S1720&S2700&S3700&S5700&S6700 Product Use Precautions

S1720&S2700&S3700&S5700&S6700 Series
Ethernet Switches
Product Use Precautions

Issue
11
Date
2016-07-22
HUAWEI TECHNOLOGIES CO., LTD.
Copyright Huawei Technologies Co., Ltd. 2016. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address:
Huawei Industrial Base

Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website:
http://e.huawei.com
Issue 11 (2016-07-22)
Huawei Proprietary and Confidential

Copyright Huawei Technologies Co., Ltd.
S1720&S2700&S3700&S5700&S6700 Series Ethernet

Switches
About This Document
About This Document
Intended Audience
This document is intended for:
l
Data configuration engineers
Commissioning engineers
Network monitoring engineers
System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol
Description
Indicates an imminently hazardous situation
which, if not avoided, will result in death or
serious injury.
Indicates a potentially hazardous situation
which, if not avoided, could result in death
or serious injury.
which, if not avoided, may result in minor
or moderate injury.
which, if not avoided, could result in
equipment damage, data loss, performance
deterioration, or unanticipated results.
NOTICE is used to address practices not
related to personal injury.
Issue 11 (2016-07-22)

ii

Switches
About This Document
Symbol
Description
Calls attention to important information,
best practices and tips.
NOTE
NOTE is used to address information not

related to personal injury, equipment
damage, and environment deterioration.
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention
Description
Boldface
The keywords of a command line are in boldface.
Italic
Command arguments are in italics.
[]
Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }
Optional items are grouped in braces and separated by

vertical bars. One item is selected.
[ x | y | ... ]
Optional items are grouped in brackets and separated by

vertical bars. One item is selected or no item is selected.
{ x | y | ... }*
Optional items are grouped in braces and separated by

vertical bars. A minimum of one item or a maximum of all
items can be selected.
[ x | y | ... ]*
Optional items are grouped in brackets and separated by

vertical bars. Several items or no item can be selected.
&<1-n>
The parameter before the & sign can be repeated 1 to n

times.
A line starting with the # sign is comments.
Interface Numbering Conventions

Interface numbers used in this manual are examples and may not exist on devices. In device
configuration, use the existing interface numbers on devices.
Security Conventions
l
Issue 11 (2016-07-22)
Password setting
iii

Switches
About This Document
To ensure device security, use ciphertext when configuring a password and change
the password periodically.
The switch considers all passwords starting and ending with %^%#, %#%#, %@
%@ or @%@% as ciphertext and decrypts them. If you configure a plaintext
password that starts and ends with %^%#, %#%#, %@%@ or @%@%, the switch
decrypts it and records it into the configuration file (plaintext passwords are not
recorded for the sake of security). Therefore, do not set a password starting and
ending with %^%#, %#%#, %@%@ or @%@%.
When you configure passwords in ciphertext, different features must use different
ciphertext passwords. For example, the ciphertext password set for the AAA feature
cannot be used for other features.
Encryption algorithms
The switch currently supports the 3DES, AES, RSA, SHA1, SHA2, and MD5 encryption
algorithms. 3DES, RSA, and AES are reversible, whereas SHA1, SHA2, and MD5 are
irreversible. Using the encryption algorithms DES , 3DES, RSA (RSA-1024 or lower),
MD5 (in digital signature scenarios and password encryption), or SHA1 (in digital
signature scenarios) is a security risk. If protocols allow, use more secure encryption
algorithms, such as AES, RSA (RSA-2048 or higher), SHA2, or HMAC-SHA2.
An irreversible encryption algorithm must be used for the administrator password. SHA2
is recommended for this purpose.
Personal data
Some personal data may be obtained or used during operation and fault location of your
purchased products, services, or features. Set up privacy policies and take appropriate
measures to protect personal data based on regional privacy laws.
Mirroring
The terms mirrored port, port mirroring, traffic mirroring, and mirroring in this
document are mentioned only to describe the product's function of communication error
or failure detection, and do not involve collection or processing of any personal
information or communication data of users.
Disclaimer
This document is designed as a reference for you to configure your devices. Its contents,
including web pages, command line input and output, are based on laboratory conditions. It
provides instructions for general scenarios, but does not cover all use cases of all product
models. The examples given may differ from your use case due to differences in software
versions, models, and configuration files. When configuring your advice, alter the
configuration depending on your use case.
The specifications provided in this document are tested in lab environment (for example, the
tested device has been installed with a certain type of boards or only one protocol is run on
the device). Results may differ from the listed specifications when you attempt to obtain the
maximum values with multiple functions enabled on the device.
Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Issue 11 (2016-07-22)

iv

Switches
About This Document
Changes in Issue 11 (2016-07-22)

The documentation is updated according to product feature updates.

Mistakes in the document are corrected.

Mistakes in the document are corrected.




