
SmartAX MA5600T Multi-service Access Module

V800R010C00

Commissioning and Configuration Guide

Issue 01

Date 2012-01-18

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2012. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue 01 (2012-01-18)

Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.

About This Document
Intended Audience
This document describes the commissioning of the basic functions provided by the device in terms of hardware, software, interconnection, and maintenance and management to ensure that the device runs in a stable and reliable state. It also describes the configuration procedures of the various services supported by the MA5600T in terms of configuration methods and configuration examples.
This document helps you learn the commissioning flows, commissioning methods, and configuration procedures of the various services of the MA5600T.
This document is intended for:
- Installation and commissioning engineers
- System maintenance engineers
- Data configuration engineers

Symbol Conventions
The following symbols may be found in this document. They are defined as follows:
- Indicates a hazard with a high level of risk which, if not avoided, will result in death or serious injury.
- Indicates a hazard with a medium or low level of risk which, if not avoided, could result in minor or moderate injury.
- Indicates a potentially hazardous situation that, if not avoided, could cause equipment damage, data loss, and performance degradation, or unexpected results.
- Indicates a tip that may help you solve a problem or save your time.
- Provides additional information to emphasize or supplement important points of the main text.

Command Conventions
Each convention is listed with its description:
- Boldface: The keywords of a command line are in boldface.
- Italic: Command arguments are in italics.
- [ ]: Items (keywords or arguments) in square brackets [ ] are optional.
- { x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. One is selected.
- [ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
- { x | y | ... } *: Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.

GUI Conventions
Each convention is listed with its description:
- Boldface: Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
- >: Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.

Updates in Issue 01 (2012-01-18)
This document is the first release.

Contents
About This Document
1 Commissioning
1.1 Commissioning Introduction
1.1.1 Commissioning Definition
1.1.2 Commissioning Procedure
1.2 Commissioning Preparations
1.2.1 Checking Hardware
1.2.2 Preparing Software
1.2.3 Preparing Tools
1.2.4 Planning Data
1.3 Stand-Alone Commissioning
1.3.1 Powering On the Indoor Device
1.3.2 Checking the Power Supply of the Power Board
1.3.3 Configuring the Maintenance Terminal
1.3.4 Logging In to the System
1.3.5 Checking the Software Version
1.3.6 Loading the Script
1.3.7 Configuring a Board
1.3.8 Modifying the Reserved VLANs
1.3.9 Configuring Link Aggregation and Switching
1.3.10 Checking the Status of the Service Port
1.3.11 Checking the Status of the Upstream Port
1.3.12 Changing the System Name
1.3.13 Configuring a System User
1.3.14 Configuring the System Time
1.3.15 Commissioning the EMU
1.3.16 Configuring the RADIUS server
1.3.17 Configuring the System Energy-Saving Function
1.3.18 Checking the Configuration of the Auto-Save Function
1.3.19 Saving the Data
1.3.20 Backing Up System Files
1.4 Interconnection Commissioning
1.4.1 Commissioning the Interconnection with the NMS
1.4.2 Commissioning the Interconnection with the Router
1.4.3 Commissioning the Management Channel Between the OLT and the GPON MDU
1.4.4 Commissioning the Management Channel Between the OLT and the EPON MDU
1.4.5 Commissioning the Management Channel Between the OLT and the GPON ONT
1.4.6 Commissioning the Management Channel Between the OLT and the EPON ONT
1.5 Maintenance and Management Commissioning
1.5.1 Checking the System Switchover
1.5.2 Checking Alarms and Events
1.5.3 Configuring a Log Host
1.6 Supplementary Information
1.6.1 Making a Script
1.6.2 Configuring the File Transfer Mode
1.6.3 Software Package Settings

2 Basic Configurations
2.1 Configuring the License Function
2.2 Configuring Alarms
2.3 Configuring the Network Time
2.3.1 (Optional) Configuring NTP Authentication
2.3.2 Configuring the NTP Broadcast Mode
2.3.3 Configuring the NTP Multicast Mode
2.3.4 Configuring the Unicast NTP Client
2.3.5 Configuring the NTP Peer
2.4 Adding Port Description
2.5 Configuring the Attributes of an Upstream Ethernet Port
2.6 Configuring a VLAN
2.7 Configuring a VLAN Service Profile
2.8 Configuring the User Security
2.8.1 Configuring Anti-Theft and Roaming of User Account Through PITP
2.8.2 Configuring Anti-Theft and Roaming of User Accounts Through DHCP
2.8.3 Configuring Anti-IP Spoofing
2.8.4 Configuring Anti-MAC Spoofing
2.9 Configuring System Security
2.9.1 Configuring Firewall
2.9.2 Configuring Anti-Attack
2.9.3 Preventing the Access of Illegal Users
2.10 Configuring the ACL
2.10.1 Filtering Packets by a Basic ACL
2.10.2 Filtering Packets by an Advanced ACL
2.10.3 Filtering Packets by a Link-layer ACL
2.10.4 Filtering Packets by a User-defined ACL
2.11 Configuring QoS
2.11.1 Configuring Traffic Management
2.11.2 Configuring Early Drop
2.11.3 Configuring the Queue Scheduling
2.11.4 Configuring Traffic Management Based on ACL Rules
2.12 Configuring AAA
2.12.1 Configuring the Local AAA
2.12.2 Configuring the Remote AAA (RADIUS Protocol)
2.12.3 Configuration Example of the RADIUS Authentication and Accounting
2.12.4 Configuring the Remote AAA (HWTACACS Protocol)
2.12.5 Configuration Example of the HWTACACS Authentication (802.1X access user)
2.12.6 Configuration Example of HWTACACS Authentication (Management User)
2.13 Configuring ANCP

3 Configuring L3 Features
3.1 Configuring ARP Proxy for Interworking
3.2 Configuring DHCP
3.2.1 Configuring the Standard DHCP Mode
3.2.2 Configuring the DHCP Option60 Mode
3.2.3 Configuring the DHCP MAC Address Segment Mode
3.3 Configuring the Route
3.3.1 Configuration Example of the Routing Policy
3.3.2 Configuration Example of the Static Route
3.3.3 Configuration Example of RIP
3.3.4 Configuration Example of OSPF

4 Configuring the GPON Internet Access Service
4.1 Configuring xPON Profiles
4.1.1 Configuring a DBA Profile
4.1.2 Configuring a GPON ONT Line Profile
4.1.3 Configuring a GPON ONT Service Profile
4.1.4 Configuring a GPON ONT Alarm Profile
4.2 Configuring a VLAN
4.3 Configuring an Upstream Port
4.4 Configuring a GPON ONT
4.5 Configuring a GPON Port
4.6 Creating a GPON Service Port

5 Configuring the EPON Internet Access Service
5.1 Configuring an EPON ONT Profile
5.1.1 Configuring a DBA Profile
5.1.2 Configuring an EPON ONT Line Profile
5.1.3 Configuring an EPON ONT Service Profile
5.2 Configuring a VLAN
5.3 Configuring an Upstream Port
5.4 Configure the EPON ONT
5.5 Configuring an EPON User Port
5.6 Creating an EPON Service Port

6 Configuring the Multicast Service (PON)
6.1 Configuring Multicast Global Parameters
6.2 Configuring the Multicast VLAN and the Multicast Program
6.3 Configuring the Multicast EPON ONT
6.4 Configuring the Multicast GPON ONT
6.5 Configuring a Multicast User
6.6 (Optional) Configuring the Multicast Bandwidth
6.7 (Optional) Configuring Multicast Preview
6.8 (Optional) Configuring Program Prejoin
6.9 (Optional) Configuring the Multicast Logging Function

7 Configuring MPLS and PWE3
7.1 Configuring the MPLS Service
7.1.1 Configuring the Static LSP
7.1.2 Configuring the LDP LSP
7.1.3 Configure an RSVP-TE LSP
7.1.4 Configuring the MPLS OAM
7.2 Configuring the PWE3 Private Line Service
7.2.1 Configuring the PWE3 Outer Tunnel
7.2.2 Configuring the Tunnel Policy
7.2.3 Configuring the PWE3 Inner PW
7.2.4 Binding the Service to the PW
7.2.5 Configuring MPLS Tunnel Protection
7.3 Configuring TDM PWE3 Private Line Service (T1 Upstream Transmission)

8 Configuring Network Protection
8.1 Configuring the NE Subtending Through the FE or GE Port
8.2 Configuring the Uplink Redundancy Backup
8.3 Configuring the Smart Link Redundancy Backup
8.4 Configuring the MPLS Service Board Redundancy Backup
8.5 Configuring GPON Type B Protection
8.6 Configuring EPON Type B Protection
8.7 Configuring the Switchover of the Protect Group
8.8 Configuring the MSTP
8.9 Configuring RRPP
8.10 Configuring the BFD
8.10.1 Configuration Example of the BFD Link Detection (Static Route)
8.10.2 Configuration Example of the BFD Link Detection (Dynamic Route)
8.11 Configuring ETH OAM
8.11.1 Configuring Ethernet CFM OAM
8.11.2 Configuring Ethernet EFM OAM

9 Configuration Example of the FTTH Service
9.1 FTTH Network
9.2 FTTH Data Plan (GPON Access)
9.3 Configuring the FTTH Internet Access Service
9.4 Configuring the FTTH VoIP Service (SIP-based)
9.5 Configuring the FTTH IPTV Service

10 FAQ
10.1 How to Query the MAC Addresses of the Online Users and the Ports That Provide the Access for the Users in the MA5600T
10.2 How to Resolve the Issue of Unsuccessful Traffic Stream Configuration
10.3 How to Calculate the Remaining Bandwidth of a PON Port on the MA5600T
10.4 How to Change the Management IP Address and VLAN Remotely
10.5 How to Change the Rate of the User Port in a PON System
10.6 How to Realize the Communication Between Users on the Same Board
10.7 How to Select the Matched Hardware for Expanding the Bandwidth of the Upstream Port
10.8 How to Confirm an Upgraded Board


6 Supplementary Information This topic provides the commissioning supplementary information. software. 1.5 Maintenance and Management Commissioning To ensure the stability of the MA5600T. you need to verify the maintainability and reliability of the device after completing the stand-alone commissioning and interconnection commissioning. Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. a stand-alone MA5600T should be commissioned to ensure that the stand-alone MA5600T works in the normal state. 1. interconnection. 1. and default software settings.4 Interconnection Commissioning The MA5600T provides multiple interfaces for interconnection. 1. including script making. 1. Ltd..2 Commissioning Preparations This topic describes the hardware. and tool preparations for the commissioning. 1. This topic describes the interconnection commissioning of the MA5600T.1 Commissioning Introduction The topic describes the commissioning definition and procedure. software. 1 .SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 1 Commissioning 1 Commissioning About This Chapter This document describes the commissioning of the basic functions provided by the device in terms of hardware. transmission mode setting.3 Stand-Alone Commissioning After the hardware installation. and maintenance and management to ensure that the device runs in a stable and reliable state.

1.1 Commissioning Introduction
The topic describes the commissioning definition and procedure.

1.1.1 Commissioning Definition
Commissioning refers to the stand-alone commissioning, the interconnection commissioning, and the maintenance and management commissioning after the hardware installation. This ensures that the device works in the normal state according to the design specifications.

1.1.2 Commissioning Procedure
This topic describes the procedure for commissioning the device.

Flowchart
Perform the commissioning according to the flowchart. Figure 1-1 shows the commissioning procedure.

Figure 1-1 Commissioning procedure

Commissioning Item
The commissioning items in the commissioning procedure are described as follows:

Commissioning Preparations
This topic describes the hardware, software, and tool preparations for the commissioning.

Stand-Alone Commissioning

After the hardware installation, a stand-alone MA5600T should be commissioned to ensure that the stand-alone MA5600T works in the normal state.

Interconnection Commissioning
The MA5600T provides multiple interfaces for interconnection. This topic describes the interconnection commissioning of the MA5600T.

Maintenance and Management Commissioning
To ensure the stability of the MA5600T, you need to verify the maintainability and reliability of the device after completing the stand-alone commissioning and interconnection commissioning.

1.2 Commissioning Preparations
This topic describes the hardware, software, and tool preparations for the commissioning.

1.2.1 Checking Hardware
This topic describes how to prepare the hardware required before the commissioning. This facilitates the subsequent commissioning.

Context
Table 1-1 lists the hardware to be checked before the commissioning.

Table 1-1 Hardware checklist

SN: 1
Item: Power supply and grounding
Description: Ensure that the power cable and the grounding meet the following requirements:
- The power cable and the ground cable are connected properly and are in good contact.
- The labels of the power cable, ground cable, and power distribution switch are correct, legible and complete.
- The connectors of the external ground cables and protection ground cables of the cabinet are connected properly, without any damage.
- The power supply for the device is in the normal state.

SN: 2
Item: Cables and connectors
Description: Check the local maintenance serial port cable, network cable, subscriber cable, optical fiber, and connectors, and ensure that they meet the following requirements:
- The connectors are tight and firm.
- The cable jacket is intact.
- Cable labels are legible.
- Cables are bundled properly.

SN: 3
Item: Upper-layer device
Description: Ensure that the upper-layer device meets the following requirements:
- The position of the interconnection port of the upper-layer device is correct.
- The upper-layer device works in the normal state and can be used for the commissioning.

SN: 4
Item: Board (daughter board)
Description: The board (daughter board) selected should meet the requirements for the external ports.
NOTE
Different boards (daughter boards) provide different external ports. For details about the boards and their external ports on the MA5600T, see Board Overview of the MA5600T Hardware Description.

1.2.2 Preparing Software
This topic describes how to prepare the software required before the commissioning. This facilitates the subsequent commissioning.

Table 1-2 shows the software checklist before the commissioning.

Table 1-2 Software checklist

SN: 1
Item: Software package
Description: Ensure that files in the software package for the commissioning are complete and the software version is correct.

SN: 2
Item: Software commissioning tools
Description: Ensure that all the commissioning tools are available. The common commissioning tools are as follows:
- HyperTerminal (provided by the Windows OS): used for logging in to the MA5600T using the CLI.
- TFTP, SFTP, and FTP tools: used for loading software.
- Client software key generator Puttygen.exe, client software key convertor sshkey.exe and SSH client software putty.exe: used for logging in to the MA5600T through the SSH. They can be downloaded from http://support.huawei.com.

1.2.3 Preparing Tools
This topic describes how to prepare the tools required before the commissioning. This facilitates the subsequent commissioning.

Table 1-3 lists the tools to be prepared for the commissioning.

Table 1-3 Tool checklist

SN | Item | Description | Remarks
1 | Cables | One RS-232 serial port cable (One end with an RJ-45 connector used to connect to the board and the other end with a DB-9 or DB-25 female connector used to connect to the maintenance terminal) | Used to connect the maintenance terminal to the MA5600T for maintenance using the serial port.
  |  | One crossover cable | Used to connect the maintenance terminal to the MA5600T for maintenance through telnet.
  |  | Some optical fibers and patch cords with different connectors | Used for the upstream transmission and optical power test.
2 | Maintenance terminal | One maintenance terminal configured with a HyperTerminal application, such as a laptop | Used to log in to the MA5600T to commission the MA5600T.
3 | Auxiliary device and meter | One optical power meter | Used to test the mean launched power and the input optical power of an optical port.
  |  | One optical attenuator | Used to attenuate the input optical signal. It is used to protect the optical port from being damaged by intense optical signals during the device commissioning.
  |  | One optical multiplexer/demultiplexer | Used to test the input optical power of a single-fiber bidirectional optical port. It is a meter with the multiplexing and demultiplexing functions.
  |  | One multimeter | Used to measure the voltage, resistance and current intensity during the power commissioning.
  |  | One data network performance analyzer | Used to test the input optical power. It is used to transmit data to simulate the networking environment.

1.2.4 Planning Data
This topic describes the information to be collected about the hardware configuration, networking, and data plan before the commissioning based on the engineering document. This facilitates the data configuration.

Table 1-4 lists the data collected for the commissioning.

Table 1-4 Data checklist

SN: 1
Item: Hardware configuration
Description: This includes but is not limited to the following:
- Types and slot distribution of the control board and service boards
- Types and physical positions of the upstream ports and the service ports

SN: 2
Item: Networking and data plan
Description: This includes but is not limited to the following:
- Networking mode
- IP address assignment
- VLAN planning

NOTE
- A commissioning script can be made based on the actual networking and the data plan. For how to make a script, see 1.6.1 Making a Script.
- For details about the default settings of the main software on the MA5600T, see 1.6.3 Software Package Settings.

1.3 Stand-Alone Commissioning
After the hardware installation, a stand-alone MA5600T should be commissioned to ensure that the stand-alone MA5600T works in the normal state.

1.3.1 Powering On the Indoor Device
This topic describes how to power on the indoor device to ensure that all the boards can be normally powered on.

Prerequisites
The after-installation check and the power-on check must be performed on the device.

Context
CAUTION
Inserting or removing boards is prohibited during startup.

Procedure
Step 1 Connect the input power supply of the DC PDU.
Step 2 Turn on the output control switch of the DC PDU.
----End

Result
The device can be normally powered on, and the RUN LED on the boards are on for 1s and off for 1s repeatedly.

1.3.2 Checking the Power Supply of the Power Board
This topic describes how to check the redundancy backup function of the power boards.

Prerequisites
The two power boards configured must work in the normal state.

Context
In the normal state, the two power boards work in the load balancing mode and provide power for all the service boards in the shelf. When one power board is faulty, the other power board provides power for all the service boards in the shelf.

When checking the power supply of the power board, pay attention to the following points:
- Wear an ESD wrist strap during the operation.
- If one power board is faulty, replace the board in time to prevent the shelf from working for a long time when only one power board supplies power.
- Turn off the -48 V input switch on the PDU that corresponds to the power board before replacing the board. In addition, when the board is powered on, do not remove or insert the power connector.

Procedure
Step 1 Turn off the switch on the PDU that corresponds to one power board, and check the power supply for the service board.
Step 2 Turn on the switch again.
Step 3 Repeat steps 1 and 2 to check the other power board.
----End

Result
The boards in the shelf work in the normal state after the switch on the PDU that corresponds to either power board is turned off, that is, the RUN LED on the board is on for 1s and off for 1s repeatedly.

1.3.3 Configuring the Maintenance Terminal
During the commissioning, you need to maintain the device using the maintenance terminal. This topic describes how to start the maintenance terminal and configure the IP address of the maintenance terminal to meet the commissioning requirements.

Starting the Maintenance Terminal
This topic describes how to start the maintenance terminal to prepare for the subsequent commissioning.

Context
A maintenance terminal is usually a laptop embedded with a HyperTerminal application.

Procedure
Step 1 Power on the maintenance terminal. The Windows OS starts automatically, and the Log In dialog box is displayed.
Step 2 (Optional) If the user name and the password are required, input the user name and the password of the administrator in the Log In dialog box.
Step 3 Click OK to enter the Windows OS.
----End

Result
The maintenance terminal runs in the normal state.

Configuring the IP Address of the Maintenance Terminal
This topic describes how to configure the IP address of the maintenance terminal to ensure that you can log in to the MA5600T in the telnet or SSH mode using the maintenance terminal.

Prerequisites
The maintenance terminal must be started.

Procedure
Step 1 Right-click My Network Places and choose Properties. The Network Connections window is displayed.
Step 2 In the Network Connections window, right-click Local Area Connection, and choose Properties. The Local Area Connection Properties dialog box is displayed.
Step 3 Click the General tab, and then select Internet Protocol (TCP/IP) in Components checked are used by this connection, as shown in the following figure.

Figure 1-2 Configure the local area connection properties

Step 4 Click Properties to display the Internet Protocol (TCP/IP) Properties dialog box.
Step 5 Click General, and then select Use the following IP address: to configure the IP address and the subnet mask, as shown in the following figure.

Figure 1-3 Configure the IP address and the subnet mask

NOTE
The IP address of the maintenance terminal and the IP address of the maintenance Ethernet port of the device must be in the same network segment.
NOTE
By default, the IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2, and the subnet mask is 255.255.255.0.

Step 6 Click OK to return to the Local Area Connection Properties dialog box.
Step 7 Click OK.
----End

Result
The IP address of the maintenance terminal and the IP address of the maintenance Ethernet port of the device are in the same network segment.

1.3.4 Logging In to the System
You must log in to the MA5600T before commissioning the MA5600T using the maintenance terminal. The following describes three login modes, namely, local serial port mode, telnet mode, and SSH mode.

Login Through the Local Serial Port
When you need to maintain and manage the MA5600T locally, you can log in to the system using the local serial port.

Prerequisites
- A maintenance terminal (generally a laptop configured with a HyperTerminal application) must be available.
- An RS-232 serial port cable (one end with an RJ-45 connector and the other end with a DB-9 or DB-25 female connector) must be available.

Network Topology
Figure 1-4 shows the networking for logging in to the MA5600T using the local serial port.

Figure 1-4 Logging in to the MA5600T using the local serial port

Flowchart
Figure 1-5 shows the flowchart for logging in to the system using the local serial port.

Figure 1-5 Flowchart for logging in to the system using the local serial port

Procedure
Step 1 Connect the serial port cable.
Use an RS-232 serial port cable to connect a serial port of the PC to the CON port of the SCU control board, as shown in Figure 1-4.
Step 2 Set the HyperTerminal communication parameters.
1. Set up a connection.
Click Start. Choose All Programs > Accessories > Communications > Hyper Terminal to display the Connection Description dialog box. Input the connection name, and click OK, as shown in the following figure.

2. Set the serial port.
Select the serial port that is connected to the MA5600T. You can select COM1 or COM2 (here, use COM2 as an example), and click OK, as shown in the following figure.
3. Set the HyperTerminal communication parameters.
For details, see the following figure.

NOTE
- The baud rate of the HyperTerminal must be the same as the baud rate of the serial port on the MA5600T. By default, the baud rate of the serial port is 9600 bit/s.
- If illegible characters are displayed on the HyperTerminal interface after you log in to the system, it is generally because the baud rate of the HyperTerminal is different from the baud rate of the MA5600T. In this case, set the consistent baud rate for the HyperTerminal to log in to the system. The system supports the baud rates of 9600 bit/s, 19200 bit/s, 38400 bit/s, 57600 bit/s, and 115200 bit/s.

4. Click OK to display the HyperTerminal interface.

Step 3 (Optional) Set the properties of the HyperTerminal.
1. Set the emulation type of the HyperTerminal.
Choose File > Properties on the HyperTerminal interface. In the dialog box that is displayed, click the Settings tab, and set Emulation to VT100 or Auto Detect, as shown in the following figure. It is Auto Detect by default.

2. Set the line delay and the character delay of the ASCII code.
Click ASCII Setup. In the dialog box that is displayed, set line delay to 200 and Character delay to 300, and then click OK, as shown in the following figure. By default, Line delay is 0, and Character delay is 0.

NOTE
When you paste a text to the HyperTerminal, the character delay controls the character transmit speed, and the line delay controls the interval of transmitting every line. If a delay is very short, loss of characters occurs. When the pasted text is displayed abnormally, modify the delay.
----End

Result
On the Hyper Terminal interface, press Enter, and the system prompts you to input the user name. Input the user name and the password for user registration (by default, the super user name is root and the password is admin), and wait until the CLI prompt character is displayed.
If the login fails, click and then click on the operation interface. If the login still fails, return to step 1 to check the parameter settings and the physical connections, and then try again.

Login Through Telnet (Outband Management)
This topic describes how to log in to the MA5600T using the local maintenance Ethernet port (outband management port) in the telnet mode to maintain and manage the MA5600T.

Prerequisites
Engineers are logged in to the MA5600T by using the local serial port or the ETH port.
- For details about how to log in to the MA5600T by using the local serial port, see Login Through the Local Serial Port.
- For details about how to log in to the MA5600T by using the ETH port, see the following:
  - Configure the IP address of the PC that is used for logging in to the MA5600T. This IP address is on the same subnet as the IP address of the maintenance Ethernet port but is not the IP address of the maintenance Ethernet port. For example, configure the IP address to 10.11.104.6.
  - After logging in to the MA5600T, in the MEth mode, run the ip address command to change the IP address of the device to 10.50.1.10/24.
  - Change the IP address of the PC to be on the same subnet as the IP address of the maintenance Ethernet port but is not the IP address of the maintenance Ethernet port. For example, change the IP address of the device to 10.50.1.11/24.

NOTE
The default IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2, and the subnet mask is 255.255.255.0.

Network Topology
Figure 1-6 shows an example network for outband management through telnet in a LAN, and Figure 1-7 shows an example network for outband management through telnet in a WAN.

Figure 1-6 Example network for outband management through telnet in a LAN

NOTE
The MA5600T is connected to the LAN using the straight-through cable, and the IP address of the maintenance Ethernet port of the MA5600T is in the same network segment as the IP address of the maintenance terminal. Alternatively, the Ethernet port of the maintenance terminal can be directly connected to the maintenance Ethernet port of the MA5600T to manage the MA5600T in the outband management mode. In such a condition, a crossover cable must be used.

Figure 1-7 Network example for outband management through telnet in a WAN

Data Plan
Table 1-5 and Table 1-6 provide the data plan for the outband management through telnet in a LAN and in a WAN respectively.

Table 1-5 Data plan for the outband management through telnet in a LAN

Item | Data
Maintenance Ethernet port of the MA5600T | IP address: 10.50.1.10/24. NOTE: By default, the IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2, and the subnet mask is 255.255.255.0.

Maintenance terminal | IP address: 10.50.1.20/24 (in the same subnet as the IP address of the maintenance Ethernet port)

Table 1-6 Data plan for the outband management through telnet in a WAN

Item | Data
Maintenance Ethernet port of the MA5600T | IP address: 10.50.1.10/24. NOTE: By default, the IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2, and the subnet mask is 255.255.255.0.
Maintenance terminal | IP address: 10.10.1.10/24
Router port connecting to the MA5600T | IP address: 10.50.1.1/24

Flowchart
Figure 1-8 shows the flowchart for logging in to the MA5600T through telnet (outband management).

Figure 1-8 Flowchart for logging in to the MA5600T through telnet (outband management)

Ltd. set up a network environment according to Figure 1-7. When the login is successful. and the password is admin. huawei(config-if-meth0)#quit huawei(config)#ip route-static 10.1. Step 2 Configure the IP address of the maintenance Ethernet port. set up a network environment according to Figure 1-6. In the telnet dialog box.1.50.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 1 Commissioning Procedure Step 1 Set up the network environment. By default.1 Step 4 Run the telnet application. the system displays the following information: >>:root >>:admin Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.0 24 10. Then. you need not add a route. run the ip route-static command to add a route from the maintenance Ethernet port of the MA5600T to the maintenance terminal. input "telnet 10. choose Start > Run.50.. and click OK.1.50.10 24 Step 3 Add a route for the outband management. the user name is root. 19 . l If you log in to the MA5600T in the MAN outband management mode through telnet. On the Run window. l If the network environment is set up as shown in Figure 1-6. In the MEth mode. l If you log in to the MA5600T in the LAN outband management mode through telnet. l If the network environment is set up as shown in Figure 1-7. huawei(config)#interface meth 0 huawei(config-if-meth0)#ip address 10. the telnet dialog box is displayed.1.10. run the ip address command to configure the IP address of the maintenance Ethernet port. On the maintenance terminal.10" in the Open field as shown in Figure 1-9 (considering the Windows OS as an example). Figure 1-9 Running the telnet application Step 5 Log in to the system. input the user name and the password.

Huawei Integrated Access SoftwareMA5600T.
Copyright(C) Huawei Technologies Co., Ltd. 2002-2011. All rights reserved.
-----------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------
Access Type : Telnet
IP-Address : 10.10.10.122
Login Time : 2011-03-29 16:03:20+08:00
Logout Time : 2011-03-29 16:08:40+08:00
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
User fail login information:
-----------------------------------------------------------------------------
Last Access Type : Telnet
Last IP-Address : 10.10.10.74
Last Login Time : 2011-03-29 16:11:10+08:00
Login Failure Times : 2
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
All user fail login information:
-----------------------------------------------------------------------------
Access Type IP-Address Time Login Times
-----------------------------------------------------------------------------
Telnet 10.10.10.122 2011-03-29 15:37:05+08:00 3
Telnet 10.10.10.74 2011-03-29 16:11:10+08:00 1
Telnet 10.10.10.193 2011-03-25 18:19:04+08:00 1
-----------------------------------------------------------------------------

The following table describes the parameters in response to this login.

Parameter | Description
User name | Indicates the user name.
User password | Indicates the user password that is not displayed on the maintenance terminal.
User last login information | Indicates the information about the latest successful login.
Access Type | Indicates the access type of the latest successful login.
IP-Address | Indicates the IP address of the latest successful login.
Login Time | Indicates the time of the latest successful login.
Logout Time | Indicates the time of the latest successful logout. If the user does not log out, it displays as "--".
User fail login information | Indicates the information about the failed login.
Last Access Type | Indicates the access type of the latest failed login.
Last IP-Address | Indicates the IP address of the latest failed login.
Last Login Time | Indicates the time of the latest failed login.
Login Failure Times | Indicates the failed login times. It is the times of login failures between two login successes, but not the accumulative login failures.
All user fail login information | Indicates the information about failed login of all users, which can be viewed only by user root or security administrator.

Access Type | Indicates the access type of the login.
IP-Address | Indicates the IP address of the login.
Time | Indicates the time of the login.
Login Times | Indicates the login times.
----End

Result
After logging in to the system, you can maintain and manage the MA5600T.

Login Through Telnet (Inband Management)
This topic describes how to log in to the MA5600T using the upstream port (inband management port) in the telnet mode to maintain and manage the MA5600T.

Prerequisites
Engineers are logged in to the MA5600T by using the local serial port or the ETH port.
- For details about how to log in to the MA5600T by using the local serial port, see Login Through the Local Serial Port.
- For details about how to log in to the MA5600T by using the ETH port, see the following:
  - Configure the IP address of the PC that is used for logging in to the MA5600T. This IP address is on the same subnet as the IP address of the maintenance Ethernet port but is not the IP address of the maintenance Ethernet port. For example, configure the IP address to 10.11.104.6.
  - After logging in to the MA5600T, in the MEth mode, run the ip address command to change the IP address of the device to 10.50.1.10/24.
  - Change the IP address of the PC to be on the same subnet as the IP address of the maintenance Ethernet port but is not the IP address of the maintenance Ethernet port. For example, change the IP address of the device to 10.50.1.11/24.

NOTE
The default IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2, and the subnet mask is 255.255.255.0.

Network Topology
Figure 1-10 shows an example network for inband management through telnet in a LAN, and Figure 1-11 shows an example network for inband management through telnet in a WAN.

Figure 1-10 Example network for inband management through telnet in a LAN

Figure 1-11 Example network for inband management through telnet in a WAN

Data Plan
Table 1-7 and Table 1-8 provide the data plan for the inband management through telnet in a LAN and in a WAN respectively.

Table 1-7 Data plan for the inband management through telnet in a LAN

Item | Data
Upstream port of the MA5600T | VLAN ID: 30; Port: 0/17/0; IP address: 10.50.1.10/24
Maintenance terminal | IP address: 10.50.1.20/24 (in the same subnet as the IP address of the maintenance Ethernet port)

Table 1-8 Data plan for the inband management through telnet in a WAN

Item | Data
Upstream port of the MA5600T | VLAN ID: 30; Port: 0/17/0; IP address: 10.50.1.10/24
Maintenance terminal | IP address: 10.10.1.10/24

Router port connecting to the MA5600T | IP address: 10.50.1.1/24

Flowchart
Figure 1-12 shows the flowchart for logging in to the MA5600T through telnet (inband management).

Figure 1-12 Flowchart for logging in to the MA5600T through telnet (inband management)

Procedure
Step 1 Set up the network environment.
- If you log in to the MA5600T in the LAN inband management mode through telnet, set up a network environment according to Figure 1-10.
- If you log in to the MA5600T in the WAN inband management mode through telnet, set up a network environment according to Figure 1-11.

Step 2 Configure the IP address of the VLAN Layer 3 interface.
1. Run the vlan command to create a management VLAN.
huawei(config)#vlan 30 standard
2. Run the port vlan command to add an upstream port to the VLAN.

huawei(config)#port vlan 30 0/17 0
3. In the VLANIF mode, run the ip address command to configure the IP address of the VLAN Layer 3 interface.
huawei(config)#interface vlanif 30
huawei(config-if-vlanif30)#ip address 10.50.1.10 24

NOTE
If the packet transmitted from the upstream port is untagged, run the native-vlan command to configure the native VLAN of the upstream port to be the same as the VLAN of the upstream port.

Step 3 Add a route for the inband management.
- If the network environment is set up as shown in Figure 1-10, you need not add a route.
- If the network environment is set up as shown in Figure 1-11, run the ip route-static command to add a route from the maintenance Ethernet port of the MA5600T to the maintenance terminal.
huawei(config-if-meth0)#quit
huawei(config)#ip route-static 10.10.1.0 24 10.50.1.1

Step 4 Run the telnet application.
On the maintenance terminal, choose Start > Run. On the Run window, input "telnet 10.50.1.10" in the Open field as shown in Figure 1-13 (considering the Windows OS as an example), and click OK. Then, the telnet dialog box is displayed.

Figure 1-13 Running the telnet application

Step 5 Log in to the system.
In the telnet dialog box, input the user name and the password. By default, the user name is root, and the password is admin. When the login is successful, the system displays the following information:
>>:root
>>:admin
Huawei Integrated Access SoftwareMA5600T.
Copyright(C) Huawei Technologies Co., Ltd. 2002-2011. All rights reserved.
-----------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------
Access Type : Telnet
IP-Address : 10.10.10.122
Login Time : 2011-03-29 16:03:20+08:00
Logout Time : 2011-03-29 16:08:40+08:00

-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
User fail login information:
-----------------------------------------------------------------------------
Last Access Type : Telnet
Last IP-Address : 10.10.10.74
Last Login Time : 2011-03-29 16:11:10+08:00
Login Failure Times : 2
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
All user fail login information:
-----------------------------------------------------------------------------
Access Type   IP-Address      Time                        Login Times
-----------------------------------------------------------------------------
Telnet        10.10.10.122    2011-03-29 15:37:05+08:00   3
Telnet        10.10.10.74     2011-03-29 16:11:10+08:00   1
Telnet        10.10.10.193    2011-03-25 18:19:04+08:00   1
-----------------------------------------------------------------------------

The following table describes the parameters in response to this login.

Parameter                          Description
User name                          Indicates the user name.
User password                      Indicates the user password that is not displayed on the maintenance terminal.
User last login information        Indicates the information about the latest successful login.
Access Type                        Indicates the access type of the latest successful login.
IP-Address                         Indicates the IP address of the latest successful login.
Login Time                         Indicates the time of the latest successful login.
Logout Time                        Indicates the time of the latest successful logout. If the user does not log out, it displays as "--".
User fail login information        Indicates the information about the failed login.
Last Access Type                   Indicates the access type of the latest failed login.
Last IP-Address                    Indicates the IP address of the latest failed login.
Last Login Time                    Indicates the time of the latest failed login.
Login Failure Times                Indicates the failed login times. It is the times of login failures between two login successes, but not the accumulative login failures.
All user fail login information    Indicates the information about failed login of all users, which can be viewed only by user root or security administrator.
Access Type                        Indicates the access type of the login.
IP-Address                         Indicates the IP address of the login.
Time                               Indicates the time of the login.
Login Times                        Indicates the login times.

----End

Result
After logging in to the system, you can maintain and manage the MA5600T.

Login Through SSH (Outband Management)
This topic describes how to log in to the MA5600T using the local maintenance Ethernet port (outband management port) in the SSH mode to maintain and manage the MA5600T. The SSH provides authentication, encryption, and authorization to ensure the network communication security. When a user logs in to the MA5600T remotely over an insecure network, SSH provides security guarantee and powerful authentication to protect the MA5600T against attacks such as IP address spoofing and interception of plain text password.

Prerequisites
Engineers are logged in to the MA5600T by using the local serial port or the ETH port.
NOTE
The default IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2, and the subnet mask is 255.255.255.0.
• For details about how to log in to the MA5600T by using the local serial port, see Login Through the Local Serial Port.
• For details about how to log in to the MA5600T by using the ETH port, see the following:
– Configure the IP address of the PC that is used for logging in to the MA5600T. This IP address is on the same subnet as the IP address of the maintenance Ethernet port but is not the IP address of the maintenance Ethernet port. For example, configure the IP address to 10.11.104.6.
– After logging in to the MA5600T, in the MEth mode, run the ip address command to change the IP address of the device to 10.50.1.10/24.
– Change the IP address of the PC to be on the same subnet as the IP address of the maintenance Ethernet port but is not the IP address of the maintenance Ethernet port. For example, change the IP address of the device to 10.50.1.11/24.

Network Topology
Figure 1-14 shows an example network for outband management through SSH in a LAN, and Figure 1-15 shows an example network for outband management through SSH in a WAN.

Figure 1-14 Example network for outband management through SSH in a LAN
NOTE
The MA5600T is connected to the LAN using a straight-through cable, and the IP address of the maintenance Ethernet port of the MA5600T is in the same network segment as the IP address of the maintenance terminal. Alternatively, the Ethernet port of the maintenance terminal can be directly connected to the maintenance Ethernet port of the MA5600T to manage the MA5600T in the outband management mode. In such a condition, a crossover cable must be used.

Figure 1-15 Example network for outband management through SSH in a WAN

Data Plan
Table 1-9 and Table 1-10 provide the data plan for the outband management through SSH in a LAN and in a WAN respectively.

Table 1-9 Data plan for the outband management through SSH in a LAN
Item                                        Data
Maintenance Ethernet port of the MA5600T    • IP address: 10.50.1.10/24
                                            • User authentication mode: RSA public key authentication
                                            • RSA key name: key
                                            NOTE
                                            By default, the IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2, and the subnet mask is 255.255.255.0.
New user                                    • User name/Password: huawei/test01
                                            • Authority: Operator
                                            • Permitted reenter number: 4
Maintenance terminal                        IP address: 10.50.1.20/24 (in the same subnet as the IP address of the maintenance Ethernet port)

Table 1-10 Data plan for the outband management through SSH in a WAN
Item                                        Data
Maintenance Ethernet port of the MA5600T    • IP address: 10.50.1.10/24
                                            • User authentication mode: RSA public key authentication
                                            • RSA key name: key
                                            NOTE
                                            By default, the IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2, and the subnet mask is 255.255.255.0.
New user                                    • User name/Password: huawei/test01
                                            • Authority: Operator
                                            • Permitted reenter number: 4
Maintenance terminal                        IP address: 10.10.1.10/24
Router port connecting to the MA5600T       IP address: 10.50.1.1/24

Flowchart
Figure 1-16 shows the flowchart for logging in to the MA5600T through SSH.

Figure 1-16 Flowchart for logging in to the MA5600T through SSH (Outband Management)

Procedure
Step 1 Set up the network environment.
• If you log in to the MA5600T in the LAN outband management mode through SSH, set up a network environment according to Figure 1-14.
• If you log in to the MA5600T in the WAN outband management mode through SSH, set up a network environment according to Figure 1-15.
Step 2 Configure the IP address of the maintenance Ethernet port.
In the MEth mode, run the ip address command to configure the IP address of the maintenance Ethernet port.
huawei(config)#interface meth 0
huawei(config-if-meth0)#ip address 10.50.1.10 24
Step 3 Add a route for the outband management.
• If the network environment is set up as shown in Figure 1-14, you need not add a route.
• If the network environment is set up as shown in Figure 1-15, run the ip route-static command to add a route from the maintenance Ethernet port of the MA5600T to the maintenance terminal.
huawei(config-if-meth0)#quit
huawei(config)#ip route-static 10.10.1.0 24 10.50.1.1
Step 4 Create a user.
Run the terminal user name command to create a user.
huawei(config)#terminal user name
User Name(length<6,15>):huawei
User Password(length<6,15>):test01 //The password is not displayed on the maintenance terminal.
Confirm Password(length<6,15>):test01 //The password is not displayed on the maintenance terminal.
User profile name(<=15 chars)[root]:
User's Level:
1. Common User 2. Operator:2
Permitted Reenter Number(0--4):4
User's Appended Info(<=30 chars):
Adding user succeeds
Repeat this operation? (y/n)[n]:n
Step 5 Create the local RSA key pair.
Run the rsa local-key-pair create command to create the local RSA key pair.
CAUTION
The prerequisite for the login through SSH is that the local RSA key pair must be configured and generated. Therefore, before performing other SSH configurations, make sure that the local RSA key pair is generated.
huawei(config)#rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
...++++++++++++
...++++++++++++

...++++++++
...++++++++
Step 6 Set the SSH user authentication mode.
Run the ssh user huawei authentication-type rsa command to choose the authentication mode of the SSH user. There are four authentication modes for SSH users, as shown in the following. In this topic, authentication mode rsa is considered as an example.
• password: authentication based on a password.
• rsa: authentication based on an RSA public key.
• all: authentication based on a password or an RSA public key. The user can log in to the device either by the password or the RSA public key.
• password-publickey: authentication based on a password and a public key. The user can log in to the device only after both the password and the RSA public key authentication.
huawei(config)#ssh user huawei authentication-type
{ all<K>|password-publickey<K>|password<K>|rsa<K> }:rsa
Command:
ssh user huawei authentication-type rsa
%Authentication type setted, and will be in effect next time.
Step 7 Generate the RSA public key.
1. Run the key generator.
Run the client software key generator Puttygen.exe. Figure 1-17 shows the interface of the key generator.
Figure 1-17 Interface of the key generator

2. Generate the client key.
Select SSH-2 RSA as the key type under Parameters, click Generate, and move the cursor
according to the prompt on the interface to generate the client key, as shown in Figure
1-18.
Figure 1-18 Interface of the key generator

Click Save public key and Save private key to save the public key and the private key
respectively after they are generated, as shown in Figure 1-19.

Figure 1-19 Save the public key and the private key

3. Generate the RSA public key.
Open sshkey.exe, click Browse, and choose the public key file saved in the preceding step.
Then, click Convert to change the client public key to the RSA public key, as shown in
Figure 1-20.

Figure 1-20 Interface of converting the client public key to the RSA public key

Step 8 Generate the public key for the SSH user.
Create RSA public key. Copy the RSA public key to the server in the config-rsa-key-code
command line mode.
huawei(config)#rsa peer-public-key key
Enter "RSA public key" view, return system view with "peer-public-key end".
NOTE: The number of the bits of public key must be between 769 and 2048.
huawei(config-rsa-public-key)#public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
huawei(config-rsa-key-code)#30818702 81810098 933744B6 7C864EC7 A86A84CC 198BAC15
huawei(config-rsa-key-code)#D32834F7 365CFD17 E7FE4041 3266E416 710D13ED 22BD4D59
huawei(config-rsa-key-code)#DF0C3E46 A995CC61 DC4CB179 F6888B8C 3F8A3085 51EDB5C7
huawei(config-rsa-key-code)#5DEBDBE1 3AB4A256 0D0B9AA8 9A419D85 35C0E562 AE0BBFAB
huawei(config-rsa-key-code)#515299F9 D2803E84 3AE36C20 949367EA 0697EB20 2594A774
huawei(config-rsa-key-code)#9A0EFF04 26928874 FF9124C4 D28F0702 0125
huawei(config-rsa-key-code)#public-key-code end

huawei(config-rsa-public-key)#peer-public-key end

Step 9 Assign the public key to the SSH user.
Run the ssh user assign rsa-key command to assign the RSA public key to the SSH user.
huawei(config)#ssh user huawei assign rsa-key key

Step 10 Log in to the system.
1. Run the client software.
Run the SSH client software putty.exe, choose SSH > Auth from the navigation tree, and
assign a file for the RSA private key, as shown in Figure 1-21. Click Browse to display
the window for selecting the file. In the window, select the file for the private key, and click
OK.
Figure 1-21 Interface of the SSH client software

2. Log in to the system.
Choose Session from the navigation tree, and then input the IP address of the MA5600T
in the Host Name (or IP address) field, as shown in Figure 1-22. Then, click Open to log
in to the system.

Figure 1-22 Interface for logging in to the system using the SSH client software

The user authentication mode is set to the RSA authentication mode, and the system
therefore displays the prompt, as shown in Figure 1-23. Input the user name to log in to
the system (here, the user name is huawei).
Figure 1-23 Interface for logging in to the system using the SSH client software

----End

Result
After logging in to the system, you can maintain and manage the MA5600T.
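The key code pasted in Step 8 can be checked offline before it is entered on the device. The following is an added example, not part of the Huawei guide: it reads the Step 8 transcript (terminal line wrap included), decodes the bytes as the DER SEQUENCE of two INTEGERs they form (modulus and public exponent), and compares the modulus size with the 769 to 2048 bit range stated in the device NOTE. The function names are assumptions made for this example.

```python
import re

# Key-code entry copied from Step 8 of this page, terminal line wrap included
# (the last hex digit of each full line wrapped onto a line of its own).
STEP8_TRANSCRIPT = """\
huawei(config-rsa-public-key)#public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
huawei(config-rsa-key-code)#30818702 81810098 933744B6 7C864EC7 A86A84CC 198BAC1
5
huawei(config-rsa-key-code)#D32834F7 365CFD17 E7FE4041 3266E416 710D13ED 22BD4D5
9
huawei(config-rsa-key-code)#DF0C3E46 A995CC61 DC4CB179 F6888B8C 3F8A3085 51EDB5C
7
huawei(config-rsa-key-code)#5DEBDBE1 3AB4A256 0D0B9AA8 9A419D85 35C0E562 AE0BBFA
B
huawei(config-rsa-key-code)#515299F9 D2803E84 3AE36C20 949367EA 0697EB20 2594A77
4
huawei(config-rsa-key-code)#9A0EFF04 26928874 FF9124C4 D28F0702 0125
huawei(config-rsa-key-code)#public-key-code end
"""

PROMPT = "huawei(config-rsa-key-code)#"  # key-code view prompt shown on the page
MIN_BITS, MAX_BITS = 769, 2048           # range stated in the device NOTE
HEX_RUN = re.compile(r"[0-9A-Fa-f ]+")


def extract_key_code(transcript, prompt=PROMPT):
    """Collect the hex typed at the key-code prompt and return it as bytes."""
    chunks, in_key_line = [], False
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith(prompt):
            body = line[len(prompt):].strip()
            # Commands such as "public-key-code end" are not hex and are skipped.
            in_key_line = bool(HEX_RUN.fullmatch(body))
            if in_key_line:
                chunks.append(body)
        elif in_key_line and HEX_RUN.fullmatch(line):
            chunks.append(line)  # wrapped tail of the previous key line
        else:
            in_key_line = False
    return bytes.fromhex("".join(chunks).replace(" ", ""))


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length
        count = first & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("DER value runs past the end of the input")
    return tag, buf[pos:end], end


def parse_rsa_public_key(der):
    """Decode SEQUENCE { INTEGER modulus, INTEGER exponent }; return (n, e)."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("input is not exactly one DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected exactly two INTEGER fields")
    for field in (n_bytes, e_bytes):
        if not field or field[0] & 0x80:  # DER INTEGER with top bit set is negative
            raise ValueError("INTEGER fields must be positive")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def check_peer_key(transcript):
    """Summarise the pasted key and test it against the stated size range."""
    n, e = parse_rsa_public_key(extract_key_code(transcript))
    bits = n.bit_length()
    return {
        "bits": bits,
        "exponent": e,
        "odd_modulus": n % 2 == 1,
        "in_range": MIN_BITS <= bits <= MAX_BITS,
    }


if __name__ == "__main__":
    print(check_peer_key(STEP8_TRANSCRIPT))
```

A transcript whose hex is truncated or mistyped raises ValueError instead of returning a result, so a bad paste is caught before the key is assigned to the SSH user.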

Login Through SSH (Inband Management)
This topic describes how to log in to the MA5600T using the upstream port (inband management
port) in the SSH mode to maintain and manage the MA5600T. The secure shell (SSH) provides
authentication, encryption, and authorization to ensure the network communication security.
When a user logs in to the MA5600T remotely over an insecure network, SSH provides security
guarantee and powerful authentication to protect the MA5600T against attacks such as IP address
spoofing and interception of plain text password.

Prerequisites
Engineers are logged in to the MA5600T by using the local serial port or the ETH port.
NOTE
The default IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2,
and the subnet mask is 255.255.255.0.

• For details about how to log in to the MA5600T by using the local serial port, see Login
Through the Local Serial Port.
• For details about how to log in to the MA5600T by using the ETH port, see the following:
– Configure the IP address of the PC that is used for logging in to the MA5600T. This IP
address is on the same subnet as the IP address of the maintenance Ethernet port but is
not the IP address of the maintenance Ethernet port. For example, configure the IP
address to 10.11.104.6.
– After logging in to the MA5600T, in the MEth mode, run the ip address command to
change the IP address of the device to 10.50.1.10/24.
– Change the IP address of the PC to be on the same subnet as the IP address of the
maintenance Ethernet port but is not the IP address of the maintenance Ethernet port.
For example, change the IP address of the device to 10.50.1.11/24.

Network Topology
Figure 1-24 shows an example network for inband management through SSH in a LAN, and
Figure 1-25 shows an example network for inband management through SSH in a WAN.
Figure 1-24 Example network for inband management through SSH in a LAN

Figure 1-25 Example network for inband management through SSH in a WAN

Data Plan
Table 1-11 and Table 1-12 provide the data plan for the inband management through SSH in a
LAN and in a WAN respectively.
Table 1-11 Data plan for the inband management through SSH in a LAN
Item                            Data
Upstream port of the MA5600T    • VLAN ID: 30
                                • Port: 0/7/0
                                • IP address: 10.50.1.10/24
                                • User authentication mode: RSA public key authentication
                                • RSA key name: key
New user                        • User name/Password: huawei/test01
                                • Authority: Operator
                                • Permitted reenter number: 4
Maintenance terminal            IP address: 10.50.1.20/24 (in the same subnet as the IP address of the maintenance Ethernet port)

Table 1-12 Data plan for the inband management through SSH in a WAN
Item                                     Data
Upstream port of the MA5600T             • VLAN ID: 30
                                         • Port: 0/7/0
                                         • IP address: 10.50.1.10/24
                                         • User authentication mode: RSA public key authentication
                                         • RSA key name: key
New user                                 • User name/Password: huawei/test01
                                         • Authority: Operator
                                         • Permitted reenter number: 4
Maintenance terminal                     IP address: 10.10.1.10/24
Router port connecting to the MA5600T    IP address: 10.50.1.1/24

Flowchart
Figure 1-26 shows the flowchart for logging in to the MA5600T through SSH.

Figure 1-26 Flowchart for logging in to the MA5600T through SSH (Inband Management)

Procedure
Step 1 Set up the network environment.
• If you log in to the MA5600T in the LAN inband management mode through SSH, set up a network environment according to Figure 1-24.
• If you log in to the MA5600T in the WAN inband management mode through SSH, set up a network environment according to Figure 1-25.
Step 2 Configure the IP address of the VLAN Layer 3 interface.
1. Run the vlan command to create a management VLAN.
huawei(config)#vlan 30 standard
2. Run the port vlan command to add an upstream port to the VLAN.
huawei(config)#port vlan 30 0/7 0
3. In the VLANIF mode, run the ip address command to configure the IP address of the VLAN Layer 3 interface.
huawei(config)#interface vlanif 30
huawei(config-if-vlanif30)#ip address 10.50.1.10 24
NOTE
If the packet transmitted from the upstream port is untagged, run the native-vlan command to configure the native VLAN of the upstream port to be the same as the VLAN of the upstream port.
Step 3 Add a route for the inband management.
• If the network environment is set up as shown in Figure 1-24, you need not add a route.
• If the network environment is set up as shown in Figure 1-25, run the ip route-static command to add a route from the maintenance Ethernet port of the MA5600T to the maintenance terminal.
huawei(config-if-meth0)#quit
huawei(config)#ip route-static 10.10.1.0 24 10.50.1.1
Step 4 Create a user.
Run the terminal user name command to create a user.
huawei(config)#terminal user name
User Name(length<6,15>):huawei
User Password(length<6,15>):test01 //The password is not displayed on the maintenance terminal.
Confirm Password(length<6,15>):test01 //The password is not displayed on the maintenance terminal.
User profile name(<=15 chars)[root]:
User's Level:
1. Common User 2. Operator:2
Permitted Reenter Number(0--4):4
User's Appended Info(<=30 chars):
Adding user succeeds
Repeat this operation? (y/n)[n]:n
Step 5 Create the local RSA key pair.
Run the rsa local-key-pair create command to create the local RSA key pair.
CAUTION
The prerequisite for the login through SSH is that the local RSA key pair must be configured and generated. Therefore, before performing other SSH configurations, make sure that the local RSA key pair is generated.

huawei(config)#rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
...++++++++++++
...++++++++++++
...++++++++
...++++++++
Step 6 Set the SSH user authentication mode.
Run the ssh user huawei authentication-type rsa command to choose the authentication mode of the SSH user. There are four authentication modes for SSH users, as shown in the following. In this topic, authentication mode rsa is considered as an example.
• password: authentication based on a password.
• rsa: authentication based on an RSA public key.
• all: authentication based on a password or an RSA public key. The user can log in to the device either by the password or the RSA public key.
• password-publickey: authentication based on a password and a public key. The user can log in to the device only after both the password and the RSA public key authentication.
huawei(config)#ssh user huawei authentication-type
{ all<K>|password-publickey<K>|password<K>|rsa<K> }:rsa
Command:
ssh user huawei authentication-type rsa
%Authentication type setted, and will be in effect next time.
Step 7 Generate the RSA public key.
1. Run the key generator.
Run the client software key generator Puttygen.exe. Figure 1-27 shows the interface of the key generator.

Figure 1-27 Interface of the key generator
2. Generate the client key.
Select SSH-2 RSA as the key type under Parameters, click Generate, and move the cursor according to the prompt on the interface to generate the client key, as shown in Figure 1-28.

Figure 1-28 Interface of the key generator
Click Save public key and Save private key to save the public key and the private key respectively after they are generated, as shown in Figure 1-29.
Figure 1-29 Save the public key and the private key

3. Generate the RSA public key.
Open sshkey.exe, click Browse, and choose the public key file saved in the preceding step. Then, click Convert to change the client public key to the RSA public key, as shown in Figure 1-30.
Figure 1-30 Interface of converting the client public key to the RSA public key
Step 8 Generate the public key for the SSH user.
Create RSA public key. Copy the RSA public key to the server in the config-rsa-key-code command line mode.
huawei(config)#rsa peer-public-key key
Enter "RSA public key" view, return system view with "peer-public-key end".
NOTE: The number of the bits of public key must be between 769 and 2048.
huawei(config-rsa-public-key)#public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
huawei(config-rsa-key-code)#30818702 81810098 933744B6 7C864EC7 A86A84CC 198BAC15
huawei(config-rsa-key-code)#D32834F7 365CFD17 E7FE4041 3266E416 710D13ED 22BD4D59
huawei(config-rsa-key-code)#DF0C3E46 A995CC61 DC4CB179 F6888B8C 3F8A3085 51EDB5C7

huawei(config-rsa-key-code)#5DEBDBE1 3AB4A256 0D0B9AA8 9A419D85 35C0E562 AE0BBFAB
huawei(config-rsa-key-code)#515299F9 D2803E84 3AE36C20 949367EA 0697EB20 2594A774
huawei(config-rsa-key-code)#9A0EFF04 26928874 FF9124C4 D28F0702 0125
huawei(config-rsa-key-code)#public-key-code end
huawei(config-rsa-public-key)#peer-public-key end
Step 9 Assign the public key to the SSH user.
Run the ssh user assign rsa-key command to assign the RSA public key to the SSH user.
huawei(config)#ssh user huawei assign rsa-key key
Step 10 Log in to the system.
1. Run the client software.
Run the SSH client software putty.exe, choose SSH > Auth from the navigation tree, and assign a file for the RSA private key, as shown in Figure 1-31. Click Browse to display the window for selecting the file. In the window, select the file for the private key, and click OK.
Figure 1-31 Interface of the SSH client software
2. Log in to the system.
Choose Session from the navigation tree, and then input the IP address of the MA5600T in the Host Name (or IP address) field, as shown in Figure 1-32. Then, click Open to log in to the system.

Figure 1-32 Interface for logging in to the system using the SSH client software
The user authentication mode is set to the RSA authentication mode, and the system therefore displays the prompt, as shown in Figure 1-33. Input the user name to log in to the system (here, the user name is huawei).
Figure 1-33 Interface for logging in to the system using the SSH client software

----End

Result
After logging in to the system, you can maintain and manage the MA5600T.

1.3.5 Checking the Software Version
This topic describes how to verify that current software version meets the deployment requirement.

Procedure
Step 1 Run the display language command to check whether the version of the host software meets the deployment requirement.
Step 2 Run the display version command to check whether the version of the board software meets the deployment requirement.
----End

Result
• The version of the host software and the version of the board software meet the deployment requirement.
• If the version of the host software and the version of the board software do not meet the deployment requirement, contact the Huawei Customer Service Center. For the contact information, see Contacting Huawei for Assistance. Upgrade the host software if necessary.

Example
To query the host software version and the board software version that are running in the system, do as follows:
huawei>display language
Local:
Description: CHINESE SIMPLIFIED (DEFAULT LANGUAGE)
Version: MA5600V800R203C00
Encoding: GBK
General:
Description: ENGLISH (DEFAULT LANGUAGE)
Version: MA5600V800R203C00
Encoding: ANSI
huawei>display version
{ <cr>|backplane<K>|frameid/slotid<S><Length 1-15> }:
Command:
display version
VERSION : MA5600V800R203C00
PRODUCT MA5600T
Uptime is 4 day(s), 7 hour(s), 27 minute(s), 23 second(s)

1.3.6 Loading the Script
You can run the commands in the script in batches by loading the script instead of running the commands one by one. This shortens the commissioning duration and improves the

commissioning efficiency. If the script is not used, skip this operation, and follow the commissioning procedure to perform the subsequent operations.

Prerequisites
• The hardware must be installed and checked.
• The operator must be in the privilege mode.
• The script file must be ready. For details about how to make a script, see 1.6.1 Making a Script.

Procedure
Step 1 Open the script file and copy all the commands to the CLI.
----End

Result
The commands in the script can be executed automatically and successfully.

1.3.7 Configuring a Board
Specific services require specific boards. To use a board, you need to first confirm the automatically discovered board or add the board offline.

Checking the Board Status
This topic describes how to check whether the board works in the normal state.

Procedure
Step 1 Run the display board frameid command to query the status of all the boards.
----End

Result
All the boards work in the normal state. That is, all of the board status is displayed as Normal.

Example
To query the information about all the boards of shelf 0, do as follows:
huawei(config)#display board 0
-------------------------------------------------------------------------
SlotID  BoardName  PrimaryState  SecondaryState  SubType0  SubType1
-------------------------------------------------------------------------
0
1
2
3
4
5       H801TOPA   IS-NR                         NH1A
6
7       H801SCUN   IS-NR         STBYH
8       H801SCUN   IS-NR         WRK
9
10
11      H801TOPA   IS-NR                         NH1A

12
13      H802GPBD   IS-NR
14
15
16
17      H801GICK   IS-NR
18      H801GICG   IS-NR
19
20
-------------------------------------------------------------------------

Confirming a Board
This topic describes how to confirm a board after the board installed in an idle slot is automatically discovered. This ensures that the auto-discovered board runs in the normal state.

Prerequisites
A board must be installed in an idle slot or all the boards in the shelf must be installed. After that, the system automatically identifies the board type, and the board status is Auto_find.

Procedure
Step 1 Run the board confirm command to confirm an Auto_find board.
NOTE
• To confirm only one board, run the board confirm frameid/slotid command.
• To confirm all the boards in a shelf, run the board confirm frameid command.
Step 2 Run the display board frameid [ /slotid ] command to query the board status.
----End

Result
The board status is displayed as Normal.

Example
To confirm the service board in slot 0/4, do as follows:
huawei(config)#board confirm 0/4
huawei(config)#display board 0/4
--------------------------------------
Board Name : H802GPBD
Primary State : IS-NR
Secondary State : -
--------------------------------------
-------------------------------------------------------------
Port  Port  min-distance  max-distance  Optical-module
      type  (km)          (km)          status
-------------------------------------------------------------
0     GPON  0             20            Offline
1     GPON  0             20            Offline
2     GPON  0             20            Offline
3     GPON  0             20            Offline
4     GPON  0             20            Offline
5     GPON  0             20            Offline
6     GPON  0             20            Offline
7     GPON  0             20            Offline

  -------------------------------------------------------------
  In port 0, the total of ONTs are: 0
  In port 1, the total of ONTs are: 0
  In port 2, the total of ONTs are: 0
  In port 3, the total of ONTs are: 0
  In port 4, the total of ONTs are: 0
  In port 5, the total of ONTs are: 0
  In port 6, the total of ONTs are: 0
  In port 7, the total of ONTs are: 0

Adding a Board Offline
This topic describes how to add a board to an idle slot that is consistent with the board actually planned beforehand to ensure that the board runs immediately the board is installed in the slot.

Prerequisites
The slot to which a board is added must be idle.

Context
• The boards other than the control board can be added offline.
• After a board is added offline, the board status is displayed as Failed. When a board is installed in the slot in which the board is added, the board status is displayed as Normal. If a board of a different type is installed, the board resets repeatedly due to the board type mismatch. The board status becomes normal only when a board of the same type as the board added offline is installed in the slot.

Procedure
Step 1 Run the board add command to add a board offline.
NOTE
• The shelf ID and the slot ID of the board added offline must be the same as the actual position. Otherwise, when the board is installed, the board status cannot be changed to normal.
• The type of the board added offline must be the same as the type of the board installed. Otherwise, when the board is installed, the board status cannot be changed to normal.
Step 2 Run the display board frameid [ /slotid ] command to query the type of the added board.
----End

Result
The type of the added board is the same as the board type that is planned.

Example
To add a service board GPBD offline in slot 0/4, do as follows:
huawei(config)#board add 0/4 h802gpbd
huawei(config)#display board 0/4
  ---------------------------------------
  Board Name : H802GPBD
  Primary State : IS-NR
  Secondary State :
  ---------------------------------------

the total of ONTs are: 0 In port 1.3. Step 2 Run the save command to save the configuration data. The system allocates 15 reserved VLANs ranging from 4079 to 4093. Ltd.8 Modifying the Reserved VLANs After the reserved VLANs are successfully modified. and VLAN 4095 is a reserved VLAN of the LAN switch. ----End Example To configure the range of the reserved VLANs to 4075-4089. system. These VLANs cannot be configured as reserved VLANs. the preset value is the start ID of the reserved VLANs and the system automatically allocates 15 reserved VLANs from the start ID. do as follows: huawei(config)#vlan reserve 4075 Are you sure to config reserved VLAN huawei(config)#save huawei(config)#reboot system Please check whether data has saved. A reserved VLAN cannot function as a service VLAN or a management VLAN. VLAN 4094 is a fixed reserved VLAN. the total of ONTs are: 0 In port 2. Step 3 Run the reboot command to make the configuration take effect. 52 . A configured VLAN cannot be configured as a reserved VLAN..SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 1 Commissioning ------------------------------------------------------------Port Port min-distance max-distance Optical-module type (km) (km) status ------------------------------------------------------------0 GPON 0 20 Offline 1 GPON 0 20 Offline 2 GPON 0 20 Offline 3 GPON 0 20 Offline 4 GPON 0 20 Offline 5 GPON 0 20 Offline 6 GPON 0 20 Offline 7 GPON 0 20 Offline ------------------------------------------------------------In port 0. l VLAN 1 is the default VLAN. l The start ID of the reserved VLANs ranges from 2 to 4079. the total of ONTs are: 0 In port 7. Context l The start ID of the reserved VLANs is 4079. Procedure Step 1 Run the vlan reserve command to modify a reserved VLAN. the total of ONTs are: 0 In port 3. the total of ONTs are: 0 In port 4. the total of ONTs are: 0 In port 5. the total of ONTs are: 0 In port 6. are you sure to reboot system? 
huawei(config)#display vlan reserve The start actived reserved VLAN ID : Issue 01 (2012-01-18) ? (y/n)[n]: y the unsaved data will lose if reboot (y/n)[n]: y 4075 Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. the total of ONTs are: 0 1.

  The start configed reserved VLAN ID : 4075
  The number of reserved VLAN IDs : 15

1.3.9 Configuring Link Aggregation and Switching
This topic describes how to configure a link aggregation group to improve reliability of service transmission.

Context
An uplink aggregation group aggregates multiple Ethernet ports as an aggregation group to increase the bandwidth and share the inbound/outbound load of each member port. In addition, the ports in an aggregation group back up each other, which enhances the link security.

In a link aggregation group, the member physical links are backed up with each other dynamically. When a link is disconnected, another link can take the place of the faulty link.

An aggregation group can implement inter-card aggregation between two GIU slots. When only one control card is configured, inter-card aggregation is supported between the SCUN card and the GIU slot.

Procedure
Step 1 Run the link-aggregation command to create an Ethernet port aggregation group. Add multiple upstream Ethernet ports to the same aggregation group to implement protection and load balancing between ports.
Step 2 Run the link-aggregation description command to configure the description of the aggregation group. The description is applicable to the transaction language 1 (TL1) northbound interface.
Step 3 Run the vlan command to add a standard VLAN.
Step 4 Run the port vlan command to add an upstream port to the VLAN.
Step 5 Run the interface vlanif command to create a VLAN interface and enter the VLAN interface mode.
Step 6 Run the ip address command to configure the IP address of the VLAN interface. The IP address of the VLAN interface and the gateway IP address must be on the same network segment.
Step 7 Run the shutdown command to deactivate the upstream port.
Step 8 Run the ping command to check if the upstream port is reachable from the MA5600T to the gateway.
----End

Result
The connection from the MA5600T to the gateway is normal.

Example
After the connection from the MA5600T to the gateway (with IP address 10.10.10.20) is configured successfully, the connection from the MA5600T to the gateway is normal.
• Upstream ports 0/17/0 and 0/17/1 are configured as an aggregation group. The primary port is 0/17/0 and its description is upport-link-aggregation.
• The management VLAN from the MA5600T to the gateway is VLAN 100 and the IP address of the VLAN interface is 10.10.10.10 (on the same network segment as the gateway IP address).
Then, run the shutdown command to deactivate upstream port 0/17/0.
huawei(config)#link-aggregation 0/17 0 0/17 1 ingress
huawei(config)#link-aggregation description 0/17/0 upport-link-aggregation
huawei(config)#vlan 100 standard
huawei(config)#port vlan 100 0/17 0,1
huawei(config)#interface vlanif 100
huawei(config-if-vlanif100)#ip address 10.10.10.10 24
huawei(config)#interface giu 0/17
huawei(config-if-giu-0/17)#shutdown 0
huawei(config-if-giu-0/17)#quit
huawei(config)#ping 10.10.10.20
  PING 10.10.10.20: 56 data bytes, press CTRL_C to break
    Reply from 10.10.10.20: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 10.10.10.20: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.10.10.20: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.10.10.20: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.10.10.20: bytes=56 Sequence=5 ttl=255 time=1 ms

  --- 10.10.10.20 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms

1.3.10 Checking the Status of the Service Port
This topic describes how to check whether the service port is in the normal state.

Prerequisites
NOTE
The MA5600T provides various service ports. The following only describes how to check the status of a GPON port.

Procedure
Step 1 Run the interface gpon command to enter the GPON mode.
Step 2 Run the display port state command to check whether the service port is in the normal state.
----End

Result
All the service ports are in the normal state. That is, Status is displayed as Activated, and Laser state is displayed as On.

1.3.11 Checking the Status of the Upstream Port
This topic describes how to check whether the upstream port is in the normal state.

Procedure
Step 1 Follow the steps below to check the status of the upstream port.
• If the control board is adopted for upstream transmission, do as follows:
  1. Run the interface scu command to enter the SCU mode.
  2. Run the display port stateall command to check whether the upstream port is in the normal state.
• If the upstream board is adopted for upstream transmission, do as follows:
  1. Run the interface giu command to enter the GIU mode.
  2. Run the display port stateall command to check whether the upstream port is in the normal state.
----End

Result
The upstream port is in the normal state. That is, the upstream port is in the active state and the link is in the online state. If the optical port is adopted for upstream transmission, Optic Status is displayed as normal.

1.3.12 Changing the System Name
This topic describes how to customize the useful system name to differentiate MA5600Ts. This facilitates the management of the MA5600T.

Context
• By default, the device name is MA5600T.
• The system name takes effect immediately after change.
• After the system name is changed, the CLI prompt character changes to the new name accordingly.

Procedure
Step 1 Run the sysname command to set the system name.
----End

Result
The CLI prompt character changes to the system name that is set after the command is executed successfully.

Example
To name the first MA5600T at Shenzhen office in China shenzhen_MA5600T_A, do as follows:

huawei(config)#sysname shenzhen_MA5600T_A
shenzhen_MA5600T_A(config)#

1.3.13 Configuring a System User
For logging in to, configuring, and managing the MA5600T, system users of different attributes need to be added. This topic describes how to add a system user and modify the user attributes.

Adding a System User
This topic describes how to add system users of different attributes for logging in to, configuring, and managing the MA5600T. This facilitates the management of the MA5600T.

Prerequisites
You must have the administrator authority or higher authority.

Context
• By default, the system has a super user with the name of root and password of admin. The super user cannot be added or deleted.
• The super user and the administrator have the authority to add a user at a lower level, that is:
  – The super user can add an administrator, an operator, or a common user.
  – The administrator can add only an operator or a common user.
• The super user and the administrator can add multiple users consecutively. Up to 127 (total 128 including the root user) users can be added to the system.
• The system supports up to 10 concurrently online terminal users.
• The user name must be unique, and cannot be all or online.
• When adding a user, you must configure the user attributes, including the user account, password, profile, authority, permitted reenter number, and appended information. Table 1-13 lists the user attributes.

Table 1-13 User attributes

User Attribute: Account
Description: An account is also called a user name and consists of 6-15 printable characters. The user name is unique in the system. It cannot contain any space and is case insensitive.

User Attribute: Password
Description: A password consists of 6-15 characters. It must contain at least one digit and one letter, and is case-sensitive.

User Attribute: User profile
Description: The name of a user profile consists of 1-15 printable characters. A user profile includes the validity period of the user name, validity period of the password, login time, and logout time.

User Attribute: Authority
Description: Users are classified into three levels: common user, operator, and administrator.
NOTE
According to the operation authority, users of the MA5600T are classified into four levels: common user, operator, administrator, and super user. The user at one level can add only the user at a lower level.

User Attribute: Permitted reenter number
Description: The permitted reenter number determines whether a user name can be used to log in to the system from several terminals at the same time. The permitted reenter number ranges from 0 to 4, and is generally set to 1.

User Attribute: Appended information
Description: Appended information is a type of additional information about the user. It consists of a string of 0-30 characters. It can be the telephone number or the address of a user.

The following lists the authority of all users.
• Common users can perform basic system operations and simple query operations.
• Operators can configure the device and the services.
• For the administrator and the super user, they have the following similarities and differences:
  • Similarities:
    • Perform all configurations.
    • Maintain and manage the device, user account, and user authority.
  • Differences:
    • Only one super user exists in the system; however, multiple administrators can coexist in the system.
    • The super user can add an administrator, but an administrator has no authority to add the super user.

Procedure
Step 1 Run the terminal user name command to add a user that is consistent with the actual data plan.
Step 2 Run the display terminal user command to query the user information.
----End

Result
The queried user information is the same as the actual data plan.

Example
With the administrator authority, to add a common user with the account as huawei, password as test01, user profile as the default root user profile, user level as Common User, permitted reenter number as 3, and appended information as user, do as follows:
huawei(config)#terminal user name
  User Name(length<6,15>):huawei
  User Password(length<6,15>):test01//The password is not displayed on the console.
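A pre-deployment check of a user data plan against the limits stated in Table 1-13 and the Context list for adding a system user, as an added example that is not part of the Huawei guide. The PlannedUser record, the rule codes and the sample plan are constructed for illustration; the check also flags a root account still on the documented default password, which does not itself meet the password rule the guide sets for added users.

```python
"""Audit a planned MA5600T user list against the limits in Table 1-13 (added example)."""
import string
from dataclasses import dataclass

RESERVED_ACCOUNTS = {"all", "online"}      # names the guide says cannot be used
ADDABLE_LEVELS = {"common user", "operator", "administrator"}
MAX_ADDED_USERS = 127                      # 128 including the root user
ROOT_DEFAULT_PASSWORD = "admin"            # default stated in the guide


@dataclass
class PlannedUser:                         # hypothetical record for one row of the data plan
    account: str
    password: str
    level: str
    profile: str = "root"
    reenter: int = 1
    appended: str = ""


def check_password(password):
    """6-15 characters, with at least one digit and one letter."""
    codes = []
    if not 6 <= len(password) <= 15:
        codes.append("password-length")
    has_digit = any(c in string.digits for c in password)
    has_letter = any(c in string.ascii_letters for c in password)
    if not (has_digit and has_letter):
        codes.append("password-composition")
    return codes


def check_user(user):
    """Return the rule codes one planned user violates."""
    codes = []
    name = user.account
    if not 6 <= len(name) <= 15:
        codes.append("account-length")
    if " " in name or not name.isprintable():
        codes.append("account-characters")
    if name.lower() in RESERVED_ACCOUNTS:
        codes.append("account-reserved")
    codes += check_password(user.password)
    if not (1 <= len(user.profile) <= 15 and user.profile.isprintable()):
        codes.append("profile-name")
    if user.level.lower() not in ADDABLE_LEVELS:
        codes.append("level")
    if not 0 <= user.reenter <= 4:
        codes.append("reenter-range")
    if len(user.appended) > 30:
        codes.append("appended-length")
    return codes


def audit_plan(users, root_password=None):
    """Return (account, rule code) pairs for the whole plan."""
    findings = []
    seen = set()
    for user in users:
        findings += [(user.account, code) for code in check_user(user)]
        key = user.account.lower()         # account names are case insensitive
        if key in seen:
            findings.append((user.account, "account-duplicate"))
        seen.add(key)
    if len(users) > MAX_ADDED_USERS:
        findings.append(("(plan)", "user-count"))
    if root_password == ROOT_DEFAULT_PASSWORD:
        findings.append(("root", "default-password"))
    return findings


# Constructed sample plan; the first row is the account from the guide's own example.
SAMPLE_PLAN = [
    PlannedUser("huawei", "test01", "common user", "root", 3, "user"),
    PlannedUser("noc_op1", "operator", "operator"),
    PlannedUser("Huawei", "Test02x", "operator"),
    PlannedUser("online", "secret99", "common user"),
    PlannedUser("ops", "abc12", "super user", reenter=5, appended="x" * 31),
]

if __name__ == "__main__":
    for account, code in audit_plan(SAMPLE_PLAN, root_password="admin"):
        print(f"{account}: {code}")
```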

  Confirm Password(length<6,15>):test01//The password is not displayed on the console.
  User profile name(<=15 chars)[root]:
  User's Level:
      1. Common User  2. Operator:1
  Permitted Reenter Number(0--4):3
  User's Appended Info(<=30 chars):user
  Adding user succeeds
  Repeat this operation? (y/n)[n]:n
huawei(config)#display terminal user name huawei
  ----------------------------------------------------------------------------
  Name      Level     Status    Reenter  Profile   Append
                                Num                Info
  ---------------------------------------------------------------------------
  huawei    User      Offline   3        root      user
  ----------------------------------------------------------------------------

Modifying the System User Attributes
This topic describes how to modify the attributes of a system user, including the password, user profile, authority, permitted reenter number, and appended information in the case that the user attributes are not consistent with the current data plan.

Prerequisites
For details about the user authority, see "Context".

Context
Table 1-14 lists the user attributes that can be modified and the related restrictions.

Table 1-14 Modifying the user attributes

User Attribute: Password
Restriction:
• The super user and the administrator can change their own passwords and the passwords of users at lower levels. When changing the password of a user at a lower level, the super user and the administrator need not input the old password.
• The common user and the operator can change only their own passwords, but they must input their old passwords for this purpose.

User Attribute: User profile
Restriction:
• The user name and the password must meet the specifications described in the user profile to be bound. Otherwise, the binding operation fails.
• The super user and the administrator can modify the profiles bound to them and the profiles bound to users at lower levels.

User Attribute: Authority
Restriction: The super user and the administrator can modify the authority of users at lower levels. In addition, the super user and the administrator can modify the user authority only to a level lower than them.

User Attribute: Permitted reenter number
Restriction:
• The super user and the administrator can change the permitted reenter number of a user at a lower level.
• The permitted reenter number of the super user cannot be changed.

User Attribute: Appended information
Restriction:
• The super user and the administrator can modify their own appended information and the appended information about users at lower levels.
• The common user and the operator can modify only their own appended information.

Procedure
Step 1 Modify the system user attributes.
NOTE
Before modifying the user attributes, run the display terminal user command to query the user attributes to be modified.
• Run the terminal user password command to change the password of a user. The password of a user consists of 6-15 characters, in which at least one digit and one letter must be contained. The password is case sensitive.
• Run the terminal user user-profile command to modify the profile bound to a user.
• Run the terminal user level command to modify the authority of a user.
• Run the terminal user reenter command to change the permitted reenter number of a user.
• Run the terminal user apdinfo command to modify the appended information about a user. It is recommended that the user appended information be modified into the information that has the actual meaning, such as the contact means and the user address. When the system has any problem, you can contact the user after querying the user appended information.
Step 2 Check the user information. Run the display terminal user command to query the user information.
----End

Result
The queried user information is consistent with the user attributes that are modified, and login to the MA5600T by using the original user name and password is successful.

Example
To modify the attributes of user huawei, including changing the password to test02, user profile to operator profile, user level to operator, permitted reenter number to 4, and appended information to operator, do as follows:
huawei(config)#terminal user password
  User Name(<=15 chars):huawei
  New Password(length<6,15>):test02//The password is not displayed on the console.
  Confirm Password(length<6,15>):test02//The password is not displayed on the console.
  Information takes effect
  Repeat this operation? (y/n)[n]:n
huawei(config)#terminal user user-profile
  User Name(<=15 chars):huawei
  Permitted user-profile[root]:operator
  Confirm user-profile:operator
  Configuration will take effect when the user logs on next time.
  Repeat this operation? (y/n)[n]:n
huawei(config)#terminal user level
  User Name(<=15 chars):huawei
      1. Common User  2. Operator:
  User's Level:2
  Confirm Level:2
  Information will take effect when this user logs on next time
  Repeat this operation? (y/n)[n]:n
huawei(config)#terminal user reenter
  User Name(<=15 chars):huawei
  Permitted Reenter Number(0--4):4
  Confirm Reenter Number(0--4):4
  Information will take effect when this user logs on next time
  Repeat this operation? (y/n)[n]:n
huawei(config)#terminal user apdinfo
  User Name(<=15 chars):huawei
  User's Appended Info(<=30 chars):operator
  Information takes effect
  Repeat this operation? (y/n)[n]:n
huawei(config)#display terminal user name huawei
  ----------------------------------------------------------------------------
  Name      Level     Status    Reenter  Profile   Append
                                Num                Info
  ---------------------------------------------------------------------------
  huawei    Operator  Offline   4        operator  operator
  ----------------------------------------------------------------------------

1.3.14 Configuring the System Time
This topic describes how to configure the system time, time zone, time stamp, NTP (Network Time Protocol), and start/end time of the daylight saving time (DST) of the MA5600T to ensure that they are consistent with those in the actual condition.

Procedure
Step 1 Configure the system time.
Run the display time command to query the current system time. If the system time is consistent with the local standard time, you need not change it. If the system time is inconsistent with the local standard time, run the time command to change the system time.
Step 2 Configure the system time zone.
Run the display timezone command to query the current system time zone. If the system time zone is consistent with the local standard time zone, you need not change it. If the system time zone is inconsistent with the local standard time zone, run the timezone command to change the system time zone.
NOTE
• The system time zone includes the eastern time zone and the western time zone. "GMT+" indicates the eastern time zone, that is, the local time is ahead of the Greenwich time. "GMT-" indicates the western time zone, that is, the local time is behind the Greenwich time.
• By default, the system time zone is GMT+08:00.
Step 3 Configure the system time stamp, namely the displayed time format of the SNMP interface.
Run the display time time-stamp command to query the time stamp between the NMS and the NE. If the system time stamp is

l In the client/server mode. Run the display time dst command to query the current start/end time of the DST of the system. l Run the ntp-service unicast-server command to configure the NTP unicast server mode. peer. l In the client/server mode. Example To set the time stamp between the NMS and the NE to use the UTC time. this device and other devices can be set to synchronized from each other.. 61 . run the time dst command to change the start/end time of the DST. In addition. you need to configure only the client and the NTP master clock of the server. l The clock stratum of the synchronizing device must be smaller than that of the synchronized device. ----End Result The system time. l The device that runs the NTP protocol can be synchronized to other clock sources or function as the clock source for synchronizing other clocks. the device uses the network clock to adjust the time. Ltd. and multicast working modes. time zone. When the device works in the client mode. you need not change it.20. the clock synchronization fails. If the system time stamp is inconsistent with the actual data plan. If the start/end time of the DST is inconsistent with the actual start/end time of the DST. l The Layer 3 interface and the interface IP address must be available for the client and the server to communicate with each other. Step 4 Configure NTP to ensure that the clock of all devices in the network is the same. time stamp. see 2. you need not change it. do as follows: huawei#time time-stamp { local<K>|utc<K> }:utc Command: time time-stamp utc Assume that the current time zone of MA5600T A is GMT+7:00.20. the time type is the NE local time. broadcast. run the time time-stamp command to change the system time stamp. and VLAN interface 2 is used to sent a clock synchronization request packet to MA5600T B (the IP address is 10. NOTE l The NTP protocol supports the client/server. If you need to set the working mode to other modes. 
and specify the IP address of the remote server that functions as the local time server and the interface for transmitting and receiving NTP packets. Otherwise. If the start/end time of the DST is consistent with the actual start/end time of the DST. NTP. By default.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 1 Commissioning consistent with the actual data plan. Step 5 Configure the start/end time of the DST. NOTE The time type of the SNMP interface between the NMS and the NE are categorized as UTC time and NE local time. the client is synchronized to the server but the server will not be synchronized to the client.3 Configuring the Network Time. l (Optional) Run the ntp-service refclock-master command to configure the NTP master clock. The following uses the client/server mode as an example. and start/end time of the DST are consistent with those in the actual condition.20/24 and the device works at layer 4) that Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. you need not set the system time and the device is automatically synchronized to the remote server.

functions as the NTP server. The start time is 00:00:00 on May 1, the end time is 00:00:00 on September 30, and the adjust time is 1:00. That is, if the local time is 5:00, the time is adjusted to 6:00. To set the DST, do as follows:
huawei(config)A#timezone GMT+ 7:00
huawei(config)B#ntp-service refclock-master 4
huawei(config)A#ntp-service unicast-server 10.20.20.20 source-interface vlanif 2
huawei(config)A#time dst start 5-1 00:00:00 end 9-30 00:00:00 adjust 1:00

Assume that the current time zone of MA5600T A is GMT-4:00, the local time is used, the current time is 2010-01-01 12:10:10. The start time is 00:00:00 on May 1, the end time is 00:00:00 on September 30, and the adjust time is 2:00. That is, if the local time is 5:00, the time is adjusted to 7:00. To set the DST, do as follows:
huawei(config)A#timezone GMT- 4:00
huawei(config)A#time 2010-01-01 12:10:10
huawei(config)A#time dst start 5-1 00:00:00 end 9-30 00:00:00 adjust 2:00

1.3.15 Commissioning the EMU
The MA5600T monitors various environment parameters (including the temperature, humidity, and voltage of the power supply) to ensure that the MA5600T can work stably in a proper environment. This topic describes how to commission the environment monitoring unit (EMU).

Commissioning the EMU_CITB
This topic describes how to commission the H801CITB card to ensure that it accurately monitors the ambient conditions of the device.

Context
The H801CITB card is a universal interface card. It monitors environment parameters such as humidity, voltage, fire, smoke, water, and power supply through various sensors.

Table 1-15 lists the default configuration of the H801CITB card.

Points of attention when commissioning H801CITB cards:
• The EMU sub-nodes are numbered from 0 to 31.
• When the system is configured with multiple EMUs, ensure that the sub-nodes do not conflict with each other.

Table 1-15 Default configuration of the H801CITB card

Parameter: Sub-node
Default Value: 20

Parameter: Digital parameters
Default Value: CITB digital parameter IDs
• Allocated by default (unable to be changed by a user)
  – 0: FAN
  – 1: load fuse
• User-defined IDs
  – 2-8: allocated to other extended digital sensors.

Parameter: Definitions of user-defined alarm indexes
Default Value: 1: AC voltage, 2: AC switch, 3: Battery voltage, 4: Battery fuse, 5: Load fuse, 6: Rectifier, 7: DC power, 8: Room door, 9: Room door, 10: Thief, 11: Thief, 12: Wiring, 13: Fan, 14: Fire, 15: Fog, 16: Water, 17: Diesel, 18: Odor, 19: Air-condition, 20: Arrester

Procedure
Step 1 Insert the H801CITB card into the corresponding slot.
Step 2 Run the emu add command to add an H801CITB card. The default sub-node ID is 31.
Step 3 Run the interface emu command to enter the H801CITX mode.
Step 4 Run the citx digital command to set the digital parameters.
Step 5 Run the save command to save the data.
----End

Result
• After the configuration, the RUN ALM LED on the H801CITB card turns green and is on for 1s and off for 1s repeatedly, which indicates that the H801CITB card is accurately monitoring the environment.
• In the H801CITX mode, run the display citx system parameter command to check whether the EMU information is the same as the data plan.
• Close the doors of the cabinet and query alarms. Ensure that none of the monitoring alarms are generated.

Example
Add an H801CITB card and set its digital parameters (set the user-defined digital parameter ID to 7, set the door status alarm ID to 8, set the alarm name to Door_1, and set the available level of the alarm to high level), do as follows:
huawei(config)#emu add 1 H801CITX 0 15 H801CITX
huawei(config)#interface emu 1
huawei(config-if-h801citx-1)#citx digital 7 digital-alarm 8 name Door_1 availablelevel high-level
huawei(config-if-h801citx-1)#display citx system parameter
  EMU ID: 1                        Citx system parameter
  ----------------------------------------------------------------------------
  DigitalID  Name       Level  |DigitalID  Name       Level
  0          FAN        1      | 1         Load fuse  1
  2                     1      | 3                    1
  4                     1      | 5                    1
  6                     1      | 7         Door_1     1
  8                     1
  ----------------------------------------------------------------------------

Commissioning the EMU_FAN
This topic describes how to commission the FAN to ensure that it accurately monitors the running status of fans on the device.

Context
The fan tray is used to accurately monitor the running status of fans and correctly set the fan rotation speed to ensure the proper heat dissipation of the device.
NOTE
When the device is delivered, the EMU_FAN is already correctly connected to the shelf. The connection does not need to be changed during device commissioning.

Table 1-16 lists the default settings of a fan tray.

Points of attention when commissioning the FAN:
• The EMU sub-nodes are numbered from 0 to 31.
• When the system is configured with multiple EMUs, ensure that all the sub-nodes do not conflict with each other.
• It is recommended that you use the auto mode as the fan speed adjustment mode.

Table 1-16 Default setting of a FAN

Parameter                  Default Value
Sub-node                   1
Fan speed adjustment mode  Automatic
Report fan alarm           Permit

Procedure
Step 1 Insert the fan tray into the corresponding slot of the service shelf.
Step 2 Run the emu add command to add a FAN. The default sub-node ID is 1.
Step 3 Run the interface emu command to enter the FAN mode.
Step 4 Run the fan speed mode command to set the fan speed adjustment mode. The default fan speed adjustment mode is set to automatic.
NOTE
When the fan speed adjustment mode is the manual mode, it is possible to run the #GUID54A2D511-8A06-4A65-8ED6-BC8EFCB484D1_1 command to set the fan speed. The speed level can be 0, 1, 2, 3, 4, 5. Here, 5 stands for the highest level and 0 stands for the lowest level.
Step 5 Run the fan alarmset command to configure the fan alarm reporting function. By default, the fan alarm reporting function is permitted. The fan alarms are read temperature failure alarm, fan block alarm, over temperature alarm, and power failure alarm.
Step 6 Run the save command to save the data.
----End

Result
• In the FAN mode, run the display fan system parameter command to query the parameters of
the fan tray. Ensure that the configuration is the same as the data plan.
• In the FAN mode, run the display fan alarm command to query the alarm information generated
by the fan tray. The states of all the fan alarms are normal.
• In the FAN mode, run the display fan environment info command to query the running status
of fans.

Example
To add a FAN with the default speed adjustment mode and the permitted alarm reporting function,
do as follows:
huawei(config)#emu add 0 FAN 0 1 FAN
huawei(config)#interface emu 0
huawei(config-if-fan-0)#display fan system parameter
EMU ID: 0
FAN configration parameter:
----------------------------------------------------------------------------
FAN timing mode: Auto timing by temperature
----------------------------------------------------------------------------
Alarm_name                 Permit/Forbid
Read temperature fault     Permit
Fan block                  Permit
Temperature high           Permit
Power fault                Permit
----------------------------------------------------------------------------

1.3.16 Configuring the RADIUS server
The MA5600T is interconnected with the RADIUS server using the RADIUS protocol to implement
authentication and accounting.

Background Information
• Principle of RADIUS:
– When a user tries to access another network (or some network resources) by setting up a
connection to the NAS using a network, the NAS forwards the user authentication and
accounting information to the RADIUS server. The RADIUS protocol specifies the means of
transmitting the user information and accounting information between the NAS and the
RADIUS server.
– The RADIUS server receives the connection requests of users sent from the NAS,
authenticates the user account and password contained in the user data, and returns the
required data to the NAS.
• Specification:
– For the MA5600T, the RADIUS is configured based on each RADIUS server group.
– In actual networking, a RADIUS server group can be an independent RADIUS server or a pair
of primary/secondary RADIUS servers with the same configuration but different IP addresses.
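The NAS-to-server exchange described in the Background Information, written out as an added Python example (it is not part of the Huawei guide): the NAS builds an Access-Request, the server checks the account and answers, and the NAS validates the reply with the shared key that the radius-server shared-key command sets. The packet layout, password hiding and Response Authenticator follow RFC 2865; the account, password and keys are constructed values and the function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Hide User-Password: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)          # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, size, 16):
        prev = xor_bytes(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += xor_bytes(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def nas_access_request(ident: int, user: str, password: str, secret: bytes) -> bytes:
    """NAS side: Access-Request with a random 16-byte Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = attribute(USER_NAME, user.encode()) + attribute(
        USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_reply(request: bytes, secret: bytes, accounts: dict) -> bytes:
    """RADIUS server side: check the account, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = parse_attributes(request[20:])
    if USER_NAME not in attrs or USER_PASSWORD not in attrs:
        raise ValueError("missing User-Name or User-Password")
    user = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    ok = user in accounts and hmac.compare_digest(accounts[user], password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def nas_check_reply(reply: bytes, request: bytes, secret: bytes):
    """NAS side: return the reply code if the authenticator verifies, else None."""
    if len(reply) < 20 or reply[1] != request[1]:
        return None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[0] if hmac.compare_digest(reply[4:20], expected) else None


def demo():
    accounts = {"userid@domain-name": b"constructed-pass"}   # constructed account
    key = b"constructed-shared-key"                           # constructed shared key
    req = nas_access_request(7, "userid@domain-name", "constructed-pass", key)
    same_key = nas_check_reply(server_reply(req, key, accounts), req, key)
    mismatched = server_reply(req, b"different-key", accounts)
    return same_key, mismatched[0], nas_check_reply(mismatched, req, key)


if __name__ == "__main__":
    print(demo())
```

Only the User-Password attribute is hidden and only the reply is authenticated with the key; the user name and the other attributes cross the network in clear text.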

Procedure
Step 1 Run the radius-server template command to create an RADIUS server template and enter the
RADIUS server template mode.
Step 2 Run the radius-server authentication command to configure the IP address and the UDP port
ID of the RADIUS server for authentication.
Step 3 Run the radius-server accounting command to configure the IP address and the UDP port ID
of the RADIUS server for accounting.
NOTE
• To guarantee normal communication between the MA5600T and the RADIUS server, before
configuring the IP address and UDP port of the RADIUS server, make sure that the route between
the RADIUS server and the MA5600T is in the normal state.
• Make sure that the configuration of the RADIUS service port of the MA5600T is consistent with
the port configuration of the RADIUS server.
Step 4 Run the radius-server shared-key command to configure the shared key of the RADIUS server.
NOTE
• The RADIUS client (MA5600T) and the RADIUS server use the MD5 algorithm to encrypt the
RADIUS packets. They check the validity of the packets by setting the encryption key. They can
receive the packets from each other and can respond to each other only when their keys are the
same.
• By default, the shared key of the RADIUS server is huawei.
Step 5 (Optional) Run the radius-server timeout command to set the response timeout time of the
RADIUS server. By default, the timeout time is 5s.
The MA5600T sends the request packets to the RADIUS server. If the RADIUS server does not
respond within the response timeout time, the MA5600T re-transmits the request packets to the
RADIUS to ensure that users can get corresponding services from the RADIUS server.
Step 6 (Optional) Run the radius-server retransmit command to set the maximum re-transmit time of
the RADIUS request packets. By default, the maximum re-transmit time is 3.
When the re-transmit time of the RADIUS request packets to a RADIUS server exceeds the maximum
re-transmit time, the MA5600T considers that its communication with the RADIUS server is
interrupted, and thus transmits the RADIUS request packets to another RADIUS server.
Step 7 Run the (undo)radius-server user-name domain-included command to configure the user name
(not) to carry the domain name when transmitted to the RADIUS server. By default, the user name
of the RADIUS server carries the domain name.
• An access user is named in the format of userid@domain-name, and the part after @ is the
domain name. The MA5600T classifies a user into a domain according to the domain name.
• If an RADIUS server group rejects the user name carrying the domain name, the RADIUS server
group cannot be set or used in two or more domains. Otherwise, when some access users in
different domains have the same user name, the RADIUS server considers that these users are the
same because the names transmitted to the server are the same.
Step 8 Run the quit command to return to the global config mode.
Step 9 In the domain mode, run the radius-server template command to use the RADIUS server
template.

NOTE
You can use a RADIUS server template in a domain only after the RADIUS server template is created.
----End

Only the essential parameters are configured for the information exchange between the MA5600T
and the RADIUS server. To make the essential parameters take effect, the RADIUS server group
should be referenced in a certain domain. The detail configuration of the RADIUS Authentication
and Accounting, please see 2.12.3 Configuration Example of the RADIUS Authentication and
Accounting.

1.3.17 Configuring the System Energy-Saving Function
This topic describes how to power off a board that is not configured with any service for a long
time to reduce the system power and thus to reduce the system energy consumption.

Prerequisites
The board must support the power-off mode and the energy-saving mode.

Context
Energy-saving modes include the manual energy-saving mode and automatic energy-saving mode.
• Manual energy-saving mode (powering off a board manually). You can manually power off a board
that is not used in the shelf according to the plan for the energy-saving purpose.
• Automatic energy-saving mode (automatically powering off a board). When the automatic
energy-saving mode is enabled, the board configured with no service and the board whose ports
are all deactivated will be automatically powered off in a certain period. By default, the
system energy-saving mode is disabled.
• To power on a board that is powered off manually, you must run the board power-on command to
manually power it on.
• You can recover the power supply of the board that is automatically powered off in the
following three ways:
– Run the board power-on command to power on the board.
– Run the undo system energy-saving mode command to disable the system energy-saving mode.
When the automatic energy-saving mode is disabled, the system recovers the power supply of the
boards that are automatically powered off.
– Remove the board from the slot that is automatically powered off, and the system determines
that the board is offline and then recovers the power supply of the slot. Then, reinstall the
board.
After the power supply is recovered, the boards are automatically powered on.
When the service is provisioned from the OSS server to a board that is powered off, the system
prompts that the board is currently powered off. In this case, you can manually power on the
board according to the prompt. Similarly, to provision the service to a board that is
automatically powered off, you must manually power on the board or disable the automatic
energy-saving mode.

Procedure
• Set the manual energy-saving mode.
Run the board power-off command to manually power off a board.
• Set the automatic energy-saving mode.

1. Run the system energy-saving mode command to enable the system energy-saving mode. By
default, the system energy-saving mode is disabled. If no service is configured 15 minutes after
the board is confirmed and works normally, the board is powered off automatically.
2. Run the display system energy-saving mode command to query the system energy-saving mode.
• Set high-temperature protection of a board.
1. Run the temperature threshold command to set the high-temperature threshold and
low-temperature threshold of the system. When the temperature of a board exceeds the
high-temperature threshold or low-temperature threshold, the system automatically powers off the
board.
2. Run the display temperature threshold command to query the high-temperature threshold and
low-temperature threshold of the system.
----End

Result
The system energy-saving mode queried is enable. When the temperature of a board exceeds the
high-temperature threshold or low-temperature threshold, the system automatically powers off the
board.

Example
To enable the system energy-saving mode, do as follows:
huawei(config)#system energy-saving mode
Set the energy-saving mode successfully
huawei(config)#display system energy-saving mode
The status of the energy-saving switch: enable

To set the high-temperature threshold of the system to 70°C and low-temperature threshold of the
system to 10°C, do as follows:
huawei(config)#temperature threshold 70 10
huawei(config)#display temperature threshold
The temperature threshold of the system:
Up-limit : 70C( 158F)
Down-limit: 10C( 50F)

1.3.18 Checking the Configuration of the Auto-Save Function
This topic describes how to check the configuration of the auto-save function on the MA5600T,
which prevents data loss in case of unexpected restart.

Context
The MA5600T supports two auto-save modes. One mode is that the data is automatically saved at
certain intervals by running the autosave interval command (that is, auto-save at intervals),
and the other mode is that the data is automatically saved at preset time by running the
autosave time command (that is, auto-save at preset time). These two auto-save modes conflict
with each other, and the auto-save at intervals is recommended.

Saving data frequently affects the system performance. It is recommended that you set the
autosave interval to 1440 minutes or longer.
You can run the save command to save the system data in real time regardless of whether the
auto-save function is enabled.
Table 1-17 lists the default configuration of the auto-save function.

Table 1-17 Default configuration of the auto-save function
Parameter                                 Default Value
Parameters of auto-save at intervals      • Switch of auto-save at intervals: off
                                          • Auto-save interval: 1440 minutes
                                          • Interval of changing configuration data: 30 minutes
Parameters of auto-save at preset time    • Switch of auto-save at preset time: off
                                          • Auto-save time: 00:00:00

Procedure
Step 1 Run the display autosave configuration command to query the status of the auto-save
function. If the auto-save function is enabled, go to step 3. If the auto-save function is
disabled, proceed to step 2.
Step 2 Enable the function of auto-save. By default, the auto-save function is disabled.
• If the auto-save at intervals is selected, run the autosave interval on command to enable the
function of auto-save at intervals.
• If the auto-save at preset time is selected, run the autosave time on command to enable the
function of auto-save at preset time.
NOTE
Auto-save at intervals and auto-save at preset time conflict with each other. Therefore, before
enabling an auto-save function, you must run the autosave time off or autosave interval off
command to disable the other auto-save function.
Step 3 Configure the auto-save parameters.
• If the auto-save at intervals is selected, run the autosave interval command to set the
autosave interval. By default, the auto-save interval is 1440 minutes, and the interval of saving
the changed configuration data is 30 minutes.
• If the auto-save at preset time is selected, run the autosave time command to set the autosave
time. By default, the auto-save time is 00:00:00.
Step 4 Configure the type of the file. Run the autosave type command to select the type of a file
that is saved automatically. Files that can be automatically saved include three types: data
files, configuration files, database files and configuration files.
Step 5 Run the display autosave configuration command to check whether the configuration of the
auto-save function is the same as the actual data plan.
----End

Result
The configuration of the auto-save function is the same as the actual data plan.

Example
To enable the function of auto-save at intervals, and set the interval to 1600 minutes, do as
follows:
huawei#autosave interval on
System autosave interval switch: on
Autosave interval: 1440 minutes
Autosave type: data
System autosave modified configuration switch: on
Autosave interval: 30 minutes
Autosave type: data
huawei#autosave interval
{ configuration<K>|time<U><10,10080>|value<E><on,off> }:1600
Command:
autosave interval 1600
System autosave interval switch: on
Autosave interval: 1600 minutes
Autosave type: data

1.3.19 Saving the Data
This topic describes how to save the data in the flash memory to prevent data loss in case of
unexpected restart.

Precautions
• During the command running, the system displays the corresponding prompt. Do not power
off or restart the system before the saving process is complete. Otherwise, the data in the
flash memory may be damaged.
• Saving the data frequently affects the system performance.

Procedure
Step 1 In the privilege mode, run the save command to save the database file and the configuration file
of the current system in the flash memory.
----End

Result
When the data is saved successfully, the system displays the corresponding prompt.

Example
To save the database file and the configuration file to the flash memory manually, do as follows:
huawei#save
{ <cr>|configuration<K>|data<K> }:
Command:
save
huawei#

It will take several minutes to save configuration file, please wait...
huawei#
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
huawei#
The data is being saved, please wait a moment...

1.3.20 Backing Up System Files
When the first deployment or upgrade is complete, you need to back up the database file and
the configuration file so that the system can be easily recovered in case of a fault.

Prerequisites
If the maintenance Ethernet port is used to back up the system file, ensure that:
• The Ethernet port of the maintenance terminal must be connected to the maintenance
Ethernet port on the MA5600T using a crossover cable. In addition, the IP address of the
maintenance terminal and the IP address of the maintenance Ethernet port on the device
must be in the same subnet.
• The application program that is used for backing up the system file is installed on the
maintenance terminal, such as the TFTP, SFTP, or FTP program. In this topic, the TFTP
program is considered as an example.

Procedure
Step 1 Run the TFTP program on the maintenance terminal, and set the path for saving the backup files.
By default, the backup files are saved to the installation path of the TFTP software.
NOTE

The system supports a system backup using either the serial port or the maintenance Ethernet port. The
backup using the serial port uses the Xmodem protocol, and the backup using the maintenance Ethernet
port uses the TFTP, SFTP, or FTP protocol. For details about the configuration of Xmodem/TFTP/SFTP/
FTP, see Contacting Huawei for Assistance.

Step 2 In the privilege mode, run the save command to save the data.
Step 3 In the privilege mode, run the backup data command to back up the database file.
Step 4 In the privilege mode, run the backup configuration command to back up the configuration
file.
----End

Result
After the backup is completed, you can locate the files backed up in the path that you set.

Example
To back up the database file to the TFTP server (IP address: 10.10.1.2) using TFTP, and name
the file 2009070101.txt, do as follows:
huawei#backup data tftp 10.10.1.2 2009070101.txt

To back up the configuration file to the TFTP server (IP address: 10.10.1.2) using TFTP, and
name the file 2009070102.txt, do as follows:
huawei#backup configuration tftp 10.10.1.2 2009070102.txt


1.4 Interconnection Commissioning
The MA5600T provides multiple interfaces for interconnection. This topic describes the
interconnection commissioning of the MA5600T.

1.4.1 Commissioning the Interconnection with the NMS
The MA5600T provides the function of interconnecting with the network management system,
with which the administrator can maintain and manage the MA5600T using the NMS. This topic
considers the iManager NMS Network Management System as an example to describe how to
perform the interconnection commissioning between the NMS and the MA5600T in the inband
mode and the outband mode.

Commissioning Inband Network Management
This topic describes how to implement the inband network management on the MA5600T using
the upstream port (inband network management port). This enables the NMS to maintain the
MA5600T using this management channel. In the inband network management mode, the service
channel of the device is used to transmit the management information. The network is flexible
and requires no additional devices, which helps save the cost for carriers. This network, however,
is difficult to maintain.

Service Requirements
In the network as shown in Figure 1-34, the service requirements are as follows:
• The MA5600T provides the inband network management using the upstream port.
• The upstream port of the GIU board on the MA5600T is used as the inband network
management port.
• A static route is used between the MA5600T and the NMS.
• SNMP V3 is used (more reliable than V1 and V2, providing network security and access
control management functions).

Figure 1-34 Example network for the inband network management

Figure 1-35 shows the flowchart for commissioning the inband network management.

Figure 1-35 Flowchart for commissioning the inband network management

Procedure
• Commission the inband network management on the device.
1. Configure the IP address of the inband network management port.
The upstream port (inband network management port) is 0/17/0, the VLAN ID is 1000,
the VLAN type is standard VLAN, and the IP address is 10.50.1.10/24.
huawei(config)#vlan 1000 standard
huawei(config)#port vlan 1000 0/17 0
huawei(config)#interface vlanif 1000
huawei(config-if-vlanif1000)#ip address 10.50.1.10 255.255.255.0
huawei(config-if-vlanif1000)#quit
NOTE

If the packet transmitted from the upstream port is untagged, run the native-vlan command to
configure the native VLAN of the upstream port to be the same as the VLAN of the upstream
port.

2. Add a route for the inband network management.
Use the static route. The destination IP address is 10.10.1.0/24 (the network segment
to which the NMS belongs), and the gateway IP address is 10.50.1.1/24 (the IP address
of the gateway of the MA5600T).
huawei(config)#ip route-static 10.10.1.0 24 10.50.1.1

3. Set the SNMP parameters.
a. Configure the SNMP user, group, and view.
The user name is user1, the group name is group1, the user authentication mode
is MD5, the authentication password is authkey123, the user encryption mode
is des56, the encryption password is prikey123, the read and write view names
are hardy, and the view includes the internet subtree.
huawei(config)#snmp-agent usm-user v3 user1 group1
authentication-mode md5 authkey123 privacy-mode des56 prikey123
huawei(config)#snmp-agent group v3 group1 privacy read-view hardy
write-view hardy
huawei(config)#snmp-agent mib-view hardy include internet

b. (Optional) Set the ID and contact means of the administrator.
The contact means of the administrator is HW-075528780808.
huawei(config)#snmp-agent sys-info contact HW-075528780808

c. (Optional) Set the location of the device.
The location of the device is Shenzhen_China.
huawei(config)#snmp-agent sys-info location Shenzhen_China

d. (Optional) Configure the engine ID of the SNMP entity.
The engine ID of the SNMP entity is set to 0123456789.
NOTE

The context engine ID of the SNMP must be the same as that on the NMS.
huawei(config)#snmp-agent local-engineid 0123456789

e. Set the SNMP version.
The SNMP version is SNMP V3.
NOTE

The SNMP version must be the same as the SNMP version set on the NMS.
huawei(config)#snmp-agent sys-info version v3

4. Enable the function of sending traps.
On the MA5600T, enable the function of sending traps to the NMS.
huawei(config)#snmp-agent trap enable standard

5. Configure the IP address of the destination host for the traps.
The host name is huawei, the IP address of the host is 10.10.1.10/24 (IP address of
the NMS), the trap parameter name is ABC, the SNMP version is V3, the parameter
security name is user1 (when the SNMP V3 is used, the parameter security name is
the USM user name), and the traps are authenticated and encrypted.
huawei(config)#snmp-agent target-host trap-hostname huawei
address 10.10.1.10 trap-paramsname ABC
huawei(config)#snmp-agent target-host trap-paramsname
ABC v3 securityname user1 privacy

6. Configure the IP address of the VLAN interface as the source address for sending
traps.
Enable the forwarding of the SNMP packets from the Layer 3 interface of VLAN 1000
of the MA5600T.
huawei(config)#snmp-agent trap source vlanif 1000

7. Save the data.
huawei(config)#save

• Commission the inband network management on the NMS.
1. Configure the gateway of the route from the NMS server to network segment
10.50.1.0/24 to 10.10.1.1.
– In the Solaris OS, do as follows:

Run the route add 10.50.1.0 10.10.1.1 command to add a route.
Run the netstat -r command to query the information about the current routing
table.
– In the Windows OS, do as follows:
Run the route add 10.50.1.0 mask 255.255.255.0 10.10.1.1 command to add a
route.
Run the route print command to query the information about the current routing
table.
NOTE

When the IP address of the network management port and the IP address of the NMS are in
the same network segment, you need not configure the routing information.

2. Set the SNMP parameters.
a. Choose Administration > NE Communicate Parameter > Default Access
Protocol Parameters from the main menu.
b. On the NE Access Parameters tab page, click Reset. In the dialog box that is
displayed, click the corresponding tab, and then click Add.
c. Choose SNMP v3 Parameter, set the SNMP parameters in the lower pane, as
shown in Figure 1-36.

Figure 1-36 Set the SNMP parameters

After selecting corresponding protocols in Priv Protocol and Auth Protocol,
click
next to the parameter, and set the passwords of data encryption protocol
and authentication protocol, as shown in Figure 1-37.

Figure 1-37 Set the password

NOTE

NE User, Context Engine ID, Priv Protocol and password, and Auth Protocol and
password must be the same as those configured on the MA5600T. You can run the display
snmp-agent usm-user command to query the device user, data encryption protocol, and
authentication protocol on the MA5600T and run the display snmp-agent local-engineid
command to query the context engine ID on the MA5600T.

d. Click OK.
e. Select the added SNMP parameters. Click OK.
f. In the dialog box that is displayed, click Yes to test the set SNMP parameters.
g. The NMS displays the Loading dialog box. After the testing is complete, click
OK.

3. Add a device.
a. In the Physical Root navigation tree on the Main Topology tab page, right-click
and choose New > NE from the shortcut menu.
b. In the dialog box that is displayed, choose Access NE > Access NE from the
main menu.
c. In the dialog box that is displayed, set the required parameters, as shown in
Figure 1-38.
IP address is 10.50.1.10, Device Name is huawei, SNMP Parameters is SNMP
V3:default.

Figure 1-38 Add device

4. Click OK. The system prompts a message indicating that several seconds or some 10
minutes are required for uploading the device data. After the related data is read, the
system automatically refreshes and displays the device icon.

----End

Result
You can maintain and manage the MA5600T using the NMS.

Configuration File
The following describes the script for commissioning the inband network management on the
device.
vlan 1000 standard
port vlan 1000 0/17 0
interface vlanif 1000
ip address 10.50.1.10 255.255.255.0
quit
ip route-static 10.10.1.0 24 10.50.1.1
snmp-agent usm-user v3 user1 group1 authentication-mode md5 authkey123 privacy-mode
des56 prikey123
snmp-agent group v3 group1 privacy read-view hardy write-view hardy
snmp-agent mib-view hardy include internet
snmp-agent sys-info contact HW-075528780808
snmp-agent sys-info location Shenzhen_China
snmp-agent sys-info version v3

snmp-agent trap enable standard
snmp-agent target-host trap-hostname huawei address 10.10.1.10 trap-paramsname ABC
snmp-agent target-host trap-paramsname ABC v3 securityname user1 privacy
snmp-agent trap source vlanif 1000
save
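A check over the commissioning script above, as an added Python example (it is not Huawei's tooling): it rejoins wrapped lines and reports the settings a reviewer would question before the script is reused in production, namely MD5 authentication, DES-56 privacy, passwords copied from this guide, SNMP security levels below privacy, and the default RADIUS shared key huawei. The rule names are hypothetical, and the radius-server shared-key line in the sample assumes the key follows the command word.

```python
# Constructed input: the guide's "Configuration File" script, including its
# wrapped usm-user line, plus one RADIUS line whose syntax is an assumption.
SAMPLE_SCRIPT = """\
vlan 1000 standard
port vlan 1000 0/17 0
interface vlanif 1000
ip address 10.50.1.10 255.255.255.0
quit
ip route-static 10.10.1.0 24 10.50.1.1
snmp-agent usm-user v3 user1 group1 authentication-mode md5 authkey123 privacy-mode
des56 prikey123
snmp-agent group v3 group1 privacy read-view hardy write-view hardy
snmp-agent mib-view hardy include internet
snmp-agent sys-info version v3
snmp-agent trap enable standard
snmp-agent target-host trap-hostname huawei address 10.10.1.10 trap-paramsname ABC
snmp-agent target-host trap-paramsname ABC v3 securityname user1 privacy
radius-server shared-key huawei
save
"""

# First words that start a command in this script; any other first word is
# treated as the continuation of a wrapped line (a heuristic for this format).
COMMAND_WORDS = {"vlan", "port", "interface", "ip", "quit",
                 "snmp-agent", "radius-server", "save"}
DOC_SAMPLE_PASSWORDS = {"authkey123", "prikey123"}   # values printed in the guide
RADIUS_DEFAULT_KEY = "huawei"                        # default stated in the guide


def join_wrapped(text):
    """Return one string per command, gluing wrapped lines back together."""
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if commands and line.split()[0] not in COMMAND_WORDS:
            commands[-1] += " " + line
        else:
            commands.append(line)
    return commands


def after(tokens, keyword, offset=1):
    """Token `offset` places after keyword, or None if absent."""
    if keyword in tokens:
        i = tokens.index(keyword) + offset
        if i < len(tokens):
            return tokens[i]
    return None


def audit(text):
    """Return a list of (rule, subject) findings for the script."""
    findings = []
    for cmd in join_wrapped(text):
        t = cmd.split()
        name = t[3] if len(t) > 3 else "?"
        if t[:3] == ["snmp-agent", "usm-user", "v3"]:
            auth = after(t, "authentication-mode")
            priv = after(t, "privacy-mode")
            if auth in (None, "md5"):        # no authentication, or legacy MD5
                findings.append(("snmp-auth-" + (auth or "none"), name))
            if priv in (None, "des56"):      # no encryption, or 56-bit DES key
                findings.append(("snmp-priv-" + (priv or "none"), name))
            for kw in ("authentication-mode", "privacy-mode"):
                if after(t, kw, 2) in DOC_SAMPLE_PASSWORDS:
                    findings.append(("doc-sample-password", name + " " + kw))
        elif t[:3] == ["snmp-agent", "group", "v3"]:
            if t[4:5] != ["privacy"]:        # group not held to auth + encryption
                findings.append(("snmp-group-without-privacy", name))
        elif t[:3] == ["snmp-agent", "sys-info", "version"]:
            if t[3:] != ["v3"]:              # anything other than v3 alone
                findings.append(("snmp-version-not-v3-only", " ".join(t[3:])))
        elif t[:3] == ["snmp-agent", "target-host", "trap-paramsname"]:
            if t[-1] != "privacy":           # traps not authenticated + encrypted
                findings.append(("trap-without-privacy", name))
        elif t[:2] == ["radius-server", "shared-key"]:
            if after(t, "shared-key") == RADIUS_DEFAULT_KEY:
                findings.append(("radius-default-shared-key", "template"))
    return findings


if __name__ == "__main__":
    for rule, subject in audit(SAMPLE_SCRIPT):
        print(rule, subject)
```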

Commissioning Outband Network Management
This topic describes how to implement the outband network management on the MA5600T using
the local maintenance Ethernet port (outband network management port). This enables the
U2000 to maintain the MA5600T using this management channel. In the outband network
management mode, a non-service channel is used to transmit the management information. With
the use of the non-service channel, the management channel is separated from the service
channel, which is more reliable than in the inband network management mode.

Service Requirements
In the network as shown in Figure 1-39, the service requirements are as follows:
• The MA5600T provides the outband network management channel using the local
maintenance Ethernet port.
• A static route is used between the MA5600T and the NMS.
• SNMP V3 is used (more reliable than V1 and V2, providing network security and access
control management functions).

Figure 1-39 Example network for the outband network management

Figure 1-40 shows the flowchart for commissioning the outband network management on the
device.


Figure 1-40 Flowchart for commissioning the outband network management on the device

Procedure
• Commission the outband network management on the device.
1. Configure the IP address of the maintenance Ethernet port.
The IP address of the local maintenance Ethernet port (outband network management
port) of the MA5600T is 10.50.1.10/24.
NOTE
By default, the IP address of the maintenance Ethernet port (ETH port on the control board)
is 10.11.104.2, and the subnet mask is 255.255.255.0.
huawei(config)#interface meth 0
huawei(config-if-meth0)#ip address 10.50.1.10 255.255.255.0
huawei(config-if-meth0)#quit

2. Add a route for the outband network management.
Use the static route. The destination IP address is 10.10.1.0/24 (the network segment
to which the U2000 belongs), and the gateway IP address is 10.50.1.1/24 (the IP address
of the gateway of the MA5600T).
huawei(config)#ip route-static 10.10.1.0 24 10.50.1.1

3. Set the SNMP parameters.
a. Configure the SNMP user, group, and view.
The user name is user1, the group name is group1, the user authentication mode
is MD5, the authentication password is authkey123, the user encryption mode

is des56, the encryption password is prikey123, the read and write view names
are hardy, and the view includes the internet subtree.
huawei(config)#snmp-agent usm-user v3 user1 group1
authentication-mode md5 authkey123 privacy-mode des56 prikey123
huawei(config)#snmp-agent group v3 group1 privacy read-view hardy
write-view hardy
huawei(config)#snmp-agent mib-view hardy include internet

b. (Optional) Set the ID and contact means of the administrator.
The contact means of the administrator is HW-075528780808.
huawei(config)#snmp-agent sys-info contact HW-075528780808

c. (Optional) Set the location of the device.
The location of the device is Shenzhen_China.
huawei(config)#snmp-agent sys-info location Shenzhen_China

d. (Optional) Configure the engine ID of the SNMP entity.
The engine ID of the SNMP entity is set to 0123456789.
NOTE
The context engine ID of the SNMP must be the same as that on the NMS.
huawei(config)#snmp-agent local-engineid 0123456789

e. Set the SNMP version.
The SNMP version is SNMP V3.
NOTE
The SNMP version must be the same as the SNMP version set on the NMS.
huawei(config)#snmp-agent sys-info version v3

4. Enable the function of sending traps.
On the MA5600T, enable the function of sending traps to the NMS.
huawei(config)#snmp-agent trap enable standard

5. Configure the IP address of the destination host for the traps.
The host name is huawei, the IP address of the host is 10.10.1.10/24 (IP address of
the NMS), the trap parameter name is ABC, the SNMP version is V3, the parameter
security name is user1 (when the SNMP V3 is used, the parameter security name is
the USM user name), and the traps are authenticated and encrypted.
huawei(config)#snmp-agent target-host trap-hostname huawei
address 10.10.1.10 trap-paramsname ABC
huawei(config)#snmp-agent target-host trap-paramsname
ABC v3 securityname user1 privacy

6. Set the IP address of the maintenance Ethernet port as the source IP address for
sending traps.
Set the SNMP packets to be forwarded from the maintenance Ethernet port of the
MA5600T. That is, the source address of the traps is meth 0.
huawei(config)#snmp-agent trap source meth 0

7. Save the data.
huawei(config)#save

• Commission the outband network management on the NMS.
1. Configure the gateway of the route from the NMS server to network segment
10.50.1.0/24 to 10.10.1.1.
– In the Solaris OS, do as follows:
Run the route add 10.50.1.0 10.10.1.1 command to add a route.

you need not configure the routing information. NOTE When the IP address of the network management port and the IP address of the NMS are in the same network segment.1. Figure 1-41 Set the SNMP parameters After selecting corresponding protocols in Priv Protocol and Auth Protocol. next to the parameter. In the dialog box that is displayed. – In the Windows OS. Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. c. set the SNMP parameters in the lower pane. as shown in Figure 1-41. a.255. Choose SNMP v3 Parameter. and set the passwords of data encryption protocol click and authentication protocol.1. and then click Add. as shown in Figure 1-42. do as follows: Run the route add 10. Choose Administration > NE Communicate Parameter > Default Access Protocol Parameters from the main menu. 81 .10.0 10. 2.1 command to add a route.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 1 Commissioning Run the netstat -r command to query the information about the current routing table. Run the route print command to query the information about the current routing table..0 mask 255. Set the SNMP parameters. Ltd. b. On the NE Access Parameters tab page.255.50. click Reset. click the corresponding tab.

choose Access NE > Access NE from the main menu. The NMS displays the Loading dialog box. and Auth Protocol and password must be the same as those configured on the MA5600T. Device Name is huawei. SNMP Parameters is SNMP V3:default. c. Click OK. right-click and choose New > NE from the shortcut menu. After the testing is complete. Click OK. In the dialog box that is displayed. Priv Protocol and password. f. In the Physical Root navigation tree on the Main Topology tab page. In the dialog box that is displayed.50. as shown in Figure 1-43.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 1 Commissioning Figure 1-42 Set the password NOTE NE User. You can run the display snmp-agent usm-user command to query the device user. set the required parameters. IP address is 10. and authentication protocol on the MA5600T and run the display snmp-agent localengineid command to query the context engine ID on the MA5600T. Select the added SNMP parameters. Add a device. a. 3. click OK.. Ltd. In the dialog box that is displayed. b. Context Engine ID.1. 82 .10. click Yes to test the set SNMP parameters. Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. g. d. data encryption protocol. e.

Figure 1-43 Add device

  4. Click OK.
     The system prompts a message indicating that several seconds or some 10 minutes are required for uploading the device data. After the related data is read, the system automatically refreshes and displays the device icon.
----End

Result
You can maintain and manage the MA5600T using the NMS.

Configuration File
The following describes the script for commissioning the outband network management on the device.
interface meth 0
ip address 10.50.1.10 255.255.255.0
quit
ip route-static 10.10.1.0 24 10.50.1.1
snmp-agent usm-user v3 user1 group1 authentication-mode md5 authkey123 privacy-mode des56 prikey123
snmp-agent group v3 group1 privacy read-view hardy write-view hardy
snmp-agent mib-view hardy include internet
snmp-agent sys-info contact HW-075528780808
snmp-agent sys-info location Shenzhen_China
snmp-agent sys-info version v3
snmp-agent trap enable standard
snmp-agent target-host trap-hostname huawei address 10.10.1.10 trap-paramsname ABC
snmp-agent target-host trap-paramsname ABC v3 securityname user1 privacy
snmp-agent trap source meth 0
save

1.4.2 Commissioning the Interconnection with the Router
This topic describes how to check whether the MA5600T can normally communicate with the router and whether the MA5600T can access the upper-layer device using the router.

Service Requirements
In the network as shown in Figure 1-44, the service requirements are as follows:
- The MA5600T uses the GIU board for upstream transmission.
- By interconnecting with the router, the MA5600T can be interconnected with the upper-layer device by configuring a static route on the MA5600T.
NOTE
For details about how to configure a router, see the related configuration guide.

Figure 1-44 Example network for commissioning the interconnection with the router

Procedure
Step 1 Configure a VLAN.
The VLAN ID is 2, and the VLAN type is smart VLAN.
huawei(config)#vlan 2 smart
Step 2 Add an upstream port to the VLAN.
Upstream port 0/17/0 is added to VLAN 2.
huawei(config)#port vlan 2 0/17 0
NOTE
If the packet transmitted from the upstream port is untagged, run the native-vlan command to configure the native VLAN of the upstream port to be the same as the VLAN of the upstream port.
Step 3 Configure the IP address of the Layer 3 interface.
The Layer 3 interface IP address is 10.50.1.10/24, and this IP address must be in the same network segment as the gateway IP address (IP address of the router port that is connected to the MA5600T).

huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.50.1.10 255.255.255.0
huawei(config-if-vlanif2)#quit
Step 4 Add a static route.
The destination IP address is 10.10.1.0/24, and the next-hop IP address is gateway IP address 10.50.1.1.
huawei(config)#ip route-static 10.10.1.0 24 10.50.1.1
Step 5 Save the data.
huawei(config)#save
----End

Result
After the MA5600T is interconnected with the router successfully, you can ping IP address 10.1.12 from the MA5600T.

Configuration File
vlan 2 smart
port vlan 2 0/17 0
interface vlanif 2
ip address 10.50.1.10 255.255.255.0
quit
ip route-static 10.10.1.0 24 10.50.1.1
save

1.4.3 Commissioning the Management Channel Between the OLT and the GPON MDU
This topic describes how to commission the management channel between the MA5600T and the GPON MDU to ensure that you can log in to the GPON MDU using the MA5600T at the CO to remotely maintain and manage the GPON MDU.

Service Requirements
In the network as shown in Figure 1-45, the service requirements are as follows:
- A GPON port on the MA5600T is connected to 128 MDUs using an optical splitter.
- The DBA profile is used to limit the user rate to the fixed 10 Mbit/s bandwidth.
- After the management channel between the MA5600T and the GPON MDU is set up, you can log in to the MDU using port 0/4/0 connected to the MDU to remotely maintain and manage the MDU.
NOTE
The following considers MDU 0 as an example for commissioning the management channel between the OLT and the GPON MDU.

Figure 1-45 Example network for commissioning the management channel between the OLT and the GPON MDU

Figure 1-46 shows the flowchart for commissioning the management channel between the OLT and the GPON MDU.

Figure 1-46 Flowchart for commissioning the management channel between the OLT and the GPON MDU

Procedure
Step 1 Create a VLAN.
The VLAN ID is 20, and the VLAN type is smart VLAN.

huawei(config)#vlan 20 smart
Step 2 Add an upstream port to the VLAN.
Upstream port 0/17/0 on the GIU board is added to VLAN 20.
huawei(config)#port vlan 20 0/17 0
Step 3 Configure the IP address of the Layer 3 interface.
The Layer 3 IP address is 192.168.1.100/24.
huawei(config)#interface vlanif 20
huawei(config-if-vlanif20)#ip address 192.168.1.100 255.255.255.0
huawei(config-if-vlanif20)#quit
Step 4 Add a DBA profile.
The DBA profile ID is 12, the DBA profile uses the default name DBA-profile_12, the bandwidth type is type1 (fixed bandwidth), and the user rate is the fixed 10 Mbit/s bandwidth.
NOTE
- The bandwidth type and the attribute of the DBA profile must be compatible with the service to be carried.
- The system supports five DBA profile types, namely, type1 (fixed bandwidth), type2 (assured bandwidth), type3 (assured bandwidth+maximum bandwidth), type4 (maximum bandwidth), and type5 (fixed bandwidth+assured bandwidth+maximum bandwidth).
- By default, the system provides DBA profiles 1 to 9, each of which provides typical values for traffic parameters. By default, T-CONT 0 is bound with DBA profile 1.
- You can run the display dba-profile command to query the information about the DBA profile.
- The value of the bandwidth you input when adding the DBA profile rounds down to the nearest integer multiple of 64. For example, if the input bandwidth value is 1022 kbit/s, the actual bandwidth is 960 kbit/s.
huawei(config)#dba-profile add profile-id 12 type1 fix 10240
Step 5 Configure an MDU line profile.
The MDU line profile ID is 5, T-CONT 1 is bound with DBA profile 12, GEM port 0 is bound to T-CONT 1, the service type is ETH, and the mapping mode is VLAN mapping.
huawei(config)#ont-lineprofile gpon profile-id 5
huawei(config-gpon-lineprofile-5)#tcont 1 dba-profile-id 12
huawei(config-gpon-lineprofile-5)#gem add 0 eth tcont 1
huawei(config-gpon-lineprofile-5)#gem mapping 0 0 vlan 20
huawei(config-gpon-lineprofile-5)#commit
huawei(config-gpon-lineprofile-5)#quit
Step 6 Add an MDU.
MDU 0 is connected to GPON port 0, the SN is 32303131B39FD641, the MDU authentication mode is the SN authentication, the management protocol is SNMP, and MDU profile 5 is bound to MDU 0.
NOTE
You can add an MDU in the following two ways: confirming an auto-discovered MDU and adding an MDU offline. Here, the method of adding an MDU offline is considered as an example. You can also run the port ont-auto-find command to enable the function of auto-discovering an MDU, and then run the ont confirm command to confirm the auto-discovered MDU.
huawei(config)#interface gpon 0/4
huawei(config-if-gpon-0/4)#ont add 0 0 sn-auth 32303131B39FD641 snmp ont-lineprofile-id 5
Step 7 Configure the management IP address of the MDU.
The management IP address is 192.168.1.200/24, and the ID of the native VLAN to which the MDU port belongs is 20.

huawei(config-if-gpon-0/4)#ont ipconfig 0 0 static ip-address 192.168.1.200 mask 255.255.255.0 vlan 20
huawei(config-if-gpon-0/4)#quit
Step 8 Set the SNMP parameters.
Configure the SNMP profile 10. That is, the SNMP version is SNMP V2C, the read community name is public, the IP address of the NMS is 10.10.1.10/24, the port is 162, the parameter security name is user1 (the parameter security name is the write community name), the gateway IP address is 192.168.1.101, and the write community name is private.
huawei(config)#snmp-profile add profile-id 10 v2c public private 10.10.1.10 162 private
huawei(config)#interface gpon 0/4
huawei(config-if-gpon-0/4)#ont snmp-profile 0 0 profile-id 10
huawei(config-if-gpon-0/4)#ont snmp-route 0 0 ip-address 10.10.1.10 mask 255.255.255.0 next-hop 192.168.1.101
huawei(config-if-gpon-0/4)#quit
Step 9 Add a service port to the VLAN.
huawei(config)#service-port vlan 20 gpon 0/4/0 ont 0 gemport 0 multi-service user-vlan 20
Step 10 Save the data.
huawei(config)#save
----End

Result
After the commissioning is complete, you can remotely maintain and manage the MDU using telnet 192.168.1.200.

Configuration File
vlan 20 smart
port vlan 20 0/17 0
interface vlanif 20
ip address 192.168.1.100 255.255.255.0
quit
dba-profile add profile-id 12 type1 fix 10240
ont-lineprofile gpon profile-id 5
tcont 1 dba-profile-id 12
gem add 0 eth tcont 1
gem mapping 0 0 vlan 20
commit
quit
interface gpon 0/4
ont add 0 0 sn-auth 32303131B39FD641 snmp ont-lineprofile-id 5
ont ipconfig 0 0 static ip-address 192.168.1.200 mask 255.255.255.0 vlan 20
quit
snmp-profile add profile-id 10 v2c public private 10.10.1.10 162 private
interface gpon 0/4
ont snmp-profile 0 0 profile-id 10
ont snmp-route 0 0 ip-address 10.10.1.10 mask 255.255.255.0 next-hop 192.168.1.101
quit
service-port vlan 20 gpon 0/4/0 ont 0 gemport 0 multi-service user-vlan 20
save
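The SNMP commands in the commissioning scripts of this guide (SNMP V3 with md5 and des56 keys written into the outband script, a write view over the whole internet subtree, and an SNMP V2C profile with the public and private community names for the MDU) can be reviewed mechanically before a script is applied. The following Python audit is an added example, not part of the Huawei guide: the rule names, the position assumed for the group security-level keyword, and the 192.0.2.10 placeholder address are assumptions, while the command shapes are taken from the scripts above.

```python
import re

# Strips a leading CLI prompt such as "huawei(config)#" from a pasted line.
PROMPT = re.compile(r"^\S*#\s*")

# Constructed sample. Command shapes follow the configuration scripts in this
# guide; 192.0.2.10 is a documentation placeholder, not an address from it.
SAMPLE_CONFIG = """\
snmp-agent usm-user v3 user1 group1 authentication-mode md5 authkey123 privacy-mode des56 prikey123
snmp-agent group v3 group1 privacy read-view hardy write-view hardy
snmp-agent mib-view hardy include internet
snmp-agent sys-info version v3
snmp-agent target-host trap-paramsname ABC v3 securityname user1 privacy
snmp-profile add profile-id 10 v2c public private 192.0.2.10 162 private
"""

WEAK_AUTH = {"md5"}                       # HMAC-MD5 authentication
WEAK_PRIV = {"des56"}                     # 56-bit DES privacy
DEFAULT_COMMUNITIES = {"public", "private"}
CLEARTEXT_VERSIONS = {"v1", "v2c"}        # community string sent unencrypted


def _after(tokens, keyword):
    """Return the token that follows keyword, or None if it is absent."""
    if keyword in tokens[:-1]:
        return tokens[tokens.index(keyword) + 1]
    return None


def audit(config_text):
    """Return sorted (line_no, rule, message) findings for SNMP commands."""
    findings, views, groups = [], {}, []
    for no, raw in enumerate(config_text.splitlines(), 1):
        t = PROMPT.sub("", raw.strip()).split()
        if t[:2] == ["snmp-agent", "usm-user"]:
            auth = _after(t, "authentication-mode")
            priv = _after(t, "privacy-mode")
            if auth is None:
                findings.append((no, "usm-no-auth", "USM user has no authentication"))
            elif auth in WEAK_AUTH:
                findings.append((no, "usm-weak-auth", f"authentication mode {auth}"))
            if priv is None:
                findings.append((no, "usm-no-privacy", "USM user has no encryption"))
            elif priv in WEAK_PRIV:
                findings.append((no, "usm-weak-privacy", f"privacy mode {priv}"))
            if auth is not None or priv is not None:
                # Report that keys are present without echoing their values.
                findings.append((no, "cleartext-key", "keys stored in the script"))
        elif t[:2] == ["snmp-agent", "mib-view"] and len(t) >= 5:
            views[t[2]] = (t[3], t[4])    # view name -> (include/exclude, subtree)
        elif t[:3] == ["snmp-agent", "group", "v3"] and len(t) >= 4:
            # Assumption: the security level, when given, follows the group name.
            known = ("authentication", "privacy")
            level = t[4] if len(t) > 4 and t[4] in known else "noauth"
            if level != "privacy":
                findings.append((no, "group-not-privacy", f"group level is {level}"))
            groups.append((no, _after(t, "write-view")))
        elif t[:3] == ["snmp-agent", "sys-info", "version"] and len(t) >= 4:
            if t[3] != "v3":
                findings.append((no, "legacy-version-enabled", f"agent version {t[3]}"))
        elif t[:3] == ["snmp-agent", "target-host", "trap-paramsname"] and len(t) >= 5:
            if t[4] in CLEARTEXT_VERSIONS:
                findings.append((no, "trap-cleartext-version", f"traps use {t[4]}"))
            elif t[-1] != "privacy":
                findings.append((no, "trap-not-encrypted", "v3 traps without privacy"))
        elif t[:3] == ["snmp-profile", "add", "profile-id"] and len(t) >= 7:
            version, read_c, write_c = t[4], t[5], t[6]
            if version in CLEARTEXT_VERSIONS:
                findings.append((no, "profile-cleartext-version", f"profile uses {version}"))
            if {read_c, write_c} & DEFAULT_COMMUNITIES:
                findings.append((no, "default-community", "well-known community name"))
    # A view may be defined after the group that uses it, so resolve views last.
    for no, write_view in groups:
        if views.get(write_view) == ("include", "internet"):
            findings.append((no, "write-view-whole-tree",
                             f"write view {write_view} covers the internet subtree"))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, rule, message in audit(SAMPLE_CONFIG):
        print(f"line {line_no}: {rule}: {message}")
```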

1.4.4 Commissioning the Management Channel Between the OLT and the EPON MDU
This topic describes how to commission the management channel between the MA5600T and the EPON MDU to ensure that you can log in to the EPON MDU using the MA5600T at the CO to remotely maintain and manage the EPON MDU.

Service Requirements
In the network as shown in Figure 1-47, the service requirements are as follows:
- An EPON port on the MA5600T is connected to 64 MDUs using a 2-level splitter.
- After the management channel between the MA5600T and the EPON MDU is set up, you can log in to the MDU using port 0/4/0 connected to the MDU to remotely maintain and manage the MDU.
NOTE
The following considers MDU 0 as an example to commission the management channel between the OLT and the EPON MDU.

Figure 1-47 Example network for commissioning the management channel between the OLT and the EPON MDU

Figure 1-48 shows the flowchart for commissioning the management channel between the OLT and the EPON MDU.

Figure 1-48 Flowchart for commissioning the management channel between the OLT and the EPON MDU

Procedure
Step 1 Create a VLAN.
The VLAN ID is 20, and the VLAN type is smart VLAN.

huawei(config)#vlan 20 smart
Step 2 Add the upstream port to the created VLAN.
Add the upstream port to VLAN 20.
huawei(config)#port vlan 20 0/17 0
Step 3 Configure the IP address of the Layer 3 interface.
Configure the IP address of the Layer 3 interface to 192.168.1.100/24.
huawei(config)#interface vlanif 20
huawei(config-if-vlanif20)#ip address 192.168.1.100 255.255.255.0
huawei(config-if-vlanif20)#quit
Step 4 Configure a DBA profile.
The DBA profile ID is 12, the DBA profile name uses the default name DBA-profile_12, the bandwidth type is type2 (assured bandwidth, and the user rate is the assured 10 Mbit/s bandwidth).
NOTE
- The bandwidth type and the attribute of the DBA profile must be compatible with the service to be carried.
- The system supports five DBA profile types, namely, type1 (fixed bandwidth), type2 (assured bandwidth), type3 (assured bandwidth+maximum bandwidth), type4 (maximum bandwidth), and type5 (fixed bandwidth+assured bandwidth+maximum bandwidth).
- By default, the system provides DBA profiles 1 to 9, each of which provides typical values for traffic parameters. By default, T-CONT 0 is bound to DBA profile 1.
- You can run the display DBA-profile command to query the information about the DBA profile.
huawei(config)#DBA-profile add profile-id 12 type2 assure 10240
Step 5 Configure an MDU line profile.
MDU line profile 13 is bound to DBA profile 12.
huawei(config)#ont-lineprofile epon profile-id 13
huawei(config-epon-lineprofile-13)#llid dba-profile-id 12
huawei(config-epon-lineprofile-13)#commit
huawei(config-epon-lineprofile-13)#quit
Step 6 Add an MDU.
MDU 0 is connected to EPON port 0, the MAC address for the MDU authentication is 0000-0010-0101, the management protocol is SNMP, and MDU 0 is bound to MDU profile 13.
NOTE
You can add an MDU in the following two ways: confirming an auto-discovered MDU and adding an MDU offline. Here, the method of adding an MDU offline is considered as an example. You can also run the port ont-auto-find command to enable the MDU auto-find function, and then run the ont confirm command to confirm an auto-found MDU.
huawei(config)#interface epon 0/4
huawei(config-if-epon-0/4)#ont add 0 0 mac-auth 0000-0010-0101 snmp ont-lineprofile-id 13
Step 7 Configure the management IP address of the MDU.
The management IP address is 192.168.1.200/24, and the ID of the native VLAN to which the MDU port belongs is 20.
huawei(config-if-epon-0/4)#ont ipconfig 0 0 ip-address 192.168.1.200 mask 255.255.255.0 vlan 20
huawei(config-if-epon-0/4)#quit
Step 8 Set the SNMP parameters.
Configure the SNMP profile 10. That is, the SNMP version is SNMP V2C, the read community name is public, the IP address of the NMS is 10.10.1.10/24, the port is 162, the parameter security name is user1 (the parameter security name is the write community name), the gateway IP address is 192.168.1.101, and the write community name is private.
huawei(config)#snmp-profile add profile-id 10 v2c public private 10.10.1.10 162 private
huawei(config)#interface epon 0/4
huawei(config-if-epon-0/4)#ont snmp-profile 0 0 profile-id 10
huawei(config-if-epon-0/4)#ont snmp-route 0 0 ip-address 10.10.1.10 mask 255.255.255.0 next-hop 192.168.1.101
huawei(config-if-epon-0/4)#quit
Step 9 Add a service port to the VLAN.
huawei(config)#service-port vlan 20 epon 0/4 ont 0 multi-service user-vlan 20
Step 10 Save the data.
huawei(config)#save
----End

Result
After the commissioning is complete, you can remotely maintain and manage the MDU by telnet 192.168.1.200 using MA5600T.

Configuration File
vlan 20 smart
port vlan 20 0/17 0
interface vlanif 20
ip address 192.168.1.100 255.255.255.0
quit
DBA-profile add profile-id 12 type2 assure 10240
ont-lineprofile epon profile-id 13
llid dba-profile-id 12
commit
quit
interface epon 0/4
ont add 0 0 mac-auth 0000-0010-0101 snmp ont-lineprofile-id 13
ont ipconfig 0 0 static ip-address 192.168.1.200 mask 255.255.255.0 vlan 20
quit
snmp-profile add profile-id 10 v2c public private 10.10.1.10 162 private
interface epon 0/4
ont snmp-profile 0 0 profile-id 10
ont snmp-route 0 0 ip-address 10.10.1.10 mask 255.255.255.0 next-hop 192.168.1.101
quit
service-port vlan 20 epon 0/4 ont 0 multi-service user-vlan 20
save

1.4.5 Commissioning the Management Channel Between the OLT and the GPON ONT
This topic describes how to commission the GPON OLT to ensure that the service configuration and centralized management of the GPON ONTs are performed on the GPON OLT using the ONT Management and Control Interface (OMCI) protocol.

Service Requirements
In the network as shown in Figure 1-49, the service requirements are as follows:
- A GPON port on the MA5600T is connected to 128 ONTs using an optical splitter.
- The DBA profile is used to ensure the maximum bandwidth of 10 Mbit/s and the traffic profile is used to limit subscriber rates.
- On the MA5600T, you can configure ONTs at different locations in a centralized manner.
NOTE
The following considers ONT 0 as an example for commissioning the management channel between the OLT and the GPON ONT.

Figure 1-49 Example network for commissioning the management channel between the OLT and the GPON ONT

Figure 1-50 shows the flowchart for commissioning the management channel between the OLT and the GPON ONT.

Figure 1-50 Flowchart for commissioning the management channel between the OLT and the GPON ONT

Procedure
Step 1 Add a DBA profile.
The DBA profile ID is 12, the DBA profile uses the default name DBA-profile_12, the bandwidth type is type1 (fixed bandwidth), and the user rate is the fixed 10 Mbit/s bandwidth.
NOTE
- The bandwidth type and the attribute of the DBA profile must be compatible with the service to be carried.
- The system supports five DBA profile types, namely, type1 (fixed bandwidth), type2 (assured bandwidth), type3 (assured bandwidth+maximum bandwidth), type4 (maximum bandwidth), and type5 (fixed bandwidth+assured bandwidth+maximum bandwidth).
- By default, the system provides DBA profiles 1 to 9, each of which provides typical values for traffic parameters. By default, T-CONT 0 is bound with DBA profile 1.
- You can run the display dba-profile command to query the information about the DBA profile.
- The value of the bandwidth you input when adding the DBA profile rounds down to the nearest integer multiple of 64. For example, if the input bandwidth value is 1022 kbit/s, the actual bandwidth is 960 kbit/s.
huawei(config)#dba-profile add profile-id 12 type1 fix 10240
Step 2 Add an ONT line profile.

The ONT line profile ID is 5, T-CONT 1 is bound with DBA profile 12, GEM port 0 is bound to T-CONT 1, the service type is ETH, and the mapping mode is VLAN mapping.
huawei(config)#ont-lineprofile gpon profile-id 5
huawei(config-gpon-lineprofile-5)#tcont 1 dba-profile-id 12
huawei(config-gpon-lineprofile-5)#gem add 0 eth tcont 1
huawei(config-gpon-lineprofile-5)#gem mapping 0 0 vlan 20
huawei(config-gpon-lineprofile-5)#commit
huawei(config-gpon-lineprofile-5)#quit
Step 3 Add an ONT service profile.
The ONT service profile ID is 10, the quantity of Ethernet ports on the ONT is 4, the quantity of POTS ports on the ONT is 2, and Ethernet ports 1-4 are added to VLAN 20.
NOTE
The port capability set in the ONT service profile must be the same as the actual ONT capability set.
huawei(config)#ont-srvprofile gpon profile-id 10
huawei(config-gpon-srvprofile-10)#ont-port eth 4 pots 2
huawei(config-gpon-srvprofile-10)#port vlan eth 1-4 20
huawei(config-gpon-srvprofile-10)#commit
huawei(config-gpon-srvprofile-10)#quit
Step 4 Add an ONT.
ONT 0 is connected to GPON port 0, the SN is 323031314D4B2041, the ONT authentication mode is the SN authentication, the management protocol is OMCI, and ONT line profile 5 and ONT service profile 10 are bound to ONT 0.
NOTE
You can add an ONT in the following two ways: confirming an auto-discovered ONT and adding an ONT offline. Here, the method of adding an ONT offline is considered as an example. You can also run the port ont-auto-find command to enable the function of auto-discovering an ONT, and then run the ont confirm command to confirm the auto-discovered ONT.
huawei(config)#interface gpon 0/4
huawei(config-if-gpon-0/4)#ont add 0 0 sn-auth 323031314D4B2041 omci ont-lineprofile-id 5 ont-srvprofile-id 10
huawei(config-if-gpon-0/4)#quit
Step 5 Save the data.
huawei(config)#save
----End

Result
After the commissioning is complete, you can maintain and manage the ONT on the MA5600T (for example, run the ont deactivate command to deactivate the ONT that is in the activated state).

Configuration File
vlan 20 smart
port vlan 20 0/17 0
interface vlanif 20
ip address 192.168.1.100 255.255.255.0
quit
dba-profile add profile-id 12 type1 fix 10240
ont-lineprofile gpon profile-id 5
tcont 1 dba-profile-id 12
gem add 0 eth tcont 1
gem mapping 0 0 vlan 20
commit
quit
interface gpon 0/4
ont add 0 0 sn-auth 32303131B39FD641 snmp ont-lineprofile-id 5
ont ipconfig 0 0 static ip-address 192.168.1.200 mask 255.255.255.0 vlan 20
quit
service-port vlan 20 gpon 0/4/0 ont 0 gemport 0 multi-service user-vlan 20
save

1.4.6 Commissioning the Management Channel Between the OLT and the EPON ONT
This topic describes how to commission the EPON OLT to ensure that the service configuration and centralized management of the EPON ONTs are performed on the EPON OLT using the Operation, Administration, and Maintenance (OAM) protocol.

Service Requirements
In the network as shown in Figure 1-51, the service requirements are as follows:
- An EPON port on the MA5600T is connected to 64 ONTs using an optical splitter.
- The DBA profile uses the assured bandwidth with the maximum bandwidth of 10 Mbit/s and limits traffic using the traffic profile.
- On the MA5600T, you can configure ONTs at different locations in a centralized manner.
NOTE
The following considers ONT 0 as an example to commission the management channel between the OLT and the EPON ONT.

Figure 1-51 Example network for commissioning the management channel between the OLT and the EPON ONT

Figure 1-52 shows the flowchart for commissioning the management channel between the OLT and the EPON ONT.

Figure 1-52 Flowchart for commissioning the management channel between the OLT and the EPON ONT

Procedure
Step 1 Configure a DBA profile.
The DBA profile ID is 12, the DBA profile name uses the default name DBA-profile_12, the bandwidth type is type2 (assured bandwidth, and the user rate is the assured 10 Mbit/s bandwidth).
NOTE
- The bandwidth type and the attribute of the DBA profile must be compatible with the service to be carried.
- The system supports five DBA profile types, namely, type1 (fixed bandwidth), type2 (assured bandwidth), type3 (assured bandwidth+maximum bandwidth), type4 (maximum bandwidth), and type5 (fixed bandwidth+assured bandwidth+maximum bandwidth).
- By default, the system provides DBA profiles 1 to 9, each of which provides typical values for traffic parameters. By default, T-CONT 0 is bound to DBA profile 1.
- You can run the display dba-profile command to query the information about the DBA profile.

huawei(config)#dba-profile add profile-id 12 type2 assure 10240
Step 2 Configure an ONT line profile.
ONT line profile 13 is bound to DBA profile 12.
huawei(config)#ont-lineprofile epon profile-id 13
huawei(config-epon-lineprofile-13)#llid dba-profile-id 12
huawei(config-epon-lineprofile-13)#commit
huawei(config-epon-lineprofile-13)#quit
Step 3 Configure an ONT service profile.
The ONT service profile ID is 13, the number of Ethernet ports on the ONT is 4, the number of POTS ports on the ONT is 2, and Ethernet ports 1-4 are added to VLAN 20.
NOTE
The port capability set in the ONT service profile must be the same as the actual ONT capability set.
huawei(config)#ont-srvprofile epon profile-id 13
huawei(config-epon-srvprofile-13)#ont-port eth 4 pots 2
huawei(config-epon-srvprofile-13)#port vlan eth 1 20
huawei(config-epon-srvprofile-13)#commit
huawei(config-epon-srvprofile-13)#quit
Step 4 Add an ONT.
ONT 0 is connected to EPON port 0, the MAC address for the MDU authentication is 0000-0010-0101, the management protocol is OAM, and ONT line profile 13 and ONT service profile 13 are bound to ONT 0.
NOTE
You can add an ONT in the following two ways: confirming an auto-discovered ONT and adding an ONT offline. Here, the method of adding an ONT offline is considered as an example. You can also run the port ont-auto-find command to enable the ONT auto-find function, and then run the ont confirm command to confirm an auto-found ONT.
huawei(config)#interface epon 0/4
huawei(config-if-epon-0/4)#ont add 0 0 mac-auth 0000-0010-0101 oam ont-lineprofile-id 13 ont-srvprofile-id 13
huawei(config-if-epon-0/4)#quit
Step 5 Save the data.
huawei(config)#save
----End

Result
After commissioning, the operator can maintain and manage the ONT on the MA5600T. For example, the operator can run the ont deactivate command to deactivate an activated ONT.

Configuration File
dba-profile add profile-id 12 type2 assure 10240
ont-lineprofile epon profile-id 13
llid dba-profile-id 12
commit
quit
ont-srvprofile epon profile-id 13
ont-port eth 4 pots 2
port vlan eth 1 20
commit

l The patch status of the active and standby control boards must be consistent with the hardware environment. 100 . the system prohibits performing forced switchover by running the active/standby switchover command. the active/standby switchover is classified into the normal switchover and forced switchover. A normal switchover does not cause links to break or boards to reset. l Forced switchover: Refers to the active/standby switchover that is performed when the data is not synchronized sufficiently. l When the communication between the active and standby control boards fails or the standby control board is faulty.. or backed up. The following data might be synchronized insufficiently: – Configuration data. l If the data of the active and standby control boards is not completely synchronized. Prerequisites l An active control board and a standby control board must be configured on the device.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 1 Commissioning quit interface epon 0/4 ont add 0 0 mac-auth 0000-0010-0101 oam ont-lineprofile-id 13 ont-srvprofile-id 13 quit save 1. the system prohibits the active/standby switchover. Ltd. you need to verify the maintainability and reliability of the device after completing the stand-alone commissioning and interconnection commissioning. the system prohibits the active/standby switchover. saved. Context Classification of the active/standby switchover: According to the status of the data synchronization. Other forced Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. l Normal switchover: Refers to the active/standby switchover that is performed when the data is synchronized sufficiently.1 Checking the System Switchover After the active/standby switchover is performed. 1. and the cables must be connected correctly on the boards.5. 
the system prohibits the active/standby switchover.5 Maintenance and Management Commissioning To ensure the stability of the MA5600T. the services of the active control board are switched to the standby control board. l When the data is being loaded. This ensures that the services run in the normal state. Precautions NOTE Run the display data sync state command to query the data synchronization status of the active and standby control boards. When the configuration data is not fully synchronized.

. such as manually resetting the active board or removing the active control board. huawei(config)#system switch-over Are you sure to switch over? (y/n)[n]:y 1. Ltd. it is recommended that you do not perform the forced switchover. ----End Result When the ACT LED on the original standby control board is on. It is found that the system runs in the normal state. Therefore. huawei# Configuration file had been saved successfully Note: The configuration file will take effect after being activated huawei# The data is being saved. such as manually resetting the active control board or removing the active control board.2 Checking Alarms and Events This topic describes how to check the alarm and event reporting function of the device. 101 . the system can return to the normal state in a short period. when the configuration data is not fully synchronized. – Basic data... but they may cause service boards to reset. You can choose to reset the system. Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. alarms. log in to the system using this control board. perform the active/standby switchover. and the original connections. please wait a moment. In this manner. After the switchover. huawei#save { <cr>|configuration<K>|data<K> }: Command: save huawei# It will take several minutes to save configuration file. Other forced switching methods. Step 2 Run the system switch-over command to perform the active/standby switchover. When the basic data is not fully synchronized.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 1 Commissioning switching methods. the system prohibits performing forced switchover by running the active/standby switchover command. and logs are not lost. – Dynamic data. Procedure Step 1 Run the save command to save the data.. the system permits performing forced switchover by running the active/standby switchover command. please wait. When certain dynamic data is not fully synchronized. 
Example After the data is saved.5. the on-going services continue to run in the normal state.. neither reset the system nor affect the database. cause loss of basic data or the system to reset.

Verifying the Alarm and Event Function
This topic describes how to verify the alarm and event function by triggering various alarms and events through the related operations.

Verifying Operation
Table 1-18 lists the operations for verifying the alarm and event function.

Table 1-18 Operations for verifying the alarm and event function

Operation: Remove a service board.
Description: Check whether the corresponding alarm or event is generated on the maintenance terminal.

Operation: Insert the service board back into the slot.
Description: Check whether the corresponding recovery alarm or event is generated on the maintenance terminal.

Operation: Remove the fan tray from the shelf.
Description: Check whether the corresponding alarm or event is generated on the maintenance terminal.

Operation: Insert the fan tray back into the shelf.
Description: Check whether the corresponding recovery alarm or event is generated on the maintenance terminal.

Operation: Open the cabinet door.
Description: Check whether the corresponding alarm or event is generated on the maintenance terminal.

Operation: Close the cabinet door.
Description: Check whether the corresponding recovery alarm or event is generated on the maintenance terminal.

Operation: Remove the optical fiber connected to an optical port.
Description: Check whether the corresponding alarm or event is generated on the maintenance terminal.

Operation: Insert the optical fiber back into the optical port.
Description: Check whether the corresponding recovery alarm or event is generated on the maintenance terminal.

Operation: Remove the optical fiber connected to an optical port when an ONT is online.
Description: Check whether the corresponding alarm or event is generated on the maintenance terminal.

Operation: Insert the optical fiber back into the optical port.
Description: Check whether the corresponding recovery alarm or event is generated on the maintenance terminal.

Operation: Perform the active/standby switchover of the control boards.
Description: Log in to the system, and run the display event history command to check whether the active/standby switchover event history exists.

Querying Alarms and Events
This topic describes how to query history alarms and events using the maintenance terminal.

Context
Up to 1900 latest fault alarms and recovery alarms, and 1900 event alarms can be saved in the system. If the record table is full, and a new alarm or event is generated, the new alarm or event

overwrites the oldest record in the record table. You can query the records that have been overwritten in the NMS database.
The CLI provides multiple ways to query history alarms and events. Table 1-19 lists the commands for querying history alarms.

Table 1-19 Commands for querying history alarms

To…                                Run the Command…
Query alarms by alarm SN           display alarm history alarmsn sn [ detail | list ]
Query alarms by alarm ID           display alarm history alarmid id [ detail | list | start-number number ]
Query alarms by alarm type         display alarm history alarmtype type [ detail | list | start-number number ]
Query alarms by alarm class        display alarm history alarmclass class [ detail | list | start-number number ]
Query alarms by alarm level        display alarm history alarmlevel level [ detail | list | start-number number ]
Query alarms by alarm time         display alarm history alarmtime start start-date start-time end end-date end-time [ start-number number ] [ detail | list | start-number number ]
Query alarms by alarm parameter    display alarm history alarmparameter { frameid/slotid/portid | frameid/slotid | frameid | vlanif vlanif } [ detail | list ]
Query all the latest alarms        display alarm history all [ detail | list ]

Table 1-20 lists the commands for querying history events.

Table 1-20 Commands for querying history events

To…                                Run the Command…
Query events by event SN           display event history eventsn sn [ detail | list ]
Query events by event ID           display event history eventid id [ detail | list | start-number number ]
Query events by event type         display event history eventtype type [ detail | list | start-number number ]
Query events by event class        display event history eventclass class [ detail | list | start-number number ]

Current Percent: 86 764 2009-08-21 10:17:29 The system resources usage recovers from the overload state to the normal state Resource Name: CPU. ----End Result You can query the alarm or event triggered by the operation you have performed. 104 .process. Current Percent: 86 714 2009-08-20 15:04:35 The system resources usage recovers from the overload state to the normal state Resource Name: CPU. Example To query the history environment alarms by alarm type..environment> }:environment { <cr>|detail<K>|list<K>|start-number<U><1.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 1 Commissioning To… Run the Command. Current Percent: 70 765 2009-08-21 10:17:29 The system resources usage exceeds the threshold Resource Name: CPU.1900>||<K> }:list { <cr>||<K> }: Command: display alarm history alarmtype environment list -----------------------------------------------------------------------AlarmSN Date&Time Alarm Name/Para -----------------------------------------------------------------------777 2009-08-21 10:18:29 The system resources usage recovers from the overload state to the normal state Resource Name: CPU.equipment. do as follows: huawei>display alarm history alarmtype { type<E><communication. Current Percent: 86 704 2009-08-20 15:03:35 The system resources usage recovers from Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co... Ltd. 
Query events by event level display event history eventlevel level [ detail | list | startnumber number] Query events by event time display event history eventtime start start-date start-time end enddate end-time [ start-number number ] [ detail | list | startnumber number] Query events by event parameter display event history eventparameter { frameid/slotid/portid | frameid/slotid | frameid | vlanif vlanif } [ detail | list ] Query all the latest events display event history all [ detail | list ] Procedure Step 1 Perform an operation (such as inserting and removing a board) to generate an alarm or event. Step 2 Run the display alarm history command to query history alarms. Step 3 Run the display event history command to query history events. Current Percent: 72 705 2009-08-20 15:03:35 The system resources usage exceeds the threshold Resource Name: CPU.service.

3 Configuring a Log Host Logs can function as important references for system The log host is used for recording logs. SlotID: 96. Backup type: Host data.. do as follows: huawei>display event history { all<K>|eventclass<K>|eventid<K>|eventlevel<K>|eventparameter<K>|eventsn<K>|eve nttime<K>|eventtype<K> }:eventtime { start<K> }:start { start-date<D><yyyy-mm-dd> }:2009-08-24 { start-time<T><hh:mm:ss> }:16:00:00 { end<K> }:end { end-date<D><yyyy-mm-dd> }:2009-08-24 { end-time<T><hh:mm:ss> }:18:00:00 { <cr>|detail<K>|list<K>|start-number<U><1. and the start date is 2009-08-24. l The log host must be installed with the FTP or TFTP software. IP: 10.5. Backup type: Host data.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 1 Commissioning the overload state to the normal state ---.More ( Press 'Q' to break ) ---- 1. which are useful for the device maintenance and fault location.42. State: Log on 35344 2009-08-24 17:58:47 Change of Maintenance User's State User name: test01. 105 . Log mode: Telnet. Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.42. Ltd. and must be able to receive and save the logs reported by the MA5600T.71.More ( Press 'Q' to break ) ---- To query the history events by event date. Log mode: Telnet. Backup Object: ---. Failure cause: Failed to transfer the file 35345 2009-08-24 17:58:52 Change of Maintenance User's State User name: test01. and the end time is 18:00:00. Figure 1-53 shows the example network for configuring a log host. 
State: Log off 35343 2009-08-24 17:58:24 Backing up files starts from the host to the maintenance terminal FrameID: 0.1900>||<K> }:list { <cr>||<K> }: Command: display event history eventtime start 2009-08-24 16:00:00 end 2009-0824 18:00:00 list -----------------------------------------------------------------------EventSN Date&Time Event Name/Para -----------------------------------------------------------------------35346 2009-08-24 17:59:40 Backing up files fails from the host to the maintenance terminal FrameID: 0.71.55. Context l The log host is always installed on the NMS station and uses the NMS VLAN to communicate with the MA5600T. the star time is 16:00:00. IP: 10. the end date is 2009-08-24. Backup Object: Active control board.55. Position: -1. Position: -1. Network Topology The log host resides in the NMS station and is connected to the upstream port of the MA5600T in the IP network. SlotID: 96.
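The event listing queried in the example above can be checked mechanically once it has been captured from the terminal. The following is an added example, not part of the Huawei guide: it parses text laid out like the output of display event history ... list and reports Telnet logins, failed operations and sessions with no log off. The sample text, its event numbers and addresses, the SSH log mode value and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample (newest first), laid out like "display event history ... list".
# Event numbers, addresses and the "SSH" log mode value are invented for the example.
SAMPLE = """\
------------------------------------------------------------------------
EventSN    Date&Time            Event Name/Para
------------------------------------------------------------------------
9005       2009-08-24 18:05:00  Change of Maintenance User's State
                                User name: test02, Log mode: SSH, IP:
                                192.0.2.20, State: Log on
9004       2009-08-24 18:00:10  Change of Maintenance User's State
                                User name: test01, Log mode: Telnet, IP:
                                192.0.2.10, State: Log off
9003       2009-08-24 17:59:40  Backing up files fails from the host to the
                                maintenance terminal
                                FrameID: 0, SlotID: 96, Position: -1, Backup type:
                                Host data, Failure cause: Failed to transfer the file
9002       2009-08-24 17:58:24  Backing up files starts from the host to the
                                maintenance terminal
                                FrameID: 0, SlotID: 96, Position: -1, Backup type:
                                Host data
9001       2009-08-24 17:40:00  Change of Maintenance User's State
                                User name: test01, Log mode: Telnet, IP:
                                192.0.2.10, State: Log on
---- More ( Press 'Q' to break ) ----
"""

HEADER = re.compile(r"^(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
CLEARTEXT_MODES = {"telnet"}  # assumption: log modes treated as unencrypted


def parse_events(text):
    """Parse the listing into records (oldest first) with sn, time, name, params."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--") or line.startswith("EventSN"):
            continue  # separators, column header, pager prompt
        m = HEADER.match(line)
        if m:
            cur = {"sn": int(m.group(1)),
                   "time": datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S"),
                   "name": m.group(3).strip(), "raw_params": ""}
            records.append(cur)
        elif cur is not None:
            # A wrapped event name carries no colon; parameter lines do.
            if not cur["raw_params"] and ":" not in line:
                cur["name"] += " " + line
            else:
                cur["raw_params"] += " " + line
    for rec in records:
        pairs = re.findall(r"([^,:]+):\s*([^,]*)", rec.pop("raw_params"))
        rec["params"] = {k.strip(): v.strip() for k, v in pairs}
    return sorted(records, key=lambda r: r["sn"])


def audit(records):
    """Return (findings, sessions) for maintenance-user and failure events."""
    findings, sessions, open_sessions = [], [], {}
    for rec in records:
        p = rec["params"]
        if "Maintenance User" in rec["name"]:
            user, ip, mode = p.get("User name"), p.get("IP"), p.get("Log mode", "")
            key = (user, ip, mode)
            state = p.get("State", "").lower()
            if state == "log on":
                open_sessions[key] = (rec["time"], rec["sn"])
                if mode.lower() in CLEARTEXT_MODES:
                    findings.append(("cleartext-login", rec["sn"], user, ip))
            elif state == "log off":
                started = open_sessions.pop(key, None)
                if started is None:
                    # Log on fell outside the captured window or was overwritten.
                    findings.append(("logoff-without-logon", rec["sn"], user, ip))
                else:
                    seconds = (rec["time"] - started[0]).total_seconds()
                    sessions.append((user, ip, seconds))
        elif "fails" in rec["name"].lower():
            findings.append(("operation-failed", rec["sn"], rec["name"],
                             p.get("Failure cause")))
    for (user, ip, _mode), (_start, sn) in open_sessions.items():
        findings.append(("session-still-open", sn, user, ip))
    return findings, sessions


if __name__ == "__main__":
    found, closed = audit(parse_events(SAMPLE))
    for item in found:
        print(item)
    for user, ip, seconds in closed:
        print(f"session {user}@{ip} lasted {seconds:.0f} s")
```

Because the record table keeps only the latest 1900 entries, a log off with no matching log on usually means the capture window was too short, which is why it is reported rather than dropped.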

.1. IP address of the gateway: 10.50.20/24 Flowchart Figure 1-54 shows the flowchart for configuring a log host.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 1 Commissioning Figure 1-53 Example network for configuring a log host Data Plan Table 1-21shows the data plan for configuring a log host.1.1/24 Log host IP address: 10. 106 . Table 1-21 Data plan for configuring a log host Item Data Layer 3 interface VLAN: 10 Data Layer 3 interface VLAN: 0/17/0 IP address of the Layer 3 interface: 10. Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.10/24. Ltd.1.10.50.

Step 3 Configure the IP address of the Layer 3 interface. and this IP address must be in the same network segment as the gateway IP address (IP address of the switch port that is connected to the MA5600T).255. huawei(config)#vlan 10 standard Step 2 Add upstream port to VLAN.10 255..1.0 huawei(config-if-vlanif10)#quit Step 4 Add the log host.1. run the native-vlan command to configure the native VLAN of the upstream port to be the same as the VLAN of the upstream port.10/24.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 1 Commissioning Figure 1-54 Flowchart for configuring a log host Procedure Step 1 Create a VLAN. Add upstream ports 0/17/0 on the GIU board to VLAN 10. and the VLAN attribute is Standard.50. Ltd. The Layer 3 IP address is 10. 107 . huawei(config)#port vlan 10 0/17 0 NOTE If the packet transmitted from the upstream port is untagged. huawei(config)#interface vlanif 10 huawei(config-if-vlanif10)#ip address 10. The VLAN ID is 10.50. Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.255.

10 0.1.0 quit packet-filter inbound ip-group 3010 port loghost activate name huawei save Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.0.10.255.20 24 10.1 acl 3010 rule deny ip source any destination 10.0.0. The system sends log information only to the activated log hosts. Configuration File vlan 10 standard port vlan 10 0/17 0 interface vlanif 10 ip address 10.10.20 0.0. huawei(config)#loghost activate name huawei Step 8 Save the data. the IP address or name of a log host must be unique in the system.0 huawei(config-acl-adv-3010)#rule permit ip source 10. The packets without authorization are not allowed to access the Layer 3 interface.1.0.20/24.50. 108 .10.20 huawei ip route-static 10.0 huawei(config-acl-adv-3010)#quit huawei(config)#packet-filter inbound ip-group 3010 port 0/17/0 NOTE The port aggregation configurations cannot be configured on the upstream port 0/17/0 with ACL rules.50.1.1.1. huawei(config)#ip route-static 10.10.10.20 0.0.0.255.1.10.20 24 10. l The IP address or name can uniquely identify a log host.1.0. Filter the packets that passes using the Layer 3 interface.50.10 0.10 0.10.0.1. The destination IP address is 10.10.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 1 Commissioning l The IP address and name of the log host is 10. Ltd. Only the IP packet from the log host is allowed to access the Layer 3 interface.10. huawei(config)#save ----End Result l You can query the logs on the log server.0.1.1.. huawei(config)#acl 3010 huawei(config-acl-adv-3010)#rule deny ip source any destination 10.10 0. l The logs record the operation commands executed on the system. huawei(config)#loghost add 10.10.1.0.20 and huawei respectively. and the next-hop IP address is gateway IP address 10.0 destination 10.1.50.20 huawei Step 5 Add the static route to the log host.1. They are the same as the commands queried on the MA5600T.0 destination 10.10.1.10 255.50. 
Step 7 Activate the log host.0 rule permit ip source 10.0.0 quit loghost add 10.1 Step 6 Configure the ACL rule (optional).10.1. Therefore.50.

Script Overview The basic configuration achieved by loading a script includes. Table 1-22 Script data plan Item Data PAIC power card Shelf IDs/slot IDs: 0/19 and 0/20 FAN l SN: 0 l Sub-node ID: 1 (default) l Name: FAN l Fan speed adjustment mode: automatic CITB card l SN: 1 l Sub-node ID: 15 (default) l Name: CITB Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.6 Supplementary Information This topic provides the commissioning supplementary information.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 1 Commissioning 1. which facilitates the commissioning of the basic functions and services of the device.6 Loading the Script. you can log in to the MA5600T using the maintenance terminal in the management center to commission the basic functions of the device. This ensures that the device is functioning properly. transmission mode setting. but is not limited to: l Adding a power card l Configuring the environment monitoring unit (including the FAN and the CITB card) l Configuring the route protocol NOTE For details about how to load a script. After this example script is configured. including script making.4 Planning Data to make a commissioning script and then configure the basic data of the device by loading the script.6. you can collect the information such as the data plan according to 1. Example Script Table 1-22 lists the data plan of an example script. and default software settings. Ltd.3. see 1. 1..1 Making a Script Before the commissioning. 109 .2.

1.10 24 quit ip route-static 10.2 Configuring the File Transfer Mode This topic describes how to configure the file transfer mode of the FTP.1 save 1.10.50.6.50.10/24 The following displays the commands that need to be included in the script according to the preceding data plan..1/24 l IP address of the target network segment: 10. the FTP server and the MA5600T can communicate to transfer files in the FTP mode.10/24 l Gateway IP address: 10. CAUTION It is necessary to press Enter after each command in the script. Xmodem and TFTP.1. 110 .0 24 10.1. Ltd.10.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide Item Data Route protocol l Upstream port: 0/17/0 1 Commissioning l Management VLAN ID: 100.1.50. type: standard VLAN l IP address of the Layer 3 interface of the management VLAN: 10.1. After the configuration. Configuring the FTP Transfer Mode This topic describes how to configure the FTP transfer mode for transferring (uploading or downloading) files through the inband or outband Ethernet port of the MA5600T.SFTP. Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.50. Prerequisites l Issue 01 (2012-01-18) The Ethernet port of the FTP server is directly connected to the inband or outband Ethernet port of the MA5600T. enable config board add 0/19 H801PAIC board add 0/20 H801PAIC emu add 0 FAN 0 1 FAN interface emu 0 fan speed mode automatic quit emu add 1 h801citx 0 15 h801citx vlan 100 standard port vlan 100 0/17 0 interface vlanif 100 ip address 10.1.

) On the MA5600T.20. ----End Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. – Connect to the outband Ethernet port (Upstream port) through the direct cable.. password.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 1 Commissioning – Connect to the inband Ethernet port (Maintenance port) through the crossover cable. run the file-server auto-backup data command to configure the FTP user name. Step 4 (Optional. 111 . and Materials l Crossover cable l Direct cable Impact on System None Precautions Make sure that the crossover cable is used to directly connect the FTP server to the MA5600T. huawei(config)#file-server auto-backup data primary 10.) On the MA5600T. and ensure that the Ethernet port of the FTP server and the inband or outband Ethernet port of the MA5600T can ping each other. run the ftp set command to set the FTP user name and password. Procedure Step 1 On the FTP server. Meters. if the Ethernet port of the FTP server is directly connected to the MA5600T. In other cases.1 ftp path test user User Name(<=40 chars):huawei User Password(<=40 chars):huawei//The input is not displayed on the CLI. run the FTP application and set related parameters. Step 3 (This is step is used for setting the FTP user attributes for the manual file transfer. After running the FTP application.10.com in the MA5600T system. this step is required when the function of database file auto-backup is used. Step 2 On the FTP server. the IP address of this Ethernet port and the IP address of the inband or outband Ethernet port of the MA5600T must be in the same subnet. Tools. l You have logged in to the MA5600T through Telnet from the console (maintenance terminal). For example. NOTE By default. and password. Configure the Ethernet port IP address of the FTP server according to the IP address planning in the specific networking. and port ID. Ltd. configure the IP address of its Ethernet port. 
and have entered the global config mode. a straight through cable is used. set the path for saving the file. huawei(config)#ftp set User Name(<=40 chars):huawei User Password(<=40 chars):huawei//The input is not displayed on the CLI. the FTP user name is anonymous and the password is anonymous@huawei. FTP user name.

Reference
• Any PC that runs the FTP software can serve as an FTP server.
• In the FTP file transfer mode, the user name and the password must be authenticated. Apart from setting the user name and password on the FTP server, you also need to set the FTP user name and password on the FTP client (such as the MA5600T), and make sure that the settings at both ends are the same.

Configuring the SFTP Transfer Mode
This topic describes how to configure the SFTP transfer mode for transferring (uploading or downloading) files through the inband or outband Ethernet port of the MA5600T. After the configuration, the SFTP server and the MA5600T can communicate to transfer files in the SFTP mode.

Prerequisites
• The Ethernet port of the SFTP server is directly connected to the inband or outband Ethernet port of the MA5600T.
  – Connect to the inband Ethernet port (Maintenance port) through the crossover cable.
  – Connect to the outband Ethernet port (Upstream port) through the direct cable.
• You have logged in to the MA5600T through Telnet from the console (maintenance terminal), and have entered the global config mode.

Tools, Meters, and Materials
• Crossover cable
• Direct cable

Impact on System
None

Precautions
Make sure that the crossover cable is used to directly connect the SFTP server to the MA5600T. In other cases, a straight through cable is used.

Procedure
Step 1 On the SFTP server, configure the IP address of its Ethernet port, and ensure that the Ethernet port of the SFTP server and the inband or outband Ethernet port of the MA5600T can ping each other.
Configure the Ethernet port IP address of the SFTP server according to the IP address planning in the specific networking. For example, if the Ethernet port of the SFTP server is directly connected to the MA5600T, the IP address of this Ethernet port and the IP address of the inband or outband Ethernet port of the MA5600T must be in the same subnet.
Step 2 On the SFTP server, run the SFTP application and set related parameters.

Ltd. Apart from setting the user name. or port ID. 113 . Meters. and port ID on the SFTP server. password. Listening Port(0--65535):22 NOTE The MA5600T system does not have default SFTP user name.20. Prerequisites You must be logged in to the MA5600T from the console (also called maintenance terminal) through the serial port. and port ID. Step 4 (Optional. password. or port ID. the console and the MA5600T can communicate with each other normally and transfer files in Xmodem mode. and must enter the global config mode. SFTP user name. l In the SFTP file transfer mode. and make sure that the settings at both ends are the same. password. password. The port ID is 22 by default. and port ID.1 sftp path test port 22 user User Name(<=40 chars):huawei User Password(<=40 chars):huawei//The input is not displayed on the CLI. Then.) On the MA5600T. configure the Xmodem file transfer mode according to this operation guide. To upload or download files through the maintenance serial port on the MA5600T.. password. this step is required when the function of database file auto-backup is used. run the ssh sftp set command to set the SFTP user name. the user name and the password must be authenticated. and Materials RS-232 serial port cable (used for logging in to the MA5600T from the console through the serial port) Impact on the System None Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. huawei(config)#ssh sftp set User Name(<=40 chars):huawei User Password(<=40 chars):huawei//The input is not displayed on the CLI. and port ID on the SFTP client (such as the MA5600T).) On the MA5600T.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 1 Commissioning After running the SFTP application. you also need to set the SFTP user name. run the file-server auto-backup data command to configure the SFTP user name. 
Configuring Xmodem File Transfer Mode This topic describes how to configure the Xmodem file transfer mode. huawei(config)#file-server auto-backup data primary 10. password. ----End Reference l Any PC that runs the SFTP software can serve as an SFTP server. and port ID. Step 3 (This is step is used for setting the SFTP user attributes for the manual file transfer.10. NOTE The MA5600T system does not have default SFTP user name. password. set the path for saving the file. Tools.

Precautions
NOTE
• The speed of transferring files in Xmodem mode through the serial port is limited. Therefore, the system does not support file transfer in the Xmodem mode for large-size files such as program packet files and configuration files.
• It is recommended to transfer files through other modes as much as possible, such as TFTP, even if file transfer in the Xmodem mode is supported.
• Telnet users are prohibited from transferring files in Xmodem mode.
• The Xmodem transfer mode is applicable to only the active control board.
• The baud rate of the serial port on the MA5600T must be the same as the baud rate of the serial port on the console. The high baud rate can increase the transmission speed.

Procedure
Step 1 Query the baud rate of the serial port on the MA5600T.
huawei(config)#display baudrate
Current active serial baudrate: 9600 bps
Step 2 (This step is optional but is required when you reconfigure the baud rate of the serial port.) Run the baudrate command on the MA5600T to configure the baud rate of the serial port on the MA5600T.
For example, reconfigure the baud rate on the MA5600T to 9600 bit/s:
huawei(config)#baudrate 9600
Step 3 Open the HyperTerminal on the console to configure the baud rate of the serial port on the console to be the same as the baud rate on the MA5600T.

----End

Configuring the TFTP Transfer Mode
This topic describes how to configure the TFTP transfer mode for transferring (uploading or downloading) files through the inband or outband Ethernet port of the MA5600T. After the configuration, the TFTP server and the MA5600T can communicate to transfer files in the TFTP mode.

Prerequisites
• The Ethernet port of the TFTP server is directly connected to the inband or outband Ethernet port of the MA5600T.
  – Connect to the inband Ethernet port (Maintenance port) through the crossover cable.
  – Connect to the outband Ethernet port (Upstream port) through the direct cable.
• You have logged in to the MA5600T through Telnet from the console (maintenance terminal), and have entered the global config mode.

Tools, Meters, and Materials
• Crossover cable
• Direct cable

Impact on System
None

Precautions
Make sure that the crossover cable is used to directly connect the TFTP server to the MA5600T. In other cases, a straight through cable is used.

Procedure
Step 1 On the TFTP server, configure the IP address of its Ethernet port, and ensure that the Ethernet port of the TFTP server and the inband or outband Ethernet port of the MA5600T can ping each other.
Configure the Ethernet port IP address of the TFTP server according to the IP address planning in the specific networking. For example, if the Ethernet port of the TFTP server is directly connected to the MA5600T, the IP address of this Ethernet port and the IP address of the inband or outband Ethernet port of the MA5600T must be in the same subnet.
Step 2 On the TFTP server, run the TFTP application and set related parameters.
1. After the TFTP application is run on the TFTP server, an interface as shown in Figure 1-55 is displayed. In the Server interfaces drop-down list, select the IP address that is set in step 1.

Figure 1-55 TFTP main interface
2. In the interface as shown in Figure 1-55, click Settings.
3. In the dialog box that is displayed, click Browse to select the path for saving the file, as shown in Figure 1-56.

Figure 1-56 Setting TFTP parameters
----End

Reference
• Any PC that runs the TFTP software can serve as a TFTP server.
• The IP address in the Server interfaces drop-down list is the IP address of the TFTP server. The TFTP application can identify the IP address automatically. If the TFTP server has multiple IP addresses, select the correct one.
• If the TFTP file transfer fails, check the following items:
  – Whether the selected IP address of the TFTP server is correct.
  – Whether the entered name of the file to be transferred is correct.
  – Whether the TFTP application is run on the TFTP server.
  – Whether the TFTP file transfer function has been enabled through the command.
  – Whether the path is correctly set in the TFTP application.
  – Whether the TFTP server can ping the inband or outband Ethernet port of the MA5600T (run the Ping command).

1.6.3 Software Package Settings
This topic provides the default software package settings of the MA5600T.

Factory Defaults of a DBA Profile
The following table lists the factory defaults of a DBA profile on the MA5600T.

Table 1-23 Factory defaults of a DBA profile

Profile Index  Profile-name   Profile-ID  type  Bandwidth compensation  Fix(kbps)  Assure(kbps)  Max(kbps)  bind-times
1              dba-profile_1  1           1     No                      5120       0             0          0
2              dba-profile_2  2           1     No                      1024       0             0          0
3              dba-profile_3  3           4     No                      0          0             32768      0
4              dba-profile_4  4           1     No                      1024000    0             0          0
5              dba-profile_5  5           1     No                      32768      0             0          0
6              dba-profile_6  6           1     No                      102400     0             0          0
7              dba-profile_7  7           2     No                      0          32768         0          0
8              dba-profile_8  8           2     No                      0          102400        0          0
9              dba-profile_9  9           3     No                      0          32768         0          65536

Factory Defaults of a GPON ONT Line Profile
The following table lists the factory defaults of a GPON ONT line profile on the MA5600T.

Table 1-24 Factory defaults of a GPON ONT line profile

Parameter              Factory Default
FEC upstream switch    Disable
OMCC encrypt switch    Off
QoS mode               PQ
Mapping mode           VLAN
Tr069 management       Disable
<T-CONT 0>             DBA Profile-ID: 1

SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 1 Commissioning Parameter Factory Default Binding times 0 Factory Defaults of a GPON ONT Service Profile The following table lists the factory defaults of a GPON ONT service profile on the MA5600T. Ltd.. Table 1-25 Factory defaults of a GPON ONT service profile Parameter Port-type Factory Default POTS ETH Issue 01 (2012-01-18) Portnumber 0 0 TDM 0 MOCA 0 CATV 0 TDM port type E1 TDM service type TDMoGem MAC learning function switch Enable ONT transparent function switch Disable Multicast forward mode Unconcern Multicast forward VLAN - Multicast mode Unconcern Upstream IGMP packet forward mode Unconcern Upstream IGMP packet forward VLAN - Upstream IGMP packet priority - Native VLAN option Concern Port-type or Port type IPHOST Port-ID or Port ID 1 Dscp-mapping-table-index 0 Service-type Translation Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. 121 .

122 .. Table 1-26 GPON ONT alarm profile Issue 01 (2012-01-18) Profile Index Profile Parameter Factory Default 1 alarmprofile_ 1 GEM port loss of packets threshold 0 GEM port misinserted packets threshold 0 GEM port impaired blocks threshold 0 Ethernet FCS errors threshold 0 Ethernet excessive collision count threshold 0 Ethernet late collision count threshold 0 Too long Ethernet frames threshold 0 Ethernet buffer (Rx) overflows threshold 0 Ethernet buffer (Tx) overflows threshold 0 Ethernet single collision frame count threshold 0 Ethernet multiple collisions frame count threshold 0 Ethernet SQE count threshold 0 Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. Ltd.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 1 Commissioning Parameter Factory Default Index 1 S-VLAN 1 S-PRI - C-VLAN 1 C-PRI - ENCAP - S-PRI POLICY - Binding times 0 Factory Defaults of a GPON ONT Alarm Profile The following table lists the factory defaults of a GPON ONT alarm profile on the MA5600T.

. Ltd.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide Profile Index Profile 1 Commissioning Parameter Factory Default Ethernet deferred transmission count threshold 0 Ethernet internal MAC Tx errors threshold 0 Ethernet carrier sense errors threshold 0 Ethernet alignment errors threshold 0 Ethernet internal MAC Rx errors threshold 0 PPPOE filtered frames threshold 0 MAC bridge port discarded frames due to delay threshold 0 MAC bridge port MTU exceeded discard frames threshold 0 MAC bridge port received incorrect frames threshold 0 CES general error time threshold 0 CES severely time threshold 0 CES bursty time threshold 0 CES controlled slip time threshold 0 CES unavailable time threshold 0 Drop events threshold 0 Undersize packets threshold 0 Fragments threshold 0 Jabbers threshold 0 Failed signal of ONU threshold (Format:1e-x) 3 Degraded signal of ONU threshold (Format:1e-x) 4 Default settings of a EPON ONT line profile The following table lists the default settings of a EPON ONT line profile on the MA5600T. 123 . Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.

.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 1 Commissioning Table 1-27 EPON ONT line profile Parameter Name Default FEC switch Disable Encrypt type off DBA Profile-ID 9 Traffic-table-index 6 Dba-threshold - Binding times 0 Default settings of a EPON ONT service profile The following table lists the default settings of a EPON ONT service profile on the MA5600T. Table 1-29 Factory defaults of the H801CITB card Issue 01 (2012-01-18) Parameter Factory Default Sub-node 20 Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. Ltd. 124 . Table 1-28 EPON ONT service profile Parameter Name Default Port-type Portnumber POTS ETH TDM 0 0 0 TDM type E1 Multicast fast leave switch Unconcern Ring check switch Unconcern Binding times 0 Factory Defaults of Environment Monitoring Units The following tables Table 1-29. Table 1-30 list the factory defaults of environment monitoring units on the MA5600T.

11: Thief. Ltd.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide Parameter Factory Default Digital parameters CITB digital parameter IDs 1 Commissioning l Allocated by default (unchangeable) – 0: FAN – 1: load fuse l User-defined IDs – 2-8: allocated to other extended digital sensors. 10: Thief. 14: Fire. 5: Load fuse. 12: Wiring. 18: Odor 19: Air-condition. 16: Water. 3: Battery voltage. 125 . 4: Battery fuse. Definitions of user-defined alarm indexes 1: AC voltage. 6: Rectifier. 13: Fan. 7: DC power. 2: AC switch. 8: Room door. 15: Fog. 17: Diesel. 9: Room door.. 20: Arrester Table 1-30 Factory defaults of the FAN Issue 01 (2012-01-18) Parameter Factory Default Sub-node 1 Fan speed adjustment mode Automatic Report fan alarm Permit Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.

2 Basic Configurations

About This Chapter
Basic configurations mainly include certain common configurations, public configurations, and
pre-configurations in service configurations. There is no obvious logical relation between basic
configurations. You can perform basic configurations according to actual requirements.
2.1 Configuring the License Function
With the license platform enabled, the license server performs license control on the function
entries and resource entries supported by the MA5600T and provides customized services for
users.
2.2 Configuring Alarms
Alarm management includes the following functions: alarm record, alarm setting, and alarm
statistics. These functions help you to maintain the device and ensure that the device works
efficiently.
2.3 Configuring the Network Time
Configure the NTP protocol to keep the time of all devices in the network synchronized, so
that the devices can implement various service applications based on universal
time, such as the network management system and the network accounting system.
2.4 Adding Port Description
After the description of a physical port on the board is added, the description facilitates
information query in system maintenance.
2.5 Configuring the Attributes of an Upstream Ethernet Port
This topic describes how to configure the attributes of a specified Ethernet port so that the system
communicates with the upstream device in the normal state.
2.6 Configuring a VLAN
Configuring VLAN is a prerequisite for configuring a service. Hence, before configuring a
service, make sure that the VLAN configuration based on planning is complete.
2.7 Configuring a VLAN Service Profile
Integrate VLAN-related configurations into the VLAN service profile so that all attributes take
effect immediately after the VLAN service profile is bound to the VLAN. This increases the
configuration efficiency.
2.8 Configuring the User Security
Configuring the security mechanism protects operation users and access users against user
account theft and roaming, and against attacks from malicious users.
2.9 Configuring System Security
This topic describes how to configure the network security and protection measures of the system
to protect the system from malicious attacks.
2.10 Configuring the ACL
This topic describes the type, rule, and configuration of the ACL on the MA5600T.
2.11 Configuring QoS
This topic describes how to configure quality of service (QoS) on the MA5600T.
2.12 Configuring AAA
This topic describes how to configure the AAA on the MA5600T, including configuring the
MA5600T as the local and remote AAA servers.
2.13 Configuring ANCP
Access Node Control Protocol (ANCP) is used to implement the functions such as topology
discovery, line configuration, and L2C OAM on the user ports. The MA5600T establishes an
ANCP session according to the GSMP communication IP address configured in the network
access server (NAS).

2.1 Configuring the License Function
With the license platform enabled, the license server performs license control on the function
entries and resource entries supported by the MA5600T and provides customized services for
users.

Prerequisites
The license platform must be enabled.

Application Context
The license platform provides the registration mechanism for the service modules of the
MA5600T. During system initialization, the service modules need to register for the controlled
resource entries or the controlled function entries. After the system starts to work, based on the
controlled entries that are registered, the license client management module obtains the
authentication information about the license controlled entries of the MA5600T from the license
server.
When a service module is configured through the command line interface (CLI) or NMS, the
device checks whether the resource entries of the service module or the function entries of the
service module are overloaded.
• If overload occurs, the system quits the service configuration and displays a prompt of
  insufficient license resources.
• If overload does not occur, the system allows the user to continue configuring and using
  the service. When the service configuration is deleted, the system automatically releases
  the license resources occupied by the service configuration.

Background Information
• The MA5600T adopts the network license solution, that is, a license server is deployed in
  the network. In this case, each MA5600T is like a license client, and the licenses of all the
  clients are managed by the license server in a centralized manner.
• In the management scope of the license server (generally a region or a city), each product
  has only one license file that is stored on the license server. The resources of the product
  that are controlled by the license are defined by the license file. Because one license server
  can manage multiple products, multiple license files can be stored on one license server.

Precautions
If you need to use the license function supported by the MA5600T, be sure to consider the
deployment of the license server in network planning.

Procedure
Step 1 Configure the interface that is for communicating with the license server.
1. Run the vlan command to create a VLAN.
2. Run the port vlan command to add an upstream port to the VLAN.
3. (Optional) Run the native-vlan command to configure the default VLAN of the upstream
   port.
   Whether the native VLAN needs to be set for the upstream port depends on whether the
   upper-layer device connected to the upstream port supports packets carrying a VLAN tag.
   The setting on the MA5600T must be the same as that on the upper-layer device.
4. Run the ip address command to configure the IP address of the VLAN L3 interface so that
   the IP packets in the VLAN are forwarded by using this IP address.
5. Run the ip route-static command to configure the static route to the license server.

Step 2 Run the license esn command to configure the ESN of the device.
Each client of the license server is uniquely identified by the ESN. The ESN should be configured
if the user enables the license function. The ESN can be the NMS IP address of the device or
the IP address of the VLAN L3 interface.
Step 3 Run the license server command to configure the license server.
If the user enables the license function, configure the IP address and TCP port ID of the license
server so that the license server can communicate with the client.
Step 4 Run the display license info command to query the communication status between the device
and the license server.
----End

Example
To set the smart VLAN ID of the MA5600T to 10, set the IP address of the L3 interface
to 10.10.10.10/24, configure the MA5600T to communicate with the license server (IP address:
10.20.20.2/24) through port 0/17/0, and set the TCP port ID to 10010, do as follows:
huawei(config)#vlan 10 smart
huawei(config)#port vlan 10 0/17/0
huawei(config)#interface vlanif 10
huawei(config-if-vlanif10)#ip address 10.10.10.10 24
huawei(config-if-vlanif10)#quit
huawei(config)#ip route-static 10.20.20.0 24 10.10.10.1
huawei(config)#license esn 10.10.10.10
huawei(config)#license server ipaddress 10.20.20.2 tcpport 10010

2.2 Configuring Alarms
Alarm management includes the following functions: alarm record, alarm setting, and alarm
statistics. These functions help you to maintain the device and ensure that the device works
efficiently.

Background Information
An alarm refers to the notification of the system after a fault is detected. After an alarm is
generated, the system broadcasts the alarm to the terminals, mainly including the NMS and
command line interface (CLI) terminals.
Alarms are classified into fault alarm and recovery alarm. After a fault alarm is generated at a
certain time, the fault alarm lasts till the fault is rectified to clear the alarm.
You can modify the alarm settings according to your requirements. The settings are alarm
severity, alarm output mode through the CLI and alarm statistics switch.
When managing alarms on the GUI through the NMS, you can set filtering criteria to mask
unimportant alarms and events. This filtering helps you focus on the important
alarms and relieves the load on the NMS.

Procedure
• You can run the alarm active clear command to clear the alarms that are not recovered in
  the system.
  – When an active alarm lasts a long time, you can run this command to clear the alarm.
  – Before clearing an alarm, you can run the display alarm active command to query the
    currently active alarms.
• Run the alarm alarmlevel command to configure the alarm level.
  – Alarm levels are critical, major, minor, and warning.
  – Parameter default indicates restoring the alarm level to the default setting.
  – You can run the display alarm list command to query the alarm level.
  – The system specifies the default (also recommended) alarm level for each alarm. Use
    the default alarm level unless otherwise required.
• Run the alarm jitter-proof command to configure the alarm jitter-proof function and the
  jitter-proof period.
  – To prevent a fault alarm and its recovery alarm from being displayed frequently, you
    can enable the alarm jitter-proof function to filter alarms in the system.
  – After the alarm jitter-proof function is enabled, the alarm in the system is not reported
    to the NMS immediately but is reported to the NMS after an alarm jitter-proof period.
  – If an alarm is recovered in an alarm jitter-proof period, the alarm is not reported to the
    NMS.
  – You can run the display alarm jitter-proof command to check whether the alarm
    jitter-proof function is enabled and whether the alarm jitter-proof period is set.
  – By default, the alarm jitter-proof function is disabled. You can determine whether to
    enable the function according to the running of the device.
• Run the (undo) alarm output command to set or shield the output of alarms to the CLI
  terminal.
  – Setting the output mode of alarms does not affect the generating of alarms. The alarms
    generated by the system are still recorded. You can run the display alarm history
    command to query the alarms that are shielded.
  – When the new output mode of an alarm conflicts with the previous mode, the new output
    mode takes effect.
  – The output mode of the recovery alarm is the same as the output mode of the fault alarm.
    When the output mode of the fault alarm is set, the system automatically synchronizes
    the output mode of its recovery alarm. The reverse is also applicable.
• Run the alarm-event statistics period command to set the alarm statistics collection
  period.
  – You can use the statistical result of alarms and events to locate a problem in the system.
  – You can run the display alarm statistics command to query the alarm statistical record.

• Run the display alarm configuration command to query the alarm configuration according
  to the alarm ID. The alarm configuration that you can query includes the alarm ID, alarm
  name, alarm class, alarm type, alarm level, default alarm level, number of parameters, CLI
  output flag, conversion flag, and detailed alarm description.
• Run the display alarm statistics command to query the alarm statistical record.
  – When you need to know the frequency in which one alarm occurs within a time range,
    and to know the working conditions of the device and analyze the fault that may exist,
    run this command.
  – Currently, you can query the alarm statistics in the current period and previous period
    in the system.
• Run the trap filter alarm condition command to filter alarms that the device reports to
  the NMS through traps.
  The filtering criteria can be alarm ID, alarm severity, alarm type, subrack ID, subrack ID/
  slot ID, subrack ID/slot ID/port ID, VLAN interface, and NE.
  To reduce alarms and avoid alarm storms, the system does not send alarms of some ONTs
  to the NMS. To query the filtering criteria of alarms and events in the system, run the
  display trap filter command.
• In FTTH scenarios, you can configure the ONT alarm policy profile to configure alarms
  for different service policies.
  1. Create an ONT alarm policy profile.
     Run the ont-alarm-policy command to create an ONT alarm policy profile.
     The system supports a maximum number of 16 alarm policy profiles. The default
     alarm policy profile is profile 0.
     It is recommended that you configure different alarm policies for VIP and common
     users.
  2. Configure attributes of the ONT alarm policy profile.
     Run the alarm filter command to configure the control function of each alarm of the
     profile.
     Run the commit command to save the configuration.
     Run the display ont-alarm-policy command to query attributes of the ONT alarm
     policy profile.
  3. Bind the ONT to the ONT alarm policy profile.
     Run the ont alarm-policy command to bind the ONT to the ONT alarm policy profile
     so that the PON board can control whether to send the ONT alarm information.
     During ONT adding or confirmation, the system binds the ONT to the default ONT
     alarm policy profile 0.

----End

Example
To shield the output of all alarms at level warning to the CLI terminal, enable the alarm
jitter-proof function, set the alarm jitter-proof period to 15s, and change the level of the
alarms with IDs 0x0a310021 and 0x2e314021 to critical, do as follows:
huawei(config)#undo alarm output alarmlevel warning
huawei(config)#alarm jitter-proof on
huawei(config)#alarm jitter-proof 15
huawei(config)#alarm alarmlevel 0x0a310021 critical
huawei(config)#alarm alarmlevel 0x2e314021 critical

To mask the online and offline alarm of the ONT (alarm IDs 0x2e11a00b and 0x2e12a00b) so
that normal operations are not affected by too many alarms, do as follows:
huawei(config)#undo alarm output alarmid 0x2e11a00b
huawei(config)#undo alarm output alarmid 0x2e12a00b

To create ONT alarm policy profile 10, filter the following alarms, and bind this profile to GPON
ONT 1 connected to port 0/3/0, do as follows:
• 0x2e112003 (The signal degrade of ONTi (SDi) occurs)
• 0x2e112004 (The signal fail of ONTi (SFi) occurs)
• 0x2e112006 (The loss of frame of ONTi (LOFi) occurs)
• 0x2e313015 (The hardware of the ONT is faulty)
• 0x2e313016 (The ONT switches to the standby battery)
• 0x2e313017 (The standby battery of the ONT is lost)
• 0x2e313018 (The standby battery of the ONT cannot be charged)
• 0x2e313019 (The voltage of the standby battery of the ONT is too low)
• 0x2e31301a (The shell of the ONT is opened)
• 0x2e313024 (The loss of signals occurs on the ethernet port of the ONT)
• 0x2e313025 (No signal is received in the video UNI of the ONT)
• 0x2e31302a (The E1/T1 port loss of signal (LOS) occurs at the ONT)

huawei(config)#ont-alarm-policy policy-id 10
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e112003
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e112004
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e112006
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e313015
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e313016
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e313017
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e313018
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e313019
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e31301a
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e313024
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e313025
huawei(config-ont-alarm-policy-10)#alarm filter 0x2e31302a
huawei(config-ont-alarm-policy-10)#commit
huawei(config-ont-alarm-policy-10)#quit
huawei(config)#interface gpon 0/3
huawei(config-if-gpon-0/3)#ont alarm-policy 0 1 policy-id 10
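
The jitter-proof rule described in the procedure above, modelled on a constructed event list to show which alarms reach the NMS with the 15s period used in the example. This is an added illustration, not code from the guide or the device software. It assumes that a recovery alarm is reported only if its fault alarm was reported and that a period of 0 behaves like the disabled function; the function names are hypothetical.

```python
# Constructed sample events: (time in seconds, alarm ID, "fault" or "recovery").
# The alarm IDs are taken from the list in this section; the timings are invented.
EVENTS = [
    (0,  "0x2e31301a", "fault"),     # shell of the ONT is opened ...
    (5,  "0x2e31301a", "recovery"),  # ... and closed again 5s later
    (20, "0x2e313024", "fault"),     # loss of signals on the ONT ethernet port
    (50, "0x2e313024", "recovery"),
    (60, "0x2e313015", "fault"),     # ONT hardware fault, never recovered
]


def nms_reports(events, period):
    """Return the (report time, alarm ID, kind) tuples that reach the NMS.

    A fault is held for `period` seconds. If its recovery arrives before the
    period expires, neither is reported. Otherwise the fault is reported when
    the period expires and the later recovery is reported when it occurs.
    """
    pending = {}      # alarm ID -> time the fault was raised, still held back
    active = set()    # alarm IDs whose fault has been reported to the NMS
    reports = []

    def flush(now):
        # Report every held fault whose jitter-proof period has expired.
        for alarm_id, start in sorted(pending.items(), key=lambda kv: kv[1]):
            if now is None or start + period <= now:
                reports.append((start + period, alarm_id, "fault"))
                active.add(alarm_id)
                del pending[alarm_id]

    for time_s, alarm_id, kind in sorted(events):
        flush(time_s)
        if kind == "fault":
            if alarm_id not in pending and alarm_id not in active:
                pending[alarm_id] = time_s
        elif alarm_id in pending:
            del pending[alarm_id]          # recovered inside the period: dropped
        elif alarm_id in active:
            active.discard(alarm_id)
            reports.append((time_s, alarm_id, "recovery"))
    flush(None)                            # faults still held at end of input
    return reports


def suppressed(events, period):
    """Alarm IDs that raised a fault but never produced an NMS report."""
    raised = {a for _, a, kind in events if kind == "fault"}
    reported = {a for _, a, kind in nms_reports(events, period) if kind == "fault"}
    return raised - reported


if __name__ == "__main__":
    for row in nms_reports(EVENTS, 15):
        print(row)
    print("never reported:", sorted(suppressed(EVENTS, 15)))
```

When choosing the period, compare it with the shortest event you still need to see on the NMS: in this model any fault that clears before the period expires produces no report at all.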

2.3 Configuring the Network Time
Configure the NTP protocol to keep the time of all devices in the network synchronized, so
that the devices can implement various service applications based on universal
time, such as the network management system and the network accounting system.

Background Information
Introduction to the NTP Protocol:
• The Network Time Protocol (NTP) is an application layer protocol defined in RFC 1305,
  which is used to synchronize the times of the distributed time server and the client. The
  RFC defines the structures, algorithms, entities and protocols used in the implementation
  of NTP.
• NTP is developed from the time protocol and the ICMP timestamp message protocol, with
  special design on the aspects of accuracy and robustness.
• NTP runs over UDP with port number 123.
• Any local system that runs NTP can be time synchronized by other clock sources, and also
  act as a clock source to synchronize other clocks. In addition, mutual synchronization can
  be done through NTP packet exchanges.

NTP is applied to the following situations where all the clocks of hosts or routers in a network
need to be consistent:
• In network management, analyzing log or debugging information collected from
  different routers requires a common time reference.
• The charging system requires the clocks of all devices to be consistent.
• Completing certain functions, for example, a timed restart of all the routers in a network,
  requires the clocks of all the routers to be consistent.
• When several systems work together on the same complicated event, they have to take the
  same clock for reference to ensure the correct implementation order.
• Incremental backup between the backup server and clients requires the clocks on them to be
  synchronized.

When all the devices on a network need to be synchronized, it is almost impossible for an
administrator to manually change the system clock by command line. This is because the work
load is heavy and clock accuracy cannot be ensured. NTP can quickly synchronize the clocks
of network devices and ensure their precision.
There are four NTP modes: server/client, peer, broadcast and multicast modes. The MA5600T
supports all these modes.

Default Configuration
Table 2-1 provides the default configuration for NTP.
Table 2-1 Default configuration for NTP

Parameter                                Default Value
NTP-service authentication function      Disable
NTP-service authentication key           None
The maximum allowed number of sessions   100
Clock stratum                            16

2.3.1 (Optional) Configuring NTP Authentication
This topic describes how to configure NTP authentication to improve the network security and
prevent unauthorized users from modifying the clock.

Prerequisites
Before configuring the NTP client/server mode, make sure that the network interface and the
routing protocol of the MA5600T are configured so that the server and the client are reachable
to each other at the network layer.

Background Information
In certain networks that have strict requirements on security, enable NTP authentication when
running the NTP protocol. Configuring NTP authentication is classified into configuring NTP
authentication on the client and configuring NTP authentication on the server.

Precautions
• If NTP authentication is not enabled on the client, the client can synchronize with the server,
  regardless of whether NTP authentication is enabled on the server.
• If NTP authentication is enabled, a reliable key should be configured.
• The configuration of the server must be the same as that of the client.
• When NTP authentication is enabled on the client, the client can pass the authentication if
  the server is configured with the same key as that of the client. In this case, you need not
  enable NTP authentication on the server or declare that the key is reliable.
• The client synchronizes with only the server that provides the reliable key. If the key
  provided by the server is unreliable, the client does not synchronize with the server.
• The flow of configuring NTP authentication is as follows: start->enable NTP
  authentication->configure the reliable NTP authentication key->declare the reliable key->end.

Procedure
Step 1 Run the ntp-service authentication enable command to enable NTP authentication.
Step 2 Run the ntp-service authentication-keyid command to set an NTP authentication key.
Step 3 Run the ntp-service reliable authentication-keyid command to declare that the key is reliable.
----End

Example
To enable NTP authentication, set the NTP authentication key as aNiceKey with the key number
42, and then define key 42 as a reliable key, do as follows:
huawei(config)#ntp-service authentication enable
huawei(config)#ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
huawei(config)#ntp-service reliable authentication-keyid 42
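
What the client-side check configured above amounts to, shown as an added example that is not part of the guide or of the device software. It assumes the usual NTP symmetric-key layout (48-byte header, then a 32-bit key ID, then the 16-byte MD5 digest of the key followed by the header); the function names and the sample packet are constructed, and the key ID and key are the ones from the example above.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48      # fixed NTP header
KEY_ID_LEN = 4       # 32-bit key identifier
DIGEST_LEN = 16      # MD5 output
MODE_BROADCAST = 5   # mode value of a broadcast clock synchronization packet


def build_header(mode, stratum, transmit_ts):
    """Constructed minimal header: LI=0, VN=3, the given mode and stratum."""
    header = bytearray(HEADER_LEN)
    header[0] = (0 << 6) | (3 << 3) | mode
    header[1] = stratum
    struct.pack_into("!Q", header, 40, transmit_ts)   # transmit timestamp
    return bytes(header)


def sign(header, key_id, key):
    """Server side: append the key ID and MD5(key + header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, keys, reliable_ids):
    """Client side with NTP authentication enabled. Returns (accepted, reason).

    keys         -- {key ID: key bytes}, as set with authentication-keyid
    reliable_ids -- key IDs declared with reliable authentication-keyid
    """
    if len(packet) != HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False, "no authenticator"
    header = packet[:HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + KEY_ID_LEN])
    digest = packet[HEADER_LEN + KEY_ID_LEN:]
    if key_id not in keys:
        return False, "unknown key id"
    if key_id not in reliable_ids:
        return False, "key not declared reliable"
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(digest, expected):     # constant-time compare
        return False, "bad MAC"
    return True, "ok"


def demo():
    """Run the check over constructed packets and return each verdict."""
    keys = {42: b"aNiceKey"}
    header = build_header(MODE_BROADCAST, 2, 0xD2A0000000000000)
    genuine = sign(header, 42, keys[42])
    tampered = bytearray(genuine)
    tampered[40] ^= 0x01                               # alter the timestamp
    return {
        "genuine": verify(genuine, keys, {42}),
        "timestamp altered": verify(bytes(tampered), keys, {42}),
        "signed with another key": verify(sign(header, 42, b"guess"), keys, {42}),
        "key 42 not declared reliable": verify(genuine, keys, set()),
        "no authenticator": verify(header, keys, {42}),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```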

2.3.2 Configuring the NTP Broadcast Mode
This topic describes how to configure the MA5600T for clock synchronization in the NTP
broadcast mode. After the configuration is completed, the server periodically broadcasts clock
synchronization packets through a specified port, and the client listens to the broadcast packets
sent from the server and synchronizes the local clock according to the received broadcast packets.

Prerequisites
Before configuring the NTP broadcast mode, make sure that the network interface and the
routing protocol of the MA5600T are configured so that the server and the client are reachable
to each other at the network layer.

Background Information
In the broadcast mode, the server periodically sends clock synchronization packets to the
broadcast address 255.255.255.255, with the mode field set to 5 (indicating the broadcast mode).
The client listens to the broadcast packets sent from the server. After receiving the first
broadcast packet, the client exchanges NTP packet whose mode fields are set to 3 (client mode)
and 4 (server mode) with the server to estimate the network delay between the client and the
server. The client then enters the broadcast client mode, continues to listen to the incoming
broadcast packets, and synchronizes the local clock according to the incoming broadcast packets,
as shown in Figure 2-1.
Figure 2-1 NTP broadcast mode

Precautions
1. In the broadcast mode, you should configure both the NTP server and the NTP client.
2. The clock stratum of the synchronizing device must be higher than or equal to that of the
   synchronized device. Otherwise, the clock synchronization fails.

Procedure
• Configure the NTP broadcast server host.
  1. Run the ntp-service refclock-master command to configure the local clock as the master
     NTP clock, and specify the stratum of the master NTP clock.
  2. (Optional) Configure NTP authentication.
     In certain networks that have strict requirements on security, it is recommended that you
     enable NTP authentication when running the NTP protocol. The configuration of the server
     must be the same as that of the client.
     a. Run the ntp-service authentication enable command to enable NTP authentication.
     b. Run the ntp-service authentication-keyid command to set an NTP authentication key.
     c. Run the ntp-service reliable authentication-keyid command to declare that the key is
        reliable.
  3. Add a VLAN L3 interface.
     a. Run the vlan command to create a VLAN.
     b. Run the port vlan command to add an upstream port to the VLAN so that the user packets
        carrying the VLAN tag are transmitted upstream through the upstream port.
     c. In the global config mode, run the interface vlan command to create a VLAN interface,
        and then enter the VLAN interface mode to configure the L3 interface.
     d. Run the ip address command to configure the IP address and subnet mask of the VLAN
        interface so that the IP packets in the VLAN can participate in the L3 forwarding.
  4. Run the ntp-service broadcast-server command to configure the NTP broadcast server mode
     of the host, and specify the key ID for the server to send packets to the client.
• Configure the NTP broadcast client host.
  1. (Optional) Configure NTP authentication.
     In certain networks that have strict requirements on security, it is recommended that you
     enable NTP authentication when running the NTP protocol. The configuration of the server
     must be the same as that of the client.
     a. Run the ntp-service authentication enable command to enable NTP authentication.
     b. Run the ntp-service authentication-keyid command to set an NTP authentication key.
     c. Run the ntp-service reliable authentication-keyid command to declare that the key is
        reliable.
  2. Add a VLAN L3 interface.
     a. Run the vlan command to create a VLAN.
     b. Run the port vlan command to add an upstream port to the VLAN so that the user packets
        carrying the VLAN tag are transmitted upstream through the upstream port.
     c. In the global config mode, run the interface vlan command to create a VLAN interface,
        and then enter the VLAN interface mode to configure the L3 interface.

----End Example Assume the following configurations: MA5600T_S uses the local clock as the master NTP clock on stratum 2 and works in the NTP broadcast mode. The client listens to the multicast packets sent from the server. the server periodically sends clock synchronization packets to the multicast address configured by the user. and synchronizes the local clock according to the incoming multicast packets.3 Configuring the NTP Multicast Mode This topic describes how to configure the MA5600T for clock synchronization in the NTP multicast mode.10.10. After the configuration is completed. To perform these configurations. 2 Basic Configurations Run the ip address command to configure the IP address and subnet mask of the VLAN interface so that the IP packets in the VLAN can participate in the L3 forwarding.10 24 huawei(config-if-vlanif2)#ntp-service broadcast-server huawei(config-if-vlanif2)#quit 2.1 is used if the multicast address is not configured. and the client listens to the multicast packets sent from the server and synchronizes the local clock according to the received multicast packets. On MA5600T_S: huawei(config)#ntp-service refclock-master 2 huawei(config)#vlan 2 standard huawei(config)#port vlan 2 0/17 0 huawei(config)#interface vlanif 2 huawei(config-if-vlanif2)#ip address 10.10. the server periodically multicasts clock synchronization packets through a specified port. 137 . On MA5600T_C: huawei(config)#vlan 2 standard huawei(config)#port vlan 2 0/17 0 huawei(config)#interface vlanif 2 huawei(config-if-vlanif2)#ip address 10. continues to listen to the incoming multicast packets.10. After receiving the first multicast packet. broadcasting clock synchronization packets periodically through IP address 10. The mode field of clock synchronization packet is set to 5 (multicast mode). Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. 
the client exchanges NTP packet whose mode fields are set to 3 (client mode) and 4 (server mode) with the server to estimate the network delay between the client and the server. make sure that the network interface and the routing protocol of the MA5600T are configured so that the server and the client are reachable to each other at the network layer.20 24 huawei(config-if-vlanif2)#ntp-service broadcast-client huawei(config-if-vlanif2)#quit 2.10.10.3. Run the ntp-service broadcast-client command to configure a host as the NTP broadcast client. Ltd. as shown in Figure 2-2.10. The client then enters the multicast client mode.10/24 of the L3 interface of VLAN 2.. and MA5600T_C functions as the NTP client. The default NTP multicast address 224.0.1. Prerequisites Before configuring the NTP multicast mode. Background Information In the multicast mode.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide d. 3. do as follows: 1.10. listening to the broadcast packets sent from the server through IP address 10.20/24 of the L3 interface of VLAN 2 and synchronizing with the clock on the broadcast server.

Run the ntp-service authentication enable command to enable NTP authentication. Run the port vlan command to add an upstream port to the VLAN so that the user packets carrying the VLAN tag are transmitted upstream through the upstream port. The clock stratum of the synchronizing device must be higher than or equal to that of the synchronized device. c. b. Issue 01 (2012-01-18) a. Add a VLAN L3 interface. In the global config mode. 138 . d. Ltd. The configuration of the server must be the same as that of the client. b. Run the ntp-service authentication-keyid command to set an NTP authentication key.. Procedure 1. and specify the stratum of the master NTP clock. 3. 2. (Optional) Configure NTP authentication. Otherwise. it is recommended that you enable NTP authentication when running the NTP protocol. 2. Run the ip address command to configure the IP address and subnet mask of the VLAN interface so that the IP packets in the VLAN can participate in the L3 forwarding. In certain networks that have strict requirements on security. a. Run the ntp-service reliable authentication-keyid command to declare that the key is reliable.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 2 Basic Configurations Figure 2-2 NTP multicast mode Precautions 1. l Configure the NTP multicast server host. Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. c. and then enter the VLAN interface mode to configure the L3 interface. Run the vlan command to create a VLAN. run the interface vlan command to create a VLAN interface. In the multicast mode. the clock synchronization fails. Run the ntp-service refclock-master command to configure the local clock as the master NTP clock. you should configure both the NTP server and the NTP client.

10.10. Run the ntp-service reliable authentication-keyid command to declare that the key is reliable.10.20 24 huawei(config-if-vlanif2)#ntp-service multicast-client huawei(config-if-vlanif2)#quit Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. Run the ntp-service multicast-client command to configure a host as the NTP multicast client.10. Run the port vlan command to add an upstream port to the VLAN so that the user packets carrying the VLAN tag are transmitted upstream through the upstream port. Run the vlan command to create a VLAN. c. b. a. a. 2.10/24 of the L3 interface of VLAN 2. 1. To perform these configurations. Run the ntp-service authentication enable command to enable NTP authentication.10.10. The configuration of the server must be the same as that of the client. In certain networks that have strict requirements on security. multicasting clock synchronization packets periodically through IP address 10. Ltd. b. Add a VLAN L3 interface.10 24 huawei(config-if-vlanif2)#ntp-service multicast-server huawei(config-if-vlanif2)#quit 2. it is recommended that you enable NTP authentication when running the NTP protocol. 139 . d.10. do as follows: 1. (Optional) Configure NTP authentication.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 4. ----End Example Assume the following configurations: MA5600T_S uses the local clock as the master NTP clock on stratum 2 and works in the NTP multicast mode. In the global config mode. and MA5600T_C functions as the NTP client. On MA5600T_S: huawei(config)#ntp-service refclock-master 2 huawei(config)#vlan 2 standard huawei(config)#port vlan 2 0/17 0 huawei(config)#interface vlanif 2 huawei(config-if-vlanif2)#ip address 10. run the interface vlan command to create a VLAN interface.20/24 of the L3 interface of VLAN 2 and synchronizing with the clock on the multicast server. Configure the NTP multicast client host. c.10. 
Run the ntp-service authentication-keyid command to set an NTP authentication key. 3. l 2 Basic Configurations Run the ntp-service multicast-server command to configure the NTP multicast server mode of the host. and then enter the VLAN interface mode to configure the L3 interface. listening to the multicast packets sent from the server through IP address 10. Run the ip address command to configure the IP address and subnet mask of the VLAN interface so that the IP packets in the VLAN can participate in the L3 forwarding.. and specify the key ID for the server to send packets to the client. On MA5600T_C: huawei(config)#vlan 2 standard huawei(config)#port vlan 2 0/17 0 huawei(config)#interface vlanif 2 huawei(config-if-vlanif2)#ip address 10.
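The mode field values and the optional NTP authentication described in 2.3.2 and 2.3.3 can be checked on captured packets. The following is an added example, not code from this guide or from the device: it assumes the standard NTP symmetric-key trailer (4-byte key ID followed by an MD5 digest of key plus header), and the key ID 42, the key string and all packets are constructed.

```python
import hashlib
import hmac
import struct

# Mode field values named in this guide (low 3 bits of the first header byte).
MODES = {1: "active peer", 2: "passive peer", 3: "client",
         4: "server", 5: "broadcast/multicast"}
HEADER_LEN = 48        # fixed NTP header
MAC_LEN = 4 + 16       # key ID + MD5 digest (assumed symmetric-key scheme)

KEY = b"constructed-secret"     # constructed sample key
TRUSTED = {42: KEY}             # constructed key ID -> key, as shared by server and client


def build_packet(mode, stratum, key_id=None, key=None, version=3):
    """Build a constructed NTP packet; timestamps are left zero for brevity."""
    first = (0 << 6) | (version << 3) | mode          # LI = 0, VN, Mode
    header = struct.pack("!BBbb", first, stratum, 6, -20) + bytes(HEADER_LEN - 4)
    if key_id is None:
        return header
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def inspect_packet(packet, trusted_keys):
    """Return (mode, stratum, authentication status) for one NTP packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short NTP packet")
    mode = packet[0] & 0x07
    stratum = packet[1]
    if len(packet) == HEADER_LEN:
        return mode, stratum, "unauthenticated"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return mode, stratum, "unsupported-trailer"
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return mode, stratum, "untrusted-key"
    expected = hashlib.md5(key + packet[:HEADER_LEN]).digest()
    # Constant-time comparison of the received digest with the expected one.
    if hmac.compare_digest(expected, packet[HEADER_LEN + 4:]):
        return mode, stratum, "ok"
    return mode, stratum, "bad-mac"


def accept_broadcast(packet, trusted_keys, require_auth=True):
    """Client-side policy: take time only from mode 5 packets, authenticated if required."""
    mode, _stratum, auth = inspect_packet(packet, trusted_keys)
    if mode != 5:
        return False
    if require_auth:
        return auth == "ok"
    return auth in ("ok", "unauthenticated")


# Constructed sample packets.
GENUINE = build_packet(5, 2, 42, KEY)            # server on stratum 2, trusted key
NO_MAC = build_packet(5, 1)                      # broadcast packet without a MAC
WRONG_KEY = build_packet(5, 1, 42, b"other")     # right key ID, wrong key
UNKNOWN_ID = build_packet(5, 1, 7, KEY)          # key ID the client does not trust

if __name__ == "__main__":
    for label, pkt in (("genuine", GENUINE), ("no MAC", NO_MAC),
                       ("wrong key", WRONG_KEY), ("unknown key ID", UNKNOWN_ID)):
        mode, stratum, auth = inspect_packet(pkt, TRUSTED)
        print(label, MODES.get(mode, mode), "stratum", stratum, auth,
              "accepted" if accept_broadcast(pkt, TRUSTED) else "dropped")
```

With authentication required, a broadcast client that listens on 255.255.255.255 or 224.0.1.1 only follows packets whose digest matches a key it has declared reliable; without it, any mode 5 packet on the segment is a candidate time source.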

2.3.4 Configuring the Unicast NTP Client

This topic describes how to configure the MA5600T as the NTP client to synchronize with the NTP server in the network.

Prerequisites

Before configuring the NTP client/server mode, make sure that the network interface and the routing protocol of the MA5600T are configured so that the server and the client are reachable to each other at the network layer.

Background Information

In the client/server mode, the client sends a synchronization packet to the server, with the mode field set to 3 (client mode). After receiving the packet, the server automatically enters the server mode and sends a response packet with the mode field set to 4 (server mode). After receiving the response from the server, the client filters and selects the clock, and synchronizes with the preferred server, as shown in Figure 2-3.

Figure 2-3 NTP client/server mode

Precautions

1. In the client/server mode, you need to configure only the client, and need not configure the server.
2. The clock stratum of the synchronizing device must be lower than or equal to that of the synchronized device. Otherwise, the clock synchronization fails.

Procedure

Step 1 Add a VLAN L3 interface.
  1. Run the vlan command to create a VLAN.
  2. Run the port vlan command to add an upstream port to the VLAN so that the user packets carrying the VLAN tag are transmitted upstream through the upstream port.
  3. In the global config mode, run the interface vlan command to create a VLAN interface, and then enter the VLAN interface mode to configure the L3 interface.
  4. Run the ip address command to configure the IP address and subnet mask of the VLAN interface so that the IP packets in the VLAN can participate in the L3 forwarding.

Step 2 Run the ntp-service unicast-server command to configure the NTP unicast server mode, and specify the IP address of the remote server that functions as the local timer server and the interface for transmitting and receiving NTP packets.

  NOTE
  - In this command, ip-address is a unicast address, which cannot be a broadcast address, a multicast address, or the IP address of a local clock.
  - After the source interface of the NTP packets is specified by source-interface, the source IP address of the NTP packets is configured as the primary IP address of the specified interface.
  - A server can function as a time server to synchronize other devices only after its clock is synchronized.
  - When the clock stratum of the server is higher than or equal to that of the client, the client does not synchronize with the server.
  - You can run the ntp-service unicast-server command for multiple times to configure multiple servers. Then, the client selects the best server according to clock priorities.

Step 3 (Optional) Configure the ACL rules.
  Filter the packets that pass through the L3 interface. Only the IP packet from the clock server is allowed to access the L3 interface. Other unauthorized packets are not allowed to access the L3 interface. It is recommended to use the ACL rules for the system that has high requirements on security.
  1. Run the acl adv-acl-number command to create an ACL.
  2. Run the rule command to classify traffic according to the source IP address, destination IP address, type of the protocol over IP, and features or protocol of the packet, allowing or forbidding the data packets that meet related conditions to pass.
  3. Run the packet-filter command to configure an ACL filtering rule for a specified port, and make the configuration take effect.

----End

Example

Assume the following configurations: One MA5600T functions as the NTP server (IP address: 10.20.20.20/24), the other MA5600T (IP address of the L3 interface of VLAN 2: 10.10.10.10/24, gateway IP address: 10.10.10.1) functions as the NTP client, the NTP client sends the clock synchronization request packet through the VLAN L3 interface to the NTP server, the NTP server responds to the request packet, and ACL rules are configured to allow only IP packets from the clock server to access the L3 interface. To perform these configurations, do as follows:

huawei(config)#vlan 2 standard
huawei(config)#port vlan 2 0/17 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.10.10.10 24
huawei(config-if-vlanif2)#quit
huawei(config)#ntp-service unicast-server 10.20.20.20 source-interface vlanif 2
huawei(config)#acl 3050
huawei(config-acl-adv-3050)#rule deny ip source any destination 10.10.10.10 0.0.0.0
huawei(config-acl-adv-3050)#rule permit ip source 10.20.20.20 0.0.0.0 destination 10.10.10.10 0.0.0.0
huawei(config-acl-adv-3050)#quit
huawei(config)#packet-filter inbound ip-group 3050 port 0/17/0

2.3.5 Configuring the NTP Peer

This topic describes how to configure the MA5600T for clock synchronization in the NTP peer mode. In the peer mode, configure only the active peer, and the passive peer need not be configured.

Prerequisites

Before configuring the NTP peer mode, make sure that the network interface and the routing protocol of the MA5600T are configured so that the server and the client are reachable to each other at the network layer.

Background Information

In the peer mode, the active peer and the passive peer exchange NTP packets whose mode fields are set to 3 (client mode) and 4 (server mode). Then, the active peer sends a clock synchronization packet to the passive peer, with the mode field of the packet set to 1 (active peer). After receiving the packet, the passive peer automatically works in the passive mode and sends a response packet with the mode field set to 2 (passive peer). Through packet exchange, the peer mode is set up. The active peer and the passive peer can synchronize with each other. If both the clock of the active peer and that of the passive peer are synchronized, the clock on a lower stratum is used, as shown in Figure 2-4.

Figure 2-4 NTP peer mode

Precautions

1. In the peer mode, you need to configure the NTP mode only on the active peer.
2. In the peer mode, the active peer and the passive peer can synchronize with each other. The peer with a higher clock stratum is synchronized by the peer with a lower clock stratum. The peers determine clock synchronization according to the clock stratum instead of according to whether the peer is an active peer.

Procedure

Step 1 Configure the NTP active peer.
  1. Run the ntp-service refclock-master command to configure the local clock as the master NTP clock, and specify the stratum of the master NTP clock.
  2. Run the ntp-service unicast-peer command to configure the NTP peer mode, and specify the IP address of the remote server that functions as the local timer server and the interface for transmitting and receiving NTP packets.

  NOTE
  - In this command, ip-address is a unicast address, which cannot be a broadcast address, a multicast address, or the IP address of a reference clock.
  - After the source interface of the NTP packets is specified by source-interface, the source IP address of the NTP packets is configured as the primary IP address of the specified interface.

Step 2 Add a VLAN L3 interface.
  1. Run the vlan command to create a VLAN.
  2. Run the port vlan command to add an upstream port to the VLAN so that the user packets carrying the VLAN tag are transmitted upstream through the upstream port.
  3. In the global config mode, run the interface vlan command to create a VLAN interface, and then enter the VLAN interface mode to configure the L3 interface.
  4. Run the ip address command to configure the IP address and subnet mask of the VLAN interface so that the IP packets in the VLAN can participate in the L3 forwarding.

----End

Example

Assume the following configurations: One MA5600T functions as the NTP active peer (IP address of the L3 interface of VLAN 2: 10.10.10.10/24) and works on clock stratum 4, the other MA5600T (IP address: 10.10.10.20/24) functions as the NTP passive peer, the active peer sends a clock synchronization request packet through the VLAN L3 interface to the passive peer, the passive peer responds to the request packet, and the peer with a higher clock stratum is synchronized by the peer with a lower clock stratum. To perform these configurations, do as follows:

huawei(config)#ntp-service refclock-master 4
huawei(config)#ntp-service unicast-peer
huawei(config)#vlan 2 standard
huawei(config)#port vlan 2 0/17 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.10.10.10 24
huawei(config-if-vlanif2)#quit

2.4 Adding Port Description

After the description of a physical port on the board is added, the description facilitates information query in system maintenance. Port description is a character string, used to identify a port on a board in a slot of a shelf.

Prerequisites

A board must be added to the system.

Procedure

Step 1 In the global config mode, run the port desc command to add port description.

Step 2 Run the display port desc command to query port description.

----End

Example

Plan the format of user port description as "community ID-building ID-floor ID/shelf ID-slot ID-port ID". "Community ID-building ID-floor ID" indicates the physical location where the user terminal is deployed, and "shelf ID-slot ID-port ID" indicates the physical port on the local device that is connected to the user terminal. This plan can present the user terminal location and the connection between the user terminal and the device, which facilitates query in maintenance. Assume that the user terminal that is connected to port 0/2/0 of the MA5600T is deployed in floor 1, building 01 of community A. To add port description according to the plan, do as follows:

huawei(config)#port desc 0/2/0 description A-01-01/0-2-0
huawei(config)#display port desc 0/2/0
  ------------------------------------------------------------
  F/ S/ P   IMA Group   Port Description
  ------------------------------------------------------------
  0/ 2/ 0               A-01-01/0-2-0
  ------------------------------------------------------------

2.5 Configuring the Attributes of an Upstream Ethernet Port

This topic describes how to configure the attributes of a specified Ethernet port so that the system communicates with the upstream device in the normal state.

Prerequisites

The board in the GIU slot must be in position and must work in the normal state.

Background Information

The MA5600T should be interconnected with the upstream device through the Ethernet port. Therefore, pay attention to the consistency of port attributes.

Default Configuration

Table 2-2 lists the default settings of the attributes of an Ethernet port.

Table 2-2 Default settings of the attributes of an Ethernet port

| Parameter | Default Setting (Optical Port) | Default Setting (Electrical Port) |
|---|---|---|
| Auto-negotiation mode of the port | Disabled | Enabled |
| Port rate | FE optical port: 100 Mbit/s; GE optical port: 1000 Mbit/s; 10GE optical port: 10000 Mbit/s | NA. NOTE: After the auto-negotiation mode of the port is disabled, you can configure the port rate. |
| Duplex mode | Full-duplex, read only | NA. NOTE: After the auto-negotiation mode of the port is disabled, you can configure the duplex mode. |
| Network cable adaptation mode | Not supported | FE electrical port: auto; GE electrical port: normal |
| Flow control | Disabled | Disabled |

Procedure

- Configure the physical attributes of an Ethernet port.
  1. (Optional) Set the auto-negotiation mode of the Ethernet port.
     Run the auto-neg command to set the auto-negotiation mode of the Ethernet port. You can enable or disable the auto-negotiation mode:
     – After the auto-negotiation mode is enabled, the port automatically negotiates with the peer port for the rate and working mode of the Ethernet port.
     – After the auto-negotiation mode is disabled, the rate and working mode of the port are in the forced mode (adopt default values or are set through command lines).
  2. (Optional) Set the rate of the Ethernet port.
     Run the speed command to set the rate of the Ethernet port. After the port rate is set successfully, the port works at the set rate. Pay attention to the following points:
     – Make sure that the rate of the Ethernet port is the same as that of the interconnected port on the peer device. This prevents communication failure.
     – The auto-negotiation mode should be disabled.
  3. (Optional) Set the duplex mode of the Ethernet port.
     Run the duplex command to set the duplex mode of the Ethernet port. The duplex mode of an Ethernet port can be full-duplex, half-duplex, or auto negotiation. Pay attention to the following points:
     – Make sure that the ports of two interconnected devices work in the same duplex modes. This prevents communication failure.
     – The auto-negotiation mode should be disabled.
  4. (Optional) Configure the network cable adaptation mode of the Ethernet port.
     Run the mdi command to configure the network cable adaptation mode of the Ethernet port to match the actual network cable. The network adaptation modes are as follows:
     – normal: Specifies the adaptation mode of the network cable as straight through cable. In this case, the network cable connecting to the Ethernet port must be a straight-through cable.
     – across: Specifies the adaptation mode of the network cable as crossover cable. In this case, the network cable connecting to the Ethernet port must be a crossover cable.
     – auto: Specifies the adaptation mode of the network cable as auto-sensing. The network cable can be a straight through cable or crossover cable.
     Pay attention to the following points:
     – The Ethernet optical port does not support the network cable adaptation mode.
     – If the Ethernet electrical port works in forced mode (auto-negotiation mode disabled), the network cable type of the port cannot be configured to auto.
- Configure flow control on the Ethernet port.
  Run the flow-control command to enable flow control on the Ethernet port. When the flow of an Ethernet port is heavy, run this command to control the flow to prevent network congestion, which may cause the loss of data packets. Flow control should be supported on both the local and peer devices. By default, flow control is disabled. Pay attention to the following points:
  – If the peer device does not support flow control, generally, disable flow control on the local device.
  – If the peer device supports flow control, generally, enable flow control on the local device.
- Mirror the Ethernet port.
  Run the mirror port command to mirror the Ethernet port. When the system is faulty, copy the traffic of a certain port to the other port and output the traffic for traffic observation, network fault diagnosis, and data analysis.

----End

Example

Ethernet port 0/17/0 is an electrical port, the attribute is as follows: The port rate is 1000 Mbit/s in duplex mode, not supporting auto-negotiation function, with supporting flow control. To configure these attributes, do as follows:

huawei(config)#interface 0/17
huawei(config-if-0/17)#auto-neg 0 disable
huawei(config-if-0/17)#speed 0 1000
huawei(config-if-0/17)#duplex 0 full
huawei(config-if-0/17)#flow-control 0

2.6 Configuring a VLAN

Configuring VLAN is a prerequisite for configuring a service. Hence, before configuring a service, make sure that the VLAN configuration based on planning is complete.

Prerequisites

The VLAN to be added should not exist in the system.

Application Context

VLAN application is specific to user types. For details on the VLAN application, see Table 2-3.

Table 2-3 VLAN application and planning

| User Type | Application Scenario | VLAN Planning |
|---|---|---|
| Household user; Commercial user of the Internet access service | N:1 scenario, that is, the scenario of upstream transmission through a single VLAN, where the services of multiple subscribers are converged to the same VLAN. | VLAN type: smart. VLAN attribute: common. VLAN forwarding mode: by VLAN+MAC |
| Household user; Commercial user of the Internet access service | 1:1 scenario, that is, the scenario of upstream transmission through double VLANs, where the outer VLAN tag identifies a service and the inner VLAN tag identifies a user. The service of each user is indicated by a unique S+C. | VLAN type: smart. Attribute: stacking. VLAN forwarding mode: by S+C |
| Commercial user of the transparent transmission service | Applicable only to the transparent transmission service of a commercial user. | VLAN type: smart. VLAN attribute: QinQ. VLAN forwarding mode: by VLAN+MAC or S+C |

Default Configuration

Table 2-4 lists the default parameter settings of VLAN.

Table 2-4 Default parameter settings of VLAN

| Parameter | Default Setting | Remarks |
|---|---|---|
| Default VLAN of the system | VLAN ID: 1. Type: smart VLAN | You can run the defaultvlan modify command to modify the VLAN type but cannot delete the VLAN. |
| Reserved VLAN of the system | VLAN ID range: 4079-4093 | You can run the vlan reserve command to modify the VLAN reserved by the system. |
| Default attribute of a new VLAN | Common | - |
| VLAN forwarding mode | VLAN+MAC | - |

Procedure

Step 1 Create a VLAN.
  Run the vlan command to create a VLAN. VLANs of different types are applicable to different scenarios.

Table 2-5 VLAN types and application scenarios

| VLAN Type | Configuration Command | VLAN Description | Application Scenario |
|---|---|---|---|
| Standard VLAN | To add a standard VLAN, run the vlan vlanid standard command. | Standard VLAN. Ethernet ports in a standard VLAN are interconnected with each other but Ethernet ports in different standard VLANs are isolated from each other. | Only available to Ethernet ports and specifically to network management and subtending. |
| Smart VLAN | To add a smart VLAN, run the vlan vlanid smart command. | One VLAN may contain multiple xDSL service ports or GPON service ports. The traffic streams of these ports, however, are isolated from each other. In addition, the traffic streams of different VLANs are also isolated. One smart VLAN provides access for multiple subscribers and thus saves VLAN resources. | Smart VLANs can be applied in residential communities to provide xDSL or GPON service access. |
| MUX VLAN | To add a MUX VLAN, run the vlan vlanid mux command. | One MUX VLAN contains only one xDSL service port or GPON service port. The traffic streams in different VLANs are isolated from each other. One-to-one mapping can be set up between a MUX VLAN and an access user. Hence, a MUX VLAN can identify an access user. | MUX VLANs are applicable to xDSL or GPON service access. For example, MUX VLANs can be used to distinguish users. |
| Super VLAN | To add a super VLAN, run the vlan vlanid super command. | The super VLAN is based on layer 3. One super VLAN contains multiple sub-VLANs. Through an ARP proxy, the sub-VLANs in a super VLAN can be interconnected at layer 3. | Super VLANs save IP addresses and improve the utilization of IP addresses. For a super VLAN, sub-VLANs must be configured. You can run the supervlan command to add a sub-VLAN to a specified super VLAN. A sub-VLAN must be a smart VLAN or MUX VLAN. |

  NOTE
  - To add VLANs with consecutive IDs in batches, run the vlan vlanid to end-vlanid command.
  - To add VLANs with inconsecutive IDs in batches, run the vlan vlan-list command.

Step 2 (Optional) Configure the VLAN attribute.
  The default attribute for a new VLAN is "common". You can run the vlan attrib command to configure the attribute of the VLAN. Configure the attribute according to VLAN planning.

Table 2-6 VLAN attributes and application scenarios

| VLAN Attribute | Configuration Command | VLAN Type | VLAN Description | Application Scenario |
|---|---|---|---|---|
| Common | The default attribute for a new VLAN is "common". | The VLAN with this attribute can be a standard VLAN, smart VLAN, MUX VLAN, or super VLAN. | A VLAN with the common attribute can function as a common layer 2 VLAN or function for creating a layer 3 interface. | Applicable to the N:1 access scenario. |
| QinQ VLAN | To configure QinQ as the attribute of a VLAN, run the vlan attrib vlanid q-in-q command. | The VLAN with this attribute can be a standard VLAN, smart VLAN or MUX VLAN. The attribute of a sub VLAN, the VLAN with an L3 interface, and the default VLAN of the system cannot be set to QinQ VLAN. | The packets from a QinQ VLAN contain two VLAN tags, that is, inner VLAN tag from the private network and outer VLAN tag from the MA5600T. Through the outer VLAN, an L2 VPN tunnel can be set up to transparently transmit the services between private networks. | Applicable to the enterprise private line scenario. |
| VLAN Stacking | To configure stacking as the attribute of a VLAN, run the vlan attrib vlanid stacking command. | The VLAN with this attribute can only be a smart VLAN or MUX VLAN. The attribute of a sub VLAN, the VLAN with a Layer 3 interface, and the default VLAN of the system cannot be set to VLAN Stacking. | The packets from a stacking VLAN contain two VLAN tags, that is, inner VLAN tag and outer VLAN tag from the MA5600T. The upper-layer BRAS authenticates the access users according to the two VLAN tags. In this manner, the number of access users is increased. On the upper-layer network in the L2 working mode, a packet can be forwarded directly by the outer VLAN tag and MAC address mode to provide the wholesale service for ISPs. | Applicable to the 1:1 access scenario for the wholesale service or extension of VLAN IDs. In the case of a stacking VLAN, to configure the inner tag of the service port, run the stacking label command. |

  NOTE
  - To configure attributes for the VLANs with consecutive IDs in batches, run the vlan attrib vlanid to end-vlanid command.
  - To configure attributes for the VLANs with inconsecutive IDs in batches, run the vlan attrib vlan-list command.

Step 3 (Optional) Configure VLAN description.
  To configure VLAN description, run the vlan desc command. You can configure VLAN description to facilitate maintenance. The general VLAN description includes the usage and service information of the VLAN.

Step 4 (Optional) Configure the VLAN forwarding policy.
  The default VLAN forwarding policy is VLAN+MAC in the system. vlan-connect corresponds to the S+C forwarding policy, which ensures higher security by solving the problems of insufficiency in the MAC address space, MAC address aging, and MAC address spoofing and attacks.
  You can configure the VLAN forwarding policy in either the global config mode or VLAN service profile configuration mode.
  - In the global config mode, to configure the VLAN forwarding policy, run the vlan forwarding command.
  - In the VLAN service profile configuration mode, to configure the VLAN forwarding policy, do as follows:
    1. Run the vlan service-profile command to create a VLAN service profile and enter the VLAN service profile mode.
    2. Run the forwarding command to configure the VLAN forwarding policy. The default VLAN forwarding mode is VLAN+MAC in the system.
    3. Run the commit command to validate the profile configuration. The configuration of the VLAN service profile takes effect only after execution of this command.
    4. Run the quit command to quit the VLAN service profile mode.
    5. Run the vlan bind service-profile command to bind the VLAN to the VLAN service profile created in 4.1.

----End

Example

Assume that a stacking VLAN with ID of 50 is to be configured for extension of the VLAN. A service port is added to VLAN 50. The outer VLAN tag 50 of the stacking VLAN identifies the access device and the inner VLAN tag 10 identifies the user with access to the device. For the VLAN, description needs to be configured for easy maintenance. To configure such a VLAN, do as follows:

huawei(config)#vlan 50 smart
huawei(config)#vlan attrib 50 stacking
huawei(config)#service-port vlan 50 gpon 0/4/0 ont 1 gemport 126 rx-cttr 6 tx-cttr 6
huawei(config)#stacking label vlan 50 baselabel 10
huawei(config)#vlan desc 50 description stackingvlan/label10

Assume that a QinQ VLAN with ID of 100 is to be configured for an enterprise user to ensure higher security and the VLAN forwarding policy is S+C. For the VLAN, description needs to be configured for easy maintenance. To configure such a VLAN, do as follows:
huawei(config)#vlan 100 smart
huawei(config)#vlan attrib 100 q-in-q
huawei(config)#vlan desc 100 description qinqvlan/forhuawei
huawei(config)#vlan forwarding 100 vlan-connect

2.7 Configuring a VLAN Service Profile
Integrate VLAN-related configurations into the VLAN service profile so that all attributes take effect immediately after the VLAN service profile is bound to the VLAN. This increases the configuration efficiency.

Prerequisite
- The VLAN to which the VLAN service profile is bound must be created.
- After a VLAN service profile is bound to a VLAN, regarding the parameters whose Committed state is NotConfig, the configuration commands that are independent of the VLAN take effect; other parameters adopt the control parameters of the profile. Modifying the feature parameters relevant to the VLAN does not take effect.

Procedure
Step 1 Create a VLAN service profile.
Run the vlan service-profile command to create a VLAN service profile or enter the configuration mode of the VLAN service profile. When the profile does not exist, running this command means to create a VLAN service profile and enter the configuration mode of the service profile. When the profile already exists, running this command means to directly enter the configuration mode of this service profile.

Step 2 Configure parameters of the VLAN service profile.
The VLAN service profile contains VLAN-related configurations. You can select them according to your requirements.
- Run the forwarding command to configure the VLAN forwarding mode. The MA5600T supports two forwarding modes: VLAN+MAC address (vlan-mac) and S+C (vlan-connect). The system forwarding policy differs according to different VLAN forwarding modes.
- Run the packet-policy command to configure the forwarding policy for the broadcast packets, unknown unicast packets, and unknown multicast packets in the VLAN. Two policies, namely forward and discard, are supported.
- Run the bpdu tunnel command to configure the BPDU transparent transmission switch. After transparent transmission is enabled, the L2 BPDUs of the private network can be transmitted transparently over the public network.
- Run the pitp command to configure the PITP function to implement authentication of bound user account and access port.
- Run the pppoe mac-mode command to configure the MAC address allocation mode of the PPPoE user. Two modes, namely single-mac and multi-mac, are supported.

- Run the rip tunnel command to configure the RIP L2 transparent transmission switch. After the transparent transmission switch is enabled, RIP packets can be transparently transmitted at L2 based on VLAN on the MA5600T without running the RIP protocol.
- Run the vtp-cdp tunnel command to configure the VTP/CDP packet transparent transmission switch. After the switch is enabled, VTP/CDP packets are transparently transmitted based on the VLAN.
- Run the user-bridging command to configure the bridging function of the VLAN service profile. After the bridging function is enabled, two users in the same VLAN can directly communicate with each other at L2.
  NOTE
  L2 interoperation is available only to the SCUN control board.
- Run the security anti-ipspoofing command to configure the anti-IP spoofing function. After the anti-IP spoofing function is enabled, the system automatically and dynamically binds the IP address to the user. The packet can be transmitted upstream through the device only when the source IP address of the packet is the same as the bound IP address. Otherwise, the packet is discarded.
- Run the security anti-macspoofing command to configure the anti-MAC spoofing function. After the anti-MAC spoofing function is enabled, the system automatically and dynamically binds the MAC address to the traffic stream. When the source MAC address of the traffic stream is the same as the bound MAC address, the traffic stream can be upstream transmitted through the device. Otherwise, the packets are discarded.
- Run the dhcp option82 command to configure the DHCP option 82 feature.
- Run the dhcp mode command to switch between the DHCP L2 forwarding mode and the L3 forwarding mode.
- Run the dhcp proxy command to configure the DHCP proxy function. After the DHCP proxy function is enabled, the server ID proxy function and lease time proxy function will be enabled.
- Run the igmp mismatch command to configure the mismatch IGMP policy of the VLAN. The transparent and discard policies are supported.
- Run the vmac command to enable or disable VMAC. By default, VMAC is disabled.
- Run the vmac aging-mode command to configure the VMAC aging mode, which can be common aging or DHCP-based aging.
- Run the commit command to commit the current parameter configuration of the VLAN service profile.
  NOTE
  After the configuration is completed, run the commit command to make the configuration take effect.

Step 3 Bind the VLAN service profile to the VLAN.
Run the vlan bind service-profile command to bind the configured VLAN service profile to a specified VLAN. After the binding, the VLAN-level feature control switch is based on the configuration of the VLAN service profile. Independent configuration commands for VLAN-based features are no longer effective.

----End

Example
Add VLAN service profile 3 and bind it to VLAN 100. The profile parameters are planned as follows:

- VLAN forwarding mode: VLAN+MAC address (vlan-mac)
- BPDU transparent transmission: enabled
- Unknown multicast packet: discarded
Adopt the default values for other parameters.
huawei(config)#vlan service-profile profile-id 3
huawei(config-vlan-srvprof-3)#forwarding vlan-mac
huawei(config-vlan-srvprof-3)#bpdu tunnel enable
huawei(config-vlan-srvprof-3)#packet-policy multicast discard
huawei(config-vlan-srvprof-3)#commit
huawei(config-vlan-srvprof-3)#quit
huawei(config)#vlan bind service-profile 100 profile-id 3

2.8 Configuring the User Security
Configuring the security mechanism can protect operation users and access users against user account theft and roaming or from the attacks from malicious users.

Background Information
The user security mechanism includes:
- PITP: The purpose of the PITP feature is to provide the user physical location information for the upper-layer authentication server. After the BRAS obtains the user physical location information, the BRAS binds the information to the user account for authentication, thus protecting the user account against theft and roaming.
- DHCP option 82: The user physical location information is added to the option 82 field in the DHCP request sent by the user. The information is used by the upper-layer authentication server for authenticating the user, thus protecting the user account against theft and roaming.
- IP address binding: The IP address of the user is bound to the corresponding service port for authenticating the user, thus ensuring the security of the authentication.
- MAC address binding: The MAC address is bound to the service port, thus preventing the access of illegal users.
- Anti-IP spoofing: It is a countermeasure taken by the system to prevent a user from attacking the system with a forged IP address.
- Anti-MAC spoofing: It is a countermeasure taken by the system to prevent a user from attacking the system with a forged MAC address.

Table 2-7 lists the default settings of the user security mechanism.

Table 2-7 Default settings of the user security mechanism
Parameter | Default Setting | Remarks
PITP | Global function: disabled; Port-level function: enabled; VLAN-level function: enabled; Service-port-level function: enabled | The PITP function can be enabled only when the functions at all levels are enabled.

DHCP option 82 | Global function: disabled; Port-level function: enabled; VLAN-level function: enabled; Service-port-level function: enabled | The DHCP option 82 function can be enabled only when the functions at all levels are enabled.
Anti-IP spoofing | Global function: disabled; Service-port-level function: enabled; VLAN-level function: enabled | The anti-IP spoofing function can be enabled only when the functions at all levels are enabled.
Anti-MAC spoofing | Global function: disabled; VLAN-level function: disabled; Service-port-level status: enabled. By default, up to eight MAC addresses can be bound. | The anti-MAC spoofing function can be enabled only when the functions at all levels are enabled.

2.8.1 Configuring Anti-Theft and Roaming of User Account Through PITP
Policy Information Transfer Protocol (PITP) is mainly used for the user PPPoE dialup access. It is a protocol defined for transferring policy information between the access device and the Broadband Remote Access Server (BRAS) through L2 P2P communication. PITP can be used for transferring the user physical port information and protecting the user account against theft and roaming.

Application Context
PITP is used for providing the user port information for the BRAS. After the BRAS obtains the user port information, the BRAS binds the user account to the user port, thus protecting the user account against theft and roaming. PITP has two modes, the PPPoE+ mode (also called the PITP P mode) and the VBAS mode (also called the PITP V mode).

PITP is applicable to the networking of a standalone MA5600T and the networking of subtended MA5600Ts. The principles in the two scenarios are similar.
- In the networking of a standalone MA5600T: Two PCs (PC1 and PC2) are connected to different ports of the MA5600T for the dialup access.
- In the networking of subtended MA5600Ts: Two PCs (PC1 and PC2) are connected to different MA5600Ts (PC1 is connected to the MA5600T, and PC2 is connected to the MA5600T through a subtended device) for the dialup access.

The user dials up from PC1 by using the corresponding user account. The BRAS binds the user account to the user's physical port information reported by the MA5600T. When the user of PC2 dials up by using the user account of PC1, the BRAS discovers that the user account does not match the physical port information and thus rejects the dialup access request of PC2.

Default Configuration
Table 2-8 lists the default settings related to PITP.

Table 2-8 Default settings related to PITP
Parameter | Default Setting
PITP function | Global function: disabled; Port-level function: enabled; VLAN-level function: enabled; Service-port-level function: enabled
PITP sub-option 90 | Disabled
User-side PPPoE packet carrying the vendor tag information | Disabled

Procedure
Step 1 Configure the relay agent information option (RAIO).
Before using the PITP function, you must configure RAIO.
- Run the raio-mode mode pitp-pmode command to configure the RAIO mode in the PITP P mode.
- Run the raio-mode mode pitp-vmode command to configure the RAIO mode in the PITP V mode.
The PITP P mode supports all the RAIO modes; the PITP V mode currently supports only the common, cntel, and userdefine modes.
user-defined: indicates the user-defined mode. In this mode, you need to run the raio-format command to configure the RAIO format. Select a corresponding keyword for configuring the RAIO format according to the PITP mode.
- In the PITP P mode, run the raio-format pitp-pmode command to configure the RAIO format.
- In the PITP V mode, run the raio-format pitp-vmode command to configure the RAIO format.
In the case of the user-defined RAIO format, configure the circuit ID (CID) and the remote ID (RID). The CID format and RID format in the PITP V mode are the same:
- CID: identifies the attribute information about the device.
- RID: identifies the access information about the user.
If the access mode is selected, the configured format applies to only this access mode. If the access mode is not selected, the configured format applies to all access modes.
When the auto-sensing traffic stream is configured, regardless of whether the traffic stream has learned the VPI/VCI or not, fill in 8191.35 as the VPI/VCI of the tag.

Step 2 Configure the PITP function.
The PITP function can be enabled or disabled at four levels. The PITP function is enabled only when it is enabled at all the four levels. The global PITP function has higher priority over the port-level and service-port-level PITP functions.

this function is disabled. If this function is enabled. the tag of the PADI packet contains only the information about the user port of the MxU. e. shelf ID. If this function is disabled. – When this function is enabled. NOTE The Ethernet protocol type of the PITP V mode must be configured when the PITP V mode is disabled. l Run the pitp permit-forwarding service-port command to set whether the service port allows the user-side PPPoE packet carrying the vendor tag information. By default. 157 . 2.3. the port-level PITP function is enabled. Then. the PADI packet (PITP P mode) cannot be transmitted. run the pitp enable vmode command to enable global PITP V mode. Ltd. and port ID to the PPPoE + upstream PADI and PADR packets to generate new packets. Run the quit command to quit the VLAN service profile mode. that is. When the PITP function is enabled only on the MxU. tagged packets are discarded. the user-side PPPoE packet carrying the vendor tag information is not allowed. d. VLAN-level PITP function: 4.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 1. pay attention to the following points: 1. a function (through the pitp permit-forwarding service-port command) is used to choose which tag the PADI packet carries. – When this function is disabled. That is.a. the tag of the PADI packet contains only the information about the PON port of the OLT. a. By default. Run the commit command to make the profile configuration take effect. When the PITP function is applied to the OLT+MxU network. c. The PON board of the OLT can be connected to the terminals such as the ONT and the MxU. When the PITP function is enabled only on the OLT. By default. Certain PON ports Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. Generally. the global PITP function is disabled. If the PITP function is enabled on both the OLT and the MxU. The system adds a tag containing the device name. 
the PITP function of the VLAN is enabled. In the PITP V mode. Run the vlan service-profile command to create a VLAN service profile and enter the VLAN service profile mode. By default. Service-port-level PITP function: Run the pitp service-port command to enable the service-port-level PITP function.. Step 3 Configure the optional attributes of PITP. subscribers connected to the MxU fail to dial the number. Run the pitp enable command to enable the PITP function of the VLAN. 2. run the pitp vmode ether-type command to set the Ethernet protocol type to be the same as that of the BRAS. The configuration of the VLAN service profile takes effect only after this command is executed. 2 Basic Configurations Global PITP function: Run the pitp enable pmode command to enable global PITP P mode. the service-port-level PITP function is enabled. Port-level PITP function: Run the pitp port or pitp board command to configure the portlevel PITP function. 3. the PITP function is enabled on the OLT in the global mode. b. Run the vlan bind service-profile command to bind the VLAN to the VLAN service profile configured in 2. the tag of the PADI packet contains only the information about the PON port of the OLT. slot ID. By default. tagged packets are forwarded. 3.

are connected to ONUs. For example, in the FTTB application, the MDUs are connected to multiple subscribers. For the OLT, however, an MDU is one subscriber, regardless of how many subscribers are connected to the MDU. In this case, to differentiate subscribers connected to the MDU, you need to enable the PITP function on the MDU.
- Run the pitp sub-option90 command to configure PITP sub-option 90. Enable or disable PITP sub-option 90 according to actual requirements. By default, PITP sub-option 90 is disabled. The PPPoE+ mode supports reporting the sub-option 90 line parameters, including the activation bandwidth. The configuration of PITP sub-option 90 takes effect only in the PITP P mode, that is, the PITP V mode does not support reporting the line parameters.

----End

Example
Assume the following configuration:
- RAIO mode: user-defined mode
- CID format for the ATM access mode: shelf ID/slot ID/port ID:VPI.VCI
- CID format for the Ethernet access mode: shelf ID/slot ID/port ID:VLAN ID
- CID format for the xPON access mode: shelf ID/slot ID/port ID:ONT ID.VLAN ID
To enable the PITP P mode of service port 1 under port 0/4/0, do as follows:
huawei(config)#raio-mode user-defined pitp-pmode
huawei(config)#raio-format pitp-pmode cid atm anid atm frame/slot/port:vpi.vci
huawei(config)#raio-format pitp-pmode cid eth anid eth frame/slot/port:vlanid
huawei(config)#raio-format pitp-pmode cid xpon anid xpon frame/slot/port:ontid.vlanid
huawei(config)#raio-format pitp-pmode rid atm plabel
huawei(config)#raio-format pitp-pmode rid eth plabel
huawei(config)#raio-format pitp-pmode rid xpon plabel
huawei(config)#pitp enable pmode
huawei(config)#pitp port 0/4/0 enable
huawei(config)#pitp service-port 1 enable

Assume the following configuration:
- RAIO mode: user-defined mode
- CID/RID format for the ATM access mode: shelf ID/slot ID/port ID:VPI.VCI
- CID/RID format for the Ethernet access mode: shelf ID/slot ID/port ID:VLAN ID
- CID/RID format for the xPON access mode: shelf ID/slot ID/port ID:ONT ID.VLAN ID
To set the Ethernet protocol type of VBRAS packets to be the same as that of the upper-layer BRAS, 0x8500, and enable the PITP V mode of service port 0, do as follows:
huawei(config)#raio-mode user-defined pitp-vmode
huawei(config)#raio-format pitp-vmode atm anid atm frame/slot/port:vpi.vci
huawei(config)#raio-format pitp-vmode eth anid eth frame/slot/port:vlanid
huawei(config)#raio-format pitp-vmode xpon anid xpon frame/slot/port:ontid.vlanid
huawei(config)#pitp vmode ether-type 0x8500
huawei(config)#pitp enable vmode
huawei(config)#pitp port 0/4/0 enable
huawei(config)#pitp service-port 0 enable

2.8.2 Configuring Anti-Theft and Roaming of User Accounts Through DHCP
DHCP improves the user authentication security by adding the user physical location information to the option 82 field of the DHCP request packets initiated by the user, so as to prevent theft and roaming of the user account.

Background Information
The option 82 field contains the circuit ID (CID), remote ID (RID), and sub-option 90 field (optional), which provides the information such as the user shelf ID, slot ID, port ID, VPI, and VCI.
The MA5600T can work in the L2 DHCP forwarding mode or L3 DHCP forwarding mode. In either mode, anti-theft and roaming of user accounts through DHCP option 82 can be configured, and the configurations are the same.
Table 2-9 lists the default settings related to DHCP option 82.

Table 2-9 Default settings related to DHCP option 82
Parameter | Default Setting
Status of the DHCP option 82 function | Global status: disabled; Port-level status: enabled; VLAN-level status: enabled; Service-port-level status: enabled
Status of the DHCP sub-option 7 function | Disabled
Status of the DHCP sub-option 90 function | Disabled

Procedure
Step 1 Configure the RAIO.
The RAIO is the short form for relay agent information option. Before using the DHCP function, you must configure the RAIO.
Run the raio-mode command to set the RAIO mode, and select dhcp-option 82 as the corresponding mode.
In the user-defined mode, you need to run the raio-format command to configure the RAIO format.
- Select dhcp-option 82 as the corresponding mode.
- To configure the user-defined format, mainly configure the RID in the CID.
  - CID identifies the attribute information of the device.
  - RID identifies the access information of the user.
- If the access mode is selected, the configured format is valid to only this access mode. If the access mode is not selected, the configured format is valid to all access modes.
For details about the RAIO format, see the raio-format command.

Enable or disable the sub-option function according to your requirements.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 2 Basic Configurations Step 2 (Optional) Set the service port to allow or prohibit the user-side DHCP packets that carry the option 82 information. The DHCP option 82 function can be enabled or disabled at four levels. By default. By default. is supported. The system adds the device name. Run the dhcp sub-option90 command to enable or disable the sub-option 90 function. slot ID. By default. Service port level: Run the dhcp option82 service-port command to enable the DHCP option 82 function for a service port. In the DHCP mode. b. the DHCP option 82 function is disabled globally. Step 4 (Optional) Enable or disable the sub-option function. 1. the DHCP option 82 function for a board or port is enabled. tagged packets are forwarded. 3. d. Assume that: Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. the DHCP option 82 function is enabled. 2. By default. 160 . Run the dhcp sub-option7 command to enable or disable the sub-option 7 function. tagged packets are dropped. sub-option 81 to sub-option 91 in sub-option 9 need to be filled. Run the vlan service-profile command to create a VLAN service profile and enter the VLAN service profile mode. Ltd. Port level: Run the dhcp option82 board or dhcp option82 port command to enable the DHCP option 82 function for a board or port. By default. Run the dhcp option82 command to enable the DHCP option 82 function. ----End Example To enable the DHCP option 82 function. By default. a. including reporting the activation bandwidth. In the DHCP option 82 mode. VLAN level: 4. e. Run the commit command to make the profile configuration take effect. If the service port is set to allow the packets carrying the option 82 information.a to the VLAN. and port ID to the option 82 field of DHCP packets to generate new packets. 
the DHCP option 82 function is disabled globally. Run the quit command to quit the VLAN service profile mode. 1. the sub-option 90 function is disabled. By default. shelf ID. c. The DHCP option 82 function takes effect only when it is enabled at all four levels.. Run the vlan bind service-profile command to bind the VLAN service profile created in 3. reporting the sub-option 90 line parameters. The configuration of the VLAN service profile takes effect only after you run this command. Run the dhcp option82 command to enable the DHCP option 82 function on the port. Step 3 Enable or disable the DHCP option 82 function. l Run the dhcp-option82 permit-forwarding service-port command to set the service port to allow or prohibit the DHCP packets that carry the option 82 information. the DHCP option 82 function for a service port is enabled. System level: Run the dhcp option82 command to enable the DHCP option 82 function globally. If the service port is set to prohibit the packets carrying the option 82 information. 2.3. the sub-option 7 function is disabled.

- RAIO mode: user-defined mode
- CID format for the ETH access mode: shelf ID/slot ID/sub slot ID/port ID: vlanid
- CID format for the xPON access mode: shelf ID/slot ID/sub slot ID/port ID: ontid.vlanid
- RID format for all access modes: label of the service port
do as follows:
huawei(config)#raio-mode user-defined dhcp-option 82
huawei(config)#raio-format dhcp-option 82 cid eth anid eth frame/slot/subslot/port:vlanid
huawei(config)#raio-format dhcp-option 82 cid xpon anid xpon frame/slot/subslot/port:ontid.vlanid
huawei(config)#raio-format dhcp-option 82 rid eth splabel
huawei(config)#raio-format dhcp-option 82 rid xpon splabel
huawei(config)#dhcp option 82 enable

2.8.3 Configuring Anti-IP Spoofing
This topic describes how to configure IP address binding and anti-IP spoofing to prevent malicious users from attacking the device or authorized users by forging the IP addresses of authorized users.

Background Information
IP address binding refers to binding an IP address to a service port. After the binding, the service port permits only the packet whose source IP address is the bound address to go upstream, and discards the packets that carry other source IP addresses.
Anti-IP spoofing is to dynamically trigger the IP address binding, thus preventing illegal users from stealing the IP address of legal users. When anti-IP spoofing is enabled, a user port is bound to an IP address after the user goes online. Then, the user cannot go online through this port by using other IP addresses, and any user cannot go online through other ports by using this IP address.

Procedure
- Configure the IP address binding.
  To permit only the users of certain IP addresses to access the system so that illegal users cannot access the system by using the IP addresses of legal users, configure the IP address binding.
  Run the bind ip command to bind an IP address to a service port.
- Configure anti-IP spoofing.
  The anti-IP spoofing function can be enabled or disabled at three levels. The anti-IP spoofing function is enabled only when it is enabled at all the three levels.
  - Global function: Run the security anti-ipspoofing command to configure the global function. By default, the global function is disabled.
  - VLAN-level function:
    1. Run the vlan service-profile command to create a VLAN service profile and enter the VLAN service profile mode.
    2. Run the security anti-ipspoofing command to configure the VLAN-level function. By default, the VLAN-level function is enabled.

    3. Run the commit command to make the profile configuration take effect. The configuration of the VLAN service profile takes effect only after this command is executed.
    4. Run the quit command to quit the VLAN service profile mode.
    5. Run the vlan bind service-profile command to bind the VLAN to the VLAN service profile configured in 1.
  - Service-port-level function: Run the security anti-ipspoofing service-port command to configure the service-port-level function. By default, the service-port-level function is enabled.
  NOTE
  When anti-IP spoofing is enabled after a user is already online, the IP address of this user is not bound by the system. As a result, the service of this user is interrupted, that is, this user goes offline, and the user needs to go online again. Only the user who goes online after anti-IP spoofing is enabled can have the IP address bound.

----End

Example
To bind IP address 10.1.1.245 to service port 2, that is, service port 2 permits only the packet whose source IP address is 10.1.1.245, do as follows:
huawei(config)#bind ip service-port 2 10.1.1.245

To enable anti-IP spoofing for service port 1 in service VLAN 10, do as follows:
huawei(config)#security anti-ipspoofing enable
huawei(config)#vlan service-profile profile-id 2
huawei(config-vlan-srvprof-2)#security anti-ipspoofing enable
Info: Please use the commit command to make modifications take effect
huawei(config-vlan-srvprof-2)#commit
huawei(config-vlan-srvprof-2)#quit
huawei(config)#vlan bind service-profile 10 profile-id 2
huawei(config)#security anti-ipspoofing service-port 1 enable

2.8.4 Configuring Anti-MAC Spoofing
This topic describes how to configure MAC address binding, anti-MAC spoofing, anti-MAC duplicate, and virtual MAC (VMAC) address to prevent malicious users from attacking the device or authorized users by forging the MAC addresses of authorized users.

Background Information
MAC address binding refers to binding a MAC address to a service port. After the binding, only the user whose MAC address is the bound MAC address can access the network through the service port. The MA5600T does not support the direct binding of a MAC address. Instead, the binding between a service port and a MAC address is implemented through setting a static MAC address entry of a port and setting the maximum number of learnable MAC addresses to 0.
Anti-MAC spoofing is mainly applied to PPPoE and DHCP access users. The major function of anti-MAC spoofing is to prevent illegal users from forging the MAC address of legal users. The purpose is to ensure that the service of legal users is not affected.
VMAC adopts the trusty virtual MAC address allocated by the MA5600T to replace the source MAC addresses of terminal users and prevents untrusty MAC addresses from entering the network, thus preventing MAC address conflict and MAC address spoofing from malicious users.

The anti-MAC-duplicate function does not allow dynamic MAC addresses to be duplicated before they are aged. In this way, when MAC address conflicts occur between different users, the user that goes online first will not be affected.

Procedure
- Configure the MAC address binding.
  1. Run the mac-address static command to add a static MAC address.
  2. Run the mac-address max-mac-count command to set the maximum number of learnable MAC addresses to 0.
- Configure anti-MAC spoofing.
  CAUTION
  To ensure device security, it is recommended that you enable this function.
  The anti-MAC spoofing function can be enabled or disabled at three levels. The anti-MAC spoofing function is enabled only when it is enabled at all the three levels.
  - Global function: Run the security anti-macspoofing command to configure the global function. By default, the global function is disabled.
  - You can configure the VLAN-level function in either of the following two modes:
    - In the global config mode: Run the security anti-macspoofing vlan command to configure the VLAN-level function. By default, the VLAN-level function is disabled.
    - In the VLAN service profile:
      1. Run the vlan service-profile command to create a VLAN service profile and enter the VLAN service profile mode.
      2. Run the security anti-macspoofing command to configure the VLAN-level function. By default, the VLAN-level function is disabled.
      3. Run the commit command to make the profile configuration take effect. The configuration of the VLAN service profile takes effect only after this command is executed.
      4. Run the quit command to quit the VLAN service profile mode.
      5. Run the vlan bind service-profile command to bind the VLAN to the VLAN service profile configured in 1.
  - Service-port-level function: Run the security anti-macspoofing max-mac-count command to configure the maximum number of MAC addresses that can be bound to the service port. This parameter is to limit the maximum number of the MAC addresses that can be learned through one account, that is, to limit the maximum number of the PCs that can access the Internet through one account. By default, up to eight MAC addresses can be bound.
  NOTE
  When anti-MAC spoofing is enabled after a user is already online, the MAC address of this user is not bound by the system. As a result, the service of this user is interrupted, that is, this user goes offline, and the user needs to go online again. Only the user who goes online after anti-MAC spoofing is enabled can have the MAC address bound.

• Configure 1:1 VMAC or N:1 VMAC.
  1. Configure VMAC-related attributes.
     a. Run the vmac dslam-id command to configure the DSLAM ID.
        The DSLAM ID is bits 21-39 of the VMAC address, 19 bits in total. VMAC can be enabled only when dslam-id is in the range of 0x0000-0x7FFFF. Otherwise, VMAC fails to be enabled.
        NOTE
        The uniqueness of the DSLAM ID must be ensured by the configuration engineer to prevent allocating the same VMAC address to two DSLAMs.
     b. (Optional) Run the vmac port-vmac-count command to configure the number of VMAC addresses on each port.
        To limit the number of VMAC addresses on each port, run this command. By default, the number of VMAC addresses on each port is 32.
     c. (Optional) Run the vmac reserved-bits command to configure the reserved bits of the VMAC address.
        This command is used to set the value of the reserved bits (bits 47-42) in the VMAC address generating format. The VMAC value is made up of the value of reserved bits and other bits. To enable VMAC, the value of the reserved bits must be in the range of [0x0, 0x3F]. By default, the value is 0x0.
  2. (Optional) Configure the mode for allocating MAC addresses to xPoE/xPoA users.
     The xPoE/xPoA MAC address can be allocated in two modes: single-MAC or multi-MAC (default). The MAC address allocation mode has two levels: global level and VLAN service profile level.
     When VMAC is enabled:
     – Single-MAC: Also called N:1 VMAC. The device uses a unique VMAC address to replace the MAC addresses of a group of users. The relationship between user MAC address and device VMAC address is N:1.
     – Multi-MAC: Also called 1:1 VMAC. The device uses a unique VMAC address to replace the MAC address of a single user. The relationship between user MAC address and device VMAC address is 1:1.
     NOTE
     • If VMAC is disabled, the PPPoA and IPoA MAC addresses are obtained from the configured MAC address pool (by running the mac-pool command).
     • When VMAC is enabled, the xPoA/xPoE MAC allocation mode can be set to multi-MAC only.
     • IPoA does not support obtaining the MAC address through VMAC and supports obtaining the MAC address from the MAC address pool only.
     a. Configure the global MAC address allocation mode.
        – Run the pppoe mac-mode command to configure the MAC address allocation mode for PPPoE users.
        – Run the pppoa mac-mode command to configure the MAC address allocation mode for PPPoA users.
     b. Configure the MAC address allocation mode at the VLAN service profile level.
        a. In the global config mode, run the vlan service-profile command to enter the VLAN service profile mode.

        b. Run the pppoe mac-mode command to configure the MAC address allocation mode for PPPoE users.
        c. Run the commit command to commit the configuration.
  3. Enable VMAC.
     Run the vmac enable command to enable VMAC. VMAC can be enabled globally or at the VLAN service profile level. After VMAC is enabled, the VMAC address is generated according to the DSLAM ID, slot ID, and port ID.
     • In the global config mode, run the vmac enable command to enable VMAC.
     • Run the vlan service-profile command to enter the VLAN service profile mode. Run the vmac enable command to enable VMAC at the VLAN service profile level.
• Configure the anti-MAC-duplicate function.
  After the anti-MAC-duplicate function is enabled and before the dynamic MAC address learned by the system is aged, the packets transmitted from other ports will be discarded if the packets carry the same MAC address.
  NOTE
  • Only the SCUN board supports the anti-MAC-duplicate function.
  • When anti-MAC duplicate and anti-MAC spoofing are enabled, anti-MAC spoofing is preferred and anti-MAC duplicate does not take effect.
  • By default, the anti-MAC-duplicate function is disabled.
  1. Run the security anti-macduplicate command to enable anti-MAC duplicate.
  2. Run the display security config command to query the configuration.
----End

Example
To bind static MAC address 1010-1010-1010 to service port 1, and set the maximum number of learnable MAC addresses to 0, that is, service port 1 permits only the packet whose source MAC address is 1010-1010-1010, do as follows:
huawei(config)#mac-address static service-port 1 1010-1010-1010
huawei(config)#mac-address max-mac-count service-port 1 0

To enable anti-MAC spoofing for VLAN 10, and set the maximum number of MAC addresses bound to service port 2 (related to VLAN 10) to 7, do as follows:
huawei(config)#security anti-macspoofing enable
huawei(config)#security anti-macspoofing vlan 10 enable
huawei(config)#security anti-macspoofing max-mac-count service-port 2 7

To enable global VMAC, enable VMAC for VLAN service profile 2 to which VLAN 10 is bound, and configure 1:1 VMAC for PPPoE users in VLAN 10, do as follows:
huawei(config)#vlan service-profile profile-id 2
huawei(config-vlan-srvprof-2)#pppoe mac-mode multi-mac
huawei(config-vlan-srvprof-2)#vmac enable
huawei(config-vlan-srvprof-2)#commit
huawei(config-vlan-srvprof-2)#quit
huawei(config)#vlan bind service-profile 10 profile-id 2

To enable anti-MAC duplicate so that the user that goes online first will not be affected when MAC address conflicts occur between different users, do as follows:

huawei(config)#security anti-macduplicate enable
huawei(config)#display security config
  Anti-ipspoofing function       : disable
  Anti-dos function              : disable
  Anti-macspoofing function      : disable
  Anti-ipattack function         : disable
  Anti-icmpattack function       : disable
  Source-route filter function   : disable
  Anti-macduplicate function     : enable
  PPPoE Overall Aging Time(sec)  : 360
  PPPoE Aging Period (sec)       : 90
  ARP detect mode                : dummy
  Anti-dos control-packet policy: deny

2.9 Configuring System Security
This topic describes how to configure the network security and protection measures of the system to protect the system from malicious attacks.

Background Information
With the system security feature, the MA5600T can be protected against the attacks from the network side or user side, and thus the MA5600T can run stably in the network. System security includes the following items:
• ACL/Packet filtering firewall
• Blacklist
• Anti-DoS attack
• Anti-ICMP/IP attack
• Source route filtering
• Source MAC address filtering
• User-side ring network detection
• Allowed/Denied address segment

The following common inappropriate configurations affect the system security:
• The ring network detection and anti-address spoofing functions are not enabled. If the anti-address spoofing function is not enabled, an unauthorized user may forge the MAC address of an authorized user to send PPPoE or DHCP control packets, thus threatening the system security.
  Preventive methods or measures:
  – Run the ring check command to enable the function of checking user-side ring networks.
  – Run the security anti-macspoofing enable command to enable the anti-MAC spoofing.
• Use a public network address to manage the device. The access rights are not strictly limited when the ACL is configured. Thus, the network may be attacked.
  Preventive methods or measures:
  – Use a private network address to manage the device.
  – When configuring the ACL, apply the minimum authorization principle.

  – Configure the permitted IP address segment, and add only the necessary management IP address segment. IP addresses other than those that have been specified are not permitted to access the device through the management port.
• Packets accessing the management interface of the device are not controlled. When a device is attacked by packets, the system is busy and the services cannot be provided in the normal state.
  Preventive methods or measures: Run the firewall packet-filter command to apply the firewall packet filtering rule on the interface to filter packets received on the interface and prevent packet attacks.

Table 2-10 lists the default settings of system security.

Table 2-10 Default settings of system security
Parameter                          Default Setting
Firewall blacklist                 Disabled
Anti-DoS attack                    Disabled
Anti-ICMP attack                   Disabled
Anti-IP attack                     Disabled
Source route filtering             Disabled
User-side ring network detection   Disabled

2.9.1 Configuring Firewall
Configuring system firewall can control the packets that go through the management port of the device so that unauthorized operators cannot access the system through the inband or outband channel.

Background Information
Firewall includes the following items:
• Blacklist: The blacklist function can be used to screen the packets sent from a specific IP address. A major feature of the blacklist function is that entries can be dynamically added or deleted. When firewall detects the attack attempt of a specific IP address according to the characteristics of packets, firewall actively adds an entry to the blacklist and then filters the packets from this IP address.
• ACL/Packet filtering firewall: Configure an ACL to filter data packets. To set a port to allow only one type of packets to go through, use the ACL to implement the packet filtering function.
  For example, to allow only the packets from source IP address 1.1.1.1 to go through a port in the inbound direction, do as follows:
  1. Configure an ACL rule1, which allows the packets with source IP address 1.1.1.1 to pass.
  2. Configure an ACL rule2, which denies all packets.

  3. Run the firewall packet-filter command, and bind rule2 first and then rule1 to the inbound direction.
  NOTE
  On the MA5600T, an ACL can be activated in two modes. In two modes, the execution priorities on the sub-rules in one ACL are different.
  • Run the firewall packet-filter command to activate an ACL. This mode is mainly applied to the NMS. For the sub-rules in one ACL, the execution priority is implemented by software. The earlier the execution priority of the sub-rules in one ACL is configured, the higher the priority.
  • Run the packet-filter command to activate an ACL. For the sub-rules in one ACL, the execution priority is implemented by hardware. The later the execution priority of the sub-rules in one ACL is configured, the higher the priority.

CAUTION
To ensure device security, firewall must be configured. This is to control the packets that go through the management port of the device.

Procedure
• Configure firewall blacklist.
  Two modes are supported: configuring firewall blacklist by using ACLs or by adding the source IP addresses of untrusted packets. Choose either mode, or both. When two modes are configured, the priority of the firewall blacklist function is higher than the priority of ACLs. That is, the system checks the firewall blacklist first, and then matches ACLs.
  NOTE
  The firewall blacklist function only takes effect to the service packets that are sent from the user side.
  – Configure the firewall blacklist function by using advanced ACLs.
    1. Run the acl command to create an ACL. Only advanced ACLs can be used when the black list function is enabled. Therefore, the range of the ACL ID is 3000-3999.
    2. Run the rule(adv acl) command to create an advanced ACL.
    3. Run the quit command to return to the global config mode.
    4. Run the firewall blacklist enable acl-number acl-number command to enable the firewall blacklist function.
  – Configure the firewall blacklist function by adding the source IP addresses of untrusted packets.
    1. Run the firewall blacklist item command to add the source IP addresses of untrusted packets to the blacklist.
    2. Run the firewall blacklist enable command to enable the firewall blacklist function.
• Configure the firewall (filtering packets based on the ACL).

  1. Run the acl command to create an ACL. Only basic ACLs and advanced ACLs can be used when packet filtering by firewall is configured. Therefore, the range of the ACL ID is 2000-3999.
  2. Run different commands to create different types of ACLs.
     – Basic ACL: Run the rule(basic acl) command.
     – Advanced ACL: Run the rule(adv acl) command.
  3. Run the quit command to return to the global config mode.
  4. Run the firewall enable command to enable the firewall blacklist function. By default, the firewall blacklist function is disabled. To filter the packets of a port based on the basic ACL, enable the firewall blacklist function.
  5. Run the interface meth command to enter the METH mode to configure the firewall packet filtering rules for an METH interface; run the interface vlanif command to enter the VLANIF mode to configure the firewall packet filtering rules for a VLAN interface.
  6. Run the firewall packet-filter command to apply firewall packet filtering rules to an interface.
----End

Example
To add IP address 192.168.10.18 to the firewall blacklist with the aging time of 100 min, do as follows:
huawei(config)#firewall blacklist item 192.168.10.18 timeout 100
huawei(config)#firewall blacklist enable

To add the IP addresses in network segment 10.10.10.0 to the firewall blacklist and bind ACL 3000 to these IP addresses, do as follows:
huawei(config)#acl 3000
huawei(config-acl-adv-3000)#rule deny ip source 10.10.10.0 0.0.0.255 destination 10.10.10.20 0
huawei(config-acl-adv-3000)#quit
huawei(config)#firewall blacklist enable acl-number 3000

To deny the users in network segment 172.16.25.0 to access the maintenance Ethernet port with IP address 172.16.25.28 on the device, do as follows:
huawei(config)#acl 3001
huawei(config-acl-adv-3001)#rule 5 deny icmp source 172.16.25.0 0.0.0.255 destination 172.16.25.28 0
huawei(config-acl-adv-3001)#quit
huawei(config)#firewall enable
huawei(config)#interface meth 0
huawei(config-if-meth0)#firewall packet-filter 3001 inbound
  ACL applied successfully

2.9.2 Configuring Anti-Attack
Enabling anti-DoS attack and anti-ICMP/IP attack, and configuring the source route filtering and source MAC address filtering functions can prevent malicious users' attack on the system, so as to improve system security.
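The anti-attack switches this section configures are all reported by display security config, so a saved copy of that output can be audited offline. The script below is an added example, not part of the Huawei guide: the baseline of protections expected to be enabled, the function names, and the treatment of any control-packet policy other than deny as "packets allowed to the CPU" are assumptions.

```python
import re

# Sample laid out like the "display security config" output shown in this guide
# (constructed for the example; spacing on a real device may differ).
SAMPLE_OUTPUT = """\
huawei(config)#display security config
  Anti-ipspoofing function       : disable
  Anti-dos function              : disable
  Anti-macspoofing function      : disable
  Anti-ipattack function         : disable
  Anti-icmpattack function       : disable
  Source-route filter function   : disable
  Anti-macduplicate function     : enable
  PPPoE Overall Aging Time(sec)  : 360
  PPPoE Aging Period (sec)       : 90
  ARP detect mode                : dummy
  Anti-dos control-packet policy: deny
"""

# Assumed audit baseline: protections expected to be on, mapped to the command
# that enables them. Adjust the set to the site's own policy.
BASELINE = {
    "Anti-ipspoofing function": "security anti-ipspoofing enable",
    "Anti-dos function": "security anti-dos enable",
    "Anti-macspoofing function": "security anti-macspoofing enable",
    "Anti-ipattack function": "security anti-ipattack enable",
    "Anti-icmpattack function": "security anti-icmpattack enable",
    "Source-route filter function": "security source-route enable",
}

# "label : value" lines; the prompt line contains '#' and no ':' so it is skipped.
_LINE = re.compile(r"^\s*([^:#]+?)\s*:\s*(\S+)\s*$")


def parse_security_config(text):
    """Return {label: value} for every 'label : value' line of the output."""
    config = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if match:
            label = " ".join(match.group(1).split())  # collapse column padding
            config[label] = match.group(2).lower()
    return config


def audit(config, baseline=BASELINE):
    """Return a list of (kind, label, message) findings for a parsed config."""
    findings = []
    for label, command in baseline.items():
        state = config.get(label)
        if state is None:
            findings.append(("unknown", label, "not present in the output"))
        elif state != "enable":
            findings.append(("disabled", label, "enable with: " + command))

    # The guide notes that anti-MAC duplicate does not take effect while
    # anti-MAC spoofing is enabled, so seeing both "enable" deserves a note.
    if (config.get("Anti-macspoofing function") == "enable"
            and config.get("Anti-macduplicate function") == "enable"):
        findings.append(("info", "Anti-macduplicate function",
                         "does not take effect while anti-MAC spoofing is enabled"))

    # The policy command does not check whether anti-DoS is enabled; the guide
    # says to enable anti-DoS before allowing protocol packets to the CPU.
    policy = config.get("Anti-dos control-packet policy")
    if policy is not None and policy != "deny" \
            and config.get("Anti-dos function") != "enable":
        findings.append(("risk", "Anti-dos control-packet policy",
                         "packets allowed to the CPU while anti-DoS is disabled"))
    return findings


if __name__ == "__main__":
    for kind, label, message in audit(parse_security_config(SAMPLE_OUTPUT)):
        print(f"[{kind}] {label}: {message}")
```
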

Background Information
The MA5600T supports the following measures to prevent malicious users' attack on the system. Choose measures according to actual requirements.
• Anti-DoS attack: indicates the defensive measures taken by the system to receive only a certain number of control packets sent from a user.
• Anti-ICMP attack: indicates the defensive measures taken by the system to drop the ICMP packets sent from the user-side device to the MA5600T. This is to prevent the user-side device from pinging the VLAN interface of the MA5600T.
• Anti-IP attack: indicates the defensive measures taken by the system to drop the IP packets sent from the user-side device to the MA5600T.
• Source route filtering: indicates the defensive measures taken by the system to filter the IP packets that are sent by the user and carry the routing option field.
• Source MAC address filtering: indicates the defensive measures taken by the system to filter the packets that are sent by the user and carry certain source MAC addresses.
• User-side ring network check: indicates the defensive measures taken by the system to check user-side ring networks. In this way, the system can process ring networks to prevent ring networks from affecting services.

Procedure
• Configure anti-DoS attack.
  – Run the security anti-dos enable command to enable global anti-DoS attack.
    With global anti-DoS attack enabled, when the system receives attack packets from a user port, the system adds the user port to the blacklist. When global anti-DoS attack is disabled, the system deletes the blacklist.
  – Run the security anti-dos control-packet policy command to configure the protocol packet processing policy in the case of a DoS attack.
    Configure whether to allow protocol packets to be sent to the CPU in the case of a DoS attack. By default, protocol packets are directly discarded in the case of a DoS attack.
    CAUTION
    When you run this command, the system does not check whether the anti-DoS function is enabled. If the anti-DoS function is disabled, the system does not perform the anti-DoS check. If sending protocol packets to the CPU is allowed, the protocol packets are always sent to the CPU. Therefore, before allowing protocol packets to be sent to the CPU, run the security anti-dos enable command to enable the global anti-DoS function.
  – Run the security anti-dos control-packet rate command to configure the rate threshold for sending protocol packets to the CPU.
    By default, the rate threshold for sending protocol packets to the CPU is 63 pps. When the anti-DoS function is enabled, the system generates an anti-DoS attack alarm if the rate exceeds the preset value. If sending protocol packets to the CPU is allowed, the packet rate cannot exceed the preset value, and the exceeded packets are discarded.
  Application scenario: Two PCs (PC1 and PC2) are connected to the network through the MA5600T. If a malicious user (PC1) sends a large number of protocol control packets to

  attack the CPU of the MA5600T, the CPU usage of the MA5600T will be over high, and then the MA5600T is unable to process the services of another user (PC2). To implement anti-DoS attack, shield the attack port or suppress the protocol packet sending to protect the MA5600T from being attacked.
• Configure anti-ICMP attack.
  Run the security anti-icmpattack enable command to enable anti-ICMP attack.
  Application scenario: Two PCs (PC1 and PC2) are connected to the network through the MA5600T. When PC2 sends a large number of ICMP packets to the VLAN interface, the services of the user (PC1) that obtains the upper-layer DHCP information through the same VLAN interface will be abnormal. Anti-ICMP attack is mainly used to prevent the user-side device from pinging the VLAN interface of the MA5600T. To implement anti-ICMP attack, directly drop the user-side ICMP packets if the IP address of the VLAN interface on the MA5600T is its destination IP address.
• Enable anti-IP attack.
  Run the security anti-ipattack enable command to enable anti-IP attack.
  Application scenario: When a PC sends the packets with the address of VLAN x as the destination IP address to VLANIF x, it may send a large number of packets to attack the device, causing the device to fail to process normal services. When a user knows the address of VLAN x, or the user name and password for logging in to the device, the user may log in to the device through telnet to randomly change the configurations of the device. To prevent the two preceding cases, the device needs to implement anti-IP attack. With this feature, the device drops the packets with the address of the device interface as the destination IP address to prevent the user from attacking the device. The anti-IP attack is used to prevent user-side IP packets from attacking the L3 interface of the device or to prevent illegal users from logging in to the device through telnet.
• Enable the source route filtering function.
  Run the security source-route enable command to enable the source route filtering function.
  Application scenario: In general, routes are dynamic and application does not control route selection. The sender can add the routing information to IP packets through the source route to perform route selection. In this case, packets go along a specific route in the network according to the intention of the sender. To prevent the preceding cases, enable the source route filtering function. Then the MA5600T performs validity check on IP packets and drops the packets that match the source route options. This function is mainly used to filter the packets that carry the routing information and are reported to the L3 switch.
• Configure the MAC address filtering function.
  Run the security mac-filter command to enable the MAC address filtering function.
  Application scenario: To prevent users from forging the MAC address of the network-side device, or forging certain renowned MAC addresses, set the MAC address of the network-side as the MAC address to be filtered.
  The MAC addresses that are dynamically learned by the host and the source MAC addresses that are statically configured by running the security mac-filter source command share the four entries for source MAC addresses on the board. The entries for the statically configured MAC addresses are of a higher priority than that of the dynamically learned MAC addresses.

• Configure the function of checking user-side ring networks.
  Run the ring check enable command to enable the function of checking user-side ring networks. By default, the function of checking user-side ring networks is disabled.
  CAUTION
  To ensure device security, it is recommended that you enable this function.
----End

Example
To enable the global anti-DoS attack function, discard protocol packets in the case of a DoS attack, enable anti-IP attack function, and the function of checking user-side ring networks, do as follows:
huawei(config)#security anti-dos enable
huawei(config)#security anti-dos control-packet policy deny
huawei(config)#security anti-ipattack enable
huawei(config)#ring check enable

2.9.3 Preventing the Access of Illegal Users
Only the users of the permitted IP address segment can access the device, and the users of the denied IP address segment cannot access the device. This prevents the users of illegal IP address segments from logging in to the system, thus safeguarding the system.

Background Information
• Each firewall can be configured with up to 10 address segments.
• When adding an address segment, ensure that the start address does not repeat an existing start address.
• To delete an address segment, you only need to enter the start address of the address segment.

CAUTION
• To ensure the device security, apply the minimum authorization principles, configure the permitted IP address segment, and add only the necessary management IP address segment. That is, IP addresses other than those that have been specified are not permitted to access the device through the management port.
• It is recommended that the permitted IP address segment and the denied IP address segment should not overlap, and only the user whose IP address is in the permitted address segment and is not in the denied address segment can access the device.

Procedure
• Configure the permitted/denied IP address segment for the access through Telnet.

  1. Run the sysman ip-access telnet command to configure the IP address segment that is permitted to access the device through Telnet.
  2. Run the sysman ip-refuse telnet command to configure the IP address segment that is forbidden to access the device through Telnet.
  3. Run the sysman firewall telnet enable command to enable the firewall function for the access through Telnet. By default, the firewall function of the system is disabled.
• Configure the permitted/denied IP address segment for the access through SSH.
  1. Run the sysman ip-access ssh command to configure the IP address segment that is permitted to access the device through SSH.
  2. Run the sysman ip-refuse ssh command to configure the IP address segment that is forbidden to access the device through SSH.
  3. Run the sysman firewall ssh enable command to enable the firewall function for the access through SSH. By default, the firewall function of the system is disabled.
• Configure the permitted/denied IP address segment for the access through SNMP (NMS).
  1. Run the sysman ip-access snmp command to configure the IP address segment that is permitted to access the device through SNMP.
  2. Run the sysman ip-refuse snmp command to configure the IP address segment that is forbidden to access the device through SNMP.
  3. Run the sysman firewall snmp enable command to enable the firewall function for the access through SNMP. By default, the firewall function of the system is disabled.
----End

Example
To enable the firewall function for the access through Telnet, and permit only the users of the IP address segment 10.10.5.1-10.10.5.254 to log in to the device through Telnet, do as follows:
huawei(config)#sysman ip-access telnet 10.10.5.1 10.10.5.254
huawei(config)#sysman firewall telnet enable

To enable the firewall function for the access through SSH, and permit only the users of the IP address segment 10.10.20.1-10.10.20.254 to log in to the device through SSH, do as follows:
huawei(config)#sysman ip-access ssh 10.10.20.1 10.10.20.254
huawei(config)#sysman firewall ssh enable

To enable the firewall function for the access through SNMP, and permit only the users of the IP address segment 10.10.20.1-10.10.20.254 to log in to the device through SNMP, do as follows:
huawei(config)#sysman ip-access snmp 10.10.20.1 10.10.20.254
huawei(config)#sysman firewall snmp enable

2.10 Configuring the ACL
This topic describes the type, rule, and configuration of the ACL on the MA5600T.

Background Information
An access control list (ACL) is used to filter certain packets by a series of preset rules. In this manner, the objects that need to be filtered can be identified. After the specific objects are identified, the corresponding data packets are permitted to pass or prohibited from passing

according to the preset policy, and the data is processed accordingly. The ACL-based traffic filtering process is a prerequisite for configuring the QoS or user security.
Table 2-11 lists the ACL types.

Table 2-11 ACL types
Type               Value Range   Feature
Basic ACL          2000-2999     The rules of a standard ACL are only defined according to the L3 source IP address for analyzing and processing data packets.
Advanced ACL       3000-3999     The rules of an advanced ACL are defined according to the source IP address, destination IP address, type of the protocol over IP, and features of the protocol (including TCP source port, TCP destination port, and ICMP message type). Compared with the basic ACL, the advanced ACL contains more accurate, abundant, and flexible rules.
Link layer ACL     4000-4999     A link-layer ACL allows definition of rules according to the link-layer information such as the source MAC address, VLAN ID, link-layer protocol type, and destination MAC address.
User-defined ACL   5000-5999     The rules of a user-defined ACL are defined according to any 32 bytes of the first 80 bytes in the L2 data frame for analyzing and processing data packets.

• When an arrival traffic stream matches two or more ACL rules, the matching sequence is as follows:
  – The priority of a user-defined rule is higher than the priority of all non-user-defined rules.
  – If the rules are all user-defined rules or non-user-defined rules, and are issued to the physical port:
    – If the rules of an ACL are activated at the same time, the rule with larger rule ID has a higher priority.
    – If the rules of an ACL are activated one by one, the rule activated later has higher priority over the one activated earlier.
    – If the rules are issued to the port from different ACLs, the rule activated later has higher priority over the one activated earlier.
  – If the rules are all user-defined rules or non-user-defined rules, and are issued to the routing interface or firewall, the rule with smaller rule ID has a higher priority. It is independent of the activation sequence. The rules are used to match the packets based on rule ID in an ascending order. Once the rule with a smaller rule ID matches the packets, its subsequent rules are not used. That is, the rules with a larger rule ID are invalid.
  – An ACL rule is valid only when it is within the period of time range.
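The two matching orders described above give opposite results for the same pair of rules, which is easy to get wrong when an ACL written for the firewall is reused on a port. The model below is an added example, not Huawei code: it covers only rules of one kind (all non-user-defined) matched on source address, ignores time ranges, and the rule IDs, the class and function names, and the default verdict when nothing matches are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str   # "permit" or "deny"
    source: str   # CIDR; "0.0.0.0/0" matches any source

    def matches(self, src):
        return ip_address(src) in ip_network(self.source)


def firewall_verdict(rules, src, default="permit"):
    """Rules issued to the routing interface or firewall.

    Matched in ascending rule ID order; the first match decides and the
    activation sequence is irrelevant. 'default' is an assumption used only
    when no rule matches.
    """
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(src):
            return rule.action, rule.rule_id
    return default, None


def port_verdict(activations, src, default="permit"):
    """Rules issued to a physical port.

    'activations' is a list of batches in activation order; each batch holds
    the rules activated at the same time. A later batch has priority over an
    earlier one, and inside one batch the larger rule ID has priority.
    """
    for batch in reversed(activations):
        for rule in sorted(batch, key=lambda r: r.rule_id, reverse=True):
            if rule.matches(src):
                return rule.action, rule.rule_id
    return default, None


# The guide's scenario: only source 1.1.1.1 may pass, everything else is denied.
# Rule IDs 5 and 10 are constructed for the example.
PERMIT_MGMT = Rule(5, "permit", "1.1.1.1/32")
DENY_ALL = Rule(10, "deny", "0.0.0.0/0")


def compare(src):
    """Verdict for one source address under each way of applying the two rules."""
    return {
        "firewall": firewall_verdict([DENY_ALL, PERMIT_MGMT], src),
        "port, activated together": port_verdict([[PERMIT_MGMT, DENY_ALL]], src),
        "port, deny first then permit": port_verdict([[DENY_ALL], [PERMIT_MGMT]], src),
    }


if __name__ == "__main__":
    for address in ("1.1.1.1", "2.2.2.2"):
        for mode, verdict in compare(address).items():
            print(address, mode, verdict)
```

On a port, activating both rules together lets the deny-all rule (larger ID) win and locks out 1.1.1.1; activating the deny rule first and the permit rule afterwards gives the intended result.
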

Precautions
Because the ACL is flexible in use, Huawei provides the following suggestions on its configuration:
• It is recommended that you define a general rule, such as permit any or deny any, in each ACL, so that each packet has a matching traffic rule that determines to forward or filter the unspecified packet.
• The activated ACL rules share the hardware resources with the protocol modules (such as DHCP module and IPoA module). In this case, the hardware resources are limited and may be insufficient. To prevent the failure of enabling other service functions due to insufficient hardware resources, it is recommended you enable the protocol module first and then activate ACL rules in the data configuration. If you fail to enable a protocol module, perform the following steps:
  1. Check whether ACL rules occupy too many resources.
  2. If ACL rules occupy too many resources, deactivate or delete the unimportant or temporarily unused ACL configurations, and then configure and enable the protocol module.

2.10.1 Filtering Packets by a Basic ACL
This topic is applicable to the scenario where the device needs to classify traffic for packets according to the source IP address.

Context
• The number of a basic ACL is in the range of 2000-2999.
• A basic ACL is only defined according to the L3 source IP address for analyzing and processing data packets.

Procedure
Step 1 (Optional) Set a time range.
  Run the time-range command to create a time range, which can be used when an ACL rule is created.
Step 2 Create a basic ACL.
  Run the acl command to create a basic ACL, and then enter the ACL mode. The number of a basic ACL can only be in the range of 2000-2999.
Step 3 Configure a basic ACL rule.
  In the acl-basic mode, run the rule command to create a basic ACL rule. The parameters are as follows:
  • rule-id: Indicates the ACL rule ID. To create an ACL rule with a specified ID, use this parameter.
  • permit: Indicates the keyword for allowing the data packets that meet related conditions to pass.
  • deny: Indicates the keyword for discarding the data packets that meet related conditions.
  • time-range: Indicates the keyword of the time range during which the ACL rule will be effective.

Step 4 Activate the ACL.
After an ACL is configured, only an ACL gets generated but it will not be functional. You need to run other commands to activate the ACL. Some common commands are as follows:
• Run the packet-filter command to activate an ACL.
• Run the firewall packet-filter command to activate an ACL. For details, see Configuring the Firewall.
• Perform the QoS operation. For details, see Configuring Traffic Management Based on ACL Rules.
----End

Example
To configure that from 00:00 to 12:00 on Fridays, port 0/4/0 on the MA5600T receives only the packets from 2.2.2.2, and discards the packets from other addresses, do as follows:

huawei(config)#time-range time1 00:00 to 12:00 fri
huawei(config)#acl 2000
huawei(config-acl-basic-2000)#rule permit source 2.2.2.2 0.0.0.0 time-range time1
huawei(config-acl-basic-2000)#rule deny time-range time1
huawei(config-acl-basic-2000)#quit
huawei(config)#packet-filter inbound ip-group 2000 port 0/4/0
huawei(config)#save

2.10.2 Filtering Packets by an Advanced ACL
This topic describes how to classify traffic for the data packets according to the source IP address, destination IP address, protocol type over IP, and features for protocol, such as source port of the TCP, destination port of the TCP, and ICMP type of the data packets.

Context
The number of an advanced ACL is in the range of 3000-3999. An advanced ACL can classify traffic according to the following information:
• Protocol type
• Source IP address
• Destination IP address
• Source port ID (source port of the UDP or TCP packets)
• Destination port ID (destination port of the UDP or TCP packets)
• ICMP packet type
• Precedence value: priority field of the data packet
• Type of service (ToS) value: ToS field of the data packet
• Differentiated services code point (DSCP) value: DSCP of the data packet

Procedure
Step 1 (Optional) Set a time range.
Run the time-range command to create a time range, which can be used when an ACL rule is created.

Step 2 Create an advanced ACL.
Run the acl command to create an advanced ACL, and then enter the acl-adv mode. The number of an advanced ACL can only be in the range of 3000-3999.
Step 3 Configure a rule of the advanced ACL.
In the acl-adv mode, run the rule command to create an ACL rule. The parameters are as follows:
• rule-id: Indicates the ACL rule ID. To create an ACL rule with a specified ID, use this parameter.
• permit: Indicates the keyword for allowing the data packets that meet related conditions to pass.
• deny: Indicates the keyword for discarding the data packets that meet related conditions.
• time-range: Indicates the keyword of the time range during which the ACL rules are effective.
Step 4 Activate the ACL.
After an ACL is configured, only an ACL is generated and the ACL does not take effect. You need to run other commands to activate the ACL. Some common commands are as follows:
• Run the packet-filter command to activate an ACL.
• Run the firewall packet-filter command to activate an ACL. For details, see 2.9.1 Configuring Firewall.
• Perform the QoS operation. For details, see 2.11.4 Configuring Traffic Management Based on ACL Rules.
----End

Example
Assume that the service board of the MA5600T resides in slot 1 and belongs to a VLAN, and the IP address of the VLAN L3 interface is 10.10.10.101. To prohibit the ICMP (such as ping) and telnet operations from the user side to the VLAN interface on the device, do as follows:

huawei(config)#acl 3001
huawei(config-acl-adv-3001)#rule 1 deny icmp destination 10.10.10.101 0
huawei(config-acl-adv-3001)#rule 2 deny tcp destination 10.10.10.101 0 destination-port eq telnet
huawei(config-acl-adv-3001)#quit
huawei(config)#packet-filter inbound ip-group 3001 rule 1 port 0/1/0
huawei(config)#packet-filter inbound ip-group 3001 rule 2 port 0/1/0
huawei(config)#save

2.10.3 Filtering Packets by a Link-layer ACL
This topic describes how to classify traffic according to the link layer information such as source MAC address, source VLAN ID, L2 protocol type, and destination MAC address.

Context
The number of a link layer ACL is in the range of 4000-4999. A link layer ACL can classify traffic according to the following link layer information:
• Protocol type over Ethernet
• 802.1p priority

• VLAN ID
• Source MAC address
• Destination MAC address

Procedure
Step 1 (Optional) Set a time range.
Run the time-range command to create a time range, which can be used when an ACL rule is created.
Step 2 Create a link layer ACL.
Run the acl command to create a link layer ACL, and then enter the acl-link mode. The number of a link layer ACL can only be in the range of 4000-4999.
Step 3 Configure a link layer ACL rule.
In the acl-link mode, run the rule command to create a link layer ACL rule. The parameters are as follows:
• rule-id: Indicates the ACL rule ID. To create an ACL rule with a specified ID, use this parameter.
• permit: Indicates the keyword for allowing the data packets that meet related conditions to pass.
• deny: Indicates the keyword for discarding the data packets that meet related conditions.
• time-range: Indicates the keyword of the time range during which the ACL rule is effective.
Step 4 Activate the ACL.
After an ACL is configured, only an ACL is generated and the ACL does not take effect. You need to run other commands to activate the ACL. Some common commands are as follows:
• Run the packet-filter command to activate an ACL.
• Perform the QoS operation. For details, see 2.11.4 Configuring Traffic Management Based on ACL Rules.
----End

Example
To create a link layer ACL rule that allows data packets with protocol type 0x8863 (pppoe-control message), VLAN ID 12, CoS 1, source MAC address 2222-2222-2222, and destination MAC address 00e0-fc11-4141 to pass, do as follows:

huawei(config)#acl 4001
huawei(config-acl-link-4001)#rule 1 permit type 0x8863 cos 1 source 12 2222-2222-2222 0000-0000-0000 destination 00e0-fc11-4141 0000-0000-0000
huawei(config-acl-link-4001)#quit
huawei(config)#save

2.10.4 Filtering Packets by a User-defined ACL
This topic describes how to classify traffic according to any 32 bytes of the first 80 bytes of a L2 data frame.
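Step 4 of each procedure above states that a configured ACL has no effect until another command activates it, and the precautions recommend a general rule in each ACL. The following audit script is an added example, not Huawei tooling; it checks both points over the commands of the basic, advanced and link-layer examples in this section. It assumes that any command carrying a `<type>-group <number>` argument (as in `packet-filter inbound ip-group 2000`) activates that ACL, and the function names are hypothetical.

```python
import re

ACL_RANGES = {"basic": range(2000, 3000), "advanced": range(3000, 4000),
              "link": range(4000, 5000), "user": range(5000, 6000)}
PROMPT = re.compile(r"^\S*?\([^)]*\)#?\s*")          # e.g. huawei(config-acl-basic-2000)#
GROUP_REF = re.compile(r"\b\w+-group\s+(\d+)")       # assumption: marks an activating command
RULE = re.compile(r"^rule\s+(?:(\d+)\s+)?(permit|deny)\b\s*(.*)$")

# Commands taken from the three examples in this section (prompts normalised).
PAGE_EXAMPLES = """
huawei(config)#time-range time1 00:00 to 12:00 fri
huawei(config)#acl 2000
huawei(config-acl-basic-2000)#rule permit source 2.2.2.2 0.0.0.0 time-range time1
huawei(config-acl-basic-2000)#rule deny time-range time1
huawei(config-acl-basic-2000)#quit
huawei(config)#packet-filter inbound ip-group 2000 port 0/4/0
huawei(config)#acl 3001
huawei(config-acl-adv-3001)#rule 1 deny icmp destination 10.10.10.101 0
huawei(config-acl-adv-3001)#rule 2 deny tcp destination 10.10.10.101 0 destination-port eq telnet
huawei(config-acl-adv-3001)#quit
huawei(config)#packet-filter inbound ip-group 3001 rule 1 port 0/1/0
huawei(config)#packet-filter inbound ip-group 3001 rule 2 port 0/1/0
huawei(config)#acl 4001
huawei(config-acl-link-4001)#rule 1 permit type 0x8863 cos 1 source 12 2222-2222-2222 0000-0000-0000 destination 00e0-fc11-4141 0000-0000-0000
huawei(config-acl-link-4001)#quit
huawei(config)#save
"""


def acl_type(number):
    """Map an ACL number to its type using the ranges given in this section."""
    for name, numbers in ACL_RANGES.items():
        if number in numbers:
            return name
    return "unknown"


def is_general(conditions):
    """A general rule has no match condition; a time-range qualifier is allowed."""
    return re.fullmatch(r"(time-range\s+\S+)?", conditions.strip()) is not None


def audit(transcript):
    """Return {acl_number: [findings]} for every ACL defined or referenced."""
    acls, current = {}, None

    def entry(number):
        return acls.setdefault(number, {"type": acl_type(number),
                                        "rules": [], "activated_by": []})

    for raw in transcript.splitlines():
        cmd = PROMPT.sub("", raw.strip(), count=1)
        if not cmd:
            continue
        definition = re.match(r"^acl\s+(\d+)$", cmd)
        if definition:
            current = int(definition.group(1))
            entry(current)
        elif cmd == "quit":
            current = None
        elif RULE.match(cmd) and current is not None:
            entry(current)["rules"].append(RULE.match(cmd).group(3))
        else:
            ref = GROUP_REF.search(cmd)
            if ref:
                entry(int(ref.group(1)))["activated_by"].append(cmd.split()[0])

    findings = {}
    for number, acl in sorted(acls.items()):
        issues = []
        if not acl["rules"]:
            issues.append("referenced but not defined")
        if not acl["activated_by"]:
            issues.append("never activated")
        # User-defined rules are byte patterns, so the general-rule check is skipped.
        if acl["rules"] and acl["type"] != "user" and not any(map(is_general, acl["rules"])):
            issues.append("no general rule")
        findings[number] = issues
    return findings


if __name__ == "__main__":
    for number, issues in audit(PAGE_EXAMPLES).items():
        print(number, acl_type(number), issues or "ok")
```

Run against a saved configuration, the same function lists every ACL that exists only on paper, which is the state the link-layer example leaves ACL 4001 in.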

Prerequisites
Configuring a user-defined ACL requires a deep understanding of the L2 data frame structure. Be sure to make a data plan according to the format of the L2 data frame.

Context
The number of a user-defined ACL must be in the range of 5000-5999. A user-defined ACL rule can be created according to any 32 bytes of the first 80 bytes of a L2 data frame.

Figure 2-5 First 64 bytes of a data frame

Table 2-12 lists the meaning of the letters and their offset values.

Table 2-12 Description of letters and their offset values

Letter  Description                           Offset    Letter  Description                          Offset
A       Destination MAC address               0         L       IP check sum                         28
B       Source MAC address                    6         M       Source IP address                    30
C       VLAN tag                              12        N       Destination IP address               34
D       Protocol type                         16        O       TCP source port                      38
E       IP version number                     18        P       TCP destination port                 40
F       Type of service                       19        Q       Serial number                        42
G       Length of the IP packet               20        R       Acknowledgement field                46
H       ID                                    22        S       IP header length and reserved bit    50
I       Flags                                 24        T       Reserved bit and flags bit           51
J       Time to live                          26        U       Window size                          52
K       Protocol ID ("6" represents TCP       27        V       Other                                54
        and "17" represents UDP)

NOTE
The offset value of each field is the offset value in data frame ETH II+VLAN tag.

In a user-defined ACL, you can use the two parameters of rule mask and offset to extract any bytes from the first 80 bytes of the data frame. After the comparison with the user-defined rule, the data frame matching the rule is filtered for related processing.

Procedure
Step 1 (Optional) Set a time range.
Run the time-range command to create a time range, which can be used when an ACL rule is created.
Step 2 Create a user-defined ACL.
Run the acl command to create a user-defined ACL, and then enter the acl-user mode. The number of a user-defined ACL can only be in the range of 5000-5999.
Step 3 Configure the user-defined ACL rule.
In the acl-user mode, run the rule command to create an ACL rule. The parameters are as follows:
• rule-id: Indicates the ACL rule ID. To create an ACL rule with a specified ID, use this parameter.
• permit: Indicates the keyword for allowing the data packets that meet related conditions to pass.
• deny: Indicates the keyword for discarding the data packets that meet related conditions.
• rule-string: Indicates the character string of the user-defined rule. The character string is in hexadecimal notation. The number of characters in the string must be an even number.
• rule-mask: Indicates the mask of the user-defined rule. It is a positive mask, used to perform the AND operation with the data packets for extracting the information of the data packets.
• offset: Indicates the offset. With the header of the packet as the reference point, it specifies the byte from which the AND operation begins. Together with the rule mask, it extracts a character string from the packets.
• ipoe: Indicates that the Ethernet packet header encapsulates an IP packet, including the IP packet without VLAN tag, IP packet with one VLAN tag, and IP packet with two VLAN tags.
• non-ipoe: Indicates that the Ethernet packet header encapsulates a non-IP packet, including the non-IP packet without VLAN tag, non-IP packet with one VLAN tag, non-IP packet with two VLAN tags, and non-IP packet with multiple VLAN tags.
• time-range: Indicates the keyword of the time range during which the ACL rule will be effective.
Step 4 Activate the ACL.
After an ACL is configured, only an ACL gets generated but it will not be functional. You need to run other commands to activate the ACL. Some common commands are as follows:

• Run the packet-filter command to activate an ACL.
• Perform the QoS operation. For details, see 2.11.4 Configuring Traffic Management Based on ACL Rules.
----End

Example
Assume that the packet sent from port 0/3/0 to the MA5600T is the QinQ packet containing two VLAN tags. To change the CoS priority in the outer VLAN tag (VLAN ID: 10) to 5, do as follows:

Figure 2-6 QinQ packet format

huawei(config)#acl 5001
huawei(config-acl-user-5001)#rule 1 permit 8100 ffff 16

NOTE
The type value of a QinQ packet varies with different vendors. In this example, Huawei adopts the default 0x8100. As shown in Figure 2-6, the offset of this type value should be 16 bytes.

huawei(config-acl-user-5001)#rule 10 permit 0a ff 19

NOTE
"19" indicates the AND operation after an offset of 19 bytes with the header of the packet as the base. "0a" refers to the value of the inner tag field of the QinQ packet. In this example, the second byte of the inner tag field is a part of the VLAN ID, which is exactly the value of the inner VLAN ID (VLAN 10).

huawei(config-acl-user-5001)#quit
huawei(config)#traffic-priority inbound user-group 5001 cos 5 port 0/3/0

2.11 Configuring QoS
This topic describes how to configure quality of service (QoS) on the MA5600T.

Background Information
Configuring QoS in the system can provide different quality guarantees for different services. QoS does not have a unified service model. Therefore, make the QoS plan for networkwide services before making the configuration solution.
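Returning to the user-defined ACL example in 2.10.4: the model below is an added example, not Huawei code. It applies the rule-string, rule-mask and offset semantics described there to constructed frames and shows which frames rules 1 and 10 accept individually. It assumes the rule string and mask have equal length and that the masked frame bytes are compared with the rule string as written; the frames, the function names and the tighter `000a 0fff 18` pattern are constructed for illustration and have not been checked on a device.

```python
import struct

MAX_WINDOW = 80  # the section limits user-defined matching to the first 80 bytes
MACS = bytes.fromhex("00e0fc114141") + bytes.fromhex("222222222222")  # constructed


def qinq_frame(outer_vid, inner_vid, inner_pcp=0, tpid=0x8100):
    """Constructed QinQ frame: outer tag at bytes 12-15, inner tag at 16-19."""
    tags = struct.pack("!HHHH", tpid, outer_vid, tpid, (inner_pcp << 13) | inner_vid)
    return MACS + tags + struct.pack("!H", 0x0800) + bytes(60)


def single_tag_ip_frame(vid, tos):
    """Constructed ETH II + one VLAN tag + IPv4: byte 19 is ToS (Table 2-12, F)."""
    return MACS + struct.pack("!HHH", 0x8100, vid, 0x0800) + bytes([0x45, tos]) + bytes(60)


def parse_rule(rule_string, rule_mask, offset):
    """Validate one rule: even-length hex strings, inside the 80-byte window."""
    if len(rule_string) % 2 or len(rule_mask) % 2:
        raise ValueError("rule-string and rule-mask need an even number of hex characters")
    value, mask = bytes.fromhex(rule_string), bytes.fromhex(rule_mask)
    if len(value) != len(mask):  # assumption of this model
        raise ValueError("rule-string and rule-mask must cover the same number of bytes")
    if offset < 0 or offset + len(value) > MAX_WINDOW:
        raise ValueError("rule must lie within the first 80 bytes of the frame")
    return value, mask


def rule_matches(frame, rule_string, rule_mask, offset):
    """AND the mask with the frame bytes at offset, then compare with the rule string."""
    value, mask = parse_rule(rule_string, rule_mask, offset)
    window = frame[offset:offset + len(value)]
    if len(window) < len(value):
        return False
    return bytes(f & m for f, m in zip(window, mask)) == value


# The two rules of ACL 5001 from the example: (rule-string, rule-mask, offset).
PAGE_RULES = {1: ("8100", "ffff", 16), 10: ("0a", "ff", 19)}


def matching_rules(frame, rules=PAGE_RULES):
    """IDs of the rules that accept the frame, each rule evaluated on its own."""
    return [rid for rid, rule in sorted(rules.items()) if rule_matches(frame, *rule)]


def inner_vlans_accepted(rule_string, rule_mask, offset):
    """Enumerate the inner VLAN IDs (1-4094) that a pattern accepts in a QinQ frame."""
    return [vid for vid in range(1, 4095)
            if rule_matches(qinq_frame(100, vid, inner_pcp=5),
                            rule_string, rule_mask, offset)]


if __name__ == "__main__":
    print("QinQ, inner VLAN 10   :", matching_rules(qinq_frame(100, 10)))
    print("QinQ, inner VLAN 266  :", matching_rules(qinq_frame(100, 266)))
    print("single tag, ToS 0x0a  :", matching_rules(single_tag_ip_frame(10, 0x0A)))
    print("0a ff 19 accepts      :", inner_vlans_accepted("0a", "ff", 19))
    print("000a 0fff 18 accepts  :", inner_vlans_accepted("000a", "0fff", 18))
```

Because offset 19 with mask ff covers only the low 8 bits of the 12-bit VLAN ID, the pattern also accepts VLANs 266, 522 and so on, and in a single-tagged IP frame the same byte is the ToS field; a data plan should account for both before the ACL is activated.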

the MA5600T supports hierarchical quality of service (HQoS) and ACL-based traffic management. the MA5600T supports rate limit on the Ethernet port and traffic suppression on inbound broadcast packets and unknown (multicast or unicast) packets.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 2 Basic Configurations On the MA5600T. In addition to the preceding key points.. you need to bind an IP traffic profile to the service port and manage the traffic of the service port through the traffic parameters defined in the profile. You can run the display traffic table command to query the traffic parameters of the default traffic profiles. through the configuration of queue scheduling. the ACL can be used to implement flexible traffic classification (see 2. Ltd. When configuring a service port.6 Creating a GPON Service Port. Configuring Traffic Management Based on Service Port This topic describes how to configure traffic management based on service port. Traffic management can be implemented based on the following three granularities: l Based on service port NOTE For details on configuring traffic classification.11. and then QoS can be implemented for traffic streams. l Queue scheduling For the service packets that are already configured with traffic management. l Based on port+CoS l Based on port+VLAN In addition. l ACL-based traffic management In the scenario where users have flexible requirements on implementing QoS for traffic streams. Background Information Traffic management based on service port is implemented by creating an IP traffic profile and then binding the IP traffic profile when creating the service port. thus implementing QoS inside the system. l HQoS Two levels of traffic management is supported: for HQoS users and for the HQoS user group.1 Configuring Traffic Management This topic describes how to configure traffic management on the MA5600T. 
Overview The MA5600T supports traffic management for the inbound and outbound traffic streams of the system. the service packets can be placed into queues with different priorities. l Issue 01 (2012-01-18) The system has seven default IP traffic profiles with the IDs of 0-6.10 Configuring the ACL). see Creating an xDSL Service Port or 4. Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. 2. the key points for implementing QoS are as follows: l Traffic management Configuring traffic management can limit the traffic for a user service or user port. 182 .

for the packets whose rate is equal to or lower than CIR. the system calculates the other three parameters based on the formula.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide l 2 Basic Configurations It is recommended that you use the default traffic profiles. After the configuration is completed.1p priority in the VLAN tag of the outbound packet. l The system marks the service packets with colors according to the CIR and PIR parameters.1p priority in the VLAN tag of the outbound packet. Ltd. the system marks them as green (allowed to pass). That is.1p priority specified in the traffic profile bound to the traffic stream. you are recommended to configure only CIR. l user-tos: Copy the ToS priority in the VLAN tag of the packet to the 802. l user-inner-cos: Copy the 802. NOTE "Outbound" (upstream) in this document refers to the direction from the user side to the network side.1p priority in the outer VLAN tag of the packet to the 802. the system marks them as yellow (allowed to pass). 183 .. To be specific.1p priority of the packet. Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. l Tag-In-Ingress-Package: For the downstream packets.1p priority in the inner VLAN tag (CTag) of the packet to the 802. yellow packets that do not exceed the bandwidth can also pass. and "inbound" (downstream) refers to the direction from the network side to the user side. l Local-Setting: It is the local priority. and the other three parameters are optional. A new IP traffic profile is created only when the default traffic profiles cannot meet the requirements. Thus. and yellow packets that exceed the bandwidth are dropped. Priority policies The priority policies are classified into the following three types: l user-cos: Copy the 802.1p priority in the VLAN tag of the outbound packet. green packets are allowed to pass. the system drops such packets. the system performs scheduling according to the 802. 
For the packets whose rate is higher than CIR and lower than PIR. If you configure only CIR. The system schedules the packet by the priority that the ingress packet. Table 2-13 lists the traffic parameters defined in the IP traffic profiles. Table 2-13 Traffic parameters defined in the IP traffic profiles Item Parameter Description Parameters of two rate three color management CIR: committed information rate CBS: committed burst size PIR: peak information rate PBS: peak burst size NOTE l CIR is mandatory. For the packets whose rate is higher than PIR. Scheduling policies There are three types of scheduling policies: l Tag-In-Package: The system performs scheduling according to the 802.

The following is a detailed description: l The traffic management parameters must contain at least CIR. Check whether an existing traffic profile meets the planned traffic management parameters. create an IP traffic profile.1p priority of the packet is adopted as the priority of the outbound packet. If a proper traffic profile does not exist in the system. If the user-side packet does not carry a priority. which must be assigned with a value. To add traffic profile 9 with these settings.1p priority of the outbound packet is 6..1p priority of the packet (a value in the range of 0-7).SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 2 Basic Configurations Procedure Step 1 Run the display traffic table command to query whether there is a proper traffic profile in the system. user-inner-cos. the specified default 802. the specified default 802.1p priority (the 802.1p priority of the packet is adopted as the priority of the outbound packet. – If the priority of the user-side packet is copied according to user-cos. If the user-side packet does not carry a priority.1p priority of the packet. l (Optional) Enter keyword inner-priority to set the inner 802. user-inner-cos. see Table 2-13. ----End Example Assume that the CIR is 2048 kbit/s. – If the priority of the user-side packet is copied according to user-cos. and the scheduling policy of the inbound packet is Tag-In-Package. you need to enter the default 802.1p priority in the CTag) of the packet. l Keyword priority must be entered to set the outer 802. Ltd. and scheduling policy to confirm the index of the traffic profile to be used. 184 . 
do as follows: huawei(config)#traffic table ip index 9 cir 2048 priority 6 priority-policy tag-InPackage Create traffic descriptor record successfully -----------------------------------------------TD Index : 9 TD Name : ip-traffic-table_9 Priority : 6 Copy Priority : Mapping Index : CTAG Mapping Priority: CTAG Mapping Index : CTAG Default Priority: 0 Priority Policy : tag-pri CIR : 2048 kbps CBS : 67536 bytes PIR : 4096 kbps Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. you need to enter the default 802. priority policy.1p priority of the packet (a value in the range of 0-7). or user-tos. Two options are available for setting the priority policy: – Enter a value in the range of 0-7 to specify a priority for the packet. For details about the scheduling policies. Step 2 Run the traffic table ip command to create a traffic profile. Two options are available for setting the priority policy: – Enter a value in the range of 0-7 to specify a priority for the packet. The usage of this command is complicated. or user-tos. l Keyword priority-policy must be entered to specify a scheduling policy for the inbound packet. 802. Step 3 Run the service port command to bind a proper traffic profile.

Prerequisites A proper IP traffic profile must be created and the index of the IP traffic profile to be used must be confirmed. 185 .1p priorities on a port.1p priority for the port. or GPON mode.. l port-cos: Indicates traffic management based on port+CoS. l If service ports are configured on the board. the system supports traffic management based on service ports.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 2 Basic Configurations PBS : 133072 bytes Referenced Status : not used -----------------------------------------------huawei(config)#display traffic table ip index 9 -----------------------------------------------TD Index : 9 TD Name : ip-traffic-table_9 Priority : 6 Copy Priority : Mapping Index : CTAG Mapping Priority: CTAG Mapping Index : CTAG Default Priority: 0 Priority Policy : tag-pri CIR : 2048 kbps CBS : 67536 bytes PIR : 4096 kbps PBS : 133072 bytes Referenced Status : not used ------------------------------------------------ Configuring Traffic Management Based on Port+CoS This topic describes how to configure traffic management based on port+CoS so that different IP traffic profiles can be specified for the traffic streams that have different 802. the traffic management mode of the board cannot be changed. see Configuring Traffic Management Based on Service Port. and bind an IP traffic profile to the traffic streams that meet the specified 802. Procedure Step 1 According to the type of the board to be configured. Step 3 Run the car-port command to specify the 802. By default. Step 2 Run the car-mode port-cos command to configure the traffic management mode of the service board to traffic management based on port+CoS. Ltd..1p priority. The configured traffic management mode has the following two options: l service-port: Indicates traffic management based on service port (default). pay attention to the following points: Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. 
When traffic management based on port+CoS is selected for a board. enter the EPON. For the configuration method. The configured traffic management mode is valid to all the ports on the board. Background Information l Traffic management based on service ports conflicts with traffic management based on port +CoS.

and the service with the highest CoS priority is ensured first. each service can hold a burst of the total user bandwidth. you can bind the corresponding traffic profile in the inbound/ outbound direction according to a CoS value of a port on the board. and Internet access service of each user share a total user bandwidth. l For an 8-port EPON board. Ltd. ----End Example To configure GEM port 130 on port 0 of the GPON board in slot 0/4. The multicast bandwidth is determined by the bandwidth of demanded programs. IPTV service.. do as follows: huawei(config)#interface vdsl 0/4 huawei(config-if-vdsl-0/4)#car-mode port-cos huawei(config-if-vdsl-0/4)#car-port 0 cos 3 inbound 3 outbound 3 huawei(config-if-vdsl-0/4)#display car-mode The CAR mode of the board : port-cos huawei(config-if-vdsl-0/4)#display car-port 0 ---------------------------------------------Port CoS Inbound-index Outbound-index ---------------------------------------------0 3 3 3 ---------------------------------------------- Configuring User-based Rate Limitation In the user-based rate limitation. the VoIP. the VoIP. IPTV service. Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. When there is no voice or IPTV service. 186 . the Internet access service can hold a burst of the total user bandwidth so that the total user bandwidth can be managed in a unified manner. When other services carry no traffic. and bind traffic profile 3 to the packets with priority 3. and Internet access service of each user share a total user bandwidth. All services of the user hold the total user bandwidth. and bind traffic profile 2 to the packets with priority 7. you can bind the corresponding traffic profile in the inbound/outbound direction according to a CoS value of a GEM port on the board. 
The total bandwidth of demanded programs cannot exceed the total user bandwidth.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 2 Basic Configurations l For a non-xPON board. you can bind the corresponding traffic profile in the inbound/ outbound direction according to the CoS value of an LLID on the board. l For a GPON board. Background Information When the user uses the Triple play service. do as follows: huawei(config)#interface gpon 0/4 huawei(config-if-gpon-0/4)#car-mode port-cos huawei(config-if-gpon-0/4)#car-port 0 gemport 130 cos 0 inbound 2 outbound 2 huawei(config-if-gpon-0/4)#display car-mode The CAR mode of the board : port-cos huawei(config-if-gpon-0/4)#display car-port 0 gemport 130 ---------------------------------------------Port GEM port CoS Inbound-index Outbound-index ---------------------------------------------0 130 7 2 2 ---------------------------------------------- To configure port 0 of theVDSL2 board in slot 0/4.

3. – In the user-based rate limitation. – To ensure the user bandwidth. – The PIR is equal to the total user bandwidth. To perform such a configuration with the following parameters.1p priority 4.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 2 Basic Configurations Procedure l For PON access users. In the case that any two services carry no traffic. IPTV service. – One service port cannot be added to multiple rate-limited groups. 187 . 1. Ltd. the PIR of the rate-limited group must be equal to or larger than the sum of CIRs of all services in the rate-limited group. and Internet access service. and Internet access services. using the IP traffic profile created in Step 1. add service ports 100. Through the QoS strategy applied on the rate-limited group. 4. – In the IP traffic profile used by the rate-limited group.. 2. Run the car-group add-member service-port command to add service ports to the rate-limited group. do as follows: l Issue 01 (2012-01-18) Service port 100 of the Internet access service uses traffic profile 10. the PIR must be equal to or larger than the sum of CIRs of all services in other IP traffic profiles. the third service can hold a burst of the total user bandwidth. only service ports of the same ONT can be added to the same rate-limited group. and use traffic profile 30 to control traffic of rate-limited group 0. and Internet access service in a descending order. the third service can hold a burst of the total user bandwidth. IPTV. ----End Example Assume that under GPON port 0/4/1. add rate-limited group 0. the total user bandwidth is ensured on the basis that the committed information rate (CIR) and peak information rate (PIR) of each service are ensured. Run the car-group command to create the rate-limited group of service ports to manage the total user bandwidth of multiple services. 101. IPTV service. – The CoS priorities of services are VoIP. EPBC service boards support user-based rate limitation. 
Pay attention to the following points when adding service ports to the rate-limited group: – Only service ports of the same PON port can be added to the same rate-limited group. In the case that any two services carry no traffic. multiple service ports of a user are added to a ratelimited group. Set the total user bandwidth to 10 Mbit/s. Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. and 102 of the user to rate-limited group 0. Run the service-port command to create service ports of the VoIP. and each service is allowed to hold a burst of the total user bandwidth. – Only the GPBD. with the CIR 2 Mbit/ s and the 802. – A maximum of eight service ports can be added to a rate-limited group. Run the traffic table ip command to create an IP traffic profile to configure the CoS priority of each service and ensure the CIR and PIR. – For Type C and Type D. the user with the ONT 1 is provided with the VoIP.

• Service port 101 of the VoIP service uses traffic profile 11, with the CIR 1 Mbit/s and the 802.1p priority 6.
• Service port 102 of the IPTV service uses traffic profile 12, with the packet rate not limited and the 802.1p priority 5.

huawei(config)#traffic table ip index 10 cir 2048 pir 10240 priority 4 priority-policy local-Setting
huawei(config)#service-port 100 vlan 2 gpon 0/4/1 ont 1 gemport 4 multi-service user-vlan 20 rx-cttr 10 tx-cttr 10
huawei(config)#traffic table ip index 11 cir 1024 pir 10240 priority 6 priority-policy local-Setting
huawei(config)#service-port 101 vlan 2 gpon 0/4/1 ont 1 gemport 5 multi-service user-vlan 30 rx-cttr 11 tx-cttr 11
huawei(config)#traffic table ip index 12 cir off priority 5 priority-policy local-Setting
huawei(config)#service-port 102 vlan 2 gpon 0/4/1 ont 1 gemport 6 multi-service user-vlan 40 rx-cttr 12 tx-cttr 12
huawei(config)#traffic table ip index 30 cir 10240 pir 10240 priority 3 priority-policy local-Setting
huawei(config)#car-group 0 inbound traffic-table index 30 outbound traffic-table index
huawei(config)#car-group 0 add-member service-port 100-102
huawei(config)#display car-group 0
Command: display car-group 0
----------------------------------------------------------------------------
                                          Inbound    Outbound
GroupID  Member List                      Index      Index
----------------------------------------------------------------------------
0        100,101,102                      10         10
----------------------------------------------------------------------------
Total: 1

Configuring Rate Limitation on an Ethernet Port
This topic describes how to configure rate limitation on a specified Ethernet port.

Background Information
• Rate limitation on an Ethernet port is valid only to the Ethernet board.
• Traffic streams exceeding the specified rate are discarded.

Prerequisites
The Ethernet board must be configured in the system.

Procedure
Step 1 In the global config mode, run the line-rate command to configure rate limitation on a specified Ethernet port. The main parameters are as follows:
• target-rate: Indicates the limited rate of the port, in the unit of kbit/s.
• port: Indicates the shelf ID/slot ID/port ID.
Step 2 You can run the display qos-info line-rate port command to query the configured rate limitation on the specified Ethernet port.
----End

Example
To limit the rate of Ethernet port 0/17/0 to 6400 kbit/s, do as follows:
huawei(config)#line-rate 6400 port 0/17/0
huawei(config)#display qos-info line-rate port 0/17/0
line-rate:
 port 0/17/0:
 Line rate: 6400 Kbps

Configuring GPON Rate Limitation
This topic describes how to configure rate limitation for GPON services, thereby providing differentiated quality of service (QoS) for various GPON services.

Background Information
• There are multiple methods of rate-limiting GPON services, for example, rate-limiting downstream traffic by using an IP traffic profile and ACL rules, rate-limiting the ONT upstream bandwidth by using a DBA profile, and rate-limiting the GEM port and GEM port traffic on an ONT.
• Rate limitation on GPON services can be performed on the OLT and the ONT concurrently. If more than one rate limitation mode is configured in the system, the minimum rate prevails.
• Which method of rate-limiting the ONT upstream bandwidth is used depends on the ONT capability. Specifically, if an ONT supports various rate limitation methods and the ONT upstream traffic is small (for example, FTTH service), a DBA profile is the best choice to rate-limit the ONT upstream traffic. This reduces packet drop and at the same time complies with traffic features, achieving the best bandwidth utilization. If a T-CONT carries upstream traffic for multiple users (for example, FTTB/FTTC service), rate limitation on GEM port is generally used to prevent a user from occupying bandwidth for a long time. If the priority of user packets is trustable (for example, an enterprise user), priority queue (PQ) scheduling is generally used.

Procedure
• Perform rate limitation on the OLT.
  – Rate limitation using an IP traffic profile includes two modes. For details, see Configuring Traffic Management Based on Service Port, and Configuring Traffic Management Based on Port+CoS.
  – Performing rate limitation by configuring an ACL rule can control the traffic matching the ACL rule. For details, see Controlling the Traffic Matching an ACL Rule.
  NOTE
  • In the case of an MxU device, rate limitation can be performed on downstream traffic of a service port or a port by configuring an IP traffic profile. For details, see MxU manuals.
  • In the case of H805GPBD board, you can run the traffic-limit ont command to limit the traffic of downstream packets on a specified ONT. The system limits the traffic of downstream packets on an ONT by using the shaping function and buffers the packets that exceed the limit (that is, the PIR parameter in the traffic profile) and transmits them at a proper time (such as during periodic checks).
• Perform rate limitation on the ONT.
  The DBA profile is used to schedule the ONT upstream bandwidth properly.
  1. Run the dba-profile add command to add a DBA profile.

A DBA profile supports five types (Type1 to Type5). Table 2-14 shows the features of the DBA profile of each type. Generally, services with a higher priority adopt Type1 or Type2 DBA profiles and services with a lower priority adopt Type3 or Type4 DBA profiles.

Table 2-14 The features of the DBA profile
Profile Type  Features
Type1         Indicates the fixed bandwidth. After the DBA profile of Type1 is bound, the system assigns a specified bandwidth, regardless of whether there is upstream traffic.
Type2         Indicates the assured bandwidth. After the DBA profile of Type2 is bound, the system meets the bandwidth requirements if the upstream traffic does not exceed a specified value. When there is no upstream traffic, the system does not assign any bandwidth.
Type3         Indicates the hybrid of assured bandwidth and non-assured bandwidth. The DBA profile of Type3 specifies an assured value and non-assured value. After assigning the fixed bandwidth and assured bandwidth, the system assigns the remaining bandwidth (if any) to the user bound with the DBA profile of Type3 (the assigned bandwidth does not exceed the non-assured bandwidth).
Type4         Indicates the best-effort bandwidth. The DBA profile of Type4 just specifies a maximum value. After the DBA profile of Type4 is bound, its priority for obtaining the bandwidth is the lowest. That is, after assigning the fixed bandwidth, assured bandwidth, and non-assured bandwidth, the system assigns the remaining bandwidth (if any) to the user bound with the DBA profile of Type4 (the assigned bandwidth does not exceed the maximum value).
Type5         Indicates the hybrid bandwidth. The preceding four types of values need to be specified.

  2. Run the ont-lineprofile gpon command to add a GPON ONT line profile, and then enter the GPON ONT line profile mode.
  3. Run the tcont command to bind a T-CONT to the DBA profile. It is recommended that one service type use one T-CONT and different T-CONTs be planned with different bandwidth assurance types.
  4. Run the qos-mode command to configure a QoS mode of the GPON ONT line profile to ensure that the QoS mode is the same as that of the GEM port. By default, the QoS mode of the GPON ONT line profile (that is, the ONT scheduling mode) is priority queue (PQ). The QoS mode includes:
     – gem-car: Indicates the rate limitation mode based on the GEM port of the T-CONT. Rate limitation is performed on a specified GEM port in the ONT upstream direction. The maximum traffic is determined by the DBA profile bound to the GEM port. If a T-CONT contains multiple GEM ports, the scheduling mechanism of packets between multiple GEM ports depends on the default scheduling mechanism of the ONT. To select the gem-car mode, set gem add to gem-car.

     – flow-car: Indicates the rate limitation mode based on traffic streams of a GEM port. Rate limitation is performed on a specified traffic stream in the ONT upstream direction. The maximum traffic is determined by the DBA profile bound to the traffic stream. After rate limitation based on traffic streams is performed, traffic is scheduled in the T-CONT queue. The scheduling mechanism depends on the default scheduling mechanism of the ONT. Flow-car is more specific than gem-car. To select the flow-car mode, set gem mapping to flow-car. Before configuring flow-car, make sure that the required traffic profile is created by running the traffic table ip command.
       NOTE
       The traffic stream in this topic refers to the service channel between an ONT and OLT. It is different from the service port created by running the service-port command.
     – priority-queue: Indicates the PQ mode based on the GEM port of the T-CONT. Traffic is scheduled based on PQ between multiple GEM ports in the ONT upstream direction. The maximum traffic is determined by the DBA profile to which the T-CONT is bound. By default, the system supports eight (0-7) queues. Queue 7 has the highest priority and services of queue 7 are preferentially guaranteed. To select priority-queue mode, set gem add to priority-queue.
  5. Run the commit command to make the profile configuration take effect. The configuration of the line profile takes effect only after you run this command.
----End

Example
Assume that:
• A user under ONT 1 connected to GPON port 0/4/1 requires 2 Mbit/s high-speed Internet access service.
• The priority of user packets is trustable. The PQ scheduling mechanism is used, with priority 1.
• DBA profile 10 of Type4 is used and the maximum bandwidth in the ONT upstream direction is 100 Mbit/s.
• The default IP traffic profile, namely IP traffic profile 5, is used for rate limitation on a GPON port, with CIR of 2048 kbit/s.
To perform the preceding configurations, do as follows:
huawei(config)#dba-profile add profile-id 10 type4 max 102400
huawei(config)#ont-lineprofile gpon profile-id 5
huawei(config-gpon-lineprofile-5)#tcont 1 dba-profile-id 10
huawei(config-gpon-lineprofile-5)#qos-mode Priority-queue
huawei(config-gpon-lineprofile-5)#gem add 1 eth tcont 1 priority-queue 1
huawei(config-gpon-lineprofile-5)#mapping-mode vlan
huawei(config-gpon-lineprofile-5)#gem mapping 1 2 vlan 10
huawei(config-gpon-lineprofile-5)#commit
huawei(config-gpon-lineprofile-5)#quit
huawei(config-if-gpon-0/4)#ont confirm 1 ontid 1 sn-auth 32303131B39FD641 snmp ont-lineprofile-id 5
huawei(config-if-gpon-0/4)#quit
huawei(config)#service-port 101 vlan 100 gpon 0/4/1 ont 1 gemport 1 rx-cttr 5 tx-cttr 5
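Two rules from the GPON procedure above can be checked before a change is applied: the qos-mode of a line profile has to agree with the mode named on gem add (gem-car, priority-queue) or gem mapping (flow-car), and nothing in the profile takes effect until commit is run. The following Python check is an added example, not Huawei code; it assumes only the command forms shown in the example above, and the function name and report wording are hypothetical.

```python
DEFAULT_QOS_MODE = "priority-queue"            # default stated in step 4
GEM_ADD_MODES = ("gem-car", "priority-queue")  # modes selected with 'gem add'
FLOW_CAR = "flow-car"                          # mode selected with 'gem mapping'

# Line-profile part of the example session shown above.
PAGE_EXAMPLE = """\
huawei(config)#dba-profile add profile-id 10 type4 max 102400
huawei(config)#ont-lineprofile gpon profile-id 5
huawei(config-gpon-lineprofile-5)#tcont 1 dba-profile-id 10
huawei(config-gpon-lineprofile-5)#qos-mode Priority-queue
huawei(config-gpon-lineprofile-5)#gem add 1 eth tcont 1 priority-queue 1
huawei(config-gpon-lineprofile-5)#mapping-mode vlan
huawei(config-gpon-lineprofile-5)#gem mapping 1 2 vlan 10
huawei(config-gpon-lineprofile-5)#commit
huawei(config-gpon-lineprofile-5)#quit
"""


def _close(profile, findings):
    """Apply the consistency rules to one finished line-profile block."""
    issues, qos = [], profile["qos"]
    for gem_id, mode in profile["gem_add"]:
        # A gem add line that names a mode must name the profile's qos-mode.
        if mode is not None and mode != qos:
            issues.append(f"gem {gem_id} added as {mode} but qos-mode is {qos}")
    for gem_id, has_flow_car in profile["gem_map"]:
        if has_flow_car and qos != FLOW_CAR:
            issues.append(f"gem {gem_id} mapping uses flow-car but qos-mode is {qos}")
        if qos == FLOW_CAR and not has_flow_car:
            issues.append(f"gem {gem_id} mapping lacks flow-car under qos-mode flow-car")
    if profile["dirty"]:
        issues.append("left without commit: the line profile does not take effect")
    findings[profile["id"]] = issues


def lint_gpon_lineprofiles(session):
    """Return {profile_id: [issues]} for each 'ont-lineprofile gpon' block."""
    findings, profile = {}, None
    for raw in session.splitlines():
        # Drop the prompt (everything up to '#') and compare case-insensitively.
        tokens = raw.split("#", 1)[-1].lower().split()
        if not tokens:
            continue
        if (tokens[:3] == ["ont-lineprofile", "gpon", "profile-id"]
                and len(tokens) == 4 and tokens[3].isdigit()):
            if profile is not None:
                _close(profile, findings)
            profile = {"id": int(tokens[3]), "qos": DEFAULT_QOS_MODE,
                       "gem_add": [], "gem_map": [], "dirty": False}
        elif profile is None:
            continue                      # command outside any line profile
        elif tokens[0] == "quit":
            _close(profile, findings)
            profile = None
        elif tokens[0] == "commit":
            profile["dirty"] = False
        else:
            profile["dirty"] = True       # any change needs a later commit
            if tokens[0] == "qos-mode" and len(tokens) == 2:
                profile["qos"] = tokens[1]
            elif tokens[:2] == ["gem", "add"] and len(tokens) > 2:
                named = GEM_ADD_MODES + (FLOW_CAR,)
                mode = next((t for t in tokens if t in named), None)
                profile["gem_add"].append((tokens[2], mode))
            elif tokens[:2] == ["gem", "mapping"] and len(tokens) > 2:
                profile["gem_map"].append((tokens[2], FLOW_CAR in tokens))
    if profile is not None:               # session ended inside the profile
        _close(profile, findings)
    return findings


if __name__ == "__main__":
    for pid, issues in lint_gpon_lineprofiles(PAGE_EXAMPLE).items():
        print(pid, issues or "consistent")
```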

Configuring EPON Rate Limitation
This topic describes how to configure rate limitation for EPON services, thereby providing differentiated quality of service (QoS) for various EPON services.

Background Information
• There are multiple methods of limiting the traffic of EPON services, for example, limiting downstream traffic by using an IP traffic profile and ACL rules, limiting the ONT upstream bandwidth by using a DBA profile, and limiting the ONT downstream bandwidth by using a traffic profile.
• Rate limitation on EPON services can be performed on the OLT and the ONT concurrently. If more than one rate limitation mode is configured in the system, the minimum rate prevails.

Procedure
• Perform rate limitation on the OLT.
  NOTE
  Rate limitation of the EPBA board cannot be performed on the OLT.
  – Rate limitation using an IP traffic profile includes two modes. For details, see Configuring Traffic Management Based on Service Port and Configuring Traffic Management Based on Port+CoS.
  – Performing rate limitation by configuring an ACL rule can control the traffic matching the ACL rule. For details, see Controlling the Traffic Matching an ACL Rule.
• Perform rate limitation on the ONT.
  Rate limitation for upstream packets
  – In the EPON mode, run the ont port attribute portid ontid eth ont-portid up-policing traffic-table-index command to limit the traffic of upstream packets on an ETH port.
    NOTE
    This command can be executed only when it is supported by the ONT version. For details, refer to the corresponding manual of the ONT.
  – A DBA profile is used to dynamically assign the ONT upstream bandwidth and improve upstream bandwidth usage efficiency.
    1. Run the dba-profile add command to add a DBA profile.
       A DBA profile supports five types (Type1 to Type5). Table 2-15 describes the features of the DBA profile of each type. Generally, services with a higher priority use Type1 or Type2 DBA profiles and services with a lower priority use Type3 or Type4 DBA profiles.

Table 2-15 Features of DBA profiles
Profile Type  Feature
Type1         Indicates the fixed bandwidth. After the DBA profile of Type1 is bound, the system assigns a specified bandwidth, regardless of whether there is upstream traffic or not.

Profile Type  Feature
Type2         Indicates the assured bandwidth. After the DBA profile of Type2 is bound, the system meets the bandwidth requirements if the upstream traffic does not exceed a specified value. When there is no upstream traffic, the system does not assign any bandwidth.
Type3         Indicates the hybrid of assured bandwidth and non-assured bandwidth. The DBA profile of Type3 specifies an assured value and non-assured value. After assigning the fixed bandwidth and assured bandwidth, the system assigns the remaining bandwidth (if any) to the user bound to the DBA profile of Type3 (the assigned bandwidth does not exceed the non-assured bandwidth).
Type4         Indicates the best-effort bandwidth. The DBA profile of Type4 just specifies a maximum value. After the DBA profile of Type4 is bound, its priority for obtaining the bandwidth is the lowest. That is, after assigning the fixed bandwidth, assured bandwidth, and non-assured bandwidth, the system assigns the remaining bandwidth (if any) to the user bound to the DBA profile of Type4 (the assigned bandwidth does not exceed the maximum value).
Type5         Indicates the hybrid bandwidth. The preceding four types of values must be all specified if this type of profile is used.

    2. Run the ont-lineprofile epon command to add an ONT line profile, and then enter the ONT line profile mode.
    3. Run the llid command to bind an ONT to the DBA profile.
    4. Run the commit command to make the parameters of the profile take effect. The configuration of a line profile takes effect only after you perform this operation.
    5. When the ont add command is executed to add an ONT, bind the ONT line profile to the ONT.
  Rate limitation for downstream packets
  – Run the llid ont-car command to bind an ONT to the traffic profile to limit the traffic of downstream packets on this ONT.
  – In the EPON mode, run the ont port attribute portid ontid eth ont-portid ds-policing traffic-table-index command to limit the traffic of downstream packets on an ETH port.
    NOTE
    This command can be executed only when it is supported by the ONT version. For details, refer to the corresponding manual of the ONT.
----End

Example
Assume that:

• A user under ONT 1 connected to EPON port 0/4/1 requires 2 Mbit/s high-speed Internet access service.
• Use DBA profile 10 of Type4 to limit the maximum upstream bandwidth of the ONT to 100 Mbit/s.
• Use traffic profile 20 to limit the maximum downstream bandwidth of the ONT to 100 Mbit/s.
• Use traffic profile 8 in the system for rate limitation on an EPON port, with CIR of 2 Mbit/s.
To perform the preceding configurations, do as follows:
huawei(config)#dba-profile add profile-id 10 type4 max 102400
huawei(config)#traffic table ip index 20 cir 102400 priority 1 priority-policy tag-In-Package
huawei(config)#ont-srvprofile epon profile-id 11
huawei(config-epon-srvprofile-11)#ont-port eth 4 pots 2
huawei(config-epon-srvprofile-11)#port vlan eth 1 10
huawei(config-epon-srvprofile-11)#commit
huawei(config-epon-srvprofile-11)#quit
huawei(config)#ont-lineprofile epon profile-id 5
huawei(config-epon-lineprofile-5)#llid dba-profile-id 10 ont-car 20
huawei(config-epon-lineprofile-5)#commit
huawei(config-epon-lineprofile-5)#quit
huawei(config)#interface epon 0/4
huawei(config-if-epon-0/4)#ont add 1 1 password-auth 0100000001 once-on no-aging oam ont-lineprofile-id 5 ont-srvprofile-id 11
huawei(config-if-epon-0/4)#quit
huawei(config)#traffic table ip index 8 cir 2048 priority 1 priority-policy tag-In-Package
huawei(config)#service-port 101 vlan 100 epon 0/4/1 ont 1 multi-service user-vlan 10 inbound traffic-table index 8 outbound traffic-table index 8

Configuring Traffic Suppression
This topic describes how to configure traffic suppression.

Background Information
Traffic suppression can be configured based on a board or based on the port on a board. The purpose of traffic suppression is to ensure the provisioning of the normal service of system users by suppressing the broadcast, unknown multicast, and unknown unicast packets received by the system.

Procedure
• Configure traffic suppression based on a board.
  1. Query the thresholds of traffic suppression.
     In the privilege mode, run the display traffic-suppress all command to query the thresholds of traffic suppression.
  2. Run the traffic-suppress command to suppress the traffic of the board in a slot. The main parameters are as follows:
     – broadcast: Suppresses the broadcast traffic.
     – multicast: Suppresses the unknown multicast traffic.
     – value: Indicates the index of the traffic suppression level. The index value is the value queried in step 1.
• Configure traffic suppression based on the port on a board.

  1. According to the board configured in the system, enter one of the following modes:
     – Run the interface GIU command to enter the GIU mode.
     – Run the interface SCU command to enter the SCU mode.
     – Run the interface eth command to enter the ETH mode.
  2. Query the thresholds of traffic suppression.
     Run the display traffic-suppress all command to query the thresholds of traffic suppression.
  3. Run the traffic-suppress command to suppress the traffic of the port on a GIU or SCU board. The main parameters are as follows:
     – broadcast: Suppresses the broadcast traffic.
     – multicast: Suppresses the unknown multicast traffic.
     – unicast: Suppresses the unknown unicast traffic.
     – value: Indicates the index of the traffic suppression level. The index value is the value queried in step 2.
----End

Example
To suppress the broadcast packets according to traffic suppression level 8 on port 0 on the SCU board in slot 0/7, do as follows:
huawei(config)#interface scu 0/7
huawei(config-if-scu-0/7)#display traffic-suppress all
Command:
        display traffic-suppress all
Traffic suppression ID definition:
---------------------------------------------------------------------
NO.  Min bandwidth(kbps)  Max bandwidth(kbps)  Package number(pps)
---------------------------------------------------------------------
 1        6                  145                  12
 2       12                  291                  24
 3       24                  582                  48
 4       48                 1153                  95
 5       97                 2319                 191
 6      195                 4639                 382
 7      390                 9265                 763
 8      781                18531                1526
 9     1562                37063                3052
10     3125                74126                6104
11     6249               148241               12207
12    12499               296483               24414
13        0                    0                   0
---------------------------------------------------------------------
---------------------------------------------------------------------
PortID  Broadcast_index  Multicast_index  Unicast_index
---------------------------------------------------------------------
0       7                7                OFF
1       7                7                OFF
2       7                7                OFF
3       7                7                OFF
---------------------------------------------------------------------
huawei(config-if-scu-0/7)#traffic-suppress all broadcast value 12
huawei(config-if-scu-0/7)#display traffic-suppress all
Traffic suppression ID definition:
---------------------------------------------------------------------
NO.  Min bandwidth(kbps)  Max bandwidth(kbps)  Package number(pps)

---------------------------------------------------------------------
 1        6                  145                  12
 2       12                  291                  24
 3       24                  582                  48
 4       48                 1153                  95
 5       97                 2319                 191
 6      195                 4639                 382
 7      390                 9265                 763
 8      781                18531                1526
 9     1562                37063                3052
10     3125                74126                6104
11     6249               148241               12207
12    12499               296483               24414
13        0                    0                   0
---------------------------------------------------------------------
---------------------------------------------------------------------
PortID  Broadcast_index  Multicast_index  Unicast_index
---------------------------------------------------------------------
0       12               OFF              OFF
1       12               OFF              OFF
2       12               OFF              OFF
3       12               OFF              OFF
---------------------------------------------------------------------

2.11.2 Configuring Early Drop
This topic describes how to configure early drop.

Configuring Priority-based Early Drop
The MA5600T can differentiate the services with different priorities in the same queue. The packet priority serves as a criterion for dropping packets, thus differentiating the services with different priorities in the same queue.

Background Information
Early drop means that the system drops the packets that wait to enter the queue when congestion occurs. This process occurs after traffic management, which is applicable to the dropping policy settings for the packets in the queue. The MA5600T supports early drop based on the following criteria:
• Color
  The system drops the yellow packets when congestion occurs.
• Priority
  The system supports the global configuration of the early drop threshold for each CoS priority. When congestion occurs in a queue, the packets are dropped according to the early drop thresholds of the priorities.

Procedure
• Configure the early drop mode.
  In the global config mode, run the early-drop mode pri-base command to configure the priority-based early drop. After the configuration is completed, the system performs early drop according to the outer 802.1p priorities of the packets.
• (Optional) Configure the early drop threshold.
  1. Configure the early drop threshold.
     Run the early-drop command to configure the mapping between service priorities and drop thresholds. After configuration is successful, if the packets of the specified service priority reach the threshold of the queue (the percentage of the queue depth),

     subsequent packets of the same service priority will be dropped instead of entering the queue.
  2. Query the configured early drop threshold.
     You can run the display early-drop command to query the configured early drop threshold.
----End

Example
To set the early drop threshold of the packet with CoS value 0 to 40, CoS value 2 to 60, and CoS values 3 and 4 to 80, do as follows:
huawei(config)#early-drop mode pri-base
huawei(config)#early-drop cos0 40 cos2 60 cos3 80 cos6 80
{<cr>|cos1<k>|cos4<k>|cos5<k>|cos7<k>}:
Command:
        early-drop cos0 40 cos2 60 cos3 80 cos6 80
huawei(config)#display early-drop
------------------------
Priority  Threshold
------------------------
0         40
1         100
2         60
3         80
4         100
5         100
6         80
7         100
------------------------

The following figure shows the implementation of the early drop as configured.

Configuring Color-based Early Drop
According to the parameters in the IP traffic profile, the MA5600T can implement early drop based on the color of packets. When congestion occurs, the yellow packets are dropped.

Procedure
• Configure the early drop mode.
  In the global config mode, run the early-drop mode color-base command to configure the color-based early drop. According to the CIR and PIR parameters in the IP traffic profile, the system marks packets with colors. The packets within the CIR bandwidth are marked as green, and the packets between the CIR and PIR bandwidth are marked as yellow. After the configuration is completed, green packets are allowed to pass, yellow packets that do not exceed the bandwidth can also pass, and yellow packets that exceed the bandwidth are dropped.
----End

2.11.3 Configuring the Queue Scheduling
A queue is a unit based on which packets are scheduled in a physical port. After the queue scheduling is configured, the packet of the priority service can be processed in time when network congestion occurs.

Configuring the Queue Scheduling Mode
This topic describes how to configure the queue scheduling mode for ensuring that packets in the queue with a higher priority can be processed in time in case of congestion.

Background Information
The MA5600T supports three queue scheduling modes: priority queuing (PQ), weighted round robin (WRR), and PQ+WRR.
• PQ
  The PQ gives preference to packets in a queue with a higher priority. When a queue with a higher priority is empty, the packets in a queue with a lower priority can be transmitted. By default, the PQ mode is used.
• WRR
  The system supports WRR for eight queues. Each queue has a weight value (w7, w6, w5, w4, w3, w2, w1, and w0 in descending order) for resource acquisition. In the WRR mode, queues are scheduled in turn to ensure that each queue can be scheduled. Table 2-16 lists the mapping between the configured weight and the actual weight of queues.

Table 2-16 Mapping between the configured weight and the actual weight of queues
Queue No.  Configured Weight  Actual Weight (for Port Supporting Eight Queues)  Actual Weight (for Port Supporting Four Queues)
7          W7                 W7                                                -
6          W6                 W6                                                -

Queue No.  Configured Weight  Actual Weight (for Port Supporting Eight Queues)  Actual Weight (for Port Supporting Four Queues)
5          W5                 W5                                                -
4          W4                 W4                                                -
3          W3                 W3                                                W7+W6
2          W2                 W2                                                W5+W4
1          W1                 W1                                                W3+W2
0          W0                 W0                                                W1+W0

Wn: Indicates the weight of queue n. The weight sum of all queues must be 0 or 100 (excluding the queue with weight 255). Here, 0 indicates that the PQ mode is used and 255 indicates that the queue is not used.

• PQ+WRR
  – The system supports PQ for some queues and WRR for the other queues. When the specified WRR value is 0, the queue is scheduled by PQ.
  – The queue scheduled by PQ should be a queue that has a higher priority.
  – The weight sum of queues scheduled by WRR must be equal to 100.

Procedure
Step 1 Run the queue-scheduler command to configure the queue scheduling mode.
Step 2 Run the display queue-scheduler command to query the configuration of the queue scheduling mode.
----End

Example
To configure WRR scheduling, with the weight values of the eight queues as 10, 10, 20, 20, 10, 10, 10, and 10 respectively, do as follows:
huawei(config)#queue-scheduler wrr 10 10 20 20 10 10 10 10
huawei(config)#display queue-scheduler
Queue scheduler mode : WRR
---------------------------------
Queue  Scheduler Mode  WRR Weight
---------------------------------
0      WRR             10
1      WRR             10
2      WRR             20
3      WRR             20
4      WRR             10
5      WRR             10
6      WRR             10
7      WRR             10
---------------------------------
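The weight rules above (0 means PQ, 255 means unused, the remaining weights must sum to 0 or 100, PQ queues should be the higher-priority ones) and the four-queue folding of Table 2-16 can be checked on a planned queue-scheduler line before it is applied. The following Python check is an added example, not Huawei code; it assumes the weights are listed from queue 0 to queue 7, as the display output above indicates, and the function names are hypothetical.

```python
import re

PQ, UNUSED = 0, 255   # per the text: weight 0 selects PQ, 255 marks an unused queue


def parse_queue_scheduler(line):
    """Return the eight weights (list index = queue number) of a
    'queue-scheduler wrr' command line, with or without a CLI prompt."""
    command = line.split("#", 1)[-1].strip()
    match = re.fullmatch(r"queue-scheduler\s+wrr((?:\s+\d+){8})", command)
    if not match:
        raise ValueError(f"not a queue-scheduler wrr command with 8 weights: {line!r}")
    return [int(tok) for tok in match.group(1).split()]


def scheduler_modes(weights):
    """Mode of each queue, as 'display queue-scheduler' would label it."""
    return ["PQ" if w == PQ else "unused" if w == UNUSED else "WRR" for w in weights]


def validate(weights):
    """Return a list of rule violations; an empty list means the plan is consistent."""
    issues = []
    total = sum(w for w in weights if w != UNUSED)
    if total not in (0, 100):
        issues.append(f"weights sum to {total}; must be 0 or 100 (255 excluded)")
    modes = scheduler_modes(weights)
    wrr_queues = [q for q, mode in enumerate(modes) if mode == "WRR"]
    if wrr_queues:
        top_wrr = max(wrr_queues)
        # PQ queues should have higher priority (a higher number) than every WRR queue.
        for q, mode in enumerate(modes):
            if mode == "PQ" and q < top_wrr:
                issues.append(f"queue {q} is PQ but ranks below WRR queue {top_wrr}")
    return issues


def fold_to_four_queues(weights):
    """Actual weights on a port with four queues, following Table 2-16:
    queue 3 = W7+W6, queue 2 = W5+W4, queue 1 = W3+W2, queue 0 = W1+W0."""
    if UNUSED in weights:
        # Assumption made explicit: the table gives no rule for unused queues.
        raise ValueError("Table 2-16 gives no folding rule for unused (255) queues")
    return {q4: weights[2 * q4 + 1] + weights[2 * q4] for q4 in range(3, -1, -1)}


if __name__ == "__main__":
    planned = [
        "huawei(config)#queue-scheduler wrr 10 10 20 20 10 10 10 10",  # from the page
        "huawei(config)#queue-scheduler wrr 0 0 20 20 20 20 10 10",    # constructed: PQ on low queues
        "huawei(config)#queue-scheduler wrr 10 10 20 20 10 10 10 20",  # constructed: sum is 110
    ]
    for line in planned:
        weights = parse_queue_scheduler(line)
        print(weights, validate(weights) or "ok", fold_to_four_queues(weights))
```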

To configure PQ+WRR scheduling, with the weight values of the six queues as 20, 20, 10, 30, 10, and 10 respectively, do as follows:
huawei(config)#queue-scheduler wrr 20 20 10 30 10 10 0 0
huawei(config)#display queue-scheduler
Queue scheduler mode : WRR
---------------------------------
Queue  Scheduler Mode  WRR Weight
---------------------------------
0      WRR             20
1      WRR             20
2      WRR             10
3      WRR             30
4      WRR             10
5      WRR             10
6      PQ              --
7      PQ              --
---------------------------------

Configuring the Mapping Between the Queue and the 802.1p Priority
This topic describes how to configure the mapping between the queue and the 802.1p priority so that packets with different 802.1p priorities are mapped to the specified queues based on the configured mapping. This enhances the flexibility of mapping packets to queues.

Background Information
• The configuration is valid to all the service boards in the system.
• By default, the mapping between the queue and the 802.1p priority is as listed in Table 2-17.

Table 2-17 Mapping between the queue and the 802.1p priority
Queue Number  Actual Queue Number (Port Supporting Eight Queues)  Actual Queue Number (Port Supporting Four Queues)  802.1p Priority
7             7                                                   3                                                  7
6             6                                                   3                                                  6
5             5                                                   2                                                  5
4             4                                                   2                                                  4
3             3                                                   1                                                  3
2             2                                                   1                                                  2
1             1                                                   0                                                  1
0             0                                                   0                                                  0

Procedure
Step 1 Run the cos-queue-map command to configure the mapping between the 802.1p priority and the queue.
Step 2 Run the display cos-queue-map command to query the mapping between the 802.1p priority and the queue.
----End

Example
To map 802.1p priority 0 to queue 0, 802.1p priority 1 to queue 2, and the other 802.1p priorities to queue 6, do as follows:
huawei(config)#cos-queue-map cos0 0 cos1 2 cos2 6 cos3 6 cos4 6 cos5 6 cos6 6 cos7 6
huawei(config)#display cos-queue-map
CoS and queue map:
------------------------
CoS  Queue ID
------------------------
0    0
1    2
2    6
3    6
4    6
5    6
6    6
7    6
------------------------

Configuring the Queue Depth
This topic describes how to configure the queue depth (the queue buffer space) to re-allocate buffer space to the queues, thus to improve the flexibility of QoS.

Background Information
The queue depth determines the capability of a queue for processing burst packets. The greater the queue depth, the larger the buffer space, and the more capable is the queue in processing burst packets.
The queue depth of the port is allocated on a percentage basis. Table 2-18 lists the default queue depths of the system.

Table 2-18 Queue depth allocation
Queue Number  Queue Depth (Port Supporting Eight Queues)  Actual Queue Number (Port Supporting Four Queues)
7             L7 (default: 6)                             -
6             L6 (default: 25)                            -
5             L5 (default: 12)                            -

Queue Number  Queue Depth (Port Supporting Eight Queues)  Actual Queue Number (Port Supporting Four Queues)
4             L4 (default: 12)                            -
3             L3 (default: 13)                            L7+L6 (default: 31)
2             L2 (default: 13)                            L5+L4 (default: 24)
1             L1 (default: 6)                             L3+L2 (default: 26)
0             L0 (default: 13)                            L1+L0 (default: 18)

Ln: Indicates the depth of queue n. The sum of all the queue depths must be equal to 100.

Procedure
Step 1 Run the queue-buffer command to configure the queue depth of the service board.
Step 2 Run the display queue-buffer command to query the queue depth of the current service board.
----End

Example
To set the queue depths to 20, 20, 10, 10, 10, 10, 10, and 10, do as follows:
huawei(config)#queue-buffer 20 20 10 10 10 10 10 10
huawei(config)#display queue-buffer
------------------------
Queue  Depth size ratio
------------------------
0      20
1      20
2      10
3      10
4      10
5      10
6      10
7      10
------------------------

2.11.4 Configuring Traffic Management Based on ACL Rules
The ACL can be used to implement flexible traffic classification according to user requirements. After traffic classification based on ACL rules is completed, you can perform QoS for the traffic streams.

Controlling the Traffic Matching an ACL Rule
This topic describes how to control the traffic matching an ACL rule on a specified port, and process the traffic that exceeds the limit, such as adding the DSCP tag or dropping the packet directly.

Prerequisite
The ACL and the rule of the ACL are configured, and the port for traffic limit is working in the normal state.

Background Information
• The traffic statistics are only valid to permit rules of an ACL.
• The limited traffic must be an integer multiple of 64 kbit/s.

Procedure
Step 1 Run the traffic-limit command to control the traffic matching an ACL rule on a specified port.
Run this command to set the action to be taken when the traffic received on the port exceeds the limited value. Two options are available:
• drop: Drop the traffic that exceeds the limited value.
• remark-dscp value: To set the DSCP priority for the traffic that exceeds the limited value, use this parameter.
Step 2 Run the display qos-info traffic-limit port command to query the traffic limit information on the specified port.
----End

Example
To limit the traffic that matches ACL 2001 received on port 0/4/0 to 512 kbit/s, and add the DSCP priority tag (af1) to packets that exceed the limit, do as follows:
huawei(config)#traffic-limit inbound ip-group 2001 512 exceed remark-dscp af1 port 0/4/0
//"af1" represents a dscp type: Assured Forwarding 1 service (10).
huawei(config)#display qos-info traffic-limit port 0/4/0
traffic-limit:
 port 0/4/0:
 Inbound:
 Matches: Acl 2001 rule 5 running
 Target rate: 512 Kbps
 Exceed action: remark-dscp af1

Adding a Priority Tag to the Traffic Matching an ACL Rule
This topic describes how to add a priority tag to the traffic matching an ACL rule on a specified port so that the traffic can obtain the service that matches the specified priority. The priority tag type can be ToS, DSCP, or 802.1p.

Prerequisite
The ACL and the rule of the ACL are configured, and the port for traffic limit is working in the normal state.

Background Information
• The traffic statistics are only effective for the permit rules of an ACL.

• The ToS and the DSCP priorities are mutually exclusive. Therefore, they cannot be configured at the same time.

Procedure
Step 1 Run the traffic-priority command to add a priority tag to the traffic matching an ACL rule on a specified port.
Step 2 Run the display qos-info traffic-priority port command to query the configured priority.
----End

Example
To add a priority tag to the traffic that matches ACL 2001 received on port 0/4/1, and the DSCP priority and local priority of the traffic are 10 (af1) and 0 respectively, do as follows:
huawei(config)#traffic-priority inbound ip-group 2001 dscp af1 local-precedence 0 port 0/4/1
huawei(config)#display qos-info traffic-priority port 0/4/1
traffic-priority:
 port 0/4/1:
 Inbound:
 Matches: Acl 2001 rule 5 running
 Priority action: dscp af1 local-precedence 0

Enabling the Statistics Collection of the Traffic Matching an ACL Rule
This topic describes how to enable the statistics collection of the traffic matching an ACL rule, thus analyzing and monitoring the traffic.

Prerequisite
The ACL and the rule of the ACL are configured, and the port for traffic statistics is working in the normal state.

Background Information
The traffic statistics are only valid to permit rules of an ACL.

Procedure
Step 1 Run the traffic-statistic command to enable the statistics collection of the traffic matching an ACL rule on a specified port.
Step 2 Run the display qos-info traffic-mirror port command to query the statistics information about the traffic matching an ACL rule on a specified port.
----End

Example
To enable the statistics collection of the traffic that matches ACL 2001 received on port 0/17/0, do as follows:
huawei(config)#traffic-statistic inbound ip-group 2001 port 0/17/0

huawei(config)#display qos-info traffic-statistic port 0/17/0
traffic-statistic:
port 0/17/0:
Inbound:
Matches: Acl 2001 rule 5 0 packet running

Enabling the Mirroring of the Traffic Matching an ACL Rule
This topic describes how to mirror the traffic matching an ACL rule on a port to a specified port. Mirroring does not affect packet receipt and transmission on the mirroring source port. You can monitor the traffic of the mirroring source port by analyzing the traffic that passes the mirroring destination port.

Prerequisite
The ACL and the rule of the ACL are configured, and the port for traffic mirroring is working in the normal state.

Background Information
• The traffic statistics are only valid to permit rules of an ACL.
• The destination mirroring port cannot be an aggregation port.
• The system supports only one mirroring destination port and the mirroring destination port must be the upstream port.

Procedure
Step 1 Run the traffic-mirror command to enable the mirroring of the traffic matching an ACL rule on a specified port.
Step 2 Run the display qos-info traffic-mirror port command to query the mirroring information about the traffic matching an ACL rule on a specified port.
----End

Example
To mirror the traffic that matches ACL 2001 received on port 0/4/1 to port 0/17/0, do as follows:
huawei(config)#traffic-mirror inbound ip-group 2001 port 0/4/1 to port 0/17/0
huawei(config)#display qos-info traffic-mirror port 0/4/1
traffic-mirror:
port 0/4/1:
Inbound:
Matches: Acl 2001 rule 5
Mirror to: port 0/17/0 running

Enabling the Redirection of the Traffic Matching an ACL Rule
This topic describes how to redirect the traffic matching an ACL rule on a specified port. After this operation is executed successfully, the original port does not forward the traffic matching the ACL rule, but the specified port forwards the traffic.

Prerequisites
The ACL and the rule of the ACL are configured, and the port for redirection is working in the normal state.

Context
• The traffic statistics are only valid to permit rules of an ACL.
• Currently, the service ports support only redirection of the traffic matching the ACL rule to upstream ports. The upstream ports support only redirection of the traffic matching the ACL rule to ports on the board of the same type.

Procedure
Step 1 Run the traffic-redirect command to redirect the traffic matching an ACL rule on a specified port.
Step 2 Run the display qos-info traffic-redirect port command to query the redirection information about the traffic matching an ACL rule on a specified port.
----End

Example
To redirect the traffic that matches ACL 2001 received on port 0/17/0 to port 0/17/1, do as follows:
huawei(config)#traffic-redirect inbound ip-group 2001 port 0/17/0 to port 0/17/1
huawei(config)#display qos-info traffic-redirect port 0/17/0
traffic-redirect:
port 0/17/0:
Inbound:
Matches: Acl 2001 rule 5 running
Redirected to: port 0/17/1

2.12 Configuring AAA
This topic describes how to configure the AAA on the MA5600T, including configuring the MA5600T as the local and remote AAA servers.

Background Information
AAA refers to authentication, authorization, and accounting. In the process that a user accesses network resources, through AAA, certain rights are authorized to the user if the user passes authentication, and the original data about the user accessing network resources is recorded.
• Authentication: Checks whether a user is allowed to access network resources.
• Authorization: Determines what network resources a user can access.
• Accounting: Records the original data about the user accessing network resources.

Application Context
AAA is generally applied to the users that access the Internet in the PPPoA, PPPoE, 802.1x, VLAN, WLAN, ISDN, or Admin Telnet (associating the user name and the password with the domain name) mode.

NOTE
In the existing network, PPPoE corresponds to the remote AAA, that is, the MA5600T functions as the client of a remote AAA server. 802.1x and Admin Telnet correspond to the local AAA, that is, the MA5600T functions as a local AAA server.

Figure 2-7 shows an example network of the AAA application.

Figure 2-7 Example network of the AAA application

The preceding figure shows that the AAA function can be implemented on the MA5600T in the following three ways:
• The MA5600T functions as a local AAA server. In this case, the local AAA needs to be configured. The local AAA does not support accounting.
• The MA5600T functions as the client of a remote AAA server, and is connected to the HWTACACS server through the HWTACACS protocol, thus implementing the AAA.
• The MA5600T functions as the client of a remote AAA server, and is connected to the RADIUS server through the RADIUS protocol, thus implementing the AAA. The RADIUS protocol, however, does not support authorization.

Table 2-19 lists the differences between HWTACACS and RADIUS.

Table 2-19 Differences between HWTACACS and RADIUS
HWTACACS | RADIUS
Uses TCP to realize more reliable network transmission. | Uses UDP for transmission.
Encrypts the body of HWTACACS packets, except their header. | Encrypts only the password field of the authenticated packets.
Separated authorization and authentication. | Concurrent processing of authentication and authorization.
Applicable to security control. | Applicable to accounting.
Supports authorization of the configuration commands on the router. | Does not support the authorization of the configuration commands on the router.
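As an added illustration of the RADIUS column in Table 2-19 (not code from this guide or from Huawei), the sketch below builds an Access-Request as RFC 2865 and RFC 2869 define it: only the password attribute is hidden with MD5 and the shared key, and the Message-Authenticator attribute (code 80) lets the receiver reject a modified packet or a mismatched key. The shared key, user name, password and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
# Attribute codes as listed in the guide's RADIUS attribute list.
USER_NAME, PASSWORD, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 2, 32, 80


def hide_password(password, secret, authenticator):
    """RFC 2865 password hiding: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        hidden += prev
    return hidden


def build_access_request(ident, authenticator, attrs, secret):
    """Serialize attributes and append a Message-Authenticator (HMAC-MD5 over the packet)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac          # the attribute was added last, so it is the tail


def parse_attributes(pkt):
    """Return [(type, value_offset, value)]; raise ValueError on malformed input."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", pkt[2:4])[0]
    if length != len(pkt):          # strict: trailing padding is not accepted here
        raise ValueError("length field does not match datagram size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = pkt[pos], pkt[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, pos + 2, pkt[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def verify_message_authenticator(pkt, secret):
    """True only if exactly one Message-Authenticator is present and matches the key."""
    try:
        attrs = parse_attributes(pkt)
    except ValueError:
        return False
    found = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][1]) != 16:
        return False
    off, received = found[0]
    zeroed = pkt[:off] + b"\x00" * 16 + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def sample_packet():
    """Constructed sample request; a real client uses a random Request Authenticator."""
    secret = b"constructed-secret"
    request_auth = bytes(range(16))
    attrs = [
        (USER_NAME, b"user1@isp"),
        (PASSWORD, hide_password(b"constructed-pw", secret, request_auth)),
        (NAS_IDENTIFIER, b"MA5600T"),
    ]
    return build_access_request(7, request_auth, attrs, secret), secret


if __name__ == "__main__":
    pkt, secret = sample_packet()
    print("user name visible on the wire:", b"user1@isp" in pkt)
    print("password visible on the wire:", b"constructed-pw" in pkt)
    print("valid with shared key:", verify_message_authenticator(pkt, secret))
    print("valid after tampering:",
          verify_message_authenticator(pkt.replace(b"user1@isp", b"user2@isp"), secret))
```

Everything except the password attribute travels in clear text, so the strength of the shared key and the presence of Message-Authenticator are what protect the exchange.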

2.12.1 Configuring the Local AAA
This topic describes how to configure the local AAA so that the user authentication can be performed locally.

Background Information
• The local AAA configuration is simple, which does not depend on the external server.
• The local AAA supports only authentication.

Procedure
Step 1 Configure the AAA authentication scheme.
NOTE
• The authentication scheme specifies how all the users in an Internet service provider (ISP) domain are authenticated. The system supports up to 16 authentication schemes.
• The system has a default authentication scheme named default. It can be modified, but cannot be deleted.
1. Run the aaa command to enter the AAA mode.
2. Run the authentication-scheme command to add an authentication scheme.
3. Run the authentication-mode local command to configure the authentication mode of the authentication scheme.
4. Run the quit command to return to the AAA mode.
Step 2 Create a domain.
NOTE
• A domain is a group of users of the same type.
• In the user name format userid@domain-name (for example, huawei20041028@huawei.net), "userid" indicates the user name for authentication and "domain-name" followed by "@" indicates the domain name.
• The domain name for user login cannot exceed 15 characters, and the other domain names cannot exceed 20 characters.
1. In the AAA mode, run the domain command to create a domain.
Step 3 Reference the authentication scheme.
NOTE
You can reference an authentication scheme in a domain only after the authentication scheme is created.
1. In the domain mode, run the authentication-scheme command to reference the authentication scheme.
2. Run the quit command to return to the AAA mode.
Step 4 Configure a local user.
In the AAA mode, run the local-user password command to create a local AAA user.
----End

Example
User1 in the isp domain adopts the local server for authentication. The authentication scheme is newscheme, and the password is a123456. Do as follows:

huawei(config)#aaa
huawei(config-aaa)#authentication-scheme newscheme
Info: Create a new authentication scheme
huawei(config-aaa-authen-newscheme)#authentication-mode local
huawei(config-aaa-authen-newscheme)#quit
huawei(config-aaa)#domain isp
Info: Create a new domain
huawei(config-aaa-domain-isp)#authentication-scheme newscheme
huawei(config-aaa-domain-isp)#quit
huawei(config-aaa)#local-user user1 password a123456

2.12.2 Configuring the Remote AAA (RADIUS Protocol)
The MA5600T is interconnected with the RADIUS server through the RADIUS protocol to implement authentication and accounting.

Background Information
• What is RADIUS:
  – RADIUS is short for the remote authentication dial-in user service. It is a distributed information interaction protocol with the client-server structure. Generally, it is used to manage a large number of distributed dial-in users.
  – RADIUS implements the user accounting by managing a simple user database.
  – The authentication and accounting requests of users can be passed on to the RADIUS server through a network access server (NAS).
• Principle of RADIUS:
  – When a user tries to access another network (or some network resources) by setting up a connection to the NAS through a network, the NAS forwards the user authentication and accounting information to the RADIUS server. The RADIUS protocol specifies the means of transmitting the user information and accounting information between the NAS and the RADIUS server.
  – The RADIUS server receives the connection requests of users sent from the NAS, authenticates the user account and password contained in the user data, and returns the required data to the NAS.
• Specification:
  – For the MA5600T, the RADIUS is configured based on each RADIUS server group.
  – In actual networking, a RADIUS server group can be any of the following:
    – An independent RADIUS server
    – A pair of primary/secondary RADIUS servers with the same configuration but different IP addresses
  – The following lists the attributes of a RADIUS server template:
    – IP addresses of primary and secondary servers
    – Shared key
    – RADIUS server type
• The configuration of the RADIUS protocol defines only the essential parameters for the information exchange between the MA5600T and the RADIUS server. To make the essential parameters take effect, the RADIUS server group should be referenced in a certain domain.
• The RADIUS attribute list defines the attribute parameters for interaction between the MA5600T and the RADIUS server. Table 2-20 describes the parameters.

Table 2-20 RADIUS attribute list
Parameter Code | Parameter Name | Description
1 | User-Name | Indicates the user name for authentication.
2 | Password | Indicates the user password for authentication. This parameter is valid only for PAP authentication.
3 | Challenge-Password | Indicates the user password for authentication. This parameter is valid only for CHAP authentication.
4 | NAS-IP-Address | Indicates the IP address of the access device. If the RADIUS server group is bound to an interface address, use the bound interface address; otherwise, use the address of the interface where packets are sent.
5 | NAS-Port | Indicates the user access port. The format of this parameter is four-digit slot ID + two-digit card number + five-digit port number + 21-digit VLAN ID.
6 | Service-Type | Indicates the user service type. The value of this parameter is 2 (frame) for access users and is 6 for telnet management users.
7 | Framed-Protocol | The value of this parameter is fixed to 1 (PPP) because ITU-T RFC 2856 does not define 802.1x for this parameter. Currently, the MA5600T supports only 802.1x access users but not PPP, L2TP, or DHCP access users for RADIUS authentication.
14 | Login-IP-Host | Indicates the host IP address of a login user.
15 | Login-Service | Indicates the login service type. The valid types are Telnet, Rlogin, TCP Clear, PortMaster (proprietary), and LAT.

24 | State | If the access challenge packet that the RADIUS server sends to a device contains this parameter, the subsequent access request packet sent by the device to the RADIUS server must also contain this parameter of the same value as that is contained in the access challenge packet.
25 | Class | If the access accept packet sent by the RADIUS server to a device contains this parameter, the subsequent charging request packet sent by the device to the RADIUS server must also contain this parameter of the same value. For a standard RADIUS server, a device can use the Class attribute to represent the CAR parameter.
27 | Session-Timeout | Indicates the available remaining time in the unit of second. It is the user re-authentication time in the EAP challenge packet.
29 | Termination-Action | Indicates the service termination mode. The valid modes are reauthentication and forcing users to go offline.
31 | Calling-Station-Id | Allows the NAS to send the calling number.
32 | NAS-Identifier | Indicates the host name of the device.
40 | Acct-Status-Type | Indicates the charging packet type. 1: charging start packet; 2: charging stop packet; 3: real-time charging packet.
41 | Acct-Delay-Time | Indicates the time for generating a charging packet in the unit of second.

42 | Acct-Input-Octets | Indicates the number of upstream bytes in the unit of byte, kbyte, Mbyte, or Gbyte. The specific unit can be configured using commands.
43 | Acct-Output-Octets | Indicates the number of downstream bytes in the unit of byte, kbyte, Mbyte, or Gbyte. The specific unit can be configured using commands.
44 | Acct-Session-Id | Indicates the charging connection number. The connection numbers for the charging start packet, real-time charging packet, and charging stop packet of the same connection must be the same.
45 | Acct-Authentic | Indicates the user authentication mode. 1: RADIUS authentication; 2: local authentication.
46 | Acct-Session-Time | Indicates the time for a user to go online in the unit of second.
47 | Acct-Input-Packets | Indicates the number of upstream packets.
48 | Acct-Output-Packets | Indicates the number of downstream packets.
49 | Terminate-Cause | Indicates the user connection interruption cause. The valid values are as follows: User-Request(1): The user actively goes offline. Lost Carrier(2): The handshake fails, such as the EAPOL detection fails. User Error(17): The user authentication fails or times out.
52 | Acct-Input-Gigawords | Indicates the number of upstream bytes in the unit of 4Gbyte, kbyte, Mbyte, or Gbyte. The specific unit can be configured using commands.

53 | Acct-Output-Gigawords | Indicates the number of downstream bytes in the unit of 4Gbyte, kbyte, Mbyte, or Gbyte. The specific unit can be configured using commands.
55 | Event-Timestamp | Indicates the user online time in the unit of second. The value is the absolute number of seconds counting from 1970-01-01 00:00:00.
60 | CHAP-Challenge | Indicates the challenge field for CHAP authentication. This parameter is valid only for CHAP authentication.
61 | NAS-Port-Type | Indicates the NAS port type.
79 | EAP-Message | Carries EAP packets.
80 | Message-Authenticator | Verifies validity of packets between the RADIUS server and RADIUS client to prevent malicious attacks.
85 | Acct-Interim-Interval | Indicates the interval for real-time charging in the unit of second.
87 | NAS-Port-Id | Indicates the user access port number. The format of this parameter uses the format when DHCP option 82 is in common raio mode.
88 | Framed-Pool | Indicates the name and address segment number of the address pool. After being delivered by the RADIUS server, this parameter is filled to suboption 7 in user DHCP packets by the MA5600T.
NOTE
The preceding parameters are RADIUS standard attributes. Starting from this row, the following parameters are Huawei-defined attributes.
26-29 | Exec-Privilege | Indicates the priority of operation users such as Telnet users. The value ranges from 0 to 15. 0: common user; 1: operator; 2: administrator; 3-15: common user.

26-60 | Ip-Host-Address | Indicates the user IP address and MAC address that are contained in authentication and charging packets. The format is A.B.C.D HH:HH:HH:HH:HH:HH. The IP address and MAC address are separated by a space.
26-254 | Version | Indicates the software version of the access device.
26-255 | Product-ID | Indicates the product name.

NOTE
The super level user cannot be authenticated. You can query the user level by running the display terminal user command.

Procedure
Step 1 Configure the authentication scheme.
NOTE
• The authentication scheme specifies how all the users in an ISP domain are authenticated.
• The system supports up to 16 authentication schemes. The system has a default accounting scheme named default. It can be modified, but cannot be deleted.
1. Run the aaa command to enter the AAA mode.
2. Run the authentication-scheme command to add an authentication scheme.
3. Run the authentication-mode radius command to configure the authentication mode of the authentication scheme.
4. Run the quit command to return to the AAA mode.
Step 2 Configure the accounting scheme.
NOTE
• The accounting scheme specifies how all the users in an ISP domain are charged.
• The system supports up to 128 accounting schemes. The system has a default accounting scheme named default. It can only be modified, but cannot be deleted.
1. In the AAA mode, run the accounting-scheme command to add an AAA accounting scheme.
2. Run the accounting-mode radius command to configure the accounting mode.
3. Run the accounting interim interval command to set the interval of real-time accounting. By default, the interval is 0 minutes, that is, the real-time accounting is not performed.
4. Run the quit command to return to the AAA mode.
Step 3 Configure the RADIUS server template.
1. Run the radius-server template command to create a RADIUS server template and enter the RADIUS server template mode.
2. Run the radius-server authentication command to configure the IP address and the UDP port ID of the RADIUS server for authentication.

NOTE
• To guarantee normal communication between the MA5600T and the RADIUS server, before configuring the IP address and UDP port of the RADIUS server, make sure that the route between the RADIUS server and the MA5600T is in the normal state.
• Make sure that the configuration of the RADIUS service port of the MA5600T is consistent with the port configuration of the RADIUS server.
3. Run the radius-server accounting command to configure the IP address and the UDP port ID of the RADIUS server for accounting.
4. Run the radius-server shared-key command to configure the shared key of the RADIUS server.
NOTE
• The RADIUS client (MA5600T) and the RADIUS server use the MD5 algorithm to encrypt the RADIUS packets. They check the validity of the packets by setting the encryption key. They can receive the packets from each other and can respond to each other only when their keys are the same.
• By default, the shared key of the RADIUS server is huawei.
5. (Optional) Run the radius-server timeout command to set the response timeout time of the RADIUS server. By default, the timeout time is 5s.
The MA5600T sends the request packets to the RADIUS server. If the RADIUS server does not respond within the response timeout time, the MA5600T re-transmits the request packets to the RADIUS server to ensure that users can get corresponding services from the RADIUS server.
6. (Optional) Run the radius-server retransmit command to set the maximum re-transmit time of the RADIUS request packets. By default, the maximum re-transmit time is 3.
When the re-transmit time of the RADIUS request packets to a RADIUS server exceeds the maximum re-transmit time, the MA5600T considers that its communication with the RADIUS server is interrupted, and thus transmits the RADIUS request packets to another RADIUS server.
7. Run the (undo)radius-server user-name domain-included command to configure the user name (not) to carry the domain name when transmitted to the RADIUS server. By default, the user name of the RADIUS server carries the domain name.
NOTE
• An access user is named in the format of userid@domain-name, and the part after @ is the domain name. The MA5600T classifies a user into a domain according to the domain name.
• If a RADIUS server group rejects the user name carrying the domain name, the RADIUS server group cannot be set or used in two or more domains. Otherwise, when some access users in different domains have the same user name, the RADIUS server considers that these users are the same because the names transmitted to the server are the same.
8. Run the quit command to return to the global config mode.
Step 4 Create a domain.
A domain is a group of users of the same type.
In the user name format userid@domain-name (for example, huawei20041028@huawei.net), "userid" indicates the user name for authentication and "domain-name" followed by "@" indicates the domain name.
The domain name for user login cannot exceed 15 characters, and the other domain names cannot exceed 20 characters.

1. Run the aaa command to enter the AAA mode.
2. In the AAA mode, run the domain command to create a domain.
Step 5 Use the authentication scheme.
You can use an authentication scheme in a domain only after the authentication scheme is created.
In the domain mode, run the authentication-scheme command to use the authentication scheme.
Step 6 Use the accounting scheme.
You can use an accounting scheme in a domain only after the accounting scheme is created.
In the domain mode, run the accounting-scheme command to use the accounting scheme.
Step 7 Use the RADIUS server template.
NOTE
You can use a RADIUS server template in a domain only after the RADIUS server template is created.
1. In the domain mode, run the radius-server template command to use the RADIUS server template.
2. Run the quit command to return to the AAA mode.
----End

Example
User1 in the isp domain adopts the HWTACACS protocol for authentication and accounting. The accounting interval is 10 minutes, the authentication password is a123456, HWTACACS server 10.10.66.66 functions as the primary authentication and accounting server, and HWTACACS server 10.10.66.67 functions as the standby authentication and accounting server. On the HWTACACS server, the authentication port ID is 1812, accounting port ID 1813, and other parameters adopt the default values. To perform the preceding configuration, do as follows:
huawei(config)#aaa
huawei(config-aaa)#authentication-scheme newscheme
huawei(config-aaa-authen-newscheme)#authentication-mode radius
huawei(config-aaa-authen-newscheme)#quit
huawei(config-aaa)#accounting-scheme newscheme
huawei(config-aaa-accounting-newscheme)#accounting-mode radius
huawei(config-aaa-accounting-newscheme)#accounting interim interval 10
huawei(config-aaa-accounting-newscheme)#quit
huawei(config-aaa)#quit
huawei(config)#radius-server template hwtest
huawei(config-radius-hwtest)#radius-server authentication 10.10.66.66 1812
huawei(config-radius-hwtest)#radius-server authentication 10.10.66.67 1812 secondary
huawei(config-radius-hwtest)#radius-server accounting 10.10.66.66 1813
huawei(config-radius-hwtest)#radius-server accounting 10.10.66.67 1813 secondary
huawei(config-radius-hwtest)#quit
huawei(config)#aaa
huawei(config-aaa)#domain isp
huawei(config-aaa-domain-isp)#authentication-scheme newscheme
huawei(config-aaa-domain-isp)#accounting-scheme newscheme
huawei(config-aaa-domain-isp)#radius-server hwtest
huawei(config-aaa-domain-isp)#quit
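One way to check a saved configuration against the rules in this procedure, as an added example that is not part of the guide or of Huawei's tooling: the script flags a domain that uses a scheme or RADIUS server template before it is created, a template left on the default shared key huawei, a template that no domain uses, and a RADIUS accounting scheme whose interim interval is 0. The sample configuration is constructed, and the argument form radius-server shared-key <key> is an assumption, since the guide names the command but does not show its syntax.

```python
DEFAULT_SHARED_KEY = "huawei"  # default RADIUS shared key stated in this guide


def audit(config_text):
    """Return (severity, message) findings for an MA5600T-style AAA/RADIUS configuration."""
    findings = []
    stack = []                                  # CLI modes entered so far
    authen, acct, templates, domains = {}, {}, {}, {}

    for lineno, raw in enumerate(config_text.splitlines(), 1):
        w = raw.split()
        if not w:
            continue
        if w[0] == "quit":                      # leave the current mode
            if stack:
                stack.pop()
            continue
        mode, name = stack[-1] if stack else ("top", None)

        if mode == "top":
            if w == ["aaa"]:
                stack.append(("aaa", None))
            elif w[:2] == ["radius-server", "template"] and len(w) == 3:
                templates.setdefault(w[2], {"key": None, "auth": [], "acct": []})
                stack.append(("template", w[2]))
        elif mode == "aaa" and len(w) == 2:
            if w[0] == "authentication-scheme":
                authen.setdefault(w[1], {"mode": None})
                stack.append(("authen", w[1]))
            elif w[0] == "accounting-scheme":
                acct.setdefault(w[1], {"mode": None, "interim": 0})
                stack.append(("acct", w[1]))
            elif w[0] == "domain":
                domains.setdefault(w[1], {})
                stack.append(("domain", w[1]))
        elif mode == "authen" and w[0] == "authentication-mode" and len(w) == 2:
            authen[name]["mode"] = w[1]
        elif mode == "acct":
            if w[0] == "accounting-mode" and len(w) == 2:
                acct[name]["mode"] = w[1]
            elif w[:3] == ["accounting", "interim", "interval"] and len(w) == 4 and w[3].isdigit():
                acct[name]["interim"] = int(w[3])
        elif mode == "template" and w[0] == "radius-server" and len(w) >= 3:
            if w[1] == "shared-key":            # assumed syntax: radius-server shared-key <key>
                templates[name]["key"] = w[2]
            elif w[1] in ("authentication", "accounting"):
                kind = "auth" if w[1] == "authentication" else "acct"
                templates[name][kind].append((w[2], w[-1] == "secondary"))
        elif mode == "domain" and len(w) == 2:
            known = {"authentication-scheme": authen, "accounting-scheme": acct,
                     "radius-server": templates}.get(w[0])
            if known is not None:
                domains[name][w[0]] = w[1]
                if w[1] not in known:           # used before it was created
                    findings.append(("error", f"line {lineno}: domain {name} uses "
                                     f"{w[0]} {w[1]} before it is created"))

    for tname, t in templates.items():
        if t["key"] in (None, DEFAULT_SHARED_KEY):
            findings.append(("high", f"template {tname}: shared key is the default "
                             f"'{DEFAULT_SHARED_KEY}'"))
        if t["auth"] and not any(secondary for _, secondary in t["auth"]):
            findings.append(("info", f"template {tname}: no secondary authentication server"))
        if not any(d.get("radius-server") == tname for d in domains.values()):
            findings.append(("info", f"template {tname}: not used in any domain, "
                             "so its parameters do not take effect"))
    for sname, s in acct.items():
        if s["mode"] == "radius" and s["interim"] == 0:
            findings.append(("info", f"accounting-scheme {sname}: interim interval 0, "
                             "real-time accounting is not performed"))
    return findings


# Constructed sample: the domain names a template that was never created,
# and the template that does exist has no shared key configured.
SAMPLE = """\
aaa
authentication-scheme newscheme
authentication-mode radius
quit
accounting-scheme newscheme
accounting-mode radius
accounting interim interval 10
quit
quit
radius-server template radtest
radius-server authentication 10.10.66.66 1812
radius-server authentication 10.10.66.67 1812 secondary
radius-server accounting 10.10.66.66 1813
radius-server accounting 10.10.66.67 1813 secondary
quit
aaa
domain isp1
authentication-scheme newscheme
accounting-scheme newscheme
radius-server hwtacacs
quit
"""

# Same sample with the reference corrected and a constructed, non-default key set.
FIXED = (SAMPLE.replace("radius-server hwtacacs", "radius-server radtest")
               .replace("radius-server template radtest\n",
                        "radius-server template radtest\nradius-server shared-key Example-Key-1\n"))

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"[{severity}] {message}")
```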

l The RADIUS server with the IP address 10. and the accounting port number is 1813. l The authentication port number is 1812.66.3 Configuration Example of the RADIUS Authentication and Accounting The MA5600T is interconnected with the RADIUS server through the RADIUS protocol to implement authentication and accounting. Networking Figure 2-8 shows an example network of the RADIUS Authentication and Accounting application.10.10. Service Requirements l The RADIUS server performs authentication and accounting for users in the ISP1 and ISP2 domains. Configure authentication scheme named newscheme (users are authenticated through RADIUS).SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 2 Basic Configurations 2. 217 . l Other parameters adopt the default settings.66.67 functions as the secondary server for authentication and accounting.. Figure 2-8 Example network of the RADIUS Authentication and Accounting application.12.66 functions as the primary server for authentication and accounting. Procedure Step 1 Configure the authentication scheme. Ltd. huawei(config)#aaa huawei(config-aaa)#authentication-scheme newscheme Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. l The RADIUS server with the IP address 10.

Info: Create a new authentication scheme
huawei(config-aaa-authen-newscheme)#authentication-mode radius
huawei(config-aaa-authen-newscheme)#quit
Step 2 Configure the accounting scheme.
Configure accounting scheme named newscheme (users are authenticated through RADIUS), the interval is 10 minutes.
huawei(config-aaa)#accounting-scheme newscheme
Info: Create a new accounting scheme
huawei(config-aaa-accounting-newscheme)#accounting-mode radius
huawei(config-aaa-accounting-newscheme)#accounting interim interval 10
huawei(config-aaa-accounting-newscheme)#quit
huawei(config-aaa)#quit
Step 3 Configure the RADIUS protocol.
Create RADIUS server template named hwtest with the RADIUS server 10.10.66.66 as the primary authentication and accounting server, and the RADIUS server 10.10.66.67 as the secondary authentication and accounting server.
huawei(config)#radius-server template hwtacacs
Note: Create a new server template
huawei(config-radius-hwtacacs)#radius-server authentication 10.10.66.66 1812
huawei(config-radius-hwtacacs)#radius-server authentication 10.10.66.67 1812 secondary
huawei(config-radius-hwtacacs)#radius-server accounting 10.10.66.66 1813
huawei(config-radius-hwtacacs)#radius-server accounting 10.10.66.67 1813 secondary
huawei(config-radius-hwtacacs)#quit
Step 4 Create a domain.
Create a domain named isp1.
huawei(config)#aaa
huawei(config-aaa)#domain isp1
Info: Create a new domain
Step 5 Use the authentication scheme.
You can use an authentication scheme in a domain only after the authentication scheme is created.
huawei(config-aaa-domain-isp1)#authentication-scheme newscheme
Step 6 Use the accounting scheme.
You can use an accounting scheme in a domain only after the accounting scheme is created.
huawei(config-aaa-domain-isp1)#accounting-scheme newscheme
Step 7 Use the RADIUS server template.
You can use a RADIUS server template in a domain only after the RADIUS server template is created.
huawei(config-aaa-domain-isp1)#radius-server hwtacacs
huawei(config-aaa-domain-isp1)#quit
----End

Result
User 1 in ISP 1 can pass authentication only if both the user name and password are correct, and then can log in to the MA5600T. Then, the user starts to be accounted.

Configuration File
aaa
authentication-scheme newscheme
authentication-mode radius
quit
accounting-scheme newscheme
accounting-mode radius
accounting interim interval 10
quit
quit
radius-server template hwtacacs
radius-server authentication 10.10.66.66 1812
radius-server authentication 10.10.66.67 1812 secondary
radius-server accounting 10.10.66.66 1813
radius-server accounting 10.10.66.67 1813 secondary
quit
aaa
domain isp1
authentication-scheme newscheme
accounting-scheme newscheme
radius-server hwtacacs
quit

2.12.4 Configuring the Remote AAA (HWTACACS Protocol)
The MA5600T is interconnected with the HWTACACS server through the HWTACACS protocol to implement authentication, authorization, and accounting.

Background Information
• What is HWTACACS:
  – HWTACACS is a security protocol with enhanced functions on the base of TACACS (RFC1492). Similar to the RADIUS protocol, HWTACACS implements multiple subscriber AAA functions through communications with the HWTACACS server in the client/server (C/S) mode.
  – HWTACACS is used for the authentication, authorization, and accounting for the 802.1 access users and management users.
• Principle of HWTACACS:
  Adopting the client/server architecture, HWTACACS is a protocol through which the NAS (MA5600T) transmits the encrypted HWTACACS data packets to communicate with the HWTACACS database of the security server. The working mode is as follows:
  – HWTACACS authentication. When the remote user connects to the corresponding port of the NAS, the NAS communicates with the daemon of the HWTACACS server, and obtains the prompt of entering the user name from the daemon. Then, the NAS displays the message to the user. When the remote user enters the user name, the NAS transmits

the user name to the daemon. Then, the NAS obtains the prompt of entering the password, and displays the message to the user. After the remote user enters the password, the NAS transmits the password to the daemon.
  – HWTACACS authorization. After being authenticated, the user can be authorized. The NAS communicates with the daemon of the HWTACACS server, and then returns the accept or reject response of the authorization.

NOTE
• The HWTACACS configuration only defines the parameters used for data exchange between the MA5600T and the HWTACACS server. To make these parameters take effect, you need to use the HWTACACS server group in a domain.
• The settings of an HWTACACS server template can be modified regardless of whether the template is bound to a server or not.

Procedure
Step 1 Configure the AAA authentication scheme.
The authentication scheme specifies how all the users in an ISP domain are authenticated. The system supports up to 16 authentication schemes. The system has a default authentication scheme named default. It can be modified, but cannot be deleted.
1. Run the aaa command to enter the AAA mode.
2. Run the authentication-scheme command to add an authentication scheme.
3. Run the authentication-mode local command to configure the authentication mode of the authentication scheme. Use the HWTACACS protocol to authenticate users.
4. Run the quit command to return to the AAA mode.
Step 2 Configure the AAA authorization scheme.
The authorization scheme specifies how all the users in an ISP domain are authorized.
1. In the AAA mode, run the authorization-scheme command to add an AAA authorization scheme.
2. Run the authorization-mode hwtacacs command to configure the authorization mode.
3. Run the quit command to return to the AAA mode.
Step 3 Configure the AAA accounting scheme.
The accounting scheme specifies how all the users in an ISP domain are charged. The system supports up to 128 accounting schemes. The system has a default accounting scheme named default. It can be modified, but cannot be deleted.
1. In the AAA mode, run the accounting-scheme command to add an AAA accounting scheme.
2. Run the accounting-mode hwtacacs command to configure the accounting mode. By default, the accounting is not performed.
3. Run the accounting interim interval command to set the interval of real-time accounting. By default, the interval is 0 minutes, that is, the real-time accounting is not performed.
4. Run the quit command to return to the AAA mode.
5. Run the quit command to return to the global config mode.

Step 4 Configure the HWTACACS protocol.
The configuration of the HWTACACS protocol of the MA5600T is on the basis of the HWTACACS server group. In actual networking scenarios, an HWTACACS server group can be an independent HWTACACS server or a combination of two HWTACACS servers, that is, a primary server and a secondary server with the same configuration but different IP addresses.
Each HWTACACS server template contains the primary/secondary server IP address, shared key, and HWTACACS server type.
Primary and secondary authentication, accounting, and authorization servers can be configured. The IP address of the primary server, however, must be different from that of the secondary server. Otherwise, the configuration of primary and secondary servers will fail. By default, the IP addresses of the primary and secondary servers are both 0.0.0.0.
1. Run the hwtacacs-server template command to create an HWTACACS server template and enter the HWTACACS server template mode.
2. Run the hwtacacs-server authentication command to configure a primary authentication server. You can select secondary to configure a secondary authentication server.
NOTE
- To ensure normal communication between the MA5600T and the HWTACACS server, before configuring the IP address and the UDP port of the HWTACACS server, make sure that the route between the HWTACACS server and the MA5600T is in the normal state.
- Make sure that the HWTACACS server port of the MA5600T is the same as the port of the HWTACACS server.
3. Run the hwtacacs-server accounting command to configure a primary accounting server. You can select secondary to configure a secondary accounting server.
4. Run the hwtacacs-server authorization command to configure a primary authorization server. You can select secondary to configure a secondary authorization server.
5. (Optional) Run the hwtacacs-server shared-key command to configure the shared key of the HWTACACS server.
NOTE
- The HWTACACS client (MA5600T) and the HWTACACS server use the MD5 algorithm to encrypt the HWTACACS packets. They check the validity of the packets by configuring the encryption key. They can receive the packets from each other and can respond to each other only when their keys are the same.
- By default, the HWTACACS server does not have a key.
6. (Optional) Run the hwtacacs-server timer response-timeout to set the response timeout time of the HWTACACS server.
NOTE
- If the HWTACACS server does not respond to the HWTACACS request packets within the timeout time, the communication between the MA5600T and the current HWTACACS server is considered interrupted.
- By default, the response timeout time of the HWTACACS server is 5s.
7. (Optional) In the global config mode, run the hwtacacs-server accounting-stop-packet command to configure the re-transmission mechanism of the accounting-stop packets of the HWTACACS server.

NOTE
- To prevent the loss of the accounting packets, the MA5600T supports the re-transmission of the accounting-stop packets of the HWTACACS server.
- By default, the re-transmit time of the accounting-stop packets of the HWTACACS server is 100.
8. (Optional) Run the (undo)hwtacacs-server user-name domain-included command to configure the user name (not) to carry the domain name when transmitted to the HWTACACS server.
NOTE
- By default, the user name of the HWTACACS server carries the domain name.
- After the undo hwtacacs-server user-name domain-included command is executed, the domain name is deleted from the user name when the client sends authentication and authorization requests to the HWTACACS server. The domain name in the user name of the accounting request is, however, reserved. This is to ensure that the users can be distinguished from each other in the accounting.
9. Run the quit command to return to the global config mode.

Step 5 Create a domain.
A domain is a group of users of the same type. In the user name format userid@domain-name (for example, huawei20041028@huawei.net), "userid" indicates the user name for authentication and "domain-name" followed by "@" indicates the domain name. The domain name for user login cannot exceed 15 characters, and the other domain names cannot exceed 20 characters.
1. Run the aaa command to enter the AAA mode.
2. In the AAA mode, run the domain command to create a domain.

Step 6 Use the authentication scheme.
You can use an authentication scheme in a domain only after the authentication scheme is created.
In the domain mode, run the authentication-scheme command to use the authentication scheme.

Step 7 Use the accounting scheme.
You can use an accounting scheme in a domain only after the accounting scheme is created.
In the domain mode, run the accounting-scheme command to use the accounting scheme.

Step 8 Use the authorization scheme.
You can use an authorization scheme in a domain only after the authorization scheme is created.
In the domain mode, run the authorization-mode command to use the authorization scheme.

Step 9 Use the HWTACACS server template.
You can use an HWTACACS server template in a domain only after the HWTACACS server template is created.
1. In the domain mode, run the radius-server template command to use the HWTACACS server template.
2. Run the quit command to return to the AAA mode.

----End

Example

User1 in the isp domain adopts the HWTACACS protocol for authentication, authorization, and accounting. The accounting interval is 10 minutes, the authentication password is a123456, HWTACACS server 10.10.66.66 functions as the primary authentication, authorization, and accounting server, and HWTACACS server 10.10.66.67 functions as the standby authentication, authorization, and accounting server. On the HWTACACS server, the parameters adopt the default values. To perform the preceding configuration, do as follows:

huawei(config)#aaa
huawei(config-aaa)#authentication-scheme newscheme
huawei(config-aaa-authen-newscheme)#authentication-mode hwtacacs
huawei(config-aaa-authen-newscheme)#quit
huawei(config-aaa)#authorization-scheme newscheme
huawei(config-aaa-author-newscheme)#authorization-mode hwtacacs
huawei(config-aaa-author-newscheme)#quit
huawei(config-aaa)#accounting-scheme newscheme
huawei(config-aaa-accounting-newscheme)#accounting-mode hwtacacs
huawei(config-aaa-accounting-newscheme)#accounting interim interval 10
huawei(config-aaa-accounting-newscheme)#quit
huawei(config)#hwtacacs-server template hwtest
huawei(config-hwtacacs-hwtest)#hwtacacs-server authentication 10.10.66.66
huawei(config-hwtacacs-hwtest)#hwtacacs-server authentication 10.10.66.67 secondary
huawei(config-hwtacacs-hwtest)#hwtacacs-server authorization 10.10.66.66
huawei(config-hwtacacs-hwtest)#hwtacacs-server authorization 10.10.66.67 secondary
huawei(config-hwtacacs-hwtest)#hwtacacs-server accounting 10.10.66.66
huawei(config-hwtacacs-hwtest)#hwtacacs-server accounting 10.10.66.67 secondary
huawei(config-hwtacacs-hwtest)#quit
huawei(config)#aaa
huawei(config-aaa)#domain isp
huawei(config-aaa-domain-isp)#authentication-scheme newscheme
huawei(config-aaa-domain-isp)#authorization-scheme newscheme
huawei(config-aaa-domain-isp)#accounting-scheme newscheme
huawei(config-aaa-domain-isp)#hwtacacs-server hwtest
huawei(config-aaa-domain-isp)#quit

2.12.5 Configuration Example of the HWTACACS Authentication (802.1X access user)

The MA5600T is interconnected with the HWTACACS server through the HWTACACS protocol to implement authentication, authorization, and accounting for 802.1X access users.

Service Requirements
- The HWTACACS server performs authentication, authorization, and accounting.
- The user logs in to the server carrying the domain name.
- The HWTACACS server with the IP address 10.10.66.66 functions as the primary server for authentication, authorization, and accounting.
- The HWTACACS server with the IP address 10.10.66.67 functions as the secondary server for authentication, authorization, and accounting.
- Other parameters adopt the default settings.

Networking
Figure 2-9 shows an example network of the HWTACACS authentication.

Figure 2-9 Example network of the HWTACACS authentication

Procedure

Step 1 Configure an authentication scheme.
Configure authentication scheme named newscheme (users are authenticated through HWTACACS).
huawei(config)#aaa
huawei(config-aaa)#authentication-scheme newscheme
huawei(config-aaa-authen-newscheme)#authentication-mode hwtacacs
huawei(config-aaa-authen-newscheme)#quit

Step 2 Configure an authorization scheme.
Configure authorization scheme named newscheme (users are authorized through HWTACACS).
huawei(config-aaa)#authorization-scheme newscheme
huawei(config-aaa-author-newscheme)#authorization-mode hwtacacs
huawei(config-aaa-author-newscheme)#quit

Step 3 Configure the accounting scheme.
Configure accounting scheme named newscheme (users are authenticated through HWTACACS), the interval is 10 minutes.
huawei(config-aaa)#accounting-scheme newscheme
huawei(config-aaa-accounting-newscheme)#accounting-mode hwtacacs
huawei(config-aaa-accounting-newscheme)#accounting interim interval 10
huawei(config-aaa-accounting-newscheme)#quit
huawei(config-aaa)#quit

Step 4 Configure the HWTACACS protocol.

Create HWTACACS server template named hwtest with the HWTACACS server 10.10.66.66 as the primary authentication, authorization and accounting server, and the HWTACACS server 10.10.66.67 as the secondary authentication, authorization and accounting server.
huawei(config)#hwtacacs-server template hwtest
Create a new HWTACACS-server template
huawei(config-hwtacacs-hwtest)#hwtacacs-server authentication 10.10.66.66
huawei(config-hwtacacs-hwtest)#hwtacacs-server authentication 10.10.66.67 secondary
huawei(config-hwtacacs-hwtest)#hwtacacs-server authorization 10.10.66.66
huawei(config-hwtacacs-hwtest)#hwtacacs-server authorization 10.10.66.67 secondary
huawei(config-hwtacacs-hwtest)#hwtacacs-server accounting 10.10.66.66
huawei(config-hwtacacs-hwtest)#hwtacacs-server accounting 10.10.66.67 secondary
huawei(config-hwtacacs-hwtest)#quit

Step 5 Configure the 802.1X authentication.
1. Enable the 802.1X global switch. Enable the 802.1X authentication for ports 1, 2, and 3. In the local termination authentication, the 802.1X needs to be triggered by DHCP. Therefore, the DHCP-trigger authentication must be enabled.
huawei(config)#dot1x enable
huawei(config)#dot1x service-port 1
huawei(config)#dot1x service-port 2
huawei(config)#dot1x service-port 3
huawei(config)#dot1x dhcp-trigger enable
2. Configure the 802.1X parameters. The count of allowed handshake failure is 1 and the handshake interval is 20s. The 802.1X parameters should be configured to be in the EAP termination mode.
huawei(config)#dot1x keepalive retransmit 1 interval 20 service-port 1
huawei(config)#dot1x keepalive retransmit 1 interval 20 service-port 2
huawei(config)#dot1x keepalive retransmit 1 interval 20 service-port 3
huawei(config)#dot1x eap-end service-port 1
huawei(config)#dot1x eap-end service-port 2
huawei(config)#dot1x eap-end service-port 3

Step 6 Create a domain.
Create a domain named isp1.
huawei(config)#aaa
huawei(config-aaa)#domain isp1
Info: Create a new domain

Step 7 Use the authentication scheme.
You can use an authentication scheme in a domain only after the authentication scheme is created.
huawei(config-aaa-domain-isp1)#authentication-scheme newscheme

Step 8 Use the authorization scheme.
You can use an authorization scheme in a domain only after the authorization scheme is created.
huawei(config-aaa-domain-isp1)#authorization-scheme newscheme

Step 9 Use the accounting scheme.
You can use an accounting scheme in a domain only after the accounting scheme is created.
huawei(config-aaa-domain-isp1)#accounting-scheme newscheme

Step 10 Bind the HWTACACS server template.

You can use a HWTACACS server template in a domain only after the HWTACACS server template is created.
huawei(config-aaa-domain-isp1)#hwtacacs-server hwtest

----End

Result
User 1 in ISP 1 can pass authentication only if both the user name and password are correct, and then can log in to the MA5600T. Then, the user starts to be accounted.

Configuration File
aaa
authentication-scheme newscheme
authentication-mode hwtacacs
quit
authorization-scheme newscheme
authorization-mode hwtacacs
quit
accounting-scheme newscheme
accounting-mode hwtacacs
accounting interim interval 10
quit
quit
hwtacacs-server template hwtest
hwtacacs-server authentication 10.10.66.66
hwtacacs-server authentication 10.10.66.67 secondary
hwtacacs-server authorization 10.10.66.66
hwtacacs-server authorization 10.10.66.67 secondary
hwtacacs-server accounting 10.10.66.66
hwtacacs-server accounting 10.10.66.67 secondary
quit
dot1x enable
dot1x service-port 1
dot1x service-port 2
dot1x service-port 3
dot1x dhcp-trigger enable
dot1x keepalive retransmit 1 interval 20 service-port 1
dot1x keepalive retransmit 1 interval 20 service-port 2
dot1x keepalive retransmit 1 interval 20 service-port 3
dot1x eap-end service-port 1
dot1x eap-end service-port 2
dot1x eap-end service-port 3
quit
domain isp1
authentication-scheme newscheme
authorization-scheme newscheme
accounting-scheme newscheme
hwtacacs-server hwtest

2.12.6 Configuration Example of HWTACACS Authentication (Management User)

The MA5600T allows the management user of the device to log in to the system by the HWTACACS authentication mode.
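The rules stated for the HWTACACS configuration (a domain can use a scheme or server template only after it is created, the primary and secondary server addresses must differ, and a template has no shared key by default) can be checked against a configuration file of the kind listed in 2.12.5, or a pasted session of the kind shown in this section, before it is applied. The following Python check is an added example and not part of the Huawei guide; the function names, finding labels and sample configuration are constructed, and the argument form after hwtacacs-server shared-key is an assumption because the guide names only the command.

```python
import re

# Strips a CLI prompt such as "huawei(config-aaa)#" so pasted sessions parse too.
PROMPT = re.compile(r"^\S*\([^)]*\)\s*#\s*")
SCHEMES = ("authentication-scheme", "authorization-scheme", "accounting-scheme")
ROLES = ("authentication", "authorization", "accounting")

# Constructed sample (not from the guide) with deliberate problems:
# no shared key, identical primary/secondary accounting server, an
# authorization scheme that was never created, a misspelled template name.
SAMPLE = """\
aaa
authentication-scheme newscheme
authentication-mode hwtacacs
quit
accounting-scheme newscheme
accounting-mode hwtacacs
quit
quit
hwtacacs-server template hwtest
hwtacacs-server authentication 10.10.66.66
hwtacacs-server authentication 10.10.66.67 secondary
hwtacacs-server accounting 10.10.66.66
hwtacacs-server accounting 10.10.66.66 secondary
quit
aaa
domain isp1
authentication-scheme newscheme
authorization-scheme newscheme
accounting-scheme newscheme
hwtacacs-server hwtst
"""


def parse(text):
    """Collect created schemes, server templates and per-domain bindings."""
    model = {"schemes": {k: set() for k in SCHEMES}, "templates": {}, "domains": {}}
    ctx = None  # ("domain", name) or ("template", name) while inside that block
    for raw in text.splitlines():
        tok = PROMPT.sub("", raw.strip()).split()
        if not tok:
            continue
        if tok[0] == "quit":
            ctx = None
        elif tok[0] == "domain" and len(tok) > 1:
            ctx = ("domain", tok[1])
            model["domains"].setdefault(tok[1], {})
        elif tok[:2] == ["hwtacacs-server", "template"] and len(tok) > 2:
            ctx = ("template", tok[2])
            model["templates"].setdefault(tok[2], {"servers": {}, "key": False})
        elif tok[0] in SCHEMES and len(tok) > 1:
            if ctx and ctx[0] == "domain":        # inside a domain: a binding
                model["domains"][ctx[1]][tok[0]] = tok[1]
            else:                                  # in AAA mode: a definition
                model["schemes"][tok[0]].add(tok[1])
        elif tok[0] == "hwtacacs-server" and len(tok) > 1:
            if ctx and ctx[0] == "domain":
                model["domains"][ctx[1]]["hwtacacs-server"] = tok[1]
            elif ctx and ctx[0] == "template":
                tpl = model["templates"][ctx[1]]
                if tok[1] == "shared-key":
                    tpl["key"] = True
                elif tok[1] in ROLES and len(tok) > 2:
                    # An optional port may sit between the address and "secondary".
                    slot = "secondary" if "secondary" in tok[3:] else "primary"
                    tpl["servers"][(tok[1], slot)] = tok[2]
    return model


def audit(text):
    """Return (finding, subject) tuples. Existence is checked, not ordering."""
    m = parse(text)
    findings = []
    for name, tpl in sorted(m["templates"].items()):
        if not tpl["key"]:
            findings.append(("no-shared-key", name))
        for role in ROLES:
            pri = tpl["servers"].get((role, "primary"))
            sec = tpl["servers"].get((role, "secondary"))
            if pri and sec and pri == sec:
                findings.append(("same-primary-secondary", f"{name}/{role}"))
    for name, dom in sorted(m["domains"].items()):
        for kind in SCHEMES:
            ref = dom.get(kind)
            if ref and ref not in m["schemes"][kind]:
                findings.append(("undefined-" + kind, f"{name}->{ref}"))
        ref = dom.get("hwtacacs-server")
        if ref and ref not in m["templates"]:
            findings.append(("undefined-template", f"{name}->{ref}"))
    return findings


if __name__ == "__main__":
    for finding, subject in audit(SAMPLE):
        print(f"{finding}: {subject}")
```
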

Prerequisites
- The route from the MA5600T to the HWTACACS server must be configured.
- The management user information (user name@domain and password) must be configured on the HWTACACS server.

Service Requirements
- The HWTACACS server performs authentication for management user of domain isp1.
- The user logs in to the server carrying the domain name.
- The HWTACACS server with the IP address 10.10.66.66 functions as the primary server for authentication.
- The HWTACACS server with the IP address 10.10.66.67 functions as the secondary server for authentication.
- Other parameters adopt the default settings.

Networking
Figure 2-10 shows an example network of HWTACACS authentication.

Figure 2-10 Example network of HWTACACS authentication

Procedure

Step 1 Configure the authentication scheme.
Configure authentication scheme named login-auth (users are authenticated through HWTACACS).
huawei(config)#aaa
huawei(config-aaa)#authentication-scheme login-auth

huawei(config-aaa-authen-login-auth)#authentication-mode hwtacacs
huawei(config-aaa-authen-login-auth)#quit

Step 2 Configure the HWTACACS protocol.
Create HWTACACS server template named ma56t-login with HWTACACS server 10.10.66.66 as the primary authentication server, and HWTACACS server 10.10.66.67 as the secondary authentication server.
huawei(config)#hwtacacs-server template ma56t-login
Create a new HWTACACS-server template
huawei(config-hwtacacs-ma56t-login)#hwtacacs-server authentication 10.10.66.66 1812
huawei(config-hwtacacs-ma56t-login)#hwtacacs-server authentication 10.10.66.67 1812 secondary
huawei(config-hwtacacs-ma56t-login)#quit

Step 3 Create a domain named isp1.
NOTE
- A domain is a group of users of the same type.
- In the user name format userid@domain-name (for example, huawei20041028@huawei.net), "userid" indicates the user name for authentication and "domain-name" followed by "@" indicates the domain name.
- The domain name for user login cannot exceed 15 characters, and the other domain names cannot exceed 20 characters.
huawei(config)#aaa
huawei(config-aaa)#domain isp1
Info: Create a new domain

Step 4 Use the authentication scheme login-auth.
You can use an authentication scheme in a domain only after the authentication scheme is created.
huawei(config-aaa-domain-isp1)#authentication-scheme login-auth

Step 5 Bind the HWTACACS server template ma56t-login to the user.
You can use a HWTACACS server template in a domain only after the HWTACACS server template is created.
huawei(config-aaa-domain-isp1)#hwtacacs-server ma56t-login

----End

Result
- When the HWTACACS server is reachable, the management user can log in to the MA5600T through Telnet. After entering the user name and password specified on the HWTACACS server, the management user can successfully log in to the MA5600T.
- When the HWTACACS server is unreachable, the management user cannot log in to the MA5600T through Telnet by entering the user name and password specified on the HWTACACS server.

Configuration File
huawei(config)#aaa
huawei(config-aaa)#authentication-scheme login-auth
huawei(config-aaa-authen-login-auth)#authentication-mode hwtacacs
huawei(config-aaa-authen-login-auth)#quit
huawei(config-aaa)#quit
huawei(config)#hwtacacs-server template ma56t-login

huawei(config-hwtacacs-ma56t-login)#hwtacacs-server authentication 10.10.66.66 1812
huawei(config-hwtacacs-ma56t-login)#hwtacacs-server authentication 10.10.66.67 1812 secondary
huawei(config-hwtacacs-ma56t-login)#quit
huawei(config)#aaa
huawei(config-aaa)#domain isp1
huawei(config-aaa-domain-isp1)#authentication-scheme login-auth
huawei(config-aaa-domain-isp1)#hwtacacs-server ma56t-login
huawei(config-aaa-domain-isp1)#quit
huawei(config-aaa)#quit

2.13 Configuring ANCP

Access Node Control Protocol (ANCP) is used to implement the functions such as topology discovery, line configuration, and L2C OAM on the user ports. The MA5600T establishes an ANCP session according to the GSMP communication IP address configured in the network access server (NAS).

Prerequisites
- The system must work in the normal state.
- The system must be connected to the network access server in the normal state.

Context
- The MA5600T and the NAS use the TCP connection to carry an ANCP session. Therefore, before creating the ANCP session, you must create a TCP connection between the MA5600T and the NAS. The NAS functions as the server of the TCP connection, and the MA5600T functions as the client of the TCP connection.
- After the TCP connection is created successfully between the MA5600T and the NAS, an ANCP session is created between the MA5600T and the NAS. After the ANCP session is created successfully, the MA5600T and the NAS need to use the ANCP ACK packets for heartbeat detection to maintain the ANCP session.
- The default values of the ANCP parameters are as follows:
  – GSMP address for an ANCP session: 0.0.0.0
  – ANCP session capability set: topology-discovery, line-config, and oam
  – ANCP packet sending priority: highest level 6
  – GSMP TCP communication port number on the NAS side in an ANCP session: 6068
  – Interval for sending packets during the initial stage of an ANCP session: 10 (unit: 0.1s)
  – Interval for sending packets during the ANCP session stage: 100 (unit: 0.1s)

Procedure

Step 1 Run the ancp partition enable command to enable the ANCP partition function.
By default, the ANCP partition function is disabled.

Step 2 Run the ancp port command to enable the ANCP function of a port.
The ANCP function takes effect only when the ANCP function in the ANCP session mode and ANCP session function of a port are enabled.

Step 3 (Optional) Run the ancp version command to configure the ANCP version.
- By default, the ANCP version is draft-01.
- The configured ANCP version must be the same as that on the NAS.
- Run the ancp port begin command to set the start port ID of the ANCP session. Make sure that the start port ID of the ANCP session is the same as the start ID of the ports on the service board.

Step 4 Run the ancp session command to enter the ANCP session mode.

Step 5 (Optional) Run the ancp partition command to configure the ID of the partition associated with an ANCP session.

Step 6 Run the ancp ip command to configure the GSMP communication IP address for the ANCP session.
- The IP address configured here must be the same as the GSMP communication IP address configured on the NAS, but it should not be the same as the default IP address, multicast IP address, or broadcast IP address.
- After an ANCP session is enabled, the GSMP communication IP address cannot be configured.

Step 7 (Optional) Run the ancp capability command to configure the capability set of the ANCP session.
- Supports topology discovery. When you select topology-discovery parameter, the MA5600T automatically reports the line parameters to the NAS.
- Supports line configuration. When you select line-config parameter, the MA5600T responds to the line configuration that is sent by the NAS.
- Supports the OAM. When you select oam parameter, the MA5600T responds to the line testing information that is sent by the NAS.
- Supports the preceding three types of capability.
- The default value is all, that is, the three capabilities (topology discovery, line configuration, and L2C OAM) are supported.

Step 8 (Optional) Run the ancp ancp-8021p command to set the priority for sending ANCP packets.
- You can set the priority according to the actual requirements and network conditions, the higher the priority, the higher the reliability.
- After an ANCP session is enabled, the priority for sending the ANCP packet of the ANCP session cannot be configured.

Step 9 (Optional) Run the ancp nas-tcp-port command to set the GSMP TCP communication port number for the ANCP session on the NAS.
- By default, the GSMP TCP communication port number is 6068.
- The GSMP TCP communication port number on the MA5600T must be the same as that on the NAS.

Step 10 (Optional) Run the ancp init-interval command to set the interval for sending packets during the establishment of the ANCP session.
- By default, the general query interval is 125s.
- When an ANCP session is enabled, the priority for sending the ANCP packet of the ANCP session cannot be configured.

Step 11 (Optional) Run the ancp keep-alive command to set the interval for sending packets during the ANCP session so that the handshake messages can be sent to the peer end at the preset interval.

- By default, the interval is 10s.
- After an ANCP session is enabled, the priority for sending the ANCP packet of the ANCP session cannot be configured.

Step 12 (Optional) Run the ancp bandwidthCAC command to enable the ANCP multicast CAC.
- After the ANCP multicast CAC function is enabled, if the bandwidth of the demanded multicast program is larger than the available multicast bandwidth of the user, the user can apply for the bandwidth resource of the unicast VOD program.
- The ANCP multicast CAC function of only one session can be enabled at a time.
- After an ANCP session is enabled, its ANCP multicast CAC function cannot be enabled or disabled.
After the ANCP multicast CAC is enabled, if the ancp disable command is executed, the ANCP will be disabled. The system still performs CAC using the bandwidth issued by the ANCP CAC and the original BTV CAC does not take effect. In this case, the normal BTV CAC takes effect only when the ANCP CAC function of the ANCP session is disabled by running the ancp bandwidthCAC disable command.

Step 13 Run the ancp enable command to enable the ANCP session.
- By default, the ANCP session is disabled.
- Before an ANCP session is enabled, related parameters can be modified. After an ANCP session is enabled, related parameters cannot be modified.

Step 14 Run the quit command to quit the ANCP mode.

Step 15 Run the display ancp session command to query the information about the ANCP session.

----End

Example

Consider configuring the ANCP topology discovery function of port 0/5/1 as an example. Configure the partition ID of the ANCP session to 1, ANCP version to draft-02, start port ID to 1, GSMP communication address of the ANCP session to 10.10.10.10, ANCP session capability set to topology-discovery, ANCP packet sending priority to 7, GSMP TCP communication port ID at the NAS side in the ANCP session to 6000, packet sending interval at the ANCP session creation phase to 2s, and packet sending interval at the ANCP session phase to 7s.

huawei(config)#ancp partition enable
huawei(config)#ancp port 0/5/1 partition 1
huawei(config)#ancp version draft-02
huawei(config)#ancp port begin 1
huawei(config)#ancp session 1
huawei(config-session-1)#ancp partition 1
huawei(config-session-1)#ancp ip 10.10.10.10
huawei(config-session-1)#ancp capability topology-discovery
huawei(config-session-1)#ancp ancp-8021p 7
huawei(config-session-1)#ancp nas-tcp-port 6000
huawei(config-session-1)#ancp init-interval 20
huawei(config-session-1)#ancp keep-alive 70
huawei(config-session-1)#ancp bandwidthCAC enable
huawei(config-session-1)#ancp enable
huawei(config-session-1)#quit
huawei(config)#display ancp session 1
Session config status : Enable
Session running status : Before syn phase
Session diagnostic status :
GSMP version : 3

01s) Init interval(0.01) Topology report shaper interval(0.10 TopologyDiscovery 6000 20 70 1 Enable Disable 100 10 7 Disable Disable Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.10.1s) Keepalive interval(0.1s) S-VLAN S-VLAN priority C-VLAN C-VLAN priority Session down send trap status Session up send trap status Issue 01 (2012-01-18) 2 Basic Configurations : : : : : : : : : : : : : : : : : : : : : : : : : 1 10. 232 .1s) PartitionID Bandwidth CAC status Line config roll default OAM threshold(0. Ltd.01s) Discontinuity time(0.10.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide GSMP sub version AN name NAS name NAS IP Local IP AN instance NAS instance Config capabilities Negotiate capabilities NAS TCP port Startup time(0..

3 Configuring L3 Features

About This Chapter

L3 feature configurations include configurations of common L3 protocols and features. There is no obvious logical relation between L3 feature configurations. You can perform L3 feature configurations according to actual requirements.

3.1 Configuring ARP Proxy for Interworking
This topic describes how to configure the ARP proxy of the L3 interface so that users on isolated ports of the same broadcast domain or on ports of different broadcast domains can communicate with each other. To reduce the network load, the ARP request packets are limited in a VLAN.

3.2 Configuring DHCP
The MA5600T can implement DHCP relay and DHCP proxy on a network. Configuring DHCP relay is applicable to the scenario where users dynamically obtain IP addresses from the DHCP server through DHCP. In DHCP proxy, the MA5600T proxy can implement certain functions of the DHCP server.

3.3 Configuring the Route
This topic describes the routing policy supported by the MA5600T and how to configure the routing protocol.

3.1 Configuring ARP Proxy for Interworking

This topic describes how to configure the ARP proxy of the L3 interface so that users on isolated ports of the same broadcast domain or on ports of different broadcast domains can communicate with each other. To reduce the network load, the ARP request packets are limited in a VLAN.

Context
After the ARP proxy function is enabled, communication between users on the same board, including users in the same VLAN and in different VLANs, can be implemented.

Networking
Figure 3-1 shows an example network of the ARP proxy. PC1 and PC2 are in sub VLAN 10, and PC3 is in sub VLAN 20. Service ports are isolated. The IP address of the super VLAN interface is 10.0.0.254, and the interface is in the same subnet as PC1, PC2, and PC3. After the ARP proxy function is enabled, PC1 and PC2 can communicate with each other, and PC3 can communicate with PC1 and PC2. User packets can be forwarded in the L3 forwarding mode through the super VLAN interface.

Figure 3-1 Example network of the ARP proxy

Data Plan
Table 3-1 provides the data plan for configuring the ARP proxy.

Table 3-1 Data plan for configuring the ARP proxy
Item | Data
Super VLAN | VLAN ID: 100; Sub VLAN: VLAN 10, VLAN 20; IP address: 10.0.0.254/24
Sub VLAN | VLAN ID: 10; VLAN type: smart VLAN
Sub VLAN | VLAN ID: 20; VLAN type: MUX VLAN
Upstream port | Port: 0/17/0; VLAN: standard VLAN 30; IP address: 10.0.1.254/24

Configuration Flowchart
Figure 3-2 shows the flowchart for configuring the ARP proxy.

Figure 3-2 Flowchart for configuring the ARP proxy

Procedure

Step 1 Create a super VLAN.
huawei(config)#vlan 100 super

Step 2 Create sub VLANs, and add them to the super VLAN.
huawei(config)#vlan 10 smart
huawei(config)#vlan 20 mux
huawei(config)#supervlan 100 subvlan 10
huawei(config)#supervlan 100 subvlan 20

Step 3 Configure the service ports of the sub VLANs.
huawei(config)#service-port vlan 10 gpon 0/4/0 ont 1 gemport 1 rx-cttr 5 tx-cttr 5
huawei(config)#service-port vlan 10 gpon 0/4/0 ont 1 gemport 2 rx-cttr 5 tx-cttr 5
huawei(config)#service-port vlan 10 gpon 0/4/0 ont 1 gemport 3 rx-cttr 5 tx-cttr 5

Step 4 Configure the upstream port.
huawei(config)#vlan 30 standard
huawei(config)#port vlan 30 0/17 0
huawei(config)#interface vlanif 30
huawei(config-if-vlanif30)#ip address 10.0.1.254 24
NOTE
The IP address of the L3 interface of the super VLAN must be in the same subnet with the IP address obtained by the PC1-PC3.

Step 5 Configure an L3 Interface for the super VLAN
huawei(config)#interface vlanif 100
huawei(config-if-vlanif100)#ip address 10.0.0.254 24
NOTE
The IP address of the L3 interface of the super VLAN must be in the same subnet with the IP address obtained by the PC.

Step 6 Enable ARP proxy.
1. Enable the ARP proxy function globally.
huawei(config)#arp proxy enable
2. Enable the global ARP proxy on the VLAN interface.
huawei(config-if-vlanif100)#arp proxy enable
3. Enable ARP proxy on the sub VLAN interface.
huawei(config-if-vlanif100)#arp proxy enable subvlan 10
huawei(config-if-vlanif100)#quit
NOTE
Skip this step if you only want PCs in different VLANs to communicate with each other.

Step 7 Save the data.
huawei(config)#save

----End

Result
- After the global ARP proxy function and the ARP proxy function of the super VLAN interface are enabled, PC1 and PC3, PC2 and PC3 in different VLANs can communicate with each other.
- After the global ARP proxy function, the ARP proxy function of the super VLAN interface, and that of the sub VLAN interface are enabled, PC1 and PC2 in the same VLAN can communicate with each other.

3.2 Configuring DHCP

The MA5600T can implement DHCP relay and DHCP proxy on a network. Configuring DHCP relay is applicable to the scenario where users dynamically obtain IP addresses from the DHCP

server through DHCP. In DHCP proxy, the MA5600T functions as a proxy to implement certain functions of the DHCP server.

Background Information
The MA5600T can work in the L2 DHCP relay mode or L3 DHCP relay mode to forward the DHCP packets exchanged between the user and the DHCP server.
By default, the MA5600T works in the L2 DHCP relay mode. In this mode, the MA5600T transparently transmits the DHCP packets initiated by the user and configurations are not required.
If the MA5600T works in the L3 mode, the DHCP server must support DHCP relay and you must perform corresponding configurations on the DHCP server. The L3 DHCP relay mode can be classified into three working modes:
- DHCP standard mode
  In this mode, the MA5600T identifies the VLAN to which the user belongs and binds different VLANs to the corresponding DHCP server groups. Configure the DHCP standard mode as follows:
  Configure the working mode of the DHCP relay.
  Configure the DHCP server group.
  Bind VLANs to DHCP server groups.
- DHCP option 60 mode
  The MA5600T differentiates the DHCP packets transmitted from the user terminal according to the DHCP option 60 field in the packets, and binds different DHCP option 60 domains to the corresponding DHCP server groups. Configure the DHCP option 60 mode as follows:
  Configure the working mode of the DHCP relay.
  Configure the DHCP server group.
  Create DHCP option 60 field.
  Bind DHCP option 60 domains to DHCP server groups.
- MAC address segment mode
  The MA5600T differentiates users according to the MAC address segment of the user terminals, and binds different MAC address segments to the corresponding DHCP server group. Configure the MAC address segment mode as follows:
  Configure the working mode of the DHCP relay.
  Configure the DHCP server group.
  Define the MAC address segment.
  Bind MAC address segments to DHCP server groups.

If the MA5600T works in the L3 DHCP relay mode, the MA5600T supports the DHCP proxy function in addition to the DHCP relay function. That is, the MA5600T proxy can implement certain functions of the DHCP server. A DHCP proxy can implement the functions of server ID proxy and lease-time proxy.
- The server ID proxy is a function for modifying option 54 field in DHCP packets so that the IP address of the DHCP server is unavailable to the client. This prevents the attacks initiated by the DHCP client to the DHCP server.
- With the lease-time proxy, the information related to the lease-time in the DHCP packets is modified by MA5600T so that the client can obtain a lease time. This lease time is shorter than the lease time directly allocated by the DHCP server. This facilitates the lease-time management.

NOTE
The MA5600T supports the DHCP option 82 to ensure the security of the DHCP function. For the configuration related to the DHCP option 82 feature, see 2.8.2 Configuring Anti-Theft and Roaming of User Accounts Through DHCP.
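The following is an added example, not taken from the Huawei guide, of what the server ID proxy and lease-time proxy described above do to the options of a DHCP reply, together with a check that can be run on a client-side capture to confirm that the real server address is no longer exposed. It assumes that the proxy substitutes the address of the relay's VLAN L3 interface in option 54 and caps option 51 at the configured proxy lease time; the function names, addresses and reply bytes are sample values constructed for illustration.

```python
import ipaddress
import struct

OPT_PAD, OPT_LEASE_TIME, OPT_SERVER_ID, OPT_END = 0, 51, 54, 255


def parse_options(data):
    """Parse a DHCP options field (after the magic cookie) into (code, value) pairs."""
    opts, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:          # end marker terminates the field
            break
        if i + 1 >= len(data):
            raise ValueError("option %d has no length byte" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        opts.append((code, value))
        i += 2 + length
    return opts


def build_options(opts):
    """Serialize (code, value) pairs back into an options field with an end marker."""
    out = bytearray()
    for code, value in opts:
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def proxy_reply(options, relay_ip, proxy_lease):
    """Rewrite a server reply as the two proxies would (assumed behaviour).

    Option 54 is replaced by the relay's own address, so the client never
    learns the real server; option 51 is capped at proxy_lease seconds.
    """
    relay = ipaddress.IPv4Address(relay_ip).packed
    out = []
    for code, value in parse_options(options):
        if code in (OPT_SERVER_ID, OPT_LEASE_TIME) and len(value) != 4:
            raise ValueError("option %d must be 4 bytes" % code)
        if code == OPT_SERVER_ID:
            value = relay
        elif code == OPT_LEASE_TIME:
            server_lease = struct.unpack("!I", value)[0]
            value = struct.pack("!I", min(server_lease, proxy_lease))
        out.append((code, value))
    return build_options(out)


def leaked_server_ids(options, real_servers):
    """Return every real server address that is still visible in option 54."""
    real = {ipaddress.IPv4Address(s).packed for s in real_servers}
    return [str(ipaddress.IPv4Address(value))
            for code, value in parse_options(options)
            if code == OPT_SERVER_ID and value in real]


# Constructed DHCPACK options: message type 5, server ID 10.1.1.9,
# lease time 86400 s, one pad byte, subnet mask 255.255.255.0, end marker.
SAMPLE_ACK_OPTIONS = (
    bytes([53, 1, 5])
    + bytes([54, 4, 10, 1, 1, 9])
    + bytes([51, 4]) + struct.pack("!I", 86400)
    + bytes([0])
    + bytes([1, 4, 255, 255, 255, 0])
    + bytes([255])
)

if __name__ == "__main__":
    servers = ["10.1.1.9", "10.1.1.10"]
    rewritten = proxy_reply(SAMPLE_ACK_OPTIONS, "10.1.1.101", 3600)
    print("before proxy:", leaked_server_ids(SAMPLE_ACK_OPTIONS, servers))
    print("after proxy: ", leaked_server_ids(rewritten, servers))
```

A non-empty result from `leaked_server_ids` on traffic captured at the subscriber side indicates that the proxy is not enabled for that VLAN.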

3.2.1 Configuring the Standard DHCP Mode
This topic is applicable to the scenario for specifying the corresponding DHCP server groups for different users of the VLAN (the VLAN that is used when the service ports are created).

Prerequisites
A VLAN must be created. For details, see 2.6 Configuring a VLAN.

Procedure
Step 1 Configure the DHCP forwarding mode.
Choose one from the following two methods for configuring the DHCP forwarding mode:
- In the global config mode, run the dhcp mode layer-3 standard command to configure the DHCP relay mode to standard L3 DHCP relay mode (layer-3, standard). If keyword vlan is selected and vlanid is entered, this configuration takes effect to only this VLAN.
- Perform the following configuration in the VLAN service profile:
  1. Run the vlan service-profile command to create a VLAN service profile and enter the VLAN service profile mode.
  2. Run the dhcp mode layer-3 standard command to configure the DHCP mode.
  3. Run the commit command to make the configuration parameters of the profile take effect. The configuration of the VLAN service profile takes effect only after you run this command.
  4. Run the quit command to quit the VLAN service profile mode.
  5. Run the vlan bind service-profile command to bind the VLAN to the VLAN service profile created in 1.

Step 2 Configure the DHCP server group.
1. In the global config mode, run the dhcp-server command to create a DHCP server group.
   - igroup-number: Indicates the number of the DHCP server group. It identifies a server group. You can run the display dhcp-server all-group command to query the DHCP server groups that are already configured and select a DHCP server group number that is not used by the system.
   - ip-addr: Indicates the IP address of the DHCP server in the DHCP server group. Up to four IP addresses can be entered.
   CAUTION
   The IP address of the DHCP server configured here must be the same as the IP address of the DHCP server in the network side.
2. (Optional) Run the dhcp server mode command to configure the working mode of the DHCP server.
   The DHCP servers in the DHCP server group can work in the load balancing mode or active/standby mode. By default, they work in the load balancing mode.

Step 3 Bind the VLAN to the DHCP server.

1. In the global config mode, run the interface vlanif command to create a VLAN L3 interface. The VLAN ID must be the same as the ID of the VLAN described in the prerequisite.
2. In the VLANIF mode, run the ip address command to configure the IP address of the VLAN L3 interface. After the configuration is completed, this IP address is used as the source IP address for forwarding the IP packets in the VLAN at L3.
   CAUTION
   - If only an L2 device exists between the MA5600T and the DHCP server, the IP address of the VLAN L3 interface should be in the same subnet as the IP address of the DHCP server.
   - If the upper-layer device of the MA5600T is an L3 device, the IP address of the VLAN L3 interface and the IP address of the DHCP server can be in different subnets; however, a route must exist between the VLAN L3 interface and the DHCP server. For details, see 3.3 Configuring the Route.
3. In the VLANIF mode, run the dhcp-server command to bind the DHCP server to the VLAN. This command requires parameter group-number, the value of which is the number of the created DHCP server group.

Step 4 (Optional) Configure the DHCP proxy.
To hide the IP address of the DHCP server (preventing attacks to the DHCP server from the client), or to configure the MA5600T to allocate a shorter lease time to the client (compared with the lease time directly allocated by the DHCP server), configure the DHCP proxy.
1. Enable the DHCP proxy function.
   Choose one from the following two methods for enabling DHCP proxy:
   - In the global config mode, run the dhcp proxy enable command to enable DHCP proxy.
   - Perform the configuration in the VLAN service profile.
     a. Run the vlan service-profile command to enter the VLAN service profile mode.
     b. Run the dhcp proxy enable command to enable DHCP proxy.
     c. Run the commit command to make the configuration parameters of the profile take effect. The configuration of the VLAN service profile takes effect only after you run this command.
     d. Run the quit command to quit the VLAN service profile mode.
     e. Run the vlan bind service-profile command to bind the VLAN to the VLAN service profile created in 4.a.
2. In the global config mode, run the dhcp proxy lease-time command to configure the global proxy lease time.
   When DHCP proxy is enabled, the DHCP server ID proxy and the lease-time proxy are enabled. The proxy lease time configured here should be shorter than the lease time allocated by the DHCP server.
----End

the IP address of the primary server 10.1. Run the dhcp mode layer-3 option60 command to configure the DHCP mode. Prerequisites l A VLAN must be created.1.1. do as follows: huawei(config)#dhcp mode layer-3 standard huawei(config)#dhcp server mode backup 20 10 huawei(config)#dhcp-server 1 ip 10.1. Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. The service providers may use different relay IP addresses of the same DHCP server or different DHCP servers to allocate IP addresses to users.. confirm the option60 domain name of the user terminal.1. l Perform the configuration in the VLAN service profile: Issue 01 (2012-01-18) 1. If keyword vlan is selected and vlanid is entered. this configuration takes effect to only this VLAN. 240 .1. the maximum count of response timeout of 10.2 Configuring the DHCP Option60 Mode This topic is applicable to the scenario for specifying the corresponding DHCP servers for different option60 domain users. In the DHCP option60 mode.1.9 and the IP address of the secondary server 10. Procedure Step 1 Configure the DHCP forwarding mode. users are actually differentiated according to the domain information in the packet.1. with the maximum response time of 20s. Background Information When multiple services such as video multicast and IP telephone services are provisioned on the MA5600T.1. The option60 domain name and the DHCP server group to which the domain name is bound need to be configured beforehand. Choose one from the following two methods for configuring the DHCP forwarding mode: l In the global config mode.2.9 10. For details.1. the services are provided by different service providers. see 2.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 3 Configuring L3 Features Example Assume that server group 1 contains two DHCP servers working in active/standby mode.10. Therefore. 2. 
run the dhcp mode layer-3 option60 command to configure the DHCP relay mode to L3 option60 mode (layer-3.101 24 huawei(config-if-vlanif2)#dhcp-server 1 3. configure the users to apply for IP addresses from the DHCP server in the DHCP option60 mode. l Before the configuration.6 Configuring a VLAN.10 huawei(config)#interface vlanif 2 huawei(config-if-vlanif2)#ip address 10. Ltd.101/24). In this mode. and different service types in the same VLAN can also be differentiated. Run the vlan service-profile command to create a VLAN service profile and enter the VLAN service profile mode.1. the DHCP server group is selected according to the character string (namely domain name) in the option60 of DHCP packets. option60). To bind server group 1 to users in VLAN 2 (with the IP address of the L3 interface 10.1.

  3. Run the commit command to make the profile configuration take effect. The configuration of the VLAN service profile takes effect only after execution of this command.
  4. Run the quit command to quit the VLAN service profile mode.
  5. Run the vlan bind service-profile command to bind the VLAN to the VLAN service profile created in 1.

Step 2 Configure the DHCP server group.
1. In the global config mode, run the dhcp-server command to create a DHCP server group.
   - igroup-number: Indicates the number of the DHCP server group. It identifies a server group. You can run the display dhcp-server all-group command to query the DHCP server groups that are already configured and select a DHCP server group number that is not used by the system.
   - ip-addr: Indicates the IP address of the DHCP server in the DHCP server group. Up to four IP addresses can be entered.
   CAUTION
   The IP address of the DHCP server configured here must be the same as the IP address of the DHCP server in the network side.
2. (Optional) Run the dhcp server mode command to configure the working mode of the DHCP server.
   The DHCP servers in the DHCP server group can work in the load balancing mode or active/standby mode. By default, they work in the load balancing mode.

Step 3 Create a DHCP option60 domain.
In the global config mode, run the dhcp domain command to create a DHCP domain, and then enter the DHCP domain mode.
The option60 domain name should be configured according to the type of the terminal connected to the device. For the DHCP client installed with the Windows 98/2000/XP/NT series of OSs, the domain name must be msft.

Step 4 Bind the DHCP option60 domain to the DHCP server group.
In the option60 domain mode, run the dhcp-server command to bind the DHCP domain to the DHCP server group. After the configuration is completed, the DHCP clients belonging to the DHCP domain correspond to the DHCP server group.

Step 5 Configure the IP address of the gateway corresponding to the DHCP domain.
1. In the global config mode, run the interface vlanif command to create a VLAN L3 interface. The VLAN ID must be the same as the ID of the VLAN described in the prerequisite.
2. In the VLANIF mode, run the ip address command to configure the IP address of the VLAN L3 interface. After the configuration is completed, this IP address is used as the source IP address for forwarding the IP packets in the VLAN at L3.

   CAUTION
   - If only an L2 device exists between the MA5600T and the DHCP server, the IP address of the VLAN L3 interface should be in the same subnet as the IP address of the DHCP server.
   - If the upper-layer device of the MA5600T is an L3 device, the IP address of the VLAN L3 interface and the IP address of the DHCP server can be in different subnets; however, a route must exist between the VLAN L3 interface and the DHCP server. For details, see 3.3 Configuring the Route.
3. In the VLANIF mode, run the dhcp domain gateway command to configure the IP address of the gateway corresponding to the DHCP domain.
   The IP address of the gateway must be a configured IP address of the VLAN interface. Under the same VLAN interface, different option60 domains can be configured with different gateways. Therefore, to configure the VLAN forwarding policy, different DHCP servers can be selected according to the domain information in the packet.

Step 6 (Optional) Configure the DHCP proxy.
To hide the IP address of the DHCP server (preventing attacks to the DHCP server from the client), or to configure the MA5600T to allocate a shorter lease time to the client (compared with the lease time directly allocated by the DHCP server), configure the DHCP proxy.
1. Enable the DHCP proxy function.
   Choose one from the following two methods for enabling DHCP proxy:
   - In the global config mode, run the dhcp proxy enable command to enable DHCP proxy.
   - In VLAN service profile configuration mode, do as follows:
     a. Run the vlan service-profile command to create a VLAN service profile and enter the VLAN service profile mode.
     b. Run the dhcp proxy enable command to enable DHCP proxy.
     c. Run the commit command to make the profile configuration take effect. The configuration of the VLAN service profile takes effect only after execution of this command.
     d. Run the quit command to quit the VLAN service profile mode.
     e. Run the vlan bind service-profile command to bind the VLAN to the VLAN service profile created in 6.a.
2. In the global config mode, run the dhcp proxy lease-time command to configure the global proxy lease time.
   When DHCP proxy is enabled, the DHCP server ID proxy and the lease-time proxy are enabled. The proxy lease time configured here should be shorter than the lease time allocated by the DHCP server.
----End

Example
Assume that server group 2 contains two DHCP servers working in the load balancing mode, with the IP address of the primary server 10.10.10.10 and the IP address of the secondary server

l igroup-number: Indicates the number of the DHCP server group. 1. The configuration of the VLAN service profile takes effect only after execution of this command. 2.11. If keyword vlan is selected and vlanid is entered.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 3 Configuring L3 Features 10. Run the dhcp mode layer-3 mac-range command to configure the DHCP mode. The devices of each manufacturer have a fixed MAC address segment. Choose one from the following two methods for configuring the DHCP forwarding mode: l In the global config mode. Step 2 Configure the DHCP server group. Background Information In the networking.10 10. Prerequisites A VLAN must be created. see 2. For details. this configuration takes effect to only this VLAN. clients in this MAC address segment obtain IP addresses from the corresponding DHCP server. Run the quit command to quit the VLAN service profile mode. the IP address can be obtained from the DHCP server through DHCP relay in the MAC address segment mode.1/24).10.10..10. l Perform the following configuration in the VLAN service profile: 1. Run the vlan bind service-profile command to bind the VLAN to the VLAN service profile created in 1.1 3. 243 .11 huawei(config)#dhcp domain msft huawei(config-dhcp-domain-msft)#dhcp-server 2 huawei(config)#interface vlanif 2 huawei(config-if-vlanif2)#ip address 10.2.10. run the dhcp-server command to create a DHCP server group. 4.2.2. do as follows: huawei(config)#dhcp mode layer-3 Option60 huawei(config)#dhcp-server 2 ip 10.1. devices of various manufacturers may exist in the network. You can run the display dhcp-server all-group command to query the DHCP Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. In the global config mode. run the dhcp mode layer-3 mac-range command to configure the DHCP relay mode to L3 MAC address segment mode (layer-3. 
To bind server group 2 to users whose option60 domain name is msft in VLAN 2 (with the IP address of the L3 interface 10.1. It identifies a server group. mac-range). Run the commit command to make the profile configuration take effect.1 24 huawei(config-if-vlanif2)#dhcp domain msft gateway 10. Procedure Step 1 Configure the DHCP forwarding mode. Run the vlan service-profile command to create a VLAN service profile and enter the VLAN service profile mode.10.2.6 Configuring a VLAN.1. Ltd.10.1. After the configuration is completed. In this case. 5.3 Configuring the DHCP MAC Address Segment Mode This topic is applicable to the scenario for specifying the corresponding DHCP servers for users in different MAC address segments. The MA5600T can select the DHCP server based on the MAC address segment. 3.

server groups that are already configured and select a DHCP server group number that is not used by the system.
   - ip-addr: Indicates the IP address of the DHCP server in the DHCP server group. Up to four IP addresses can be entered.
   CAUTION
   The IP address of the DHCP server configured here must be the same as the IP address of the DHCP server in the network side.
2. (Optional) Run the dhcp server mode command to configure the working mode of the DHCP server.
   The DHCP servers in the DHCP server group can work in the load balancing mode or active/standby mode. By default, they work in the load balancing mode.

Step 3 Define the MAC address segment.
1. In the global config mode, run the dhcp mac-range command to create a MAC address segment, and then enter the MAC address segment mode.
   range-name indicates the name of the MAC address segment. It functions as a comment and has no other special meanings.
2. In the MAC address segment mode, run the mac-range mac-address-start to mac-address-end command to configure the MAC address range.

Step 4 Bind the DHCP server group to the MAC address segment.
In the MAC address segment mode, run the dhcp-server command to bind a DHCP server group to the MAC address segment.

Step 5 Configure the IP address of the gateway corresponding to the MAC address segment.
1. In the global config mode, run the interface vlanif command to create a VLAN L3 interface. The VLAN ID must be the same as the ID of the VLAN described in the prerequisite.
2. In the VLANIF mode, run the ip address command to configure the IP address of the VLAN L3 interface. After the configuration is completed, this IP address is used as the source IP address for forwarding the IP packets in the VLAN at L3.
   CAUTION
   - If only an L2 device exists between the MA5600T and the DHCP server, the IP address of the VLAN L3 interface should be in the same subnet as the IP address of the DHCP server.
   - If the upper-layer device of the MA5600T is an L3 device, the IP address of the VLAN L3 interface and the IP address of the DHCP server can be in different subnets; however, a route must exist between the VLAN L3 interface and the DHCP server. For details, see 3.3 Configuring the Route.
3. In the VLANIF mode, run the dhcp mac-range gateway command to configure the IP address of the gateway corresponding to the DHCP domain.

Enable the DHCP proxy function.1. Step 6 (Optional) Configure the DHCP proxy. Run the dhcp proxy enable command to enable DHCP proxy. To hide the IP address of the DHCP server (preventing attacks to the DHCP server from the client). Run the quit command to quit the VLAN service profile mode. a. with the IP address of the primary server 10. When DHCP proxy is enabled. The configuration of the VLAN service profile takes effect only after execution of this command. l Perform the configuration in the VLAN service profile: 2.10..10. Under the same VLAN interface. Run the commit command to make the profile configuration take effect. Ltd. Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. To bind server group 2 to certain users (whose MAC address is in the range from 0000-0000-0001 to 0000-0000-0100) in VLAN 2.2.1 3. or to configure the MA5600T to allocate a shorter lease time to the client (compared with the lease time directly allocated by the DHCP server).11. 245 . e.2.10. run the dhcp proxy enable command to enable DHCP proxy.10. Choose one from the following two methods for enabling DHCP proxy: l In the global config mode.10. different DHCP servers can be selected according to the MAC address segment information in the packet.1. d.10 10. 1. the DHCP server ID proxy and the lease-time proxy are enabled. do as follows: huawei(config)#dhcp mode layer-3 mac-range huawei(config)#dhcp-server 2 ip 10. configure the DHCP proxy.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 3 Configuring L3 Features The IP address of the gateway must be a configured IP address of the VLAN interface.a. Therefore.10. Run the vlan bind service-profile command to bind the VLAN to the VLAN service profile created in 6.10 and the IP address of the secondary server 10.10. The proxy lease time configured here should be shorter than the lease time allocated by the DHCP server. 
----End Example Assume that server group 2 contains two DHCP servers working in the load balancing mode. run the dhcp proxy lease-time command to configure the global proxy lease time.1. Run the vlan service-profile command to create a VLAN service profile and enter the VLAN service profile mode.10. b.3 Configuring the Route This topic describes the routing policy supported by the MA5600T and how to configure the routing protocol. different MAC address segments can be configured with different gateways.1 24 huawei(config-if-vlanif2)#dhcp mac-range huawei gateway 10. c.11 huawei(config)#dhcp mac-range huawei huawei(config-mac-range-huawei)#mac-range 0000-0000-0001 to 0000-0000-0100 huawei(config-mac-range-huawei)#dhcp-server 2 huawei(config)#quit huawei(config)#interface vlanif 2 huawei(config-if-vlanif2)#ip address 10. In the global config mode.

Configure the IP address of the L3 interface on MA5600T_A.30.0. Service Requirements l Consider two MA5600Ts with routing function enabled.1 Vlanif2 10.1. Save the data. Both of them are running the OSPF routing protocol.0.0.255 huawei(config-ospf-1-area-0.0. huawei(config)#router id 1.0 0.0.1 32 vlanif 2 10.1 4.0.0. and within area 0.0.0.1.10.0.1. Import static routes into the OSPF routing table to improve its capability of obtaining routes.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 3 Configuring L3 Features 3.0.1 Vlanif2 10.2/16 Area 0 MA5600T_B 2.2.1 10.1 10.1 24 huawei(config-if-vlanif2)#quit 2.0.20. Configure the OSPF router ID on MA5600T_A.0.1 32 vlanif 2 10..0.0.2 Procedure Step 1 Configuring MA5600T_A.0.0. and MA5600T_B is configured with the routing filtering policy.1 32 vlanif 2 10.0.0.1 huawei(config)#ip route-static 40. l MA5600T_A imports static routes. huawei(config)#ospf hawei(config-ospf-1)#import-route static hawei(config-ospf-1)#quit 6.0. huawei(config)#ip route-static 20.0.0.2.0. namely MA5600T_A and MA5600T_B. Ltd. huawei(config)#ospf huawei(config-ospf-1)#area 0 huawei(config-ospf-1-area-0. Configure three static routes.1 huawei(config)#ip route-static 30. huawei(config)#save Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.0.3.0)#network 10. Enable OSPF on MA5600T_A and specify the area ID to which the interface belongs. 246 . 1.0. huawei(config)#vlan 2 smart huawei(config)#port vlan 2 0/17 0 huawei(config)#interface vlanif 2 huawei(config-if-vlanif2)#ip address 10.0.0. Figure 3-3 Example network for configuring the routing policy Static:10.0)#quit huawei(config-ospf-1)#quit 3.1 5.0.0.1.1/16 MA5600T_A 1.1 Configuration Example of the Routing Policy This topic provides an example for configuring a routing policy for imported routes.

0.0.0.0.0 are available. while the route from segment 30. After a filter is configured on MA5600T_B.1 ip route-static 40.0. Configuration File Configuration on MA5600T_A.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 3 Configuring L3 Features Step 2 Configuring MA5600T_B.0)#quit huawei(config-ospf-1)#quit 4.255.1 ip route-static 30.0)#network 10.0. Ltd.0. routes from segments 20.0 and 40.2 24 huawei(config-if-vlanif2)#quit 2.0 0.0. parts of the three imported static routes are available while part of them is screened on MA5600T_B.1 32 vlanif 2 10.0.1.1 ospf import-route static quit save Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.0.0.2. huawei(config)#acl 2000 huawei(config-acl-basic-2000)#rule deny source 30.0. Save the data.2.0.0.0. MA5600T_A and MA5600T_B run OSPF successfully.0.0. Configure the IP address of the L3 interface on MA5600T_B.255 quit quit router id 1. Enable OSPF on MA5600T_B and specify the area id to which the interface belongs.0..0.1 ip route-static 20.1.0 is screened.0 0. Configure the OSPF router ID of MA5600T_B.1 24 quit ospf area 0 network 10.0. 247 .0.0. huawei(config)#ospf huawei(config-ospf-1)#area 0 huawei(config-ospf-1-area-0.0. huawei(config)#vlan 2 smart huawei(config)#port vlan 2 0/17 0 huawei(config)#interface vlanif 2 huawei(config-if-vlanif2)#ip address 10.0. huawei(config)#router id 2.0.0.0. 1.0 255. 2.1 32 vlanif 2 10.1 32 vlanif 2 10.0.0.0.0.0 huawei(config-acl-basic-2000)#rule permit source any huawei(config-acl-basic-2000)#quit 3.0.0. vlan 2 smart port vlan 2 0/17 0 interface vlanif 2 ip address 10. huawei(config)#ospf uawei(config-ospf-1)#filter-policy 2000 import huawei(config-ospf-1)#quit 6.2 5.255. huawei(config)#save ----End Result 1.0. That is. Configure the ACL.0. and they can communicate well with each other. Filter imported routes.0.255 huawei(config-ospf-1-area-0.

2/24 1. MA5600T_B. Service Requirements In this example network.1.1.1/24 Procedure Step 1 Configure the IP address of the L3 interface.0 0.0.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 3 Configuring L3 Features Configuration on MA5600T_B. and MA5600T_C have the routing function. huawei(config)#vlan 2 smart huawei(config)#port vlan 2 0/17 0 Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.0.0.1.1.5.0 255. Figure 3-4 Example network for configuring the static route PC_C 1.2/24 1.0.255.2 Configuration Example of the Static Route This topic describes how to manually add the static route to implement the interconnection between MA5600T. MA5600T_A.5. 248 .1.2.2.1/24 1.1/24 1.255.1.3.1.0.4. The configurations for the three MA5600T devices are the same.1/24 PC_B 1.3. It is expected that after the configuration. vlan 2 smart port vlan 2 0/17 0 interface vlanif 2 ip address 10. The configuration of the MA5600T is considered as an example.2/24 MA5600T_ A MA5600T_ B PC_A 1.2.1 24 acl 2000 rule deny source 30.1. Ltd. any two PCs can communicate with each other.1.1/24 MA5600T_ C 1.1.0 rule permit source any quit ospf area 0 network 10.2 ospf filter-policy 2000 import quit save 3.2/24 1.1.1..3.4.2.0.255 quit quit router id 2.2/24 1.0.0.

1 24 sub quit ip route-static 1.1.255. Step 4 Save the data. Service Requirements l MA5600T_A is subtended with MA5600T_B through port 0/17/1.0 255. Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.4.2.255.0 1.1 huawei(config)#ip route-static 1.255.1. huawei(config)#ip route-static 1.3.5.1.255.2.1 24 sub huawei(config-if-vlanif2)#quit Step 2 Configure static routes.255. Configure static route for MA5600T_A.2 24 ip address 1.2 Step 3 Configure the host gateways. Configure the default gateway of Host B to 1.1.1.255.2.1.255.3 Configuration Example of RIP This topic provides an example for configuring RIP on the MA5600T.1.4.0 255.0 1.2.1.1.255.2.2 2.1.1. 1.2 3.1. and uses port 0/17/0 to transmit services in the upstream.0 255.0 255. huawei(config)#ip route-static 1. Configure the default gateway of Host A to 1. Configure static route for MA5600T_B.3. huawei#save ----End Result After the configuration. l RIP is enabled on MA5600T_A and MA5600T_B so that the administrator can access MA5600T_A and MA5600T_B through the RIP route.1.0 1.4. Configure static routes for MA5600T_C. 1.1.3. vlan 2 smart port vlan 2 0/17 0 interface vlanif 2 ip address 1.0 1.5.2 24 huawei(config-if-vlanif2)#ip address 1.1.255. Configure the default gateway of Host C to 1.1.2.0 1.1.1.1. Configuration File Configuration example of MA5600T_A.. 3.1.3.4. Besides.255.1. huawei(config)#ip route-static 1.5.255.255.0 255.1.2 ip route-static 1.2.1. Then. Ltd.0 255. 2.255.1 huawei(config)#ip route-static 1. 249 .255.0 1.1. an interconnection can be set up between all the hosts and between all the MA5600T devices.255. you can operate and maintain MA5600T_A and MA5600T_B.0 255.2 huawei(config)#ip route-static 1. 
it connects to the management center network through the WAN.0 255.255.0 1.5.1.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 3 Configuring L3 Features huawei(config)#interface vlanif 2 huawei(config-if-vlanif2)#ip address 1.2.1.1 3.2.1.2.0 1.1.

5/22 Loopback interface address: 10.24.2/32 Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.13. Table 3-2 Data plan for configuring RIP Item Data MA5600T_A Upstream port: 0/17/0 Administration VLAN: smart VLAN 100 IP address of the L3 interface in the administration VLAN: 10.2/26 Loopback interface address: 10.13.5/22 GE 10. Ltd.24.13.2.1/26 MA5600T_B Subtending port: 0/17/0 Administration VLAN: smart VLAN 10 IP address of the L3 interface in the administration VLAN: 10.1/32 Operation and maintenance 10.1/26 MA5600T_B Loopback ip 10.13.24.2/26 Data Plan Table 3-2 provides the data plan for configuring RIP.2/32 MA5600T_A Loopback ip 10.13.15.13.24.13.1 and 10.2.2.2.2 can be advertised through the L3 interface of VLAN 100..2. 250 .24.24. Only the routes with the IP addresses 10.15.1/32 RIP version: V2 RIP route filtering policy: filtering routes based on the IP address prefix list "abc".SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 3 Configuring L3 Features Figure 3-5 Example network for configuring RIP Management Center Router 10.15.15.13.2. Subtending port: 0/17/1 Subtending administration VLAN: smart VLAN 10 IP address of the L3 interface in the subtending administration VLAN: 10.

2. huawei(config)#rip 1 huawei(config-rip-1)#network 10. 251 .24. Save the data. huawei(config)#save l Configure MA5600T_B. huawei(config)#vlan 10 smart huawei(config)#port vlan 10 0/17 0 huawei(config)#interface vlanif 10 huawei(config-if-vlanif10)#ip address 10. Configure the route filtering policy.15.0 huawei(config-rip-1)#network 10. Enable RIP on the subtending port. Only the route with the IP address 10. Enable RIP.2.24. huawei(config)#vlan 100 smart huawei(config)#port vlan 100 0/17 0 huawei(config)#interface vlanif 100 huawei(config-if-vlanif100)#ip address 10.2.5 22 huawei(config-if-vlanif100)#quit huawei(config)#interface loopBack 0 huawei(config-if-loopback0)#ip address 10.13.13.1 32 huawei(config)#ip ip-prefix abc permit 10.2. 1.24.13.2 can be advertised through the L3 interface of VLAN 10. Ltd.15. 1. huawei(config)#vlan 10 smart huawei(config)#port vlan 10 0/17 1 huawei(config)#interface giu 0/17 huawei(config-if-giu-0/17)#network-role 1 cascade huawei(config-if-giu-0/17)#quit huawei(config)#interface vlanif 10 huawei(config-if-vlanif10)#ip address 10.1 32 huawei(config-if-loopback0)#quit 2.0 huawei(config-rip-1)#quit 6.24.13. Procedure l Configure MA5600T_A.2.15.13.0 huawei(config-rip-1)#version 2 huawei(config-rip-1)#quit 3.2 32 huawei(config)#rip 1 huawei(config-rip-1)#filter-policy ip-prefix abc export vlanif 100 huawei(config-rip-1)#quit 4.13.24.13. Configure the RIP-supported L3 interface.1 26 huawei(config-if-vlanif10)#quit 5..SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide Item 3 Configuring L3 Features Data RIP version: V2 RIP route filtering policy: filtering routes based on the IP address prefix list "abc". huawei(config)#rip 1 huawei(config-rip-1)#network 10. Configure the subtending port.2 26 huawei(config-if-vlanif10)#quit huawei(config)#interface loopBack 0 Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. Configure the RIP-supported L3 interface. 
huawei(config)#ip ip-prefix abc permit 10.

and operate and maintain the two devices.2 32 huawei(config-if-loopback0)#quit 2. Ltd..24.2.0 huawei(config-rip-1)#version 2 huawei(config-rip-1)#quit 3. huawei(config)#ip ip-prefix abc permit 10.15.24. huawei(config)#save ----End Result The maintenance terminal of the administration center can access MA5600T_A and MA5600T_B.0 huawei(config-rip-1)#network 10.24. Enable RIP.15.15.2.2 26 Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.1 32 quit rip 1 network 10.13.24.2 32 huawei(config)#rip 1 huawei(config-rip-1)#filter-policy ip-prefix abc export vlanif 10 huawei(config-rip-1)#quit 4. Save the data.1 26 quit rip 1 network 10. 252 .13.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 3 Configuring L3 Features huawei(config-if-loopback0)#ip address 10.15.13.24.0 version 2 quit ip ip-prefix abc permit 10.2 32 rip 1 filter-policy ip-prefix abc export vlanif 100 quit vlan 10 smart port vlan 10 0/17 1 interface giu 0/17 network-role 1 cascade quit interface vlanif 10 ip address 10.2.13.2.2. Configure the route filtering policy.13.0 quit save Configuration on MA5600T_B vlan 10 smart port vlan 10 0/17 0 interface vlanif 10 ip address 10.13.5 22 quit interface loopBack 0 ip address 10.24.13.2. Configuration File Configuration on MA5600T_A vlan 100 smart port vlan 100 0/17 0 interface vlanif 100 ip address 10. huawei(config)#rip 1 huawei(config-rip-1)#network 10.13.2.13.0 network 10.1 32 ip ip-prefix abc permit 10.

4.2.2 MA5600T_C 3.3.13.1/24 192.4.2/24 192. 253 .4/24 192.13.3.2.24.1 MA5600T_D 4.1.1.13.2 32 rip 1 filter-policy ip-prefix abc export vlanif 10 quit save 3.1. MA5600T_C is configured with the second highest DR priority. Figure 3-6 Example network for configuring OSPF MA5600T_ A 1.0 version 2 quit ip ip-prefix abc permit 10.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 3 Configuring L3 Features quit interface loopBack 0 ip address 10.1. and MA5600T_A realizes the broadcast of network link status for the DR.1.2.3.4 Configuration Example of OSPF This topic provides an example for configuring OSPF on the MA5600T.4 DR 192.1/24 - Priority: 100 - VLAN ID: 2 - Router ID: 1.3/24 BDR MA5600T_B 2.1. Table 3-3 Data plan for configuring OSPF Issue 01 (2012-01-18) Item Data Remarks MA5600T_A IP address of the L3 interface: 192.2. Ltd.1.15.0 network 10.3 Data Plan Table 3-3 provides the data plan for configuring OSPF.1. l MA5600T_A is configured with the highest designated router (DR) priority.1.2 32 quit rip 1 network 10.1 - Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. Service Requirements l OSPF is enabled on the four MA5600Ts.1.1.2.1.1.1..

Item | Data | Remarks
MA5600T_B | IP address of the L3 interface: 192.1.1.2/24 | -
MA5600T_B | Priority: 80 | -
MA5600T_B | VLAN ID: 2 | -
MA5600T_B | Router ID: 2.2.2.2 | -
MA5600T_C | IP address of the L3 interface: 192.1.1.3/24 | -
MA5600T_C | Priority: 90 | -
MA5600T_C | VLAN ID: 2 | -
MA5600T_C | Router ID: 3.3.3.3 | -
MA5600T_D | IP address of the L3 interface: 192.1.1.4/24 | -
MA5600T_D | Priority: not configured | Default: 1
MA5600T_D | VLAN ID: 2 | -
MA5600T_D | Router ID: 4.4.4.4 | -

Background Information
• The native VLAN of each interface of the MA5600T must be configured to ensure a normal communication.
• The OSPF area IDs of the MA5600T devices must be consistent.

Procedure
Step 1 Configure MA5600T_A.
1. Configure the IP address of the L3 interface.
huawei(config)#vlan 2 smart
huawei(config)#port vlan 2 0/17 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 192.1.1.1 24
huawei(config-if-vlanif2)#quit
2. Configure the OSPF Router ID.
huawei(config)#router id 1.1.1.1
3. Enable OSPF.
huawei(config)#ospf
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 192.1.1.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#network 1.1.1.1 0.0.0.0
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit
4. Configure the OSPF priority.

huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ospf dr-priority 100
huawei(config-if-vlanif2)#quit
5. Save the data.
huawei(config)#save

Step 2 Configure MA5600T_B.
1. Configure the IP address of the L3 interface.
huawei(config)#vlan 2 mux
huawei(config)#port vlan 2 0/17 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 192.1.1.2 24
huawei(config-if-vlanif2)#quit
2. Configure the OSPF Router ID.
huawei(config)#router id 2.2.2.2
3. Enable OSPF.
huawei(config)#ospf
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 192.1.1.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#network 2.2.2.2 0.0.0.0
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit
4. Configure the OSPF priority.
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ospf dr-priority 80
huawei(config-if-vlanif2)#quit
5. Save the data.
huawei(config)#save

Step 3 Configure MA5600T_C.
1. Configure the IP address of the L3 interface.
huawei(config)#vlan 2 mux
huawei(config)#port vlan 2 0/17 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 192.1.1.3 24
huawei(config-if-vlanif2)#quit
2. Configure the OSPF Router ID.
huawei(config)#router id 3.3.3.3
3. Enable OSPF.
huawei(config)#ospf
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 192.1.1.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#network 3.3.3.3 0.0.0.0
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit
4. Configure the OSPF priority.
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ospf dr-priority 90
huawei(config-if-vlanif2)#quit
5. Save the data.
huawei(config)#save

Step 4 Configure MA5600T_D.
1. Configure the IP address of the L3 interface.
huawei(config)#vlan 2 mux
huawei(config)#port vlan 2 0/17 0
huawei(config)#interface vlanif 2

huawei(config-if-vlanif2)#ip address 192.1.1.4 24
huawei(config-if-vlanif2)#quit
2. Configure the OSPF Router ID.
huawei(config)#router id 4.4.4.4
3. Enable OSPF.
huawei(config)#ospf
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 192.1.1.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#network 4.4.4.4 0.0.0.0
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit
4. Save the data.
huawei(config)#save
----End

Result
Run the display ip routing-table command and you can find the learnt route table. Hosts can communicate with each other.

Configuration File
Configuration on each MA5600T is similar. Take MA5600T_A for example.
vlan 2 smart
port vlan 2 0/17 0
interface vlanif 2
ip address 192.1.1.1 24
quit
router id 1.1.1.1
ospf
area 0
network 192.1.1.0 0.0.0.255
network 1.1.1.1 0.0.0.0
quit
quit
interface vlanif 2
ospf dr-priority 100
quit
save

4 Configuring the GPON Internet Access Service

About This Chapter
The GPON broadband Internet access service is applicable to the scenario that provides users with the Internet access service through optical fibers. This topic describes how to configure the Internet access service provided by the MA5600T through GPON.

Application Context
GPON is mainly used in the FTTx solution. The FTTx technology is mainly used for adopting optical network in the access network. Its coverage is from the CO device of the regional telecommunications room to the subscriber terminal. The optical line terminal (OLT) functions as the CO device. The optical network unit (ONU) or the optical network terminal (ONT) functions as the subscriber terminal. The networking mode for the service can be FTTH, FTTB, or FTTC.
• FTTH refers to fiber to the home. In this networking scenario, the MA5600T functions as an OLT and is connected to the ONT at lower layer through the ODN. The ONT is connected to subscribers to provide the voice, Internet access, and IPTV services.
• FTTB refers to fiber to the building. In this networking scenario, the MA5600T functions as an OLT and is connected to the MDU or ONUs of other types at lower layer through the ODN. The ONU or MDU is connected to subscribers. FTTB can be further classified into FTTB+DSL and FTTB+LAN. These two modes respectively use the home gateway with an RJ-11 upstream port and the home gateway with a LAN upstream port to provide the voice, Internet access, and IPTV services.
• FTTC refers to fiber to the curb. In this networking scenario, the MA5600T functions as an OLT and is connected to the MDU or outdoor cabinets for ONUs of other types at lower layer through the ODN. The ONU is placed in the cabinet at the curb. The ONU or MDU is connected to subscribers. It uses coaxial cables to transmit CATV signals or uses twisted pairs to transmit the voice and Internet access services. FTTC is mainly used to provide services for residential subscribers.
FTTC and FTTB are the same in configuration and differ from each other only in the networking mode.

Prerequisite
• Configure the AAA function.
  – To enable the AAA function on the device, see 2.12 Configuring AAA.
  – If the AAA function is implemented by the BRAS, a connection to the BRAS must be established. For the identification purpose, the user name and password for dial-up Internet access must be configured on the BRAS.
• The GPON mode is already switched to the profile mode.
• The GPON profile for the Internet access service is already created.
  – For an ONT, 4.1.2 Configuring a GPON ONT Line Profile, 4.1.3 Configuring a GPON ONT Service Profile, and 4.1.4 Configuring a GPON ONT Alarm Profile are already completed.
  – For an MDU or ONU, 4.1.2 Configuring a GPON ONT Line Profile and 4.1.4 Configuring a GPON ONT Alarm Profile are already completed.

Data Plan
Before configuring the GPON Internet access service, plan the data items as listed in Table 4-1.

Table 4-1 Data plan for the GPON Internet access service
Parameter | Data | Remarks
MA5600T | Access rate | Configure the data according to the user requirements.
MA5600T | Access port | Configure the data according to the network planning.
MA5600T | VLAN planning | The cooperation with the upper-layer device should be considered in the VLAN planning. The upstream VLAN must be the same as that of the upper-layer device. The BRAS should be capable of identifying the VLAN tag of the MA5600T in the upstream direction.
MA5600T | QoS policy | Configure the data according to the QoS policy of the entire network. Generally, the priority of the Internet access service is lower than the priorities of the voice and video services.
MA5600T | T-CONT ID | It is recommended that you do not use T-CONT 0 to transmit services.
MA5600T | GEM port index | -
MA5600T | ONT line profile, ONT service profile | The ONT service profile must be the same as the actual capacity.
ONT | ONT index | GPON supports a split ratio of up to 1:128. You need to plan the ONTs connected to the MA5600T to facilitate management.
ONT | Authentication mode | You can use the password authentication and the serial number authentication.
Upper-layer LAN switch | - | The LAN switch transparently transmits the service packets of the MA5600T on L2. The VLAN ID must be the same as the upstream VLAN ID of the MA5600T.
BRAS | - | The BRAS performs the related configurations according to the authentication and accounting requirements for dialup users, for example, configures the access user domain (including the authentication scheme, accounting scheme, and authorization scheme bound to the domain) and specifies the RADIUS server. If the BRAS is used to authenticate users, you need to configure the user name and the password for each user on the BRAS. If the BRAS is used to allocate IP addresses, you need to configure the corresponding IP address pool on the BRAS.

Procedure
1. 4.1 Configuring xPON Profiles
   Configuring an xPON profile is a prerequisite for configuring an xPON access service. This topic describes how to configure a DBA profile and an xPON ONT profile.
2. 4.2 Configuring a VLAN
   Configuring VLAN is a prerequisite for configuring a service. Hence, before configuring a service, make sure that the VLAN configuration based on planning is complete.
3. 4.3 Configuring an Upstream Port
   This topic describes how to add an upstream port for an Internet access service to a VLAN.
4. 4.4 Configuring a GPON ONT
   The MA5600T provides end users with services through the ONT. The MA5600T can manage the ONT and the ONT can work in the normal state only after the channel between the MA5600T and the ONT is available.
5. 4.5 Configuring a GPON Port
   To work normally and carry the service, a GPON port must be enabled first. This topic describes how to enable a GPON port and configure related attributes of the port.
6. 4.6 Creating a GPON Service Port
   A service port is a service channel connecting the user side to the network side. To provision services, a service port must be created.

4.1 Configuring xPON Profiles
Configuring an xPON profile is a prerequisite for configuring an xPON access service. This topic describes how to configure a DBA profile and an xPON ONT profile.

Context
NOTE
For the MA5600T, xPON indicates GPON and EPON collectively.

4.1.1 Configuring a DBA Profile
A DBA profile defines the traffic parameters of xPON and can be bound to dynamically allocate the bandwidth and improve the usage of the upstream bandwidth. The system provides nine default DBA profiles numbered 1-9, which define the typical values of traffic parameters. These DBA profiles cannot be added or deleted.

Default Configuration
Table 4-2 lists the default settings of the DBA profiles.

Table 4-2 Default settings of the DBA profiles
Parameter | Default Setting | Remarks
Default DBA profile ID in the system | 1-9 | You can run the display dba-profile all command to query the parameter values of each default DBA profile.

Procedure
Step 1 Add a DBA profile.
Run the dba-profile add command to add a DBA profile.
NOTE
• By default, T-CONT is not bound to any DBA profile. Hence, a DBA profile must be configured for T-CONT. By default, LLID is bound to No. 9 DBA profile.
• When you add a DBA profile, the bandwidth value must be a multiple of 64. If you enter a bandwidth value not of a multiple of 64, the system adopts the closest multiple of 64 that is smaller than the value you enter.
Step 2 Query a DBA profile.
Run the display dba-profile command to query a DBA profile.
----End

Example
Assume that the name and type of a DBA profile are "DBA_bandwidth" and "type3" respectively, and that the bandwidth required by a user is 10 Mbit/s. To add such a DBA profile, do as follows:
huawei(config)#dba-profile add profile-name DBA_10M type3 assure 10240 max 10240
huawei(config)#display dba-profile profile-name DBA_10M
-----------------------------------------------------------------
Profile-name : DBA_10M
Profile-ID: 10
type: 3
Bandwidth compensation: No
Fix(kbps): 0
Assure(kbps): 10240
Max(kbps): 10240
bind-times: 0
-----------------------------------------------------------------

4.1.2 Configuring a GPON ONT Line Profile
Configure a GPON ONT line profile and use it when adding an ONT. An ONT must be bound to a GPON ONT line profile when its management mode is OMCI or SNMP.

Default Configuration
Table 4-3 lists the default settings of a GPON ONT line profile.

Table 4-3 Default settings of a GPON ONT line profile
Parameter | Default Setting
QoS mode | Priority-queue (PQ) scheduling mode
Mapping mode supported by the ONT | VLAN mapping mode
Upstream FEC switch | Disabled

Procedure
Step 1 Run the ont-lineprofile gpon command to add a GPON ONT line profile, and then enter the GPON ONT line profile mode.
Regardless of whether the ONT is in the OMCI or SNMP management mode, the line profile must be configured for the ONT. After adding a GPON ONT line profile, directly enter the GPON ONT line profile mode to configure the related attributes of the ONT line.
Step 2 Bind the T-CONT with a DBA profile.
Use the following two methods to bind a DBA profile.
• In line profile mode: This method is applicable to the scenario where the DBA profile is stable and the terminals are of a single type.
  Run the tcont command to bind the T-CONT with a DBA profile. Ensure that 4.1.1 Configuring a DBA Profile is completed before the configuration.

• In GPON mode: This method is applicable to the scenario where the DBA profile changes frequently and the terminals are of different types.
  1. Run the tcont command to create a T-CONT, which is not bound with the DBA.
  2. After the configuration of a GPON ONT line profile is complete, enter the GPON mode. Run the tcont bind-profile command to bind the T-CONT with a DBA profile. Ensure that 4.1.1 Configuring a DBA Profile is completed before the configuration.
By default, T-CONT 0 of an ONT is used by OMCI and is bound with DBA profile 1. The configuration suggestions for the OMCI T-CONT are as follows:
• Do not modify the DBA profile bound to the T-CONT. If you need to modify the profile, ensure that the fixed bandwidth of the modified profile is not lower than 5 Mbit/s.
• Do not bind the GEM port with the T-CONT. That is, ensure that the T-CONT does not carry any service.
• If the sum of the fixed bandwidth and assured bandwidth of the bound DBA profile is larger than the remaining bandwidth of the GPON port, the binding fails and the system displays a message "Failure: The bandwidth is not enough". In this case, you can run the display port info command to query the remaining bandwidth (Left guaranteed bandwidth (kbit/s)) of the GPON port beforehand, and then decrease the fixed bandwidth and assured bandwidth of the bound DBA profile accordingly.
Step 3 (Optional) Configure the QoS mode of the GPON ONT line profile.
Run the qos-mode command to configure the QoS mode of the GPON ONT line profile so that the QoS mode is the same as the QoS mode of the GEM port. By default, the QoS mode of the ONT line profile is the PQ scheduling mode. The three QoS modes are as follows:
• flow-car: When this mode is selected, flow-car should be selected in the gem mapping command, and the maximum traffic depends on the traffic profile bound to the service port. Run the traffic table ip command to create a required traffic profile before the configuration.
  NOTE
  The service port here refers to the service channel from the ONT to the OLT, and is different from the service port created by running the service-port command.
• gem-car: When this mode is selected, gem-car should be selected in the gem add command, and the maximum traffic depends on the traffic profile bound to the GEM port.
• priority-queue: When this mode is selected, priority-queue should be selected in the gem add command. The system has eight default queues (0-7). Queue 7 has the highest priority and the traffic of this queue must be ensured first. The maximum traffic depends on the DBA profile bound to the corresponding T-CONT.
Step 4 Configure the binding relation between the GEM index and the T-CONT.
Run the gem add command to configure the binding relation between the GEM index and the T-CONT in the GPON ONT line profile. The ONT can carry services only after the mapping between the GEM port and the T-CONT, and the mapping between the GEM port and the service port are configured for the ONT.
A correct attribute should be selected for service-type based on the service type. Select eth when the Ethernet service is carried. Select tdm when the TDM service is carried.
Step 5 Configure the mapping between the GEM port and the ONT-side service.
Run the gem mapping command to set up the mapping between the GEM port and the ONT-side service.

Before the configuration, run the mapping-mode command to configure the mapping mode supported by the ONT so that the mapping mode supported by the ONT is the same as the configured mapping mode between the GEM port and the ONT-side service. By default, the ONT supports the VLAN mapping mode.
• The mapping modes of the ETH port and the MOCA port are as follows:
  – If the port is specified and then the VLAN is further specified, the mapping mode should be configured to port-vlan in the mapping-mode command. That is, the port+VLAN mapping mode is used.
  – If the port is specified and then the priority is further specified, the mapping mode should be configured to port-priority in the mapping-mode command. That is, the port+priority mapping mode is used.
  – If the port and the VLAN are specified and then the priority is further specified, the mapping mode should be configured to port-vlan-priority in the mapping-mode command. That is, the port+VLAN+priority mapping mode is used.
• As a special port, the IPHOST or E1 port is not restricted by the ONT mapping mode.
Step 6 Configure the upstream FEC switch.
Run the fec-upstream command to configure the upstream FEC switch of the GPON ONT line profile. By default, this switch is disabled.
In the FEC check, the system inserts redundancy data into normal packets. In this way, the line has certain error tolerant function, but certain bandwidth resources are wasted. Enabling the FEC function enhances the error tolerant capability of the line but occupies certain bandwidth. Therefore, determine whether to enable the FEC function based on the actual line planning.
Step 7 Run the commit command to make the parameters of the profile take effect. The configuration of a line profile takes effect only after you perform this operation.
NOTE
If this profile is not bound, all the parameters that are configured take effect when the profile is bound. If this profile is already bound, the configuration takes effect on all ONTs bound with this profile immediately.
Step 8 Run the quit command to return to the global configuration mode.
----End

Example
Assume that the GEM index is 1, the GEM port is bound with T-CONT 1 and mapped to ETH 1 of the ONT. To add GPON ONT line profile 5, create a channel for carrying the Ethernet service, with T-CONT 1 and bound with DBA profile 12, use the QoS policy of controlling the traffic based on GEM ports, and bind the GEM port with default traffic profile 6, do as follows:
huawei(config)#ont-lineprofile gpon profile-id 5
huawei(config-gpon-lineprofile-5)#tcont 1 dba-profile-id 12
huawei(config-gpon-lineprofile-5)#qos-mode gem-car
huawei(config-gpon-lineprofile-5)#gem add 1 eth tcont 1 gem-car 6
huawei(config-gpon-lineprofile-5)#mapping-mode port
huawei(config-gpon-lineprofile-5)#gem mapping 1 0 eth 1
huawei(config-gpon-lineprofile-5)#commit
huawei(config-gpon-lineprofile-5)#quit
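The consistency rules this section states for DBA and line profiles can be checked before a change is pushed to the device. The following is an added example, not code from the guide or from Huawei: it audits a pasted line-profile session and models the DBA bandwidth rules. The command grammar it reads is assumed from the example session in this section only, and the second sample session is constructed.

```python
"""Pre-change audit of a GPON ONT line-profile session (added example)."""

QOS_MODES = ("priority-queue", "gem-car", "flow-car")

# The example session from this section.
PAGE_EXAMPLE = [
    "huawei(config)#ont-lineprofile gpon profile-id 5",
    "huawei(config-gpon-lineprofile-5)#tcont 1 dba-profile-id 12",
    "huawei(config-gpon-lineprofile-5)#qos-mode gem-car",
    "huawei(config-gpon-lineprofile-5)#gem add 1 eth tcont 1 gem-car 6",
    "huawei(config-gpon-lineprofile-5)#mapping-mode port",
    "huawei(config-gpon-lineprofile-5)#gem mapping 1 0 eth 1",
    "huawei(config-gpon-lineprofile-5)#commit",
    "huawei(config-gpon-lineprofile-5)#quit",
]

# Constructed session that breaks several of the stated rules.
CONSTRUCTED_BAD = [
    "qos-mode gem-car",
    "gem add 2 eth tcont 0 priority-queue 3",
    "gem mapping 3 0 eth 1",
]


def effective_dba_kbps(requested_kbps):
    """Bandwidth the system adopts: the closest multiple of 64 not above the request."""
    return requested_kbps - requested_kbps % 64


def dba_bind_fits(fix_kbps, assure_kbps, left_guaranteed_kbps):
    """True if fixed + assured bandwidth fits the port's remaining guaranteed bandwidth."""
    needed = effective_dba_kbps(fix_kbps) + effective_dba_kbps(assure_kbps)
    return needed <= left_guaranteed_kbps


def _arg_after(tokens, keyword):
    """Return the token that follows keyword, or None if it is absent or last."""
    if keyword in tokens[:-1]:
        return tokens[tokens.index(keyword) + 1]
    return None


def audit_line_profile(commands):
    """Return findings (strings) for one line-profile session given as CLI lines."""
    findings = []
    qos_mode = "priority-queue"           # default QoS mode (Table 4-3)
    tconts, gems, mappings = set(), {}, []
    uncommitted = False

    for raw in commands:
        tok = raw.split("#", 1)[-1].split()   # drop a pasted "huawei(...)#" prompt
        if not tok or tok[0] in ("quit", "ont-lineprofile"):
            continue
        if tok[0] == "commit":
            uncommitted = False
            continue
        uncommitted = True                    # any other command changes the profile
        if tok[0] == "tcont" and len(tok) >= 2:
            tconts.add(tok[1])
        elif tok[0] == "qos-mode" and len(tok) >= 2:
            qos_mode = tok[1]
        elif tok[:2] == ["gem", "add"] and len(tok) >= 3:
            gems[tok[2]] = tok                # assumed: third token is the GEM index
        elif tok[:2] == ["gem", "mapping"] and len(tok) >= 3:
            mappings.append(tok)

    if qos_mode not in QOS_MODES:
        findings.append(f"unknown QoS mode {qos_mode}")
    for idx, tok in sorted(gems.items()):
        tcont = _arg_after(tok, "tcont")
        if tcont == "0":
            findings.append(f"GEM {idx}: bound to T-CONT 0, which OMCI uses")
        elif tcont not in tconts:
            findings.append(f"GEM {idx}: T-CONT {tcont} is not created in this profile")
        if qos_mode in ("gem-car", "priority-queue") and qos_mode not in tok:
            findings.append(f"GEM {idx}: gem add does not select {qos_mode}")
    for tok in mappings:
        if tok[2] not in gems:
            findings.append(f"gem mapping refers to GEM {tok[2]}, which is not added")
        if qos_mode == "flow-car" and "flow-car" not in tok:
            findings.append(f"GEM {tok[2]}: gem mapping does not select flow-car")
    if uncommitted:
        findings.append("changes are not committed and do not take effect")
    return findings


if __name__ == "__main__":
    for name, session in (("page example", PAGE_EXAMPLE), ("constructed", CONSTRUCTED_BAD)):
        print(name, audit_line_profile(session) or "no findings")
```
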

4.1.3 Configuring a GPON ONT Service Profile
The GPON ONT service profile provides a channel for configuring the service of the ONT managed in the OMCI mode. To configure the service of the ONT (such as the MDU) managed in the SNMP mode, you need to log in to the ONT.

Default Configuration
Table 4-4 lists the default settings of the GPON ONT service profile.

Table 4-4 Default settings of the GPON ONT service profile
Parameter | Default Setting
Multicast mode of the ONT | Unconcern (the OLT does not perform any processing)
Mode for the ONT to process the VLAN tag of the multicast data packets | Unconcern
Source of the priority copied for the upstream packets on the ONT port | Unconcern
QinQ attribute for the Ethernet port of the ONT | Unconcern
Transparent transmission function of the ONT | Disabled
MAC address learning function of the ONT | Enabled

Procedure
Step 1 Run the ont-srvprofile gpon command to add a GPON ONT service profile, and then enter the GPON ONT service profile mode.
If the ONT management mode is the SNMP mode, you need not configure the service profile. After adding a GPON ONT service profile, directly enter the GPON ONT service profile mode to configure the related items. Select the configuration items according to the service requirements.
Step 2 Configure the Internet access service.
1. Run the ont-port eth command to configure the port capability set of the ONT. The capability set plans various types of ports supported by the ONT. The port capability set in the ONT service profile must be the same as the actual ONT capability set.
2. Run the port vlan command to configure the port VLAN of the ONT.
Step 3 Configure the voice service.
NOTE
The voice service of the ONT is configured by issuing an XML file to the NMS and the OLT performs only transparent transmission. You only need to run the service-port command to create a service port carrying the voice service.

After this mode is selected. and then configure the VLAN ID that is switched to. Run the multicast mode command to configure the multicast mode of the ONT. Run the ont-port eth command to configure the port capability set of the ONT. 2. By default. l Igmp-snooping: IGMP snooping obtains the related information and maintains the multicast forwarding entries by listening to the IGMP packets in the communication between the user and the multicast router. Run the port vlan command to configure the port VLAN of the ONT. Run the port vlan command to configure the port VLAN of the ONT. 4. 3. Step 4 Configure the multicast service. the OLT does not process the VLAN tag of the multicast data packets. The port capability set in the ONT service profile must be the same as the actual ONT capability set. By default. l Copy-cos: Copy the priority. Issue 01 (2012-01-18) Run the transparent enable command to enable the transparent transmission function of the ONT. Run the port q-in-q eth ont-portid enable command to enable the QinQ function of the Ethernet port on the ONT. To switch the VLAN tag of the multicast packets. l Untag: Set the multicast forwarding mode not to contain the VLAN tag. Run the ont-port eth command to configure the port capability set of the ONT. 3. Run the ont-port pots command to configure the port capability set of the ONT. l Unconcern: indicates the unconcern forwarding mode. the QinQ function of the Ethernet port on the ONT is unconcerned.. select translation. l Olt-control: indicates the dynamic controllable multicast mode. the source of the priority copied for the upstream packets on the ONT Ethernet port is unconcerned. 1. After this mode is selected. To transparently transmit the VLAN tag of the multicast packets. Run the ont port native-vlan command to specify the priority of the port. select transparent.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 4 Configuring the GPON Internet Access Service 1. 
l Unconcern: The source of the priority copied for the upstream packets on the Ethernet port of the ONT is not concerned. and the multicast mode on the OLT automatically matches the multicast mode on the ONT. 2. 4. the multicast mode of the ONT is unconcern. 266 . the multicast forwarding mode of the ONT is unconcern. After Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. the OLT does not limit the multicast mode. By default. l assigned: Specifies the priority. A multicast forwarding entry can be created for the multicast join packet of the user only after the packet passes the authentication. Run the port vlan command to configure the port VLAN of the ONT. Run the port priority-policy command to configure the source of the priority copied for the upstream packets on the ONT port. but is not supported by the ONT. 5. Step 5 Configure the transparent LAN service (TLS). 1. The port capability set in the ONT service profile must be the same as the actual ONT capability set. This mode is supported by the MDU. By default. Ltd. l Unconcern: indicates the unconcern mode. l Tag: Set the multicast forwarding mode to contain the VLAN tag. Copy the priority from C-TAG. Run the multicast-forward command to configure the processing mode on the VLAN tag of the multicast data packets for the ONT. 2. the transparent transmission function of the ONT is disabled. By default. The port capability set in the ONT service profile must be the same as the actual ONT capability set.

Step 6 Configure the 1:1 (that is. 3. NOTE If this profile is not bound. If this profile is already bound. do as follows: huawei(config)#ont-srvprofile gpon profile-id 6 huawei(config-gpon-srvprofile-6)#ont-port eth 4 Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. l Unconcern: The source of the priority copied for the upstream packets on the Ethernet port of the ONT is not concerned. By default. The configuration of the service profile takes effect only after you perform this operation. the configuration takes effect on all ONTs bound with this profile immediately. Run the port vlan command to configure the port VLAN of the ONT. By default. the ONT supports four ETH ports. Run the ont port native-vlan command to specify the priority of the port. To add GPON ONT service profile 5. Run the service-port command to create a service port of the TLS type. To add GPON ONT service profile 6. l Copy-cos: Copy the priority. all the parameters that are configured take effect when the profile is bound. 2. Step 9 Run the quit command to return to the global config mode. Run the port priority-policy command to configure the source of the priority copied for the upstream packets on the ONT port. the ONT supports four ETH ports. Run the ont-port eth command to configure the port capability set of the ONT. the source of the priority copied for the upstream packets on the ONT Ethernet port is unconcerned. and the multicast mode of the ONT is the controllable multicast mode (you need to switch the multicast VLAN tag to 841 because the STB only supports carrying the VLAN tag of 841). Run the port q-in-q eth ont-portid enable command to enable the QinQ function of the Ethernet port on the ONT. Run the transparent disable command to disable the transparent transmission function of the ONT. the QinQ function of the Ethernet port on the ONT is unconcerned. 
l assigned: Specifies the priority..SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 4 Configuring the GPON Internet Access Service the transparent transmission function of the ONT is enabled. 5. This function is enabled by default. Select other-all for the multi-service type. Copy the priority from C-TAG. all packets (including service packets and protocol packets) are transparently transmitted by the ONT. Step 8 Run the commit command to make the parameters of the profile take effect. packets reported by the ONT must contain two VLAN tags) service. 1. ----End Example Assume that the profile is used for the Internet access service. and the VLAN ID of the ETH ports is 10. do as follows: huawei(config)#ont-srvprofile gpon profile-id 5 huawei(config-gpon-srvprofile-5)#ont-port eth 4 huawei(config-gpon-srvprofile-5)#port vlan eth 1-4 10 huawei(config-gpon-srvprofile-5)#commit huawei(config-gpon-srvprofile-5)#quit Assume that the profile is used for the multicast service. Step 7 Run the mac-learning command to configure the MAC address learning function of the ONT. 267 . The port capability set in the ONT service profile must be the same as the actual ONT capability set. Ltd. the VLAN ID of the ETH ports is 100. NOTE The service port for the TLS service must also be of the TLS type. 4.

huawei(config-gpon-srvprofile-6)#port vlan eth 1-4 100
huawei(config-gpon-srvprofile-6)#multicast mode olt-control
huawei(config-gpon-srvprofile-6)#multicast-forward tag translation 841
huawei(config-gpon-srvprofile-6)#commit
huawei(config-gpon-srvprofile-6)#quit

4.1.4 Configuring a GPON ONT Alarm Profile
This topic describes how to add an alarm profile, and configure most of the performance parameters for various ONT lines as a profile. After the alarm profile is configured and bound successfully, the ONT can directly use the profile when it is activated.

Background Information
An ONT alarm profile defines a series of alarm thresholds that are used to monitor the performance of an activated ONT line. When the statistics result of a parameter reaches the alarm threshold, the NE is notified and an alarm is sent to the log server and the NMS.
- The MA5600T supports up to 50 alarm profiles.
- The system contains a default alarm profile with the ID 1. This profile cannot be deleted but can be modified. All parameters in the default profile are set to 0, which indicates that no alarm is reported.

Procedure
Step 1 Run the gpon alarm-profile add command to add a GPON ONT alarm profile.
When an alarm profile is created, the default values of all alarm thresholds are 0, which indicates that no alarm is reported.
Step 2 Run the display gpon alarm-profile command to query the alarm profile.
----End

Example
To add GPON ONT alarm profile 5, set the alarm threshold for the packet loss of the GEM port to 10, set the alarm threshold for the number of mis-transmitted packets to 30, and use the default value 0 for all other thresholds, do as follows:

huawei(config)#gpon alarm-profile add profile-id 5
{ <cr>|profile-name<K> }:

  Command:
          gpon alarm-profile add profile-id 5
  Press 'Q' or 'q' to quit input
> GEM port loss of packets threshold (0~100)[0]:10
> GEM port misinserted packets threshold (0~100)[0]:30
> GEM port impaired blocks threshold (0~100)[0]:
> Ethernet FCS errors threshold (0~100)[0]:
> Ethernet excessive collision count threshold (0~100)[0]:
> Ethernet late collision count threshold (0~100)[0]:
> Too long Ethernet frames threshold (0~100)[0]:
> Ethernet buffer (Rx) overflows threshold (0~100)[0]:
> Ethernet buffer (Tx) overflows threshold (0~100)[0]:
> Ethernet single collision frame count threshold (0~100)[0]:
> Ethernet multiple collisions frame count threshold (0~100)[0]:
> Ethernet SQE count threshold (0~100)[0]:
> Ethernet deferred transmission count threshold (0~100)[0]:
> Ethernet internal MAC Tx errors threshold (0~100)[0]:
> Ethernet carrier sense errors threshold (0~100)[0]:
> Ethernet alignment errors threshold (0~100)[0]:
> Ethernet internal MAC Rx errors threshold (0~100)[0]:
> PPPOE filtered frames threshold (0~100)[0]:
> MAC bridge port discarded frames due to delay threshold (0~100)[0]:
> MAC bridge port MTU exceeded discard frames threshold (0~100)[0]:
> MAC bridge port received incorrect frames threshold (0~100)[0]:
> CES general error time threshold(0~100)[0]:
> CES severely time threshold(0~100)[0]:
> CES bursty time threshold(0~100)[0]:
> CES controlled slip threshold(0~100)[0]:
> CES unavailable time threshold(0~100)[0]:
> Drop events threshold(0~100)[0]:
> Undersize packets threshold(0~100)[0]:
> Fragments threshold(0~100)[0]:
> Jabbers threshold(0~100)[0]:
> Failed signal of ONT threshold(Format:1e-x, x: 3~8)[3]:
> Degraded signal of ONT threshold(Format:1e-x, x: 4~9)[4]:
  Adding an Alarm profile succeeded
  Profile ID  : 5
  Profile name: alarm-profile_5

huawei(config)#display gpon alarm-profile profile-id 5
--------------------------------------------------------------
Profile ID  : 5
Profile name: alarm-profile_5
--------------------------------------------------------------
GEM port loss of packets threshold: 10
GEM port misinserted packets threshold: 30
GEM port impaired blocks threshold: 0
Ethernet FCS errors threshold: 0
Ethernet excessive collision count threshold: 0
Ethernet late collision count threshold: 0
Too long Ethernet frames threshold: 0
Ethernet buffer (Rx) overflows threshold: 0
Ethernet buffer (Tx) overflows threshold: 0
Ethernet single collision frame count threshold: 0
Ethernet multiple collisions frame count threshold: 0
Ethernet SQE count threshold: 0
Ethernet deferred transmission count threshold: 0
Ethernet internal MAC Tx errors threshold: 0
Ethernet carrier sense errors threshold: 0
Ethernet alignment errors threshold: 0
Ethernet internal MAC Rx errors threshold: 0
PPPOE filtered frames threshold: 0
MAC bridge port discarded frames due to delay threshold: 0
MAC bridge port MTU exceeded discard frames threshold: 0
MAC bridge port received incorrect frames threshold: 0
CES general error time threshold: 0
CES severely time threshold: 0
CES bursty time threshold: 0
CES controlled slip time threshold: 0
CES unavailable time threshold: 0
Drop events threshold: 0
Undersize packets threshold: 0
Fragments threshold: 0
Jabbers threshold: 0
Failed signal of ONU threshold (Format:1e-x): 3
Degraded signal of ONU threshold (Format:1e-x): 4
--------------------------------------------------------------
Binding Times: 0
--------------------------------------------------------------

4.2 Configuring a VLAN
Configuring VLAN is a prerequisite for configuring a service. Hence, before configuring a service, make sure that the VLAN configuration based on planning is complete.

Prerequisites
The VLAN to be added should not exist in the system.

Application Context
VLAN application is specific to user types. For details on the VLAN application, see Table 4-5.

Table 4-5 VLAN application and planning

| User Type | Application Scenario | VLAN Planning |
| --- | --- | --- |
| Household user; commercial user of the Internet access service | N:1 scenario, that is, the scenario of upstream transmission through a single VLAN, where the services of multiple subscribers are converged to the same VLAN. | VLAN type: smart. VLAN attribute: common. VLAN forwarding mode: by VLAN+MAC |
| Household user; commercial user of the Internet access service | 1:1 scenario, that is, the scenario of upstream transmission through double VLANs, where the outer VLAN tag identifies a service and the inner VLAN tag identifies a user. The service of each user is indicated by a unique S+C. | VLAN type: smart. Attribute: stacking. VLAN forwarding mode: by S+C |
| Commercial user of the transparent transmission service | Applicable only to the transparent transmission service of a commercial user. | VLAN type: smart. VLAN attribute: QinQ. VLAN forwarding mode: by VLAN+MAC or S+C |

Default Configuration
Table 4-6 lists the default parameter settings of VLAN.

Table 4-6 Default parameter settings of VLAN

| Parameter | Default Setting | Remarks |
| --- | --- | --- |
| Default VLAN of the system | VLAN ID: 1. Type: smart VLAN | You can run the defaultvlan modify command to modify the VLAN type but cannot delete the VLAN. |
| Reserved VLAN of the system | VLAN ID range: 4079-4093 | You can run the vlan reserve command to modify the VLAN reserved by the system. |
| Default attribute of a new VLAN | Common | - |
| VLAN forwarding mode | VLAN+MAC | - |

Procedure
Step 1 Create a VLAN.
Run the vlan command to create a VLAN. VLANs of different types are applicable to different scenarios.

Table 4-7 VLAN types and application scenarios

| VLAN Type | Configuration Command | VLAN Description | Application Scenario |
| --- | --- | --- | --- |
| Standard VLAN | To add a standard VLAN, run the vlan vlanid standard command. | Standard VLAN. Ethernet ports in a standard VLAN are interconnected with each other but Ethernet ports in different standard VLANs are isolated from each other. | Only available to Ethernet ports and specifically to network management and subtending. |
| Smart VLAN | To add a smart VLAN, run the vlan vlanid smart command. | One VLAN may contain multiple xDSL service ports or GPON service ports. The traffic streams of these ports, however, are isolated from each other. In addition, the traffic streams of different VLANs are also isolated. One smart VLAN provides access for multiple subscribers and thus saves VLAN resources. | Smart VLANs can be applied in residential communities to provide xDSL or GPON service access. |
| MUX VLAN | To add a MUX VLAN, run the vlan vlanid mux command. | One MUX VLAN contains only one xDSL service port or GPON service port. The traffic streams in different VLANs are isolated from each other. One-to-one mapping can be set up between a MUX VLAN and an access user. Hence, a MUX VLAN can identify an access user. | MUX VLANs are applicable to xDSL or GPON service access. For example, MUX VLANs can be used to distinguish users. |
| Super VLAN | To add a super VLAN, run the vlan vlanid super command. | The super VLAN is based on layer 3. One super VLAN contains multiple sub-VLANs. Through an ARP proxy, the subVLANs in a super VLAN can be interconnected at layer 3. | Super VLANs save IP addresses and improve the utilization of IP addresses. For a super VLAN, subVLANs must be configured. You can run the supervlan command to add a sub-VLAN to a specified super VLAN. A sub-VLAN must be a smart VLAN or MUX VLAN. |

NOTE
- To add VLANs with consecutive IDs in batches, run the vlan vlanid to end-vlanid command.
- To add VLANs with inconsecutive IDs in batches, run the vlan vlan-list command.

Step 2 (Optional) Configure the VLAN attribute.
The default attribute for a new VLAN is "common". You can run the vlan attrib command to configure the attribute of the VLAN. Configure the attribute according to VLAN planning.

Table 4-8 VLAN attributes and application scenarios

| VLAN Attribute | Configuration Command | VLAN Type | VLAN Description | Application Scenario |
| --- | --- | --- | --- | --- |
| Common | The default attribute for a new VLAN is "common". | The VLAN with this attribute can be a standard VLAN, smart VLAN, MUX VLAN, or super VLAN. | A VLAN with the common attribute can function as a common layer 2 VLAN or function for creating a layer 3 interface. | Applicable to the N:1 access scenario. |
| QinQ VLAN | To configure QinQ as the attribute of a VLAN, run the vlan attrib vlanid q-in-q command. | The VLAN with this attribute can be a standard VLAN, smart VLAN or MUX VLAN. The attribute of a sub VLAN, the VLAN with a Layer 3 interface, and the default VLAN of the system cannot be set to QinQ VLAN. | The packets from a QinQ VLAN contain two VLAN tags, that is, inner VLAN tag from the private network and outer VLAN tag from the MA5600T. Through the outer VLAN, an L2 VPN tunnel can be set up to transparently transmit the services between private networks. | Applicable to the enterprise private line scenario. |
| VLAN Stacking | To configure stacking as the attribute of a VLAN, run the vlan attrib vlanid stacking command. | The VLAN with this attribute can only be a smart VLAN or MUX VLAN. The attribute of a sub VLAN, the VLAN with an L3 interface, and the default VLAN of the system cannot be set to VLAN Stacking. | The packets from a stacking VLAN contain two VLAN tags, that is, inner VLAN tag and outer VLAN tag from the MA5600T. The upper-layer BRAS authenticates the access users according to the two VLAN tags. In this manner, the number of access users is increased. On the upper-layer network in the L2 working mode, a packet can be forwarded directly by the outer VLAN tag and MAC address mode to provide the wholesale service for ISPs. | Applicable to the 1:1 access scenario for the wholesale service or extension of VLAN IDs. |

NOTE
- To configure attributes for the VLANs with consecutive IDs in batches, run the vlan attrib vlanid to end-vlanid command.
- To configure attributes for the VLANs with inconsecutive IDs in batches, run the vlan attrib vlan-list command.

In the case of a stacking VLAN, to configure the inner tag of the service port, run the stacking label command.

Step 3 (Optional) Configure VLAN description.
To configure VLAN description, run the vlan desc command. You can configure VLAN description to facilitate maintenance. The general VLAN description includes the usage and service information of the VLAN.

Step 4 (Optional) Configure the VLAN forwarding policy.
vlan-connect corresponds to the S+C forwarding policy, which ensures higher security by solving the problems of insufficiency in the MAC address space, MAC address aging, and MAC address spoofing and attacks.
You can configure the VLAN forwarding policy in either the global config mode or VLAN service profile configuration mode.
- In the global config mode, run the vlan forwarding command to configure the VLAN forwarding policy. The default VLAN forwarding policy is VLAN+MAC in the system.
- In the VLAN service profile configuration mode, do as follows:
  1. Run the vlan service-profile command to create a VLAN service profile and enter the VLAN service profile mode.
  2. Run the forwarding command to configure the VLAN forwarding policy. The default VLAN forwarding mode is VLAN+MAC in the system.
  3. Run the commit command to validate the profile configuration. The configuration of the VLAN service profile takes effect only after execution of this command.
  4. Run the quit command to quit the VLAN service profile mode.
  5. Run the vlan bind service-profile command to bind the VLAN to the VLAN service profile created in 4.1.
----End

Example
Assume that a stacking VLAN with ID of 50 is to be configured for extension of the VLAN. A service port is added to VLAN 50. The outer VLAN tag 50 of the stacking VLAN identifies the access device and the inner VLAN tag 10 identifies the user with access to the device. For the VLAN, description needs to be configured for easy maintenance. To configure such a VLAN, do as follows:

huawei(config)#vlan 50 smart
huawei(config)#vlan attrib 50 stacking
huawei(config)#service-port vlan 50 gpon 0/4/0 ont 1 gemport 126 rx-cttr 6 tx-cttr 6
huawei(config)#stacking label vlan 50 baselabel 10
huawei(config)#vlan desc 50 description stackingvlan/label10

Assume that a QinQ VLAN with ID of 100 is to be configured for an enterprise user to ensure higher security and the VLAN forwarding policy is S+C. For the VLAN, description needs to be configured for easy maintenance. To configure such a VLAN, do as follows:

huawei(config)#vlan 100 smart
huawei(config)#vlan attrib 100 q-in-q
huawei(config)#vlan desc 100 description qinqvlan/forhuawei
huawei(config)#vlan forwarding 100 vlan-connect

4.3 Configuring an Upstream Port
This topic describes how to add an upstream port for an Internet access service to a VLAN.

Procedure
Step 1 Configure an upstream port for the VLAN.
Run the port vlan command to add the upstream port to the VLAN.
Step 2 Configure the attribute of the upstream port.

The MA5600T can manage the ONT and the ONT can work in the normal state only after the channel between the MA5600T and the ONT is available. Step 3 Configure redundancy backup for the uplink. For the two upstream ports. see 2. Ltd. Table 4-9 lists the default settings of the GPON ONT..2 Configuring the Uplink Redundancy Backup.1.4 Configuring a GPON ONT Alarm Profile are already completed. Background Information The MA5600T uses the ONT Management and Control Interface (OMCI) protocol to manage and configure the GPON ONT. When adding an ONT.1. The 0/17/0 and 0/17/1 need to be configured into an aggregation group for double upstream accesses. That is. For details.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 4 Configuring the GPON Internet Access Service If the default attribute of the upstream port does not meet the requirement for interconnection of the upstream port with the upper-layer device. l For an MDU or ONU. do as follows: huawei(config)#port vlan 50 0/17 0 huawei(config)#port vlan 50 0/17 1 huawei(config)#interface giu 0/17 huawei(config-if-giu-0/17)#duplex 0 full huawei(config-if-giu-0/17)#duplex 1 full huawei(config-if-giu-0/17)#speed 0 100 huawei(config-if-giu-0/17)#speed 1 100 huawei(config-if-giu-0/17)#quit huawei(config)#link-aggregation 0/17 0 0/17 1 egress-ingress workmode lacp-static 4.1. you only need to bind the ONT with the corresponding service profile and line profile.5 Configuring the Attributes of an Upstream Ethernet Port.4 Configuring a GPON ONT The MA5600T provides end users with services through the ONT. the working mode is full-duplex (full) and the port rate is 100 Mbit/s.1. and 4. In the profile mode. The ONT does not need to save the configuration information locally. 276 . ----End Example Assume that the 0/17/0 and 0/17/1 upstream ports are to be added to VLAN 50. redundancy backup of the upstream ports needs to be configured. 4. 
you need to configure the attribute.3 Configuring a GPON ONT Service Profile.2 Configuring a GPON ONT Line Profile. 4. To configure such upstream ports. two upstream ports must be available.4 Configuring a GPON ONT Alarm Profile are already completed. To ensure reliability of the uplink.1. the related configuration of the GPON ONT is already integrated in the service profile and the line profile. 4. For configuration details. l For an ONT. and supports the offline configuration of the ONT. Prerequisites The GPON ONT profile is already created.2 Configuring a GPON ONT Line Profile and 4. Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. see 8. This helps to provision services.

Table 4-9 Default settings of the GPON ONT

| Parameter | Default Setting |
| --- | --- |
| ONT auto-find function of a GPON port | Disabled |
| ONT status after an ONT is added | Activated |
| Default VLAN of the ONT port | 1 |

Procedure
Step 1 Run the interface gpon command to enter the GPON mode.
Step 2 Add a GPON ONT.
1. Run the port portid ont-auto-find command to enable the auto discovery function of the ONT. After the function is enabled, the system reports the SN and password of the auto discovery ONT and you can add an ONT according to the information reported by the system. By default, the ONT auto discovery function of a GPON port is disabled.
   NOTE
   An auto discovery ONT is in the auto discovery state. The auto discovery ONT can work in the normal state only after it is confirmed or added.
2. Run the ont add command to add an ONT offline, or run the ont confirm command to confirm the auto discovery ONT.
   When ONTs are added or confirmed, the system provides three authentication modes: SN, password, SN+password.
   - SN authentication: The OLT detects the serial number (SN) reported by an ONT. If the SN is consistent with the OLT configuration, authentication is passed and the ONT goes online. This mode requires recording all ONT SNs. Hence, it is used to confirm auto discovery ONTs and is not applicable to adding ONTs in batches.
   - Password authentication: The OLT detects the password reported by an ONT. If the password is consistent with the OLT configuration, the ONT goes online normally. This mode requires planning ONT passwords and does not require manually recording ONT SNs. Hence, it is applicable to adding ONTs in batches. The password authentication provides two discovery modes: always-on and once-on.
     - always-on: After first password authentication is passed, no SN is allocated and password authentication is always used in subsequent authentications. This discovery mode is easy for future maintenance. In the always-on discovery mode, configuration is not required to be modified when an ONT is replaced and only the password is required. The always-on discovery mode has lower security. If other users know the password, the users will illegally have service permissions.
     - Once-on: After first password authentication is passed, an SN is automatically allocated and password+SN authentication is used in subsequent authentications. An ONT can go online only after the correct password and SN are entered. The once-on authentication mode has high security. After an ONT is replaced or the password is mistakenly changed, the ONT needs to be configured again, which requires more maintenance effort.
   - SN+password: The OLT detects the password and SN reported by an ONT. If the password and SN are consistent with the OLT configuration, the ONT goes online normally. This authentication mode has the highest security but it requires manually recording ONT SNs.
   Adding ONTs in offline mode is applicable to the batch deployment scenario. All ONTs are added to the OLT to complete service provisioning beforehand. When a user subscribes to the service, an installation engineer takes an ONT to the user's house and completes configurations. After the ONT goes online and passes authentication (generally the password authentication mode is used), the service is provisioned.
   Adding ONTs in auto discovery mode is applicable to the scenario where a small number of ONTs are added. When users subscribe to the service, installation engineers take ONTs to the users' houses. After the ONTs go online, the OLT confirms the ONTs one by one. Generally, the MAC address authentication mode is used to confirm the ONTs.
   NOTE
   - If the ONU is an independent NE and is directly managed by the NMS through the SNMP management mode, select the SNMP management mode. For this mode, you only need to configure the parameters for the GPON line and the parameters for the management channel on the OLT. You only need to bind the ONU with a line profile.
   - If the ONU is not an independent NE and all its configuration data is issued by the OLT through OMCI, select the OMCI management mode. For this mode, you need to configure all parameters (including line parameters, UNI port parameters, and service parameters) that are required for the ONU on the OLT. Configuring management channel parameters is not supported. You need to bind the ONT with a line profile and a service profile.
   - Generally, the ONT management mode is set to the OMCI mode. You need to bind the ONT with a line profile and a service profile.
3. (Optional) When the ONT management mode is the SNMP mode, you need to configure the SNMP management parameters for the ONT. The procedure is as follows:
   a. Run the ont ipconfig command to configure the management IP address of the ONT. The IP address should not be in the same subnet for the IP address of the VLAN port.
   b. Run the ont snmp-profile command to bind the ONT with an SNMP profile. Run the snmp-profile add command to add an SNMP profile before the configuration.
   c. Run the ont snmp-route command to configure a static route for the NMS server, that is, configure the IP address of the next hop.
Step 3 Configure the default VLAN (native VLAN) for the ONT port.
Run the ont port native-vlan command to configure the default VLAN for the ONT port. By default, the default VLAN ID of the ONT port is 1.
- If the packets reported from a user (such as a PC) to the ONT are untagged, the packets are tagged with the default VLAN of the port on the ONT and then reported to the OLT.
- If the packets reported from a user to the ONT are tagged, you need to configure the port VLAN of the ONT to be the same as the VLAN in the user tag. The packets are not tagged with the default VLAN of the port on the ONT but are reported to the OLT with the user tag.
Step 4 Bind an alarm profile.
Run the ont alarm-profile command to bind an alarm profile. Ensure that 4.1.4 Configuring a GPON ONT Alarm Profile is completed before the configuration.
Step 5 Activate the ONT.
Run the ont activate command to activate the ONT. The ONT can transmit services only when it is in the activated state.
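The three ONT authentication modes and the two password discovery modes described in Step 2 can be compared with a small model of the OLT admission decision. This is an added example, not part of the Huawei guide and not Huawei code; the class and function names, the SN values and the password are constructed for illustration, and the matching rules are a simplified reading of the text above.

```python
"""Simplified model of the OLT admission decision for the ONT authentication
modes described in Step 2. Added illustration; all names are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional

AUTH_MODES = ("sn", "password", "sn+password")
DISCOVERY_MODES = ("always-on", "once-on")


@dataclass
class OntEntry:
    auth: str                        # one of AUTH_MODES
    sn: Optional[str] = None         # configured SN, or SN learned in once-on mode
    password: Optional[str] = None
    discovery: Optional[str] = None  # one of DISCOVERY_MODES, password auth only


class OltPort:
    """Holds the ONT entries provisioned on one GPON port."""

    def __init__(self) -> None:
        self.entries: List[OntEntry] = []

    def provision(self, entry: OntEntry) -> None:
        if entry.auth not in AUTH_MODES:
            raise ValueError(f"unknown authentication mode: {entry.auth}")
        if entry.auth == "password" and entry.discovery not in DISCOVERY_MODES:
            raise ValueError("password authentication needs a discovery mode")
        self.entries.append(entry)

    def admit(self, sn: str, password: str) -> bool:
        """Return True if an ONT reporting (sn, password) may go online."""
        for e in self.entries:
            if e.auth == "sn":
                if e.sn == sn:                    # only the SN is compared
                    return True
            elif e.auth == "sn+password":
                if e.sn == sn and e.password == password:
                    return True
            elif e.password == password:          # password authentication
                if e.discovery == "always-on":
                    return True                   # no SN is ever bound
                if e.sn is None:                  # once-on: first successful login
                    e.sn = sn                     # bind this SN from now on
                    return True
                if e.sn == sn:                    # once-on: later logins need both
                    return True
        return False


# Constructed sample values, not taken from the guide.
SN_A, SN_B = "4857544300000001", "4857544300000002"
PASSWORD = "0123456789"


def scenario(auth: str, discovery: Optional[str] = None) -> Dict[str, bool]:
    """Provision one ONT entry and try three logins against it, in order."""
    port = OltPort()
    port.provision(OntEntry(
        auth=auth,
        sn=SN_A if auth != "password" else None,
        password=PASSWORD if auth != "sn" else None,
        discovery=discovery,
    ))
    return {
        "original": port.admit(SN_A, PASSWORD),
        # A replacement ONT and a device whose owner merely learned the password
        # look identical to the OLT: a different SN with the right password.
        "other_sn_same_password": port.admit(SN_B, PASSWORD),
        "same_sn_wrong_password": port.admit(SN_A, "wrong"),
    }


if __name__ == "__main__":
    for auth, disc in (("sn", None), ("password", "always-on"),
                       ("password", "once-on"), ("sn+password", None)):
        print(f"{auth:12} {disc or '-':10} {scenario(auth, disc)}")
```

The `other_sn_same_password` column is the trade-off the guide describes: always-on admits it (no reconfiguration when an ONT is replaced, but anyone who knows the password gets service), while once-on and SN+password reject it.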

and bind line profile 10 and service profile 10.0 gateway 10. Ltd.. do as follows: huawei(config)#snmp-profile add profile-id 1 v2c public private 10. the ONT is in the activated state by default.10.10.255. The step is required only when the ONT is in the deactivated state. Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. 279 .20.20. bind the ONU with line profile 4 that matches the ONU. set the discovery mode of password authentication to always-on. confirm this ONT according to the SN 3230313185885B41 automatically reported by the system. do as follows: huawei(config)#interface gpon 0/4 huawei(config-if-gpon-0/4)#ont add 0 password-auth lineprofile-id 10 ont-srvprofile-id 10 huawei(config-if-gpon-0/4)#ont add 1 password-auth lineprofile-id 10 ont-srvprofile-id 10 huawei(config-if-gpon-0/4)#ont add 2 password-auth lineprofile-id 10 ont-srvprofile-id 10 huawei(config-if-gpon-0/4)#ont add 3 password-auth lineprofile-id 10 ont-srvprofile-id 10 huawei(config-if-gpon-0/4)#ont add 4 password-auth lineprofile-id 10 ont-srvprofile-id 10 0100000001 always-on omci ont0100000002 always-on omci ont0100000003 always-on omci ont0100000004 always-on omci ont0100000005 always-on omci ont- To add an ONT that is managed by the OLT through the OMCI protocol.255.5.20 mask 255. and set the management VLAN to 100.100 4.20. ----End Example To add five ONTs in offline mode with password authentication mode (ONT passwords are 0100000001-0100000005). configure the NMS parameters for the ONU. do as follows: huawei(config)#interface gpon 0/4 huawei(config-if-gpon-0/4)#port 0 ont-auto-find enable huawei(config-if-gpon-0/4)#ont confirm 0 sn-auth 3230313185885B41 omci ontlineprofile-id 3 ont-srvprofile-id 3 To add an ONU that is managed as an independent NE and whose SN is known as 3230313185885641. and bind the ONT with line profile 3 and service profile 3 that match the ONT. 
This topic describes how to enable a GPON port and configure related attributes of the port.190 mask 255.10.0 next-hop 10.1 vlan 100 huawei(config-if-gpon-0/4)#ont snmp-profile 0 2 profile-id 1 huawei(config-if-gpon-0/4)#ont snmp-route 0 2 ip-address 10.255. Default Configuration Table 4-10 lists the default settings of the GPON port.5 Configuring a GPON Port To work normally and carry the service.10.20. a GPON port must be enabled first.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 4 Configuring the GPON Internet Access Service After being added.255.53 161 huawei huawei(config)#interface gpon 0/4 huawei(config-if-gpon-0/4)#ont add 0 2 sn-auth 3230313185885641 snmp ontlineprofile-id 4 huawei(config-if-gpon-0/4)#ont ipconfig 0 2 static ip-address 10.20.

Table 4-10 Default settings of the GPON port

| Parameter | Default Setting |
| --- | --- |
| GPON port | Enabled |
| Downstream FEC function of the GPON port | Disabled |
| Compensation distance range of the GPON port ranging | Minimum logical distance: 0 km; maximum logical distance: 20 km |

Procedure
Step 1 Run the interface gpon command to enter the GPON mode.
Step 2 Configure the laser of the GPON port.
- Run the undo shutdown command to enable the laser of the GPON port. By default, the laser of the GPON port is enabled and the GPON port is available. In this case, skip this step.
- If the GPON port is not to be used, run the shutdown command to disable the laser of the GPON port.
CAUTION
Disabling a PON port that carries services will cause the interruption of such services.
Step 3 Configure the downstream FEC function of the GPON port.
Run the port portid fec command to configure the FEC function of the GPON port. By default, the FEC function is disabled.
NOTE
- FEC is to insert redundant data into normal packets so that the line has certain error tolerance. Some bandwidth, however, must be consumed. Enabling FEC enhances the error correction capability of the line but at the same time occupies certain bandwidth. Determine whether to enable FEC according to the actual line planning.
- If a large number of ONTs are already online, enabling FEC on the GPON port may cause certain ONTs to go offline. Therefore, it is suggested that FEC should not be enabled on a GPON port that connects to online ONTs.
Step 4 Configure the renewal time of the ONT key.
Run the port portid ont-password-renew command to configure the interval for renewing the ONT key. To ensure the system security, the ONT key renewal must be configured.
Step 5 Configure the compensation distance in the ranging.
Run the port range command to configure the compensation distance range of the GPON port ranging. By default, the minimum logical distance is 0 km, and the maximum logical distance is 20 km. The difference between the minimum logical distance and the maximum logical distance must not exceed 20 km.

.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 4 Configuring the GPON Internet Access Service Step 6 (Optional) Configure the DBA calculation period on a GPON port basis. run the port dba bandwidth-assignment-mode command to configure the DBA mode on a GPON port. do as follows: huawei(config)#gpon dba bandwidth-assignment-mode min-loop-delay huawei(config)#interface gpon 0/4 huawei(config-if-gpon-0/4)#port dba bandwidth-assignment-mode 0 manual huawei(config-if-gpon-0/4)#quit huawei(config)#diagnose huawei(diagnose)%%gpon port dba calculate-period 0/4/0 4 4. DBA mode on GPON port 0/4/0 to manual. l For the TDM service. To enable the FEC function of GPON port 0/4/0. When a service port carries multiple services. In GPON board mode. modifying the DBA mode is not allowed on this GPON port. In this case. which means the global DBA mode is used as the bandwidth assignment mode for the GPON port. the DBA mode must be set to min-loop-delay. the DBA calculation period needs to be configured on a GPON port basis. Ltd. 1.6 Creating a GPON Service Port A service port is a service channel connecting the user side to the network side. the bandwidth assignment mode on the GPON port is not affected by the global DBA mode. the MA5600T supports the following modes of classifying traffic: l Issue 01 (2012-01-18) By user-side VLAN Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. l By default. and DBA calculation period to 4. In diagnose mode. if the global DBA mode is modified by running the gpon dba bandwidth-assignment-mode command. To provision services. When different GPON ports provide different access services. the bandwidth delays on these ports are different. If the DBA mode on a GPON port is not default. Are you sure to execute this command? (y/n)[n]: y To set the global DBA mode to min-loop-delay. In this case. Background Information A service port can carry a single service or multiple services. 2. 
the DBA mode on a GPON port is default. run the gpon port dba calculate-period command to configure the DBA calculation period on the GPON port. and the maximum compensation distance of ranging is 15 km. a service port must be created. ----End Example Assume that the key renew interval of the ONT under the port is 10 hours. l If ONTs are configured on a GPON port. the bandwidth assignment mode on the GPON port is also modified. do as follows: huawei(config)#interface gpon 0/4 huawei(config-if-gpon-0/4)#port 0 fec enable huawei(config-if-gpon-0/4)#port 0 ont-password-renew 10 huawei(config-if-gpon-0/4)#port 0 range min-distance 10 max-distance 15 This command will result in the ONT's re-register in the port. the minimum compensation distance of ranging is 10 km. NOTE l The DBA calculation period on a GPON port can be configured only when the DBA mode is set to manual on this GPON port. 281 .

• By user-side service encapsulation mode
• By VLAN+user-side packet priority
• By VLAN+user-side service encapsulation mode

Table 4-11 lists the default settings of a service port.

Table 4-11 Default settings of a service port

Parameter | Default Setting
Traffic profile ID | 0-6
Administrative status of the service port | Activated
Maximum number of MAC addresses that are learned | 1023

Procedure

Step 1 Create a traffic profile.
Run the traffic table ip command to create a traffic profile. There are seven default traffic profiles in the system with the IDs of 0-6.
Before creating a service port, run the display traffic table command to check whether the traffic profiles in the system meet the requirement. If no traffic profile in the system meets the requirement, add a traffic profile that meets the requirement. For details about the traffic profile, see Configuring Traffic Management Based on Service Port.

Step 2 Create a service port.
You can choose to create a single service port or multiple service ports in batches according to requirements.
• Run the service-port command to create a single service port. Service ports are classified into single-service service ports and multi-service service ports. Multi-service service ports are generally used for the triple play service.
  – Single-service service port: By default, a service port is a single-service service port if you do not enter multi-service.
  – Multi-service service port based on the user-side VLAN: Select multi-service user-vlan { untagged | user-vlanid | priority-tagged | other-all }.
    – untagged: When untagged is selected, user-side packets do not carry a tag.
    – user-vlanid: When user-vlanid is selected, user-side packets carry a tag and the value of user-vlanid must be the same as the tag carried in user-side packets, that is, CVLAN.
    – priority-tagged: When priority-tagged is selected, the VLAN tag is 0 and the priorities of user-side packets are 0-7.
    – other-all: When other-all is selected, service ports for the transparent LAN service (TLS) are created, which are mainly used in the QinQ transparent transmission service for enterprises. All the traffic except known traffic in the system is carried over this channel.
  – Multi-service service port based on the user-side service encapsulation mode: Select multi-service user-encap user-encap.
  – Multi-service service port based on VLAN+user-side packet priority (802.1p): Select multi-service user-8021p user-8021p [ user-vlan user-vlanid ].
  – Multi-service service port based on VLAN + user-side service encapsulation mode (user-encap): Select multi-service user-vlan { untagged | user-vlanid | priority-tagged } user-encap user-encap.
• Run the multi-service-port command to create service ports in batches.

NOTE
• The system supports creating service ports by index. One index maps one service port and the input of a large number of traffic parameters is not required. Therefore, the configuration of service ports is simplified. During the creation of a service port, index indicates the index of the service port and it is optional. If it is not input, the system automatically adopts the smallest value.
• vlan indicates the S-VLAN. An S-VLAN can only be a MUX VLAN or smart VLAN.
• rx-cttr is the same as outbound in terms of meanings and functions. Either of them indicates the index of the traffic from the network side to the user side. tx-cttr is the same as inbound in terms of meanings and functions. Either of them indicates the index of the traffic from the user side to the network side. The traffic profile bound to the service port is created in Step 1.

Step 3 Configure the attributes of the service port.
Configure the attributes of the service port according to requirements.
• Run the service-port desc command to configure the description of the service port. Configure the description for a service port to facilitate maintenance. In general, configure the purpose and related service information as the description of a service port.
• Run the service-port index adminstatus command to configure the administrative status of the service port. By default, a service port is in the activated state. A service port can be activated at two levels: port level and service port level. Therefore, to provision services for a user, the access port and the corresponding service port of the user must be activated.
• Run the mac-address max-mac-count service-port command to configure the maximum number of MAC addresses learned by the service port, which restricts the maximum number of PCs that can access the Internet with the same account. By default, the maximum number of MAC addresses learned by the service port is 1023.

----End

Example

Plan an Internet access user. Connect ONT 1 to GPON port 0/4/0 of the MA5600T. The ONT provides the Internet-access-only service with a rate of 4096 kbit/s for this user. The index of the GEM port that carries the service is 126, the service VLAN ID is 1000, and only three users are allowed to use the same account for Internet access at the same time. This user is not registered yet. Therefore, the service is not provided for the user for the moment. The query shows that there is no proper traffic profile in the system. Then, create traffic profile 10. To configure such a user, do as follows:

huawei(config)#traffic table ip index 10 cir 4096 priority 3 priority-policy local-Setting
  Create traffic descriptor record successfully
  ------------------------------------------------
  TD Index : 10
  TD Name : ip-traffic-table_10
  Priority : 3
  Mapping Priority :
  Mapping Index :
  CTAG Mapping Priority:
  CTAG Mapping Index :
  CTAG Default Priority: 0
  Priority Policy : local-pri
  CIR : 4096 kbps
  CBS : 133072 bytes
  PIR : 8192 kbps
  PBS : 264144 bytes
  Referenced Status : not used
  ------------------------------------------------
huawei(config)#service-port 5 vlan 1000 gpon 0/4/0 ont 1 gemport 126 inbound traffic-table index 10 outbound traffic-table index 10
huawei(config)#mac-address max-mac-count service-port 5 3
huawei(config)#service-port 5 adminstatus disable

Connect ONT 2 to GPON port 0/4/0 of the MA5600T. A commercial user requires the Internet access service with a rate of 8192 kbit/s to be provided. For subsequent service expansion, the ONT provides the Internet access service for this user in the multi-service mode. The user is differentiated based on the user-end VLAN. C-VLAN ID is 100, S-VLAN ID is 1023, and the index of the GEM port that carries the service is 126. The Internet access service is required to be provided immediately. The description of the service port is added to facilitate maintenance. The query shows that there is no proper traffic profile in the system. Then, create traffic profile 8. To configure such a user, do as follows:

huawei(config)#display traffic table ip from-index 0
{ <cr>|to-index<K> }:
  Command:
          display traffic table ip from-index 0
  ----------------------------------------------------------------------------
  TID CIR(kbps) CBS(bytes) PIR(kbps) PBS(bytes) Pri Copy-policy Pri-Policy
  ----------------------------------------------------------------------------
  0 1024 34768 2048 69536 6 tag-pri
  1 2496 81872 4992 163744 6 tag-pri
  2 512 18384 1024 36768 0 tag-pri
  3 576 20432 1152 40864 2 tag-pri
  4 64 4048 128 8096 4 tag-pri
  5 2048 67536 4096 135072 0 tag-pri
  6 off off off off 0 tag-pri
  ----------------------------------------------------------------------------
  Total Num : 7
huawei(config)#traffic table ip index 8 cir 8192 priority 4 priority-policy local-Setting
  Create traffic descriptor record successfully
  ------------------------------------------------
  TD Index : 8
  TD Name : ip-traffic-table_8
  Priority : 4
  Mapping Priority :
  Mapping Index :
  CTAG Mapping Priority:
  CTAG Mapping Index :
  CTAG Default Priority: 0
  Priority Policy : local-pri
  CIR : 8192 kbps
  CBS : 264144 bytes
  PIR : 16384 kbps
  PBS : 526288 bytes
  Referenced Status : not used
  ------------------------------------------------
huawei(config)#service-port 10 vlan 1023 gpon 0/4/0 ont 2 gemport 126 multi-service user-vlan 100 inbound traffic-table index 8 outbound traffic-table index 8
huawei(config)#service-port desc 10 description gpon/Vlanid:1023/uservlan:100
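The guide names two settings with a direct security effect: the ONT key renewal interval on each GPON port (4.5, Step 4) and the MAC learning limit on each service port (4.6, Step 3, default 1023). The following review script is an added example, not part of the Huawei guide: it reads a planned command list and reports GPON ports that carry service ports but have no ont-password-renew command, service ports left at the default MAC limit, and service ports created without an explicit index. The transcript is constructed, and the function name audit and the finding labels are introduced here.

```python
import re

# Constructed command transcript in the style of the guide's examples;
# it is not output captured from a device.
SAMPLE = """\
huawei(config)#interface gpon 0/4
huawei(config-if-gpon-0/4)#port 0 fec enable
huawei(config-if-gpon-0/4)#port 0 ont-password-renew 10
huawei(config-if-gpon-0/4)#quit
huawei(config)#service-port 5 vlan 1000 gpon 0/4/0 ont 1 gemport 126 inbound traffic-table index 10 outbound traffic-table index 10
huawei(config)#mac-address max-mac-count service-port 5 3
huawei(config)#service-port 10 vlan 1023 gpon 0/4/0 ont 2 gemport 126 multi-service user-vlan 100 inbound traffic-table index 8 outbound traffic-table index 8
huawei(config)#service-port 11 vlan 1023 gpon 0/4/1 ont 1 gemport 126 multi-service user-vlan 101 inbound traffic-table index 8 outbound traffic-table index 8
huawei(config)#service-port vlan 1000 gpon 0/4/0 ont 3 gemport 126 inbound traffic-table index 10 outbound traffic-table index 10
"""

DEFAULT_MAX_MAC = 1023  # default from Table 4-11

PROMPT = re.compile(r"^[^#\s]*#")  # e.g. "huawei(config-if-gpon-0/4)#"
IFACE = re.compile(r"^interface gpon (\d+/\d+)$")
RENEW = re.compile(r"^port (\d+) ont-password-renew (\d+)$")
# The index is optional (4.6, Step 2 NOTE), so the first group may be empty.
SVC = re.compile(r"^service-port (?:(\d+) )?vlan (\d+) gpon (\d+/\d+/\d+) ont (\d+)\b")
MACLIM = re.compile(r"^mac-address max-mac-count service-port (\d+) (\d+)$")


def audit(transcript):
    """Return a list of (finding, subject) tuples for a command transcript."""
    board = None      # frame/slot of the GPON interface mode we are in
    renew = {}        # "frame/slot/port" -> key renewal interval
    svc = {}          # service-port index -> "frame/slot/port"
    mac_limit = {}    # service-port index -> configured MAC limit
    implicit = []     # GPON ports of service ports created without an index

    for raw in transcript.splitlines():
        cmd = PROMPT.sub("", raw.strip(), count=1).strip()
        if not cmd:
            continue
        if (m := IFACE.match(cmd)):
            board = m.group(1)
        elif cmd == "quit":
            board = None
        elif (m := RENEW.match(cmd)) and board:
            # Only counts when typed inside "interface gpon <frame/slot>".
            renew[f"{board}/{m.group(1)}"] = int(m.group(2))
        elif (m := SVC.match(cmd)):
            if m.group(1) is None:
                implicit.append(m.group(3))
            else:
                svc[int(m.group(1))] = m.group(3)
        elif (m := MACLIM.match(cmd)):
            mac_limit[int(m.group(1))] = int(m.group(2))

    findings = []
    # Every GPON port that carries a service port needs a key renewal interval.
    for port in sorted(set(svc.values()) | set(implicit)):
        if port not in renew:
            findings.append(("no-key-renewal", port))
    # Without an explicit index the system picks one, so a later
    # max-mac-count command cannot be matched to the port from the plan alone.
    for port in implicit:
        findings.append(("implicit-index", port))
    # Service ports with no limit, or a limit equal to the default of 1023.
    for idx in sorted(svc):
        if mac_limit.get(idx, DEFAULT_MAX_MAC) >= DEFAULT_MAX_MAC:
            findings.append(("default-mac-limit", idx))
    return findings


if __name__ == "__main__":
    for finding, subject in audit(SAMPLE):
        print(f"{finding}: {subject}")
```

The script only sees the commands it is given, so settings already present on a device and not repeated in the list will be reported as missing.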

5 Configuring the EPON Internet Access Service

About This Chapter

The EPON broadband Internet access service is applicable to the scenario that provides subscribers with the Internet service through optical fibers. This topic describes how to configure the Internet access service provided by the MA5600T through EPON.

Application Context

EPON is mainly used in the FTTx solution. The FTTx technology is mainly used for adopting optical network in the access network. Its coverage is from the CO device of the regional telecommunications room to the subscriber terminal. The optical line terminal (OLT) functions as the CO device. The optical network unit (ONU) or the optical network terminal (ONT) functions as the subscriber terminal. The networking mode for the service can be FTTH, FTTB, FTTC, or FTTO.
• FTTH refers to fiber to the home. In this networking scenario, the MA5600T functions as an OLT and is connected to the ONT at lower layer through the ODN. The ONT is connected to subscribers to provide the voice, Internet access, and IPTV services.
• FTTB refers to fiber to the building. In this networking scenario, the MA5600T functions as an OLT and is connected to the MDU or ONUs of other types at lower layer through the ODN. The ONU or MDU is connected to subscribers. FTTB can be further classified into FTTB+DSL and FTTB+LAN. These two modes respectively use the home gateway with an RJ-11 upstream port and the home gateway with a LAN upstream port to provide the voice, Internet access, and IPTV services.
• FTTC refers to fiber to the curb. In this networking scenario, the MA5600T functions as an OLT and is connected to the outdoor cabinet of the MDU or ONU at lower layer through the ODN. The ONU or MDU is connected to subscribers. FTTC and FTTB are the same in configuration and differ from each other only in the networking mode. FTTC is mainly used to provide services for residential subscribers. The ONU is placed in the cabinet at the curb. It uses coaxial cables to transmit CATV signals or uses twisted pairs to transmit the voice and Internet access services.
• FTTO refers to fiber to the office. In this networking scenario, the MA5600T functions as an OLT and is connected to the ONU at lower layer through the ODN. The ONU is connected to subscribers to provide the voice, Internet access, IPTV, and private line services. The Ethernet port of the ONU is connected to the LAN of subscribers so that subscribers can be directly connected to the Internet, or connected to the headquarters or branch offices through VPN.

Prerequisite

• Configure the AAA function.
  – To enable the AAA function on the device, see 2.12 Configuring AAA.
  – If the AAA function is implemented by the BRAS, a connection to the BRAS must be established. The BRAS should be capable of identifying the VLAN tag of the MA5600T in the upstream direction. For the identification purpose, the user name and password for dial-up Internet access must be configured on the BRAS.
• The EPON profile that is used for the Internet access service is already created.
  – For an ONT, Configuring the EPON ONT Line Profile and Configuring the EPON ONT Service Profile are already completed.
  – For an MDU or ONU, Configuring the EPON ONT Line Profile is already completed.

Data Plan

Before configuring the EPON Internet access service, plan the data items as listed in Table 5-1.

Table 5-1 Data plan for the EPON Internet access service

Item | Data | Remarks
MA5600T | Access rate | Configure the data according to the user requirements.
MA5600T | Access port | Configure the data according to the network planning.
MA5600T | VLAN planning | The cooperation with the upper-layer device should be considered in the VLAN planning. The upstream VLAN must be the same as that of the upper-layer device.
MA5600T | QoS policy | Configure the data according to the QoS policy of the entire network. Generally, the priority of the Internet access service is lower than the priorities of the voice and video services.
ONT | LLID | -
ONT | ONT index | EPON supports a split ratio of up to 1:128. You need to plan the ONTs connected to the MA5600T to facilitate management.
ONT | Authentication mode | You can use the password authentication and the MAC address authentication.
Upper-layer LAN switch | - | The LAN switch transparently transmits the service packets of the MA5600T on L2. The VLAN ID must be the same as the upstream VLAN ID of the MA5600T.
BRAS | - | The BRAS performs the related configurations according to the authentication and accounting requirements for dialup users, for example, configures the access user domain (including the authentication scheme, accounting scheme, and authorization scheme bound to the domain) and specifies the RADIUS server. If the BRAS is used to authenticate users, you need to configure the user name and the password for each user on the BRAS. If the BRAS is used to allocate IP addresses, you need to configure the corresponding IP address pool on the BRAS.

Procedure

1. 5.1 Configuring an EPON ONT Profile
   EPON ONT profiles are classified into DBA profiles, line profiles and service profiles. This topic describes how to configure these profiles.
2. 5.2 Configuring a VLAN
   Configuring VLAN is a prerequisite for configuring a service. Hence, before configuring a service, make sure that the VLAN configuration based on planning is complete.
3. 5.3 Configuring an Upstream Port
   This topic describes how to add an upstream port for an Internet access service to a VLAN.
4. 5.4 Configure the EPON ONT
   The MA5600T provides end users with services through the ONT. The MA5600T can manage the ONT and the ONT can work in the normal state only after the channel between the MA5600T and the ONT is available.
5. 5.5 Configuring an EPON User Port
   An EPON port can work in the normal state and transmit services only after it is enabled. This topic describes how to enable an EPON port and configure the attributes for the port.
6. 5.6 Creating an EPON Service Port
   A service port is a service channel between the user side and the network side. To provide services, you must configure the service port.

5.1 Configuring an EPON ONT Profile

EPON ONT profiles are classified into DBA profiles, line profiles and service profiles. This topic describes how to configure these profiles.

Background Information

In the profile mode, EPON ONT profiles are classified into line profiles and service profiles according to the EPON ONT parameters. Set related attributes in line profile mode and service profile mode, and directly bind the ONT to the line profile and service profile.

The line profile is mainly used to configure the information related to DBA. The service profile is mainly used to configure the actual ONT capability and the parameters related to services. The line profile is mandatory and the service profile is optional and dependent on service requirements.

5.1.1 Configuring a DBA Profile

A DBA profile defines the traffic parameters of xPON and can be bound to dynamically allocate the bandwidth and improve the usage of the upstream bandwidth.

Default Configuration

Table 5-2 lists the default settings of the DBA profiles.

Table 5-2 Default settings of the DBA profiles

Parameter | Default Setting | Remarks
Default DBA profile ID in the system | 1-9 | You can run the display dba-profile all command to query the parameter values of each default DBA profile.

Procedure

Step 1 Add a DBA profile.
Run the dba-profile add command to add a DBA profile. The system provides nine default DBA profiles numbered 1-9, which define the typical values of traffic parameters. These DBA profiles cannot be added or deleted. By default, LLID is bound to No. 9 DBA profile.

NOTE
• By default, T-CONT is not bound to any DBA profile. Hence, a DBA profile must be configured for T-CONT.
• When you add a DBA profile, the bandwidth value must be a multiple of 64. If you enter a bandwidth value that is not a multiple of 64, the system adopts the closest multiple of 64 that is smaller than the value you enter.

Step 2 Query a DBA profile.
Run the display dba-profile command to query a DBA profile.

----End

Example

Assume that the name and type of a DBA profile are "DBA_bandwidth" and "type3" respectively, and that the bandwidth required by a user is 10 Mbit/s. To add such a DBA profile, do as follows:

huawei(config)#dba-profile add profile-name DBA_10M type3 assure 10240 max 10240
huawei(config)#display dba-profile profile-name DBA_10M
  -----------------------------------------------------------------
  Profile-name : DBA_10M
  Profile-ID: 10
  type: 3
  Bandwidth compensation: No
  Fix(kbps): 0
  Assure(kbps): 10240
  Max(kbps): 10240
  bind-times: 0
  -----------------------------------------------------------------

5.1.2 Configuring an EPON ONT Line Profile

Configure the EPON ONT line profile so that you can reference the profile when adding an ONT. Regardless of whether the ONT is in the OAM or SNMP management mode, the ONT needs to be bound with an EPON ONT line profile.

Default Configuration

Table 5-3 lists the default settings of the EPON ONT line profile.

Table 5-3 Default settings of the EPON ONT line profile

Parameter | Default Setting
DBA profile bound to LLID | Profile ID: 9
Upstream FEC switch | Disabled

Procedure

Step 1 Run the ont-lineprofile epon command to add an EPON ONT line profile, and then enter the EPON ONT line profile mode.
Regardless of whether the ONT is in the OAM or SNMP management mode, the line profile must be configured for the ONT. After adding an EPON ONT line profile, directly enter the EPON ONT line profile mode to configure the related attributes of the ONT line.

Step 2 Bind LLID with a DBA profile.
Run the llid command to bind LLID with a DBA profile. Ensure that 4.1 Configuring a DBA Profile is completed before the configuration.

Step 3 Bind LLID with a DBA profile.
Use the following two methods to bind a DBA profile.
• In line profile mode: This method is applicable to the scenario where the DBA profile is stable and the terminals are of a single type.
  Run the llid command to bind LLID with a DBA profile. Ensure that Adding a DBA Profile is completed before the configuration.
• In EPON mode: This method is applicable to the scenario where the DBA profile changes frequently and the terminals are of different types.
  1. Run the undo llid command to unbind the default DBA profile.
  2. After the configuration of an EPON ONT line profile is complete, enter the EPON mode. Run the ont llid command to bind LLID with a DBA profile. Ensure that Adding a DBA Profile is completed before the configuration.

Step 4 Configure the queue threshold of the DBA queue set.
Run the dba-threshold command to configure the queue threshold of the DBA queue set. The terminal has its own default value for the queue threshold in the OAM management mode. You can use the default value and need not configure the threshold.

Step 5 Configure the upstream FEC switch.
Run the fec enable command to enable the upstream FEC function of the EPON ONT. By default, the ONT FEC function is disabled.
In the FEC check, the system inserts redundancy data into normal packets. In this way, the line has certain error tolerant function, but certain bandwidth resources are wasted. Enabling the FEC function enhances the error tolerant capability of the line but occupies certain bandwidth. Therefore, determine whether to enable the FEC function based on the actual line planning.

Step 6 Run the commit command to make the parameters of the profile take effect.
The configuration of a line profile takes effect only after you perform this operation.

NOTE
If this profile is not bound, all the parameters that are configured take effect when the profile is bound. If this profile is already bound, the configuration takes effect on all ONTs bound with this profile immediately.

Step 7 Run the quit command to return to the global config mode.

----End

Example

To add EPON line profile 5 and bind LLID with DBA profile 1, do as follows:

huawei(config)#ont-lineprofile epon profile-id 5
huawei(config-epon-lineprofile-5)#llid dba-profile-id 1
huawei(config-epon-lineprofile-5)#commit
huawei(config-epon-lineprofile-5)#quit

5.1.3 Configuring an EPON ONT Service Profile

The EPON ONT service profile provides a channel for configuring the service of the ONT managed in the OAM mode. To configure the service of the ONT (such as the MDU) managed in the SNMP mode, you need to log in to the ONT.

run the ont port vlan command to configure the port VLAN of the ONT in the EPON mode. NOTE The voice service of the ONT is issued to the NMS for configuration through XML. Step 2 Configure the Internet access service. Therefore. The port capability set must be the same as the actual ONT capability set. By default. 2. 3. and then enter the EPON ONT service profile mode. 2. 1. Run the ont-port eth command to configure the port capability set of the ONT.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 5 Configuring the EPON Internet Access Service Default Configuration Table 5-4 lists the default settings of the EPON ONT service profile. The capability set plans the number of various ports supported by the ONT. The capability set plans the number of various ports supported by the ONT. run the ont port vlan command to configure the port VLAN of the ONT in the EPON mode. Alternatively. If the ONT management mode is the SNMP mode. Run the port vlan command to configure the port VLAN of the ONT. Run the port vlan command to configure the port VLAN of the ONT. Select the configuration items according to the service requirements. Run the ont-port pots command to configure the port capability set of the ONT. Alternatively. The capability set plans the number of various ports supported by the ONT. Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. 2. 293 . Run the multicast mode command to configure the multicast mode and the quick leave mode of the ONT port. 1. The port capability set must be the same as the actual ONT capability set. Run the ont-port eth command to configure the port capability set of the ONT. 1. Step 3 Configure the voice service. The port capability set must be the same as the actual ONT capability set. run the ont port vlan command to configure the port VLAN of the ONT in the EPON mode. Ltd. the multicast mode is CTC and the quick leave mode is unconcern. 
directly enter the EPON ONT service profile mode to configure the related services. After adding an EPON service profile.. Step 4 Configure the multicast service. Alternatively. Table 5-4 Default settings of the EPON ONT service profile Parameter Default Setting Multicast mode of the ONT port CTC Quick leave mode of the ONT port Unconcern (the OLT does not perform any processing) Procedure Step 1 Run the ont-srvprofile epon command to add an EPON ONT service profile. and the OLT transparently transmits the service. you only need to run the service-port command to create a service port channel for carrying the voice service. Run the port vlan command to configure the port VLAN of the ONT. you need not configure the service profile.

the configuration takes effect on all ONTs bound with this profile immediately. l Igmp-snooping: IGMP snooping obtains the related information and maintains the multicast forwarding entries by listening to the IGMP packets in the communication between the user and the multicast router. To add EPON service profile 200. l Untag: Peel off the VLAN tag of the downstream multicast data packets. Demanding multicast programs on the ONT is based on the index of the multicast user. 4. the downstream data streams of the multicast VLAN are discarded by the ONT. l Transparent: Transparently transmit the multicast traffic streams without processing them. you need to configure the ONT multicast mode to a mode that is actually supported by the ONT. Run the port eth ont-portid multicast-tagstripe { untag | tag } command to configure the mode for processing the VLAN tag of the multicast data packets. l Ctc is a standard of China Telecom Corporation (CTC). when this multicast user demands a multicast program. If this profile is already bound.. Step 6 Run the quit command to return to the global config mode.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 5 Configuring the EPON Internet Access Service If the ONT does not support the CTC mode. For example. do as follows: huawei(config)#ont-srvprofile epon profile-id 200 huawei(config-epon-srvprofile-200)#ont-port eth 4 huawei(config-epon-srvprofile-200)#port vlan eth 1 10 Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. all the parameters that are configured take effect when the profile is bound. the multicast packets of this multicast user carry the VLAN 1 (index of the multicast user + 1) tag when transmitted from the ONT. and the VLAN ID of ONT port 1 is 10. NOTE If this profile is not bound. the ONT supports four ETH ports. 294 . Run the port multicast-vlan command to configure the multicast VLAN of the ONT port. 
CAUTION If the multicast VLAN of the ONT port is not configured. ----End Example Assume that the profile is used for the Internet access service. if the index of a multicast user connected to the ONT is 0. Ltd. l Tag: Transparently transmit the downstream multicast data packets. 5. Step 5 Run the commit command to make the parameters of the profile take effect. the VLAN ID of the service port to be created is the ID of the port where the ONT is located. The configuration of the service profile takes effect only after you perform this operation. The multicast VLAN must be consistent with the multicast VLAN on the OLT side. CAUTION If the multicast mode is the CTC mode.

huawei(config-epon-srvprofile-200)#commit
huawei(config-epon-srvprofile-200)#quit

Assume that the profile is used for the multicast service, the ONT supports four ETH ports, the VLAN ID of ONT port 1 is 100, the ONT supports the IGMP snooping mode, the VLAN tag of the multicast packets is transparently transmitted, and the multicast VLAN ID is 10. To add EPON service profile 20, do as follows:

huawei(config)#ont-srvprofile epon profile-id 20
huawei(config-epon-srvprofile-20)#ont-port eth 4
huawei(config-epon-srvprofile-20)#port vlan eth 1 100
huawei(config-epon-srvprofile-20)#multicast mode igmp-snooping
huawei(config-epon-srvprofile-20)#port eth 1 multicast-tagstripe tag
huawei(config-epon-srvprofile-20)#port multicast-vlan eth 1 10
huawei(config-epon-srvprofile-20)#commit
huawei(config-epon-srvprofile-20)#quit

5.2 Configuring a VLAN

Configuring VLAN is a prerequisite for configuring a service. Hence, before configuring a service, make sure that the VLAN configuration based on planning is complete.

Prerequisites
The VLAN to be added should not exist in the system.

Application Context
VLAN application is specific to user types. For details on the VLAN application, see Table 5-5.

Table 5-5 VLAN application and planning

| User Type | Application Scenario | VLAN Planning |
|---|---|---|
| Household user; commercial user of the Internet access service | N:1 scenario, that is, the scenario of upstream transmission through a single VLAN, where the services of multiple subscribers are converged to the same VLAN. | VLAN type: smart. VLAN attribute: common. VLAN forwarding mode: by VLAN+MAC |
| Household user; commercial user of the Internet access service | 1:1 scenario, that is, the scenario of upstream transmission through double VLANs, where the outer VLAN tag identifies a service and the inner VLAN tag identifies a user. The service of each user is indicated by a unique S+C. | VLAN type: smart. Attribute: stacking. VLAN forwarding mode: by S+C |

| User Type | Application Scenario | VLAN Planning |
|---|---|---|
| Commercial user of the transparent transmission service | Applicable only to the transparent transmission service of a commercial user. | VLAN type: smart. VLAN attribute: QinQ. VLAN forwarding mode: by VLAN+MAC or S+C. |

Default Configuration
Table 5-6 lists the default parameter settings of VLAN.

Table 5-6 Default parameter settings of VLAN

| Parameter | Default Setting | Remarks |
|---|---|---|
| Default VLAN of the system | VLAN ID: 1. Type: smart VLAN | You can run the defaultvlan modify command to modify the VLAN type but cannot delete the VLAN. |
| Reserved VLAN of the system | VLAN ID range: 4079-4093 | You can run the vlan reserve command to modify the VLAN reserved by the system. |
| Default attribute of a new VLAN | Common | - |
| VLAN forwarding mode | VLAN+MAC | - |

Procedure

Step 1 Create a VLAN.
Run the vlan command to create a VLAN. VLANs of different types are applicable to different scenarios.

Table 5-7 VLAN types and application scenarios

| VLAN Type | Configuration Command | VLAN Description | Application Scenario |
|---|---|---|---|
| Standard VLAN | To add a standard VLAN, run the vlan vlanid standard command. | Standard VLAN. Ethernet ports in a standard VLAN are interconnected with each other but Ethernet ports in different standard VLANs are isolated from each other. | Only available to Ethernet ports and specifically to network management and subtending. |

| VLAN Type | Configuration Command | VLAN Description | Application Scenario |
|---|---|---|---|
| Smart VLAN | To add a smart VLAN, run the vlan vlanid smart command. | One VLAN may contain multiple xDSL service ports or GPON service ports. The traffic streams of these ports, however, are isolated from each other. In addition, the traffic streams of different VLANs are also isolated. One smart VLAN provides access for multiple subscribers and thus saves VLAN resources. | Smart VLANs can be applied in residential communities to provide xDSL or GPON service access. |
| MUX VLAN | To add a MUX VLAN, run the vlan vlanid mux command. | One MUX VLAN contains only one xDSL service port or GPON service port. The traffic streams in different VLANs are isolated from each other. One-to-one mapping can be set up between a MUX VLAN and an access user. Hence, a MUX VLAN can identify an access user. | MUX VLANs are applicable to xDSL or GPON service access. For example, MUX VLANs can be used to distinguish users. |
| Super VLAN | To add a super VLAN, run the vlan vlanid super command. | The super VLAN is based on layer 3. One super VLAN contains multiple sub-VLANs. Through an ARP proxy, the sub-VLANs in a super VLAN can be interconnected at layer 3. | Super VLANs save IP addresses and improve the utilization of IP addresses. For a super VLAN, sub-VLANs must be configured. You can run the supervlan command to add a sub-VLAN to a specified super VLAN. A sub-VLAN must be a smart VLAN or MUX VLAN. |

NOTE
- To add VLANs with consecutive IDs in batches, run the vlan vlanid to end-vlanid command.
- To add VLANs with inconsecutive IDs in batches, run the vlan vlan-list command.

Step 2 (Optional) Configure the VLAN attribute.
The default attribute for a new VLAN is "common". You can run the vlan attrib command to configure the attribute of the VLAN. Configure the attribute according to VLAN planning.

Table 5-8 VLAN attributes and application scenarios

| VLAN Attribute | Configuration Command | VLAN Type | VLAN Description | Application Scenario |
|---|---|---|---|---|
| Common | The default attribute for a new VLAN is "common". | The VLAN with this attribute can be a standard VLAN, smart VLAN, MUX VLAN, or super VLAN. | A VLAN with the common attribute can function as a common layer 2 VLAN or function for creating a layer 3 interface. | Applicable to the N:1 access scenario. |
| QinQ VLAN | To configure QinQ as the attribute of a VLAN, run the vlan attrib vlanid q-in-q command. | The VLAN with this attribute can be a standard VLAN, smart VLAN or MUX VLAN. The attribute of a sub VLAN, the VLAN with a Layer 3 interface, and the default VLAN of the system cannot be set to QinQ VLAN. | The packets from a QinQ VLAN contain two VLAN tags, that is, inner VLAN tag from the private network and outer VLAN tag from the MA5600T. Through the outer VLAN, an L2 VPN tunnel can be set up to transparently transmit the services between private networks. | Applicable to the enterprise private line scenario. |

| VLAN Attribute | Configuration Command | VLAN Type | VLAN Description | Application Scenario |
|---|---|---|---|---|
| VLAN Stacking | To configure stacking as the attribute of a VLAN, run the vlan attrib vlanid stacking command. In the case of a stacking VLAN, to configure the inner tag of the service port, run the stacking label command. | The VLAN with this attribute can only be a smart VLAN or MUX VLAN. The attribute of a sub VLAN, the VLAN with an L3 interface, and the default VLAN of the system cannot be set to VLAN Stacking. | The packets from a stacking VLAN contain two VLAN tags, that is, inner VLAN tag and outer VLAN tag from the MA5600T. The upper-layer BRAS authenticates the access users according to the two VLAN tags. In this manner, the number of access users is increased. On the upper-layer network in the L2 working mode, a packet can be forwarded directly by the outer VLAN tag and MAC address mode to provide the wholesale service for ISPs. | Applicable to the 1:1 access scenario for the wholesale service or extension of VLAN IDs. |

NOTE
- To configure attributes for the VLANs with consecutive IDs in batches, run the vlan attrib vlanid to end-vlanid command.
- To configure attributes for the VLANs with inconsecutive IDs in batches, run the vlan attrib vlan-list command.

Step 3 (Optional) Configure VLAN description.
To configure VLAN description, run the vlan desc command. You can configure VLAN description to facilitate maintenance. The general VLAN description includes the usage and service information of the VLAN.

Step 4 (Optional) Configure the VLAN forwarding policy.
vlan-connect corresponds to the S+C forwarding policy, which ensures higher security by solving the problems of insufficiency in the MAC address space, MAC address aging, and MAC address spoofing and attacks.

You can configure the VLAN forwarding policy in either the global config mode or VLAN service profile configuration mode.
- In the global config mode, run the vlan forwarding command to configure the VLAN forwarding policy. The default VLAN forwarding policy is VLAN+MAC in the system.
- In the VLAN service profile configuration mode, to configure the VLAN forwarding policy, do as follows:
  1. Run the vlan service-profile command to create a VLAN service profile and enter the VLAN service profile mode.
  2. Run the forwarding command to configure the VLAN forwarding policy. The default VLAN forwarding mode is VLAN+MAC in the system.
  3. Run the commit command to validate the profile configuration. The configuration of the VLAN service profile takes effect only after execution of this command.
  4. Run the quit command to quit the VLAN service profile mode.
  5. Run the vlan bind service-profile command to bind the VLAN to the VLAN service profile created in 4.1.

----End

Example
Assume that a stacking VLAN with ID of 50 is to be configured for extension of the VLAN. A service port is added to VLAN 50. The outer VLAN tag 50 of the stacking VLAN identifies the access device and the inner VLAN tag 10 identifies the user with access to the device. For the VLAN, description needs to be configured for easy maintenance. To configure such a VLAN, do as follows:

huawei(config)#vlan 50 smart
huawei(config)#vlan attrib 50 stacking
huawei(config)#service-port vlan 50 gpon 0/4/0 ont 1 gemport 126 rx-cttr 6 tx-cttr 6
huawei(config)#stacking label vlan 50 baselabel 10
huawei(config)#vlan desc 50 description stackingvlan/label10

Assume that a QinQ VLAN with ID of 100 is to be configured for an enterprise user to ensure higher security and the VLAN forwarding policy is S+C. For the VLAN, description needs to be configured for easy maintenance. To configure such a VLAN, do as follows:

huawei(config)#vlan 100 smart
huawei(config)#vlan attrib 100 q-in-q
huawei(config)#vlan desc 100 description qinqvlan/forhuawei
huawei(config)#vlan forwarding 100 vlan-connect

5.3 Configuring an Upstream Port

This topic describes how to add an upstream port for an Internet access service to a VLAN.

Procedure

Step 1 Configure an upstream port for the VLAN.
Run the port vlan command to add the upstream port to the VLAN.

Step 2 Configure the attribute of the upstream port.

If the default attribute of the upstream port does not meet the requirement for interconnection of the upstream port with the upper-layer device, you need to configure the attribute. For configuration details, see 2.5 Configuring the Attributes of an Upstream Ethernet Port.

Step 3 Configure redundancy backup for the uplink.
To ensure reliability of the uplink, two upstream ports must be available. That is, redundancy backup of the upstream ports needs to be configured. For details, see 8.2 Configuring the Uplink Redundancy Backup.

----End

Example
Assume that the 0/17/0 and 0/17/1 upstream ports are to be added to VLAN 50. The 0/17/0 and 0/17/1 need to be configured into an aggregation group for double upstream accesses. For the two upstream ports, the working mode is full-duplex (full) and the port rate is 100 Mbit/s. To configure such upstream ports, do as follows:

huawei(config)#port vlan 50 0/17 0
huawei(config)#port vlan 50 0/17 1
huawei(config)#interface giu 0/17
huawei(config-if-giu-0/17)#duplex 0 full
huawei(config-if-giu-0/17)#duplex 1 full
huawei(config-if-giu-0/17)#speed 0 100
huawei(config-if-giu-0/17)#speed 1 100
huawei(config-if-giu-0/17)#quit
huawei(config)#link-aggregation 0/17 0 0/17 1 egress-ingress workmode lacp-static

5.4 Configure the EPON ONT

The MA5600T provides end users with services through the ONT. The MA5600T can manage the ONT and the ONT can work in the normal state only after the channel between the MA5600T and the ONT is available.

Prerequisites
The EPON ONT profile is already created.
- For an ONT, Configuring the EPON ONT Line Profile and Configuring the EPON ONT Service Profile are already completed.
- For an MDU or ONU, Configuring the EPON ONT Line Profile is already completed.

Background Information
The MA5600T uses the OAM protocol to manage and configure the EPON ONT, and supports the offline configuration of the ONT and the configuration recovery of the online ONT. In the profile mode, the related configuration of the EPON ONT is already integrated in the service profile and the line profile. When adding an ONT, you only need to bind the ONT with the corresponding service profile and line profile. Based on this mechanism, the ONT need not save the configuration information locally. This helps to provision services and maintain terminals.

Table 5-9 lists the default settings of the EPON ONT.

In this case. You only need to bind the ONU with a line profile. When the ONT management mode is the SNMP mode. By default.. 3. Run the ont add command to add an ONT offline. Run the port portid ont-auto-find command to enable the auto-find function of the ONT. that is. Run the ont snmp-profile command to bind the ONT with an SNMP profile. l If the ONU is not an independent NE and all its configuration is managed by the OLT through the OAM protocol. the system reports the MAC address and password of the auto-find ONT and you can add an ONT according to the information reported by the system. For the ONU that supports the voice service. 302 . l Generally. or run the ont confirm command to confirm the auto-find ONT. Issue 01 (2012-01-18) Run the ont snmp-route command to configure a static route for the NMS server. NOTE l If the ONU is an independent NE and is directly managed by the NMS through the SNMP management mode. the ONT management mode is set to the OAM mode. you need not configure the management VLAN. you need to configure all parameters that are required for the ONU on the OLT. The procedure is as follows: a. Run the ont ipconfig command to configure the IP address of the ONT. You need to bind the ONU with the line profile and the service profile. Ltd. 4. For this mode. The auto-find ONT can work in the normal state only after it is confirmed or added.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 5 Configuring the EPON Internet Access Service Table 5-9 Default settings of the EPON ONT Parameter Default Setting ONT auto-find function of an EPON port Disabled ONT status after an ONT is added Activated Default VLAN of the ONT port 1 Procedure Step 1 Run the interface epon command to enter the EPON mode. configure the IP address of the next hop. 1. You need to bind the ONT with a line profile and a service profile. select the SNMP management mode. Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. b. 
you need to configure the SNMP management parameters for the ONT. Step 2 Add an EPON ONT. select the OAM management mode. NOTE An auto-find ONT is in the auto-find state. For the ONU that is managed as an independent NE. you need to configure both the IP address and the management VLAN for the ONT. you only need to configure the parameters for the EPON line and the parameters for the management channel on the OLT. the ONT auto-find function of an EPON port is disabled. Run the snmp-profile add command to add an SNMP profile before the configuration. you need to configure the IP address of the ONT for the voice service. After the function is enabled. 2. For this mode. The IP address should not be in the same subnet for the IP address of the VLAN port.

100 desc MA5620E 5.5 Configuring an EPON User Port An EPON port can work in the normal state and transmit services only after it is enabled.0 gateway 10. bind the ONU with line profile 2 that matches the ONU. Default Configuration Table 5-10 lists the default settings of an EPON user port. The packets are not tagged with the default VLAN of the port on the ONT but are reported to the OLT with the user tag. 303 . Run the ont port native-vlan command to configure the default VLAN for the ONT port. the default VLAN ID of the ONT port is 1. This topic describes how to enable an EPON port and configure the attributes for the port. l If the packets reported from a user to the ONT are tagged.10. ----End Example To add an ONT that is managed by the OLT through the OAM protocol.53 161 huawei huawei(config)#interface epon 0/4 huawei(config-if-epon-0/4)#ont add 0 2 mac-auth 0073-075B-C9FE snmp ontlineprofile-id 2 huawei(config-if-epon-0/4)#ont ipconfig 0 2 ip-address 10. do as follows: huawei(config)#interface epon 0/4 huawei(config-if-epon-0/4)#port 0 ont-auto-find enable huawei(config-if-epon-0/4)#ont confirm 0 mac-auth 0018-8256-3E47 oam ontlineprofile-id 1 ont-srvprofile-id 1 desc HG850e To add an ONU that is managed as an independent NE and whose MAC address is known as 0073-075B-C9FE. configure the NMS parameters for the ONU.20 mask 255.10.20.190 mask 255.255. you need to configure the port VLAN of the ONT to be the same as the VLAN in the user tag.255. the ONT is in the activated state by default.. Step 4 Activate the ONT.20. Ltd.255.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 5 Configuring the EPON Internet Access Service Step 3 Configure the default VLAN (native VLAN) for the ONT port.20. do as follows: huawei(config)#snmp-profile add profile-id 1 v2c public private 10. and set the management VLAN to 31. and bind the ONT with line profile 1 and service profile 1 that match the ONT. 
Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.10. After being added.0 next-hop 10.5. Run the ont activate command to activate the ONT.20.10. confirm this ONT according to the MAC address 0018-8256-3E47 automatically reported by the system.20.255. The ONT can transmit services only when it is in the activated state. The step is required only when the ONT is in the deactivated state.1 manage-vlan 31 huawei(config-if-epon-0/4)#ont snmp-profile 0 2 profile-id 1 huawei(config-if-epon-0/4)#ont snmp-route 0 2 ip-address 10. the packets are tagged with the default VLAN of the port on the ONT and then reported to the OLT. l If the packets reported from a user (such a PC) to the ONT are untagged. By default.

Table 5-10 Default settings of an EPON user port

| Parameter | Default Setting |
|---|---|
| EPON port | Enabled |
| Maximum registrable ONT distance | 20 km |

Procedure

Step 1 Run the interface epon command to enter the EPON mode.

Step 2 Enable or disable an optical port.
- Run the port portid laser-switch on command to enable the laser of an optical port. By default, the laser of an optical port is enabled and the optical port is available. In this case, this step is not required.
- For an unneeded optical port, run the port portid laser-switch off command to disable the laser of the port.

Step 3 Configure the maximum registrable ONT distance.

CAUTION
Ensure that the PON port does not carry any service before performing this operation.

Run the port portid range command to configure the maximum registrable ONT distance of the EPON port. The default value is 20 km. If the ONT actual distance is larger than the preset maximum registrable distance, the ONT cannot be registered.

----End

Example
To set the maximum registrable ONT distance under EPON 0/4 to 15 km, do as follows:

huawei(config)#interface epon 0/4
huawei(config-if-epon-0/4)#port 0 range max-distance 15

5.6 Creating an EPON Service Port

A service port is a service channel between the user side and the network side. To provide services, you must configure the service port.

Background Information
A service port can carry a single service or multiple services. When a service port carries multiple services, the MA5600T supports the following modes of classifying traffic:
- By user-side VLAN
- By user-side service encapsulation mode

- By VLAN+user-side packet priority
- By VLAN+user-side service encapsulation mode

Table 5-11 lists the default settings of a service port.

Table 5-11 Default settings of a service port

| Parameter | Default Setting |
|---|---|
| Traffic profile ID | 0-6 |
| Administrative status of the service port | Activated |
| Maximum number of MAC addresses that are learned | 1023 |

Procedure

Step 1 Create a traffic profile.
Run the traffic table ip command to create a traffic profile. There are seven default traffic profiles in the system with the IDs of 0-6. Before creating a service port, run the display traffic table command to check whether the traffic profiles in the system meet the requirement. If no traffic profile in the system meets the requirement, add a traffic profile that meets the requirement. For details about the traffic profile, see Configuring Traffic Management Based on Service Port.

Step 2 Create a service port.
You can choose to create a single service port or multiple service ports in batches according to requirements.
- Run the service-port command to create a single service port. Service ports are classified into single-service service ports and multi-service service ports. Multi-service service ports are generally used for the triple play service.
  – Single-service service port: By default, a service port is a single-service service port if you do not enter multi-service.
  – Multi-service service port based on the user-side VLAN: Select multi-service user-vlan { untagged | user-vlanid | priority-tagged | other-all }.
    – untagged: When untagged is selected, user-side packets do not carry a tag.
    – user-vlanid: When user-vlanid is selected, user-side packets carry a tag and the value of user-vlanid must be the same as the tag carried in user-side packets, that is, CVLAN.
    – priority-tagged: When priority-tagged is selected, the VLAN tag is 0 and the priorities of user-side packets are 0-7.
    – other-all: When other-all is selected, service ports for the transparent LAN service (TLS) are created, which are mainly used in the QinQ transparent transmission

service for enterprises. All the traffic except known traffic in the system is carried over this channel.
  – Multi-service service port based on the user-side service encapsulation mode: Select multi-service user-encap user-encap.
  – Multi-service service port based on VLAN+user-side packet priority (802.1p): Select multi-service user-8021p user-8021p [ user-vlan user-vlanid ].
  – Multi-service service port based on VLAN + user-side service encapsulation mode (user-encap): Select multi-service user-vlan { untagged | user-vlanid | priority-tagged } user-encap user-encap.
- Run the multi-service-port command to create service ports in batches.

NOTE
- The system supports creating service ports by index. One index maps one service port and the input of a large number of traffic parameters is not required. Therefore, the configuration of service ports is simplified. During the creation of a service port, index indicates the index of the service port and it is optional. If it is not input, the system automatically adopts the smallest value.
- vlan indicates the S-VLAN. An S-VLAN can only be a MUX VLAN or smart VLAN.
- rx-cttr is the same as outbound in terms of meanings and functions. Either of them indicates the index of the traffic from the network side to the user side. tx-cttr is the same as inbound in terms of meanings and functions. Either of them indicates the index of the traffic from the user side to the network side. The traffic profile bound to the service port is created in Step 1.

Step 3 Configure the attributes of the service port.
Configure the attributes of the service port according to requirements.
- Run the service-port desc command to configure the description of the service port. Configure the description for a service port to facilitate maintenance. In general, configure the purpose and related service information as the description of a service port.
- Run the service-port index adminstatus command to configure the administrative status of the service port. By default, a service port is in the activated state. A service port can be activated at two levels: port level and service port level. To provision services for a user, the access port and the corresponding service port of the user must be activated.
- Run the mac-address max-mac-count service-port command to configure the maximum number of MAC addresses learned by the service port to restrict the maximum number of PCs that can access the Internet by using a same account. By default, the maximum number of MAC addresses learned by the service port is 1023.

----End

Example
Connect ONT 1 to EPON port 0/4/1 of the MA5600T. Plan an Internet access user. The ONT provides the Internet-access-only service with a rate of 2048 kbit/s for this user, the service VLAN ID is 100, and only three users are allowed to use a same account for Internet access at the same time. This user is not registered yet. Therefore, the service is not provided for the user for the moment. The query shows that there is a proper traffic profile. Then, directly reference this traffic profile. To configure such a user, do as follows:

huawei(config)#display traffic table ip from-index 0
{ <cr>|to-index<K> }:

  Command:
          display traffic table ip from-index 0
  ----------------------------------------------------------------------------
  TID CIR(kbps) CBS(bytes) PIR(kbps) PBS(bytes) Pri Copy-policy Pri-Policy
  ----------------------------------------------------------------------------
    0      1024      34768      2048      69536   6             tag-pri
    1      2496      81872      4992     163744   6             tag-pri
    2       512      18384      1024      36768   0             tag-pri
    3       576      20432      1152      40864   2             tag-pri
    4        64       4048       128       8096   4             tag-pri
    5      2048      67536      4096     135072   0             tag-pri
    6       off        off       off        off   0             tag-pri
  ----------------------------------------------------------------------------
  Total Num : 7
huawei(config)#service-port 4 vlan 100 epon 0/4/1 ont 1 inbound traffic-table index 5 outbound traffic-table index 5
huawei(config)#mac-address max-mac-count service-port 4 3
huawei(config)#service-port 4 adminstatus disable

Connect ONT 1 to EPON port 0/4/1 of the MA5600T. A commercial user requires the Internet access service with a rate of 4096 kbit/s to be provided. For subsequent service expansion, the ONT provides the Internet access service for this user in the multi-service mode. The user is differentiated based on the user-end VLAN, S-VLAN ID is 50, and C-VLAN ID is 10. The Internet access service is required to be provided immediately. The description of the service port is added to facilitate maintenance. The query shows that there is no proper traffic profile in the system. Then, create traffic profile 9. To configure such a user, do as follows:

huawei(config)#display traffic table ip from-index 0
{ <cr>|to-index<K> }:
  Command:
          display traffic table ip from-index 0
  ----------------------------------------------------------------------------
  TID CIR(kbps) CBS(bytes) PIR(kbps) PBS(bytes) Pri Copy-policy Pri-Policy
  ----------------------------------------------------------------------------
    0      1024      34768      2048      69536   6             tag-pri
    1      2496      81872      4992     163744   6             tag-pri
    2       512      18384      1024      36768   0             tag-pri
    3       576      20432      1152      40864   2             tag-pri
    4        64       4048       128       8096   4             tag-pri
    5      2048      67536      4096     135072   0             tag-pri
    6       off        off       off        off   0             tag-pri
  ----------------------------------------------------------------------------
  Total Num : 7
huawei(config)#traffic table ip index 9 cir 4096 priority 4 priority-policy local-Setting
  Create traffic descriptor record successfully
  ------------------------------------------------
  TD Index              : 9
  TD Name               : ip-traffic-table_9
  Priority              : 4
  Mapping Priority      :
  Mapping Index         :
  CTAG Mapping Priority :
  CTAG Mapping Index    :
  CTAG Default Priority : 0
  Priority Policy       : local-pri
  CIR                   : 4096 kbps
  CBS                   : 133072 bytes
  PIR                   : 8192 kbps
  PBS                   : 264144 bytes
  Referenced Status     : not used
  ------------------------------------------------
huawei(config)#service-port 5 vlan 50 epon 0/4/1 ont 2 multi-service user-vlan 10 inbound traffic-table index 9 outbound traffic-table index 9
huawei(config)#service-port desc 5 description epon/Vlanid:50/uservlan/10
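The settings configured in this chapter (the VLAN forwarding policy for double-tagged VLANs, the SNMP profile used for ONU management, ONT auto-find, and the per-service-port MAC learning limit) can be checked against a saved command list. The following Python sketch is an added example, not part of the Huawei guide: it parses only the command forms shown in this chapter, the sample configuration with its 192.0.2.x address is constructed, and the finding labels, the reading of the two tokens after v2c as read and write community names, and the v1 version token are assumptions.

```python
import re

# Constructed sample. Command forms follow this chapter's examples; the
# 192.0.2.x address is a documentation placeholder, not a value from the guide.
SAMPLE_CONFIG = """\
huawei(config)#vlan 50 smart
huawei(config)#vlan attrib 50 stacking
huawei(config)#vlan 100 smart
huawei(config)#vlan attrib 100 q-in-q
huawei(config)#vlan forwarding 100 vlan-connect
huawei(config)#snmp-profile add profile-id 1 v2c public private 192.0.2.53 161 huawei
huawei(config)#interface epon 0/4
huawei(config-if-epon-0/4)#port 0 ont-auto-find enable
huawei(config-if-epon-0/4)#quit
huawei(config)#service-port 4 vlan 100 epon 0/4/1 ont 1 inbound traffic-table index 5 outbound traffic-table index 5
huawei(config)#mac-address max-mac-count service-port 4 3
huawei(config)#service-port 5 vlan 50 epon 0/4/1 ont 2 multi-service user-vlan 10 inbound traffic-table index 9 outbound traffic-table index 9
"""

PROMPT = re.compile(r"^\S*#\s*")           # CLI prompt, e.g. huawei(config-if-epon-0/4)#
DOUBLE_TAG_ATTRS = {"stacking", "q-in-q"}  # VLAN attributes that carry two tags
DEFAULT_COMMUNITIES = {"public", "private"}
CLEARTEXT_SNMP = {"v1", "v2c"}             # "v1" token is an assumption; the guide shows v2c
DEFAULT_MAX_MAC = 1023                     # Table 5-11 default per service port

RULES = [
    ("attrib", re.compile(r"^vlan attrib (\d+) (\S+)$")),
    ("forward", re.compile(r"^vlan forwarding (\d+) (\S+)$")),
    # Assumption: the two tokens after the version are read and write community.
    ("snmp", re.compile(r"^snmp-profile add profile-id (\d+) (\S+) (\S+) (\S+)")),
    ("iface", re.compile(r"^interface epon (\S+)$")),
    ("autofind", re.compile(r"^port (\d+) ont-auto-find enable$")),
    ("svcport", re.compile(r"^service-port (\d+) vlan (\d+)")),
    ("maclimit", re.compile(r"^mac-address max-mac-count service-port (\d+) (\d+)$")),
]


def parse(text):
    """Collect the audited settings from a list of CLI commands."""
    st = {"attrib": {}, "connect": set(), "snmp": [], "autofind": [],
          "svcport": {}, "maclimit": {}}
    iface = None
    for raw in text.splitlines():
        cmd = " ".join(PROMPT.sub("", raw.strip()).split())
        if cmd == "quit":
            iface = None                   # left the interface mode
            continue
        for name, rx in RULES:
            m = rx.match(cmd)
            if not m:
                continue
            g = m.groups()
            if name == "attrib":
                st["attrib"][int(g[0])] = g[1]
            elif name == "forward":
                if g[1] == "vlan-connect":
                    st["connect"].add(int(g[0]))
                else:
                    st["connect"].discard(int(g[0]))
            elif name == "snmp":
                st["snmp"].append(g)
            elif name == "iface":
                iface = g[0]
            elif name == "autofind":
                st["autofind"].append(f"epon {iface or '?'}/{g[0]}")
            elif name == "svcport":
                st["svcport"][int(g[0])] = int(g[1])
            elif name == "maclimit":
                st["maclimit"][int(g[0])] = int(g[1])
            break
    return st


def audit(text):
    """Return (check, subject, detail) findings for the parsed configuration."""
    st = parse(text)
    out = []
    for pid, version, read_c, write_c in st["snmp"]:
        subject = f"snmp-profile {pid}"
        if version in CLEARTEXT_SNMP:
            out.append(("SNMP-CLEARTEXT", subject,
                        f"{version} sends community names unencrypted"))
        weak = sorted({read_c, write_c} & DEFAULT_COMMUNITIES)
        if weak:
            out.append(("SNMP-DEFAULT-COMMUNITY", subject,
                        "well-known community name(s): " + ", ".join(weak)))
    for vid, attr in sorted(st["attrib"].items()):
        if attr in DOUBLE_TAG_ATTRS and vid not in st["connect"]:
            out.append(("VLAN-FWD-DEFAULT", f"vlan {vid}",
                        f"{attr} VLAN forwards by VLAN+MAC, not vlan-connect (S+C)"))
    for idx in sorted(st["svcport"]):
        if idx not in st["maclimit"]:
            out.append(("MAC-LIMIT-DEFAULT", f"service-port {idx}",
                        f"no max-mac-count set; default {DEFAULT_MAX_MAC} applies"))
    for port in st["autofind"]:
        out.append(("ONT-AUTOFIND-ON", port, "auto-find enabled; default is disabled"))
    return out


if __name__ == "__main__":
    for check, subject, detail in audit(SAMPLE_CONFIG):
        print(f"{check:24} {subject:18} {detail}")
```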

6 Configuring the Multicast Service (PON)

About This Chapter
This topic describes how to configure the GPON/EPON multicast service on the MA5600T in a single-NE network.

Application Context
The multicast feature of the MA5600T is mainly applicable to the live TV and near-video on demand (NVOD) multicast video services. Currently, the multicast application of the MA5600T is oriented to L2, which forwards data based on VLAN ID + multicast MAC address. A multicast program in the network is identified by VLAN ID + multicast IP address uniquely.

The MA5600T differentiates multicast sources through VLANs. It allocates a unique VLAN to each multicast source, controls the multicast domain and the user authority based on VLANs, and provides a platform for different ISPs to implement different multicast video services.

In terms of multicast processing mode, the MA5600T supports IGMP proxy and IGMP snooping. Both of them provide the function of forwarding multicast video data, but their processing mechanisms are different:
- IGMP snooping obtains related information and maintains the multicast forwarding entries by listening to the IGMP packets in the communication between the user and the multicast router.
- IGMP proxy intercepts the IGMP packets between the user and the multicast router, processes the IGMP packets, and then forwards the IGMP packets to the upper-layer multicast router. For the multicast user, the MA5600T is a multicast router that implements the router functions in the IGMP protocol; for the multicast router, the MA5600T is a multicast user.

In terms of multicast program configuration, the MA5600T supports statically configuring a multicast program library and dynamically generating a multicast program library.
- Statically configuring a multicast program library: Configure the program list before the users watch the video programs. In this mode, the authority profile can be used to control the multicast. The program list and the authority profile, however, need to be maintained

according to the video service change. The program host, program prejoin, and multicast bandwidth management functions are supported.
- Dynamically generating a multicast program library: Dynamically generate the program list according to the programs demanded by the users. In this mode, the program list need not be configured or maintained; however, the functions such as program management, user multicast bandwidth management, program preview, and program prejoin are not supported.

If the traffic with a high priority is suddenly overloaded and the service with a low priority is affected, MA5600T processes and sends the IGMP packets first. IGMP packets are not discarded.

Data Plan
Before configuring the multicast video service, plan the data items as listed in Table 6-1.

Table 6-1 Data items planned for the multicast service

| Device | Data Item | Remarks |
|---|---|---|
| MA5600T | L2 multicast protocol | - |
| MA5600T | IGMP version | - |
| MA5600T | Multicast program configuration mode | - |
| MA5600T | Parameter values of the multicast protocol | - |
| MA5600T | Program list | - |
| MA5600T | User authentication policy | - |
| MA5600T | Program bandwidth, upstream port bandwidth, and user bandwidth | - |
| MA5600T | Multicast ONT | - |
| MA5600T | Multicast log policy | - |
| Upper-layer multicast router | IGMP version | The IGMP version of the upper-layer multicast router cannot be earlier than the IGMP version used by the MA5600T. |

Configuration Flowchart
Figure 6-1 shows the scheme of configuring the multicast service under GPON.

Figure 6-1 Scheme of configuring the multicast service under GPON

Figure 6-2 shows the scheme of configuring the multicast service under EPON.

Figure 6-2 Scheme of configuring the multicast service under EPON

Default Configuration

Table 6-2 lists the default configuration of the multicast service provided by the MA5600T.

Table 6-2 Default configuration of the multicast service
Feature | Default Configuration
Multicast protocol | Disable
IGMP version | V3
Multicast program configuration mode | Static configuration mode
Multicast bandwidth management | Enable
Multicast preview | Enable
Multicast log switch | Enable
Multicast mode of the GPON ONT | Unconcern
Multicast forwarding mode of the GPON ONT | Unconcern

1. 6.1 Configuring Multicast Global Parameters
   The general parameters of L2 multicast protocols (including IGMP proxy and IGMP snooping) configured for a device are applicable to all the multicast VLANs on the device.
2. 6.2 Configuring the Multicast VLAN and the Multicast Program
   In the application of multicast service, multicast VLANs (MVLANs) are used to distinguish multicast ISPs. Generally, a multicast VLAN is allocated to each multicast ISP for the VLAN-based management of multicast programs, multicast protocols, IGMP versions, and the VLAN-based control of multicast domain and user right.
3. 6.3 Configuring the Multicast EPON ONT
   When the device is connected downstream to an ONT or an MDU, you need to configure the multicast interconnection data for forwarding the multicast traffic streams.
4. 6.4 Configuring the Multicast GPON ONT
   When the MA5600T is connected with an ONT or an MDU, you need to configure the multicast interconnection data to forward the multicast traffic streams.
5. 6.5 Configuring a Multicast User
   This topic describes how to configure a multicast user and the related authority to provision the multicast service.
6. 6.6 (Optional) Configuring the Multicast Bandwidth
   To limit the multicast bandwidth of a user, you can enable multicast bandwidth management, that is, connection admission control (CAC), and then control the bandwidth of a multicast user by setting the program bandwidth and the user bandwidth.
7. 6.7 (Optional) Configuring Multicast Preview
   Multicast preview is an advertising method provided by carriers for ISPs. The purpose is to allow users to have an overview of a program in a controlled way. In other words, the duration, interval, and count of the user previews are controlled.
8. 6.8 (Optional) Configuring Program Prejoin
   In program prejoin, the MA5600T receives in advance the multicast stream of a program from the upper-layer multicast router to the upstream port before a user sends a request to join a program, thus shortening the waiting time of the user for requesting the program.
9. 6.9 (Optional) Configuring the Multicast Logging Function
   Multicast log serves as a criterion for carriers to evaluate the viewership of multicast programs.

6.1 Configuring Multicast Global Parameters

The general parameters of L2 multicast protocols (including IGMP proxy and IGMP snooping) configured for a device are applicable to all the multicast VLANs on the device.

Context

The multicast global parameters include general query, group-specific query, and the policy of processing multicast packets.

The description of a general query is as follows:
- Purpose: A general query packet is periodically sent by the MA5600T to check whether there is any multicast user who leaves the multicast group without sending the leave packet. Based on the query result, the MA5600T periodically updates the multicast forwarding table and releases the bandwidth of the multicast user that has left the multicast group.
- Principle: The MA5600T periodically sends the general query packet to all online IGMP users. If the MA5600T does not receive the response packet from a multicast user within a specified time (Robustness variable x General query interval + Maximum response time of a general query), it regards the user as having left the multicast group and deletes the user from the multicast group.

The description of a group-specific query is as follows:
- Purpose: A group-specific query packet is sent by the MA5600T after a multicast user that is not configured with the quick leave attribute sends the leave packet. The group-specific query packet is used to check whether the multicast user has left the multicast group.
- Principle: When a multicast user leaves a multicast group, for example, switches to another channel, the user unsolicitedly sends a leave packet to the MA5600T. If the multicast user is not configured with the quick leave attribute, the MA5600T sends a group-specific query packet to the multicast group. If the MA5600T does not receive the response packet from the multicast user within a specified duration (Robustness variable x Group-specific query interval + Maximum response time of a group-specific query), it deletes the multicast user from the multicast group.

Table 6-3 lists the default settings of the multicast global parameters. In the actual application, you can modify the values according to the data plan.

Table 6-3 Default settings of the multicast global parameters
Parameter | Default Value
General query parameter | Query interval: 125s; Maximum response time: 10s; Robustness variable (query times): 2
Group-specific query parameter | Query interval: 1s; Maximum response time: 0.8s; Robustness variable (query times): 2
Policy of processing multicast packets | IGMP packet: normal (IGMP packets are processed as controllable multicast); Unknown multicast packet: discard

Procedure

Step 1 In the global config mode, run the btv command to enter the BTV mode.

Step 2 Configure the general query parameters.
  1. Run the igmp proxy router gen-query-interval command to set the general query interval. By default, the general query interval is 125s.
  2. Run the igmp proxy router gen-response-time command to set the maximum response time of the general query. By default, the maximum response time of the general query is 10s.
  3. Run the igmp proxy router robustness command to set the robustness variable (query times) of the general query. By default, the robustness variable (query times) is 2.

Step 3 Set the group-specific query parameters.
  1. Run the igmp proxy router sp-query-interval command to set the group-specific query interval. By default, the group-specific query interval is 1s.
  2. Run the igmp proxy router sp-response-time command to set the maximum response time of the group-specific query. By default, the maximum response time of the group-specific query is 0.8s.
  3. Run the igmp proxy router sp-query-number command to set the robustness variable (query times) of the group-specific query. By default, the robustness variable (query times) is 2.

Step 4 Configure the policy of processing multicast packets.
  The default values are adopted for multicast service and need not be modified. To control the forwarding of multicast packets when configuring other services, run the following commands to configure the policy.
  1. Run the igmp policy command to set the policy of processing IGMP packets. By default, the normal mode for processing IGMP packets is adopted. In this mode, IGMP packets are processed as controllable multicast.
  2. Run the multicast-unknown policy command to set the policy of processing unknown multicast packets. The discard mode is adopted for unknown multicast packets. In this mode, unknown multicast packets are discarded.

Step 5 Run the display igmp config global command to check whether the values of the multicast parameters are correct.

----End

Example

To configure the multicast general query parameters by setting the query interval to 150s, maximum response time to 20s, and number of queries to 3, do as follows:

In this case. Ltd.0 is used. 315 . maximum response time to 100s. and number of queries to 3.. The multicast VLAN can be different from the unicast VLAN. IGMP versions. multicast program. In this case. multicast VLANs (MVLANs) are used to distinguish multicast ISPs. only one multicast VLAN is allowed to have dynamically generated programs. the two VLANs use different service stream channels. the source IP address is the IP address of VLAN interface. including the L2 multicast protocol. the source IP address is the host IP address of the program.0. l If the host IP address is not configured. do as follows: huawei(config)#btv huawei(config-btv)#igmp proxy router sp-query-interval 200 huawei(config-btv)#igmp proxy router sp-response-time v3 100 huawei(config-btv)#igmp proxy router sp-query-number 3 6. a multicast VLAN is allocated to each multicast ISP for the VLANbased management of multicast programs. and the VLANbased control of multicast domain and user right. Generally. l If the IP address of the program VLAN interface is not configured. multicast protocols. and multicast upstream port. Context To create a multicast VLAN. One user port can be added to multiple multicast VLANs under the following restrictions: l Among all the multicast VLANs of a user port. a common VLAN must be created first.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 6 Configuring the Multicast Service (PON) huawei(config)#btv huawei(config-btv)#igmp proxy router gen-query-interval 150 huawei(config-btv)#igmp proxy router gen-response-time v3 20 huawei(config-btv)#igmp proxy router robustness 3 To configure the multicast group-specific query parameters by setting the query interval to 200s.0.2 Configuring the Multicast VLAN and the Multicast Program In the application of multicast service. the default address 0. The multicast VLAN can be the same as the unicast VLAN. Table 6-4 lists the default settings of the multicast VLAN attributes. 
Table 6-4 Default settings of the multicast VLAN attributes Issue 01 (2012-01-18) Parameter Default Value Program matching mode enable (static configuration mode) Multicast upstream port mode default L2 multicast protocol off (multicast function disabled) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. the two VLANs can share the same service stream channel. IGMP version. l One user port is not allowed to belong to multiple multicast VLANs that are in the IGMP v3 snooping mode. The source IP address in the multicast packets that are sent to the upper device by the OLT may be as follows: l If the IP address of the program VLAN interface is configured.

user multicast bandwidth management. The VLAN with S+C forwarding mode cannot be set as a multicast VLAN. NOTE When a user is bound to multiple right profiles.. Run the igmp program add [name name ] ip ip-addr [ sourceip ip-addr ] [ hostip ipaddr ] command to add a multicast program. however. By default. and bind the program to a right profile to implement program right management. forbidden. Ltd. the functions such as program management. 1. By default. the program list need not be configured or maintained. run the igmp profile add command to add a right profile. Step 2 Configure multicast programs. 2. You can run the igmp right-priority command to adjust the priorities of the four rights: watch. NOTE If the IGMP version of a multicast VLAN is v3. and set the VLAN type according to the actual application. For details on the VLAN configuration. program preview. In the BTV mode. the system adopts the static configuration mode. and the right profiles have different rights to a program.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 6 Configuring the Multicast Service (PON) Parameter Default Value IGMP version v3 Priority of forwarding IGMP packets by the upstream port 6 Procedure Step 1 Create a multicast VLAN. Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. preview. Run the igmp match mode disable command to set the dynamic generation mode. In this mode. In the BTV mode. and set the right to watch. 1. and idle. the program must be configured with a source IP address. 316 . If the IGMP version of a multicast VLAN is v2. the priorities of the four rights are forbidden > preview > watch > idle. the program must not be configured with a source IP address. Run the multicast-vlan command to set the created VLAN to a multicast VLAN. l Static configuration mode: Configure a program list for the multicast VLAN beforehand. 2. see Configuring VLAN. Add a right profile. 4. 3. 
l Dynamic generation mode: A program list is dynamically generated according to the programs requested by users. Run the vlan command to create a VLAN. Bind the program to the right profile. The multicast VLAN can be configured statically or generated dynamically. Run the igmp match mode enable command to set the static configuration mode. the right with the highest priority prevails. 1. and program prejoin are not supported. run the igmp profile command to bind the program to the right profile.

       CAUTION
       The igmp match mode command can be executed only when the IGMP mode is disabled.
    2. Run the igmp match group command to configure the IP address range of the program group that can be dynamically generated. Users can request only the programs whose IP addresses are within the specified range.

Step 3 Configure the multicast upstream port.
  1. Run the igmp uplink-port command to configure the multicast upstream port. The packets of the multicast VLAN corresponding to the upstream port are forwarded and received by this upstream port.
  2. In the BTV mode, run the igmp uplink-port-mode command to change the mode of the multicast upstream port. By default, the port is in the default mode. In the MSTP network, the port adopts the MSTP mode.
     - Default mode: If the multicast VLAN contains only one upstream port, the multicast packets that go upstream can be sent only by this port. If the multicast VLAN contains multiple upstream ports, the multicast packets that go upstream are sent by all the upstream ports.
     - MSTP mode: This mode is adopted in the MSTP network.

Step 4 Select the multicast mode.
  Run the igmp mode { proxy | snooping } command to select the L2 multicast mode. By default, the multicast mode is disabled.
  In the IGMP snooping mode, proxy can be enabled for the report packet and the leave packet. When a multicast user joins or leaves a multicast program, the MA5600T can implement IGMP proxy. IGMP snooping and IGMP proxy are controlled separately.
  - Run the igmp report-proxy enable command to enable the proxy of the snooping report packet. When the first user requests to join a program, after authenticating the user, the MA5600T sends the user report packet to the network side and receives a corresponding multicast stream from the multicast router. The report packets of the users that follow the first user are not sent by the MA5600T to the network side.
  - Run the igmp leave-proxy enable command to enable the proxy of the snooping leave packet. When the last user requests to leave the program, the MA5600T sends the user leave packet to the network side to request the upper-layer device to stop sending multicast streams. The leave packets of the users that precede the last user are not sent by the MA5600T to the network side.

Step 5 Set the IGMP version.
  Run the igmp version { v2 | v3 } command to set the IGMP version. By default, IGMP v3 is enabled in the system. If the upper-layer and lower-layer devices in the network are IGMP v2 devices and cannot recognize the IGMP v3 packets, run this command to change the IGMP version.
  IGMP v3 is compatible with IGMP v2 in packet processing. If IGMP v3 is enabled on the MA5600T and the upper-layer multicast router switches to IGMP v2, the MA5600T automatically switches to IGMP v2 when receiving the IGMP v2 packets. If the MA5600T does not receive any more IGMP v2 packets within the preset IGMP v2 timeout time, it automatically switches back to IGMP v3. In the BTV mode, run the igmp proxy router timeout command to set the IGMP v2 timeout time. By default, the timeout time is 400s.

Step 6 Change the priority for forwarding IGMP packets.
  Run the igmp priority command to change the priority for forwarding the IGMP packets by the upstream port. By default, the priority is 6 and need not be changed.
  - In the IGMP proxy mode, the IGMP packets sent from the upstream port to the network side adopt the priority set through the preceding command in the multicast VLAN.
  - In the IGMP snooping mode, the IGMP packets forwarded to the network side adopt the priority of the user service stream. The priority of the service stream is set through the traffic profile.

Step 7 Check whether the configuration is correct.
  - Run the display igmp config vlan command to query the attributes of the multicast VLAN.
  - Run the display igmp program vlan command to query the information about the program of the multicast VLAN.

----End

Example

Assume the following configurations: VLAN 101 is created, multicast programs are configured statically, the IP address of the program is 224.1.1.1, the source IP address is 10.10.10.10, the host IP address is 10.0.0.254, the program bandwidth is 5000 kbit/s, the upstream port of the multicast VLAN is 0/17/0, the IGMP proxy is used, and the IGMP version is IGMP V3. To perform these configurations, do as follows:

huawei(config)#vlan 101 smart
huawei(config)#multicast-vlan 101
huawei(config-mvlan101)#igmp match mode enable
huawei(config-mvlan101)#igmp program add name movie ip 224.1.1.1 sourceip 10.10.10.10 hostip 10.0.0.254 bandwidth 5000
huawei(config-mvlan101)#igmp uplink-port 0/17/0
huawei(config-mvlan101)#igmp mode proxy
Are you sure to change IGMP mode?(y/n)[n]:y
huawei(config-mvlan101)#igmp version v3

Assume the following configurations: VLAN 101 is created, multicast programs are configured dynamically, the upstream port of the multicast VLAN is 0/17/0, the IGMP proxy is used, and the IGMP version is IGMP V3. To perform these configurations, do as follows:

huawei(config)#vlan 101 smart
huawei(config)#multicast-vlan 101
huawei(config-mvlan101)#igmp match mode disable
This operation will delete all the programs in current multicast vlan
Are you sure to change current match mode? (y/n)[n]: y
Command is being executed, please wait...
Command has been executed successfully
huawei(config-mvlan101)#igmp uplink-port 0/17/0
huawei(config-mvlan101)#igmp mode proxy
Are you sure to change IGMP mode?(y/n)[n]:y
huawei(config-mvlan101)#igmp version v3

6.3 Configuring the Multicast EPON ONT

When the device is connected downstream to an ONT or an MDU, you need to configure the multicast interconnection data for forwarding the multicast traffic streams.

Prerequisites

Before configuring the multicast EPON ONT, you must add the ONT correctly. For the configuration method, see Configuring the EPON ONT.

Context

- When connected downstream to an ONT such as the HG8240, the MA5600T manages the ONT in the OAM mode. In this case, you need to configure the ONT line profile and the ONT service profile, configure the multicast data in the ONT service profile, and bind the profiles to the ONT to issue the multicast service.
- When connected downstream to an MDU such as the MA5612 or MA5662, the MA5600T manages the MDU in the SNMP mode. In this case, you do not need to configure a service profile. You only need to configure the multicast data on the MDU for interconnection with the MA5600T to forward the multicast traffic streams.

Procedure

- Add an ONT line profile.
  For the configuration method, see Configuring the EPON ONT Line Profile.
- Add an ONT service profile.
  If the ONT is managed in the SNMP mode, you do not need to configure the ONT service profile. After adding an EPON ONT service profile, directly enter the EPON ONT service profile mode to configure the related multicast data.
  1. Run the ont-port command to configure the port capability set of the ONT. The capability set plans the number of ETH, POTS, and TDM ports supported by the ONT. The port capability set in the ONT service profile must be the same as the actual ONT capability set.
  2. Run the port vlan command to configure the port VLAN of the ONT.
  3. Configure the multicast VLAN of the ONT port.
     Run the port multicast-vlan command to configure the multicast VLAN of the ONT port.
     WARNING
     If the multicast VLAN of the ONT port is not configured, the downstream data streams of the multicast VLAN are discarded by the ONT.
  4. (Optional) Configure the VLAN tag processing mode of the multicast data packets.
     Run the port eth ont-portid multicast-tagstripe { untag | tag | translation } command to configure the VLAN tag processing mode of the multicast data packets.

     – untag: Removes the VLAN tag of the downstream packets.
     – tag: Transparently transmits the downstream multicast data packets.
     – translation: Translates the VLAN tag of the downstream packets to another VLAN tag.
  5. After the configuration is complete, run the commit command to make the configured service profile take effect.
     NOTE
     - For an ONT that is added by running the ont add command or an auto-discovered ONT that is confirmed by running the ont confirm command, if you run the commit command after modifying the ONT line profile parameters and the ONT service profile parameters, the modified profile parameters take effect immediately.
     - The EPBA board does not support the commit command. You need to first configure the ONT line profile and the ONT service profile, and then bind the profiles to the ONT. After the binding, the profile parameters are not allowed modification.
- Configure the multicast mode of the ONT.
  In the EPON mode, run the ont multicast-mode { igmp-snooping | ctc | transparent } command to select the multicast mode.
  – igmp-snooping: The ONU generates a multicast forwarding table based on the upstream IGMP report and leave packets and maintains it to control multicast users' rights to order multicast programs.
  – ctc: It is a standard of China Telecom Corporation (CTC). In the CTC mode, the ONU maintains a multicast forwarding table that is not generated based on the upstream IGMP report and leave packets but a multicast forwarding table that is dynamically updated according to the multicast control OAM packets issued by the MA5600T. The MA5600T maintains a rights control table of multicast services to manage the users' multicast service access rights in a unified manner. The MA5600T is the party of the multicast rights management and the ONU is the executor. The MA5600T uses extended OAM packets for multicast control to issue the users' access rights of the multicast channel to the ONU and the ONU forwards or disconnects the traffic stream.
  – transparent: Directly forward the multicast traffic streams without processing them.
  NOTE
  - If the multicast mode is the CTC mode, the VLAN ID of the service port to be created is the ID of the port to which the ONT is connected.
  - The advantage of the CTC mode is that the multicast rights management of the dynamic controllable multicast is transferred to the MA5600T. Specifically, if a multicast program is added or updated, update the MA5600T only and you do not need to update the ONUs. Hence, the ONU configuration is simplified and the management and maintenance efficiency is improved.
  - The controllable multicast mode is different from multicast modes (IGMP proxy and IGMP snooping). The IGMP proxy and IGMP snooping are processing modes for the multicast streams. The multicast service access rights are managed by the MA5600T-side NMS in a unified manner.

----End

Example

To configure the multicast mode of ONT 1 connected to port 0/4/1 to IGMP snooping, the ONT service profile ID to 10, the VLAN ID of ETH ports to 10, and the VLAN ID of multicast ports to 100, and configure 4 ETH ports and 2 POTS ports, do as follows:

huawei(config-if-epon-0/4)#ont multicast-mode 1 1 igmp-snooping
huawei(config-if-epon-0/4)#quit

huawei(config)#ont-srvprofile epon profile-id 10
huawei(config-epon-srvprofile-10)#ont-port eth 4 pots 2
huawei(config-epon-srvprofile-10)#port vlan eth 1 10
huawei(config-epon-srvprofile-10)#multicast mode igmp-snooping
huawei(config-epon-srvprofile-10)#port multicast-vlan eth 1 100
huawei(config-epon-srvprofile-10)#commit
huawei(config-epon-srvprofile-10)#quit

6.4 Configuring the Multicast GPON ONT

When the MA5600T is connected with an ONT or an MDU, you need to configure the multicast interconnection data to forward the multicast traffic streams.

Prerequisites

Before configuring the multicast GPON ONT, you must add the ONT correctly. For the configuration method, see 4.4 Configuring a GPON ONT.

Context

- When the OLT is connected with an ONT such as the HG8240, the MA5600T manages the ONT in the OMCI mode. In this case, you need to configure the ONT line profile and the ONT service profile, configure the multicast data in the ONT service profile, and bind the profiles to the ONT to issue the multicast service.
- When the OLT is connected with an MDU such as the MA5612 or MA5662, the MA5600T manages the MDU in the SNMP mode. In this case, you need not configure the service profile. You only need to configure the multicast data on the MDU interconnected with the MA5600T to forward the multicast traffic streams.

Procedure

Step 1 Add an ONT line profile.
  For the configuration method, see 4.1.2 Configuring a GPON ONT Line Profile.

Step 2 Add an ONT service profile.
  If the ONT management mode is the SNMP mode, you need not configure the ONT service profile.
  Run the ont-srvprofile gpon command to add a GPON ONT service profile, and then enter the GPON ONT service profile mode. After adding a GPON ONT service profile, directly enter the GPON ONT service profile mode to configure the related multicast data.
  1. Run the ont-port command to configure the port capability set of the ONT. The port capability set in the ONT service profile must be the same as the actual ONT capability set.
  2. Run the port vlan command to configure the port VLAN of the ONT.
  3. Configure the multicast mode of the ONT.
     Run the multicast mode { igmp-snooping|olt-control|unconcern } command to select the multicast mode.
     - igmp-snooping: IGMP snooping obtains related information and maintains the multicast forwarding entries by listening to the IGMP packets in the communication between the user and the multicast router.

     - olt-control: It is the dynamic controllable multicast mode. A multicast forwarding entry can be created for the multicast join packet of the user only after the packet passes the authentication.
     - unconcern: It is the unconcern mode. After this mode is selected, the OLT does not limit the multicast mode, and the multicast mode on the OLT automatically matches the multicast mode on the ONT.
  4. Configure the multicast forwarding mode.
     Run the multicast-forward { tag|unconcern|untag } command to configure the processing mode on the VLAN tag of the multicast data packets.
     - unconcern: The forwarding mode is not concerned.
     - tag: Set the multicast forwarding mode to contain the VLAN tag.
     - untag: Set the multicast forwarding mode not to contain the VLAN tag.
  5. After the configuration is complete, run the commit command to make the configured service profile take effect.
     NOTE
     For an ONT that is added through the ont add command or an automatically found ONT that is confirmed through the ont confirm command, if you run the commit command after modifying the ONT line profile parameters and the ONT service profile parameters, the modified profile parameters take effect immediately.

----End

Example

To configure the ONT service profile 10 of 4 ETH ports, 2 POTS ports, the VLAN of the ETH port as 10, the multicast mode as IGMP snooping, the multicast forwarding mode as unconcern, do as follows:

huawei(config)#ont-srvprofile gpon profile-id 10
huawei(config-gpon-srvprofile-10)#ont-port eth 4 pots 2
huawei(config-gpon-srvprofile-10)#port vlan eth 1 10
huawei(config-gpon-srvprofile-10)#multicast mode igmp-snooping
huawei(config-gpon-srvprofile-10)#multicast-forward unconcern
huawei(config-gpon-srvprofile-10)#commit
huawei(config-gpon-srvprofile-10)#quit

6.5 Configuring a Multicast User

This topic describes how to configure a multicast user and the related authority to provision the multicast service.

Prerequisites

Before configuring a multicast user, you need to create the service channel. The procedure is as follows:
- Configure a GPON multicast user
  1. Configure the VLAN
  2. Configure the upstream port
  3. Configure the multicast GPON ONT

  4. Configure the GPON user port
  5. Configure the GPON traffic stream

Context

Add a multicast user and bind the multicast user to the multicast VLAN to create a multicast member. Bind the multicast user to an authority profile to implement multicast user authentication.

Table 6-5 lists the default settings of the multicast user attributes.

Table 6-5 Default settings of the multicast user attributes
Parameter | Default Setting
Limitation on the number of programs that can be watched by the multicast user | Number of programs that can be watched concurrently: 8; Maximum number of programs at various levels that can be watched: no limit
Quick leave mode of the multicast user | mac-based
Global switch of multicast user authentication | enable

Procedure

Step 1 In the global config mode, run the btv command to enter the BTV mode.

Step 2 Configure a multicast user and the multicast user attributes.
  1. Add a multicast user.
     Run the igmp user add service-port command to add a multicast user.
  2. Configure the maximum number of programs that can be watched by the multicast user.
     - Run the igmp user add service-port index max-program { max-program-num | nolimit } command to set the maximum number of programs that can be watched by the multicast user concurrently. Up to 32 programs can be watched by the multicast user concurrently.
     - Run the igmp user watch-limit service-port { hdtv | sdtv | streaming-video } command to set the maximum number of programs at various levels that can be watched by the multicast user. By default, it is no limit.
  3. Set the quick leave mode of the multicast user.
     Run the igmp user add service-port index quickleave { immediate | disable | mac-based } command to set the quick leave mode of the multicast user. By default, the quick leave mode is the mac-based mode.
     - immediate: After receiving the leave request packet of the multicast user, the system immediately deletes the multicast user from the multicast group. This setting is applicable to the scenario where only one terminal is connected to the same port or the terminal works in the IGMP proxy mode.

      • disable: After receiving the leave request packet of the multicast user, the system sends ACK packets to confirm that the multicast user leaves, and then deletes the multicast user from the multicast group.
      • mac-based: It is the quick leave mode based on the MAC address. The system detects the MAC address in the leave packet of the user. If it is the same as the MAC address in the report packet of the user, the system immediately deletes the multicast user from the multicast group. Otherwise, the system does not delete the multicast user. In this mode, the application scenario with multiple terminals is supported.
Step 3 Configure multicast user authentication.
To control the authority of a multicast user, you can enable the multicast user authentication function.
   1. Configure the multicast user authentication switch.
      Run the igmp user add service-port index { auth | no-auth } command to configure whether to authenticate a multicast user. The default configuration is no-auth.
      NOTE
      After configuring multicast user authentication, you need to enable the global authentication switch to make the configuration take effect. By default, the global switch of multicast user authentication is enabled. You can run the igmp proxy authorization command to change the configuration.
   2. Bind the multicast user to a global profile.
      Run the igmp user bind-profile command to bind the user to an authority profile. The multicast user is bound to an authority profile to implement user authentication. Then, the multicast user uses the authority of the programs configured in the bound profile.
Step 4 Bind the multicast user to a multicast VLAN.
In the multicast VLAN mode, run the igmp multicast-vlan member command to bind the user to the multicast VLAN. After the binding, the user becomes a multicast member of the multicast VLAN and can demand programs configured for the multicast VLAN.
Step 5 Run the display igmp user command to check whether the related information about the multicast user is correct.
----End

Example
To add multicast user (port) 0/4/1 to multicast VLAN 101, enable user authentication, enable log report, set the maximum bandwidth to 10 Mbit/s, and bind the user to right profile music, do as follows:
huawei(config)#service-port 100 vlan 101 gpon 0/4/1 ont 0 gemport 1 rx-cttr 2 tx-cttr 2
huawei(config)#btv
huawei(config-btv)#igmp user add service-port 100 auth log enable max-bandwidth 10240
huawei(config-btv)#igmp user bind-profile service-port 100 profile-name music
huawei(config-btv)#quit
huawei(config)#multicast-vlan 101
huawei(config-mvlan10)#igmp multicast-vlan member service-port 100

6.6 (Optional) Configuring the Multicast Bandwidth
To limit the multicast bandwidth of a user, you can enable multicast bandwidth management, that is, connection admission control (CAC), and then control the bandwidth of a multicast user by setting the program bandwidth and the user bandwidth.

Prerequisites
The program matching mode of the multicast VLAN must be the static configuration mode.

Context
If the CAC function (not the dynamic ANCP CAC function) is enabled and a user demands a multicast program, the system compares the remaining bandwidth of the user (bandwidth configured for the user - total bandwidth of the online programs of the user) with the bandwidth of the multicast program. If the remaining bandwidth of the user is sufficient, the system adds the user to the multicast group. If the bandwidth is insufficient, the system does not respond to the request of the user.
If the CAC function is disabled, the system does not guarantee the bandwidth of the multicast program. When the bandwidth is not guaranteed, problems such as mosaic and delay occur in the multicast program.
Table 6-6 lists the default settings of the CAC parameters.

Table 6-6 Default settings of the CAC parameters
Parameter | Default Setting
Global CAC switch | enable
Bandwidth of the multicast program | 5000 kbit/s
Bandwidth of the multicast user | no-limit
Bandwidth of the GPON port | 716800 kbit/s

Procedure
Step 1 In the global config mode, run the btv command to enter the BTV mode.
Step 2 Enable the global CAC switch.
By default, the global CAC switch is already enabled. You can run the igmp bandwidthCAC { enable | disable } command to change the setting.
Step 3 Configure the bandwidth of the multicast program.
   • Run the igmp program add ip ip-addr bandwidth command to configure the bandwidth of a single multicast program.
   • Run the igmp bandwidth port frameid/slotid/portid max-bandwidth { bandwidth | nolimit } command to configure the program bandwidth of a physical port on a board. This
command is available for only the GPON port. The default bandwidth of a port is 716800 kbit/s.
Step 4 Configure the bandwidth of the multicast user.
Run the igmp user add service-port index max-bandwidth command to allocate the bandwidth that is available to the multicast user.
Step 5 Check whether the multicast bandwidth configuration is correct.
   • Run the display igmp config global command to check the status of the global CAC switch.
   • Run the display igmp program command to query the bandwidth allocated to the multicast program.
   • Run the display igmp user command to query the maximum bandwidth and the occupied bandwidth of the multicast user.
----End

Example
To enable bandwidth management for multicast users, set the user bandwidth to 10 Mbit/s when adding multicast user 0/4/1, and configure the program bandwidth to 1 Mbit/s when adding multicast program 224.1.1.1, do as follows:
huawei(config)#btv
huawei(config-btv)#igmp bandwidthcAC enable
huawei(config-btv)#igmp user add port 0/4/1 max-bandwidth 10240
huawei(config-btv)#quit
huawei(config)#multicast-vlan 101
huawei(config-mvlan101)#igmp program add ip 224.1.1.1 bandwidth 1024

6.7 (Optional) Configuring Multicast Preview
Multicast preview is an advertizing method provided by carriers for ISPs. The purpose is to allow users to have an overview of a program in a controlled way. In other words, the duration, interval, and count of the user previews are controlled.

Prerequisites
The program matching mode of the multicast VLAN must be the static configuration mode.

Context
The difference between program preview and normal program watching is that, after the user goes online, the duration of the preview is restricted. When the duration expires, the user goes offline. The user can request the program again only after the preview interval expires. The count by which the user can request the program within a day (the start time can be configured) is restricted by the preview count of the user.
Multicast preview parameters are managed through the preview profile. One program can be bound to only one preview profile, but one preview profile can be referenced by multiple programs.
Table 6-7 lists the default settings of the multicast preview parameters.
Table 6-7 Default settings of the multicast preview parameters
Parameter | Default Value
Global multicast preview function | enable
Preview profile | Preview profile with index 0
Preview profile parameters | Maximum preview duration: 120s; Maximum preview count: 8; Minimum interval between two previews: 120s
Time for resetting the preview record | 4:00:00 am
Valid duration of multicast preview | 30s

Procedure
Step 1 In the global config mode, run the btv command to enter the BTV mode.
Step 2 Enable the global multicast preview function.
By default, the global multicast preview function is enabled. You can run the igmp preview { enable | disable } command to change the setting.
Step 3 Configure the preview profile.
Run the igmp preview-profile add command to configure the preview profile, and set the parameters: maximum preview duration, maximum preview count, and minimum interval between two previews.
The system has a default preview profile with index 0.
Step 4 Bind the program to the preview profile.
In the multicast VLAN mode, run the igmp program add ip ip-addr preview-profile index command to bind the program to be previewed to the preview profile so that the program has the preview attributes as defined in the preview profile. By default, the program is bound to the preview profile with index 0.
Step 5 Change the time for resetting the preview record.
Run the igmp preview auto-reset-time command to change the time for resetting the preview record. By default, the system resets the preview record at 4:00:00 a.m.
The preview record of the user remains valid within one day. On the second day, the preview record is reset.
Step 6 Modify the valid duration of multicast preview.
Run the igmp proxy recognition-time command to modify the valid duration of multicast preview. By default, the valid duration of multicast preview is 30s. If the actual preview duration of the user is shorter than the valid duration, the preview is not regarded as a valid one and is not added to the preview count.
Step 7 Run the display igmp config global command to check whether the values of the multicast preview parameters are correct.
----End

Example
To enable preview of multicast programs by using the system default preview profile, do as follows:
huawei(config)#btv
huawei(config-btv)#igmp preview enable

To enable preview of multicast programs, create preview profile 1, set the maximum preview time to 150s, the maximum preview count to 10, and apply this preview profile when adding program 224.1.1.1, do as follows:
huawei(config)#btv
huawei(config-btv)#igmp preview enable
huawei(config-btv)#igmp preview-profile add index 1 duration 150 times 10
huawei(config-btv)#quit
huawei(config)#multicast-vlan 101
huawei(config-mvlan101)#igmp program add ip 224.1.1.1 preview-profile 1

6.8 (Optional) Configuring Program Prejoin
In program prejoin, the MA5600T receives in advance the multicast stream of a program from the upper-layer multicast router to the upstream port before a user sends a request to join a program, thus shortening the waiting time of the user for requesting the program.

Prerequisites
The program matching mode of the multicast VLAN must be the static configuration mode.

Context
Multicast program prejoin is the same as program request. The MA5600T plays the role of a user and sends the report packet for receiving in advance the multicast stream from the upper-layer multicast router to the upstream port.
After the prejoin function is enabled, if the upper-layer multicast router does not support static multicast entry forwarding, the unsolicited report function needs to be enabled so that the user can request the program quickly. Generally, the upper-layer multicast router processes the user request by responding to the group-specific query and the general query.
Table 6-8 lists the default settings of the prejoin parameters.

Table 6-8 Default settings of the prejoin parameters
Parameter | Default Value
Prejoin function | disable
Unsolicited report of IGMP packets | disable

Procedure
Step 1 Enable the prejoin function.
Run the igmp program add ip ip-addr prejoin enable command to enable the prejoin function of a program. By default, the prejoin function is disabled.
Step 2 After the prejoin function is enabled, if the upper-layer multicast router does not support static multicast entry forwarding, the unsolicited report function needs to be enabled for IGMP packets.
   • Run the igmp program add ip ip-addr unsolicited enable command to enable the unsolicited report function for IGMP packets. By default, the unsolicited report function is disabled.
   • Run the igmp unsolicited-report interval command to modify the interval for unsolicitedly reporting IGMP packets. By default, the interval is 10s.
Step 3 Check whether the prejoin function is configured correctly.
   • Run the display igmp program command to query the status of the prejoin function and the unsolicited report function.
   • Run the display igmp config vlan command to query the interval for unsolicitedly reporting IGMP packets.
----End

Example
To enable the prejoin function when adding program 224.1.1.1, do as follows:
huawei(config-mvlan101)#igmp program add ip 224.1.1.1 prejoin enable

6.9 (Optional) Configuring the Multicast Logging Function
Multicast log serves as a criterion for carriers to evaluate the viewership of multicast programs.

Prerequisites
If the syslog is used for reporting multicast logs, the syslog server must be properly configured.

Context
Multicast logs have three control levels: multicast VLAN level, multicast user level, and multicast program level. The system generates logs only when the logging functions at the three levels are enabled.
When the user stays online for longer than the valid time for generating logs, the system generates logs in any of the following conditions:
• The user goes offline naturally, by force, or abnormally.
• The user is blocked or deleted.
• The program is deleted.
• The program priority is changed.
• The upstream port to which the program is bound changes.
• The VLAN of the upstream port to which the program is bound changes.
• The right mode is switched.
• The IGMP mode is switched.
• The bandwidth CAC is not passed.
• The user preview times out.
The system supports up to 10K logs. When the user goes online, the system records only the online date and time. The system generates a complete log only when the user goes offline.
The MA5600T can report the multicast log to the log server in the syslog mode and the call detailed record (CDR) mode. By default, the MA5600T reports the log in the syslog mode.
• Syslog mode: Logs are reported to the syslog server in the form of a single log.
• CDR mode: Logs are reported to the log server in the form of a log file (.cvs). One log file contains multiple logs.
Table 6-9 lists the default settings of the multicast logging parameters.

Table 6-9 Default settings of the multicast logging parameters
Parameter | Default Value
Report mode of the multicast log | Syslog mode
Logging function at the multicast VLAN level | enable
Logging function at the multicast user level | enable
Logging function at the multicast program level | enable
Interval for automatically logging | 2 hours
Minimum online duration for generating a valid log | 30s
Parameters of the log report in the CDR mode | Report interval: 600s; Maximum number of logs that can be reported each time: 200

Procedure
• Configure the parameters of the logging function of the multicast host.
   1. Enable the multicast logging functions.
      Multicast logs have three control levels: multicast VLAN level, multicast user level, and multicast program level. The system generates logs only when the logging functions at the three levels are enabled. By default, the three functions are enabled.
      – In the BTV mode, run the igmp log { enable | disable } command to configure the logging function at the multicast VLAN level.
      – In the BTV mode, run the igmp user add service-port index log { enable | disable } command to configure the logging function at the multicast user level.
      – In the Multicast VLAN mode, run the igmp program add ip ip-addr log { enable | disable } command to configure the logging function at the multicast program level.
   2. Modify the interval for automatically logging.
      In the BTV mode, run the igmp proxy log-interval command to modify the interval for automatically logging. By default, the interval is two hours.
      When the user stays online for a long time, the system generates logs at the preset interval. This is to prevent the problem that a log is not generated when the user leaves the multicast group without sending a leave packet, which can affect the accounting.
   3. Modify the minimum online duration for generating a valid log.
      In the BTV mode, run the igmp proxy recognition-time command to modify the minimum online duration for generating a valid log. By default, the minimum online duration is 30s.
      A log is generated only when a user stays online for longer than the specified duration. If the user is in a multicast group (such as to preview a program) for shorter than the preset duration, the user operation is not regarded as a valid one and a log is not generated.
• Configure the function of CDR-mode log report.
   1. Enable the function of CDR-mode log report.
      In the BTV mode, run the igmp cdr { enable | disable } command to configure the function of CDR-mode log report.
      After the function is enabled, the MA5600T reports the local multicast logs to the multicast log server in the form of a file. After the function is disabled, the MA5600T reports each single log to the syslog server in the default syslog mode.
   2. Configure the multicast log server and the data transmission mode for the CDR-mode log report.
      Run the file-server auto-backup cdr command to configure the active and standby multicast log servers.
   3. Configure the parameters of the log report in the CDR mode.
      – In the BTV mode, run the igmp cdr-interval command to set the report interval. By default, the interval is 600s.
      – In the BTV mode, run the igmp cdr-number command to set the maximum number of logs that can be reported each time. By default, the maximum number is 200. When the number of the multicast logs in the CDR file reaches the preset value, the MA5600T reports the logs.
   4. Check whether the configuration is correct.
      – Run the display igmp config global command to query the status and other parameters of the function of CDR-mode log report.
      – Run the display file-server command to query the configuration of the CDR multicast log server.
----End

Example
To configure the multicast log to be reported to log server 10.10.10.1 in the CDR mode, and use the TFTP transmission mode, do as follows:
huawei(config)#file-server auto-backup cdr primary 10.10.10.1 tftp
huawei(config)#btv
huawei(config-btv)#igmp cdr enable

7 Configuring MPLS and PWE3

About This Chapter
The Multi-protocol Label Switching (MPLS) network adopts the standard packet switching mode to forward L3 packets and the label switching mode to exchange L2 packets. Pseudo Wire Emulation Edge to Edge (PWE3) uses MPLS to carry L2 services so that packets can smoothly traverse the MPLS area and users or services can be differentiated.

Context
MPLS resides between the data link layer and the network layer in the TCP/IP protocol stack. The label in a short fixed length is used to encapsulate IP packets. On the data plane, fast label forwarding is implemented. On the control plane, MPLS can meet the requirements on the network from various new applications with the help of the powerful and flexible routing functions of the IP network.
The MPLS feature includes the following sub-features:
• Basic MPLS functions
• MPLS RSVP-TE
• MPLS OAM
PWE3 is a technology used to emulate ATM, frame relay, Ethernet and SONET/SDH services in packet switched network (PSN). After processing various services from the access layer, the provider edge (PE) creates the PWE3 service, which can be carried on the IP or MPLS network in a unified manner.
According to the emulation service type, MA5600T supports the following types of PWE3:
• TDM PWE3
  TDM PWE3 is a mechanism that emulates the basic behaviors and characteristics of the TDM circuit service in the PSN to enable the PSN to carry the TDM service.
• ETH PWE3
  ETH PWE3 uses user Ethernet frames as payload, encapsulates the frames through PWE3, and sends them to the PSN. In the downstream direction, ETH PWE3 terminates the PW encapsulation of Ethernet frames and forwards them to the user device.
• ATM PWE3
  ATM PWE3 uses user ATM cells as payload, encapsulates the frames through PWE3, and sends them to the PSN. In the downstream direction, ETH PWE3 terminates the PW encapsulation of ATM cells and forwards them to the user device.

7.1 Configuring the MPLS Service
This topic describes the MPLS technology and how to configure the MPLS service on the MA5600T.

7.2 Configuring the PWE3 Private Line Service
Pseudo wire emulation edge-to-edge (PWE3) uses LDP or RSVP-TE as the signaling protocol and carries various L2 services of the customer edge (CE) over the MPLS LSP or TE tunnel, transparently transmitting the L2 data of the CE.

7.3 Configuring TDM PWE3 Private Line Service (T1 Upstream Transmission)
The MA5612 receives the time division multiplexing (TDM) service through T1 ports, performs circuit emulation service over packet (CESoP) emulation on the TDM service and transmits the service to the MA5600T. The MA5600T terminates the emulation data, restores TDM signals, and transmits the signals to the synchronous digital hierarchy (SDH) network through T1 ports. Such a mechanism allows the traditional circuit-switched service to be carried over the Ethernet passive optical network (EPON).

7.1 Configuring the MPLS Service
This topic describes the MPLS technology and how to configure the MPLS service on the MA5600T.

Basic concept
• The path that an FEC traverses in an MPLS network is called LSP. The LSP, whose function is the same as the virtual circuit in ATM and frame relay, is a unidirectional path from the ingress to the egress. Each node on the LSP is an LSR.
According to the protocol for creating LSPs, LSPs are categorized as static LSP, LDP LSP, and RSVP-TE LSP.
• The static LSP is the label forwarding path manually set up for label distribution to each FEC.
• The dynamic LSP is the label forwarding path dynamically established through the label distribution protocol (LDP or RSVP-TE).
The MA5600T can function as a label switching edge router (LER) or a label switching router (LSR).

Configuration logic
In the MPLS configuration, the core is to configure the LSP and the second is to configure fault detection and protection for the LSP. Therefore, configure MPLS as follows:
• Configure LSPs.
   – Configure a static LSP.
   – Configure an LDP LSP.
   – Configure an RSVP-TE LSP.
• Configure the MPLS OAM.
• Configure LSP protection.

7.1.1 Configuring the Static LSP
Static LSP is configured manually.

Prerequisites
• The LSR ID must be configured.
• The global MPLS, VLAN MPLS, and VLAN interface MPLS must be enabled.
• The IP address of the loopback interface must be configured.
• A static or dynamic route must be successfully configured on each device in the network (so that LSRs can reach each other through the IP route).

Context
The administrator needs to manually distribute labels to each LSR when configuring the static LSP.
Principle: The out label value of a node must be equal to the in label value of its next node.
A static LSP can work in the normal state only when all the LSRs along the static LSP are configured. At the same time, LSRs on a static LSP cannot perceive the entire LSP. Therefore, static LSP is a local concept.
According to the position of the LER or LSR in a network, the configuration of the static LSP involves the ingress configuration, transit node configuration, and egress configuration.
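The principle above (each node's out label must equal the next node's in label) can be checked across the per-node configurations before a static LSP is put into service. The following Python code is an added example, not part of the Huawei guide: it parses the lsp-name form of the static-lsp ingress, transit and egress commands given in this section's procedure, and the three-node topology, the interface-to-address mapping and the LSP name from-a are constructed for illustration.

```python
"""Static-LSP label continuity check (added example; constructed topology)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PROMPT = re.compile(r"^\S*#\s*")  # strips a CLI prompt such as "huawei(config)#"
INGRESS = re.compile(r"static-lsp ingress (\S+) destination \S+(?: \d+)? "
                     r"nexthop (\S+) out-label (\d+)$")
TRANSIT = re.compile(r"static-lsp transit (\S+) incoming-interface vlanif (\d+) "
                     r"in-label (\d+) nexthop (\S+) out-label (\d+)$")
EGRESS = re.compile(r"static-lsp egress (\S+) incoming-interface vlanif (\d+) "
                    r"in-label (\d+)")


@dataclass
class Hop:
    node: str
    role: str                       # "ingress", "transit" or "egress"
    name: str                       # LSP name; only meaningful on this node
    in_if: Optional[str] = None
    in_label: Optional[int] = None
    nexthop: Optional[str] = None
    out_label: Optional[int] = None


def parse_node(node: str, config: str) -> List[Hop]:
    """Extract static-lsp entries (lsp-name form only) from one node's config."""
    hops = []
    for raw in config.splitlines():
        line = " ".join(PROMPT.sub("", raw.strip()).split())
        m = INGRESS.match(line)
        if m:
            hops.append(Hop(node, "ingress", m[1], nexthop=m[2], out_label=int(m[3])))
            continue
        m = TRANSIT.match(line)
        if m:
            hops.append(Hop(node, "transit", m[1], f"vlanif{m[2]}",
                            int(m[3]), m[4], int(m[5])))
            continue
        m = EGRESS.match(line)
        if m:
            hops.append(Hop(node, "egress", m[1], f"vlanif{m[2]}", int(m[3])))
    return hops


def check_lsp(nodes: Dict[str, dict], start: str, lsp_name: str) -> List[str]:
    """Follow one LSP from its ingress node; return the first broken hop, if any."""
    parsed = {n: parse_node(n, d["config"]) for n, d in nodes.items()}
    # Map every interface address to (node, interface) so a nexthop can be resolved.
    owner = {ip: (n, ifname) for n, d in nodes.items()
             for ifname, ip in d["interfaces"].items()}
    cur = next((h for h in parsed[start]
                if h.role == "ingress" and h.name == lsp_name), None)
    if cur is None:
        return [f"{start}: no static-lsp ingress entry named {lsp_name}"]
    seen = {start}
    while cur.role != "egress":
        if cur.nexthop not in owner:
            return [f"{cur.node}: nexthop {cur.nexthop} is not a known interface address"]
        node, ifname = owner[cur.nexthop]
        if node in seen:
            return [f"{cur.node}: nexthop {cur.nexthop} loops back to {node}"]
        seen.add(node)
        # LSP names are local to each node, so match on interface and label only.
        expected = [h for h in parsed[node]
                    if h.role != "ingress" and h.in_if == ifname]
        nxt = next((h for h in expected if h.in_label == cur.out_label), None)
        if nxt is None:
            labels = sorted(h.in_label for h in expected) or "no entry"
            return [f"{cur.node} out-label {cur.out_label} -> {node} {ifname}: "
                    f"in-label configured there is {labels}"]
        cur = nxt
    return []


# Constructed topology: A (ingress LER) -> B (transit LSR) -> C (egress LER).
GOOD = {
    "A": {"interfaces": {"vlanif100": "100.1.1.2"},
          "config": "huawei(config)#static-lsp ingress lsp1 destination 3.3.3.3 32 "
                    "nexthop 100.1.1.3 out-label 8200"},
    "B": {"interfaces": {"vlanif100": "100.1.1.3", "vlanif200": "200.1.1.2"},
          "config": "huawei(config)#static-lsp transit lsp1 incoming-interface vlanif 100 "
                    "in-label 8200 nexthop 200.1.1.3 out-label 8300"},
    "C": {"interfaces": {"vlanif200": "200.1.1.3"},
          "config": "huawei(config)#static-lsp egress from-a incoming-interface vlanif 200 "
                    "in-label 8300"},
}
# Same topology with a mistyped in-label on the egress node.
BAD = {**GOOD, "C": {**GOOD["C"],
                     "config": GOOD["C"]["config"].replace("8300", "8301")}}

if __name__ == "__main__":
    print(check_lsp(GOOD, "A", "lsp1"))
    print(check_lsp(BAD, "A", "lsp1"))
```

Because a static LSP has no signaling protocol to detect the mismatch, a wrong label on one node shows up only as a path that does not forward; running such a check per direction covers both LSPs of a bidirectional service.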

An LSP corresponds to a unidirectional forwarding path. To ensure bidirectional communication of the MPLS service, two static LSPs are required. The two LSPs have opposite directions. Their ingress and egress are reverse. Their transit nodes can be the same or different according to the networking requirements, or even free of being configured.
An LER is generally located at the edge of an MPLS network. The PE or PTN device can be considered an LER. An LSR is generally located in the middle of an MPLS network. The P device can be considered an LSR that forwards MPLS labels.

Procedure
• When the MA5600T functions as an LER, configure the static LSP as follows:
   1. Run the static-lsp ingress command to configure the ingress parameters of a static LSP.
      Format: static-lsp ingress { lsp-name | tunnel-interface tunnel tunnel-id } destination ip-addr nexthop ip-addr out-label out-label
      – You can create a static LSP by using the LSP name or the tunnel. To create a static LSP by using the tunnel, you must run the interface tunnel command to create a tunnel interface and then configure its attributes.
      – destination ip-addr: Indicates the destination IP address of the LSP, that is, the loopback interface IP address of the PE or PTN device.
      – nexthop ip-addr: Indicates the next hop IP address, that is, the VLAN interface IP address of the adjacent LSR.
      – out-label out-label: Indicates the out label value, which must be the same as the in label value of the downstream LSR.
   2. Run the static-lsp egress command to configure the egress parameters of a static LSP.
      Format: static-lsp egress lsp-name incoming-interface vlanif vlanid in-label in-label [ lsrid ingress-lsr-id tunnel-id tunnel-id ]
      – In the egress configuration of a static LSP, only a VLAN interface can be used as the ingress interface, that is, the VLAN interface of the upstream egress.
      – in-label in-label: Indicates the in label value of the egress, which must be the same as the out label value of the upstream LSR.
   3. Run the display mpls static-lsp command to query the configuration of a static LSP.
• When the MA5600T functions as an LSR, configure the static LSP as follows:
   1. Run the static-lsp transit command to configure the transit node parameters of a static LSP.
      Format: static-lsp transit lsp-name incoming-interface interface-type interface-number in-label in-label nexthop next-hop-address out-label out-label
      – The ingress interface of the transit node on a static LSP can only be the VLAN interface.
      – in-label in-label: Indicates the in label value of the transit node, which must be the same as the out label value of the upstream ingress.
      – nexthop next-hop-address: Indicates the next hop IP address, that is, the VLAN interface IP address of the adjacent LSR.
      – out-label out-label: Indicates the out label value of the transit node, which must be the same as the in label value of the downstream LSR.
      CAUTION
      Because the LSP is unidirectional, you must configure the transit node parameters twice with opposite directions to ensure bidirectional communication of the MPLS service.
   2. Run the display mpls static-lsp command to query the configuration of a static LSP.
----End

Example
When the MA5600T functions as an LER, to configure the ingress and egress of a static LSP, set the parameters as follows:
• Ingress node name of the static LSP: lsp1, egress name of the static LSP: lsp2
• IP address of local VLAN interface 100: 100.1.1.2/24
• Destination IP address of the LSP: 3.3.3.3/32
• Out label: 8200, in label: 8300
• Next hop IP address: 100.1.1.3
huawei(config)#static-lsp ingress lsp1 destination 3.3.3.3 32 nexthop 100.1.1.3 out-label 8200
huawei(config)#static-lsp egress lsp2 incoming-interface vlanif 100 in-label 8300
huawei(config)#display mpls static-lsp
{ <cr>|exclude<K>|include<K>|string<S><Length 1-19>|verbose<K> }:
  Command:
          display mpls static-lsp
TOTAL : 2 STATIC LSP(S)
UP    : 0 STATIC LSP(S)
DOWN  : 2 STATIC LSP(S)
Name   FEC          I/O Label   I/O If        Stat
lsp1   3.3.3.3/32   NULL/8200   -/vlanif100   Down
lsp2   -/-          8300/NULL   vlanif100/-   Down

When the MA5600T functions as an LSR, to configure the transit node parameters of a static LSP, set the parameters as follows:
• LSP name of the transit node in the positive direction: lsp1, LSP name of the transit node in the negative direction: lsp2
• IP address of local VLAN interface 100: 100.1.1.2/24
• IP address of local VLAN interface 200: 200.1.1.2/24
• Out label in the positive direction: 8200, in label in the positive direction: 8300
• Out label in the negative direction: 8200, in label in the negative direction: 8300
• Next hop IP address in the positive direction: 200.1.1.3
• Next hop IP address in the negative direction: 100.1.1.3
huawei(config)#static-lsp transit lsp1 incoming-interface vlanif 100 in-label 8200 nexthop 200.1.1.3 out-label 8300
huawei(config)#static-lsp transit lsp2 incoming-interface vlanif 200 in-label 8300 nexthop 100.1.1.2 out-label 8200
huawei(config)#display mpls static-lsp
{ <cr>|exclude<K>|include<K>|string<S><Length 1-19>|verbose<K> }:
  Command:
          display mpls static-lsp
TOTAL : 2 STATIC LSP(S)
UP    : 0 STATIC LSP(S)
DOWN  : 2 STATIC LSP(S)
Name   FEC   I/O Label   I/O If                Stat
lsp1   -/-   8200/8300   vlanif100/vlanif200   Down
lsp2   -/-   8300/8200   vlanif200/vlanif100   Down

7.1.2 Configuring the LDP LSP
Set up an MPLS LDP session between LSRs along the LSP. After the MPLS LDP session is set up, the LDP LSP is automatically created.

Prerequisites
• The LSR ID must be configured.
• Global MPLS must be enabled.
• The VLAN for MPLS label forwarding must be created.
• The IP address of the loopback interface must be configured.
• A static or dynamic route must be successfully configured on each device in the network (so that LSRs can reach each other through the IP route).

Context
• The MA5600T supports LDP and RSVP-TE, both of which generate dynamic LSPs.
• LDP is a standard MPLS label distribution protocol defined by IETF. LDP, which is mainly used to distribute labels for the negotiation between LSRs to set up label switching paths (LSPs), regulates various types of information for the label distribution process, and the related processing. The LSRs form an LSP that crosses the entire MPLS domain according to the local forwarding table, which correlates the in label, network hop node, and out label of each specific FEC.

Procedure
Step 1 Configure the MPLS LDP session.
The MPLS-LDP session is used for information exchange such as label mapping and release between LSRs. The MPLS-LDP session is classified into two types:
• Local LDP session: Two LSRs between which a session is set up are connected directly.
• Remote LDP session: Two LSRs between which a session is set up are not connected directly. Remote LDP sessions are mainly set up between nonadjacent LSRs. They can also be set up between adjacent LSRs.
NOTE
If local adjacency with the specified remote peer exists, remote adjacency cannot be set up; if remote adjacency exists and local adjacency is set up for the remote peer, the remote peer will be deleted. In other words, only one session can exist between two LSRs and a local LDP session takes priority over a remote LDP session.

- Configure the local LDP session.
  1. In the global config mode, run the mpls ldp command to enable global MPLS LDP.
  2. In the global config mode, run the mpls vlan command to enable the MPLS function of the VLAN.
  3. Run the interface vlanif command to enter the VLAN interface mode.
  4. In the VLAN interface mode, run the mpls command to enable the MPLS function of the VLAN interface and run the mpls ldp command to enable the MPLS LDP function of the VLAN interface.
  5. Run the quit command to quit the VLAN interface mode.
- Configure the remote LDP session.
  1. In the global config mode, run the mpls ldp command to enable global MPLS LDP.
  2. Run the mpls ldp remote-peer command to create an LDP remote peer and then enter the remote peer mode.
  3. Run the remote-ip command to configure the IP address of the LDP remote peer.
  NOTE
  The IP address of the remote LDP peer should be the LSR ID of the remote LSR. When the LSR ID is used as the transmission address of a remote peer, two remote peers set up a TCP connection between them using the LSR ID as the transmission address.

Step 2 (Optional) Configure the LDP MTU signaling function.
Run the mtu-signalling command to enable the sending of the MTU type, length, and value (TLV). This enables the LDP to automatically calculate and negotiate the minimum MTU value for all ports on each LSP. In this way, the MPLS determines the size of the MPLS forwarding packet at the ingress according to the minimum MTU, thereby avoiding the forwarding failure on transit nodes caused by oversize packets at the ingress.
By default, the LDP MTU signaling is enabled.

Step 3 (Optional) Configure the route trigger policy for setting up an LSP.
Run the lsp-trigger host command to configure the route trigger policy for setting up an LSP. The default route trigger policy is used to set up an LSP by triggering the LDP through the host address, that is, the host route triggers the LDP to set up an LSP. To modify the default route trigger policy, run this command.
NOTE
It is recommended that you configure the route trigger policy for setting up an LSP to host (default). In this way, the setup of useless LSPs can be prevented.

Step 4 (Optional) Configure the trigger policy set up by the transit LSP.
Run the propagate mapping command to filter certain routes received by the LDP by using the IP prefix table. Only the route that matches the specified IP prefix table is used by the local LDP for creating the transit LSP.
By default, the LDP does not filter the received routes when creating the transit LSP.

Step 5 Query the relevant information about the LDP LSP configuration.
- Run the display mpls interface command to check whether the MPLS interface is in the normal (up) state.
- Run the display mpls ldp session command to check whether the created remote MPLS LDP session is in the normal (operational) state.
- Run the display mpls ldp lsp command to query the relevant information about the created LDP LSP.

----End

Example
To configure an LDP LSP between two adjacent LSRs by using VLAN interface 200 as the MPLS forwarding interface and using default values for other parameters, do as follows:

huawei(config)#mpls ldp
huawei(config-mpls-ldp)#quit
huawei(config)#mpls vlan 200
huawei(config)#interface vlanif 200
huawei(config-if-vlanif200)#mpls ldp
huawei(config-if-vlanif200)#quit
huawei(config)#display mpls interface vlanif 200
{ <cr>|verbose<K> }:
  Command:
          display mpls interface vlanif 200
Interface   Status   TE Attr   LSP Count   CRLSP Count   Effective MTU
vlanif200   Down     Dis       0           0             1500

To configure an LDP LSP between two nonadjacent LSRs by configuring the local lsr-id to 3.3.3.3, configuring the remote lsr-id to 5.5.5.5, and using default values for other parameters, do as follows:

huawei(config)#mpls ldp
huawei(config-mpls-ldp)#quit
huawei(config)#mpls ldp remote-peer session1
huawei(config-mpls-ldp-remote-session1)#remote-ip 5.5.5.5
huawei(config-mpls-ldp-remote-session1)#quit
huawei(config)#display mpls ldp remote-peer
{ <cr>|string<S><Length 1-32>||<K> }:
  Command:
          display mpls ldp remote-peer
LDP Remote Entity Information
------------------------------------------------------------------------------
Remote Peer Name: session1
Remote Peer IP: 5.5.5.5              LDP ID: 3.3.3.3:0
Transport Address: 3.3.3.3           Entity Status: Active
Configured Keepalive Timer: 45 Sec
Configured Hello Timer: 45 Sec
Negotiated Hello Timer: 45 Sec
Hello Packet sent/received: 0/0
------------------------------------------------------------------------------
TOTAL: 1 Peer(s) Found.

7.1.3 Configure an RSVP-TE LSP

MPLS TE is a technology that integrates TE with MPLS. Through the MPLS TE technology, you can create an LSP tunnel to a specified path, to reserve resources and implement reoptimization.

Prerequisites
- The LSR ID must be configured.
- Global MPLS and VLAN MPLS must be enabled.
- The IP address of the loopback interface must be configured.
- The VLAN for MPLS label forwarding must be created.
- The OSPF protocol must be successfully configured on each device in the network (the host route of each port must be successfully advertised).

Context
- To create constraint-based LSPs in MPLS TE, RSVP is extended. The extended RSVP signaling protocol is called the RSVP-TE signaling protocol.
- MPLS TE creates the LSP tunnel along a specified path through RSVP-TE and reserves resources. Thus, carriers can accurately control the path that traffic traverses to avoid the node where congestion occurs. This solves the problem that certain paths are overloaded and other paths are idle, utilizing the current bandwidth resources sufficiently. In addition, MPLS TE can reserve resources during the creation of LSP tunnels to ensure the QoS.

Procedure
Step 1 Enable MPLS TE and RSVP-TE.
1. In the global config mode, run the mpls command to enter the MPLS mode.
2. In the MPLS mode, run the mpls te command to enable global MPLS TE, run the mpls rsvp-te command to enable global RSVP-TE, and run the mpls te cspf command to enable Constraint Shortest Path First (CSPF).
   NOTE
   - CSPF provides a way to select the path in an MPLS area. Enable CSPF before configuring other CSPF functions.
   - It is recommended that you configure CSPF on all transit nodes lest the ingress cannot calculate the entire path.
3. Run the quit command to quit the MPLS mode and run the interface vlanif command to enter the VLAN interface mode.
4. In the VLAN interface mode, run the mpls command to enable the VLAN interface MPLS, run the mpls te command to enable the VLAN interface MPLS TE, and run the mpls rsvp-te command to enable the VLAN interface RSVP-TE.

Step 2 (Optional) Configure the line bandwidth.
To guarantee the bandwidth of the service transmitted on the MPLS TE tunnel, perform this operation.
1. In the VLAN interface mode, run the mpls te bandwidth max-reservable-bandwidth command to configure the maximum reservable bandwidth for the MPLS TE tunnel on the VLAN interface.
2. In the VLAN interface mode, run the mpls te bandwidth { bc0 bandwidth | bc1 bandwidth } command to configure the bandwidth that can be obtained from BC0 and BC1 of the VLAN interface when an MPLS TE tunnel is created.
   NOTE
   - BC0: Indicates the global pool bandwidth of an MPLS TE tunnel.
   - BC1: Indicates the sub-pool bandwidth type of an MPLS TE tunnel. It is used to transmit services with higher priority and higher performance requirements.
   - The bandwidth values must meet the following requirement: maximum reservable bandwidth ≥ BC0 bandwidth ≥ BC1 bandwidth.

Step 3 Enable MPLS TE for the OSPF area.
The MA5600T enables the MPLS TE to know the relevant dynamic TE attributes of each link by extending the OSPF protocol. The extended OSPF enables the link status entry to add TE attributes, such as link bandwidth and affinity attribute. Each router in the network collects all the TE information in OSPF area and generates traffic engineering database (TEDB).

1. In global config mode, run the ospf command to start the OSPF process and enter the OSPF mode.
2. Run the opaque-capability enable command to enable the OSPF opaque capability. After the opaque capability of the MA5600T is enabled, it can export TEDB information to neighbor devices.
3. Run the area ospf command to enter the OSPF area mode and run the mpls-te enable command to enable the OSPF area TE.

Step 4 (Optional) Configure an MPLS TE explicit path.
To specify a known path for a special traffic stream in the MPLS network, you can run the explicit-path command in the global config mode to configure an explicit path, and then run the mpls te path explicit-path command in the tunnel mode to specify the explicit path for the tunnel.
An explicit path consists of a series of nodes, which constitute a vector path according to the configured sequence. The IP address in an explicit path is the IP address of the interface on the node. Generally, the loopback interface IP address on the egress is used as the destination IP address of the explicit path.
After an explicit path is created, you can run the next hop, modify hop, and delete hop command to add a next hop node, modify a node, and delete a node respectively for the explicit path.

Step 5 Configure an MPLS TE tunnel interface.
1. In the global config mode, run the interface tunnel command to create a tunnel interface and enter the tunnel interface mode.
2. Run the tunnel-protocol mpls te command to configure the tunnel protocol to MPLS TE.
3. Run the destination ip-address command to configure the destination IP address of the tunnel. Generally, the egress LSR ID is used.
4. Run the mpls te tunnel-id command to configure the tunnel ID.
5. Run the mpls te signal-protocol rsvp-te command to configure the signaling protocol of the tunnel to RSVP-TE.
6. (Optional) Run the mpls te bandwidth command to configure the bandwidth for the tunnel. After the configuration is completed, only the VLAN interface that meets this bandwidth value can be selected as the node traversed by the MPLS TE tunnel path when the MPLS TE tunnel is created. If the MPLS TE tunnel is only used to change the data transmission path, you may not configure the tunnel bandwidth.
7. (Optional) Run the mpls te path explicit-path command to configure the explicit path used by the MPLS TE tunnel. If only the bandwidth used by the MPLS TE tunnel is limited but the transmission path is not limited, you may not configure the explicit path used by the MPLS TE tunnel.
8. Run the mpls te commit command to commit the current configuration of the tunnel.

Step 6 Check the configuration.
1. Run the display mpls te link-administration admission-control command to check the CR LSP information allowed on the link, including the bandwidth and priority.
2. Run the display mpls te tunnel command to query details about a specified tunnel.
3. Run the display mpls te cspf tedb command to query the CSPF TEDB information.

4. Run the display mpls te tunnel path command to query the path information about a tunnel on a local node.
5. Run the display mpls te tunnel-interface command to query the tunnel interface information about a local node.

----End

Example
To configure the RSVP-TE LSP from the MA5600T to the PTN, set the parameters as follows.
- Set the parameters on the MA5600T.
  – LSR-ID: 3.3.3.3
  – L3 interface IP address of VLAN 20 for MPLS forwarding: 10.1.1.3/24
  – Maximum reservable bandwidth of the VLAN interface: 20480 kbit/s, BC0 bandwidth: 10240 kbit/s
  – OSPF process ID: 100, OSPF area ID: 1
  – MPLS TE tunnel ID: 10, tunnel interface ID: 10
  – Required BC0 bandwidth when an MPLS TE tunnel is created: 5120 kbit/s
  – Other parameters: default settings
- Set the LSR ID of the PTN to 5.5.5.5.

huawei(config)#interface loopback 0
huawei(config-if-loopback0)#ip address 3.3.3.3 32
huawei(config-if-loopback0)#quit
huawei(config)#mpls lsr-id 3.3.3.3
huawei(config)#mpls
huawei(config-mpls)#mpls te
huawei(config-mpls)#mpls rsvp-te
//Configure the MPLS TE to use CSPF to calculate the shortest path to a node.
huawei(config-mpls)#mpls te cspf
huawei(config-mpls)#quit
huawei(config)#mpls vlan 20
huawei(config)#interface vlanif 20
//Configure the IP address of the VLAN L3 interface.
huawei(config-if-vlanif20)#ip address 10.1.1.3 24
//Enable MPLS for the VLAN interface.
huawei(config-if-vlanif20)#mpls
//Enable MPLS TE for the VLAN interface.
huawei(config-if-vlanif20)#mpls te
//Enable MPLS RSVP-TE for the VLAN interface.
huawei(config-if-vlanif20)#mpls rsvp-te
huawei(config-if-vlanif20)#quit
huawei(config)#ospf 100
//Enable the opaque capability to send the engineering data base information to peripheral devices.
huawei(config-ospf-100)#opaque-capability enable
huawei(config-ospf-100)#area 1
//Enable MPLS TE for the OSPF area.
huawei(config-ospf-100-area-0.0.0.1)#mpls-te enable standard-complying
huawei(config-ospf-100-area-0.0.0.1)#quit
huawei(config-ospf-100)#quit
huawei(config)#interface vlanif 20
//Configure the maximum reservable bandwidth of the L3 interface.
huawei(config-if-vlanif20)#mpls te bandwidth max-reservable-bandwidth 20480
//Configure the obtainable maximum bandwidth of the L3 interface from BC0 when the MPLS TE tunnel is created.
huawei(config-if-vlanif20)#mpls te bandwidth bc0 10240
huawei(config-if-vlanif20)#quit
huawei(config)#interface tunnel 10
//Configure the link layer encapsulation protocol to MPLS TE for the tunnel interface, that is, configure the tunnel interface to work in the CR-LSP tunnel mode.
huawei(config-if-tunnel10)#tunnel-protocol mpls te
//Configure the destination IP address of the MPLS TE tunnel.
huawei(config-if-tunnel10)#destination 3.3.3.3
//Configure the MPLS TE tunnel ID, which, along with the LSR-ID, uniquely indicates an MPLS TE tunnel.
huawei(config-if-tunnel10)#mpls te tunnel-id 10
//Configure the protocol of the MPLS TE tunnel to RSVP-TE.
huawei(config-if-tunnel10)#mpls te signal-protocol rsvp-te
//Configure the global pool bandwidth required by the MPLS TE tunnel.
huawei(config-if-tunnel10)#mpls te bandwidth bc0 5120
//Allow the MPLS TE tunnel to be bound to a VPN instance. In addition, the MPLS TE tunnel can function as the outer tunnel of the PWE3 service.
huawei(config-if-tunnel10)#mpls te reserved-for-binding
huawei(config-if-tunnel10)#mpls te commit
huawei(config-if-tunnel10)#quit

7.1.4 Configuring the MPLS OAM

The MPLS OAM function uses an effective OAM mechanism to detect whether an LSP is normal and report an alarm in time when an LSP fault occurs. In addition, the MPLS OAM function features a complete protection switching mechanism, which triggers a switchover when a defect at the MPLS layer is detected to minimize the user data loss.

Context
Through the MPLS OAM mechanism, the MA5600T can effectively detect, confirm, and locate internal defects at the MPLS layer of a network. Then, the system reports and handles the defects. In addition, the system provides a mechanism for triggering 1:1 protection switching when a fault occurs.

The basic process of the MPLS OAM connectivity check and protection switching is as follows:
1. The source transmits the CV/FFD packets to the destination through the detected LSP.
2. The destination checks the correctness of the type and frequency carried in the received detection packets and measures the number of correct and errored packets that are received within the detection period to monitor the connectivity of the LSP in real time.
3. After detecting a defect, the destination transmits the BDI packets that carry the defect information to the source through the backward path.
4. The source learns about the status of the defect, and triggers the corresponding protection switching when the protect group is correctly configured.

Configure the MPLS OAM as follows:
1. Configure the active LSP at the source end (ingress).
2. Configure the standby LSP at the source end.
3. Create a tunnel protect group.
4. Configure the backward LSP at the destination end (egress).
5. Enable the MPLS OAM function at the source end.
6. Enable the MPLS OAM function at the destination end.

NOTE
If only the MPLS OAM connectivity check needs to be enabled and 1:1 protection is not required for the LSP, you need not configure the standby LSP or the tunnel protect group at the source end.
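The bandwidth rules stated in the RSVP-TE procedure of 7.1.3 (maximum reservable bandwidth ≥ BC0 bandwidth ≥ BC1 bandwidth, a tunnel can only traverse a VLAN interface that meets its bandwidth, and tunnel settings are committed with mpls te commit) can be checked offline against a saved CLI transcript before a change window. The following Python script is an added example, not part of the Huawei guide; the function names, the constructed transcripts, and the treatment of an unset bandwidth pool as 0 are assumptions.

```python
import re

# Prompt of a VLAN or tunnel interface view, e.g. "huawei(config-if-vlanif20)#..."
PROMPT = re.compile(r"^\S*\(config-if-(vlanif|tunnel)(\d+)\)#\s*(.*)$")
# "<pool> <kbit/s>" pairs inside an "mpls te bandwidth ..." command
POOL = re.compile(r"\b(max-reservable-bandwidth|bc0|bc1)\s+(\d+)")


def parse(transcript):
    """Return ({vlanif_id: pools}, {tunnel_id: state}) from a CLI transcript."""
    vlanifs, tunnels = {}, {}
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # global-mode lines, // comment lines and output are ignored
        kind, num = m.group(1), int(m.group(2))
        cmd = m.group(3).split("//")[0].strip()
        if kind == "vlanif":
            pools = vlanifs.setdefault(num, {})
            if cmd.startswith("mpls te bandwidth"):
                pools.update((k, int(v)) for k, v in POOL.findall(cmd))
        else:
            tun = tunnels.setdefault(num, {"need": {}, "dirty": False})
            if cmd == "mpls te commit":
                tun["dirty"] = False  # everything entered so far is committed
            elif cmd.startswith("mpls te "):
                tun["dirty"] = True   # changed after the last commit
                if cmd.startswith("mpls te bandwidth"):
                    tun["need"].update((k, int(v)) for k, v in POOL.findall(cmd))
    return vlanifs, tunnels


def audit(transcript):
    """Return a list of findings; an empty list means all three rules hold."""
    vlanifs, tunnels = parse(transcript)
    findings = []
    for num, p in sorted(vlanifs.items()):
        if not p:
            continue  # interface carries no TE bandwidth settings
        # Assumption: a pool that was never configured counts as 0 kbit/s.
        mx, bc0, bc1 = (p.get(k, 0) for k in
                        ("max-reservable-bandwidth", "bc0", "bc1"))
        if not mx >= bc0 >= bc1:
            findings.append(f"vlanif{num}: need max-reservable >= bc0 >= bc1, "
                            f"got {mx}/{bc0}/{bc1}")
    for num, t in sorted(tunnels.items()):
        for pool, need in sorted(t["need"].items()):
            # The tunnel needs at least one local VLAN interface offering this much.
            if not any(p.get(pool, 0) >= need for p in vlanifs.values()):
                findings.append(f"tunnel{num}: no VLAN interface offers "
                                f"{need} kbit/s from {pool}")
        if t["dirty"]:
            findings.append(f"tunnel{num}: mpls te changes not followed by "
                            f"mpls te commit")
    return findings


# Constructed transcript using the values of the guide's RSVP-TE data plan.
SAMPLE_OK = """\
huawei(config)#interface vlanif 20
huawei(config-if-vlanif20)#mpls te bandwidth max-reservable-bandwidth 20480
huawei(config-if-vlanif20)#mpls te bandwidth bc0 10240
huawei(config-if-vlanif20)#quit
huawei(config)#interface tunnel 10
huawei(config-if-tunnel10)#tunnel-protocol mpls te
huawei(config-if-tunnel10)#mpls te signal-protocol rsvp-te
huawei(config-if-tunnel10)#mpls te bandwidth bc0 5120
huawei(config-if-tunnel10)#mpls te commit
huawei(config-if-tunnel10)#quit
"""

# Constructed transcript with three deliberate mistakes.
SAMPLE_BAD = """\
huawei(config)#interface vlanif 30
huawei(config-if-vlanif30)#mpls te bandwidth max-reservable-bandwidth 10240
huawei(config-if-vlanif30)#mpls te bandwidth bc0 20480
huawei(config-if-vlanif30)#quit
huawei(config)#interface tunnel 30
huawei(config-if-tunnel30)#tunnel-protocol mpls te
huawei(config-if-tunnel30)#mpls te tunnel-id 30
huawei(config-if-tunnel30)#mpls te bandwidth bc0 40960
huawei(config-if-tunnel30)#quit
"""

if __name__ == "__main__":
    for name, text in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, audit(text) or "no findings")
```

The check only sees the local node, so a tunnel that passes here can still fail CSPF if a transit node offers less bandwidth.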

Configuration Example for Detection of MPLS OAM for Static LSP Connectivity

This topic describes how to configure the function of MPLS OAM to detect the static LSP connectivity.

Prerequisites
Before the configuration, make sure that:
- Set the IP addresses and the masks of the ports based on the example network. After that, LSRs can ping the peer LSRs.
- A static or dynamic route must be successfully configured on each device in the network (so that LSRs can reach each other through the IP route).

Networking
Figure 7-1 shows an example network of configuring MPLS OAM to detect the static LSP connectivity.
1. Source end MA5600T_A sends CV/FFD detection packets to the destination end through the detected LSP (MA5600T_A->Router A->MA5600T_B).
2. After detecting a defect, the destination transmits the BDI packets that carry the defect information to the source through the backward LSP (MA5600T_B->Router B->MA5600T_A). This enables the source end to obtain the defect status in time.

NOTE
To facilitate description of the MPLS OAM application, the MA5600T is used at both the source end and destination end as an example. In the actual application, the MA5600T at one end may be replaced by a device that supports MPLS OAM such as a PTN device, but their implementation principles are the same.

Figure 7-1 Example network of detection of MPLS OAM for static LSP connectivity

Data Plan
Table 7-1 provides the data plan for detection of MPLS OAM for static LSP connectivity.

1.1.10/24 Tunnel ID: 10.1.1.20/24 IP address of the interface connected to the MA5600T_B: 10.1 32 Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.1..3 Port: 0/17/0 IP address of VLAN interface 11 connected to Router A: 10.2. Ltd.3.1. 1.1.10/24 Procedure l Configure source end MA5600T_A.20/24 Port: 0/17/1 IP address of VLAN interface 20 connected to Router B: 10.2.1.4.3. tunnel interface ID: 20 Out label value of the LSP ingress: 8200 In label value of the LSP egress: 8201 Static LSP: Router B to MA5600T_A Router A LSR ID: 2. 346 .1.2.3. Configure the loopback interface.4 IP address of the interface connected to the MA5600T_A: 10.4.2.4.1 Port: 0/17/0 IP address of VLAN interface 10 connected to Router A: 10.1.10/24 Static LSP: Router A to MA5600T_B MA5600T_B LSR ID: 3.1. tunnel interface ID: 10 Out label value of the LSP ingress: 8192 In label value of the LSP egress: 8193 Port: 0/17/1 IP address of VLAN interface 21 connected to Router B: 10. huawei(config)#interface loopback 0 huawei(config-if-loopback0)#ip address 1.10/24 Router B LSR ID: 4.1.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 7 Configuring MPLS and PWE3 Table 7-1 Data plan for detection of MPLS OAM for static LSP connectivity Item Data MA5600T_A LSR ID: 1.3.1.1.20/24 IP address of the interface connected to the MA5600T_B: 10.20/24 Tunnel ID: 20.2 IP address of the interface connected to the MA5600T_A: 10.4.

huawei(config)#vlan 10 standard huawei(config)#mpls vlan 10 huawei(config)#port vlan 10 0/17 0 huawei(config)#interface vlanif 10 huawei(config-if-vlanif10)#ip address 10. Configure the static LSP bound to the MPLS TE tunnel.3 tunnel-id 20 . Destination end MA5600T functions as the ingress of the detected static LSP.3. Enable the basic MPLS and MPLS TE globally. detection packet type to FFD. a. huawei(config)#static-lsp egress LSP2 incoming-interface vlanif 20 inlabel 8201 5..SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 7 Configuring MPLS and PWE3 huawei(config-if-loopback0)#quit 2.3.3.3.2..3 huawei(config-if-tunnel10)#mpls te tunnel-id 20 huawei(config-if-tunnel10)#mpls te signal-protocol static huawei(config-if-tunnel10)#mpls te commit huawei(config-if-tunnel10)#quit 4.1. . Enable the basic MPLS and MPLS TE on the interface.//and backward LSP tunnel ID to 20.1 huawei(config)#mpls huawei(config-mpls)#mpls te huawei(config-mpls)#quit b. Configure the MPLS TE tunnel bound to the detected LSP. huawei(config)#mpls huawei(config-mpls)#mpls oam huawei(config-mpls)#quit huawei(config)#mpls oam ingress tunnel 10 type ffd frequency 100 backward-lsp lsr-id 3.3.. huawei(config)#save l Issue 01 (2012-01-18) Configure Router A or Router B. Configure the MPLS TE tunnel from the source end to the destination end. Save the data. Tx frequency to 100 ms.1. Ltd. huawei(config)#mpls lsr-id 1.10 24 huawei(config-if-vlanif21)#mpls huawei(config-if-vlanif21)#mpls te huawei(config-if-vlanif21)#quit 3. Enable MPLS OAM at source end MA5600T_A.1.10 24 huawei(config-if-vlanif10)#mpls huawei(config-if-vlanif10)#mpls te huawei(config-if-vlanif10)#quit huawei(config)#vlan 21 standard huawei(config)#mpls vlan 21 huawei(config)#port vlan 21 0/17 1 huawei(config)#interface vlanif 21 huawei(config-if-vlanif21)#ip address 10. 
LSR-ID of the backward LSP to 3.20 out-label 8192 Destination end MA5600T functions as the egress of the detected static LSP.3.//Configure the MPLS OAM source end.. Huawei Proprietary and Confidential Copyright © Huawei Technologies Co..3. huawei(config)#mpls oam ingress enable all 6. huawei(config)#static-lsp ingress tunnel-interface tunnel 10 destination 3.3. huawei(config)#interface tunnel 10 huawei(config-if-tunnel10)#tunnel-protocol mpls te huawei(config-if-tunnel10)#destination 3.3.1. Configure the tunnel ID of the detected LSP to 10. Enable the basic MPLS and MPLS TE.1.2. 347 . huawei(config)#static-lsp egress LSP1 incoming-interface vlanif 10 inlabel 8193 Destination end MA5600T functions as the egress of the backward static LSP.3 nexthop 10.1.

Router A or Router B mainly forwards MPLS labels. Configure the MPLS TE tunnel from the destination end to the source end.1. Configure the MPLS TE tunnel bound to the detected LSP. Ltd.1 nexthop 10. 348 .1.10 out-label 8193 Source end MA5600T functions as the ingress of the backward static LSP. in label. Enable the basic MPLS and MPLS TE. Configure the static LSP bound to the tunnel. l Configure destination end MA5600T_B.1 huawei(config-if-tunnel10)#mpls te tunnel-id 10 huawei(config-if-tunnel10)#mpls te signal-protocol static huawei(config-if-tunnel10)#mpls te commit huawei(config-if-tunnel10)#quit Configure the MPLS TE tunnel bound to the backward LSP. The ingress interface. huawei(config)#mpls lsr-id 3.3. huawei(config)#interface loopback 0 huawei(config-if-loopback0)#ip address 3. Source end MA5600T functions as the egress of the detected static LSP.1 huawei(config-if-tunnel20)#mpls te tunnel-id 20 huawei(config-if-tunnel20)#mpls te signal-protocol static huawei(config-if-tunnel20)#mpls te commit huawei(config-if-tunnel20)#quit 4.3.. huawei(config)#static-lsp ingress tunnel-interface tunnel 10 destination 1.1. huawei(config)#vlan 11 standard huawei(config)#mpls vlan 11 huawei(config)#port vlan 11 0/17 0 huawei(config)#interface vlanif 11 huawei(config-if-vlanif11)#ip address 10.3.3. Enable the basic MPLS and MPLS TE globally. 1. huawei(config)#interface tunnel 10 huawei(config-if-tunnel10)#tunnel-protocol mpls te huawei(config-if-tunnel10)#destination 1.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 7 Configuring MPLS and PWE3 When functioning as the transit node.3 32 huawei(config-if-loopback0)#quit 2. and out label must be configured bidirectionally. Enable the basic MPLS and MPLS TE on the interface.3 huawei(config)#mpls huawei(config-mpls)#mpls te huawei(config-mpls)#quit b. a. huawei(config)#interface tunnel 20 huawei(config-if-tunnel20)#tunnel-protocol mpls te huawei(config-if-tunnel20)#destination 1. 
huawei(config)#static-lsp egress LSP2 incoming-interface vlanif 10 inlabel 8192 Source end MA5600T functions as the ingress of the detected static LSP.1. next hop IP address.20 24 huawei(config-if-vlanif20)#mpls huawei(config-if-vlanif20)#mpls te huawei(config-if-vlanif20)#quit 3. For detailed configuration.1. Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.20 24 huawei(config-if-vlanif11)#mpls huawei(config-if-vlanif11)#mpls te huawei(config-if-vlanif11)#quit huawei(config)#vlan 20 standard huawei(config)#mpls vlan 20 huawei(config)#port vlan 20 0/17 1 huawei(config)#interface vlanif 20 huawei(config-if-vlanif20)#ip address 10. see the configuration guide of the specific router.3.1.3.4. Configure the loopback interface.1.1.1.

//backward LSP tunnel ID to 20. Enable MPLS OAM at destination end MA5600T. 349 .1 nexthop 10. huawei(config)#save ----End Result After the configuration.1. run the display mpls oam ingress command and you can see the following defect state: in defect (In-defect).SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 7 Configuring MPLS and PWE3 huawei(config)#static-lsp ingress tunnel-interface tunnel 20 destination 1. Save the data. l The end-to-end tunnel protection technology is provided to recover the interrupted service.1.1. run the display mpls oam egress command and you can see the following defect state: dLocv detected (dLocv).1. l The interface IP address and mask.. Service Requirements l The OAM mechanism is used to detect in real time whether the MPLS link is normal and generates an alarm in time when a link fault is detected..1. tunnel ID to 10.10 out-label 8200 5.. shut down the interface of VLAN 10 by running the shutdown command on MA5600T_A to simulate the link fault: l On MA5600T_B.1 tunnel-id 10 frequency 100 backward-lsp t unnel 20 private .1. l RSVP-TE is used to create an LSP tunnel for the specified path and reserve resources so that the existing bandwidth resources can be fully used and QoS can be improved for specific services.1. Perform similar operations on MA5600T_B and you can obtain similar results. Tx frequency to 100 ms. huawei(config)#mpls huawei(config-mpls)#mpls oam huawei(config-mpls)#quit huawei(config)#mpls oam egress lsr-id 1. and tunnel to exclusive huawei(config)#mpls oam egress enable all 6. Prerequisite Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.4. l On MA5600T_A... and LSR-ID must be configured on each LSR. Configure the of the detected LSP to 1. Ltd. l The OSPF protocol must be successfully configured on each LSR in the network (the host route of each port must be successfully advertised). type ffd ingress LSR-ID packet type to mode. . 
Configuration Example of the MPLS OAM Protection Switching Function This topic describes how to configure MPLS OAM to implement the protection switching function. loopback interface. l The global and physical interface MPLS and MPLS TE functions must be enabled on each node of the LSR.//Configure the MPLS OAM destination end. detection FFD.1.

router A).1 Port: 0/17/0 IP address of VLAN interface 10 connected to Router A: 10. the traffic is switched to the secondary LSP.3. NOTE To prevent a fault from occurring on a transit node (for example. Enable the MPLS OAM protection switching function for the LSPs.1.10/24 MA5600T_B Issue 01 (2012-01-18) LSR ID: 3.1.. When the primary LSP is faulty. it is recommended that you specify different transit nodes when creating a secondary LSP. Table 7-2 Data plan for the MPLS OAM protection switching Item Data MA5600T_A LSR ID: 1.1.5.3.1.1.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 7 Configuring MPLS and PWE3 Networking Figure 7-2 shows an example network for configuring the MPLS OAM protection switching function. Figure 7-2 Configuring the MPLS OAM protection switching function Data Plan Table 7-2 provides the data plan for the MPLS OAM protection switching.1. Configure two LSP tunnels on source end MA5600T_A and destination end MA5600T_B functioning primary and secondary LSPs.10/24 Port: 0/17/1 IP address of VLAN interface 30 connected to Router A: 10.10/24 IP address of VLAN interface 21 connected to Router B: 10. Ltd.2. 350 .3 Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. Configure the backward LSP for reporting a fault to source end MA5600T_A.

2.4.10 24 huawei(config-if-vlanif30)#mpls huawei(config-if-vlanif30)#mpls te huawei(config-if-vlanif30)#mpls rsvp-te huawei(config-if-vlanif30)#mpls te bandwidth max-reservable-bandwidth 10240 //(Optional) Configure VLAN interface 30 to provide a reservable Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.5.20/24 IP address of VLAN interface 31 connected to Router A: 10.1.6.1 huawei(config)#mpls huawei(config-mpls)#mpls te huawei(config-mpls)#mpls rsvp-te huawei(config-mpls)#mpls te cspf huawei(config-mpls)#quit b. huawei(config)#vlan 30 standard huawei(config)#mpls vlan 30 huawei(config)#port vlan 30 0/17 1 huawei(config)#interface vlanif 30 huawei(config-if-vlanif30)#ip address 10.4. and RSVP-TE functions.1. huawei(config)#mpls lsr-id 1.2.1 32 huawei(config-if-loopback0)#quit 2.20/24 Port: 0/17/1 IP address of VLAN interface 20 connected to Router B: 10. MPLS TE. 351 . MPLS TE. 1.2.4 Procedure l Configure source end MA5600T_A. huawei(config)#interface loopback 0 huawei(config-if-loopback0)#ip address 1. Enable the interface basic MPLS.2.10/24. MPLS TE.2 Router B LSR ID: 4.1. Enable the global basic MPLS.4.1. and RSVP-TE functions.1. and RSVP-TE functions.1. a. Configure the loopback interface. huawei(config-if-vlanif10)#quit //Configure the attributes of VLAN interface 30 and configure the IP address of VLAN interface 30 to 10.1.1..3.10 24 huawei(config-if-vlanif10)#mpls huawei(config-if-vlanif10)#mpls te huawei(config-if-vlanif10)#mpls rsvp-te huawei(config-if-vlanif10)#mpls te bandwidth max-reservable-bandwidth 10240 //(Optional) Configure VLAN interface 10 to provide a reservable bandwidth of 10240 kbit/s for all tunnels.1.1. Enable the basic MPLS. Ltd.10/24.1. //Configure the attributes of VLAN interface 10 and configure the IP address of VLAN interface10 to 10.20/24 Backward tunnel: Router B to MA5600T_A Router A LSR ID: 2. 
huawei(config)#vlan 10 standard huawei(config)#mpls vlan 10 huawei(config)#port vlan 10 0/17 0 huawei(config)#interface vlanif 10 huawei(config-if-vlanif10)#ip address 10.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide Item 7 Configuring MPLS and PWE3 Data Port: 0/17/0 IP address of VLAN interface 11 connected to Router A: 10.1.

0. huawei(config)#interface tunnel 10 huawei(config-if-tunnel10)#tunnel-protocol mpls te huawei(config-if-tunnel10)#destination 3.3 huawei(config-if-tunnel30)#mpls te tunnel-id 30 huawei(config-if-tunnel30)#mpls te signal-protocol rsvp-te huawei(config-if-tunnel30)#mpls te bandwidth bc0 5120 //(Optional) Configure the global bandwidth of tunnel 30 to 5210 kbit/s. switching mode to revertive. Configure a tunnel protect group.3. 352 . Enable MPLS TE for the OSPF area.1.0)#mpls-te enable standard-complying huawei(config-ospf-100-area-0.1.3 huawei(config-if-tunnel10)#mpls te tunnel-id 10 huawei(config-if-tunnel10)#mpls te signal-protocol rsvp-te huawei(config-if-tunnel10)#mpls te bandwidth bc0 5120 //(Optional) Configure the global bandwidth of tunnel 10 to 5210 kbit/s. Enable MPLS OAM at source end MA5600T_A. huawei(config)#ospf 100 huawei(config-ospf-100)#opaque-capability enable huawei(config-ospf-100)#area 0 huawei(config-ospf-100-area-0..1.10 24 huawei(config-if-vlanif21)#mpls huawei(config-if-vlanif21)#mpls te huawei(config-if-vlanif21)#mpls rsvp-te huawei(config-if-vlanif21)#mpls te bandwidth max-reservable-bandwidth 10240 //(Optional) Configure VLAN interface 21 to provide a reservable bandwidth of 10240 kbit/s for all tunnels.3.0. Configure the attributes of the working MPLS TE tunnel from the source end to the destination end. Configure the tunnel ID of the Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. huawei(config-if-vlanif30)#quit //Configure the attributes of VLAN interface 21 and configure the IP address of VLAN interface 21 to 10. Ltd. huawei(config)#mpls huawei(config-mpls)#mpls oam huawei(config-mpls)#quit huawei(config)#mpls oam ingress tunnel 10 type ffd frequency 100 backward-lsp lsr-id 3.0.3.1.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 7 Configuring MPLS and PWE3 bandwidth of 10240 kbit/s for all tunnels. 
Configure the MPLS TE tunnel from the source end to the destination end.10/24.3. Configure tunnel 30 as the protect tunnel for tunnel 10. huawei(config-if-tunnel10)#mpls te commit huawei(config-if-tunnel10)#quit Configure the attributes of the protection MPLS TE tunnel from the source end to the destination end. huawei(config)#interface tunnel 10 huawei(config-if-tunnel10)#mpls te protection tunnel 30 mode revertive wtr 30 huawei(config-if-tunnel10)#mpls te commit huawei(config-if-tunnel10)#quit 6. huawei(config-if-vlanif21)#quit 3.3. and automatic WTR time to 900s. huawei(config)#vlan 21 standard huawei(config)#mpls vlan 21 huawei(config)#port vlan 21 0/17 1 huawei(config)#interface vlanif 21 huawei(config-if-vlanif21)#ip address 10.0.3 tunnel-id 20 //Configure the MPLS OAM source end.0)#quit huawei(config-ospf-100)#quit 4. huawei(config-if-tunnel30)#mpls te commit huawei(config-if-tunnel30)#quit 5. huawei(config)#interface tunnel 30 huawei(config-if-tunnel30)#tunnel-protocol mpls te huawei(config-if-tunnel30)#destination 3.3.

huawei(config)#save l Configure Router A or Router B.20/24.20/24. huawei(config)#vlan 31 standard huawei(config)#mpls vlan 31 huawei(config)#port vlan 31 0/17 1 huawei(config)#interface vlanif 31 huawei(config-if-vlanif31)#ip address 10.20 24 huawei(config-if-vlanif11)#mpls huawei(config-if-vlanif11)#mpls te huawei(config-if-vlanif11)#mpls rsvp-te huawei(config-if-vlanif10)#quit //Configure the attributes of VLAN interface 20 and configure the IP address of VLAN interface 20 to 10. huawei(config)#mpls lsr-id 3. MPLS TE. and out label must be configured bidirectionally. next hop IP address.6. and global bandwidth for the tunnel to 5120 kbit/s. When functioning as the transit node.3.1. huawei(config)#vlan 11 standard huawei(config)#mpls vlan 11 huawei(config)#port vlan 11 0/17 0 huawei(config)#interface vlanif 11 huawei(config-if-vlanif11)#ip address 10. detection packet type to FFD.6.1. destination IP address to 1. l Configure destination end MA5600T_B. Configure the loopback interface.1.1. Router A or Router B mainly forwards MPLS labels.3. see the configuration guide of the specific router. Ltd.3. 353 . //and backward LSP tunnel ID to 20.3 huawei(config)#mpls huawei(config-mpls)#mpls te huawei(config-mpls)#mpls rsvp-te huawei(config-mpls)#mpls te cspf huawei(config-mpls)#quit b.3 32 huawei(config-if-loopback0)#quit 2.1. LSR-ID of the backward LSP to 3. MPLS TE. The ingress interface.3. Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.3. //Configure the attributes of VLAN interface 11 and configure the IP address of VLAN interface 11 to 10.4.20 24 huawei(config-if-vlanif31)#mpls huawei(config-if-vlanif31)#mpls te huawei(config-if-vlanif31)#mpls rsvp-te huawei(config-if-vlanif31)#quit 3.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 7 Configuring MPLS and PWE3 detected LSP to 10.3. Save the data. 
huawei(config)#interface loopback 0 huawei(config-if-loopback0)#ip address 3.20 24 huawei(config-if-vlanif20)#mpls huawei(config-if-vlanif20)#mpls te huawei(config-if-vlanif20)#mpls rsvp-te huawei(config-if-vlanif20)#quit //Configure the attributes of VLAN interface 31 and configure the IP address of VLAN interface 31 to 10.1.1. For detailed configuration. Configure the tunnel ID to 20.3. huawei(config)#mpls oam ingress enable all 7. and RSVP-TE functions.20/24.1. a. Configure the MPLS TE tunnel bound to the backward LSP. and RSVP-TE functions.4. Enable the basic MPLS. MPLS TE.3.3.1. and RSVP-TE functions. Tx frequency to 100 ms. Enable the global basic MPLS. Enable the interface basic MPLS. in label. huawei(config)#vlan 20 standard huawei(config)#mpls vlan 20 huawei(config)#port vlan 20 0/17 1 huawei(config)#interface vlanif 20 huawei(config-if-vlanif20)#ip address 10. 1..

1. Configure the of the detected LSP to 1. Enable MPLS OAM at destination end MA5600T_B.. huawei(config)#mpls huawei(config-mpls)#mpls oam huawei(config-mpls)#quit huawei(config)#mpls oam egress lsr-id 1.2 Configuring the PWE3 Private Line Service Pseudo wire emulation edge-to-edge (PWE3) uses LDP or RSVP-TE as the signaling protocol and carries various L2 services of the customer edge (CE) over the MPLS LSP or TE tunnel. PWE3 Service Model According to the PWE3 service model.1.1.1. type ffd ingress LSR-ID packet type to mode.1. 354 . //backward LSP tunnel ID to 20. l Switch result: The traffic is switched to protection tunnel 30. Tx frequency to 100 ms. Network Application The mainstream applications of the MPLS PWE3 supported by the MA5600T are as follows: Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. or layer-2 tunneling protocol (L2TP) technology. l Status of the protection tunnel (protect-tunnel defect state): non-defect.1 huawei(config-if-tunnel20)#mpls te tunnel-id 20 huawei(config-if-tunnel20)#mpls te signal-protocol rsvp-te huawei(config-if-tunnel20)#mpls te bandwidth bc0 5120 huawei(config-if-tunnel20)#mpls te reserved-for-binding huawei(config-if-tunnel20)#mpls te commit huawei(config-if-tunnel20)#quit 4. MPLS over IP. UDP over IP.1 tunnel-id 10 frequency 100 backward-lsp tunnel 20 private //Configure the MPLS OAM destination end. UDP. transparently transmitting the L2 data of the CE. The PWE3 outer label and inner label support the following combinations: MPLS over MPLS.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 7 Configuring MPLS and PWE3 huawei(config)#interface tunnel 20 huawei(config-if-tunnel20)#tunnel-protocol mpls te huawei(config-if-tunnel20)#destination 1. you can shut down the interface of VLAN 10 by running the shutdown command on MA5600T_A to simulate the link fault. 
PWE3 is indicated by the outer packet switch network (PSN) tunnel label and the inner label (PW demultiplexer). and tunnel to exclusive huawei(config)#mpls oam egress enable all 5. The PSN layer can select the MPLS or IP technology and the PW demultiplexer can select the MPLS. Ltd. tunnel ID to 10. The MA5600T supports the first three. Then. huawei(config)#save ----End Result After the configuration. 7.1. and L2TP over IP. The information is as follows: l Status of the working tunnel (work-tunnel defect state): in defect.1. you can query the information about the primary tunnel (with ID 10) that is configured on MA5600T_A by running the display mpls te protection tunnel command on MA5600T_A. detection FFD. Save the data.

The ONU restores the IMA service to the ATM service and encapsulates the ATM service on the ATM PWE3 private line for connecting to the peer ATM PWE3 device (PTN device in the figure).SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 7 Configuring MPLS and PWE3 l TDM PWE3: A mobile 2G base station is connected to the ONU through the TDM E1 port. 3. The OSPF protocol must be successfully configured on each device in the network (the host route of each port must be successfully advertised). the MA5600T supports PW over the IP tunnel or MPLS tunnel to transparently transmit services in the IP network. Procedure 1. namely MPLS network or IP network. MPLS over IP. Ltd. The MA5600T functions as a L2 transparent transmission device or P device. Different PWE3s support different tunnel encapsulation formats. 355 . and tunnel protection. The EDTB board does not support UDP over IP currently. l ATM PWE3 supports the following PWE3 tunnel encapsulation formats: MPLS over MPLS and MPLS over IP. l ETH PWE3: A 3G base station is connected to the ONU through the FE/GE port. 7.2. Issue 01 (2012-01-18) In the global config mode. Pay attention to the following points during the configuration: l TDM PWE3 supports the following PWE3 tunnel encapsulation formats: MPLS over MPLS. 4. The loopback interface IP address must be configured. l ATM PWE3: The IMA service data of a 3G base station is connected to the ONU through the E1 port. inner PW configuration. Therefore. transmitting traffic streams to the peer TDM PWE3 device through the PSN. The ONU performs the ETH PWE3 encapsulation for interconnecting with the peer ETH PWE3 device. 2. and UDP over IP. Prerequisites 1.. The LSR ID must be configured. Procedure According to the PWE3 service model. Context According to the upper-layer PSN type. the configuration procedure is as follows. l ETH PWE3 supports only the MPLS over MPLS encapsulation format. The ONU implements the TDM PWE3. 
The MA5600T functions as a L2 transparent transmission device or P device. PWE3 configurations include the outer tunnel configuration. The global MPLS and MPLS TE functions must be enabled.1 Configuring the PWE3 Outer Tunnel To provide services across the IP network or MPLS network. PE device. l Configure the MPLS TE tunnel. or P device. the PWE3 outer tunnel is categorized as MPLS tunnel and IP tunnel. Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. run the interface tunnel command to create a tunnel interface and enter the tunnel interface mode. The OLT functions as a L2 transparent transmission device.

NOTE Each time the MPLS IP parameters on the tunnel interface are changed. the LSR ID of the egress is used. After the configuration is completed. fewer resources are used. 8. (Optional) Run the mpls te bandwidth command to configure the bandwidth of the tunnel. According to whether the MPLS TE tunnel uses the dynamic signaling protocol. – MPLS RSVP-TE tunnel: MPLS TE creates the LSP tunnel along a specified path through RSVP-TE and reserves resources.. Generally. Run the tunnel-protocol mpls ip command to configure the tunnel protocol to MPLS IP. If the MPLS TE tunnel is only used to change the data transmission path. you may not configure the bandwidth of the tunnel. Generally. 4. 356 . This solves the problem that certain paths are overloaded and other paths are idle. that is. 3. In the global config mode.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 7 Configuring MPLS and PWE3 2. you need to run the mpls te commit command to commit the configuration. The static tunnel. Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. – Static MPLS TE tunnel: The forwarding information and resource information are configured manually. configure the tunnel interface to work in the TE tunnel mode. that is. NOTE Each time the MPLS TE parameters on the tunnel interface are changed. 5. Run the tunnel-protocol mpls te command to configure the tunnel protocol to MPLS TE. utilizing the current bandwidth resources sufficiently. Run the mpls te signal-protocol { rsvp-te | static } command to configure the signaling protocol for the MPLS TE tunnel. the LSR ID of the ingress is used. Run the destination ip-address command to configure the destination IP address of the tunnel. (Optional) Run the mpls te path explicit-path command to configure the explicit path used by the MPLS TE tunnel. 6. configure the tunnel interface to work in the IP tunnel mode. the LSR ID of the ingress is used. 
Run the mpls te commit command to commit the current tunnel configuration. 4. l Run the display interface tunnel command to query the configuration of the tunnel. To limit only the bandwidth of the MPLS TE tunnel but not the transmission path. Run the mpls te tunnel-id command to configure the tunnel ID. cannot be dynamically adjusted according to network changes. you may not configure the explicit path of the tunnel. 5. the tunnel is categorized as static MPLS TE tunnel and MPLS RSVP-TE tunnel. and the signaling protocol and path calculation are not involved. Therefore. Ltd. you need to run the mpls te commit command to commit the configuration. 2. 1. Generally. Run the source ip_addr command to configure the source IP address of the tunnel. however. Configure the MPLS IP tunnel. Run the mpls te commit command to commit the current tunnel configuration. the actual application is limited. 7. 9. only the VLAN interface meeting this bandwidth requirement is selected as the node traversed by an MPLS TE tunnel when the MPLS TE tunnel is created. Thus. run the interface tunnel command to create a tunnel interface and enter the tunnel interface mode. carriers can accurately control the path that traffic traverses to avoid the node where congestion occurs. 3. Run the destination ip-address command to configure the destination IP address of the tunnel. Because the MPLS-related control packets are not exchanged.

6. Run the display interface tunnel command to query the configuration of the tunnel.

----End

7.2.2 Configuring the Tunnel Policy

Configure the tunnel selection sequence for load balancing or the tunnel binding policy in the tunnel. After the configuration is successful, packets in the tunnel are processed according to the tunnel policy.

Prerequisites

The PWE3 outer tunnel must be created.

Context

The tunnel selection sequence and the tunnel binding policy are mutually exclusive. This means that you can configure only one of them.

- The IP tunnel supports the configuration of only the tunnel selection sequence.
- The MPLS TE tunnel supports the configuration of only the tunnel binding policy.

Procedure

Step 1 Run the tunnel-policy command to create a tunnel policy name and enter the tunnel policy mode.

Step 2 For IP tunnel, run the tunnel select-seq command to configure the selection sequence of tunnels for load balancing.

To configure different tunnel types for load balancing according to priorities, run this command. The tunnels are selected according to the tunnel configuration. The closer a tunnel type is to the keyword select-seq, the higher its priority for load balancing. The MA5600T does not support load balancing between different tunnels. In other words, tunnels for load balancing must be of the same type.

Step 3 For MPLS TE tunnel, run the tunnel binding command to configure the tunnel binding policy.

To bind to a specified tunnel ID and configure the system to switch to another tunnel according to the configured sequence when a tunnel is not available, run this command. destination ip-addr indicates the destination IP address of the tunnel, which must be the same as the destination IP address configured in the MPLS TE tunnel. After the tunnel binding policy is configured, run the mpls te reserved-for-binding command in the tunnel mode to allow the MPLS TE tunnel to be bound to the VPN instance.

Step 4 In the global config mode, run the display tunnel-policy command to query the information about the tunnel policy.

----End

Example

To configure a tunnel policy named te_policy and bind to tunnels with the destination IP address 5.5.5.5 and IDs 10 and 20, do as follows:

huawei(config)#tunnel-policy te_policy
  Info: New tunnel-policy is configured.
huawei(config-tunnel-policy-te_policy)#tunnel binding destination 5.5.5.5 te tunnel 10 tunnel 20
huawei(config)#display tunnel-policy
{ <cr>|string<S><Length 1-19> }:

  Command:
          display tunnel-policy
  Total   tunnel policy num: 1
  Sel-Seq tunnel policy num: 0
  Binding tunnel policy num: 1
  Invalid tunnel policy num: 0

  Tunnel Policy Name   Destination   Tunnel Intf   Down switch
  -----------------------------------------------------------------------------
  te_policy            5.5.5.5       tunnel10      Disable
                                     tunnel20

7.2.3 Configuring the PWE3 Inner PW

Configure the attribute of PW and use the PW parameters for PW binding.

Prerequisites

- MPLS L2VPN must be enabled.
- The tunnel policy must be configured.

Context

PW parameters include the following parameters: control word, PW type, loopback IP address of the peer device, maximum transmission unit (MTU), RTP control header, virtual circuit connectivity verification (VCCV), used tunnel policy, flow label classification, jitter buffer (only for TDM PWs), and TDM load time (only for TDM PWs).

Different services have different configurations when the services are bound to a PW. PW parameters and the PW have a one-to-one mapping. One PW parameter can be used by only one PW.

Procedure

Step 1 Run the pw-para command to create a PW parameter.

Step 2 Run the peer-address command to configure the IP address of the peer device.

peer-address indicates the peer IP address in the PW for creating communication. In the actual transmission, data packets are automatically transmitted to the peer device according to this IP address.

Step 3 Run the pw-type command to configure the PW type.

The MA5600T supports TDM, ATM and ETH PWs.

The ATM PW is categorized as ATM NTo1 VCC and ATM SDU types.

- ATM NTo1 VCC: One or more ATM VCCs are transmitted on a PW.
- ATM SDU: Only the AAL5 CPCS-SDU payload is transmitted.

ETH PWs are categorized as raw and tagged modes.

- Raw mode: The PW VLAN tag is not carried in the upstream direction, but the PW payload can carry the SVLAN.

- Tagged mode: The payload of an upstream packet carries the PW VLAN tag, and the PW VLAN tag is removed in the downstream direction.

For the same PW, the PW types at both ends must be the same.

CAUTION
Among PW parameters, the IP address and PW type of the peer device cannot be changed after they are configured. To change these two parameters, run the undo pw-para command to delete them first, and then configure them again. Make sure that the two parameters are correctly configured the first time, so as to prevent repeated operations.

Step 4 Run the control-word command to enable the control word mode.

It is recommended that you enable the control word mode. When VCCV ping works in the control word mode, you need to enable the control word.

Step 5 (Optional) Run the jitter-buffer command to configure the jitter buffer.

The jitter buffer can effectively prevent jitter and delay. By default, the jitter buffer size is 2000 µs. Do not modify this value unless there is a special requirement.

NOTE
- Only a TDM PW supports setting of the jitter buffer size.
- The jitter buffer size must be an integer multiple of 125.

Step 6 (Optional) Run the mtu command to configure the MTU.

Due to the limit in the system, the configurable MTU ranges for different PW types are different:

- MTU values set on the two devices at the ends of an ETH PW must be the same. If MTU values are different, an ETH PW can never be available.
- By default, the MTU is 1500 bytes.

Step 7 Run the rtp-header command to configure the RTP control header.

NOTE
This command is applicable to only TDM PWs.

After RTP is enabled, PW packets of the TDM type carry the RTP control header. Otherwise, the RTP control header is not carried. The length of the RTP header is 12 bytes, including the version number, padding flag, and timestamp fields. The timestamp field, whose length is 32 bits, is used for clock synchronization. For the format of the RTP header, see RFC3550.

By default, the MA5600T disables the RTP control header. The RTP configuration must be the same as that on the peer PW device. In this way, the PW can be available.

Step 8 Run the vccv command to enable VCCV, so as to notify the peer device of the VCCV types supported by the local device.

VCCV is an end-to-end PW fault detection and diagnosis mechanism. Simply put, VCCV is a control channel for the PW to send verification messages between the ingress and egress. After a successful negotiation by both devices, a virtual circuit connectivity verification is performed by using LSP ping according to the priority of the VCCV type.

Enable the LSP ping function for alert, CW, and TTL channels or any of the three channels according to the VCCV types supported by the system. By default, VCCV is disabled.

Step 9 (Optional) Run the tdm-load-time command to configure the TDM load time.

NOTE
Only a TDM PW supports the setting of the load time.

Because each TDM frame is 125 µs, the load time must be an integer multiple of 125. If the entered number is not an integer multiple of 125, the system rounds it down to the nearest integer multiple of 125 µs. The default jitter buffer is 1000 µs. Do not modify this value unless there is a special requirement. The jitter buffer must be greater than the load time.

Step 10 (Optional) Run the tnl-policy command to configure the tunnel policy used by the PW.

After the tunnel policy used by the PW is configured, the PW can perform load balancing or path selection according to the tunnel policy.

NOTE
The tunnel policy and the PW flow label classification are mutually exclusive. Configure either of them.

Step 11 (Optional) Run the flow-label command to enable flow classification.

After the configuration, the flow classification function takes effect. Then, at the start point of the PW (ingress PE), the PW data is classified into different flows and each flow is allocated with a flow label. The downstream P node of the PW performs load balancing according to the flow labels. The flow label supports flow classification by the source IP address, destination IP address, source MAC address, destination MAC address, and any combination of these four addresses.

NOTE
- The tunnel policy and the PW flow label classification are mutually exclusive. Configure either of them.
- Only the ETH PW supports flow label.
- After flow classification is enabled, to implement PWE3 load balancing, you need to run the mpls ecmp command in the global config mode to enable the MPLS ECMP function.
- Before configuring the flow label capability, make sure that the status of the flow label function on the local end is the same as that on the peer end, and it is recommended that you adopt the same classification rules. If the flow label function is enabled on the local end but is disabled on the peer end, the packets carrying a flow label sent by the local end will be dropped after they arrive at the peer end, and the packets carrying no flow label will also be dropped after they arrive at the local end. As a result, services will be interrupted.

Step 12 (Optional) Run the max-atm-cells command to configure the maximum number of ATM cells that can be subtended.

Only the PW bound to a PW of the NTo1 VCC type requires the configuration of the maximum number of ATM cells that can be subtended. After the configuration, the number of ATM cells in the packet sent from the peer end cannot exceed this value. The default value is 1.

Step 13 (Optional) Run the max-encapcell-delay command to configure the packet delay of the ATM cell maximum group.

Only the PW of the NTo1 VCC type requires the configuration of the packet delay of the ATM cell maximum group. After the configuration, the maximum waiting time of subtended ATM cells encapsulated in a packet is the packet delay of the ATM cell maximum group. The default value is 0 ms.

30. Before changing the attributes. Step 14 In the privilege mode or global config mode. the attributes of the PW cannot be changed.20.. ----End Example To configure PW 10 with the following attributes.20 huawei(config-pw-para-10)#pw-type tdm satop e1 huawei(config-pw-para-10)#tnl-policy tdm-policy huawei(config-pw-para-10)#rtp-header huawei(config-pw-para-10)#control-word huawei(config-pw-para-10)#vccv cc cw alert ttl cv lsp-ping huawei(config-pw-para-10)#quit huawei(config)#display pw-para 10 PW ID : 10 PeerIP : 10. Then.10. run the undo manual-set pw-ac-fault command to set the adminstatus of the PW back to up. 361 .10.20 l Name of the tunnel policy used by the PW: tdm-policy l Enable the RTP control header and the control word mode l Enable the connectivity verification function of the alter. After the attributes are changed.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 7 Configuring MPLS and PWE3 CAUTION If a PW is already set up and its adminstatus queried by running the display pw command is displayed as up. run the display pw-para command to query the configuration of the PW.10. run the manual-set pw-ac-fault command to set the adminstatus of the PW to down. Ltd.20 Tnl Policy Name : tdm-policy PW Type : tdm satop e1 CtrlWord : enable VCCV Capability : cw alert ttl lsp-ping MTU : 1500 MaxAtmCells : -MaxEncapDelay : -RTP : enable JitterBuffer : 2000 LoadTime(us) : 1000 TimeSlotNum : 32 PayLoadSize(bytes) : 256 FlowLabel : -- To configure PW 20 with the following attributes.40 l Name of the tunnel policy used by the PW: eth-policy l Other parameters: default settings huawei(config)#pw-para 20 huawei(config-pw-para-20)#pw-type ethernet tagged Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.10. CW and TTL channels l Other parameters: default settings huawei(config)#pw-para 10 huawei(config-pw-para-10)#peer-address 10.10. 
do as follows: l PW type: TDM SAToP E1 l IP address of the peer PW device: 10.10. the new configurations of the PW take effect. do as follows: l PW type: ETH Tagged l IP address of the peer PW device: 10.

Pay attention to the following points during the configuration: – To specify a PW as a static PW. you need to configure the in label and out label of the PW. The destination port ID must be the same as the source port Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. 362 . Run the pw-ac-binding tdm command to use a PW to create the TDM PW service.2. static PW.40 Tnl Policy Name : eth-policy PW Type : ethernet tagged CtrlWord : disable VCCV Capability : disable MTU : 1500 MaxAtmCells : -MaxEncapDelay : -RTP : -JitterBuffer : -LoadTime(us) : -TimeSlotNum : -PayLoadSize(bytes) : -FlowLabel : -- 7.30.20. Ltd. Procedure l Bind the TDM service to a PW. the relevant information is configured manfully through the command line interface (CLI). l For ETH PWE3. l TDM PWE3 supports dynamic PW.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 7 Configuring MPLS and PWE3 huawei(config-pw-para-20)#peer-address 10. user packets are encapsulated and forwarded according to the modes defined in the PW parameters.20. and the data is transmitted through tunnels between PEs.. l ETH PWE3 supports dynamic PW and static PW. – To specify a PW and an UDP PW. Context Different PWE3 services have different configurations when the services are bound to a PW.40 huawei(config-pw-para-20)#tnl-policy eth-policy huawei(config-pw-para-20)#quit huawei(config)#display pw-para 20 PW ID : 20 PeerIP : 10. you need to configure the destination port ID and source port ID of the PW. Prerequisites l The PW must be configured. After the binding. the ETH-based service port must be created. and UDP PW. static PW. The out label value must be an unallocated and idle value at the peer end and the in label value must be an unallocated value at the local end. the ATM-based service port must be created. The parameters of a static PW are not negotiated using the signaling protocol. and UDP PW. the TDM connection must be created. 
l For ATM PWE3.4 Binding the Service to the PW Bind various PWE3 services to a PW.30. l ATM PWE3 supports dynamic PW. l For TDM PWE3.

ID at the peer PW device and the source port ID must be the same as the destination port ID at the peer PW device.

- Bind the ATM service to a PW.

Run the pw-ac-binding pvc command to use a PW to create the ATM PW service.

The PVC and the PW can be bound in two modes: NTo1 mode and SDU mode. Pay attention to the following points during the configuration:

  – In the SDU mode, a PW is bound to only one PVC. Therefore, you need not change the VPI or VCI.
  – In the NTo1 mode, a PW can be bound to multiple PVCs. To differentiate between PVCs, you must change the out VPI and VCI of the PW, that is, you must specify outvpi and outvci.

Operation procedure is as follows:

1. Run the pw-ac-binding pvc command to bind a PW to a PVC.
2. Run the pw-ac-append pvc command to bind the PW to another PVC.

- Bind the ETH service to a PW.

Run the pw-ac-binding vlan command to use a PW to create the ETH PW service.

Note: To specify a PW as a static PW, you need to configure the in label and out label of the PW. The out label value must be an unallocated and idle value at the peer end and the in label value must be an unallocated value at the local end.

----End

Example

To bind the TDM service to a PW with the following settings, do as follows.

Settings: TDM connection ID 10, PW ID 12, PW label using the UDP port, UDP destination port ID 50050, and UDP source port ID 50050.

huawei(config)#pw-ac-binding tdm 10 pw 12 udp ingress-dst-port 50050 egress-dst-port 50060

To bind the ATM service to a PW with the following settings, do as follows.

Settings: ATM access port 0/3/0, VPI/VCI 0/35, PW type to ATM sdu, and PW ID 20.

huawei(config)#pw-ac-binding pvc 0/3/0 vpi 0 vci 35 pw 20

To bind the ETH service to a PW with the following settings, do as follows.

Settings: VLAN ID 100, PW ID 30, PW out label 8500, and PW in label 8600.

huawei(config)#pw-ac-binding vlan 100 pw 30 static transmit-label 8500 receive-label 8600

7.2.5 Configuring MPLS Tunnel Protection

Create a protection tunnel for the MPLS TE tunnel. When the working tunnel is faulty, the system quickly switches to the protection tunnel to ensure the service reliability.

Prerequisites

- The forward LSP must be created.
- The backward LSP must be created.
- MPLS OAM must be enabled.

Context

MPLS tunnel protection is a part of the MPLS OAM connectivity detection mechanism. When the source end finds the active LSP is defective through the MPLS OAM detection mechanism, and the protection switching is required, the system can switch the data to the protection tunnel for continuous transmission.

The working mode of MPLS OAM protection switching is 1:1 protection. Normally, each working tunnel has a protection tunnel.

The basic process of the MPLS OAM connectivity check and protection switching is as follows:
1. The source transmits the CV/FFD packets to the destination through the detected LSP.
2. The destination checks the correctness of the type and frequency carried in the received detection packets and measures the number of correct and errored packets that are received within the detection period to monitor the connectivity of the LSP in real time.
3. After detecting a defect, the destination transmits the BDI packets that carry the defect information to the source through the backward path.
4. The source learns about the status of the defect, and triggers the corresponding protection switching when the protect group is correctly configured.

Procedure

Step 1 Configure working MPLS TE tunnel.
1. In global config mode, run the interface tunnel command to create a tunnel interface and enter the tunnel interface mode.
2. Run the tunnel-protocol mpls te command to configure the tunnel protocol to MPLS TE.
3. Run the destination ip-address command to configure the destination IP address of the tunnel. Generally, the egress LSR ID is used.
4. Run the mpls te tunnel-id command to configure the tunnel ID.
5. Run the mpls te signal-protocol rsvp-te command to configure the signaling protocol of the tunnel to RSVP-TE.
6. (Optional) Run the mpls te bandwidth command to configure the bandwidth for the tunnel. If the MPLS TE tunnel is only used to change the data transmission path, you may not configure the tunnel bandwidth. After the configuration is completed, only the VLAN interface that meets this bandwidth value can be selected as the node traversed by the MPLS TE tunnel path when the MPLS TE tunnel is created.
7. (Optional) Run the mpls te path explicit-path command to configure the explicit path used by the MPLS TE tunnel. If only the bandwidth used by the MPLS TE tunnel is limited but the transmission path is not limited, you may not configure the explicit path used by the MPLS TE tunnel.
8. Run the mpls te commit command to commit the current configuration of the tunnel.

Step 2 Configure protection MPLS TE tunnel.
The configuration of the protection tunnel is the same as that of the working tunnel.

Step 3 Configure a tunnel protect group.
Configure the working tunnel and the protection tunnel as a tunnel protect group.

1. In the global config mode, run the interface tunnel command to enter the working tunnel interface mode.
2. Run the mpls te protection tunnel command to create a tunnel protect group and set the switchback mode of the protect group.
The switchback policy of a PW protect group can be immediate automatic switchback, automatic switchback after a period of time, and no automatic switchback.

Step 4 (Optional) Run the mpls te protect-switch command to forcibly switch over the tunnel protect group.
To manually switch data streams between working and protection tunnels, run this command. There are four forcible switching modes:
• clear: clears all external switching commands that are already executed in the system.
• lock: lock switching, which locks data streams on the working tunnel.
• force: forcible switching, which forcibly switches data streams to the protect tunnel.
• manual work-lsp: manually switches data streams on the working tunnel to the protection tunnel.
• manual protect-lsp: manually switches data streams on the protection tunnel to the working tunnel.
Keywords clear, lock, force, and manual correspond to switching priorities in descending order. If a command with a higher priority is executed, a command with a lower priority cannot be executed.

Step 5 In the global config mode, run the display mpls te protection tunnel command to query the configuration of the tunnel protect group.

----End

Example

To configure RSVP-TE tunnel IDs to 10 and 30, destination IP address of the tunnels to 3.3.3.3, tunnel 30 as the protection tunnel of tunnel 10, switchback mode to revertive, and WTR time to 900s, do as follows:

huawei(config)#interface tunnel 10
huawei(config-if-tunnel10)#tunnel-protocol mpls te
huawei(config-if-tunnel10)#destination 3.3.3.3
huawei(config-if-tunnel10)#mpls te tunnel-id 10
huawei(config-if-tunnel10)#mpls te signal-protocol rsvp-te
huawei(config-if-tunnel10)#mpls te bandwidth bc0 5120 //(Optional) Configure the global bandwidth of tunnel 10 to 5120 kbit/s.
huawei(config-if-tunnel10)#mpls te commit
huawei(config-if-tunnel10)#quit
huawei(config)#interface tunnel 30
huawei(config-if-tunnel30)#tunnel-protocol mpls te
huawei(config-if-tunnel30)#destination 3.3.3.3
huawei(config-if-tunnel30)#mpls te tunnel-id 30
huawei(config-if-tunnel30)#mpls te signal-protocol rsvp-te
huawei(config-if-tunnel30)#mpls te bandwidth bc0 5120 //(Optional) Configure the global bandwidth of tunnel 30 to 5120 kbit/s.
huawei(config-if-tunnel30)#mpls te commit
huawei(config-if-tunnel30)#quit
huawei(config)#interface tunnel 10
huawei(config-if-tunnel10)#mpls te protection tunnel 30 mode revertive wtr 30
huawei(config-if-tunnel10)#mpls te commit
huawei(config-if-tunnel10)#quit

7.3 Configuring TDM PWE3 Private Line Service (T1 Upstream Transmission)

The MA5612 receives the time division multiplexing (TDM) service through T1 ports, performs circuit emulation service over packet (CESoP) emulation on the TDM service and transmits the service to the MA5600T. The MA5600T terminates the emulation data, restores TDM signals, and transmits the signals to the synchronous digital hierarchy (SDH) network through T1 ports. Such a mechanism allows the traditional circuit-switched service to be carried over the Ethernet passive optical network (EPON).

Service Requirements
• The MA5612 receives TDM access service from enterprise users and home users through T1 ports.
• Existing SDH resources are utilized efficiently.
• The optical line terminals (OLTs) and cell backhaul units (CBUs) from different manufacturers are required to interoperate properly.

Figure 7-3 shows an example network of the TDM pseudo wire emulation edge-to-edge (PWE3) private line service. The MA5612 receives the TDM service through T1 ports, performs CESoP emulation on the TDM service data, and transmits the data upstream to the OLT's EPON service boards. The OLT terminates the emulation data, restores TDM signals, and transmits the TDM signals to TDM networks through T1 ports on EDTB boards. This process implements the TDM private line access service between the MA5612 and the MA5600T by means of CESoP emulation.

Figure 7-3 TDM PWE3 private line access service

Data Plan

Table 7-3 provides the data plan of the OLT, and Table 7-4 provides the data plan of the MA5612.

3..1/24 IP address of the Layer 3 interface of VLAN 500: 10.168.5. Line profile 20 is bound to dynamic bandwidth allocation (DBA) profile 20. Ltd.50.0.3.0.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 7 Configuring MPLS and PWE3 Table 7-3 Data plan for configuring the TDM PWE3 private line access service on OLT Item Data VLAN Inband management VLAN: smart VLAN 8 Service VLAN (S-VLAN): smart VLAN 500 IP address Inband management IP address: 192. 367 .5 PW type: TDM CESoP PW load time: 125 μs TDM timeslot: 24 Jitter buffer size: 2500 μs Control word: supported Real-time Transfer Protocol (RTP): enabled Virtual circuit connectivity verification (VCCV): enabled H802EDTB service board T1 port: 0/9/0 Port impedance: 100 ohms Port line coding: B8ZS DBA profile Profile ID: 20 Type: type1 Fixed bandwidth: 30 Mbit/s Bandwidth compensation: enabled Issue 01 (2012-01-18) ONU line profile Profile ID: 20.3 Multi-protocol label switch (MPLS) Label Distribution Protocol (LDP): enabled PW parameters PW ID: 3 IP address of the peer end: 5.5.10/24 EPON service board Port: 0/6/1 ONU ID: 1 ONU authentication mode: medium access control (MAC) address SPUB board Board slot: 0/3 MPLS MPLS label switching router (LSR) ID: 3. ONU management mode SNMP Tx clock of a T1 port Line clock. Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. Clock signals are obtained from the T1 line.

5.168.5. Configure EPON ONU profiles.5 Global MPLS: enabled MPLS LDP: enabled PW parameters PW ID: 5 PW type: TDM CESoP IP address of the peer end: 3. SVLAN: smart VLAN 500.. EPON ONU profiles include DBA profiles and line profiles. Ltd.0. ID of the TDM virtual channel link (VCL) timeslot bitmap created by the T1 port: 0xfffffffe TDM VCL ID: 10 TDM VCL service type: CESoP Tx Clock: adaptive clock. 1.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 7 Configuring MPLS and PWE3 Table 7-4 Data plan for configuring the TDM PWE3 private line access service on MA5612 Item Data VLAN Inband management VLAN: smart VLAN 8.50.3 PW load time: 125 μs TDM timeslot: 24 Jitter buffer size: 2500 μs Control word: supported RTP: enabled VCCV: enabled Port ID: 0/1/0 T1 port Port working mode: structured data transfer (SDT) TDM signals output by the T1 port support the extended super frame (ESF) check. restoring from PW 5 Procedure l Configure the OLT.5/32 IP address of the Layer 3 interface of VLAN 500: 10.1.5. IP address Inband management IP address: 192. EPON upstream port 0/0/0 is added to this VLAN. ONUs in this topic refer to the MA5612s.5. Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.2/24 IP address of loopback interface 0: 5.3. 368 .10/24 MAC address MAC address of the EPON port of the MA5612: 0018-82D6D178 MPLS MPLS LSR ID: 5. NOTE Unless otherwise specified.3. EPON upstream port 0/0/0 is added to this VLAN.

– DBA profile: A DBA profile describes EPON traffic parameters. A logic link ID (LLID) is bound to a DBA profile for dynamically allocating bandwidth and improving upstream bandwidth usage efficiency.
– Line profile: A line profile describes the relationships between an LLID and a DBA profile.

a. Configure a DBA profile.
Run the display dba-profile command to query existing DBA profiles in the system. If the existing DBA profiles in the system cannot meet the requirements, run the dba-profile add command to add a DBA profile.
Set the DBA profile ID to 20, type to type1, and fixed bandwidth to 30 Mbit/s.

huawei(config)#dba-profile add profile-id 20 type1 fix 30720 bandwidth_compensate yes

b. Configure an ONU line profile.
Set the line profile ID to 20 and the DBA profile ID bound to LLID to 20. Disable forward error correction (FEC) and traffic limitation.

NOTE
a. (Optional) Run the fec enable command to enable FEC. FEC improves transmission reliability between the OLT and ONU.
b. (Optional) Run the llid ont-car command to limit ONU's upstream traffic.
Both functions are disabled by default.

huawei(config)#ont-lineprofile epon profile-id 20
huawei(config-epon-lineprofile-20)#llid dba-profile-id 20

After the configurations are complete, run the commit command to make the configured parameters take effect.

huawei(config-epon-lineprofile-20)#commit
huawei(config-epon-lineprofile-20)#quit

2. Add an MA5612 on the OLT.
Connect an MA5612 to the EPON port of the OLT by using optical fibers. Services can be configured only after an MA5612 is successfully added on the OLT.
Connect the MA5612 to EPON port 0/6/1 through an optical splitter. Set ONT ID to 1, use the MAC address authentication mode, set the MAC address to 0018-82D6D178, set the management mode to SNMP, and bind line profile 20 to the ONU.
An ONU can be added in two modes. Select either mode as required.
– Offline mode: If an ONU's password or MAC address is obtained, run the ont add command to add an ONU offline.
– Auto discovery mode: If an ONU's password or MAC address is unknown, run the port ont-auto-find command in the EPON mode to enable the ONU auto discovery function of the EPON port. Then, run the ont confirm command to confirm the ONU after it is auto discovered.

Run the following commands to add an MA5612 in offline mode:

huawei(config)#interface epon 0/6
huawei(config-if-epon-0/6)#ont add 1 1 mac-auth 0018-82D6-D178 snmp ont-lineprofile-id 20 desc MA5612_0/6/1/1_lineprofile20

Run the following commands to add an MA5612 in auto discovery mode:

huawei(config)#interface epon 0/6
huawei(config-if-epon-0/6)#port 1 ont-auto-find enable

huawei(config-if-epon-0/6)#display ont autofind 1
//After this command is executed, the information about all ONUs connected to the EPON port through optical splitters is displayed.
------------------------------------------------------------------------
Number              : 1
F/S/P               : 0/6/1
Ont Mac             : 0018-82D6D178
Password            : 00000000000000000000000000000000
VenderID            : HWTC
Ontmodel            : MA5612
Ont SoftwareVersion : V800R308C00
OntHardwareVersion  : MA5612
Ont autofind time   : 2010-03-20 10:20:45
------------------------------------------------------------------------
huawei(config-if-epon-0/6)#ont confirm 1 ontid 1 mac-auth 0018-82D6-D178 snmp ont-lineprofile-id 20 desc MA5612_0/6/1/1_lineprofile20

NOTE
If multiple MA5612s bound to the same line profile are connected to the same port, you can bulk add MA5612s by bulk confirming auto discovered MA5612s to make configuration easier and more efficient. For example, the preceding command can be modified as follows:
huawei(config-if-epon-0/6)#ont confirm 1 all mac-auth snmp ont-lineprofile-id 20 desc MA5612_0/6/1_lineprofile20

3. Confirm that the MA5612 goes online normally.
After adding an MA5612, run the display ont info command to query the current status of the MA5612. Ensure that Control flag of the MA5612 is active, Run State is online, Config state is normal, and Match state is match.

huawei(config-if-epon-0/6)#display ont info 1 1
---------------------------------------------------------------------
F/S/P        : 0/6/1
ONT-ID       : 1
Control flag : active //Indicates that the ONU is activated.
Run state    : online //Indicates that the ONU goes online successfully.
Config state : normal //Indicates that the ONU configuration recovery is in the normal state.
Match state  : match //Indicates that the capability profile bound to the ONU is consistent with the actual capabilities of the ONU.
...//The rest of the response information is not provided here.

When Config state is failed, Run state is offline, or Match state is mismatch, refer to the following suggestions to rectify the fault.
– If Control flag is deactive, run the ont active command in the GPON port mode to activate the ONU.

– If Run state is offline, a physical line break may occur or the optical module may be damaged. Check the line and the optical module hardware.
– If Config state is failed, run the display ont failed-configuration command in the diagnosis mode to check the failed configuration item and the failure cause. Rectify the fault accordingly.
– If Match state is mismatch, run the display ont capability command to query the actual capabilities of the ONU, and select either of the following methods to modify the ONU configuration:
  – Create a proper ONU profile based on the actual capabilities of the ONU, and run the ont modify command to modify the configuration data of the ONU.
  – Modify the ONU profile based on the actual capabilities of the ONU and save the modification. The ONU will automatically recover the configuration.

4. Configure the management channel from the OLT to the MA5612.
To telnet to the MA5612 from the OLT and configure the MA5612, you need to configure the inband management VLANs and IP addresses of the OLT and the MA5612 on the OLT.

a. Configure the inband management VLAN and IP address of the OLT.
Create management VLAN 8, add the upstream port to VLAN 8, and set the inband management IP address to 192.168.50.1/24.

huawei(config-if-epon-0/6)#quit
huawei(config)#vlan 8 smart
huawei(config)#port vlan 8 0/17 0
huawei(config)#interface vlanif 8
huawei(config-if-vlanif8)#ip address 192.168.50.1 24
huawei(config-if-vlanif8)#quit

b. Configure the inband management VLAN and IP address of the MA5612.
Set 192.168.50.2/24 as the static IP address of the MA5612 and VLAN 8 (the same as that of the OLT) as the management VLAN of the MA5612.

huawei(config)#interface epon 0/6
huawei(config-if-epon-0/6)#ont ipconfig 1 1 ip-address 192.168.50.2 mask 255.255.255.0 manage-vlan 8

c. Configure an inband management service port.
Configure the management service port index to 0, management VLAN ID to 8, GEM port ID to 0, and customer VLAN (C-VLAN) ID to 8. The OLT does not limit the rate of the inband management service port. Therefore, use default traffic profile 6. To limit the rate of a service port, run the traffic table ip command to create a traffic profile and then bind the traffic profile to the service port.

huawei(config-if-epon-0/6)#quit
huawei(config)#service-port vlan 8 epon 0/6/1 ont 1 multi-service user-vlan 8 inbound traffic-table index 6 outbound traffic-table index 6

5. Confirm that the management channel between the OLT and the MA5612 is available.
– On the OLT, run the ping 192.168.50.2 command to check the connectivity with the MA5612. The ICMP ECHO-REPLY message should be received from the MA5612.
– Run the telnet 192.168.50.2 command to telnet to the MA5612. The MA5612 can be configured from the OLT.

6. Configure a loopback interface.

100)#return Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. l If the MA5600T is not directly connected to the PTN. huawei(config)#mpls huawei(config-mpls)#lsp-trigger host the host to set up an LSP.3.0.0.3 Enable MPLS and Layer 2 virtual private network (VPN) globally.3 0.0 huawei(config-ospf-1-area-0.0.0. In this case.3. huawei(config)#mpls vlan 500 Set the IP address of VLAN interface 500 to 10. 372 . Ltd.0. Then.0. RIP routes. PWE3 has no special requirement for routing policies.0.0.3.3 32 huawei(config-if-loopback0)#quit 7. huawei(config)#mpls ldp huawei(config-mpls-ldp)#quit NOTE l Only one session is allowed between two LSRs.0. Local LDP sessions have higher priority over remote LDP sessions. Enable basic MPLS functions..0 0. Set the MPLS LSR ID.0. Configure a route. huawei(config-mpls)#quit huawei(config)#mpls l2vpn //Triggers LDP by the IP address of Enable LDP globally. run the remote-ipip-addr command to set the remote LSR ID. huawei(config)#vlan 500 smart Enable MPLS for VLAN 500. Set the OSPF process ID to 100 and OSPF area ID to 1. an OSPF dynamic route is recommended. Add VLAN 500 for MPLS forwarding. Set the IP address of loopback interface 0 as the LSR ID. and OSPF routes.3/32. only LDP needs to be enabled. To simplify configuration.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 7 Configuring MPLS and PWE3 Set the ID of the loopback interface to 0 and its IP address to 3. huawei(config)#mpls lsr-id 3. a local LDP session is automatically set up.0.0.0.0. Configure a VLAN and enable MPLS for the VLAN and VLAN interface.3. PWE3 supports static routes. huawei(config)#ospf 1 huawei(config-ospf-1)#area 100 huawei(config-ospf-1-area-0.10/24 and enable MPLS LDP for the VLAN interface. after enabling LDP.100)#network 10. When LDP is enabled.3. 
run the mpls ldp remote-peer command to create a remote LDP peer and enter the remote peer mode.10 24 huawei(config-if-vlanif500)#mpls huawei(config-if-vlanif500)#mpls ldp huawei(config-if-vlanif500)#quit 9. huawei(config)#interface vlanif 500 huawei(config-if-vlanif500)#ip address 10.3.0.3.100)#network 3.0. Configure the interface (loopback interface) that runs OSPF and configure the area of the interface. Because OSPF supports MPLS RSVP-TE extension. huawei(config)#interface loopback 0 huawei(config-if-loopback0)#ip address 3. 8.255 huawei(config-ospf-1-area-0. assume that the MA5600T is directly connected to the packet transport network (PTN).3.

10. Create an EPON service port.
Set the service port ID to 1, S-VLAN ID to 500, ONU ID to 1, and C-VLAN ID to 500. The C-VLAN must be the same as the upstream VLAN of the MA5612. The MA5612 limits upstream and downstream traffic but the OLT does not. Therefore, use default traffic profile 6. To limit the rate of a service port, run the traffic table ip command to create a traffic profile and then bind the traffic profile to this service port.

huawei(config)#service-port 1 vlan 500 epon 0/6/1 ont 1 multi-service user-vlan 500 inbound traffic-table index 6 outbound traffic-table index 6

11. Configure the attributes of the T1 port on the EDTB board.
The attributes of the T1 port must be the same as those of the peer T1 port.
– Set the board working mode to SAToP and port working mode to T1.
huawei(config)#interface edt 0/9
huawei(config-edt-0/9)#board workmode satop
Success: Set the board workmode success
huawei(config-edt-0/9)#tdm access-mode t1
– (Optional) Configure port impedance. A T1 port supports only 100 ohm impedance by default.
huawei(config-edt-0/9)#impendance 100
– (Optional) Configure the port line code. The default line code of a T1 port is B8ZS.
huawei(config-edt-0/9)#line-code 0 B8ZS
huawei(config-edt-0/9)#quit

12. Configure PW parameters.
a. Create PW 3 and enter the PW parameter mode.
huawei(config)#pw-para 3
b. Configure the loopback interface IP address of the remote PTN device. Set the loopback interface IP address to 5.5.5.5.
huawei(config-pw-para-3)#peer-address 5.5.5.5
c. Set the PW type to TDM CESoP.
huawei(config-pw-para-3)#pw-type tdm cesopsn
d. Set the PW load time. Set the load time to 125 μs and the number of timeslots to 24.
huawei(config-pw-para-3)#tdm-load-time cesopsn loadtime 125 timeslotnum 24
e. (Optional) Enable RTP. By default, RTP is disabled. When RTP is enabled, the TDM PW packets will carry an RTP control header.
NOTE
The RTP configuration must be the same as that on the PTN.
huawei(config-pw-para-3)#rtp enable
f. (Optional) Set a jitter buffer size. The jitter buffer can effectively prevent jitter and latency. Only PWs of the TDM type support jitter buffer settings. The default jitter buffer size is 2000 μs. In this example, the jitter buffer size is set to 2500 μs.
NOTE
The jitter buffer size ranges from 500 μs to 32000 μs and must be an integer multiple of 125. Set this value based on specific requirements.
huawei(config-pw-para-3)#jitter-buffer buffer-size 2500

g. Configure the PW to support the control word.
huawei(config-pw-para-3)#control-word
h. Enable VCCV.
huawei(config-pw-para-3)#vccv cc cw alert ttl cv lsp-ping
huawei(config-pw-para-3)#quit

13. Configure a TDM connection.
Configure a TDM connection on T1 port 0/9 of the EDTB board.
huawei(config)#tdm-connect connectid 2 tdm pwe3-uplink 0/9 t1 0/9/0

14. Bind the TDM connection to the PW to create the PW service of the TDM type.
Bind TDM connection 2 to PW 3.
huawei(config)#pw-ac-binding tdm 2 pw 3

15. Confirm that the PW is in the normal state.
On the OLT, run the display pw or display pw-ac-binding command to query the PW status. Ensure that PW STATE is up.
huawei(config)#display pw-ac-binding tdm 3
Total : 1 (Up/Down : 1/0 Static/LDP : 0/1)
---------------------------------------------------------------------------
TDM   PW    PW      PROTO   RECEIVE   TRNS    PW
ID    ID    STATE   TYPE    LABEL     LABEL   INDEX
---------------------------------------------------------------------------
2     3     up      LDP     --        --      3
---------------------------------------------------------------------------
Note : F--Frame, S--Slot, P-Port *: Secondary

16. Configure clock synchronization on the T1 port.
Set the line clock as the Tx clock of the EDTB T1 port. This means to obtain clock signals from T1 line.
huawei(config)#interface edt 0/9
huawei(config-edt-0/9)#clock-work 0 line
huawei(config-edt-0/9)#quit

17. Save the data.
huawei(config)#save

• Configure the MA5612.

NOTE
Because the management VLAN and the management IP address have been configured, run the telnet 192.168.50.2 command on the OLT to log in to the MA5612 and perform configuration. You can also log in to the MA5612 through a serial port and perform configuration.

1. Configure the IP address of the loopback interface.
Set the IP address of loopback interface 0 to 5.5.5.5/32.
huawei(config)#interface loopback 0
huawei(config-if-loopback0)#ip address 5.5.5.5 32
huawei(config-if-loopback0)#quit

5. 375 .5 huawei(config)#mpls huawei(config-mpls)#quit huawei(config)#mpls l2vpn huawei(config)#mpls ldp huawei(config-mpls-ldp)#quit 3. Because OSPF supports MPLS RSVP-TE extension. Set the PW load time. huawei(config-pw-para-5)#peer-address 3.10 24 huawei(config-if-vlanif500)#mpls huawei(config-if-vlanif500)#mpls ldp huawei(config-if-vlanif500)#quit 4. huawei(config)#pw-para 5 b.1. and enable MPLS LDP and Layer 2 VPN globally.0. huawei(config-pw-para-5)#pw-type tdm cesopsn d. the TDM PW packets will carry an RTP control header. NOTE The RTP configuration must be the same as that on the PTN.3. Set the PW type to TDM CESoP.5.0.0. Ltd.200)#network 5. a. Configure the loopback interface IP address of the remote PTN device.0.200)#return 5. Configure PW parameters. RIP routes. By default.5 0. When RTP is enabled. RTP is disabled. Add VLAN 500 for forwarding MPLS packets and add an upstream port to it.3. huawei(config)#ospf 2 huawei(config-ospf-2)#area 200 huawei(config-ospf-2-area-0. and OSPF routes.0.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 2. PWE3 supports static routes.5.0.10/24 and enable MPLS LDP for the interface.3. Set the loopback interface IP address to 3. Configure a VLAN and enable MPLS for the VLAN and VLAN interface.0 0.3.0. Set the OSPF process ID to 200 and OSPF area ID to 2.0.0.5.3. Set the load time to 125 μs and the number of timeslots to 24.0 huawei(config-ospf-2-area-0. huawei(config-pw-para-5)#tdm-load-time cesopsn loadtime 125 timeslotnum 24 e. huawei(config)#vlan 500 smart huawei(config)#port vlan 500 0/0/0 Enable MPLS for VLAN 500. 7 Configuring MPLS and PWE3 Configure the MPLS LSR ID.255 huawei(config-ospf-2-area-0. huawei(config)#mpls lsr-id 5. Configure a route.0. huawei(config)#interface vlanif 500 huawei(config-if-vlanif500)#ip address 10.1. huawei(config)#mpls vlan 500 Set the Layer 3 IP address of VLAN 500 to 10.200)#network 10.0. an OSPF dynamic route is recommended.1. 
huawei(config-pw-para-5)#rtp enable Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. PWE3 has no special requirement for routing policies.0.0.. Create PW 5 and enter the PW parameter mode.3 c. Configure the interface (loopback interface) that runs OSPF and configure the area of the interface. (Optional) Enable RTP.

f. (Optional) Set a jitter buffer size. The jitter buffer can effectively prevent jitter and latency. Only PWs of the TDM type support jitter buffer settings. The default jitter buffer size is 2000 μs. In this example, the jitter buffer size is set to 2500 μs.
NOTE
The jitter buffer size ranges from 500 μs to 32000 μs and must be an integer multiple of 125. Set this value based on specific requirements.
huawei(config-pw-para-5)#jitter-buffer buffer-size 2500
g. Configure the PW to support the control word.
huawei(config-pw-para-5)#control-word
h. Enable VCCV.
huawei(config-pw-para-5)#vccv cc cw alert ttl cv lsp-ping
huawei(config-pw-para-5)#quit

6. Configure clock synchronization.
Configure the MA5612 T1 port to restore clock from TDM PWE3 service packets and use it as the Tx clock of the T1 port.
huawei(config)#interface tdm 0/1
huawei(config-if-tdm-0/1)#adapt-clock-source 0 5 //Configure adaptive clock source 0, recovered from PW 5.
huawei(config-if-tdm-0/1)#port 0 sdt acm 0 esf enable //Configure TDM port 0 to work in the SDT mode, use the adaptive clock as the Tx clock of the port, and enable ESF.
huawei(config-if-tdm-0/1)#tdm access-mode t1 //Configure the board access mode to T1.
huawei(config-if-tdm-0/1)#quit

7. Configure the TDM service port and create TDM VCL 10.
huawei(config)#tdm-vcl tdm-vcl-id 10 cesop 0/1/0 timeslot 0xfffffffe //On port 0/1/0, set TDM VCL ID to 10, TDM VCL service type to CESoP, and timeslot to 0xfffffffe.

8. Dynamically bind the TDM to the PW.
Use MPLS over MPLS dynamic encapsulation mode and set TDM VPN ID to 10 and PW ID to 3.
huawei(config)#pw-ac-binding tdm 10 pw 5

9. Confirm that the PW is in the normal state.
On the CBU (MA5612), run the display pw or display pw-ac-binding command to query the PW status. Ensure that PW STATE is up.
huawei(config)#display pw-ac-binding tdm 10
{ <cr>| secondary<K> }:
Command: display pw-ac-binding tdm 10
Total : 1 (Up/Down : 1/0 Static/LDP : 0/1)
---------------------------------------------------------------------------
TDM   PW    PW      PROTO   RECEIVE   TRNS    TEMPLATE
ID    ID    STATE   TYPE    LABEL     LABEL   NAME
---------------------------------------------------------------------------
10    5     up      LDP     -----

3..0.255.168.255 return service-port 1 vlan 500 epon 0/6/1 ont 1 multi-service user-vlan 500 inbound traffic-table index 6 outbound traffic-table index 6 interface edt 0/9 board workmode satop Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co. and the operation method for end users is not changed.1 24 quit dba-profile add profile-id 20 type1 fix 30720 ont-lineprofile epon profile-id 20 llid dba-profile-id 20 commit quit interface epon 0/6 port 1 ont-auto-find enable ont confirm 1 ontid 1 mac-auth 0018-82D6-D178 snmp ont-lineprofile-id 20 desc MA5612_0/6/1/1_lineprofile20 ont ipconfig 1 1 ip-address 192.3.0 manage-vlan 8 quit service-port 0 vlan 8 epon 0/6/1 ont 1 multi-service user-vlan 8 interface loopback 0 ip address 3. Save the data.0.3 mpls lsp-trigger host quit mpls l2vpn mpls ldp quit vlan 500 smart mpls vlan 500 interface vlanif 500 ip address 10.50.0 network 10. Configuration File Configure the OLT.0.3. vlan 8 smart port vlan 8 0/17 0 interface vlanif 8 ip address 192.0. Ltd.3.3 32 quit mpls lsr-id 3. S--Slot. huawei(config)#save ----End Result After a network is restructured.0 0. P-Port *: Secondary 10.0.168.50.3. bit error ratio and latency over a long period meet application requirements. 377 .SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 7 Configuring MPLS and PWE3 5 --------------------------------------------------------------------------Note : F--Frame.0.3.10 24 mpls mpls ldp quit ospf 1 area 100 network 3. the T1 private line service or ISDN PRI PBX service runs normally.2 mask 255.0.0.3 0.255.

10 24 mpls quit mpls l2vpn mpls ldp quit ospf 2 area 200 network 10.255 network 5.3 pw-type tdm cesopsn tdm-load-time cesopsn loadtime 125 timeslotnum 24 rtp enable jitter-buffer buffer-size 2500 control-word vccv cc cw alert ttl cv lsp-ping quit interface tdm 0/1 adapt-clock-source 0 3 port 0 sdt acm 0 esf enable tdm access-mode t1 quit tdm-vcl tdm-vcl-id 10 cesop 0/1/0 timeslot 0xfffffffe pw-ac-binding tdm 10 pw 5 save Issue 01 (2012-01-18) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co.0.0.3.5.0 0.5.1.SmartAX MA5600T Multi-service Access Module Commissioning and Configuration Guide 7 Configuring MPLS and PWE3 tdm access-mode t1 impendance 100 line-code 0 B8ZS quit pw-para 3 peer-address 5.5. Ltd. 378 .0.1..5.5 pw-type tdm cesopsn tdm-load-time cesopsn loadtime 125 timeslotnum 24 rtp enable jitter-buffer buffer-size 2500 control-word vccv cc cw alert ttl cv lsp-ping quit tdm-connect connectid 2 tdm pwe3-uplink 0/9 t1 0/9/0 pw-ac-binding tdm 2 pw 3 interface edt 0/9 clock-work 0 line quit save Configure the MA5612.5.0.3.0 return pw-para 5 peer-address 3.0.0. interface loopback 0 ip address 5.5.5 0.5 32 quit vlan 500 smart port vlan 500 0/0/0 mpls vlan 500 interface vlanif 500 ip address 10.

8 Configuring Network Protection

About This Chapter
The MA5600T provides a powerful redundancy backup mechanism. In this way, when an exception
occurs, the stability of the services and customer network provided by the carrier can be
optimally ensured and the loss is reduced to the minimum.

Background Information
In the carrier-class operation, to ensure that the system works normally in case of an accident
or disaster, generally, redundancy (backup) devices or parts are added to increase the reliability
of the entire system. The redundancy or backup implements the high reliability and self-healing
capability of the system.

8.1 Configuring the NE Subtending Through the FE or GE Port
The MA5600Ts (NEs) can be directly connected to each other through the FE or GE port.
Subtending saves the upstream optical fibers and simplifies networking and service configuration.

8.2 Configuring the Uplink Redundancy Backup
This topic describes how to configure the link aggregation group or uplink protection group to
improve the reliability of service transmission.

8.3 Configuring the Smart Link Redundancy Backup
The smart link is a solution that is applied in the network with dual uplinks and provides reliable
and efficient backup and quick switching for the dual uplinks. The solution provides high
reliability for carriers' network.

8.4 Configuring the MPLS Service Board Redundancy Backup
This topic describes how to configure 1+1 redundancy backup for the MPLS service board. In
this way, when the MPLS service board is faulty, the service is not affected.

8.5 Configuring GPON Type B Protection
Type B protection is to configure 1+1 redundancy backup of different GPON ports on
MA5600T. In this way, when a GPON port is faulty, automatic switching is performed and the
services are not affected.

8.6 Configuring EPON Type B Protection
This topic describes how to configure 1+1 redundancy backup for the EPON service board. After
1+1 redundancy backup is configured, services will not be affected when the EPON service
board is faulty.

8.7 Configuring the Switchover of the Protect Group
This topic describes how to configure the ARP detection between the MA5600T and the BRAS,
thus implementing the switchover between protect group of upstream ports on the MA5600T to
ensure the normal running of the service.

8.8 Configuring the MSTP
The MA5600T supports the application of the Multiple Spanning Tree Protocol (MSTP),
Spanning Tree Protocol (STP), and Rapid Spanning Tree Protocol (RSTP). The MA5600T
supports the MSTP ring network, which can meet various networking requirements.

8.9 Configuring RRPP
Rapid Ring Protection Protocol (RRPP) is a data link layer protocol specially applied to the
Ethernet ring. When the Ethernet ring is complete, RRPP can prevent broadcast storms caused
by a data loop. When a link on the Ethernet ring is disconnected, RRPP can quickly recover the
communication channels between nodes on the Ethernet ring.

8.10 Configuring the BFD
This topic describes how to configure the BFD on the MA5600T. When the active uplink in the
dual uplinks of the MA5600T is faulty, the service data can be automatically switched to the
protection uplink, thus increasing the network reliability.

8.11 Configuring ETH OAM
In a broad sense, operation, administration, and maintenance (OAM) means a set of methods for
monitoring and diagnosing network faults. The Ethernet OAM feature includes two subfeatures:
Ethernet CFM OAM and Ethernet EFM OAM.

8.1 Configuring the NE Subtending Through the FE or GE Port
The MA5600Ts (NEs) can be directly connected to each other through the FE or GE port.
Subtending saves the upstream optical fibers and simplifies networking and service configuration.

Background Information
l The two ports to be subtended must be the same in the port type, port rate, and port duplex mode.
l GIU board supports to set the network role of each port, so if the GIU board is used for
subtending, the network role of the specified port on the GIU board must be set as "cascade".
l ETHB board supports to set the network role of the port based only on whole board, so if the
ETHB board is used for subtending, the network role of the all ports on the ETHB board must be
set as "cascade".
By default, the port of ETHB board functions as a cascade port, while the port of GIU board
functions as an upstream port.

Procedure
Step 1 Configure the VLAN of the master NE.
The VLAN type is smart, and the VLAN attribute is common. For details about the
configuration, see 2.6 Configuring a VLAN.
Step 2 Add an upstream port to the VLAN of the master NE.
Run the port vlan command to add an upstream port to the VLAN.
Step 3 Add a subtending port to the VLAN of the master NE.
Run the port vlan command to add a subtending port to the VLAN.
Step 4 Set the network role of the subtending port of the master NE.
1. Run the interface eth command or interface giu command to enter the ETH mode or GIU mode.
2. Run the network-role command to set the network role of the port to subtending.
Step 5 Configure the VLAN of the slave NE.
The VLAN of the slave NE is the same as the VLAN of the master NE. The VLAN type is smart,
and the VLAN attribute is common. For details about the configuration, see 2.6 Configuring a
VLAN.
Step 6 Add an upstream port to the VLAN of the slave NE.
Run the port vlan command to add an upstream port to the VLAN.
----End

Example
Assume that master NE huawei_A and slave NE huawei_B are subtended through the GIU board.
To add upstream port 0/17/0 and subtending port 0/17/1 of huawei_A to VLAN 100, and add
upstream port 0/17/0 of huawei_B to VLAN 100, do as follows:
huawei_A(config)#vlan 100 smart
huawei_A(config)#port vlan 100 0/17 0
huawei_A(config)#port vlan 100 0/17 1
huawei_A(config)#interface giu 0/17
huawei_A(config-if-giu-0/17)#network-role 1 cascade
huawei_B(config)#vlan 100 smart
huawei_B(config)#port vlan 100 0/17 0

Assume that master NE huawei_A and slave NE huawei_B are subtended through the ETHB board.
To add upstream port 0/17/0 and subtending port 0/4/0 of huawei_A to VLAN 100, and add
upstream port 0/17/0 of huawei_B to VLAN 100, do as follows:
huawei_A(config)#vlan 100 smart
huawei_A(config)#port vlan 100 0/17 0
huawei_A(config)#port vlan 100 0/4 0
huawei_A(config)#interface eth 0/4
huawei_A(config-if-eth-0/4)#network-role cascade
huawei_A(config-if-eth-0/4)#quit
huawei_B(config)#vlan 100 smart
huawei_B(config)#port vlan 100 0/17 0

8.2 Configuring the Uplink Redundancy Backup
This topic describes how to configure the link aggregation group or uplink protection group to
improve the reliability of service transmission.

Background Information
Uplink redundancy backup includes two aspects:
l Link aggregation group: Multiple Ethernet ports are aggregated as an aggregation group to
increase the bandwidth and share the incoming/outgoing load of each member port. At the same
time, the ports in an aggregation group back up each other, which increases the link security.
NOTE
l An aggregation group can implement inter-board aggregation between two GIU slots.
l An aggregation group can implement inter-board aggregation between two SPUA boards.
l When only one control board is configured, inter-board aggregation is supported between the
SCUN board and the GIU slot.
l Upstream port protection group: An upstream port protection group contains a working port
and a protection group. In the normal state, the working port carries services. When the link of
the working port fails, the system automatically switches the service on the working port to the
protect port to ensure normal service transmission and to protect the uplink.


NOTE

A protection group works in either of the following modes:
1. Port status detection mode.
l Two ports of the protection group or the transmit ports on two boards are enabled. You can
determine whether to perform a switchover according to the port status.
l When the number of ports that are in the up state on the standby board is larger than the number
of ports that are in the up state on the active board, a switchover is triggered.
2. Time delay detection mode.
l Only one transmit port of the protection group is enabled, and the other is disabled.
l When the enabled transmit port is in the down state, disable the transmit port and enable the other
transmit port.
l If the second port is in the up state, a switchover is performed. Otherwise, the detection continues.

Procedure
l Configure redundancy backup for the uplink by configuring an aggregation group.
1. Create an Ethernet port aggregation group.
Run the link-aggregation command to add multiple upstream Ethernet ports to the
same aggregation group to implement protection and load balancing between ports.
When configuring port aggregation, note that the SCU board does not support inter-board
aggregation. When you run the link-aggregation command, if frameid/slotid
is entered twice, inter-board aggregation is configured; if frameid/slotid is entered
only once, intra-board aggregation is configured.
2. (Optional) Add members to the aggregation group.
Run the link-aggregation add-member command to add an Ethernet port to an
existing aggregation port to increase the bandwidth of the aggregation port and
improve the link reliability.
NOTE
This step is optional and is recommended if you need to further increase the bandwidth of an
aggregation group or improve the link reliability.
3. Query the information about the aggregation group.
Run the display link-aggregation command to query the types, number, and working
modes of aggregated Ethernet ports.

l Configure redundancy backup for the uplink by configuring an upstream port protection
group.
1. Create an upstream port protection group.
In the protect mode, run the protect-group command to create an upstream port
protection group. After the protection group is configured successfully, the system
switches the service over to the standby port to protect the uplink if the connection
between the active port and the upper-layer device is broken.
When running the protect-group command to create a protection group, if
frameid/slotid/portid is entered, a port-level protection group is created; if frameid/slotid
is entered, a board-level protection group is created.

NOTE

1. When working in the load balancing mode, the SCUN board supports the board-level protection
of the control board.
2. When supporting the board-level protection of the control board, the SCUB or SCUN board can
work in only the port status detection mode.

2. Query the information about the protection group.
Run the display protect-group command to query the information about the
protection group and all the members in the protection group.

----End

Example
Assume the following configurations: The MA5600T transmits services upstream through the
GIU board, upstream ports 0/17/0 and 0/17/1 on the same GIU board are configured as an
upstream port aggregation group, packets are distributed to the member ports of the aggregation
group according to the source MAC address, and the working mode is the LACP static
aggregation mode. To perform these configurations, do as follows:
huawei(config)#link-aggregation 0/17 0-1 ingress workmode lacp-static

Assume the following configurations: The MA5600T transmits services upstream through the
GIU board, upstream ports 0/17/0 and 0/18/0 on the same GIU board are configured as an inter-board aggregation group, packets are distributed to the member ports of the aggregation group
according to the source MAC address and destination MAC address, and the working mode is
the LACP static aggregation mode. To perform these configurations, do as follows:
huawei(config)#link-aggregation 0/17 0 0/18 0 egress-ingress workmode lacp-static

Assume the following configurations: The MA5600T transmits services upstream through the
GIU board, upstream ports 0/17/0 and 0/17/1 on the same GIU board are configured as an
upstream port protection group, port 0/17/0 functions as the active port, port 0/17/1 functions as
the protection port, the working mode is the delay detection mode, and the protection
group function is enabled. To perform these configurations, do as follows:
huawei(config-protect)#protect-group first 0/17/0 second 0/17/1 eth workmode timedelay enable

When the MA5600T is configured with only one SCUN board, to configure the SCUN board
and the GIU slot as an inter-board aggregation group, distribute packets to each member port
according to the source MAC address, and configure the working mode to LACP static
aggregation, do as follows:
huawei(config)#link-aggregation 0/9 0-3 0/20 0-1 ingress workmode lacp-static

8.3 Configuring the Smart Link Redundancy Backup
The smart link is a solution that is applied in the network with dual uplinks and provides reliable
and efficient backup and quick switching for the dual uplinks. The solution provides high
reliability for carriers' network.

Background Information
Thus, the smart link solution is applied to the access network. With this solution, redundancy
backup for active and standby links and quick switching are implemented for a dual homing
network. This ensures high reliability and quick convergence. Meanwhile, as a supplementary
to the smart link solution, the monitor link solution is introduced to monitor uplinks. This
improves the backup function of the smart link solution.
The smart link and monitor link feature, which is applied to the scenario of a network with dual
uplinks (the network is connected to the upstream IP network through dual uplinks), is related
to the OLT and the upstream network device. The upstream network device such as the router
must support the smart link and monitor link feature.
NOTE

The smart link and monitor link feature is put forth by Huawei. Currently, only Huawei devices support this
technology.

Smart link-related concepts:
l Smart link protection group
A smart link group contains up to two ports, namely one master port and one slave port. In
normal conditions, only one port is in the active state, and the other port is blocked and in
the standby state. When the port in the active state fails, the smart link group automatically
blocks the port, and switches the previously standby port to the active state.

l Master port
The master port, which is also called the work port, is a port role in a smart link group.
When both ports are in the standby state, the master port takes priority to switch to the
active state.

l Slave port
The slave port, which is also called the protection port, is a port role in the smart link group.
When both ports are in the standby state, the master port takes priority to switch to the active
state, and the slave port remains in the standby state.

l Flush packet
After link switching occurs on the smart link group, the original forwarding entry is not
applicable to the network with new topology, and the upstream convergence device needs
to update the MAC and ARP entries. In this case, the smart link group notifies the other
devices in the network of updating the address table through sending the notification packet.
This notification packet is the flush packet.

Monitor link-related concepts:
l Monitor link group
A monitor link group is composed of one uplink and several downlinks.

l Uplink
When the uplink in a monitor link group fails, it indicates that the monitor link group fails.
In this case, the downlinks in the monitor link group will be blocked by force.

l Downlink
When a downlink in a monitor link group fails, it does not affect the uplink or the other
downlinks.

A smart link can work in either the active/standby mode or the load balancing mode. The
differences are as follows:
l In the active/standby mode, both ports are enabled. Only the master port is in the active
state and can forward data. The slave port is blocked and is in the standby state.

l In the load balancing mode, both ports are enabled. If both ports work in the normal state,
the data is forwarded through both ports, implementing load balancing.

Procedure
Step 1 Configure a smart link protection group.
1. Run the protect-group command to create a smart link protection group. The protection
group works in either the active/standby mode or the load balancing mode.
NOTE
l When configuring a smart link protection group, set the protected object to eth-nni-port. Working
modes of other types do not support the smart link feature.
l Keyword smart-link: Indicates the smart-link active and standby mode. In this mode, both members
in the PG are enabled, but only the active member forwards data.
l Keyword smart-link load-balance: Indicates the smart-link load balancing mode. In this mode, both
links are enabled to share load to improve the usage ratio of the line.

2. Run the protect-group member command to add members to a smart link protection
group.
When adding members to the protection group, add a working member, and then add a
protection member.

3. Run the protect-group enable command to enable the smart link protection group.
After a protection group is created, the protection group is in the disabled state by default.
You should enable the protection group to make the configuration take effect.

4. Query the information about the protection group.
Run the display protect-group command to query the information about the protection
group and all the members in the protection group.

Step 2 Configure the flush packet sending mode.
After service switching occurs on a protection group, the original forwarding entry is not
applicable to the new network, and the entire network needs to update the MAC and ARP entries.
In this case, the protection group sends flush packets to other devices to notify them of updating
the MAC and ARP entries.
1. Run the flush send command to configure the flush packet sending parameters of the
protection group, including the control VLAN and the password.
a. If the flush packet sending parameters are not configured, no flush packet is sent when
switching occurs on the protection group.
b. If the protection group is not in the control VLAN, no flush packet is sent.
c. The peer device must support receiving flush packets, and the flush packet receiving
function of the corresponding port must be enabled.

2. Run the display flush receive command to query the port that receives flush packets and
the flush packet receiving parameters.

Step 3 (Optional) Run the load-balance instance command to configure the load balancing parameters
of a protection group.
Load balancing parameters determine that the working member and protection member carry
different STP instances. Because VLANs are mapped to STP instances, the load balancing
parameters in practice determine through which port (working member or protection member)
the packets with different VLAN tags are transmitted.
NOTE

Configure the load balancing parameters only when the specified smart link protection group works in the load
balancing mode.

l This command is used to configure STP instances that are carried by the protection member.
The instances that are unconfigured are carried by the working member.
l The load balancing parameters of a protection group are based on STP instances
pre-configured. You can run the instance vlan command to map VLANs to STP instances.
Step 4 (Optional) Configure a monitor link group.
The monitor link group and the smart link protect group are generally used together for
monitoring the uplink and completing the smart link redundancy.
NOTE

1. Generally, the monitor link group is configured on the upper-layer device (such as a router) that is
interconnected with the OLT, subtended to the smart link protection group.
2. You need to configure the monitor link on the MA5600T for monitoring the uplink of the subtended OLT
only when the MA5600T functions as an upper-layer device interconnecting with the OLT. Otherwise, the
configuration is meaningless.

1. Run the monitor-link group command to create a monitor link group, and enter the monitor
link group mode.
A monitor link group consists of one upstream port and multiple downstream ports. When
the upstream port is faulty, the downstream ports are disabled. Thus, the downstream
devices can detect the link fault and switch the services to a normal link.

2. Run the member port command to add members to a monitor link group.
l The uplink of a monitor link group can be a common Ethernet port, the master port of
a protection group, or the master port of an aggregation group.
l The downlink of a monitor link group can be only a common Ethernet port.

3. Run the display monitor-link group command to query the information about the monitor
link group.

----End

Example
Assume the following configurations: The MA5600T implements dual uplinks through the
GIU board, upstream ports 0/17/0 and 0/17/1 on the GIU board are added as members of smart
link protection group 2, port 0/17/0 functions as the working port, port 0/17/1 functions as the
protection port, the working mode is the load balancing mode, where,
l The STP instance 1 (mapping to VLAN 100-110) is carried by the working member.
l The STP instance 2 (mapping to VLAN 120-130) is carried by the protection member.
l The control VLAN of flush packets is VLAN 10, and the password is abc.

To perform these configurations and enable the protection group function, do as follows:
huawei(config)#stp region-configuration
huawei(stp-region-configuration)#instance 1 vlan 100 to 110
huawei(stp-region-configuration)#instance 2 vlan 120 to 130
huawei(stp-region-configuration)#active region-configuration
STP actives region configuration,it may take several minutes,are you sure to active region configuration? [Y/N][N]y
huawei(stp-region-configuration)#quit
huawei(config)#protect-group 2 protect-target eth-nni-port workmode smart-link load-balance
huawei(config-protect-group-2)#protect-group member port 0/17/0 role work
huawei(config-protect-group-2)#protect-group member port 0/17/1 role protect
huawei(config-protect-group-2)#load-balance instance 2
huawei(config-protect-group-2)#flush send control-vlan 10 password simple abc
huawei(config-protect-group-2)#protect-group enable
huawei(config-protect-group-2)#quit
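
The load balancing example above, modelled in Python as an added example (it is not Huawei code and is not part of the original guide): it maps each VLAN to its STP instance and member port, then fails the working port to show which VLANs move and when a flush packet is sent. The class and function names are hypothetical, and the takeover of a failed member's instances by the surviving member is an assumption.

```python
from dataclasses import dataclass, field


def parse_vlans(spec):
    """Expand '100 to 110' (the 'instance N vlan ...' syntax) to a set of IDs."""
    lo, _, hi = spec.partition(" to ")
    return set(range(int(lo), int(hi or lo) + 1))


@dataclass
class SmartLinkGroup:
    work_port: str
    protect_port: str
    instance_vlans: dict            # STP instance -> set of VLAN IDs
    protect_instances: set          # instances named by 'load-balance instance'
    control_vlan: int = None        # from 'flush send control-vlan'; None = not configured
    up: dict = field(default_factory=dict)
    flushes: list = field(default_factory=list)

    def __post_init__(self):
        # Both member links start in the up state.
        self.up = {self.work_port: True, self.protect_port: True}

    def instance_of(self, vlan):
        for inst, vlans in self.instance_vlans.items():
            if vlan in vlans:
                return inst
        return None                 # VLAN not mapped by this example

    def port_for(self, vlan):
        """Member port that forwards this VLAN, or None if no port can."""
        inst = self.instance_of(vlan)
        if inst is None:
            return None
        if inst in self.protect_instances:
            first, second = self.protect_port, self.work_port
        else:
            first, second = self.work_port, self.protect_port
        # Assumption: the surviving member takes over the failed member's instances.
        for port in (first, second):
            if self.up[port]:
                return port
        return None

    def fail_link(self, port):
        """Mark a member down; return the VLANs that moved to the other member."""
        vlans = sorted(set().union(*self.instance_vlans.values()))
        before = {v: self.port_for(v) for v in vlans}
        self.up[port] = False
        moved = [v for v in vlans
                 if before[v] == port and self.port_for(v) is not None]
        # Per the guide: without flush sending parameters, no flush packet is sent.
        if moved and self.control_vlan is not None:
            self.flushes.append({"control_vlan": self.control_vlan, "from": port})
        return moved


def build_example_group(control_vlan=10):
    """Values from the example above: group 2 on ports 0/17/0 and 0/17/1."""
    return SmartLinkGroup(
        work_port="0/17/0",
        protect_port="0/17/1",
        instance_vlans={1: parse_vlans("100 to 110"), 2: parse_vlans("120 to 130")},
        protect_instances={2},
        control_vlan=control_vlan,
    )


if __name__ == "__main__":
    group = build_example_group()
    print(group.port_for(105), group.port_for(125))
    print(group.fail_link("0/17/0"), group.flushes)
```

Calling build_example_group(control_vlan=None) models a group without flush send: the VLANs still move on failure, but upstream devices are not told to refresh their MAC and ARP entries.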

8.4 Configuring the MPLS Service Board Redundancy Backup
This topic describes how to configure 1+1 redundancy backup for the MPLS service board. In
this way, when the MPLS service board is faulty, the service is not affected.

Context
Only MPLS boards of the same type support redundancy backup.

Procedure
Step 1 Create a protection group.
Run the protect-group command to create a protection group that protects the service
processing board.
l Configure protect-target to service-process-board.
l The working mode of the MPLS service board protection group can be only boardstate.
Step 2 Add members to the protection group.
Run the protect-group member command to add members to a protection group.
l When adding members to the protection group, add a working member, and then add a
protection member.
l Adding a protection group member based on the port is not supported for the MPLS service
board, and only adding a protection group member based on the board is supported.
Step 3 Enable the protection group.
Run the protect-group enable command to enable the protection group. After a protection group
is created, the protection group is in the disabled state by default. You should enable the
protection group to make the configuration take effect.
Step 4 Query the information about the protection group.
Run the display protect-group command to query the information about the protection group
and all the members in the protection group.
----End

Example
To configure redundancy backup for MPLS boards in slots 0/4 and 0/5 of the MA5600T so that
when the service board in slot 0/4 fails, the system can automatically switch the services to the
service board in slot 0/5, do as follows:
huawei(config)#protect-group 1 protect-target service-process-board workmode boardstate
huawei(protect-group-1)#protect-group member board 0/4 role work
huawei(protect-group-1)#protect-group member board 0/5 role protect
huawei(protect-group-1)#protect-group enable

8.5 Configuring GPON Type B Protection
Type B protection is to configure 1+1 redundancy backup of different GPON ports on
MA5600T. In this way, when a GPON port is faulty, automatic switching is performed and the
services are not affected.

Background Information
The GPON port supports redundancy backup on the same board and the redundancy on different
boards. The differences are as follows:
l Port redundancy backup on the same board does not require extra GPON service board,
which saves hardware resources. In case that the GPON service board fails, however, the
services on the entire board are interrupted.

l Port redundancy backup on the different boards requires an independent standby GPON
service board, which increases the hardware cost. In the case that the active GPON service
board fails, however, the services can be automatically switched over to the GPON ports
on the standby board, and the service access is not affected.
NOTE

Only GPON boards of the same type support inter-board redundancy backup.

After Type B protection is configured, service configuration on the ONU is the same as that
before Type B protection is configured. That is, service configuration is applied to the active
GPON port only.
Figure 8-1 shows the Type B protection network topology.
Figure 8-1 Type B protection network topology

Procedure
Step 1 Create a GPON port protection group.
Run the protect-group command to add a protection group that protects the ports on the GPON
access side.
NOTE

1. Configure protect-target to gpon-uni-port.
2. The working mode of the GPON port protection group can be only timedelay.

Step 2 Add members to the protection group.
Run the protect-group member command to add members to a protection group.
NOTE

l When adding members to the protection group, add a working member, and then add a protection member.
l Adding a protection group member based on the board is not supported for the GPON port, and only adding
a protection group member based on the port is supported.
l The member ports can be ports on different GPON boards, but the GPON board types must be the same.

Step 3 Enable the protection group.
Run the protect-group enable command to enable the GPON protection group. After a
protection group is created, the protection group is in the disabled state by default. You should
enable the protection group to make the configuration take effect.
Step 4 Query the information about the protection group.
Run the display protect-group command to query the information about the protection group
and all the members in the protection group.
NOTE

The GPON protection group supports the binding to a PPPoE single-MAC address pool. When the PPPoE single-MAC address function is enabled, run the bind mac-pool single-mac command to bind a GPON protection
group to a PPPoE single-MAC address. If the GPON protection group is not bound to the PPPoE source MAC
address, when the GPON protection group is switched over, the PPPoE service carried on this port is interrupted.
In this case, you must re-dial and determine the service interruption time according to the BRAS configuration.
This may fail to meet the switchover performance requirement that the service interruption time must not exceed
50 ms.

----End

Example
To configure redundancy backup for ports 0/4/0 and 0/4/1 on the same GPON board of the
MA5600T so that when port 0/4/0 is faulty, the system can automatically switch the service to
port 0/4/1 to continue service access, do as follows:
huawei(config)#protect-group 0 protect-target gpon-uni-port workmode timedelay
huawei(protect-group-0)#protect-group member port 0/4/0 role work
huawei(protect-group-0)#protect-group member port 0/4/1 role protect
huawei(protect-group-0)#protect-group enable

To configure inter-board redundancy backup for ports 0/5/1 and 0/6/1 on different GPON boards
of the MA5600T so that when port 0/5/1 is faulty, the system can automatically switch the service
to port 0/6/1 to continue service access, do as follows:
huawei(config)#protect-group 0 protect-target gpon-uni-port workmode timedelay
huawei(protect-group-0)#protect-group member port 0/5/1 role work
huawei(protect-group-0)#protect-group member port 0/6/1 role protect
huawei(protect-group-0)#protect-group enable

8.6 Configuring EPON Type B Protection
This topic describes how to configure 1+1 redundancy backup for the EPON service board. After
1+1 redundancy backup is configured, services will not be affected when the EPON service
board is faulty.

Background Information
The EPON port supports redundancy backup on the same board and redundancy on different
boards. The differences are as follows:
l Port redundancy backup on the same board does not require an extra EPON service board,
which saves hardware resources. If the EPON service board fails, however, services carried
on the entire board will be interrupted.
l Port redundancy backup on different boards requires an independent standby EPON service
board, which increases the hardware cost. In the case that the active EPON service board
fails, however, the services can be automatically switched over to the EPON ports on the
standby board, and the service access will not be affected.
NOTE

Only the same type of EPON boards support inter-board redundancy backup.

Procedure
Step 1 Create an EPON port protect group.
Run the protect-group command to create a protect group that protects the ports on the EPON
access side.
NOTE

1. Configure protect-target to epon-uni-port.
2. The working mode of the EPON port protect group can be only timedelay.

Step 2 Add members to the protect group.
Run the protect-group member command to add members to a protect group.
NOTE

l When adding members to the protect group, add a working member, and then add a protection member.
l Adding a protect group member based on the board is not supported for the EPON port, and only adding a
protect group member based on the port is supported.
l The member ports can be ports on different EPON boards, but the EPON board types must be the same.

Step 3 Enable the protect group.
Run the protect-group enable command to enable the smart link protect group. After a protect
group is created, the protect group is in the disabled state by default. You need to enable the
protect group to make the protect group take effect.
Step 4 Query the information about the protect group.
Run the display protect-group command to query the information about the protect group and
all the members in the protect group.
NOTE

The EPON protect group supports the binding to a PPPoE single-MAC address pool. When the PPPoE single-MAC address function is enabled, run the bind mac-pool single-mac command to bind an EPON protect group
to a PPPoE single-MAC address. If the EPON protect group is not bound to the PPPoE source MAC address,
when the EPON protect group is switched over, the PPPoE service carried on this port is interrupted. In this
case, you must re-dial and determine the service interruption time according to the BRAS configuration. This
may fail to meet the switchover performance requirement that the service interruption time must not exceed 50
ms.

----End
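The four steps above can be checked mechanically before a change is pushed to the device. The following Python sketch is an added example, not Huawei code: it parses a CLI transcript in the format of this page's examples and flags protect groups that break the rules stated in the notes (timedelay only, port-based members, working member first, enable after creation, optional PPPoE single-MAC binding). The transcript, the rule names and the pppoe_single_mac switch are constructed for illustration.

```python
import re

# Constructed transcript in the style of the page's examples. Group 0 follows the
# documented procedure; group 1 breaks three of its rules on purpose.
SAMPLE = """\
huawei(config)#protect-group 0 protect-target epon-uni-port workmode timedelay
huawei(protect-group-0)#protect-group member port 0/5/1 role work
huawei(protect-group-0)#protect-group member port 0/6/1 role protect
huawei(protect-group-0)#protect-group enable
huawei(protect-group-0)#quit
huawei(config)#protect-group 1 protect-target epon-uni-port workmode timedelay
huawei(protect-group-1)#protect-group member port 0/4/0 role protect
huawei(protect-group-1)#protect-group member port 0/4/0 role work
"""

PROMPT = re.compile(r"^[\w.-]+\(([^)]*)\)#\s*(.*)$")
CREATE = re.compile(r"^protect-group (\d+) protect-target (\S+) workmode (\S+)$")
MEMBER = re.compile(r"^protect-group member (port|board) (\S+) role (work|protect)$")
GROUP_MODE = re.compile(r"^protect-group-(\d+)$")

# Rule names are hypothetical labels; the texts paraphrase the notes on this page.
RULES = {
    "workmode": "EPON port protect groups support only workmode timedelay",
    "board-member": "EPON members must be added by port, not by board",
    "missing-member": "group needs one working and one protection member",
    "member-order": "add the working member before the protection member",
    "same-port": "working and protection member are the same port",
    "not-enabled": "group is disabled by default and was never enabled",
    "no-mac-pool": "no PPPoE single-MAC binding; a switchover forces a re-dial",
}


def parse_groups(transcript):
    """Return {group_id: state} built from prompt-prefixed CLI lines."""
    groups = {}
    for raw in transcript.splitlines():
        hit = PROMPT.match(raw.strip())
        if not hit:
            continue  # device output or any line without a prompt
        # Lower-cased so EPON-uni-port and epon-uni-port compare equal.
        mode, cmd = hit.group(1), " ".join(hit.group(2).split()).lower()
        created = CREATE.match(cmd)
        if created:
            groups[int(created.group(1))] = {
                "target": created.group(2), "workmode": created.group(3),
                "members": [], "enabled": False, "mac_pool": False}
            continue
        in_group = GROUP_MODE.match(mode)
        if not in_group or int(in_group.group(1)) not in groups:
            continue
        group = groups[int(in_group.group(1))]
        member = MEMBER.match(cmd)
        if member:
            group["members"].append(member.groups())  # (kind, location, role)
        elif cmd == "protect-group enable":
            group["enabled"] = True
        elif cmd.startswith("bind mac-pool single-mac"):
            # Assumption: entered in protect-group mode; the page names the
            # command but does not show its prompt or arguments.
            group["mac_pool"] = True
    return groups


def audit(groups, pppoe_single_mac=False):
    """Return (group_id, rule) findings ordered by group; RULES holds the text."""
    findings = []
    for gid in sorted(groups):
        g = groups[gid]
        roles = [role for _, _, role in g["members"]]
        work = {loc for _, loc, role in g["members"] if role == "work"}
        protect = {loc for _, loc, role in g["members"] if role == "protect"}
        failed = []
        if g["target"] == "epon-uni-port":
            if g["workmode"] != "timedelay":
                failed.append("workmode")
            if any(kind == "board" for kind, _, _ in g["members"]):
                failed.append("board-member")
        if not work or not protect:
            failed.append("missing-member")
        elif roles.index("protect") < roles.index("work"):
            failed.append("member-order")
        if work & protect:
            failed.append("same-port")
        if not g["enabled"]:
            failed.append("not-enabled")
        if pppoe_single_mac and not g["mac_pool"]:
            failed.append("no-mac-pool")
        findings.extend((gid, rule) for rule in failed)
    return findings


if __name__ == "__main__":
    for gid, rule in audit(parse_groups(SAMPLE), pppoe_single_mac=True):
        print(f"protect-group {gid}: {RULES[rule]}")
```

Pass pppoe_single_mac=True only when the PPPoE single-MAC function is enabled on the device, because the binding is required only in that case.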

Example
To configure redundancy backup for ports 0/4/0 and 0/4/1 on the same EPON board of the
MA5600T so that when port 0/4/0 is faulty, the system can automatically switch the service to
port 0/4/1 to continue service access, do as follows:
huawei(config)#protect-group 0 protect-target epon-uni-port workmode timedelay
huawei(protect-group-0)#protect-group member port 0/4/0 role work

huawei(protect-group-0)#protect-group member port 0/4/1 role protect
huawei(protect-group-0)#protect-group enable

To configure inter-board redundancy backup for ports 0/5/1 and 0/6/1 on different EPON boards
of the MA5600T so that when port 0/5/1 is faulty, the system can automatically switch the service
to port 0/6/1 to continue service access, do as follows:
huawei(config)#protect-group 0 protect-target epon-uni-port workmode timedelay
huawei(protect-group-0)#protect-group member port 0/5/1 role work
huawei(protect-group-0)#protect-group member port 0/6/1 role protect
huawei(protect-group-0)#protect-group enable

8.7 Configuring the Switchover of the Protect Group
This topic describes how to configure the ARP detection between the MA5600T and the BRAS,
thus implementing the switchover between protect group of upstream ports on the MA5600T to
ensure the normal running of the service.

Background Information
Figure 8-2 shows an example network of the dual uplink protect group between the MA5600T and
the BRAS.
Figure 8-2 Example network of the dual uplink protect group between the MA5600T and the BRAS

The MA5600T accesses BRAS1 and BRAS2 through the protect group of upstream ports. When the
active uplink in the dual uplinks of the MA5600T is faulty, the service data can be automatically
switched to the protection uplink. The current uplinks are Link1 and Link2, and Link3 functions
as the protection link. If Link1 is broken and Link2 is normal, although the upstream port of the
MA5600T is in the UP state, the MA5600T can actively trigger a switchover of the upstream port
according to the ARP detection result to ensure the normal running of the service. The protection
switchover module of the MA5600T processes the link status and port status detected through ARP,
both of which jointly determine whether to trigger the SF signal of the port.

NOTE

l The protect group created in the GIU slot or on the ETH board supports ARP detection. Currently, other types of protect groups do not support ARP detection.
l According to the ARP detection feature, no network device that can terminate ARP detection packets should exist between the source end and destination end of ARP detection, that is, the LAN switch in the network cannot terminate the ARP detection packet sent from the MA5600T or the BRAS.
l After ARP detection is enabled, the CPU usage increases because the CPUs of the MA5600T and the BRAS need to process ARP packets, and the CPU usage increases as the frequency for transmitting ARP packets increases. Therefore, you need to configure the interval for transmitting ARP detection packets according to actual conditions.

Procedure
Step 1 Create an ARP detection task.
1. Run the arp-detect command to create an ARP detection task in the VLAN from the upstream port to the peer IP address.
NOTE
The upstream port of the ARP detection task must be added to the VLAN.
2. Configure the interval for transmitting ARP detection packets.
Run the min-tx-interval command to configure the interval for transmitting ARP detection packets. By default, the interval for transmitting ARP detection packets is 1000 ms.
3. Configure the ARP detection timeout multiplier.
Run the detect-multiplier command to configure the ARP detection timeout multiplier. By default, the ARP detection timeout multiplier is 3.
ARP detection timeout time = Transmit interval x Detection multiplier, which is the time for the ARP detection to trigger a switchover. The minimum value is 3s. The detailed value varies according to the CPU load of the MA5600T and the CPU load of the peer device. It should be configured properly according to the application environment.
4. Enable ARP detection.
Run the detect command to enable ARP detection.
Step 2 Configure an upstream port protect group.
1. Create a protect group and configure its members.
a. Run the protect-group command to create a protect group of Ethernet upstream ports, and configure its working mode.
b. Run the protect-group member command to add the working port and protection port to the protect group.
Step 3 Enable the protect group.
Run the protect-group enable command to enable the protect group. After a protect group is created, the protect group is in the disabled state by default. You should enable the protect group to make the configuration take effect.

----End

Example
Assume the following configurations: The MA5600T accesses BRAS1 and BRAS2 through dual uplinks, upstream ports 0/17/0 and 0/17/1 on the GIU board are configured as a protect group that allows ARP detection, port 0/17/0 functions as the working port, port 0/17/1 functions as the protect port, the IP address of BRAS1 for ARP detection is 10.10.10.10, the VLAN for ARP detection is VLAN 10, the expected interval for transmitting ARP detection packets is 60 ms, and the ARP detection timeout multiplier is 5. To perform these configurations so that the system automatically switches to BRAS2 when the ARP detection times out to ensure the normal running of the service, do as follows:
huawei(config)#arp-detect dett bind peer-ip 10.10.10.10 vlan 10 port 0/17/0
huawei(config-arp-detect-dett)#min-tx-interval 60
huawei(config-arp-detect-dett)#detect-multiplier 5
huawei(config-arp-detect-dett)#detect enable
huawei(config-arp-detect-dett)#quit
huawei(config)#protect-group 2 protect-target eth-nni-port workmode timedelay
huawei(protect-group-2)#protect-group member port 0/17/0 role work
huawei(protect-group-2)#protect-group member port 0/17/1 role protect
huawei(protect-group-2)#protect-group enable

8.8 Configuring the MSTP
The MA5600T supports the application of the Multiple Spanning Tree Protocol (MSTP), Spanning Tree Protocol (STP), and Rapid Spanning Tree Protocol (RSTP). The MA5600T supports the MSTP ring network, which can meet various networking requirements.

Background Information
l MSTP applies to a redundant network. It makes up for the drawback of STP and RSTP. MSTP makes the network converge fast and the traffic of different VLANs distributed along their respective paths, which provides a better load-sharing mechanism.
l MSTP trims a loop network into a loop-free tree network. It prevents the proliferation and infinite cycling of the packets in the loop network. In addition, MSTP supports load sharing by VLAN during data transmission.

Procedure
Step 1 Enabling the MSTP function.
l By default, the MSTP function is disabled. After the MSTP function is disabled, the MA5600T becomes a transparent bridge and does not maintain the spanning tree.
l After the MSTP function is enabled, the device determines whether it works in STP compatible mode or MSTP mode based on the configured protocol.
l After the MSTP function is enabled, MSTP maintains dynamically the spanning tree of the VLAN based on the received BPDU packets.
1. Run the stp enable command to enable the MSTP function of the bridge.
2. Run the stp port enable command to enable the MSTP function of the port.
3. Run the display stp command or the display stp port command to query the MSTP state of the bridge or the port.
Step 2 Configuring the MST region name.
By default, the MST region name is the bridge MAC address of the device.
1. Run the stp region-configuration command to enter MST region mode.
2. Run the region-name command to configure the name of the MST region.
Step 3 Configuring the MSTP instance.

The MSTP protocol configures the VLAN mapping table (mapping between the VLAN and the spanning tree), which maps the VLAN to the spanning tree.
l By default, all VLANs are mapped to CIST, that is, instance 0.
l One VLAN can be mapped to only one instance. If you re-map a VLAN to another instance, the original mapping is disabled.
l A maximum of 10 VLAN sections can be configured for an MSTP instance.
NOTE
A VLAN section refers to the consecutive VLAN IDs from the start VLAN ID to the end VLAN ID.
1. Run the stp region-configuration command to switch over to MST region mode.
2. Run the instance vlan command to map the specified VLAN to the specified MSTP instance.
3. Run the check region-configuration command to query the parameters of the current MST region.
Step 4 Activating the configuration of the MST region.
1. Run the stp region-configuration command to switch over to MST region mode.
2. Run the active region-configuration command to activate the configuration of the MST region.
3. Run the display stp region-configuration command to query the effective configuration of the MST region.
Step 5 Setting the priority of the device in the specified spanning tree instance.
1. Run the stp priority command to set the priority of the device in the specified spanning tree instance.
2. Run the display stp command to query the MSTP configuration of the device.
Step 6 Other optional configurations.
l Setting the MST region parameters.
– Run the stp md5-key command to set the MD5-Key for the MD5 encryption algorithm configured on the MST region.
– In the MSTP region mode, run the vlan-mapping module command to map all VLANs to the MSTP instances by modular arithmetic.
– In the MSTP region mode, run the revision-level command to set the MSTP revision level of the device.
– Run the reset stp region-configuration command to restore the default settings to all parameters of the MST region.
l Specifying the device as a root bridge or a backup root bridge.
– Run the stp root command to specify the device as a root bridge or a backup root bridge.
l Setting the time parameters of the specified network bridge.
– Run the stp timer forward-delay command to set the Forward Delay of the specified network bridge.
– Run the stp timer hello command to set the Hello Time of the specified network bridge.
– Run the stp timer max-age command to set the Max Age of the specified network bridge.
– Run the stp time-factor command to set the timeout time factor of the specified network bridge.

l Setting the parameters of the specified port.
– Run the stp port transmit-limit command to set the number of packets transmitted by the port within the Hello Time.
– Run the stp port edged-port enable command to set the port as an edge port.
– Run the stp port cost command to set the path cost of a specified port.
– Run the stp port port-priority command to set the priority of the specified port.
– Run the stp port point-to-point command to set whether the link that is connected to the port is a point-to-point link.
l Configuring the device protection function.
– Run the stp bpdu-protection enable command to enable the BPDU protection function of the device.
– Run the stp port loop-protection enable command to enable the loop protection function of the port.
– Run the stp port root-protection enable command to enable the root protection function of the port.
l Setting the maximum number of hops of the MST region.
– Run the stp max-hops command to set the maximum number of hops of the MST region.
l Setting the diameter of the switching fabric.
– Run the stp bridge-diameter command to set the diameter of the switching fabric.
l Setting the calculation standard for the path cost.
– Run the stp pathcost-standard command to set the calculation standard for the path cost.
l Clear the MSTP protocol statistics.
– Run the reset stp statistics command to clear the MSTP protocol statistics.

----End

Example
Configure the MSTP parameters as follows:
l Enable the MSTP function.
l Enable the MSTP function on port 0/17/0.
l Set the MSTP running mode to MSTP compatible mode.
l Configure MST region parameters:
– Configure the MD5-Key for the MD5 encryption algorithm to 0x11ed224466.
– Configure the MST region name to huawei-mstp-bridge.
– Map VLAN2-VLAN10 and VLAN12-VLAN16 to MSTP instance 3.
– Map all the VLANs to the specified MSTP instances.
– Configure the MSTP revision level of the device to 100.
l Activate the configuration of the MST region manually.
l Configure the priority of the device in spanning tree instance 2 to 4096.
l Configure the current device as the root bridge of MSTP instance 2.
l Configure the maximum hops for the MST region to 10.

l Configure the diameter of the switching network to 6.
l Configure the calculation standard for the path cost to IEEE 802.1t.
l Configure the time parameters of a specified bridge:
– Configure the forward delay to 2000 centiseconds.
– Configure the hello time to 1000 centiseconds.
– Configure the max age to 3000 centiseconds.
– Configure the timeout time factor to 6.
l Configure the parameters of a specified port:
– Configure the maximum number of packets transmitted in a hello time period to 16.
– Configure port 0/17/0 to be an edge port.
– Configure the path cost of the port in a specified spanning tree instance to 1024.
– Configure the priority of the port to 64.
– The link connected to port 0/17/0 is a point-to-point link.
l Enable the BPDU protection function on the device.
huawei(config)#stp enable
 Change global stp state may active region configuration,it may take several minutes,are you sure to change global stp state? [Y/N][N]y
huawei(config)#stp port 0/17/0 enable
huawei(config)#stp mode mstp
huawei(config)#stp md5-key 11ed224466
huawei(config)#stp region-configuration
huawei(stp-region-configuration)#region-name huawei-mstp-bridge
huawei(stp-region-configuration)#instance 3 vlan 2 to 10 12 to 16
huawei(stp-region-configuration)#vlan-mapping module 16
huawei(stp-region-configuration)#revision-level 100
huawei(stp-region-configuration)#active region-configuration
huawei(stp-region-configuration)#quit
huawei(config)#stp instance 2 priority 4096
huawei(config)#stp instance 2 root primary
huawei(config)#stp max-hops 10
huawei(config)#stp bridge-diameter 6
huawei(config)#stp pathcost-standard dot1t
huawei(config)#stp timer forward-delay 2000
huawei(config)#stp timer hello 1000
huawei(config)#stp timer max-age 3000
huawei(config)#stp time-factor 6
huawei(config)#stp port 0/17/0 transmit-limit 16
huawei(config)#stp port 0/17/0 edged-port enable
huawei(config)#stp port 0/17/0 instance 0 cost 1024
huawei(config)#stp port 0/17/0 instance 0 port-priority 64
huawei(config)#stp port 0/17/0 point-to-point force-true
huawei(config)#stp bpdu-protection enable

8.9 Configuring RRPP
Rapid Ring Protection Protocol (RRPP) is a data link layer protocol specially applied to the Ethernet ring. When the Ethernet ring is complete, RRPP can prevent broadcast storms caused by a data loop. When a link on the Ethernet ring is disconnected, RRPP can quickly recover the communication channels between nodes on the Ethernet ring, thus increasing the network reliability.

Context
Most MANs and enterprise networks adopt the ring network structure to increase the reliability. Any faulty node on the ring does not affect the service. RRPP is a dedicated data link layer protocol applied to the Ethernet ring. Compared with other Ethernet ring technologies, RRPP has the following advantages:
l The topology convergence is quick.
l The convergence time is irrelevant with the number of nodes in the ring network. RRPP is applicable to the network that has a relatively large network diameter.
l A complete Ethernet ring can prevent broadcast storm caused by data loop.
l When a link in the Ethernet ring network is disconnected, RRPP can quickly recover the communication between nodes in the ring network by using the backup link.
Currently, the MA5600T supports only the single-ring network application of RRPP. The MA5600T can function as a primary node or a transmission node.

Procedure
l Configure the primary node.
1. Run the rrpp mode command to configure the RRPP protocol mode.
– You can select the RRPP standard mode or EAPS compatible mode. The RRPP standard mode is used by default.
– When the RRPP function is enabled or an RRPP domain exists on the device, the RRPP protocol mode cannot be changed.
2. Run the rrpp domain command to configure the RRPP domain. Currently, the MA5600T supports only one RRPP domain.
3. Run the control-vlan command to configure the control VLAN of the RRPP domain.
– The specified VLAN must be created through the vlan command and must be a standard VLAN.
– During the configuration, you need to specify only the major control VLAN ID. The sub-control VLAN ID is specified by the system. Sub-control VLAN ID = Major control VLAN ID + 1.
– The major control VLAN or sub-control VLAN cannot be a system reserved VLAN or a VLAN that is in use.
4. (Optional) Run the timer hello-timer command to configure the hello timer and fail time of the RRPP domain.
– By default, the hello timer is 1s and the fail timer is 3s.
– The value of the fail timer must be at least three times the value of the hello timer.
5. Run the ring command to configure the RRPP ring.
– Currently, the MA5600T supports only one RRPP ring and the ring must be the primary ring.
– The network role of a port joining the RRPP ring must be an upstream port. It cannot be a subtending port.
NOTE
On the same port, the RRPP function and the STP function cannot be enabled at the same time. Because the system enables the STP port-level switch by default, before creating an RRPP port, you must disable the STP function of the primary and secondary ports.
6. Run the ring enable command to enable the RRPP ring.
7. Run the rrpp enable command to enable the RRPP protocol.

8. Run the display rrpp brief domain command to query the brief information about the RRPP domain.
9. Run the display rrpp verbose domain command to query details of the RRPP ring.
l Configure the transmission node.
1. Run the rrpp mode command to configure the RRPP protocol mode. The configuration must be the same as that on the primary node.
– You can select the RRPP standard mode or EAPS compatible mode. The RRPP standard mode is used by default.
– When the RRPP function is enabled or an RRPP domain exists on the device, the RRPP protocol mode cannot be changed.
2. Run the rrpp domain command to configure the RRPP domain. The domain ID must be the same as that on the primary node. Currently, the MA5600T supports only one RRPP domain.
3. Run the control-vlan command to configure the control VLAN of the RRPP domain. The configuration must be the same as that on the primary node.
– The specified VLAN must be created through the vlan command and must be a standard VLAN.
– During the configuration, you need to specify only the major control VLAN ID. The sub-control VLAN ID is specified by the system. Sub-control VLAN ID = Major control VLAN ID + 1.
– The major control VLAN or sub-control VLAN cannot be a system reserved VLAN or a VLAN that is in use.
4. (Optional) Run the timer hello-timer command to configure the hello timer and fail time of the RRPP domain.
– By default, the hello timer is 1s and the fail timer is 3s.
– The transmission node uses the fail timer as the timeout timer.
5. Run the ring command to configure the RRPP ring. The ring ID must be the same as that on the primary node.
– Currently, the MA5600T supports only one RRPP ring and the ring must be the primary ring.
– The network role of a port joining the RRPP ring must be an upstream port. It cannot be a subtending port.
NOTE
On the same port, the RRPP function and the STP function cannot be enabled at the same time. Because the system enables the STP port-level switch by default, before creating an RRPP port, you must disable the STP function of the primary and secondary ports.
6. Run the ring enable command to enable the RRPP ring.
7. Run the rrpp enable command to enable the RRPP protocol.

----End

Example
To configure the MA5600T as the primary node of an RRPP ring with the following settings, do as follows:
l RRPP mode: standard

l Major control VLAN ID: 14, sub-control VLAN ID: 15
l RRPP primary port: 0/17/0, RRPP secondary port: 0/17/1
l RRPP domain ID: 1
l RRPP ring ID: 64
Other parameters adopt the default settings.
huawei(config)#vlan 14 standard
huawei(config)#vlan 15 standard
huawei(config)#port vlan 14-15 0/17 0-1
huawei(config)#stp port 0/17/0 disable
huawei(config)#stp port 0/17/1 disable
huawei(config)#rrpp mode rrpp
huawei(config)#rrpp domain 1
huawei(rrpp-domain-region-1)#control-vlan 14
huawei(rrpp-domain-region-1)#ring 64 node-mode master primary-port 0/17/0 secondary-port 0/17/1 level 0
huawei(rrpp-domain-region-1)#ring 64 enable
huawei(rrpp-domain-region-1)#quit
huawei(config)#rrpp enable
huawei(config)#display rrpp brief domain 1
  ----------------------------------------------------------------------------
  Rrpp Protocol Status  : Enable
  Rrpp protocol mode    : RRPP
  Number of RRPP Domains: 1
  ----------------------------------------------------------------------------
  Domain Index          : 1
  Major Control VLAN    : 14
  Hello Timer           : 1 sec (default is 1 sec)
  Fail Timer            : 3 sec (default is 3 sec)
  Number of RRPP Rings  : 1
  ----------------------------------------------------------------------------
  Ring  Ring   Node  Primary/Common  Secondary/Edge  Is
  ID    Level  Mode  Port            Port            Enabled
  ----------------------------------------------------------------------------
  64    0      M     GE 0/17/0       GE 0/17/1       Yes
  ----------------------------------------------------------------------------
  Note: M - Master, T - Transit, E - Edge, A - Assistant-Edge

8.10 Configuring the BFD
This topic describes how to configure the BFD on the MA5600T.

Context
Bidirectional Forwarding Detection (BFD) protocol is a draft standardized by the Internet Engineering Task Force (IETF). BFD detects the traffic forwarding capability of the link or system by quickly sending BFD control packets (the UDP packets in a specified format) at intervals between two nodes.

8.10.1 Configuration Example of the BFD Link Detection (Static Route)
The MA5600T supports detecting the fault of a static route by using the BFD. This topic describes how to configure the BFD link detection based on an example network.

Prerequisites
The BFD function must be enabled globally on the MA5600T.

Networking
Figure 8-3 shows an example network of the BFD link detection. Different static routes exist between the MA5600T and Router_3 through Router_1 and Router_2, and the BFD session is bound to the static route. When one link is faulty, the BFD session notifies the bound route for route switching.
Figure 8-3 Example network of the BFD link detection

Data Plan
Table 8-1 provides the data plan for configuring the BFD link detection.
Table 8-1 Data plan for configuring the BFD link detection

Item | Data | Remarks
MA5600T | Upstream ports: 0/17/0 and 0/17/1 | -
VLANs | VLAN ID: 30; VLAN type: Smart VLAN; IP address of the L3 interface: 10.10.10.1/24 | -
VLANs | VLAN ID: 40; VLAN type: Smart VLAN; IP address of the L3 interface: 20.20.20.1/24 | -
BFD session | Session name: ToRouter_1; Minimum transmit interval: 10 ms; Minimum receive interval: 10 ms; Detection multiplier: 3; Identifier: auto-negotiation | -
BFD session | Session name: ToRouter_2; Minimum transmit interval: 10 ms; Minimum receive interval: 10 ms; Detection multiplier: 3; Identifier: auto-negotiation | -
Requirements for the upper-layer device | Router_1: IP address of the L3 interface: see the example network; VLAN ID: 30; BFD session parameters: consistent with the parameters of the MA5600T | For details about the configuration of the routers, see the corresponding configuration guide.
Requirements for the upper-layer device | Router_2: IP address of the L3 interface: see the example network; VLAN ID: 40; BFD session parameters: consistent with the parameters of the MA5600T |

Procedure
Step 1 Create VLANs and add upstream ports to the VLANs.
huawei(config)#vlan 30 smart
huawei(config)#port vlan 30 0/17 0
huawei(config)#vlan 40 smart
huawei(config)#port vlan 40 0/17 1
Step 2 Configure the IP address of the L3 interface of the VLAN.
huawei(config)#interface vlanif 30
huawei(config-if-vlanif30)#ip address 10.10.10.1 24
huawei(config-if-vlanif30)#quit
huawei(config)#interface vlanif 40
huawei(config-if-vlanif40)#ip address 20.20.20.1 24
huawei(config-if-vlanif40)#quit
Step 3 Configure the BFD sessions.
You can configure BFD sessions only after the BFD function is enabled.
huawei(config)#bfd
huawei(config-bfd)#quit
huawei(config)#bfd ToRouter_1 bind peer-ip 10.10.10.2 source-ip 10.10.10.1 auto
huawei(config-bfd-session-torouter_1)#min-rx-interval 10
huawei(config-bfd-session-torouter_1)#min-tx-interval 10
huawei(config-bfd-session-torouter_1)#detect-multiplier 3
huawei(config-bfd-session-torouter_1)#commit
huawei(config-bfd-session-torouter_1)#quit
huawei(config)#bfd ToRouter_2 bind peer-ip 20.20.20.2 source-ip 20.20.20.1 auto
huawei(config-bfd-session-torouter_2)#min-rx-interval 10
huawei(config-bfd-session-torouter_2)#min-tx-interval 10
huawei(config-bfd-session-torouter_2)#detect-multiplier 3
huawei(config-bfd-session-torouter_2)#commit
huawei(config-bfd-session-torouter_2)#quit

Step 4 Bind the BFD sessions to the static routes.
huawei(config)#ip route-static 30.30.30.1 24 10.10.10.2 preference 2 track bfdsession ToRouter_1
huawei(config)#ip route-static 30.30.30.1 24 20.20.20.2 preference 6 track bfdsession ToRouter_2
Step 5 Save the data.
huawei(config)#save

----End

Result
BFD sessions ToRouter_1 and ToRouter_2 are in the up state. The route to which ToRouter_1 is bound takes effect and carries services because it has a higher priority. When a faulty link is detected, BFD session ToRouter_1 turns to the down state, which triggers the deactivation of the bound route. In this case, the route to which ToRouter_2 is bound takes effect and carries services.

8.10.2 Configuration Example of the BFD Link Detection (Dynamic Route)
The MA5600T supports detecting the fault of a dynamic route by using the BFD. This topic describes how to configure the BFD link detection based on the dynamic routing protocol OSPF.

Prerequisites
The BFD function must be enabled globally on the MA5600T.

Networking
Figure 8-4 shows an example network of the BFD link detection. Dynamic routes between the MA5600T and Router_1, Router_2 are generated through OSPF. The BFD session is bound to the OSPF route. When one link is faulty, the BFD session reports that the bound OSPF neighbor is down, thus switching the route.
Figure 8-4 Example network of the BFD link detection

Data Plan
Table 8-2 provides the data plan for configuring the BFD link detection.

Table 8-2 Data plan for configuring the BFD link detection

Item: MA5600T
Data: Upstream ports: 0/17/0 and 0/17/1
Remarks: -

Item: VLANs
Data: VLAN ID: 30
      VLAN type: Smart VLAN
      IP address of the L3 interface: 10.10.10.1/24
      VLAN ID: 40
      VLAN type: Smart VLAN
      IP address of the L3 interface: 20.20.20.1/24
Remarks: -

Item: BFD session
Data: Minimum transmit interval: 10 ms
      Minimum receive interval: 10 ms
      Detection multiplier: 3
Remarks: -

Item: Requirements for the upper-layer device
Data: Router_1:
      - IP address of the L3 interface: see the example network
      - VLAN ID: 30
      - OSPF: enabled
      - BFD session parameters: consistent with the parameters of the MA5600T
      Router_2:
      - IP address of the L3 interface: see the example network
      - VLAN ID: 40
      - OSPF: enabled
      - BFD session parameters: consistent with the parameters of the MA5600T
Remarks: For details about the configuration of the router, see the corresponding configuration guide.

Procedure

Step 1 Create VLANs and add upstream ports to the VLANs.
huawei(config)#vlan 30 smart
huawei(config)#port vlan 30 0/17 0
huawei(config)#vlan 40 smart
huawei(config)#port vlan 40 0/17 1

Step 2 Configure the IP address of the L3 interface of the VLAN.
huawei(config)#interface vlanif 30
huawei(config-if-vlanif30)#ip address 10.10.10.1 24

huawei(config-if-vlanif30)#quit
huawei(config)#interface vlanif 40
huawei(config-if-vlanif40)#ip address 20.20.20.1 24
huawei(config-if-vlanif40)#quit

Step 3 Configure OSPF.
huawei(config)#ospf 1
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 10.10.10.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#network 20.20.20.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit

Step 4 Enable BFD in the L3 interface mode.
huawei(config)#interface vlanif 30
huawei(config-if-vlanif30)#ospf bfd enable
huawei(config-if-vlanif30)#ospf bfd min-rx-interval 10 min-tx-interval 10 detect-multiplier 3
huawei(config-if-vlanif30)#ospf cost 30
huawei(config-if-vlanif30)#quit
huawei(config)#interface vlanif 40
huawei(config-if-vlanif40)#ospf bfd enable
huawei(config-if-vlanif40)#ospf bfd min-rx-interval 10 min-tx-interval 10 detect-multiplier 3
huawei(config-if-vlanif40)#ospf cost 40
huawei(config-if-vlanif40)#quit

Step 5 Save the data.
huawei(config)#save

----End

Result
After establishing the neighbor relation with each router through OSPF, the MA5600T automatically creates two BFD sessions. When the active link is faulty, its bound BFD session is down, which triggers the OSPF neighbor relation to be down. Thus, the route is switched to the standby link.

8.11 Configuring ETH OAM
In a broad sense, operation, administration, and maintenance (OAM) means a set of methods for monitoring and diagnosing network faults. The Ethernet OAM feature includes two subfeatures: Ethernet CFM OAM and Ethernet EFM OAM.

8.11.1 Configuring Ethernet CFM OAM
The MA5600T can detect the fault by using the Ethernet CFM OAM. This topic describes how to configure Ethernet CFM OAM based on the example network.

Service Requirements
The two remote devices send detection packets periodically to check the link connectivity.

Networking
Figure 8-5 shows the example network for configuring the Ethernet CFM OAM.

In this example network, the Ethernet CFM OAM mechanism is run to detect faults on the link between MA5600T_A and MA5600T_B. The two devices are configured under the same MA in the same MD. When a connection fault occurs, the system reports the alarm and locates the fault.

Figure 8-5 Example network for configuring Ethernet CFM OAM

Data Plan
Table 8-3 provides the data plan for configuring Ethernet CFM OAM.

Table 8-3 Data plan for configuring Ethernet CFM OAM

Item: MA5600T_A
Data: Port: 0/17/0
      Smart VLAN: 100
      MEP: 2/6/1
      CC-interval: 10 minutes

Item: MA5600T_B
Data: Port: 0/17/1
      Smart VLAN: 100
      MEP: 2/6/2
      CC-interval: 10 minutes

Procedure

Step 1 Create a VLAN and add the upstream port to the VLAN.
Set the VLAN ID to 100 and the VLAN type to smart.
huawei(config)#vlan 100 smart
Add port 0/17/0 to VLAN 100.

huawei(config)#port vlan 100 0/17 0

Step 2 (Optional) Configure the native VLAN for the upstream port.
This step determines whether the packets of the upstream Ethernet port carry the VLAN tag. Whether the native VLAN needs to be set for the upstream port depends on whether the upper-layer device connected to the upstream port supports packets carrying a VLAN tag. The setting on the MA5600T must be consistent with that on the upper-layer device.
huawei(config)#interface scu 0/17
huawei(config-if-scu-0/17)#native-vlan 0 100
huawei(config-if-scu-0/17)#quit

Step 3 Configuring MD
- MDs with the same index or level cannot be created.
- The name type and the name of an MD must be unique.
- The total length of the names of an MD and its MAs cannot be longer than 44 characters.
- The MD name type, the MD name and the MD level must be consistent at both ends.
Configure MD 2 with a name of the character string type, name md-huawei, and MD level 3.
huawei(config)#cfm md 2 name-format string md-huawei level 3

Step 4 Configuring MA
- The system supports up to 4096 MAs. For example, if an MD is configured with 4096 MAs, the other MDs in the system cannot be configured with any MA.
- An MD must be available for creating an MA.
- An existing MA cannot be created again.
- The total length of the names of an MD and its MAs cannot be longer than 44 characters.
- Currently, an MA supports a local MEP and a remote MEP, and their IDs must be unique.
- The MA name type, the MA name and the sending period of CC packets must be consistent at both ends.
1. Create an MA with the index 2/6. The name type is the character string type, and the name is ma-huawei. The sending period of CC packets is 10 minutes (the sending period of CC packets is 1 minute by default).
huawei(config)#cfm ma 2/6 name-format string ma-huawei cc-interval 10m
2. Set the VLAN associated to the MA to 100.
huawei(config)#cfm ma 2/6 vlan 100
3. Set the ID of MEP contained by the MA to 1. MEP ID 2 needs to be configured on the MA5600T_B device of the peer end.
huawei(config)#cfm ma 2/6 meplist 1
huawei(config)#cfm ma 2/6 meplist 2

Step 5 Configuring MEP
- MEP refers to a maintenance association end point. Ethernet CFM OAM is used to test the link connectivity by using the MEPs at the two ends of a maintenance channel.
- There are two kinds of MEPs: UP MEP and DOWN MEP. When you define the port on a device, you must define the port as an UP MEP or a DOWN MEP. That is, after the port is defined as an MEP, it can send packets in only one direction. An UP MEP indicates that the MEP transmits packets to the bridge trunk direction. A DOWN MEP indicates that the MEP transmits packets to the physical medium direction. For example, after the GIU upstream port on the MA5600T is defined as an MEP, it is a DOWN MEP if it can transmit packets to only the upstream direction (convergence layer) according to the definition; it is an UP MEP if it can transmit packets to only the downstream direction (to hardware and logic) according to the definition.
- By default, the priority of sending CFM packets is 7, the MEP management function is enabled, and the function of sending CC packets is enabled.
- The MEP priority must be consistent at both ends.
- vlantag1 or vlantag2 must be configured when you add an MEP for a port with service streams. vlantag2 is the outer VLAN of the port carrying the service link for the MEP. vlantag2 is the inner VLAN of the port carrying the service link for the MEP.
huawei(config)#cfm mep 2/6/1 direction down port 0/17/0 priority 7

Step 6 Enable the RMEP detection function.
The system can check the remote MEPs of an MA and report alarms for loss of CCM and RDI only when the following functions are enabled: the global CFM function, the global function of checking remote MEPs, and the function of checking the remote MEPs of the MA. By default, the RMEP detection function of MA is enabled, while the global RMEP detection function is disabled.
1. Enable the RMEP detection function of the MA.
huawei(config)#cfm ma 2/6 remote-mep-detect enable
2. Enable the global RMEP detection function.
huawei(config)#cfm remote-mep-detect enable

Step 7 Enable the global CFM function.
huawei(config)#cfm enable

Step 8 Save the data.
huawei(config)#save

NOTE
Configuration on MA5600T_B is the same as that on MA5600T_A. Except that the index of MEP is 2/6/2, other parameters are the same.

----End

Result
After the configuration, run the display cfm mep command on MA5600T_A or MA5600T_B to query MEP configuration, and the parameter Remote MEP ID/MAC is not empty.

Configuration File
vlan 100 smart
port vlan 100 0/17 0
interface scu 0/17
native-vlan 0 100
quit
cfm md 2 name-format string md-huawei level 3
cfm ma 2/6 name-format string ma-huawei cc-interval 10m
cfm ma 2/6 vlan 100
cfm ma 2/6 meplist 1
cfm ma 2/6 meplist 2
cfm mep 2/6/1 direction down port 0/17/0 priority 7
cfm ma 2/6 remote-mep-detect enable
cfm remote-mep-detect enable
cfm enable
save
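The CFM procedure requires several values to match at both ends of the link. The following Python check is an added example, not part of the Huawei guide: it parses the configuration file of MA5600T_A and a peer file for MA5600T_B (constructed here from the NOTE and Table 8-3) and reports violations of those rules. The function names and the per-MA reading of the 44-character limit are assumptions.

```python
import re

# Configuration file for MA5600T_A, copied from the page.
CONFIG_A = """\
vlan 100 smart
port vlan 100 0/17 0
interface scu 0/17
native-vlan 0 100
quit
cfm md 2 name-format string md-huawei level 3
cfm ma 2/6 name-format string ma-huawei cc-interval 10m
cfm ma 2/6 vlan 100
cfm ma 2/6 meplist 1
cfm ma 2/6 meplist 2
cfm mep 2/6/1 direction down port 0/17/0 priority 7
cfm ma 2/6 remote-mep-detect enable
cfm remote-mep-detect enable
cfm enable
save
"""

# Constructed peer file for MA5600T_B: per the NOTE and Table 8-3, only the
# MEP index (2/6/2) and the port (0/17/1) differ from MA5600T_A.
CONFIG_B = (CONFIG_A
            .replace("port vlan 100 0/17 0", "port vlan 100 0/17 1")
            .replace("cfm mep 2/6/1 direction down port 0/17/0",
                     "cfm mep 2/6/2 direction down port 0/17/1"))

PATTERNS = {
    "md": re.compile(r"cfm md (\d+) name-format (\S+) (\S+) level (\d+)"),
    "ma": re.compile(r"cfm ma (\d+/\d+) name-format (\S+) (\S+) cc-interval (\S+)"),
    "meplist": re.compile(r"cfm ma (\d+/\d+) meplist (\d+)"),
    "mep": re.compile(r"cfm mep (\d+/\d+)/(\d+) direction (up|down) port (\S+) priority (\d+)"),
}
GLOBAL_FLAGS = ("cfm enable", "cfm remote-mep-detect enable")


def parse_cfm(text):
    """Collect the CFM statements of one device's configuration file."""
    cfg = {"md": {}, "ma": {}, "meplist": {}, "mep": {}, "flags": set()}
    for line in (raw.strip() for raw in text.splitlines()):
        if line in GLOBAL_FLAGS:
            cfg["flags"].add(line)
        elif m := PATTERNS["md"].fullmatch(line):
            cfg["md"][m[1]] = {"name-format": m[2], "name": m[3], "level": m[4]}
        elif m := PATTERNS["ma"].fullmatch(line):
            cfg["ma"][m[1]] = {"name-format": m[2], "name": m[3], "cc-interval": m[4]}
        elif m := PATTERNS["meplist"].fullmatch(line):
            cfg["meplist"].setdefault(m[1], set()).add(m[2])
        elif m := PATTERNS["mep"].fullmatch(line):
            # The page states an MA supports one local MEP, so key by MA index.
            cfg["mep"][m[1]] = {"id": m[2], "priority": m[5]}
    return cfg


def check_pair(a, b):
    """Return a list of findings for the two ends of one CFM link."""
    findings = []
    # MD name type/name/level and MA name type/name/CC period must match.
    for kind in ("md", "ma"):
        for idx in sorted(set(a[kind]) | set(b[kind])):
            left, right = a[kind].get(idx), b[kind].get(idx)
            if left is None or right is None:
                findings.append(f"{kind} {idx}: configured on one end only")
                continue
            for field in left:
                if left[field] != right[field]:
                    findings.append(
                        f"{kind} {idx}: {field} differs ({left[field]} vs {right[field]})")
    for label, cfg in (("A", a), ("B", b)):
        for ma_idx, ma in cfg["ma"].items():
            md = cfg["md"].get(ma_idx.split("/")[0])
            if md is None:
                findings.append(f"{label}: ma {ma_idx} has no MD")
            # Assumption: the 44-character limit is MD name plus this MA's name.
            elif len(md["name"]) + len(ma["name"]) > 44:
                findings.append(f"{label}: ma {ma_idx}: MD and MA names exceed 44 characters")
        # Alarms for loss of CCM and RDI need both global functions enabled.
        for flag in GLOBAL_FLAGS:
            if flag not in cfg["flags"]:
                findings.append(f"{label}: '{flag}' missing")
    for ma_idx in sorted(set(a["mep"]) & set(b["mep"])):
        mep_a, mep_b = a["mep"][ma_idx], b["mep"][ma_idx]
        if mep_a["id"] == mep_b["id"]:
            findings.append(f"ma {ma_idx}: both ends use the same MEP ID {mep_a['id']}")
        if mep_a["priority"] != mep_b["priority"]:
            findings.append(f"ma {ma_idx}: MEP priority differs")
        for label, cfg, peer in (("A", a, mep_b), ("B", b, mep_a)):
            if peer["id"] not in cfg["meplist"].get(ma_idx, set()):
                findings.append(f"{label}: ma {ma_idx}: peer MEP {peer['id']} not in meplist")
    return findings


if __name__ == "__main__":
    for finding in check_pair(parse_cfm(CONFIG_A), parse_cfm(CONFIG_B)) or ["consistent"]:
        print(finding)
```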

8.11.2 Configuring Ethernet EFM OAM
This topic describes how to configure the Ethernet EFM OAM on the MA5600T.

Prerequisites
The Ethernet EFM OAM license must be obtained and installed.

Service Requirements
- Ethernet EFM OAM is enabled on both local MA5600T_A and remote MA5600T_B.
- When the remote end is faulty, the local end generates an alarm.
- The local end can be used to locate a fault through the EFM remote end loopback.

Figure 8-6 Example network of Ethernet EFM OAM

Data Plan
Table 8-4 provides the data plan for configuring Ethernet EFM OAM.

Table 8-4 Data plan for configuring Ethernet EFM OAM

Item: MA5600T_A
Data: Port: 0/17/0
      Ethernet OAM mode: active

Item: MA5600T_B
Data: Port: 0/17/1
      Ethernet OAM mode: passive
      Loopback control parameter: process

Procedure
- Configure local MA5600T_A.
1. (Optional) Configure the Ethernet EFM OAM mode of the port.
Configure Ethernet OAM port 0/17/0 to actively initiate the discovery process and the loopback control packet. The default mode is the active mode.
huawei(config)#efm oam mode 0/17/0 active
2. (Optional) Configure the loopback control parameter of the Ethernet EFM OAM port.
By default, EFM remote loopback is disabled, and the configuration of the local end is process.
huawei(config)#efm loopback 0/17/0 process
3. Enable Ethernet EFM OAM of the port.
After Ethernet EFM OAM is enabled, the loopback control parameter and Ethernet EFM OAM mode of the port cannot be modified.
huawei(config)#efm oam 0/17/0 enable
4. Save the data.
huawei(config)#save
5. (Optional) Enable EFM remote loopback.
When the remote end is faulty, use the EFM remote loopback function to locate the fault.
huawei(config)#efm loopback 0/17/0 start
Starting loopback will interrupt all the services on this port. Are you sure to start loopback? (y/n)[n]:y

- Configure remote MA5600T_B.
1. Configure the Ethernet EFM OAM mode of the port.
Configure Ethernet EFM OAM port 0/17/1 to work in the passive mode. The default mode is the active mode.
huawei(config)#efm oam mode 0/17/1 passive
2. Configure the loopback control parameter of the Ethernet EFM OAM port.
The Ethernet EFM OAM loopback control parameter of the remote end must be process. In this way, the EFM remote loopback function can be used normally.
huawei(config)#efm loopback 0/17/1 process
3. Enable Ethernet EFM OAM of the port.
After Ethernet EFM OAM is enabled, the loopback control parameter and Ethernet EFM OAM mode of the port cannot be modified.
huawei(config)#efm oam 0/17/1 enable
4. Save the data.
huawei(config)#save

----End

Result
After the configuration is completed, you can run the display efm oam status command on MA5600T_A or MA5600T_B to query the relevant information about the local end or remote end.

Configuration File
On local MA5600T_A:
efm oam mode 0/17/0 active
efm loopback 0/17/0 process
efm oam 0/17/0 enable
save
efm loopback 0/17/0 start
y

On remote MA5600T_B:
efm oam mode 0/17/1 passive
efm loopback 0/17/1 process
efm oam 0/17/1 enable
save

9 Configuration Example of the FTTH Service

About This Chapter
This topic describes how to configure the Internet access, VoIP, and IPTV services in the FTTH GPON access mode.

9.1 FTTH Network
FTTH indicates fiber to the home. The ONT is connected to the OLT in the PON mode to implement FTTH. The voice, data, and video services are provided through a single optical fiber.

9.2 FTTH Data Plan (GPON Access)
This topic provides the unified data plan for the FTTH GPON access. The subsequent examples are configured based on the following data plan.

9.3 Configuring the FTTH Internet Access Service
The OLT is connected to the remote ONT through the GPON port to provide users with the high-speed Internet access service.

9.4 Configuring the FTTH VoIP Service (SIP-based)
The OLT is connected to the remote ONT through a GPON port to provide users with the IP-based high-quality and low-cost VoIP service.

9.5 Configuring the FTTH IPTV Service
The OLT is connected to the remote ONT through a GPON port to provide users with the IPTV service.

9.1 FTTH Network
FTTH indicates fiber to the home. The ONT is connected to the OLT in the PON mode to implement FTTH. The voice, data, and video services are provided through a single optical fiber.

Network
Figure 9-1 shows an example network of full access services in the FTTH scenario.

Figure 9-1 Example network of the FTTH service

9.2 FTTH Data Plan (GPON Access)
This topic provides the unified data plan for the FTTH GPON access. The subsequent examples are configured based on the following data plan.

Data Plan
Table 9-1 provides the unified data plan for configuring the HSI, IPTV, VoIP in an FTTH network.

Table 9-1 Data plan for the FTTH GPON access

Service classification: Network data
Item: FTTH
Data: OLT PON port: 0/5/1
      ONT ID: 1
Remarks: -

Service classification: Device management
Item: Inband NMS IP address of the OLT
Data: 192.168.50.1/24
Item: Management VLAN of the OLT
Data: 4000
Remarks: In the GPON access, the network management protocol of the ONT adopts OMCI.

Service classification: Service VLAN
Item: HSI service
Data: ONT VLAN: 10
      OLT VLANs:
      - CVLAN (using the VLAN of the ONT): 10
      - SVLAN: 100
Remarks:
- For the Internet access service, you can use two precisely-bound VLAN tags to extend VLANs and identify users. On the ONT, each user is allocated with a CVLAN. On the OLT, each OLT, each slot of the OLT, or each PON port can be allocated with an SVLAN.
- The ONT VLANs of the same OLT must be planned in a unified manner and each ONT VLAN ID must be unique.
Item: VoIP service
Data: ONT VLAN: 20
      OLT VLAN: 200
Remarks: Generally, the VoIP service can be identified by a single VLAN tag. Each OLT, each slot of the OLT, or each PON port can be allocated with a VLAN to reduce VLAN broadcast domains.
Item: IPTV service
Data: Multicast VLAN: 1000
Remarks: Generally, multicast VLANs are divided according to multicast sources.

Service classification: QoS (priority)
Item: HSI service
Data: Priority: 1, queue scheduling: WRR
Item: IPTV service
Data: Priority: 4, queue scheduling: WRR
Item: VoIP service
Data: Priority: 6, queue scheduling: PQ
Remarks: Generally, the QoS priorities are NMS service and IP voice service > IPTV service > Internet access service in a descending order.

Service classification: QoS (DBA)
Item: HSI service
Data: - Profile type: Type4
      - Maximum bandwidth: 100 Mbit/s
      - T-CONT ID: 4
Item: IPTV service
Data: - Profile type: Type4
      - Maximum bandwidth: 60 Mbit/s
      - T-CONT ID: 3
Item: VoIP service
Data: - Profile type: Type3
      - Assured bandwidth: 15 Mbit/s
      - Maximum bandwidth: 30 Mbit/s
      - T-CONT ID: 2
Remarks: DBA is used to control the upstream bandwidth of the ONT. DBA profiles are bound to TCONTs. Different TCONTs are planned for different bandwidth assurance types. Generally, the service with a high priority adopts a fixed bandwidth or an assured bandwidth, and the service with a low priority adopts the maximum bandwidth or best effort.

Service classification: QoS (CAR)
Item: VoIP service
Data: No rate limitation in the upstream and downstream directions
Item: IPTV service
Data: No rate limitation in the upstream and downstream directions
Item: HSI service
Data: Upstream and downstream bandwidth: 4 Mbit/s
Remarks: Traffic control can be implemented on the BRAS, or on the OLT or ONT by using port rate limitation or using a traffic profile to limit the upstream and downstream traffic. Generally, in the case of FTTH, limit the rate on the OLT.

Service classification: IPTV service data
Item: Multicast protocol
Data: OLT: IGMP proxy
Remarks: -
Item: Multicast version
Data: IGMP V3
Remarks: IGMP v3 and IGMP v2 are supported, and IGMP v3 is compatible with IGMP v2.
Item: Multicast program configuration mode
Data: Static configuration mode
Remarks: The OLT can also generate a multicast program library, that is, dynamically generate a program list according to the programs requested by users. In this mode, the program list need not be configured or maintained; however, the functions such as program management, user multicast bandwidth management, program preview, and program prejoin are not supported.
Item: IP address of the multicast server
Data: 10.10.10.10
Remarks: -
Item: Multicast program
Data: 224.1.1.10
Remarks: -

Service classification: VoIP service data
Item: Signaling and media IP addresses
Data: 17.10.10.10/24
Remarks: SIP support separate media and signaling. The media and signaling IP address can be the same or different.
Item: Gateway IP address
Data: 17.10.10.0/24
Remarks: -
Item: SIP interface (SIP)
Data: SIP interface ID: 0
Remarks: It is the SIP interface ID used for the VoIP service to be configured, which determines the virtual access gateway (VAG) specified for the user.
Data: Signaling port ID of the SIP interface: 5056
Remarks: -
Data: IP address of the primary softswitch to which the SIP interface belongs: 200.200.200.200/24
      Port ID of the primary softswitch to which the SIP interface belongs: 5060/24
Remarks: When dual homing is configured, the IP address and the port ID of the secondary softswitch must also be configured.
Data: Coding mode of the SIP interface: text
Remarks: -
Data: Transmission mode of the SIP interface: UDP
Remarks: The transmission mode is selected according to the requirements on the softswitch. Generally, UDP is adopted.
Data: Home domain of the SIP interface: huawei
Remarks: -
Data: Index of the profile used by the SIP interface: 1
Remarks: Different profile indexes are used for interconnection with non-Huawei softswitches. For interconnection with a ZTE softswitch, use profile 5; for interconnection with a Bell softswitch, no constant profile is used. Profile 0 can be used and the data is negotiated with the Bell softswitch. You can run the if-h248 attribute profileindex command to query the profile index.

NOTE
The parameters of the SIP interface must be the same as the parameters on the softswitch. SIP has many negotiation parameters, and the parameters here are mandatory.

9.3 Configuring the FTTH Internet Access Service
The OLT is connected to the remote ONT through the GPON port to provide users with the high-speed Internet access service.

Service Requirements
- The user PC is connected to the ONT through the LAN port in the PPPoE dialing mode. The ONT is connected to the OLT and then to the upper-layer network in the GPON mode to provide the high-speed Internet access service.

- The high-speed Internet access service adopts a single VLAN tag. Each ONT is allocated with a CVLAN, which is translated into the same SVLAN on the OLT.
- The high-speed Internet access service adopts a bandwidth-ensured mode with the maximum bandwidth 100 Mbit/s as the DBA profile and performs the 4 Mbit/s rate limitation on both the upstream and downstream directions.
- To ensure reliability, dual GE ports are adopted for upstream transmission, and link aggregation is configured for the two upstream ports.

Table 9-2 Data plan

Item: OLT
Data: SVLAN ID: 100
      S-VLAN type: smart VLAN
      SVLAN attribute: common
      Upstream ports: 0/17/0 and 0/18/0

Item: ONT
Data: ONT ID: 1
      ID of the port on the ONT that is connected to the PC: 1
      Type of the port on the ONT that is connected to the PC: ETH
      VLAN ID of the port on the ONT that is connected to the PC: 10

Prerequisite
- The OLT is connected to the BRAS.
- Relevant configurations are performed on the BRAS according to the authentication and accounting requirements for dialup users. For details about the configuration, see the corresponding configuration guide.
- The VLAN of the LAN switch port connected to the OLT is the same as the upstream VLAN of the OLT.

Procedure
- Configure the OLT.
1. Create an SVLAN and add upstream ports to it.
Set the VLAN ID to 100, VLAN type to smart, and VLAN attribute to common (default). Add upstream ports 0/17/0 and 0/18/0 to VLAN 100.
huawei(config)#vlan 100 smart
huawei(config)#port vlan 100 0/17 0
huawei(config)#port vlan 100 0/18 0
2. Configure the upstream port aggregation.
Aggregate the two upstream ports as one aggregation group, set the packet forwarding mode of the aggregation group to egress-ingress, and set the aggregation group to work in the LACP static mode.
huawei(config)#link-aggregation 0/17 0 0/18 0 egress-ingress workmode lacp-static

NOTE
To configure port aggregation, the following requirements must be met:
- The ports must work in the full duplex mode.
- The port rates must be the same.
- The default VLANs (PVIDs) and VLAN attributes of both ports must be the same.
- No mirror destination port is included.
- One port belongs to only one aggregation group.

3. Configure a traffic profile.
You can run the display traffic table ip command to query the traffic profiles existing in the system. If the traffic profiles existing in the system do not meet the requirements, you need to run the traffic table ip command to add a traffic profile.
Set the profile ID to 8, CIR to 4 Mbit/s, and priority to 1, and schedule packets according to their priorities.
huawei(config)#traffic table ip index 8 cir 4096 priority 1 priority-policy tag-In-Packag
4. Configure a DBA profile.
You can run the display dba-profile command to query the DBA profiles existing in the system. If the DBA profiles existing in the system do not meet the requirements, you need to run the dba-profile add command to add a DBA profile.
Set the DBA profile ID to 10, type to type4, and maximum bandwidth to 100 Mbit/s.
huawei(config)#dba-profile add profile-id 10 type4 fix 102400
5. (Optional) Configure an alarm profile.
– The ID of the default GPON alarm profile is 1. The thresholds of all the alarm parameters in the default alarm profile are 0, which indicates that no alarm is generated.
– In this example, the default alarm profile is used, and therefore the configuration of the alarm profile is not required.
– Run the gpon alarm-profile add command to configure an alarm profile, which is used for monitoring the performance of an activated ONT line.
6. Configure an ONT line profile.
Add GPON ONT line profile 10 and bind T-CONT 4 to the DBA profile 10. In this way, the T-CONT can provide flexible DBA solutions based on different configurations in the DBA profile.
huawei(config)#ont-lineprofile gpon profile-id 10
huawei(config-gpon-lineprofile-10)#tcont 4 dba-profile-id 10
Add GEM port 1 for transmitting ETH traffic streams and bind GEM port 1 to TCONT 4. The QoS mode is priority-queue (default).
huawei(config-gpon-lineprofile-10)#gem add 1 eth tcont 4

NOTE
1. To change the QoS mode, run the qos-mode command to configure the QoS mode to gem-car or flow-car, and run the gem add command to configure the ID of the traffic profile bound to the GEM port.
2. When the QoS mode is PQ, the default queue priority is 0; when the QoS is flow-car, traffic profile 6 is bound to the port by default (no rate limitation); when the QoS mode is gem-car, traffic profile 6 is bound to the port by default (no rate limitation).

Configure the service mapping mode from the GEM port to the ONT to VLAN (default), and map CVLAN 10 to GEM port 1.
huawei(config-gpon-lineprofile-10)#mapping-mode vlan
huawei(config-gpon-lineprofile-10)#gem mapping 1 0 vlan 10

huawei(config-gpon-lineprofile-10)#commit
huawei(config-gpon-lineprofile-10)#quit

NOTE
After a profile is configured, run the commit command to make the configuration take effect before the system quits the profile mode.

7. Configure an ONT service profile.
The service profile type must be the same as the actual ONT type. Considering the HG8240 as an example, configure four ETH ports and two POTS ports. The ID of the VLAN to which ETH port 1 belongs is 10.
huawei(config)#ont-srvprofile gpon profile-id 10
huawei(config-gpon-srvprofile-10)#ont-port eth 4 pots 2
huawei(config-gpon-srvprofile-10)#port vlan eth 1

NOTE
After a profile is configured, run the commit command to make the configuration take effect before the system quits the profile mode.

8. Add an ONT.
The ONT ID is 1, the SN is 32303131D659FD40, the management mode is OMCI, the bound ONT line profile ID is 10, and the bound ONT service profile ID is 10. The default alarm profile (profile 1) is adopted.

NOTE
- You can run the ont add command to add an ONT offline or run the ont confirm command to confirm an automatically discovered ONT.
- In this example, the method of confirming the automatically discovered ONT is used.

huawei(config)#interface gpon 0/5
huawei(config-if-gpon-0/5)#port 1 ont-auto-find enable
huawei(config-if-gpon-0/5)#display ont autofind 1
------------------------------------------------------------------------
Number : 1
F/S/P : 0/5/1
Ont SN : 32303131D659FD40
Password :
VenderID : HWTC
Ont Version : HG850aGTH.B
Ont SoftwareVersion : V1R1C01SPC033
Ont EquipmentID : EchoLife:HG850a
Ont autofind time : 2009-10-24 14:59:10
------------------------------------------------------------------------
huawei(config-if-gpon-0/5)#ont confirm 1 ontid 1 sn-auth 32303131D659FD40 omci ont-lineprofile-id 10 ont-srvprofile-id 10 desc HG850a

NOTE
- After the ONT is added, it is recommended that you run the display ont info command to query the ONT status. Ensure that Config State of the ONT is normal and Match State is match.
- Run the display ont capability command to query the actual ONT capabilities and then, based on the queried ONT capabilities, add a proper ONT profile and a proper ONT.

9.