysname CE2
[CE2] erps ring 1
[CE2-erps-ring1] control-vlan 100
[CE2-erps-ring1] protected-instance 1
[CE2-erps-ring1] version v2
[CE2-erps-ring1] sub-ring
[CE2-erps-ring1] quit
[CE2] stp region-configuration
[CE2-mst-region] instance 1 vlan 10 100
[CE2-mst-region] active region-configuration
[CE2-mst-region] quit
[CE2] interface gigabitethernet 0/0/1
[CE2-GigabitEthernet0/0/1] port link-type trunk
[CE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE2-GigabitEthernet0/0/1] stp disable
[CE2-GigabitEthernet0/0/1] erps ring 1
[CE2-GigabitEthernet0/0/1] quit
[CE2] interface gigabitethernet 0/0/2
[CE2-GigabitEthernet0/0/2] port link-type trunk
[CE2-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[CE2-GigabitEthernet0/0/2] stp disable
[CE2-GigabitEthernet0/0/2] erps ring 1 rpl owner
[CE2-GigabitEthernet0/0/2] quit
After completing the configuration, run the display vsi name s1 verbose command on PE3.
The command output shows that PE3 has established PWs with PE1 (1.1.1.1) and PE2
(2.2.2.2).
[PE3] display vsi name s1 verbose
***VSI Name : s1
Administrator VSI : no
Isolate Spoken : disable
VSI Index : 2
PW Signaling : ldp
Member Discovery Style : static
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
P2P VSI : disable
Create Time : 0 days, 1 hours, 19 minutes, 38 seconds
VSI State : up
VSI ID : 10
*Peer Router ID : 1.1.1.1
Negotiation-vc-id : 10
primary or secondary : primary
ignore-standby-state : no
VC Label : 32891
Peer Type : dynamic
Session : up
Tunnel ID : 0x0000000001004c4b41
Broadcast Tunnel ID : --
Broad BackupTunnel ID : --
CKey : 2
NKey : 1862271177
Stp Enable : 0
PwIndex : 1
Control Word : disable
BFD for PW : unavailable
*Peer Router ID : 2.2.2.2
Negotiation-vc-id : 10
primary or secondary : primary
ignore-standby-state : no
VC Label : 32892
Peer Type : dynamic
Session : up
Tunnel ID : 0x0000000001004c4b42
Broadcast Tunnel ID : --
Broad BackupTunnel ID : --
CKey : 2
NKey : 1862271178
Stp Enable : 0
PwIndex : 2
Control Word : disable
BFD for PW : unavailable
**PW Information:
The command output also shows that the link between CE1 and CE2 is blocked.
----End
Configuration Files
• PE1 configuration file
#
sysname PE1
#
vlan batch 100
#
stp region-configuration
instance 1 vlan 10 100
active region-configuration
#
erps ring 1
control-vlan 100
protected-instance 1
version v2
sub-ring
#
mpls lsr-id 1.1.1.1
#
mpls
#
mpls l2vpn
#
vsi s1 static
pwsignal ldp
vsi-id 10
peer 3.3.3.3
#
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
stp disable
erps ring 1
erps vpls-subinterface enable
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 10
l2 binding vsi s1
#
interface GigabitEthernet0/0/2
undo portswitch
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
• PE2 configuration file
#
sysname PE2
#
vlan batch 100
#
stp region-configuration
instance 1 vlan 10 100
active region-configuration
#
erps ring 1
control-vlan 100
protected-instance 1
version v2
sub-ring
#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls l2vpn
#
vsi s1 static
pwsignal ldp
vsi-id 10
peer 3.3.3.3
#
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
stp disable
erps ring 1
erps vpls-subinterface enable
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 10
l2 binding vsi s1
#
interface GigabitEthernet0/0/2
undo portswitch
ip address 10.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.2.1.0 0.0.0.255
#
return
• PE3 configuration file
#
sysname PE3
#
mpls lsr-id 3.3.3.3
#
mpls
#
mpls l2vpn
#
vsi s1 static
pwsignal ldp
vsi-id 10
peer 1.1.1.1
peer 2.2.2.2
#
mpls ldp
#
interface GigabitEthernet0/0/1
undo portswitch
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/2
undo portswitch
ip address 10.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/3.1
dot1q termination vid 10
l2 binding vsi s1
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return
• CE1 configuration file
#
sysname CE1
#
vlan batch 10 100
#
stp region-configuration
instance 1 vlan 10 100
active region-configuration
#
erps ring 1
control-vlan 100
protected-instance 1
version v2
sub-ring
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
erps ring 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
erps ring 1
#
return
• CE2 configuration file
#
sysname CE2
#
vlan batch 10 100
#
stp region-configuration
instance 1 vlan 10 100
active region-configuration
#
erps ring 1
control-vlan 100
protected-instance 1
version v2
sub-ring
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
erps ring 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
erps ring 1 rpl owner
#
return
Networking Requirements
To configure ERPS over VPLS in scenarios where a CE is dual-homed to PEs, enable ERPS
on CE1, CE2, PE1, and PE2 and configure the ERPS sub-ring to access the VPLS network in
NVC mode. When VLANIF interfaces are used to access the VPLS network, the TC
notification function must be enabled so that the VPLS network can update ARP and MAC
address entries promptly after receiving TC packets. On the VPLS network shown in Figure
19-19, CEs are dual-homed to PEs. However, this networking causes PE3 to receive two
copies of CE1 traffic, one from PE1 and one from PE2. To resolve this problem, enable ERPS
on CE1, CE2, PE1, and PE2 and configure CE2's GE0/0/2 as an RPL owner port to block traffic
from CE1. In this way, CE1's traffic reaches PE3 over PE1 without traversing CE2, thereby
preventing any duplicate traffic or loops.
In Figure 19-19, the ERPS ring connects to a VPLS network through VLANIF interfaces.
Figure 19-19 Configuring ERPS over VPLS in scenarios where CE1 is dual-homed to PE1
and PE2 through VLANIF interfaces
[Figure not reproduced. Labels: VPLS network, ERPS sub-ring, CE1, PE1, PE3, PW, RPL owner,
VLANIF10.]
NOTE
This section uses CE dual-homing scenarios as an example. The configurations of ERPS over VPLS in
CE single-homing scenarios are similar to those in CE dual-homing scenarios.
The IP addresses of the interfaces on PE1, PE2, and PE3 are listed in Table 19-9.
Device    Interface    IP Address
PE1       GE0/0/1      --
          GE0/0/2      10.1.1.1/24
          Loopback1    1.1.1.1/32
PE2       GE0/0/1      --
          GE0/0/2      10.2.1.1/24
          Loopback1    2.2.2.2/32
PE3       GE0/0/1      10.1.1.2/24
          GE0/0/2      10.2.1.2/24
          GE0/0/3      --
          Loopback1    3.3.3.3/32
Configuration Roadmap
The configuration roadmap is as follows:
1. Run an IGP protocol on the PEs to ensure that they can communicate on the VPLS
network.
2. Configure basic MPLS capabilities on the VPLS network, and establish LDP LSPs.
3. Establish VPLS connections between each two PEs and bind each VLANIF interface to
a VSI.
4. Configure ERPS, including:
– Enable ERPS on CE1, CE2, PE1, and PE2.
– Configure CE2's GE0/0/2 as an RPL owner port.
Data Preparation
To complete the configuration, you need the following data:
• Data needed for configuring OSPF: IP address of each interface, OSPF process ID, and
  OSPF domain ID
• MPLS LSR ID (as the MPLS peer address)
• VSI name and VSI ID
• VSI-bound VLANIF interfaces
• ERPS ring ID, control VLAN ID, and RPL owner port number
Procedure
Step 1 Assign an IP address to each interface and configure an IGP on the VPLS network to allow
PEs to communicate. This example uses OSPF as the IGP.
When configuring OSPF, advertise the 32-bit IP addresses of loopback interfaces, which are
used as LSR IDs, on the PEs.
For configuration details, see Configuration Files in this section.
Step 2 Configure basic MPLS capabilities on the MPLS backbone network, and set up LDP LSPs
among the PEs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 0/0/2
[PE1-GigabitEthernet0/0/2] mpls
[PE1-GigabitEthernet0/0/2] mpls ldp
[PE1-GigabitEthernet0/0/2] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.2
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet 0/0/2
[PE2-GigabitEthernet0/0/2] mpls
[PE2-GigabitEthernet0/0/2] mpls ldp
[PE2-GigabitEthernet0/0/2] quit
# Configure PE3.
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
# Configure PE3.
[PE3] mpls l2vpn
[PE3-l2vpn] quit
# Configure PE2.
[PE2] vsi s1 static
[PE2-vsi-s1] pwsignal ldp
[PE2-vsi-s1-ldp] vsi-id 10
[PE2-vsi-s1-ldp] peer 3.3.3.3
[PE2-vsi-s1-ldp] quit
[PE2-vsi-s1] quit
[PE2] vlan 10
[PE2-vlan10] quit
[PE2] interface vlanif10
[PE2-Vlanif10] l2 binding vsi s1
[PE2-Vlanif10] quit
# Configure PE3.
[PE3] vsi s1 static
[PE3-vsi-s1] pwsignal ldp
[PE3-vsi-s1-ldp] vsi-id 10
[PE3-vsi-s1-ldp] peer 1.1.1.1
[PE3-vsi-s1-ldp] peer 2.2.2.2
[PE3-vsi-s1-ldp] quit
[PE3-vsi-s1] quit
[PE3] vlan 10
[PE3-vlan10] quit
[PE3] interface gigabitethernet 0/0/3
[PE3-GigabitEthernet0/0/3] port link-type trunk
[PE3-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[PE3-GigabitEthernet0/0/3] quit
[PE3] interface vlanif10
[PE3-Vlanif10] l2 binding vsi s1
[PE3-Vlanif10] quit
# Configure PE2.
[PE2] erps ring 1
[PE2-erps-ring1] control-vlan 100
[PE2-erps-ring1] protected-instance 1
[PE2-erps-ring1] version v2
[PE2-erps-ring1] sub-ring
[PE2-erps-ring1] quit
[PE2] stp region-configuration
[PE2-mst-region] instance 1 vlan 10 100
[PE2-mst-region] active region-configuration
[PE2-mst-region] quit
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] port link-type trunk
[PE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[PE2-GigabitEthernet0/0/1] stp disable
[PE2-GigabitEthernet0/0/1] erps ring 1
[PE2-GigabitEthernet0/0/1] erps vpls-subinterface enable
[PE2-GigabitEthernet0/0/1] quit
# Configure CE1.
<Switch> system-view
[Switch] sysname CE1
[CE1] erps ring 1
[CE1-erps-ring1] control-vlan 100
[CE1-erps-ring1] protected-instance 1
[CE1-erps-ring1] version v2
[CE1-erps-ring1] sub-ring
[CE1-erps-ring1] quit
[CE1] stp region-configuration
[CE1-mst-region] instance 1 vlan 10 100
[CE1-mst-region] active region-configuration
[CE1-mst-region] quit
[CE1] interface gigabitethernet 0/0/1
[CE1-GigabitEthernet0/0/1] port link-type trunk
[CE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE1-GigabitEthernet0/0/1] stp disable
# Configure CE2.
<Switch> system-view
[Switch] sysname CE2
[CE2] erps ring 1
[CE2-erps-ring1] control-vlan 100
[CE2-erps-ring1] protected-instance 1
[CE2-erps-ring1] version v2
[CE2-erps-ring1] sub-ring
[CE2-erps-ring1] quit
[CE2] stp region-configuration
[CE2-mst-region] instance 1 vlan 10 100
[CE2-mst-region] active region-configuration
[CE2-mst-region] quit
[CE2] interface gigabitethernet 0/0/1
[CE2-GigabitEthernet0/0/1] port link-type trunk
[CE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE2-GigabitEthernet0/0/1] stp disable
[CE2-GigabitEthernet0/0/1] erps ring 1
[CE2-GigabitEthernet0/0/1] quit
[CE2] interface gigabitethernet 0/0/2
[CE2-GigabitEthernet0/0/2] port link-type trunk
[CE2-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[CE2-GigabitEthernet0/0/2] stp disable
[CE2-GigabitEthernet0/0/2] erps ring 1 rpl owner
[CE2-GigabitEthernet0/0/2] quit
After completing the configuration, run the display vsi name s1 verbose command on PE3.
The command output shows that PE3 has established PWs with PE1 (1.1.1.1) and PE2
(2.2.2.2).
[PE3] display vsi name s1 verbose
***VSI Name : s1
Administrator VSI : no
Isolate Spoken : disable
VSI Index : 2
PW Signaling : ldp
Member Discovery Style : static
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
P2P VSI : disable
Create Time : 0 days, 1 hours, 19 minutes, 38 seconds
VSI State : up
VSI ID : 10
*Peer Router ID : 1.1.1.1
Negotiation-vc-id : 10
primary or secondary : primary
ignore-standby-state : no
VC Label : 32891
Peer Type : dynamic
Session : up
Tunnel ID : 0x0000000001004c4b41
Broadcast Tunnel ID : --
Broad BackupTunnel ID : --
CKey : 2
NKey : 1862271177
Stp Enable : 0
PwIndex : 1
Control Word : disable
BFD for PW : unavailable
*Peer Router ID : 2.2.2.2
Negotiation-vc-id : 10
primary or secondary : primary
ignore-standby-state : no
VC Label : 32892
Peer Type : dynamic
Session : up
Tunnel ID : 0x0000000001004c4b42
Broadcast Tunnel ID : --
Broad BackupTunnel ID : --
CKey : 2
NKey : 1862271178
Stp Enable : 0
PwIndex : 2
Control Word : disable
BFD for PW : unavailable
**PW Information:
The command output also shows that the link between CE1 and CE2 is blocked.
[CE2] display erps
D : Discarding
F : Forwarding
R : RPL Owner
N : RPL Neighbour
FS : Forced Switch
MS : Manual Switch
Total number of rings configured = 1
Ring   Control   WTR Timer   Guard Timer   Port 1         Port 2
ID     VLAN      (min)       (csec)
--------------------------------------------------------------------------------
1      100       5           200           (F)GE0/0/1     (D,R)GE0/0/2
--------------------------------------------------------------------------------
----End
Configuration Files
• PE1 configuration file
#
sysname PE1
#
vlan batch 10 100
#
stp region-configuration
instance 1 vlan 10 100
active region-configuration
#
erps ring 1
control-vlan 100
protected-instance 1
version v2
sub-ring
#
mpls lsr-id 1.1.1.1
#
mpls
#
mpls l2vpn
#
vsi s1 static
pwsignal ldp
vsi-id 10
peer 3.3.3.3
#
mpls ldp
#
interface Vlanif10
l2 binding vsi s1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
erps ring 1
erps vpls-subinterface enable
#
interface GigabitEthernet0/0/2
undo portswitch
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
• PE2 configuration file
#
sysname PE2
#
vlan batch 10 100
#
stp region-configuration
instance 1 vlan 10 100
active region-configuration
#
erps ring 1
control-vlan 100
protected-instance 1
version v2
sub-ring
#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls l2vpn
#
vsi s1 static
pwsignal ldp
vsi-id 10
peer 3.3.3.3
#
mpls ldp
#
interface Vlanif10
l2 binding vsi s1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
erps ring 1
erps vpls-subinterface enable
#
interface GigabitEthernet0/0/2
undo portswitch
ip address 10.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.2.1.0 0.0.0.255
#
return
• PE3 configuration file
#
sysname PE3
#
vlan batch 10
#
mpls lsr-id 3.3.3.3
#
mpls
#
mpls l2vpn
#
vsi s1 static
pwsignal ldp
vsi-id 10
peer 1.1.1.1
peer 2.2.2.2
#
mpls ldp
#
interface Vlanif10
l2 binding vsi s1
suppression enable percent
broadcast-suppression percent 1
multicast-suppression percent 1
unknown-unicast-suppression percent 1
#
interface GigabitEthernet0/0/1
undo portswitch
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/2
undo portswitch
ip address 10.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return
• CE1 configuration file
#
sysname CE1
#
vlan batch 10 100
#
stp region-configuration
instance 1 vlan 10 100
active region-configuration
#
erps ring 1
control-vlan 100
protected-instance 1
version v2
sub-ring
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
erps ring 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
erps ring 1
#
return
Fault Description
After ERPS is configured, user traffic cannot be properly forwarded due to abnormal ERPS
ring status.
Procedure
Step 1 Check the port roles in the ERPS ring and status of each device in the ring.
In an ERPS ring, there should be only one RPL owner port. Other ports are common ports or
RPL neighbor ports.
Run the display erps [ ring ring-id ] verbose command in any view to check whether the
value of Ring State is Idle. (Perform this operation on each device in the ERPS ring.)
If the ERPS ring is incomplete or its status is abnormal, perform the following operations:
1. Verify that all nodes in the ERPS ring are added to the ERPS ring.
2. Check whether the ERPS ring configuration, including the ERPS version number and the
major ring/sub-ring setting, is the same on all devices in the ERPS ring.
3. Verify that port roles, control VLANs, and protected instances are correctly configured
on all nodes in the ERPS ring.
4. Verify that ports can allow packets of the specified VLANs to pass.
----End
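The four checks in this procedure can also be run offline against saved configuration files. The following Python is an added example, not part of the original guide or any Huawei tool. The sample configurations are constructed in the layout of the configuration files on this page, and reading step 4 as "each ring port allows the ring's control VLAN" is an assumption.

```python
import re

RING_CMD = re.compile(r"erps ring (\d+)(?: rpl (owner|neighbou?r))?")

def expand_vlans(tokens):
    """Expand a VLAN list such as ['10', '100', 'to', '200'] into a set of IDs."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans

def parse_config(text):
    """Extract ERPS ring settings and ring ports from one device configuration."""
    dev = {"sysname": None, "rings": {}, "ports": {}}
    ring = port = None                        # configuration view we are inside
    for raw in text.splitlines():
        line = raw.strip()
        words = line.split()
        if line in ("", "#", "return"):       # '#' closes the current view
            ring = port = None
        elif words[0] == "sysname":
            dev["sysname"] = words[1]
        elif words[0] == "interface":
            ring = None
            port = dev["ports"].setdefault(
                words[1], {"ring": None, "role": "common", "vlans": set()})
        elif RING_CMD.fullmatch(line):
            ring_id, role = RING_CMD.fullmatch(line).groups()
            if port is not None:              # interface view: ring membership
                port["ring"], port["role"] = int(ring_id), role or "common"
            else:                             # system view: ring definition starts
                ring = dev["rings"].setdefault(int(ring_id), {
                    "control_vlan": None, "instance": None,
                    "version": None, "sub_ring": False})
        elif port is not None and words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            port["vlans"] |= expand_vlans(words[4:])
        elif ring is not None and words[0] == "control-vlan":
            ring["control_vlan"] = int(words[1])
        elif ring is not None and words[0] == "protected-instance":
            ring["instance"] = " ".join(words[1:])
        elif ring is not None and words[0] == "version":
            ring["version"] = words[1]
        elif ring is not None and words[0] == "sub-ring":
            ring["sub_ring"] = True
    return dev

def audit(configs):
    """Run the four troubleshooting checks over a ring; return the findings."""
    devices = [parse_config(c) for c in configs]
    findings = []
    for rid in sorted({r for d in devices for r in d["rings"]}):
        members = [d for d in devices if rid in d["rings"]]
        ring_ports = [(d, name, p) for d in members
                      for name, p in d["ports"].items() if p["ring"] == rid]
        for d in members:                     # 1. every node has a port in the ring
            if not any(owner is d for owner, _, _ in ring_ports):
                findings.append(f"ring {rid}: {d['sysname']} has no port in the ring")
        for key in ("version", "sub_ring", "control_vlan", "instance"):
            seen = {d["sysname"]: d["rings"][rid][key] for d in members}
            if len(set(seen.values())) > 1:   # 2./3. settings identical on all nodes
                findings.append(f"ring {rid}: {key} differs across nodes: {seen}")
        owners = [p for _, _, p in ring_ports if p["role"] == "owner"]
        if len(owners) != 1:                  # 3. exactly one RPL owner port
            findings.append(f"ring {rid}: expected 1 RPL owner port, found {len(owners)}")
        for d, name, p in ring_ports:         # 4. ring ports carry the control VLAN
            vlan = d["rings"][rid]["control_vlan"]
            if vlan not in p["vlans"]:
                findings.append(f"ring {rid}: {d['sysname']} {name} does not allow VLAN {vlan}")
    return findings

def node(name, ports, control_vlan=100, allow="10 100"):
    """Constructed sample text, laid out like the configuration files on this page."""
    text = (f"#\nsysname {name}\n#\nerps ring 1\ncontrol-vlan {control_vlan}\n"
            "protected-instance 1\nversion v2\nsub-ring\n")
    for ifname, role in ports.items():
        text += (f"#\ninterface {ifname}\nport link-type trunk\n"
                 f"port trunk allow-pass vlan {allow}\nstp disable\nerps ring 1{role}\n")
    return text + "#\nreturn\n"

GE1, GE2 = "GigabitEthernet0/0/1", "GigabitEthernet0/0/2"
GOOD = [node("CE1", {GE1: "", GE2: ""}), node("CE2", {GE1: "", GE2: " rpl owner"}),
        node("PE1", {GE1: ""}, allow="100"), node("PE2", {GE1: ""}, allow="100")]
# Constructed faults: CE2 has lost its RPL owner role, and PE2 uses control VLAN 20
# without allowing it on its ring port.
BAD = [GOOD[0], node("CE2", {GE1: "", GE2: ""}), GOOD[2],
       node("PE2", {GE1: ""}, control_vlan=20, allow="100")]

if __name__ == "__main__":
    for finding in audit(BAD):
        print(finding)
```

A clean ring returns an empty list; each finding names the ring and the node to inspect with display erps [ ring ring-id ] verbose.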
20 LBDT Configuration
This chapter describes how to configure the loopback detection (LBDT) function, which allows
the device to detect loopbacks on an interface, loops on the downstream network or device,
and loops between two device interfaces. When detecting a loop, the device notifies users in a
timely manner and takes a preconfigured action on the problematic interface to minimize the
impact of the loop on the device and network.
device interfaces. After a loop is detected, the device sends a trap to the NMS and records a
log, and takes a preconfigured action on the looped interface (the interface is shut down by
default) to minimize impact of the loop on the device and entire network.
NOTE
LBDT can only detect loops on a single node, but cannot eliminate loops in the same manner as ring
network technologies including ERPS, RRPP, SEP, Smart Link, STP, RSTP, MSTP, and VBST.
Detection Packet
LBDT periodically sends detection packets on an interface to check whether the packets
return to the local device to determine whether loops occur on the interface, on the
downstream network or device, or between two device interfaces. The following conditions
must be met:
• Detection packets sent from an interface are sent back to the local device when a loop
  occurs on the interface or on the network connected to the interface.
• The system can identify detection packets sent from the local device and the interface
  that sent them.
Detection packets sent from a device carry the device's MAC address and outbound interface
number. The device can identify the packets sent by itself as well as the source interface. The
packets also carry the broadcast or multicast destination MAC address to ensure that the
packets can be sent back to the local device when a loop occurs on the interface or network
connected to the interface. Figure 20-1 shows the format of LBDT packets.
Item          Description
DMAC          The destination MAC address of a tagged packet is all Fs; the destination
              MAC address of an untagged packet is a BPDU MAC address, broadcast
              MAC address (all Fs), or multicast MAC address.
              The broadcast destination MAC address, multicast destination MAC
              address, or BPDU MAC address ensures that the detection packet can be
              sent back to the local device when a loop occurs on the interface or
              network connected to the interface.
SMAC          Source MAC address. The value is the system MAC address of the
              device, which identifies packets sent from the local device.
802.1Q Tag    Tag Protocol Identifier (TPID). The value of the TPID is 0x8100,
              representing the 802.1Q tagged frame.
LDT-Type      Detection packet type, including the protocol number and subprotocol
              number.
              The protocol number and subprotocol number are 0x9998 and 0x0001
              respectively, indicating LBDT packets.
PortInfo      Information about the interface that sends detection packets, which is
              used by the device to determine whether packets are sent from the
              interface.
LBDT sends both tagged and untagged detection packets, so it can detect loops based on
interfaces and VLANs.
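The way SMAC and PortInfo let a device recognise its own detection packets, and tell which interface sent them, can be shown with a short Python example. It is added here and is not Huawei code. The field values (0x8100, 0x9998, 0x0001) come from the table above; the field widths after SMAC, the 4-byte PortInfo interface index, the use of the broadcast DMAC for untagged probes, and the MAC addresses are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100
LBDT_PROTO, LBDT_SUBPROTO = 0x9998, 0x0001    # LDT-Type values from the table
BROADCAST = b"\xff" * 6                       # all-Fs DMAC so a loop returns the frame

def build_probe(system_mac, port_index, vlan=None):
    """Build a detection frame; layout after SMAC is assumed, not from the guide."""
    frame = BROADCAST + system_mac
    if vlan is not None:                      # tagged probe for VLAN-based detection
        frame += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return frame + struct.pack("!HHI", LBDT_PROTO, LBDT_SUBPROTO, port_index)

def parse_probe(frame):
    """Return (smac, vlan, port_index) for an LBDT frame, or None for anything else."""
    if len(frame) < 14:
        return None
    smac, offset, vlan = frame[6:12], 12, None
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    if ethertype == TPID_8021Q:               # skip the 802.1Q tag, remember the VLAN
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, offset = tci & 0x0FFF, 16
    if ethertype != LBDT_PROTO or len(frame) < offset + 8:
        return None
    _, subproto, port_index = struct.unpack_from("!HHI", frame, offset)
    if subproto != LBDT_SUBPROTO:
        return None
    return smac, vlan, port_index

def classify(frame, system_mac, rx_port):
    """Decide what a received frame says about loops, as seen by the local device."""
    probe = parse_probe(frame)
    if probe is None:
        return ("ignore", None)               # not a detection packet
    smac, vlan, tx_port = probe
    if smac != system_mac:
        return ("foreign-probe", vlan)        # sent by another device, not our loop
    if tx_port == rx_port:
        return ("loop-on-interface", vlan)    # loopback or loop behind this interface
    return ("loop-between-interfaces", vlan)  # came back on a different local interface

# Constructed sample values.
LOCAL_MAC = bytes.fromhex("00e0fc000001")
OTHER_MAC = bytes.fromhex("00e0fc000002")

if __name__ == "__main__":
    print(classify(build_probe(LOCAL_MAC, 1), LOCAL_MAC, 1))
    print(classify(build_probe(LOCAL_MAC, 1, vlan=10), LOCAL_MAC, 2))
    print(classify(build_probe(OTHER_MAC, 1), LOCAL_MAC, 1))
```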
• Trap
  – The device only sends a trap to the NMS and records a log.
  – Select this action when only traps need to be reported without affecting traffic
    forwarding on the interface.
  – This action cannot suppress broadcast storms.
• Block
  – The device sends a trap to the NMS, blocks the interface, and allows only BPDUs to
    pass through.
  – Select this action when the interface needs to be disabled from forwarding data
    packets and needs to forward BPDUs such as Link Layer Discovery Protocol Data Units
    (LLDPDUs).
  – This action can suppress broadcast storms.
• Shutdown
  – The device sends a trap to the NMS and shuts down the interface.
  – Select this action to prevent broadcast storms when the interface does not
    participate in any calculation or forwarding.
  – This action can suppress broadcast storms.
• No learning
  – The device sends a trap to the NMS and disables the interface from learning new MAC
    addresses.
  – Select this action when the interface needs to process data packets and send them to
    the correct link.
  – This action cannot suppress broadcast storms.
• Quitvlan
  – The device sends a trap to the NMS and removes the interface from the VLAN where the
    loop occurs.
  – Select this action when loops in a VLAN need to be eliminated without affecting
    traffic forwarding in other VLANs.
  – This action can suppress broadcast storms.
LBDT can only detect loops on a single node, but cannot eliminate loops on the entire
network. After a loop is detected, you are advised to eliminate the loop immediately.
NOTE
• The interface that is disabled by LBDT cannot be restored after the recovery time.
• After the LBDT action of an interface is changed, the interface is restored. Then the changed LBDT
  action is taken when a loop is detected.
• When VLAN-based LBDT is configured on an interface:
  – If detection of this VLAN is canceled, the interface is restored automatically.
  – If GVRP is not enabled on the interface and the interface is removed from the VLAN
    manually, the interface is restored automatically.
  – If GVRP is enabled on the interface, the interface is manually removed from the VLAN or
    dynamically removed from the VLAN through GVRP, and the action to be taken is not
    shutdown, the interface can be restored automatically.
  – If GVRP is enabled on the interface, the interface is manually removed from the VLAN or
    dynamically removed from the VLAN through GVRP, and the action to be taken is shutdown,
    the interface cannot be restored automatically. In the alarm periodically reported by the device,
    information about the VLAN where loops are detected is empty. You must run the shutdown
    and undo shutdown commands to manually restore the interface or run the restart command
    to enable the interface again.
Automatic loop detection is enabled in the VLAN specified by the PVID on an interface by
default.
You can configure LBDT on the interface of the Switch to detect loopbacks. When detecting a
loopback on the interface, the Switch reports a trap and records a log, and takes a
preconfigured action (such as Shutdown, Block, No learning, or Quitvlan) on the interface
to reduce the impact of the loopback on the Switch. When the Switch detects that the
loopback is eliminated on the interface, the interface can be restored. However, an interface
that has been shut down cannot be restored.
You can configure LBDT on Interface1 of the Switch to detect whether a loop occurs on the
downstream network or device. When detecting a loop on the downstream network or device,
the Switch reports a trap and records a log, and takes a preconfigured action (such as
Shutdown, Block, No learning, or Quitvlan) on the interface to reduce the impact of the
loop on the Switch. When the Switch detects that the loop is eliminated on the downstream
network or device, the interface can be restored. However, an interface that has been shut
down cannot be restored.
You can configure LBDT on Interface1 and Interface2 of the Switch to detect whether a loop
occurs on the local network or between two device interfaces. When detecting a loop, the
Switch reports a trap and records a log, and takes preconfigured actions (such as Shutdown,
Block, No learning, or Quitvlan) on Interface1 and Interface2 to reduce the impact of the
loop on the Switch. When the Switch detects that the loop is eliminated on the local network
or between two interfaces, Interface1 or Interface2 can be restored. However, an interface
that has been shut down cannot be restored.
Licensing Requirements
LBDT configuration commands are available only after the S1720GW, S1720GWR, and
S1720X have the license (WEB management to full management Electronic RTU License)
loaded and activated and the switches are restarted. LBDT configuration commands on other
models are not under license control.
For details about how to apply for a license, see S Series Switch License Use Guide.
Version Requirements
S2710SI V100R006(C03&C05)
S5710-C-LI V200R001C00
S5730SI V200R011C10
S5730S-EI V200R011C10
NOTE
For details about software mappings, see Hardware Query Tool.
Feature Limitations
l In V200R008C00 and earlier versions, LBDT does not take effect in dynamic VLANs.
In V200R008C00 and later versions, the LBDT-enabled switch can detect loops in
dynamic VLANs, but the Quitvlan action is invalid for dynamic VLANs.
l LBDT requires that the device should send a large number of detection packets to detect
loops, occupying system resources. Therefore, disable LBDT if loops do not need to be
detected.
l LBDT cannot be configured on an Eth-Trunk or its member interfaces.
l The blocked ports of LBDT cannot block GVRP packets. To ensure that GVRP runs
normally and prevent GVRP loops, do not enable GVRP on the blocked port of LBDT.
l The S2700SI and S2710SI support only detection of self-loops on an interface, and do
not support detection of loops on the downstream device or between interfaces.
Context
The switch joins VLAN 1 by default, and the PVID of all interfaces is VLAN 1. When an
interface changes from Down to Up, a loop may occur. You can configure automatic LBDT to
detect loops in the VLAN specified by the PVID on an interface. When the switch is enabled
with MAC address flapping detection, if MAC address flapping is detected in a VLAN,
automatic LBDT is triggered to detect loops in the VLAN.
Procedure
Step 1 Run system-view
By default, automatic LBDT is enabled on all interfaces. When a loop is detected in the
VLAN specified by the PVID on an interface, a trap is reported.
NOTE
----End
Follow-up Procedure
To enable LBDT triggered by MAC address flapping, first configure MAC address flapping
detection. For details on how to configure MAC address flapping detection, see 3.9
Configuring MAC Address Flapping Detection.
By default, global MAC address flapping detection is enabled. The switch detects MAC
address flapping in all VLANs.
When automatic LBDT is triggered to automatically detect loops in the VLAN where MAC
address flapping is detected, you can configure either of the following actions on the
interface:
You can run the loopback-detect auto action { quitvlan | trap } command in the system
view to configure the action when automatic LBDT is triggered to automatically detect loops
in the VLAN where MAC address flapping is detected.
By default, the action is trap when automatic LBDT is triggered to detect loops in the VLAN
where MAC address flapping is detected.
NOTE
The quitvlan action that is configured using this command takes effect only in the scenario where
automatic LBDT is triggered to detect a loop between interfaces in the VLAN where MAC address
flapping is detected. The trap action is used in the scenario where automatic LBDT is triggered to detect
a loop on the downstream network or device in the VLAN where MAC address flapping is detected.
Context
An LBDT-enabled interface sends LBDT packets at intervals. A shorter interval indicates that
the system sends more LBDT packets in a given period and detects loops more accurately.
However, more system resources are consumed and system performance is affected. You can
adjust the interval for sending LBDT packets according to actual networking to balance
system performance and LBDT accuracy.
Procedure
Step 1 Run system-view
----End
Context
An LBDT-enabled interface periodically sends LBDT packets to detect loops. After a loop is
detected, an action configured by the loopback-detect action command is taken on the
interface. In addition, the system counts the time. After the configured recovery time expires,
the system attempts to restore the problematic interface. If the device does not receive
detection packets from the problematic interface within the next recovery time, it considers
that the loop is eliminated on the interface and restores the interface.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run loopback-detect recovery-time recovery-time
The interface recovery time after a loop is removed is set.
By default, the interface recovery time is three times the interval for sending LBDT packets.
NOTE
It is recommended that the interface recovery time be at least three times the packet sending interval. If
the packet sending interval has been set to a small value, the interface recovery time should be at least
10 seconds longer than the packet sending interval.
----End
l LBDT needs to send a large number of LBDT packets to detect loops, occupying system
resources. Therefore, disable LBDT if loops do not need to be detected.
l The blocked ports of LBDT cannot block GVRP packets. To ensure that GVRP runs
normally and prevent GVRP loops, do not enable GVRP on the blocked port of LBDT.
An LBDT-enabled interface periodically sends untagged LBDT packets, with the BPDU MAC
address as the destination MAC address, to detect loops. Generally, the switch does not
allow BPDUs to pass through, so LBDT can detect only loopbacks on an interface; it
cannot detect a loop on the downstream network or device or between two device
interfaces.
To enable LBDT to detect a loop on the downstream network or device, configure LBDT
in a specified VLAN. When the connected interface is an access interface or the PVIDs of the
inbound and outbound interfaces are the same, you can also run the loopback-detect untagged
mac-address command to detect loops.
To enable LBDT to detect a loop between two device interfaces, configure LBDT in a
specified VLAN.
On the switch, you can enable LBDT on all interfaces in the system view or on an interface.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run the following commands as required.
l Enable LBDT on all interfaces.
Run the loopback-detect enable command to enable LBDT on all interfaces.
When LBDT needs to be configured on most interfaces, perform this operation. This
operation simplifies the configuration.
l Enable LBDT on an interface.
a. Run the interface interface-type interface-number command to enter the interface
view.
b. Run the loopback-detect enable command to enable LBDT on the interface.
By default, LBDT is disabled on an interface.
Step 3 Run the following commands as required.
If LBDT only needs to detect loopbacks on an interface, skip this step.
If LBDT needs to detect a loop on the downstream network or device, or a loop between
two device interfaces, perform this step.
l Configuring LBDT in a specified VLAN
a. Run interface interface-type interface-number
The interface view is displayed.
b. Select either of the following configurations to add the VLAN where loops need to
be detected.
n Access interface
1) Run port link-type access
The link type of the interface is configured as access.
2) Run port default vlan vlan-id
The access interface is added to the VLAN where loops need to be
detected.
n Hybrid interface
1) Run port link-type hybrid
The link type of the interface is configured as hybrid.
2) Run port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }
or port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }
NOTE
– An interface sends tagged LBDT packets only when the specified VLAN has been created.
– When the PVID of the interface in the loop is the detected VLAN ID or the interface joins the
detected VLAN in untagged mode, VLAN tags of LBDT packets are removed. As a result, the
packet priority changes and the system may fail to detect loops.
l Configuring the destination MAC address of untagged LBDT packets
Run the loopback-detect untagged mac-address mac-address command to set the
destination MAC address of untagged LBDT packets.
By default, the destination MAC address of untagged LBDT packets is
0180-C200-000A.
Do not configure the destination MAC address of untagged LBDT packets as the
destination MAC address of other protocols. You are advised to set the destination MAC
address of untagged LBDT packets to a broadcast MAC address (all Fs).
----End
Context
An LBDT-enabled interface sends LBDT packets at intervals. A shorter interval indicates that
the system sends more LBDT packets in a given period and detects loops more accurately.
However, more system resources are consumed and system performance is affected. You can
adjust the interval for sending LBDT packets according to actual networking to balance
system performance and LBDT accuracy.
Procedure
Step 1 Run system-view
----End
Context
By default, when a loop occurs on an interface or the network connected to the interface, the
device does not take any action on the interface. In this case, the interface needs to be shut
down to prevent the impact of the loopback on the device and entire network.
You can preconfigure an action to be taken after LBDT detects a loop. After detecting a loop,
the device takes the preconfigured action on the interface to prevent the impact of the loop on
the device and entire network.
The device provides the following actions after LBDT detects a loop:
l Trap: The device reports a trap to the NMS and records a log, but does not take any
action on the interface.
l Block: The device isolates an interface where a loop occurs from other interfaces, and
can forward only BPDUs.
l No learning: The interface is disabled from learning MAC addresses.
l Shutdown: The device shuts down the interface.
l Quitvlan: The interface is removed from the VLAN where a loop occurs.
For details about the actions, see Action Taken After a Loop Is Detected. You can configure
one of the actions according to actual networking.
Procedure
Step 1 Run system-view
The trap function is enabled for LBDT. This function allows the device to send traps of
LBDT.
By default, the shutdown action is taken on an interface where LBDT detects a loop.
NOTE
l When the Quitvlan action is used, the configuration file remains unchanged.
l The LBDT action and MAC address flapping action affect each other, and cannot be configured
simultaneously.
l The Quitvlan action of LBDT conflicts with dynamic removal from VLANs (for example, GVRP
and HVRP), and cannot be configured simultaneously.
----End
Context
An LBDT-enabled interface periodically sends LBDT packets to detect loops. After a loop is
detected, an action configured by the loopback-detect action command is taken on the
interface. In addition, the system counts the time. After the configured recovery time expires,
the system attempts to restore the problematic interface. If the device does not receive
detection packets from the problematic interface within the next recovery time, it considers
that the loop is eliminated on the interface and restores the interface.
Procedure
Step 1 Run system-view
By default, the interface recovery time is three times the interval for sending LBDT packets.
NOTE
l It is recommended that the interface recovery time be at least three times the packet sending interval.
If the packet sending interval has been set to a small value, the interface recovery time should be at
least 10 seconds longer than the packet sending interval.
l Automatic recovery is valid for Trap, Quitvlan, Block, and No learning. After a loop is eliminated,
the shutdown interface cannot be restored automatically. You must run the shutdown and undo
shutdown commands or run the restart command to restore the interface.
----End
Procedure
l Run the display loopback-detect command to check the LBDT configuration and status
of LBDT-enabled interfaces.
----End
Networking Requirements
As shown in Figure 20-5, aggregation switch SwitchA on an enterprise network connects to a
new access switch SwitchB. To prevent a loopback from occurring between the Tx and Rx
ends of GE0/0/1 due to incorrect fiber connection or high voltage damage, SwitchA is
required to detect loopbacks on GE0/0/1. Furthermore, it is required that the interface be
blocked to reduce the impact of the loopback on the network when a loopback is detected, and
the interface be restored after the loopback is removed.
[Diagram labels: GE0/0/1, Tx, Rx, GE0/0/1, SwitchB]
Configuration Roadmap
To detect loopbacks on downlink interface GE0/0/1 of SwitchA, configure LBDT on GE0/0/1
of SwitchA. The configuration roadmap is as follows:
Procedure
Step 1 Enable LBDT on an interface.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] loopback-detect enable
[SwitchA-GigabitEthernet0/0/1] quit
Step 2 Configure an action taken after a loopback is detected and set the recovery time.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] loopback-detect action block
[SwitchA-GigabitEthernet0/0/1] loopback-detect recovery-time 30
[SwitchA-GigabitEthernet0/0/1] quit
-----------------------------------------------------------------
The preceding command output shows that the LBDT configuration is successful.
2. After about 5s, run the display loopback-detect command to check whether GE0/0/1 is
blocked.
[SwitchA] display loopback-detect
Loopback-detect sending-packet interval: 5
-----------------------------------------------------------------
The preceding command output shows that GE0/0/1 is blocked, indicating that a
loopback occurs on GE0/0/1.
3. Manually remove the loopback. Run the display loopback-detect command to check
whether GE0/0/1 is restored.
[SwitchA] display loopback-detect
Loopback-detect sending-packet interval: 5
-----------------------------------------------------------------
----End
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
interface GigabitEthernet0/0/1
loopback-detect recovery-time 30
loopback-detect enable
loopback-detect action block
#
return
Networking Requirements
As shown in Figure 20-6, a new department of an enterprise connects to aggregation switch
Switch, and this department belongs to VLAN 100. Loops may occur due to incorrect
connections or configurations. As a result, communication on the Switch and uplink network
may be affected.
It is required that the Switch should detect loops on the new network to prevent the impact of
loops on the Switch and connected network.
Figure 20-6 Networking for configuring LBDT to detect loops on the downstream network
[Diagram labels: Switch, GE0/0/1, New department, VLAN 100]
Configuration Roadmap
The new department network has only VLAN 100, so configure LBDT on the Switch to
detect loops. The configuration roadmap is as follows:
1. Enable LBDT on GE0/0/1 of the Switch to detect loops in a specified VLAN so that
loops on the downstream network can be detected.
2. Set LBDT parameters so that the Switch can immediately shut down GE0/0/1 after a
loop is detected. This prevents the impact of the loop on the Switch and connected
network.
NOTE
Configure interfaces on other switching devices as trunk or hybrid interfaces and configure these
interfaces to allow packets from VLANs to pass through, to ensure Layer 2 connectivity on the new
network and between the new network and the Switch.
Procedure
Step 1 Enable LBDT on the interface.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] loopback-detect enable
[Switch-GigabitEthernet0/0/1] quit
-----------------------------------------------------------------
The preceding command output shows that the LBDT configuration is successful.
2. Construct loops on the downstream network and run the display loopback-detect
command to check whether GE0/0/1 is shut down.
[Switch] display loopback-detect
Loopback-detect sending-packet interval: 10
-----------------------------------------------------------------
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100
#
loopback-detect packet-interval 10
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 100
loopback-detect packet vlan 100
loopback-detect enable
#
return
Networking Requirements
As shown in Figure 20-7, a small-scale enterprise uses Layer 2 networking and belongs to
VLAN 100. Because employees often move, the network topology changes frequently. Loops
may occur due to incorrect connections or configurations during the change. As a result,
broadcast storms may occur and affect communication of the Switch and entire network.
The requirements are as follows: The Switch detects loops. When a loop exists, the interface
is blocked to reduce the impact of the loop on the Switch and network. When the loop is
eliminated, the interface can be restored.
Figure 20-7 Networking for configuring LBDT to detect loops on the local network
[Diagram labels: Switch, GE0/0/1, GE0/0/2, VLAN 100]
Configuration Roadmap
To detect loops on the network where the Switch is deployed, configure LBDT on GE0/0/1
and GE0/0/2 of the Switch. In this example, untagged LBDT packets sent by the Switch will
be discarded by other switches on the network. As a result, the packets cannot be sent back to
the Switch, and LBDT fails. Therefore, LBDT is configured in a specified VLAN. The
configuration roadmap is as follows:
1. Enable LBDT on an interface and configure the Switch to detect loops in VLAN 100 to
implement LBDT on the network where the Switch is deployed.
2. Configure an action taken after a loop is detected and set the recovery time. After a loop
is detected, the Switch blocks the interface to reduce the impact of the loop on the
network. After a loop is eliminated, the Switch restores the interface.
NOTE
Configure interfaces on other switching devices as trunk or hybrid interfaces and configure these
interfaces to allow packets from VLANs to pass through, to ensure Layer 2 connectivity.
Procedure
Step 1 Enable LBDT on an interface.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] loopback-detect enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] loopback-detect enable
[Switch-GigabitEthernet0/0/2] quit
Step 3 Configure an action taken after a loop is detected and set the recovery time.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] loopback-detect action block
[Switch-GigabitEthernet0/0/1] loopback-detect recovery-time 30
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] loopback-detect action block
[Switch-GigabitEthernet0/0/2] loopback-detect recovery-time 30
[Switch-GigabitEthernet0/0/2] quit
-----------------------------------------------------------------
The preceding command output shows that the LBDT configuration is successful.
2. After about 5s, run the display loopback-detect command to check whether GE0/0/1 or
GE0/0/2 is blocked.
[Switch] display loopback-detect
Loopback-detect sending-packet interval: 5
-----------------------------------------------------------------
-----------------------------------------------------------------
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 100
loopback-detect recovery-time 30
loopback-detect packet vlan 100
loopback-detect enable
loopback-detect action block
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid tagged vlan 100
loopback-detect recovery-time 30
loopback-detect packet vlan 100
loopback-detect enable
loopback-detect action block
#
return
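The recommendations and limitations in this chapter (recovery time versus packet-sending interval, no LBDT on an Eth-Trunk or its members, no GVRP on a blocked LBDT port, tagged detection only in a created VLAN) can be checked offline against a saved configuration file. The following Python script is an added example, not part of the Huawei guide. The sample configuration is constructed, the eth-trunk and gvrp interface lines and the finding names are assumptions, and the minimum recovery time is read as the larger of 3 x interval and interval + 10 seconds.

```python
DEFAULT_INTERVAL = 5  # seconds; value displayed in the examples when none is configured

# Constructed sample in the configuration-file format shown above. The eth-trunk
# and gvrp interface lines are assumptions (they do not appear on this page).
SAMPLE = """\
vlan batch 100
#
loopback-detect packet-interval 10
#
interface GigabitEthernet0/0/1
 port link-type hybrid
 port hybrid tagged vlan 100
 loopback-detect recovery-time 15
 loopback-detect packet vlan 100
 loopback-detect enable
 loopback-detect action block
#
interface GigabitEthernet0/0/2
 port link-type hybrid
 port hybrid tagged vlan 200
 loopback-detect packet vlan 200
 loopback-detect enable
#
interface GigabitEthernet0/0/3
 eth-trunk 1
 loopback-detect enable
#
interface GigabitEthernet0/0/4
 port link-type trunk
 gvrp
 loopback-detect enable
 loopback-detect action block
#
return
"""

def vlan_set(tokens):
    """Expand ['100', 'to', '102', '200'] into {100, 101, 102, 200}."""
    out, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            out.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            out.add(int(tokens[i]))
            i += 1
    return out

def match(lines, *prefix):
    """Return the argument lists of the lines that start with the given words."""
    n = len(prefix)
    return [w[n:] for w in lines if tuple(w[:n]) == prefix]

def parse(config):
    """Split a configuration file into global lines and per-interface lines."""
    glob, ifaces, cur = [], {}, None
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] in ("#", "return"):
            cur = None                      # '#' closes the current section
        elif w[0] == "interface":
            cur = ifaces.setdefault(w[1], [])
        else:
            (glob if cur is None else cur).append(w)
    return glob, ifaces

def audit(config):
    """Return sorted (interface, finding) pairs for settings the guide advises against."""
    glob, ifaces = parse(config)
    interval = DEFAULT_INTERVAL
    for args in match(glob, "loopback-detect", "packet-interval"):
        interval = int(args[0])
    created = {1}.union(*(vlan_set(a) for a in match(glob, "vlan", "batch")))
    enable_all = [] in match(glob, "loopback-detect", "enable")
    # Reading of the NOTE: at least 3 x interval and at least interval + 10 seconds.
    need = max(3 * interval, interval + 10)
    out = []
    for name, lines in ifaces.items():
        explicit = [] in match(lines, "loopback-detect", "enable")
        if not (explicit or enable_all):
            continue
        for args in match(lines, "loopback-detect", "recovery-time"):
            if int(args[0]) < need:
                out.append((name, "RECOVERY_TOO_SHORT"))
        if explicit and (match(lines, "eth-trunk") or name.lower().startswith("eth-trunk")):
            out.append((name, "ETH_TRUNK_MEMBER"))
        if [] in match(lines, "gvrp") and ["block"] in match(lines, "loopback-detect", "action"):
            out.append((name, "GVRP_ON_BLOCK_PORT"))
        for args in match(lines, "loopback-detect", "packet", "vlan"):
            for vid in sorted(vlan_set(args) - created):
                out.append((name, "VLAN_%d_NOT_CREATED" % vid))
    return sorted(out)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

The script reports nothing for the Switch configuration file shown above: with no packet-interval line it assumes 5 seconds, so a recovery time of 30 satisfies both limits.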
Definition
Layer 2 protocol transparent transmission is a Layer 2 tunneling technology that transparently
transmits BPDUs between private networks at different locations over a specified tunnel on a
public Internet Service Provider (ISP) network.
Purpose
Leased lines of ISPs are often used to establish Layer 2 networks. As a result, private user
networks can be located at two sides of ISP networks. In Figure 21-1, User A has two
networks: network1 and network2. The two networks are connected through the ISP network.
When network1 and network2 run the same Layer 2 protocol (such as MSTP), Layer 2
protocol packets from network1 and network2 must be transmitted through the ISP network to
perform Layer 2 protocol calculation (for example, calculating a spanning tree). Generally, the
destination MAC addresses in Layer 2 protocol packets of the same Layer 2 protocol are the
same. For example, the MSTP PDUs are BPDUs with the destination MAC address
0180-C200-0000. Therefore, when a Layer 2 protocol packet reaches an edge device on the ISP
network, the edge device cannot identify whether the Layer 2 protocol packet comes from a
user network or the ISP network and sends the Layer 2 protocol packets to the CPU to
calculate a spanning tree.
In Figure 21-1, devices on user network1 build a spanning tree together with PE1 but not
with devices on user network2. As a result, the Layer 2 protocol packets on user network1
cannot traverse the ISP network to reach user network2.
Figure 21-1 Transparent transmission of Layer 2 protocol packets on the ISP network
[Diagram labels: ISP network, PE1, PE2, CE1, CE2, User A network1, User A network2]
You can use Layer 2 protocol transparent transmission to transparently transmit Layer 2
protocol packets from the user networks over the ISP network. This addresses the network
identity issue. The procedure is as follows:
1. After receiving Layer 2 protocol packets sent from CE1, PE1 replaces the destination
MAC address with a specified multicast MAC address. Then PE1 forwards the packets
on the ISP network.
2. Layer 2 protocol packets are forwarded to PE2. PE2 restores the original destination
MAC address of the packets and sends them to CE2.
Huawei devices can transparently transmit packets of the following Layer 2 protocols:
l Spanning Tree Protocol (STP)
l Link Aggregation Control Protocol (LACP)
l Ethernet Operation, Administration, and Maintenance 802.3ah (EOAM3ah)
l Link Layer Discovery Protocol (LLDP)
l GARP VLAN Registration Protocol (GVRP)
l GARP Multicast Registration Protocol (GMRP)
l HUAWEI Group Management Protocol (HGMP)
To transparently transmit Layer 2 protocol packets on the ISP network, ensure that the
following requirements are met:
l All branches of a user network can receive Layer 2 protocol packets from other
branches.
l Layer 2 protocol packets of a user network cannot be processed by the CPU of devices
on the ISP network.
l Layer 2 protocol packets from different user networks must be isolated and not affect
each other.
Huawei switches support the following Layer 2 protocol transparent transmission modes in
different scenarios:
l Interface-based
l VLAN-based
l QinQ-based
l VPLS-based
[Diagram labels: ISP Network, BPDU Tunnel, PE1, PE2]
In Figure 21-2, each PE interface connects to one user network. These user networks do not
belong to the same LAN. If BPDUs received from user networks do not carry any VLAN tag,
the PE must identify the LAN that the BPDUs come from. BPDUs of a user network on LAN-
A must be sent to other user networks on LAN-A. In addition, BPDUs must not be processed
by devices on the ISP network.
b. The ingress PE on the ISP network replaces the standard destination multicast MAC
address of the Layer 2 protocol packet with the specified destination multicast
MAC address based on the mapping between the specified destination multicast
MAC address and the Layer 2 protocol.
c. Internal nodes on the ISP network forward the packet as a common Layer 2 packet
through the ISP network.
d. The egress PE on the ISP network restores the original standard destination MAC
address of the packet based on the mapping between the specified destination
multicast MAC address and the Layer 2 protocol and forwards the packet to the CE.
[Diagram labels: LAN-A (MSTP) and LAN-B (MSTP) on each side, PE 1, PE 2, ISP Network, BPDU Tunnel]
In most cases, a PE serves as an aggregation device. In Figure 21-3, the aggregation interface
on PE1 receives Layer 2 protocol packets from LAN-A and LAN-B. To differentiate BPDUs
from two LANs, BPDUs sent from CEs to PEs must have VLAN tags. Packets sent from
LAN-A contain VLAN ID 200 and packets sent from LAN-B contain VLAN ID 100. BPDUs
of a user network in LAN-A must be forwarded to other user networks in LAN-A, but not to
user networks in LAN-B. In addition, BPDUs cannot be processed by PEs on the ISP
network. In this case, you can configure VLAN-based Layer 2 protocol transparent
transmission on PEs, so that Layer 2 protocol packets can traverse the ISP network through
Layer 2 tunnels.
Similar to interface-based Layer 2 protocol transparent transmission, you can use either of the
following methods to implement VLAN-based Layer 2 protocol transparent transmission:
l Change the default multicast MAC address of the Layer 2 protocol packet that can be
identified by the devices on the ISP network to another multicast MAC address. This
method only applies to STP, RSTP, or MSTP, and the configuration command is
bpdu-tunnel stp bridge role provider.
a. Set roles of all ISP network devices to provider, so that the multicast MAC
addresses of the BPDUs sent by these devices are changed from 01-80-C2-00-00-00
to 01-80-C2-00-00-08.
b. Set roles of all user network devices to customer, so that the multicast MAC
addresses of the BPDUs sent by the user network remain 01-80-C2-00-00-00.
c. Set specified VLAN IDs for Layer 2 protocol packets sent from user networks to
the ISP network.
d. Enable the devices on the ISP network to identify Layer 2 protocol packets with the
specified VLAN IDs and allow these packets to pass.
e. PEs (providers) do not consider these packets Layer 2 protocol BPDUs and do not
send them to the CPU. Instead, PEs select a Layer 2 tunnel to forward the packets
based on the default VLAN IDs of interfaces.
f. Internal nodes on the ISP network forward the packets as common Layer 2 packets
through the ISP network.
g. PEs on the ISP network forward the packets to CEs without modifying the packets.
l Replace the original multicast MAC address of the Layer 2 protocol packet with a
specified multicast MAC address. This method applies to all modes of Layer 2 protocol
transparent transmission.
a. Set specified VLAN IDs for Layer 2 protocol packets that are sent from user
networks to the ISP network.
b. Enable the devices on the ISP network to identify Layer 2 protocol packets with the
specified VLAN IDs and allow these packets to pass.
c. The ingress PE on the ISP network replaces the standard destination multicast MAC
address of the Layer 2 protocol packet with the specified destination multicast
MAC address based on the mapping between the specified destination multicast
MAC address and the Layer 2 protocol.
d. Internal nodes on the ISP network forward the packets as common Layer 2 packets
through the ISP network.
e. The egress PE on the ISP network restores the original standard destination MAC
address of the packet based on the mapping between the specified destination
multicast MAC address and the Layer 2 protocol and forwards the packet to the CE.
[Diagram labels: LAN-A (MSTP) and LAN-B (MSTP) on each side, PE1, PE2, ISP Network, BPDU Tunnel for CE-VLAN 100, BPDU Tunnel for CE-VLAN 200, PE-VLAN20:CE-VLAN 100~199, PE-VLAN30:CE-VLAN 200~299]
In Figure 21-4, PEs add outer VLAN ID 20 to Layer 2 protocol packets of VLAN 100 to
VLAN 199, add outer VLAN ID 30 to Layer 2 protocol packets of VLAN 200 to VLAN 299,
and forward the packets to other devices on the ISP network. In this way, Layer 2 protocol
packets of different user networks can be transparently transmitted on the ISP network and
carrier VLAN IDs are conserved.
[Diagram labels: VPLS Network, BPDU Tunnel, PE1, PE2, LAN-A (MSTP) on each side]
[Diagram labels: ISP network, PE1, PE2, CE1, CE2, User A network1, User A network2]
Licensing Requirements
Configuration commands of Layer 2 protocol transparent transmission are available only after
the S1720GW, S1720GWR, and S1720X have the license (WEB management to full
management Electronic RTU License) loaded and activated and the switches are restarted.
Configuration commands of Layer 2 protocol transparent transmission on other models are
not under license control.
For details about how to apply for a license, see S Series Switch License Use Guide.
Version Requirements
Table 21-2 Products and versions supporting Layer 2 protocol transparent transmission
Product    Product Model    Software Version
S5710-C-LI V200R001C00
S5730SI V200R011C10
S5730S-EI V200R011C10
NOTE
For details about software mappings, see Hardware Query Tool.
Feature Limitations
l When the default CPCAR value is used, the device transparently transmits a maximum
of 10 Layer 2 protocol packets per second. Excess packets are discarded.
l On the S5700HI, if the VLANIF interface configured based on a PVID is bound to a
VSI, interfaces corresponding to this PVID cannot forward Layer 2 protocol BPDUs.
l In V200R005 and later versions, when PVST+ packets need to be transparently
transmitted, disable VBST on the interface. Otherwise, PVST+ packets cannot be
transparently transmitted.
l Do not replace the destination MAC addresses of SSTP, STP, GVRP, and GMRP packets
with the same multicast MAC address.
l When configuring Layer 2 protocol transparent transmission, do not use any of the
following multicast MAC addresses to replace the destination MAC address of Layer 2
protocol packets:
– Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
– Destination MAC address of Smart Link packets: 010F-E200-0004
– Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD. By
default, on the S2720EI and S2750EI, 0100-0CCC-CCCC and 0100-0CCC-CCCD
are not destination MAC addresses of BPDU packets.
– Common multicast MAC addresses that have been used on the device
l To transparently transmit BPDUs such as DLDP and EFM packets on a physical
interface, the L2PT tunnel egress cannot be the Eth-Trunk. Otherwise, BPDU negotiation
may be abnormal.
l When an interface is enabled to transparently transmit the packets of a certain protocol,
these packets do not participate in protocol processing. For example, after an interface is
enabled to transparently transmit STP packets, the interface does not participate in STP
calculation. Therefore, you are advised not to enable a protocol and the transparent
transmission of this protocol on the same interface.
l Only the S5720HI supports configuring VPLS-based Layer 2 Protocol Transparent
Transmission.
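The replacement-address restrictions in the list above can be checked before a group-mac is committed. The following Python script is an added example, not part of the Huawei guide. The sample lines are constructed, the lowercase protocol keywords (stp, sstp, gvrp, gmrp, lacp, lldp) are assumed values of protocol-type, and the in_use argument stands for multicast addresses already used on the device.

```python
import re

# Addresses the guide says must not be used as a replacement (inclusive ranges).
RESERVED = [
    ("BPDU range", 0x0180C2000000, 0x0180C200002F),
    ("Smart Link", 0x010FE2000004, 0x010FE2000004),
    ("special multicast", 0x01000CCCCCCC, 0x01000CCCCCCD),
]
# Protocols that must not share one replacement address (assumed keyword spellings).
NO_SHARE = {"sstp", "stp", "gvrp", "gmrp"}

# Constructed sample lines in the form
# "l2protocol-tunnel protocol-type group-mac group-mac".
SAMPLE = """\
l2protocol-tunnel stp group-mac 0100-5e00-0011
l2protocol-tunnel gvrp group-mac 0100-5e00-0011
l2protocol-tunnel lacp group-mac 0180-c200-0002
l2protocol-tunnel lldp group-mac 0100-0ccc-cccd
l2protocol-tunnel gmrp group-mac 0011-2233-4455
"""

def parse_mac(text):
    """Parse H-H-H notation (1 to 4 hex digits per group) into a 48-bit integer."""
    groups = text.split("-")
    if len(groups) != 3 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,4}", g) for g in groups):
        raise ValueError("not an H-H-H MAC address: %r" % text)
    return int("".join(g.zfill(4) for g in groups), 16)

def check_group_macs(config, in_use=()):
    """Return sorted (protocol, group_mac, problem) tuples for group-mac lines.

    in_use lists multicast MAC addresses already used on the device (caller-supplied).
    """
    used = {parse_mac(m) for m in in_use}
    seen, out = {}, []
    for line in config.splitlines():
        w = line.split()
        if len(w) != 4 or w[0] != "l2protocol-tunnel" or w[2] != "group-mac":
            continue
        proto, text = w[1].lower(), w[3]
        try:
            mac = parse_mac(text)
        except ValueError:
            out.append((proto, text, "malformed address"))
            continue
        if not (mac >> 40) & 1:  # group bit: lowest bit of the first octet
            out.append((proto, text, "not a multicast address"))
        for label, low, high in RESERVED:
            if low <= mac <= high:
                out.append((proto, text, "reserved: " + label))
        if mac in used:
            out.append((proto, text, "already used on the device"))
        if proto in NO_SHARE:
            # Earlier NO_SHARE protocols mapped to the same address conflict with this one.
            for other in seen.get(mac, []):
                out.append((proto, text, "shared with " + other))
            seen.setdefault(mac, []).append(proto)
    return sorted(out)

if __name__ == "__main__":
    for finding in check_group_macs(SAMPLE):
        print(*finding)
```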
Pre-configuration Tasks
Before configuring interface-based Layer 2 protocol transparent transmission, complete the
following tasks:
l Set link layer protocol parameters and IP addresses for interfaces to ensure that the link
layer protocol on the interfaces is Up.
l Use the bpdu enable command to enable the interfaces to send BPDUs to the CPU.
Context
When non-standard Layer 2 protocol packets with a specified multicast destination MAC
address need to be transparently transmitted on the backbone network, define Layer 2
protocol characteristics on the PE. Layer 2 protocol characteristics include the protocol name,
Ethernet encapsulation format, destination MAC address, and MAC address that replaces the
destination MAC address of Layer 2 protocol packets.
When defining Layer 2 protocol characteristics, do not use the following multicast MAC
addresses to replace the destination MAC address of Layer 2 protocol packets:
Procedure
Step 1 Run system-view
----End
Context
You can configure Layer 2 protocol transparent transmission on the device to replace:
l Default multicast MAC address of Layer 2 protocol packets that can be identified by PEs
with another multicast MAC address. This mode can be used to transparently transmit
Layer 2 protocol packets of only STP, RSTP, and MSTP.
l Original multicast MAC address of Layer 2 protocol packets with a specified multicast
MAC address. This mode can be used to transparently transmit all types of Layer 2
protocol packets.
Perform either of the following operations on PEs based on the Layer 2 protocol type and the
required transparent transmission mode.
Procedure
l Replace the default multicast MAC address of Layer 2 protocols that can be identified by
PEs with another multicast MAC address.
a. Run system-view
The system view is displayed.
b. Run bpdu-tunnel stp bridge role provider
The PE is configured as a provider.
Only the S1720X, S1720X-E, S6720LI, S6720S-LI, S5730SI, S5730S-EI, S6720SI,
S6720S-SI, S5720SI and S5720S-SI support this configuration.
l Replace the original multicast MAC address of Layer 2 protocol packets from user
networks with a specified multicast MAC address.
a. Run system-view
The system view is displayed.
b. (Optional) Run bpdu mac-address mac-address [ mac-address-mask ]
The specific MAC address is configured as the BPDU MAC address.
n For the S2750EI, if CDP packets need to be transparently transmitted, run the
bpdu mac-address 0100-0CCC-CCCC command to set the BPDU MAC
address to 0100-0CCC-CCCC.
n For the S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E,
S1720GWR-E, S1720X-E, S2750EI, S2720EI, S5700LI, S5700S-LI, S5720LI,
S5720S-LI, S6720LI, S6720S-LI, S5710-X-LI, S5730SI, S5730S-EI, S6720SI,
S6720S-SI, S5720SI, and S5720S-SI, if PVST+ packets need to be
transparently transmitted, run the bpdu mac-address 0100-0CCC-CCCD
command to set the BPDU MAC address to 0100-0CCC-CCCD.
c. Run l2protocol-tunnel protocol-type group-mac group-mac
NOTE
Do not replace the destination MAC addresses of SSTP, STP, GVRP, and GMRP packets
with the same multicast MAC address.
When configuring Layer 2 protocol transparent transmission, do not use the following
multicast MAC addresses to replace the destination MAC address of Layer 2 protocol
packets:
l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
l Destination MAC addresses of Smart Link packets: 010F-E200-0004
l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD. By
default, on the S2750EI, 0100-0CCC-CCCC and 0100-0CCC-CCCD are not
destination MAC addresses of BPDU packets.
l Common multicast MAC addresses that have been used on the switch
----End
Context
Perform the following operations on PEs based on the required Layer 2 protocol transparent
transmission mode.
NOTE
The l2protocol-tunnel and l2protocol-tunnel vlan commands cannot specify the same protocol type on
the same interface. Otherwise, the configurations conflict.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The user-side interface view is displayed.
Step 3 Run port link-type hybrid
The link type of the interface is set to hybrid.
Step 4 Run port hybrid pvid vlan vlan-id
The default VLAN of the interface is configured.
Step 5 Run port hybrid untagged vlan vlan-id
The interface is added to the default VLAN in untagged mode.
Step 6 Run l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name } enable
Layer 2 protocol transparent transmission is enabled on the interface.
----End
Procedure
l Run the display l2protocol-tunnel group-mac { all | protocol-type | user-defined-protocol
protocol-name } command to check transparent transmission information of
specified or all Layer 2 protocol packets.
----End
Pre-configuration Tasks
Before configuring VLAN-based Layer 2 protocol transparent transmission, complete the
following tasks:
l Set link layer protocol parameters and IP addresses for interfaces to ensure that the link
layer protocol on the interfaces is Up.
l Use the bpdu enable command to enable the interfaces to send BPDUs to the CPU.
Context
When non-standard Layer 2 protocol packets with a specified multicast destination MAC
address need to be transparently transmitted on the backbone network, define Layer 2
protocol characteristics on the PE. Layer 2 protocol characteristics include the protocol name,
Ethernet encapsulation format, destination MAC address, and MAC address that replaces the
destination MAC address of Layer 2 protocol packets.
When defining Layer 2 protocol characteristics, do not use the following multicast MAC
addresses to replace the destination MAC address of Layer 2 protocol packets:
Procedure
Step 1 Run system-view
----End
Context
You can configure Layer 2 protocol transparent transmission on the device to replace:
l Default multicast MAC address of Layer 2 protocol packets that can be identified by PEs
with another multicast MAC address. This mode can be used to transparently transmit
Layer 2 protocol packets of only STP, RSTP, and MSTP.
l Original multicast MAC address of Layer 2 protocol packets with a specified multicast
MAC address. This mode can be used to transparently transmit all types of Layer 2
protocol packets.
Perform either of the following operations on PEs based on the Layer 2 protocol type and the
required transparent transmission mode.
Procedure
l Replace the default multicast MAC address of Layer 2 protocols that can be identified by
PEs with another multicast MAC address.
a. Run system-view
n For the S2750EI, if CDP packets need to be transparently transmitted, run the
bpdu mac-address 0100-0CCC-CCCC command to set the BPDU MAC
address to 0100-0CCC-CCCC.
n For the S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E,
S1720GWR-E, S1720X-E, S2750EI, S2720EI, S5700LI, S5700S-LI, S5720LI,
S5720S-LI, S6720LI, S6720S-LI, S5710-X-LI, S5730SI, S5730S-EI, S6720SI,
S6720S-SI, S5720SI, and S5720S-SI, if PVST+ packets need to be
transparently transmitted, run the bpdu mac-address 0100-0CCC-CCCD
command to set the BPDU MAC address to 0100-0CCC-CCCD.
c. Run l2protocol-tunnel protocol-type group-mac group-mac
The original multicast destination MAC address of Layer 2 protocol packets is
replaced with a specified multicast MAC address.
NOTE
Do not replace the destination MAC addresses of SSTP, STP, GVRP, and GMRP packets
with the same multicast MAC address.
When configuring Layer 2 protocol transparent transmission, do not use the following
multicast MAC addresses to replace the destination MAC address of Layer 2 protocol
packets:
l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
l Destination MAC addresses of Smart Link packets: 010F-E200-0004
l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD. By
default, on the S2750EI, 0100-0CCC-CCCC and 0100-0CCC-CCCD are not
destination MAC addresses of BPDU packets.
l Common multicast MAC addresses that have been used on the switch
----End
Context
Perform the following operations on PEs according to the type of Layer 2 protocol packets to
be transparently transmitted.
NOTE
The l2protocol-tunnel vlan and l2protocol-tunnel commands cannot specify the same protocol type on
the same interface. Otherwise, the configurations conflict.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The user-side interface view is displayed.
Step 3 Run port link-type hybrid
The link type of the interface is set to hybrid.
Step 4 Run port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The interface is added to the specified VLANs in tagged mode.
NOTE
l The range of VLAN IDs specified in this step must include VLAN IDs of Layer 2 protocol packets
from user networks.
l The VLAN for VLAN-based Layer 2 protocol transparent transmission must be the static VLAN,
and cannot be the VLAN dynamically created by GVRP and VCMP.
Pre-configuration Tasks
Before configuring QinQ-based Layer 2 protocol transparent transmission, complete the
following tasks:
l Set link layer protocol parameters and IP addresses for interfaces to ensure that the link
layer protocol on the interfaces is Up.
l Use the bpdu enable command to enable the interfaces to send BPDUs to the CPU.
Context
When non-standard Layer 2 protocol packets with a specified multicast destination MAC
address need to be transparently transmitted on the backbone network, define Layer 2
protocol characteristics on the PE. Layer 2 protocol characteristics include the protocol name,
Ethernet encapsulation format, destination MAC address, and MAC address that replaces the
destination MAC address of Layer 2 protocol packets.
When defining Layer 2 protocol characteristics, do not use the following multicast MAC
addresses to replace the destination MAC address of Layer 2 protocol packets:
Procedure
Step 1 Run system-view
----End
Context
You can configure the following Layer 2 protocol transparent transmission modes:
l Configure the device to replace the default multicast MAC address of Layer 2 protocol
packets that can be identified by PEs with another multicast MAC address. This mode
can be used to transparently transmit Layer 2 protocol packets of only STP, RSTP, and
MSTP.
l Configure the device to replace the original multicast MAC address of Layer 2 protocol
packets with a specified multicast MAC address. This mode can be used to transparently
transmit all types of Layer 2 protocol packets.
Perform either of the following operations on PEs based on the Layer 2 protocol type and the
required transparent transmission mode.
Procedure
l Replace the default multicast MAC address of Layer 2 protocols that can be identified by
PEs with another multicast MAC address.
a. Run system-view
NOTE
When configuring Layer 2 protocol transparent transmission, do not use the following multicast
MAC addresses to replace the destination MAC address of Layer 2 protocol packets:
l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
l Destination MAC addresses of Smart Link packets: 010F-E200-0004
l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD. By default,
on the S2750EI, 0100-0CCC-CCCC and 0100-0CCC-CCCD are not destination MAC
addresses of BPDU packets.
l Common multicast MAC addresses that have been used on the switch
----End
Context
Perform the following operations on PEs based on the required Layer 2 protocol transparent
transmission mode.
NOTE
The l2protocol-tunnel vlan and l2protocol-tunnel commands cannot specify the same protocol type on
the same interface. Otherwise, the configurations conflict.
Procedure
Step 1 Run system-view
Step 4 Run port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The interface is configured to add an outer VLAN tag to Layer 2 protocol packets.
NOTE
l The outer VLAN tag (vlan-id3) specified in the port vlan-stacking command must be included in
the VLAN range specified in the port hybrid untagged vlan command.
----End
Procedure
l Run the display l2protocol-tunnel group-mac { all | protocol-type | user-defined-protocol
protocol-name } command to check information about transparent transmission
of specified or all Layer 2 protocol packets.
----End
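The NOTEs in the interface-based, VLAN-based and QinQ-based procedures above can be checked before a configuration is deployed. The following Python audit is an added example, not part of the Huawei guide: it assumes a configuration in the layout shown under Configuration Files, assumes lower-case protocol-type keywords such as stp and gvrp, ignores user-defined protocols, and runs on a constructed sample.

```python
import re

# Addresses the guide says must not be used as a replacement (group) MAC.
RESERVED = [
    (0x0180C2000000, 0x0180C200002F, "BPDU destination MAC range"),
    (0x010FE2000004, 0x010FE2000004, "Smart Link destination MAC"),
    (0x01000CCCCCCC, 0x01000CCCCCCD, "special multicast MAC"),
]
# Protocols that must not share one group MAC (lower-case keywords assumed).
MUST_DIFFER = {"sstp", "stp", "gvrp", "gmrp"}


def check_group_mac(text):
    """Return why the MAC is unusable as a group MAC, or None if acceptable."""
    if not re.fullmatch(r"[0-9A-Fa-f]{4}(-[0-9A-Fa-f]{4}){2}", text):
        return "not in H-H-H format"
    mac = int(text.replace("-", ""), 16)
    if not (mac >> 40) & 1:  # I/G bit of the first octet marks multicast
        return "not a multicast address"
    for low, high, label in RESERVED:
        if low <= mac <= high:
            return label
    return None


def expand_vlans(tokens):
    """Expand ['10', '20', 'to', '22'] or ['all'] into a set of VLAN IDs."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit(config):
    """Return a list of rule violations found in a configuration file text."""
    findings, macs, ports, shared, iface = [], {}, {}, {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] in ("#", "return"):
            iface = None  # '#' closes the current configuration section
        elif words[0] == "interface" and len(words) > 1:
            iface = words[1]
            ports[iface] = {"enable": set(), "vlan": set(), "untagged": set(), "stack": []}
        elif words[0] == "l2protocol-tunnel" and len(words) >= 3:
            proto, action = words[1], words[2]
            if action == "group-mac" and len(words) == 4:
                macs[proto] = words[3]
            elif iface and action in ("enable", "vlan"):
                ports[iface][action].add(proto)
        elif iface and words[:4] == ["port", "hybrid", "untagged", "vlan"]:
            ports[iface]["untagged"] |= expand_vlans(words[4:])
        elif iface and words[:3] == ["port", "vlan-stacking", "vlan"] and "stack-vlan" in words[:-1]:
            ports[iface]["stack"].append(int(words[words.index("stack-vlan") + 1]))
    for proto, mac in macs.items():
        reason = check_group_mac(mac)
        if reason:
            findings.append(f"group-mac {mac} for {proto}: {reason}")
        elif proto in MUST_DIFFER:
            shared.setdefault(mac.upper(), []).append(proto)
    for mac, protos in shared.items():
        if len(protos) > 1:
            findings.append(f"group-mac {mac} shared by " + ", ".join(sorted(protos)))
    for name, port in ports.items():
        for proto in sorted(port["enable"] & port["vlan"]):
            findings.append(f"{name}: {proto} set in both interface and VLAN mode")
        for outer in port["stack"]:
            if outer not in port["untagged"]:
                findings.append(f"{name}: stack-vlan {outer} not in untagged VLAN list")
    return findings


# Constructed configuration with three deliberate rule violations.
SAMPLE = """\
l2protocol-tunnel stp group-mac 0180-C200-0008
#
interface GigabitEthernet0/0/2
 port link-type hybrid
 port hybrid untagged vlan 20
 port vlan-stacking vlan 100 stack-vlan 10
 l2protocol-tunnel stp enable
 l2protocol-tunnel stp vlan 10
#
return
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```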
Pre-configuration Tasks
Before configuring VPLS-based Layer 2 protocol transparent transmission, deploy VPLS-based
L2VPN on PEs and the backbone network. For details, see VPLS Configuration in
S1720, S2700, S5700, and S6720 V200R011C10 Configuration Guide - VPN.
Context
When non-standard Layer 2 protocol packets with a specified multicast destination MAC
address need to be transparently transmitted on the backbone network, define Layer 2
protocol characteristics on the PE. Layer 2 protocol characteristics include the protocol name,
Ethernet encapsulation format, destination MAC address, and MAC address that replaces the
destination MAC address of Layer 2 protocol packets.
When defining Layer 2 protocol characteristics, do not use the following multicast MAC
addresses to replace the destination MAC address of Layer 2 protocol packets:
Procedure
Step 1 Run system-view
----End
Context
You can configure Layer 2 protocol transparent transmission on the device to replace:
l Default multicast MAC address of Layer 2 protocol packets that can be identified by PEs
with another multicast MAC address. This mode can be used to transparently transmit
Layer 2 protocol packets of only STP, RSTP, and MSTP.
l Original multicast MAC address of Layer 2 protocol packets with a specified multicast
MAC address. This mode can be used to transparently transmit all types of Layer 2
protocol packets.
Perform either of the following operations on PEs based on the Layer 2 protocol type and the
required transparent transmission mode.
Procedure
l Replace the default multicast MAC address of Layer 2 protocols that can be identified by
PEs with another multicast MAC address.
a. Run system-view
NOTE
Do not replace the destination MAC addresses of SSTP, STP, GVRP, and GMRP packets
with the same multicast MAC address.
When configuring Layer 2 protocol transparent transmission, do not use the following
multicast MAC addresses to replace the destination MAC address of Layer 2 protocol
packets:
l Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
l Destination MAC addresses of Smart Link packets: 010F-E200-0004
l Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD. By
default, on the S2750EI, 0100-0CCC-CCCC and 0100-0CCC-CCCD are not
destination MAC addresses of BPDU packets.
l Common multicast MAC addresses that have been used on the switch
----End
Context
Perform the following operations on PEs according to the type of Layer 2 protocol packets to
be transparently transmitted.
Procedure
l Configure Layer 2 protocol transparent transmission when Ethernet interfaces are
connected to the VPLS network.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The Ethernet interface view is displayed.
c. Run undo portswitch
The Ethernet interface is switched from Layer 2 mode to Layer 3 mode.
d. Run l2 binding vsi vsi-name
The Ethernet interface is bound to the VSI.
NOTE
l If the remote PE is configured to receive tagged packets only, run the mpls l2vpn
default vlan command to configure the default VLAN of the main interface before
binding the local Ethernet interface to the VSI.
l If the remote PE is configured to receive double-tagged packets only, run the mpls l2vpn
vlan-stacking stack-vlan command to configure the stacked VLAN of the main
interface before binding the local Ethernet interface to the VSI.
e. Run l2protocol-tunnel { all | protocol-type | user-defined-protocol protocol-name } enable
VPLS-based Layer 2 protocol transparent transmission is enabled on the interface.
l Configure Layer 2 protocol transparent transmission when Ethernet sub-interfaces are
connected to the VPLS network.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The Ethernet interface view is displayed.
c. Run port link-type { hybrid | trunk }
The interface type is specified.
d. Run quit
Exit from the interface view.
e. Run interface interface-type interface-number.subinterface-number
The Ethernet sub-interface view is displayed.
f. Perform one of the following operations as required.
n Run dot1q termination vid low-pe-vid
The single VLAN ID for dot1q encapsulation is set on a sub-interface.
n Run qinq termination pe-vid pe-vid ce-vid ce-vid1 [ to ce-vid2 ]
The double VLAN IDs for QinQ encapsulation are set on a sub-interface.
g. Run l2 binding vsi vsi-name
The Ethernet sub-interface is bound to the VSI.
----End
Procedure
l Run the display l2protocol-tunnel group-mac { all | protocol-type | user-defined-protocol
protocol-name } command to check information about transparent transmission
of specified or all Layer 2 protocol packets.
----End
Networking Requirements
In Figure 21-7, the CEs are edge devices on two private networks (located in different areas)
of an enterprise. The PEs are edge devices on the ISP network. The two private networks of
the enterprise are Layer 2 networks and they are connected through the ISP network. STP is
run on the Layer 2 networks to prevent loops. Enterprise users require that only STP run on
the private networks so that spanning trees can be generated correctly.
Figure 21-7 Networking diagram for configuring interface-based Layer 2 protocol transparent
transmission
[Diagram: CE1 (User A network1) connects through GE0/0/1 to GE0/0/1 on PE1; PE1 and PE2 connect through GE0/0/2 across the ISP network; CE2 (User A network2) connects through GE0/0/1 to GE0/0/1 on PE2.]
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Enable STP on CEs.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan 100
[CE1-vlan100] quit
[CE1] stp enable
[CE1] interface gigabitethernet 0/0/1
[CE1-GigabitEthernet0/0/1] port link-type hybrid
[CE1-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[CE1-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[CE1-GigabitEthernet0/0/1] quit
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan 100
[CE2-vlan100] quit
[CE2] stp enable
[CE2] interface gigabitethernet 0/0/1
[CE2-GigabitEthernet0/0/1] port link-type hybrid
[CE2-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[CE2-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[CE2-GigabitEthernet0/0/1] quit
Step 2 Add GE0/0/1 on PE1 and PE2 to VLAN 100 and enable Layer 2 protocol transparent
transmission on PEs.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] port link-type hybrid
[PE1-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[PE1-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[PE1-GigabitEthernet0/0/1] l2protocol-tunnel stp enable
[PE1-GigabitEthernet0/0/1] quit
[PE1] interface GigabitEthernet 0/0/2
[PE1-GigabitEthernet0/0/2] port link-type trunk
[PE1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[PE1-GigabitEthernet0/0/2] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] interface gigabitethernet 0/0/1
[PE2-GigabitEthernet0/0/1] port link-type hybrid
[PE2-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[PE2-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[PE2-GigabitEthernet0/0/1] l2protocol-tunnel stp enable
[PE2-GigabitEthernet0/0/1] quit
[PE2] interface gigabitethernet 0/0/2
[PE2-GigabitEthernet0/0/2] port link-type trunk
[PE2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[PE2-GigabitEthernet0/0/2] quit
Step 3 Configure PEs to replace the destination MAC address of STP packets received from CEs.
# Configure PE1.
[PE1] l2protocol-tunnel stp group-mac 0100-0100-0100
# Configure PE2.
[PE2] l2protocol-tunnel stp group-mac 0100-0100-0100
# After 30s, run the display stp command on CE1 and CE2 to view the root in the MSTP
region. You can find that a spanning tree is calculated between CE1 and CE2. GE0/0/1 on
CE1 is the root port and GE0/0/1 on CE2 is the designated port.
[CE1] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 ROOT FORWARDING NONE
[CE2] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 DESI FORWARDING NONE
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type hybrid
Networking Requirements
In Figure 21-8, CEs are edge devices on two private networks of an enterprise located in
different areas, and PE1 and PE2 are edge devices on the ISP network. VLAN 100 and VLAN
200 are Layer 2 networks for different users and are connected through the ISP network. STP
is run on the Layer 2 networks to prevent loops. Enterprise users require that only STP run on
the private networks so that spanning trees can be generated correctly.
Figure 21-8 Networking diagram for configuring VLAN-based Layer 2 protocol transparent
transmission
[Diagram: PE1 and PE2 connect through GE0/0/1 across the ISP network; GE0/0/2 and GE0/0/3 on each PE are the user-side interfaces.]
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Enable STP on CEs.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] stp enable
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] stp enable
# Configure CE3.
<HUAWEI> system-view
[HUAWEI] sysname CE3
[CE3] stp enable
# Configure CE4.
<HUAWEI> system-view
[HUAWEI] sysname CE4
[CE4] stp enable
Step 2 Configure CE1 and CE2 to send STP BPDUs with VLAN tag 100 to PEs, and configure CE3
and CE4 to send STP BPDUs with VLAN tag 200 to PEs.
# Configure CE1.
[CE1] vlan 100
[CE1-vlan100] quit
[CE1] interface gigabitethernet 0/0/1
[CE1-GigabitEthernet0/0/1] port link-type hybrid
[CE1-GigabitEthernet0/0/1] port hybrid tagged vlan 100
[CE1-GigabitEthernet0/0/1] stp bpdu vlan 100
[CE1-GigabitEthernet0/0/1] quit
# Configure CE2.
[CE2] vlan 100
[CE2-vlan100] quit
[CE2] interface gigabitethernet 0/0/1
[CE2-GigabitEthernet0/0/1] port link-type hybrid
[CE2-GigabitEthernet0/0/1] port hybrid tagged vlan 100
[CE2-GigabitEthernet0/0/1] stp bpdu vlan 100
[CE2-GigabitEthernet0/0/1] quit
# Configure CE3.
[CE3] vlan 200
[CE3-vlan200] quit
[CE3] interface gigabitethernet 0/0/1
[CE3-GigabitEthernet0/0/1] port link-type hybrid
[CE3-GigabitEthernet0/0/1] port hybrid tagged vlan 200
[CE3-GigabitEthernet0/0/1] stp bpdu vlan 200
[CE3-GigabitEthernet0/0/1] quit
# Configure CE4.
[CE4] vlan 200
[CE4-vlan200] quit
[CE4] interface gigabitethernet 0/0/1
[CE4-GigabitEthernet0/0/1] port link-type hybrid
[CE4-GigabitEthernet0/0/1] port hybrid tagged vlan 200
[CE4-GigabitEthernet0/0/1] stp bpdu vlan 200
[CE4-GigabitEthernet0/0/1] quit
Step 3 Configure PE interfaces to transparently transmit STP BPDUs of CEs to the peer ends.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] vlan 200
[PE1-vlan200] quit
[PE1] interface gigabitethernet 0/0/2
[PE1-GigabitEthernet0/0/2] port link-type hybrid
[PE1-GigabitEthernet0/0/2] port hybrid tagged vlan 100
[PE1-GigabitEthernet0/0/2] l2protocol-tunnel stp vlan 100
[PE1-GigabitEthernet0/0/2] quit
[PE1] interface gigabitethernet 0/0/3
[PE1-GigabitEthernet0/0/3] port link-type hybrid
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] vlan 200
[PE2-vlan200] quit
[PE2] interface gigabitethernet 0/0/2
[PE2-GigabitEthernet0/0/2] port link-type hybrid
[PE2-GigabitEthernet0/0/2] port hybrid tagged vlan 100
[PE2-GigabitEthernet0/0/2] l2protocol-tunnel stp vlan 100
[PE2-GigabitEthernet0/0/2] quit
[PE2] interface gigabitethernet 0/0/3
[PE2-GigabitEthernet0/0/3] port link-type hybrid
[PE2-GigabitEthernet0/0/3] port hybrid tagged vlan 200
[PE2-GigabitEthernet0/0/3] l2protocol-tunnel stp vlan 200
[PE2-GigabitEthernet0/0/3] quit
[PE2] interface GigabitEthernet 0/0/1
[PE2-GigabitEthernet0/0/1] port link-type trunk
[PE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 200
[PE2-GigabitEthernet0/0/1] quit
Step 4 Configure PEs to replace the destination MAC address of STP BPDUs received from CEs.
# Configure PE1.
[PE1] l2protocol-tunnel stp group-mac 0100-0100-0100
# Configure PE2.
[PE2] l2protocol-tunnel stp group-mac 0100-0100-0100
Step 5 Set the priority of CE2 and CE4 to 4096.
# Configure CE2.
[CE2] stp priority 4096
# Configure CE4.
[CE4] stp priority 4096
# After 30s, run the display stp command on CE1 and CE2 to view the root in the MSTP
region. You can see that a spanning tree is calculated between CE1 and CE2. GE0/0/1 on CE1
is the root port and GE0/0/1 on CE2 is the designated port.
# After 30s, run the display stp command on CE3 and CE4 to view the root in the MSTP
region. You can see that a spanning tree is calculated between CE3 and CE4. GE0/0/1 on CE3
is the root port and GE0/0/1 on CE4 is the designated port.
[CE3] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 ROOT FORWARDING NONE
[CE4] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 DESI FORWARDING NONE
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 100
stp bpdu vlan 100
#
return
Networking Requirements
In Figure 21-9, CEs are edge devices on two private networks of an enterprise located in
different areas, and PE1 and PE2 are edge devices on the ISP network. VLAN 100 and VLAN
200 are Layer 2 networks for different users and are connected through the ISP network. STP
is run on the Layer 2 networks to prevent loops. Enterprise users require that only STP run on
the private networks so that spanning trees can be generated correctly.
l All the devices in VLAN 100 participate in calculation of a spanning tree.
l All the devices in VLAN 200 participate in calculation of a spanning tree.
Because public VLAN resources are limited, VLAN IDs on the carrier network must be
conserved.
Figure 21-9 Networking diagram for configuring QinQ-based Layer 2 protocol transparent
transmission
[Diagram: CE1 (User A, VLAN 100) connects through GE0/0/1 to GE0/0/2 on PE1, and CE3 (User B, VLAN 200) through GE0/0/1 to GE0/0/3 on PE1; PE1 and PE2 connect through GE0/0/1 across the ISP network; CE2 (User A, VLAN 100) and CE4 (User B, VLAN 200) connect in the same way to GE0/0/2 and GE0/0/3 on PE2.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure STP on CEs to prevent loops on Layer 2 networks.
2. Configure CEs to send STP BPDUs with specified VLAN tags to PEs so that calculation
of a spanning tree is completed independently in VLAN 100 and VLAN 200.
3. Configure VLAN-based Layer 2 protocol transparent transmission on PEs so that STP
BPDUs are not sent to the CPUs of PEs for processing.
4. Configure QinQ (VLAN stacking) on PEs so that PEs add outer VLAN tag 10 to STP
BPDUs sent from CEs, saving public network VLAN IDs.
Procedure
Step 1 Enable STP on CEs.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] stp enable
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] stp enable
# Configure CE3.
<HUAWEI> system-view
[HUAWEI] sysname CE3
[CE3] stp enable
# Configure CE4.
<HUAWEI> system-view
[HUAWEI] sysname CE4
[CE4] stp enable
Step 2 Configure CE1 and CE2 to send STP BPDUs with VLAN tag 100 to PEs, and configure CE3
and CE4 to send STP BPDUs with VLAN tag 200 to PEs.
# Configure CE1.
[CE1] vlan 100
[CE1-vlan100] quit
[CE1] interface gigabitethernet 0/0/1
[CE1-GigabitEthernet0/0/1] port link-type hybrid
[CE1-GigabitEthernet0/0/1] port hybrid tagged vlan 100
[CE1-GigabitEthernet0/0/1] stp bpdu vlan 100
[CE1-GigabitEthernet0/0/1] quit
# Configure CE2.
[CE2] vlan 100
[CE2-vlan100] quit
[CE2] interface gigabitethernet 0/0/1
[CE2-GigabitEthernet0/0/1] port link-type hybrid
[CE2-GigabitEthernet0/0/1] port hybrid tagged vlan 100
[CE2-GigabitEthernet0/0/1] stp bpdu vlan 100
[CE2-GigabitEthernet0/0/1] quit
# Configure CE3.
[CE3] vlan 200
[CE3-vlan200] quit
[CE3] interface gigabitethernet 0/0/1
[CE3-GigabitEthernet0/0/1] port link-type hybrid
[CE3-GigabitEthernet0/0/1] port hybrid tagged vlan 200
[CE3-GigabitEthernet0/0/1] stp bpdu vlan 200
[CE3-GigabitEthernet0/0/1] quit
# Configure CE4.
[CE4] vlan 200
[CE4-vlan200] quit
[CE4] interface gigabitethernet 0/0/1
[CE4-GigabitEthernet0/0/1] port link-type hybrid
[CE4-GigabitEthernet0/0/1] port hybrid tagged vlan 200
[CE4-GigabitEthernet0/0/1] stp bpdu vlan 200
[CE4-GigabitEthernet0/0/1] quit
Step 3 Configure QinQ-based Layer 2 protocol transparent transmission on PEs so that STP BPDUs
with VLAN tags 100 and 200 are tagged with outer VLAN 10 by PEs and can be transmitted
on the ISP network.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan 10
[PE1-vlan10] quit
# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan 10
[PE2-vlan10] quit
[PE2] interface gigabitethernet 0/0/2
[PE2-GigabitEthernet0/0/2] port link-type hybrid
[PE2-GigabitEthernet0/0/2] qinq vlan-translation enable
[PE2-GigabitEthernet0/0/2] port hybrid untagged vlan 10
[PE2-GigabitEthernet0/0/2] port vlan-stacking vlan 100 stack-vlan 10
[PE2-GigabitEthernet0/0/2] l2protocol-tunnel stp vlan 10
[PE2-GigabitEthernet0/0/2] quit
[PE2] interface gigabitethernet 0/0/3
[PE2-GigabitEthernet0/0/3] port link-type hybrid
[PE2-GigabitEthernet0/0/3] qinq vlan-translation enable
[PE2-GigabitEthernet0/0/3] port hybrid untagged vlan 10
[PE2-GigabitEthernet0/0/3] port vlan-stacking vlan 200 stack-vlan 10
[PE2-GigabitEthernet0/0/3] l2protocol-tunnel stp vlan 10
[PE2-GigabitEthernet0/0/3] quit
[PE2] interface GigabitEthernet 0/0/1
[PE2-GigabitEthernet0/0/1] port link-type trunk
[PE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[PE2-GigabitEthernet0/0/1] quit
Step 4 Configure PEs to replace the destination MAC address of STP BPDUs received from CEs.
# Configure PE1.
[PE1] l2protocol-tunnel stp group-mac 0100-0100-0100
# Configure PE2.
[PE2] l2protocol-tunnel stp group-mac 0100-0100-0100
Step 5 Set the priority of CE2 and CE4 to 4096.
# Configure CE2.
[CE2] stp priority 4096
# Configure CE4.
[CE4] stp priority 4096
address, group MAC address, and priority of Layer 2 protocol packets to be transparently
transmitted.
# After 30s, run the display stp command on CE1 and CE2 to view the root in the MSTP
region. You can see that a spanning tree is calculated between CE1 and CE2. GE0/0/1 on CE1
is the root port and GE0/0/1 on CE2 is the designated port.
[CE1] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 ROOT FORWARDING NONE
[CE2] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 DESI FORWARDING NONE
# After 30s, run the display stp command on CE3 and CE4 to view the root in the MSTP
region. You can see that a spanning tree is calculated between CE3 and CE4. GE0/0/1 on CE3
is the root port and GE0/0/1 on CE4 is the designated port.
[CE3] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 ROOT FORWARDING NONE
[CE4] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 DESI FORWARDING NONE
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
#
interface GigabitEthernet0/0/2
port link-type hybrid
qinq vlan-translation enable
port hybrid untagged vlan 10
port vlan-stacking vlan 100 stack-vlan 10
l2protocol-tunnel stp vlan 10
#
interface GigabitEthernet0/0/3
port link-type hybrid
qinq vlan-translation enable
port hybrid untagged vlan 10
port vlan-stacking vlan 200 stack-vlan 10
l2protocol-tunnel stp vlan 10
#
return
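An added example, not from the Huawei guide: a Python check that a frame captured on the PE1-PE2 trunk of the QinQ example carries a tunnelled BPDU (destination 0100-0100-0100, outer VLAN 10, inner VLAN 100 or 200) rather than a native BPDU that was not tunnelled. The frames are constructed in the code; the accepted TPID values and all function names are assumptions of this example.

```python
import struct

STP_MAC = bytes.fromhex("0180c2000000")    # standard STP BPDU destination MAC
GROUP_MAC = bytes.fromhex("010001000100")  # 0100-0100-0100 from the example above
VLAN_TPIDS = {0x8100, 0x88A8}              # 802.1Q and 802.1ad tag identifiers
STP_LLC = b"\x42\x42\x03"                  # LLC header that precedes every BPDU


def parse_frame(frame):
    """Return destination MAC, VLAN tag stack (outermost first) and STP flag."""
    offset, vlans = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated Ethernet frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in VLAN_TPIDS:
            break
        if offset + 2 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 2
    # A value of 1500 or less is an 802.3 length field, so an LLC header follows.
    is_stp = ethertype <= 1500 and frame[offset:offset + 3] == STP_LLC
    return {"dst": frame[:6], "vlans": vlans, "is_stp": is_stp}


def classify(frame, group_mac=GROUP_MAC, outer_vlan=10, inner_vlans=(100, 200)):
    """Classify a frame captured on the PE's network-side trunk."""
    info = parse_frame(frame)
    if not info["is_stp"]:
        return "not-stp"
    if info["dst"] == STP_MAC:
        return "native-bpdu"  # customer BPDU that was not tunnelled
    if info["dst"] != group_mac:
        return "unexpected-destination"
    tags = info["vlans"]
    if len(tags) == 2 and tags[0] == outer_vlan and tags[1] in inner_vlans:
        return "tunnelled"
    return "tunnelled-wrong-tags"


def build_frame(dst, vlans, payload, ethertype=None):
    """Assemble a constructed frame: dst, zero source MAC, tags, type/length, data."""
    tags = b"".join(struct.pack("!HH", 0x8100, vid) for vid in vlans)
    type_field = len(payload) if ethertype is None else ethertype
    return dst + bytes(6) + tags + struct.pack("!H", type_field) + payload


# Constructed 35-byte configuration BPDU body (all fields zero) behind the LLC header.
BPDU = STP_LLC + bytes(35)
SAMPLES = {
    "expected": build_frame(GROUP_MAC, [10, 100], BPDU),
    "leaked": build_frame(STP_MAC, [100], BPDU),
    "missing-outer-tag": build_frame(GROUP_MAC, [100], BPDU),
    "ipv4": build_frame(GROUP_MAC, [10, 100], bytes(20), ethertype=0x0800),
}


def classify_samples():
    """Classify every constructed sample frame."""
    return {name: classify(frame) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
```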
Networking Requirements
In Figure 21-10, CEs are located on two networks of an enterprise, and PE1 and PE2 are edge
devices of the carrier network. The two networks of the enterprise are Layer 2 networks, and
VPLS is used on the carrier network to construct an L2VPN to implement Layer 2
interconnection. STP is used to prevent loops on the Layer 2 network, and STP is required to
run on enterprise networks to generate correct spanning trees.
[Diagram for Figure 21-10: CE1 (User A network1) and CE2 (User A network2) attach to PE1 and PE2, which are connected through the P device; interfaces are labelled GE0/0/1 and GE0/0/2.]
- Loopback1 - 1.1.1.1/32
- GigabitEthernet0/0/2 GigabitEthernet0/0/2.1 -
- Loopback1 - 3.3.3.3/32
- Loopback1 - 2.2.2.2/32
Configuration Roadmap
The configuration roadmap is as follows:
1. Use VPLS to build an L2VPN between PE1 and PE2.
2. Configure STP on CEs to prevent loops on the Layer 2 network.
3. Create termination sub-interfaces on interfaces of CEs connected to PEs and bind
sub-interfaces to VSIs so that CEs can be connected to the L2VPN.
4. Configure VPLS-based Layer 2 protocol transparent transmission on PEs so that STP
BPDUs are not sent to the CPU of PEs for processing.
NOTE
Procedure
Step 1 Configure a VPLS-based L2VPN between PEs.
1. Configure VLANs that interfaces belong to and IP addresses for VLANIF interfaces
according to Figure 21-10.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 0/0/1
[CE1-GigabitEthernet0/0/1] port link-type trunk
[CE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE1-GigabitEthernet0/0/1] quit
[CE1] interface vlanif 10
# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 0/0/1
[CE2-GigabitEthernet0/0/1] port link-type trunk
[CE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[CE2-GigabitEthernet0/0/1] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.1.1.2 24
[CE2-Vlanif10] quit
# Configure PE1. The configurations of PE2 and P device are similar to the
configuration of PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 0/0/2
[PE1-GigabitEthernet0/0/2] port link-type hybrid
[PE1-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[PE1-GigabitEthernet0/0/2] port hybrid tagged vlan 20
[PE1-GigabitEthernet0/0/2] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 4.4.4.4 24
[PE1-Vlanif20] quit
# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit
After the configuration is complete, run the display mpls ldp session command on PE1,
P, and PE2. You can see that the peer relationship is set up between PE1 and P, and
between P and PE2. The status of the peer relationship is Operational. Run the display
mpls lsp command to check the LSP status. The display on PE1 is used as an example.
[PE1] display mpls ldp session
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 0000:15:29 3717/3717
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
# Configure PE1.
[PE1] mpls ldp remote-peer 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] remote-ip 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit
After the configuration is complete, run the display mpls ldp session command on PE1
or PE2. The command output shows that Status of the peer relationship between PE1
and PE2 is Operational, indicating that the peer relationship has been established. The
display on PE1 is used as an example.
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 0000:15:29 3717/3717
3.3.3.3:0 Operational DU Passive 0000:00:00 2/2
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer 1.1.1.1
[PE2-vsi-a2-ldp] quit
[PE2-vsi-a2] quit
# Configure CE2.
[CE2] stp enable
Step 3 Bind access-side sub-interfaces on PE1 and PE2 to VSIs and enable Layer 2 protocol
transparent transmission.
# Configure PE1.
[PE1] vcmp role silent
[PE1] interface gigabitethernet0/0/1
[PE1-GigabitEthernet0/0/1] port link-type hybrid
[PE1-GigabitEthernet0/0/1] quit
[PE1] interface gigabitethernet0/0/1.1
[PE1-GigabitEthernet0/0/1.1] dot1q termination vid 10
[PE1-GigabitEthernet0/0/1.1] l2 binding vsi a2
[PE1-GigabitEthernet0/0/1.1] l2protocol-tunnel stp enable
[PE1-GigabitEthernet0/0/1.1] quit
# Configure PE2.
[PE2] vcmp role silent
[PE2] interface gigabitethernet0/0/2
[PE2-GigabitEthernet0/0/2] port link-type hybrid
[PE2-GigabitEthernet0/0/2] quit
[PE2] interface gigabitethernet0/0/2.1
[PE2-GigabitEthernet0/0/2.1] dot1q termination vid 10
[PE2-GigabitEthernet0/0/2.1] l2 binding vsi a2
[PE2-GigabitEthernet0/0/2.1] l2protocol-tunnel stp enable
[PE2-GigabitEthernet0/0/2.1] quit
Step 4 Configure PEs to replace the destination MAC address of STP BPDUs received from CEs.
# Configure PE1.
[PE1] l2protocol-tunnel stp group-mac 0100-0100-0100
# Configure PE2.
[PE2] l2protocol-tunnel stp group-mac 0100-0100-0100
# After the configuration, run the display l2protocol-tunnel group-mac command. You can
check the protocol type or name, original destination MAC address, new destination MAC
address, and priority of Layer 2 protocol packets to be transparently transmitted.
# Wait for 30s and run the display stp command on CE1 and CE2 to check the root in the
MST region. A spanning tree is calculated between CE1 and CE2. GE0/0/1 on CE1 is the root
port, and GE0/0/1 on CE2 is the designated port.
[CE1] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 ROOT FORWARDING NONE
----End
Configuration Files
- CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
interface Vlanif20
ip address 4.4.4.4 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 10
l2 binding vsi a2
l2protocol-tunnel stp enable
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 4.4.4.0 0.0.0.255
#
return
- P configuration file
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 4.4.4.5 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 5.5.5.4 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 4.4.4.0 0.0.0.255
network 5.5.5.0 0.0.0.255
#
return
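An added example (not part of the Huawei guide): a Python audit for PE configuration files in the format shown above. It checks the settings from Steps 3 and 4: every sub-interface bound to a VSI has l2protocol-tunnel stp enable, and both PEs use the same l2protocol-tunnel stp group-mac. The function names and sample configurations are constructed for illustration; requiring the same group MAC on both PEs is an assumption that mirrors the procedure.

```python
import re

# Constructed sample configurations (not from the guide). PE1 follows the
# procedure; PE2 uses a different group MAC and omits STP tunneling.
PE1_CFG = """#
l2protocol-tunnel stp group-mac 0100-0100-0100
#
interface GigabitEthernet0/0/1.1
 dot1q termination vid 10
 l2 binding vsi a2
 l2protocol-tunnel stp enable
#
return
"""
PE2_CFG = """#
l2protocol-tunnel stp group-mac 0100-0100-0200
#
interface GigabitEthernet0/0/2.1
 dot1q termination vid 10
 l2 binding vsi a2
#
return
"""

def audit_pe(cfg):
    """Return (group_mac, findings) for one PE configuration file."""
    findings = []
    m = re.search(r"^l2protocol-tunnel stp group-mac (\S+)", cfg, re.M)
    mac = m.group(1).lower() if m else None
    if mac is None:
        findings.append("no STP group-mac configured")
    # Lines holding only '#' separate the sections of a configuration file.
    for block in re.split(r"^#[ \t]*$", cfg, flags=re.M):
        lines = [line.strip() for line in block.strip().splitlines()]
        if not lines or not lines[0].startswith("interface "):
            continue
        bound = any(line.startswith("l2 binding vsi ") for line in lines)
        if bound and "l2protocol-tunnel stp enable" not in lines:
            findings.append(f"{lines[0]}: bound to a VSI without STP tunneling")
    return mac, findings

def audit_pair(cfg_a, cfg_b):
    """Audit both PEs and check that they agree on the group MAC."""
    mac_a, findings_a = audit_pe(cfg_a)
    mac_b, findings_b = audit_pe(cfg_b)
    findings = findings_a + findings_b
    if mac_a and mac_b and mac_a != mac_b:
        findings.append(f"group-mac mismatch: {mac_a} vs {mac_b}")
    return findings
```

Calling audit_pair(PE1_CFG, PE2_CFG) returns one finding for the PE2 sub-interface and one for the group MAC mismatch; an empty list means both PEs match the procedure.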
21.11.2 Can the Interfaces Not Enabled with the BPDU Function Send BPDUs?
The BPDU function affects only the receiving of BPDUs. Therefore, interfaces on which the
BPDU function is not enabled can still send BPDUs.
If the BPDU function is not enabled, functions such as LACP, LLDP, STP, and HGMP that
communicate through BPDUs are affected.
NOTE
The S2700 enables the BPDU function globally rather than on interfaces.
On the S3700, S5700, and S6700, the BPDU function needs to be enabled only on interfaces.