The following information is modified:
l
4.1 MAC

The following information is modified:
l
4.14 VBST



Initial commercial release.
Issue 11 (2016-07-22)


Switches
Contents
Contents
About This Document.....................................................................................................................ii
1 Basic Configuration.......................................................................................................................1
1.1 EasyDeploy.....................................................................................................................................................................2
1.2 USB-based Deployment................................................................................................................................................. 7
2 Device Management .................................................................................................................. 12

2.1 Information Center....................................................................................................................................................... 13
2.2 NTP...............................................................................................................................................................................14
2.3 Energy-Saving Management........................................................................................................................................ 16
2.4 PoE................................................................................................................................................................................18
2.5 iStack............................................................................................................................................................................ 29
2.6 SVF............................................................................................................................................................................... 32
3 Interface Management................................................................................................................ 47
3.1 Ethernet Interface......................................................................................................................................................... 48
3.2 Logical Interface...........................................................................................................................................................63
4 Ethernet Switching...................................................................................................................... 67
4.1 MAC............................................................................................................................................................................. 68
4.2 Link Aggregation..........................................................................................................................................................70
4.3 VLAN........................................................................................................................................................................... 74
4.4 VLAN Aggregation...................................................................................................................................................... 77
4.5 MUX VLAN.................................................................................................................................................................79
4.6 VLAN Termination.......................................................................................................................................................81
4.7 Voice VLAN................................................................................................................................................................. 83
4.8 QinQ............................................................................................................................................................................. 85
4.9 VLAN Mapping............................................................................................................................................................90
4.10 GVRP..........................................................................................................................................................................94
4.11 VCMP......................................................................................................................................................................... 97
4.12 STP/RSTP...................................................................................................................................................................99
4.13 MSTP........................................................................................................................................................................101
4.14 VBST........................................................................................................................................................................ 103
4.15 SEP........................................................................................................................................................................... 106
4.16 RRPP........................................................................................................................................................................ 108
4.17 ERPS (G.8032)......................................................................................................................................................... 110
Issue 11 (2016-07-22)

vi

Switches
Contents
4.18 LBDT........................................................................................................................................................................ 112

4.19 Layer 2 Protocol Transparent Transmission............................................................................................................. 114
5 IP Service.....................................................................................................................................117
5.1 ARP.............................................................................................................................................................................118
5.2 DHCP..........................................................................................................................................................................120
5.3 DHCP Policy VLAN.................................................................................................................................................. 123
5.4 DNS............................................................................................................................................................................ 124
5.5 mDNS Relay...............................................................................................................................................................126
5.6 UDP Helper................................................................................................................................................................ 128
5.7 IP Performance........................................................................................................................................................... 130
5.8 Basic IPv6...................................................................................................................................................................132
5.9 DHCPv6......................................................................................................................................................................134
5.10 IPv6 DNS..................................................................................................................................................................135
5.11 IPv6 over IPv4 Tunnel.............................................................................................................................................. 137
5.12 IPv4 over IPv6 Tunnel..............................................................................................................................................139
6 IP Unicast Routing.................................................................................................................... 141

6.1 ip routing table management...................................................................................................................................... 142
6.2 RIP.............................................................................................................................................................................. 143
6.3 RIPng.......................................................................................................................................................................... 146
6.4 OSPF...........................................................................................................................................................................148
6.5 OSPFv3.......................................................................................................................................................................149
6.6 IPv4 IS-IS................................................................................................................................................................... 151
6.7 IPv6 IS-IS................................................................................................................................................................... 153
6.8 BGP............................................................................................................................................................................ 155
6.9 Routing Policy............................................................................................................................................................ 158
6.10 PBR...........................................................................................................................................................................160
7 IP Multicast.................................................................................................................................163
7.1 IGMP.......................................................................................................................................................................... 164
7.2 MLD........................................................................................................................................................................... 166
7.3 PIM (IPv4).................................................................................................................................................................. 168
7.4 PIM (IPv6).................................................................................................................................................................. 170
7.5 MSDP......................................................................................................................................................................... 172
7.6 Multicast VPN............................................................................................................................................................ 174
7.7 Multicast Route Management (IPv4)......................................................................................................................... 176
7.8 Multicast Route Management (IPv6)......................................................................................................................... 178
7.9 IGMP Snooping.......................................................................................................................................................... 180
7.10 MLD Snooping......................................................................................................................................................... 183
7.11 Static Multicast MAC Address................................................................................................................................. 186
7.12 Multicast VLAN Replication....................................................................................................................................189
7.13 Controllable Multicast.............................................................................................................................................. 192
7.14 Multicast Network Management.............................................................................................................................. 195
Issue 11 (2016-07-22)

vii

Switches
Contents
8 MPLS............................................................................................................................................199
8.1 Static LSP................................................................................................................................................................... 200
8.2 MPLS LDP................................................................................................................................................................. 201
8.3 MPLS QoS..................................................................................................................................................................203
8.4 MPLS TE.................................................................................................................................................................... 205
9 VPN.............................................................................................................................................. 208
9.1 GRE............................................................................................................................................................................ 209
9.2 BGP/MPLS IP VPN................................................................................................................................................... 210
9.3 BGP/MPLS IPv6 VPN............................................................................................................................................... 212
9.4 VLL............................................................................................................................................................................ 214
9.5 PWE3..........................................................................................................................................................................216
9.6 VPLS.......................................................................................................................................................................... 218
10 WLAN-AC................................................................................................................................. 221
10.1 WLAN Service......................................................................................................................................................... 222
10.2 WLAN Security........................................................................................................................................................ 223
10.3 Radio Resource Management................................................................................................................................... 225
10.4 Spectrum Analysis.................................................................................................................................................... 228
10.5 Roaming....................................................................................................................................................................229
10.6 WLAN QoS.............................................................................................................................................................. 231
10.7 WDS......................................................................................................................................................................... 232
10.8 Mesh......................................................................................................................................................................... 235
10.9 Vehicle-Ground Communication.............................................................................................................................. 238
10.10 Tag Location........................................................................................................................................................... 239
10.11 Terminal Location...................................................................................................................................................241
10.12 Bluetooth Location................................................................................................................................................. 243
10.13 Dual-Link Backup.................................................................................................................................................. 245
10.14 N+1 Backup............................................................................................................................................................246
11 Reliability..................................................................................................................................248
11.1 BFD...........................................................................................................................................................................249
11.2 VRRP........................................................................................................................................................................ 250
11.3 DLDP........................................................................................................................................................................ 252
11.4 Smart Link and Monitor Link...................................................................................................................................254
11.5 MAC Swap Loopback.............................................................................................................................................. 256
11.6 EFM.......................................................................................................................................................................... 258
11.7 CFM.......................................................................................................................................................................... 260
11.8 Y.1731....................................................................................................................................................................... 261
12 User Access and Authentication........................................................................................... 264

12.1 AAA..........................................................................................................................................................................265
12.2 NAC (Common Mode) ............................................................................................................................................ 266
12.3 NAC (Unified Mode) ...............................................................................................................................................270
12.4 Policy Association.................................................................................................................................................... 274
Issue 11 (2016-07-22)

viii

Switches
Contents
13 Security...................................................................................................................................... 278
13.1 ACL.......................................................................................................................................................................... 279
13.2 Local Attack Defense............................................................................................................................................... 282
13.3 MFF.......................................................................................................................................................................... 284
13.4 Attack Defense......................................................................................................................................................... 285
13.5 Traffic Suppression and Storm Control.................................................................................................................... 287
13.6 ARP Security............................................................................................................................................................ 290
13.7 Port Security............................................................................................................................................................. 292
13.8 DHCP Snooping....................................................................................................................................................... 294
13.9 ND Snooping............................................................................................................................................................ 295
13.10 PPPoE+...................................................................................................................................................................297
13.11 IPSG........................................................................................................................................................................299
13.12 SAVI....................................................................................................................................................................... 301
13.13 URPF...................................................................................................................................................................... 303
13.14 Keychain................................................................................................................................................................. 304
13.15 MPAC..................................................................................................................................................................... 306
14 QoS............................................................................................................................................. 308
14.1 MQC......................................................................................................................................................................... 309
14.2 Priority Mapping.......................................................................................................................................................313
14.3 Traffic Policing, Traffic Shaping, and Interface-based Rate Limiting..................................................................... 315
14.4 Congestion Avoidance and Congestion Management.............................................................................................. 320
14.5 ACL-based Simplified Traffic Policy.......................................................................................................................323
14.6 HQoS........................................................................................................................................................................ 325
15 Network Management and Monitoring ............................................................................. 327

15.1 SNMP....................................................................................................................................................................... 328
15.2 RMON...................................................................................................................................................................... 329
15.3 LLDP........................................................................................................................................................................ 331
15.4 Performance Management........................................................................................................................................ 333
15.5 iPCA......................................................................................................................................................................... 334
15.6 NQA..........................................................................................................................................................................335
15.7 Service Diagnosis..................................................................................................................................................... 337
15.8 Mirroring.................................................................................................................................................................. 339
15.8.1 Involved Network Elements.................................................................................................................................. 339
15.8.2 License Support..................................................................................................................................................... 339
15.8.3 Version Support..................................................................................................................................................... 339
15.8.4 Number of Observing Ports................................................................................................................................... 342
15.8.5 1:N Mirroring........................................................................................................................................................ 357
15.8.6 N:1 Mirroring........................................................................................................................................................ 362
15.8.7 M:N Mirroring....................................................................................................................................................... 362
15.8.8 Limitations.............................................................................................................................................................363
15.9 Packet Capture.......................................................................................................................................................... 364
15.10 NetStream............................................................................................................................................................... 366
Issue 11 (2016-07-22)

ix

Switches
Contents
15.11 sFlow.......................................................................................................................................................................367
16 Free Mobility ........................................................................................................................... 370

16.1 Free Mobility............................................................................................................................................................ 371
Issue 11 (2016-07-22)


Switches
1 Basic Configuration
Basic Configuration
About This Chapter

1.1 EasyDeploy
1.2 USB-based Deployment
Issue 11 (2016-07-22)


Switches
1.1 EasyDeploy
Involved Network Elements
EasyDeploy networking involves the following components:
l
DHCP server
File server
Commander and client
License Support
EasyDeploy is not under license control.
Version Support
Table 1-1 Products and minimum version supporting EasyDeploy
Series
Product
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI/S2700EI
Not supported
S2710SI
Not supported
S2720EI
V200R006 (The S2720EI is

unavailable in V200R007
and V200R008 versions.)
S2750EI
V200R003
S3700SI/S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
V200R003
S5710-C-LI
Not supported
S5710-X-LI
V200R008
S5700EI/S5700SI
V200R003 (The S5700SI

and S5700EI are unavailable
in V200R006 and later
versions.)
S5710EI

and later versions.)
S5720EI
V200R007
S3700
S5700
Issue 11 (2016-07-22)


Switches
Series
Issue 11 (2016-07-22)
Product
Minimum Version
Required
S5720SI/S5720S-SI
V200R008
S5700HI
V200R003 (The S5700HI is

S5710HI

S5720HI
V200R006


Switches
Series
Issue 11 (2016-07-22)
Product
Minimum Version
Required
S6700
S6700EI

V
2
0
0
R
0
0
3
(
T
h
e
S
6
7
0
0
E
I
i
s
u
n
a
v
a
i
l
a
b
l
e
i
n
V
2
0
0
R
0
0
6
a
n
d
l
a
t
e

Switches
Series
Product
Minimum Version
Required
r
v
e
r
s
i
o
n
s
.
)
S6720EI
V200R008
S6720S-EI
V200R009
Feature Dependencies and Limitations

When configuring EasyDeploy, note the following points:
l
The EasyDeploy feature cannot be applied on an IPv6 or VPN network.
In the unconfigured device deployment or faulty device replacement scenarios, if you log
in to a device to be configured through its console interface, the device stops the
EasyDeploy process and starts to operate.
In the unconfigured device deployment and faulty device replacement scenarios,

EasyDeploy can only run on the service interfaces in the default VLAN.
The option fields or intermediate file method only applies to unconfigured device
deployment. The Commander method applies to both deployment and maintenance
scenarios and therefore is recommended.
The Commander can be located anywhere on a network, as long as reachable routes exist
between the Commander and clients. If a client does not have the configuration file, the
client must already obtain an IP address.
EasyDeploy is mutually exclusive with USB-based deployment, SVF, and web initial
login mode.
EasyDeploy allows a stack system to act as a client. In this case, the client MAC address
is the system MAC address of the stack system, and the client ESN is the ESN of the
stack master switch.
When the EasyDeploy topology collection function is enabled, the Commander that
initiates topology collection will receive a large number of protocol packets if the
Network Topology Discovery Protocol (NTDP) needs to collect the topology of more
than 200 devices. If the rate of NTDP packets exceeds the default committed access rate
(CAR), NTDP packets will be dropped. To prevent packet loss from affecting topology
collection, you can run the car (attack defense policy view) command to increase the
central processor CAR (CPCAR) of NTDP packets.
Specifications
Issue 11 (2016-07-22)


Switches
Table 1-2 lists the product models that support the EasyDeploy feature and specifications of
this feature.
Table 1-2 EasyDeploy feature specifications
EasyDeplo
y
Implement
ation
Role
Product
Model
Version
Maximum
Number of
Managed
Clients
Descriptio
n
Through the
Commander
Commander
S5700HI,
S5710HI,
S6700EI
V200R003C
00 to
V200R005C
00
128
S5720HI
V200R006C
00 and later
128
S5720EI
V200R007C
00 and later
128
S6720EI
V200R008C
00 and later
128
S6720S-EI
V200R009C
00 and later
128
All fixed
switch
models
except
S1720GFR
V200R003C
00 and later
l If the
clients
are
modular
switches,
EasyDepl
oy can
only be
applied
to the
batch
upgrade
and batch
configura
tion
scenarios
.
l If the
clients
are fixed
switches,
EasyDepl
oy
applies to
the batch
upgrade,
batch
configura
tion,
unconfig
ured
device
deploym
ent, and
faulty
device
replacem
ent
scenarios
.
S5700EI and
S5710EI
Client
All modular
switch
models
Issue 11 (2016-07-22)

64

Switches
EasyDeplo
y
Implement
ation
Role
Product
Model
Version
Maximum
Number of
Managed
Clients
Through
option fields
or an
intermediate
file
All the devices to be configured can be fixed switches.
Descriptio
n
Table 1-3 lists the types of files that can be loaded through EasyDeploy in various scenarios.
Table 1-3 File types supported by EasyDeploy
Usage Scenario
File Type
Unconfigured device deployment
System software, patch file, web page file,

configuration file (mandatory), and userdefined file
Faulty device replacement

configuration file (automatically backed
up), and user-defined file
Batch upgrade

configuration file, license file (supported
when the clients are modular switches), and
user-defined file
Batch configuration
Command script
NOTE
Each device can download a maximum of three user-defined files, including batch file and login
headline file. Devices cannot download user-defined files when unconfigured device deployment is
implemented using option fields or an intermediate file.
1.2 USB-based Deployment

Other network elements are not required.
License Support
USB-based deployment is not under license control.
Issue 11 (2016-07-22)


Switches
Version Support
Table 1-4 Products and minimum version supporting USB-based deployment
Series
Product
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI/S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI/S3700EI
Not supported
S3700HI
Not supported
S5700LI
V200R003
S5700S-LI
V200R008
S5710-C-LI
V200R001 (The S5710-CLI is unavailable in

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI
V100R005 (The S5700SI is

S5700EI
Not supported
S5710EI

S5720EI
V200R007
S5700HI

S5710HI

S5720HI
V200R006
S5720SI/S5720S-SI
V200R008
S3700
S5700
Issue 11 (2016-07-22)


Switches
Series
Product
Minimum Version
Required
S6700
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

In the S5700LI series, only the S5700-52X-LI-48CS-AC, S5701-28X-LI-24S-AC,
S5701-28X-LI-AC, S5700-28X-LI-24S-DC, and S5700-28X-LI-24S-AC support USB-based
deployment.
In the S5700S-LI series, only the S5700S-28X-LI-AC and S5700S-52X-LI-AC support USBbased deployment.
Constraints on USB-based deployment
l
The file system format of the USB flash drive must be FAT32, and standard for the USB
interface is USB2.0 (USB1.1 interface on the S5700LI). To ensure compatibility between
USB flash drives and devices, use Huawei-certified USB flash drives to configure the
Huawei devices. Table 1-5 lists the USB flash drives applicable to a switch.
Table 1-5 USB flash drives applicable to a switch
Capaci
ty
Vendor
Model
Remarks
4 GB
Netac
U208
You can buy Netac USB 4 GB flash drives

from Huawei or other vendors.
SanDisk
Cruzer Blade
Huawei does not offer this USB flash

drive, and you need to buy it from other
vendors.
HewlettPackard
v218G

vendors.
PNY
M1

vendors.
Netac
U208

vendors.
HewlettPackard
v225w

vendors.
8 GB
Issue 11 (2016-07-22)


Switches
Capaci
ty
Vendor
Model
Remarks
STEC
SLUFD8GU2T
UI

vendors.
Only one USB flash drive can be connected to a device.
In V200R005C00 and later versions, USB-based deployment using a smart_config.ini

index file is supported, and this deployment mode is supported in a stack. The USB flash
drive must be connected to the master switch of the stack. If it is connected to the
standby switch or a slave switch, the USB-based deployment process will not start.
USB-based deployment using the usbload_config.txt index file can only be performed
in a single switch, not a stack of multiple switches. In a stack of multiple switches, if the
USB flash drive is connected to the standby switch or a slave switch, the USB-based
deployment process will not start. If the USB flash drive is connected to the master
switch, the USB indicator blinks red fast, indicating that the USB-based deployment
fails. In this case, the switch records an error report including the following information:
The usbload_config.txt index file cannot be used for USB deployment of a multimember stack.
The S5710-X-LI, S5720SI, S5720S-SI, S6720EI, S6720S-EI, S5720EI and S5720HI

series switches support only the smart_config.ini format.
The S5700S-28X-LI-AC, S5700S-52X-LI-AC, and S5700S-28P-PWR-LI-AC in the

S5700S-LI series support only the smart_config.ini format.
Fields in an index file are restricted by the current system version. For example, if some
fields in the index file are not supported by the current system version, these fields are
invalid for an upgrade to a later version.
USB-based deployment is mutually exclusive with the SVF, web initial login mode and
EasyDeploy functions.
In USB-based deployment scenarios, the devices (S5720HI switches) may be upgraded

to V200R008C00 or a later version after restart. In this case, the devices check whether
the configuration file for next startup contains WLAN configuration that conflicts with
the software package for next startup. If so, the devices cannot restart and the USB-based
deployment fails. The error report file usbload_error.txt is generated in the root
directory of the USB flash drive, recording the failure causes. To solve this problem, you
need to use eDesk to convert the configuration file and then set it as the next startup
configuration file.
Precautions for USB-based deployment

l
Devices to be deployed are unconfigured devices and do not have security measures
configured. Therefore, when onsite non-professionals perform deployment task, ensure
that they do not perform any unauthorized operations on the devices, USB flash drive,
and deployment files.
Before saving files to a USB flash drive, disable the write-protection function of the
USB flash drive.
Do not use a partitioned USB flash drive to deploy the S5720EI, S5720HI, S5720SI,
S5720S-SI, S6720EI, or S6720S-EI switches. Otherwise, the switches may fail to find
the files saved on the USB flash drive, resulting in a failed USB-based deployment.
Issue 11 (2016-07-22)

10

Switches
Before using a USB flash drive to upgrade a device, ensure that the device can start
successfully and has sufficient space to store the required files.
Do not power off the device during a USB-based deployment process. Otherwise, the
upgrade fails or the device cannot start.
Do not remove the USB flash drive before the USB-based deployment process is
complete. Otherwise, data in the USB flash drive may be corrupted.
A smart_config.ini index file supports encryption and HMAC check for a configuration
file, whereas a usbload_config.txt index file does not. Therefore, if upgrade files include
a configuration file, you are advised to make a smart_config.ini index file, configure an
encryption password for the configuration file, and enable HMAC check to enhance
security.
The S5700LI supports two index file formats: smart_config.ini and usbload_config.txt.
If both types of index files are saved in a USB flash drive, the smart_config.ini file is
preferred. During USB-based deployment, it is not recommended to save the two types
of index files in the USB flash drive. When rolling back a device to V200R003 or earlier
using a USB flash drive, it is recommended to use the usbload_config.txt index file
because V200R003 and earlier versions do not support the smart_cfg.ini index file.
Issue 11 (2016-07-22)

11

Switches
2 Device Management
Device Management
About This Chapter

2.1 Information Center
2.2 NTP
2.3 Energy-Saving Management
2.4 PoE
2.5 iStack
2.6 SVF
Issue 11 (2016-07-22)

12

Switches
2 Device Management
2.1 Information Center

After configuring the information center on a switch, you can use any of the following
methods to view logs on the switch:
l
Run a command to view logs in the log buffer. Only the latest logs are saved in the log
buffer.
Run a command to view logs in the storage device.
Export logs to a log server and view logs on the server.
The first two methods do not require other network elements. To use the third method, you
need a server to save logs.
License Support
Information center is a basic feature of a switch and is not under license control.
Version Support
Table 2-1 Products and minimum version supporting information center
Series
Product Model
Minimum Version Required
S1700
S1720
V200R006 (The S1720 is unavailable

in V200R007 and V200R008
versions.)
S2700
S2700SI/S2700EI
V100R005 (The S2700SI and S2700EI

are unavailable in V200R001 and later
versions.)
S2710SI

unavailable in V200R001 and later
versions.)
S2720EI

unavailable in V200R007 and
V200R008 versions.)
S2750EI
V200R003
S3700SI/S3700EI

versions.)
S3700HI

versions.)
S5700LI/S5700S-LI
V200R001
S3700
S5700
Issue 11 (2016-07-22)

13

Switches
Series
S6700
2 Device Management
Product Model
S5710-C-LI
V200R001 (The S5710-C-LI is

versions.)
S5710-X-LI
V200R008
S5700SI/S5700EI

versions.)
S5720S-SI/S5720SI
V200R008
S5710EI

versions.)
S5700HI

versions.)
S5710HI

versions.)
S5720EI
V200R007
S5720HI
V200R006
S6700EI

versions.)
S6720EI
V200R008
S6720S-EI
V200R009

None
2.2 NTP
Other network elements are required to support NTP.
License Support
NTP is a basic feature of a switch and is not under license control.
Issue 11 (2016-07-22)

14

Switches
2 Device Management
Version Support
Table 2-2 Products and minimum version supporting NTP
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

S2700
S2700SI

S2700EI

S2710SI

S2720EI

S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S3700
S5700
Issue 11 (2016-07-22)

15

Switches
Series
S6700
2 Device Management
Product
Minimum Version
Required
S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

The existing configuration will not be deleted when the NTP service is disabled.
If the device does not support Real-Time Clock (RTC), it is recommended that you configure
NTP to ensure time accuracy in logs. For the NTP configuration procedure, see Switch
Configuration Guide - Device Management. The following models do not support RTC:
l
S5700-10P-LI-AC
S5700-10P-PWR-LI-AC
S5700-28P-LI-BAT
S5700-28P-LI-4AH
S5700-28P-LI-24S-BAT
S5700-28P-LI-24S-4AH
2.3 Energy-Saving Management

Issue 11 (2016-07-22)

16

Switches
2 Device Management
License Support
Energy-saving management is not under license control.
Version Support
Table 2-3 Products and minimum version supporting energy-saving management
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

S2700
S2700SI/S2700EI
V100R005 (The S2700SI

versions.)
S2710SI

S2720EI

S2750EI
V200R003
S3700SI/S3700EI
V100R005 (The S3700SI

versions.)
S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700EI/S5700SI
V100R005 (The S5700SI

versions.)
S5710EI

S3700
S5700
Issue 11 (2016-07-22)

17

Switches
Series
S6700
2 Device Management
Product
Minimum Version
Required
S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
During device sleeping configuration, if you run the speed { 10 | 100 } command on any
awakening port to set the port rate to 10 or 100 Mbit/s or run the loopback internal
command on any awakening port to configure the loopback detection mode, the device
cannot enter the sleeping state. To enable the device to enter the sleeping state, you need
to configure the awakening port on which the speed { 10 | 100 } or loopback internal
command has been configured as a non-awakening port or delete the speed { 10 | 100 }
or loopback internal command configuration from the awakening port.
When the interval between the sleeping start time and end time is less than 10 minutes,
the device will not enter the sleeping state.
2.4 PoE
Powered devices (PDs)
License Support
PoE is not under license control.
Issue 11 (2016-07-22)

18

Switches
2 Device Management
Version Support
Table 2-4 Products and minimum version supporting PoE
Series
Product
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700EI

S2700SI
Not supported
S2710SI

S2720EI
Not supported
S2750EI
V200R003
S3700SI/S3700EI
V100R005 (The S3700SI

versions.)
S3700HI
Not supported
S5700LI
V200R001
S5700S-LI
V200R008
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
Not supported
S5700EI/S5700SI
V100R005 (The S5700SI

versions.)
S5710EI

S5720EI
V200R007
S5700HI
Not supported
S5710HI

S3700
S5700
Issue 11 (2016-07-22)

19

Switches
Series
S6700
2 Device Management
Product
Minimum Version
Required
S5720HI
V200R006
S5720SI
V200R008
S5720S-SI
Not supported
S6700EI
Not supported
S6720EI
Not supported
S6720S-EI
Not supported

PoE Functions Provided by the Device
l
The device supports power supply capability negotiation using the Link Layer Discovery
Protocol (LLDP).
PoE power supply is independent of the system power supply. You can configure
maximum power, alarm threshold, and reserved PoE to the total power supply.
The device supports automatic, manual, and forcible power-on and power-off mode.
The device can detect PDs that are compliant with 802.3af or 802.3at and provides
power for these PDs.
The device can be configured with the power-off time range to facilitate PD
management.
The device can be equipped with more than one PoE power supply. You can install
corresponding PoE power supplies according to the total power consumption of PDs to
ensure stability of the PoE system.
If a switch supports PoE, its PoE feature is not affected after it joins a stack.
The PoE models of the S5700LI, S5700S-LI, S2750EI, S5710EI, S5720EI, S5720SI,
S5720HI and S5710HI series can still power the attached PDs when they are reboot
using the reboot command. After rebooting, a PD will be powered off and then on when
all the following conditions are met:
a.
The PD can be powered on successfully.
b.
Forcible power supply has been enabled on the port connected to the PD or any of
the other three ports that share the same PSE chip with this port, but the forcible
power supply configuration has not been saved before the reboot.
If the system power is sufficient but PDs cannot be powered on, try to use the poe forcepower command to forcibly power on the PDs connected to interfaces.
PoE Power Supply Configuration

The downlink electrical interfaces of PoE switches provide PoE power. Each interface
provides a maximum of 30 W power (except that a MultiGE interface provides a maximum of
90 W power) and supports a maximum of 100 m power supply distance. The PoE switch can
transmit both current and data on a pair of signal cables.
Among S2700EI, S2710SI, S3700EI and S3700SI series switches, S2700-9TP-PWR-EI,
S2700-26TP-PWR-EI, S2700-52P-PWR-EI, S2710-52P-PWR-SI, S3700-28TP-PWR-EI,
Issue 11 (2016-07-22)

20

Switches
2 Device Management
S3700-28TP-PWR-SI, S3700-52P-PWR-EI, and S3700-52P-PWR-SI support the PoE

function.
Among these switches, S2700-9TP-PWR-EI has a built-in 180 W PoE power supply unit, and
provides 123.2 W PoE power. The S2700-26TP-PWR-EI, S2700-52P-PWR-EI, S2710-52PPWR-SI, S3700-28TP-PWR-EI, S3700-28TP-PWR-SI, S3700-52P-PWR-EI, and S3700-52PPWR-SI all have two power slots, each of which provides 500 W or 250 W PoE power. The
power supply configurations are shown in the following table.
Power Supply
250 W
PoE Power
Device
Maximum
Number of
Interfaces
123.2 W
S2700-52PPWR-EI
l 802.3af (15
W per port):
8
S2710-52PPWR-SI
S3700-28TPPWR-EI
l 802.3at (30
W per port):
4
S3700-28TPPWR-SI
S3700-52PPWR-EI
S3700-52PPWR-SI
500 W
369.6 W
S2700-52PPWR-EI
S2710-52PPWR-SI
S3700-28TPPWR-EI
l 802.3af (15
W per port):
24
l 802.3at (30
W per port):
12
S3700-28TPPWR-SI
S3700-52PPWR-EI
S3700-52PPWR-SI
Issue 11 (2016-07-22)

21

Switches
Power Supply
250 W
250 W
2 Device Management
PoE Power
Device
Maximum
Number of
Interfaces
246.4 W
S2700-52PPWR-EI
l 802.3af (15
W per port):
16
S2710-52PPWR-SI
S3700-28TPPWR-EI
l 802.3at (30
W per port):
8
S3700-28TPPWR-SI
S3700-52PPWR-EI
S3700-52PPWR-SI
500 W
500 W
739.2 W
S3700-28TPPWR-EI
S3700-28TPPWR-SI
S2700-52PPWR-EI
S2710-52PPWR-SI
S3700-52PPWR-EI
l 802.3af (15
W per port):
24
l 802.3at (30
W per port):
24
l 802.3af (15
W per port):
48
l 802.3at (30
W per port):
24
S3700-52PPWR-SI
The following S5700EI, S5700SI, S5710EI and S5710HI switches support the PoE function
and the power supply configurations are shown in the following table.
Issue 11 (2016-07-22)

22

Switches
2 Device Management
Power Supply
PoE Power
Device
Maximum
Number of
Interfaces
250 W
123.2 W
S5700-48TP-PWRSI
l 802.3af (15.4 W
per port): 8
S5700-52C-PWR-EI
l 802.3at (30 W per

port): 4
S5700-28C-PWR-EI
S5700-24TP-PWRSI
S5700-28C-PWR-SI
S5700-52C-PWR-SI
500 W
369.6 W
S5700-48TP-PWRSI
l 802.3af (15.4 W
per port): 24
S5700-52C-PWR-EI
l 802.3at (30 W per

port): 12
S5700-28C-PWR-EI
S5700-24TP-PWRSI
S5700-28C-PWR-SI
S5700-52C-PWR-SI
250 W
250 W
246.4 W
S5700-48TP-PWRSI
l 802.3af (15.4 W
per port): 16
S5700-52C-PWR-EI
l 802.3at (30 W per

port): 8
S5700-28C-PWR-EI
S5700-24TP-PWRSI
S5700-28C-PWR-SI
S5700-52C-PWR-SI
500 W
500 W
739.2 W
S5700-48TP-PWRSI
l 802.3af (15.4 W
per port): 48
S5700-52C-PWR-EI
l 802.3at (30 W per

port): 24
S5700-52C-PWR-SI
S5700-28C-PWR-EI
l 802.3af (15.4 W
per port): 24
l 802.3at (30 W per
port): 24
369.6 W
Issue 11 (2016-07-22)
S5700-24TP-PWRSI
l 802.3af (15.4 W
per port): 24
S5700-28C-PWR-SI
l 802.3at (30 W per

port): 12

23

Switches
2 Device Management
Power Supply
PoE Power
Device
Maximum
Number of
Interfaces
580 W
369.6 W
S5710-28C-PWREI-AC
l 802.3af (15.4 W
per port): 24
S5710-52C-PWR-EI
l 802.3at (30 W per

port): 12
S5710-52C-PWREI-AC
580 W
580 W
739.2 W
S5710-52C-PWR-EI
S5710-52C-PWREI-AC
S5710-28C-PWREI-AC
l 802.3af (15.4 W
per port): 48
l 802.3at (30 W per
port): 24
l 802.3af (15.4 W
per port): 24
l 802.3at (30 W per
port): 24
1150 W
785.4 W
S5710-52C-PWR-EI
S5710-108C-PWRHI
1150 W
1150 W
1570.8 W
S5710-52C-PWR-EI
S5710-108C-PWRHI
l 802.3af (15.4 W
per port): 48
l 802.3at (30 W per
port): 26
l 802.3af (15.4 W
per port): 48
l 802.3at (30 W per
port): 48
The S5700LI series provides built-in PoE power supplies. The S5700LI series includes
S5700-10P-PWR-LI-AC, S5700-28P-PWR-LI-AC, S5700-28TP-PWR-LI-AC, S5701-28TPPWR-LI-AC, S5700-52P-PWR-LI-AC, S5700-28X-PWR-LI-AC and S5700-52X-PWR-LIAC.
The S5700-10P-PWR-LI-AC has an internal power module and cannot connect to the RPS.
The internal power module provides 123.2 W PoE power. The switch supports a maximum of
eight ports in compliance with 802.3af or a maximum of four ports in compliance with
802.3at.
The S5700-28P-PWR-LI-AC, S5700-28TP-PWR-LI-AC, S5701-28TP-PWR-LI-AC,
S5700-52P-PWR-LI-AC, S5700-28X-PWR-LI-AC and S5700-52X-PWR-LI-AC can connect
to the RPS1800. The power supply configurations are shown in the following table.
Issue 11 (2016-07-22)

24

Switches
2 Device Management
Power
Supply
PoE Power
Device
Maximum Number of
Interfaces
No
connection
with the RPS
369.6 W
S5700-28P-PWR-LI-AC
l 802.3af (15.4 W per

port): 24
S5700-28TP-PWR-LIAC
S5700-52P-PWR-LI-AC
l 802.3at (30 W per

port): 12
S5700-28X-PWR-LI-AC
S5700-52X-PWR-LI-AC
184.8 W
S5701-28TP-PWR-LIAC
l 802.3af (15.4 W per

port): 12
l 802.3at (30 W per
port): 6
Connection
with the RPS
800 W
S5700-28P-PWR-LI-AC
S5700-28TP-PWR-LIAC
S5700-28X-PWR-LI-AC
S5700-52P-PWR-LI-AC
S5700-52X-PWR-LI-AC
l 802.3af (15.4 W per

port): 24
l 802.3at (30 W per
port): 24
l 802.3af (15.4 W per
port): 48
l 802.3at (30 W per
port): 26
184.8 W
S5701-28TP-PWR-LIAC
l 802.3af (15.4 W per

port): 12
l 802.3at (30 W per
port): 6
In the S2750 series, the S2750-28TP-PWR-EI-AC, S2750-20TP-PWR-EI-AC and

S2751-28TP-PWR-EI-AC are PoE models. All the three models use internal AC power
modules. The internal power modules of the S2750-28TP-PWR-EI-AC and S2750-20TPPWR-EI-AC provide 369.6 W of PoE power, sufficient for full PoE power supply (IEEE
802.3af) on 24 and 16 ports respectively or full PoE+ power supply (IEEE 802.3at) on 12
ports. The internal power modules of the S2751-28TP-PWR-EI-AC provide 123.2 W of PoE
power, sufficient for full PoE power supply on 8 ports and full PoE+ power supply on 4 ports.
In the S5720HI and S5720EI series, S5720-56C-PWR-HI-AC, S5720-56C-PWR-HI-AC1,
S5720-36C-PWR-EI-AC, S5720-56C-PWR-EI-AC and S5720-56C-PWR-EI-AC1 support
pluggable PoE power modules. S5720-56C-PWR-HI-AC and S5720-56C-PWR-EI-AC1
support only 1150 W PoE power modules. S5720-56C-PWR-HI-AC1 supports only 580 W
PoE power modules. You can install AC and DC power modules to the same S5720-36CPWR-EI-AC or S5720-56C-PWR-EI-AC switch. The following table shows the mappings
between power modules and device models.
Issue 11 (2016-07-22)

25

Switches
2 Device Management
Power
Supply 1
Power
Supply 2
PoE Power
Device
Maximum
Number of Ports
(Full PoE Power)
1150 W
(220 V)
785.4 W
S5720-56C-PWRHI-AC
l 802.3af (15.4 W
per port): 48
l 802.3at (30 W per
port): 26
1150 W
(220 V)
1150 W
(220 V)
1440 W
S5720-56C-PWRHI-AC
l 802.3af (15.4 W
per port): 48
l 802.3at (30 W per
port): 48
1150 W
(110 V)
446.6 W
S5720-56C-PWRHI-AC
l 802.3af (15.4 W
per port): 29
l 802.3at (30 W per
port): 14
1150 W
(110 V)
1150 W
(110 V)
893.2 W
S5720-56C-PWRHI-AC
l 802.3af (15.4 W
per port): 48
l 802.3at (30 W per
port): 29
580 W
369.6 W
S5720-56C-PWRHI-AC1
l 802.3af(15.4 W
per port): 24
l 802.3at(30 W per
port): 12
580 W
580 W
739.2 W
S5720-56C-PWRHI-AC1
l 802.3af(15.4 W
per port): 48
l 802.3at(30 W per
port): 24
500 W or
650 W
500 W or
650 W
500 W or
650 W
369.6 W
739.2 W
S5720-36C-PWREI-AC
l 802.3af (15.4 W
per port): 24
S5720-56C-PWREI-AC
l 802.3at (30 W per

port): 12
S5720-36C-PWREI-AC
l 802.3af (15.4 W
per port): 28
l 802.3at (30 W per
port): 24
S5720-56C-PWREI-AC
l 802.3af (15.4 W
per port): 48
l 802.3at (30 W per
port): 24
Issue 11 (2016-07-22)

26

Switches
2 Device Management
Power
Supply 1
Power
Supply 2
PoE Power
Device
Maximum
Number of Ports
(Full PoE Power)
1150 W
(220 V)
785.4 W
S5720-56C-PWREI-AC1
l 802.3af (15.4 W
per port): 48
l 802.3at (30 W per
port): 26
1150 W
(220 V)
1150 W
(220 V)
1440 W
S5720-56C-PWREI-AC1
l 802.3af (15.4 W
per port): 48
l 802.3at (30 W per
port): 48
1150 W
(110 V)
446.6 W
S5720-56C-PWREI-AC1
l 802.3af (15.4 W
per port): 29
l 802.3at (30 W per
port): 14
1150 W
(110 V)
1150 W
(110 V)
893.2 W
S5720-56C-PWREI-AC1
l 802.3af (15.4 W
per port): 48
l 802.3at (30 W per
port): 29
In the S5720SI series, S5720-28X-PWR-SI-AC, S5720-52X-PWR-SI-AC, and S5720-52XPWR-SI-ACF support the PoE function. The following table shows the mappings between
power modules and device models.
Power
Supply 1
Power
Supply 2
PoE Power
Device
Maximum
Number of Ports
(Full PoE Power)
500 W or
650 W
369.6 W
l S5720-28XPWR-SI-AC
l 802.3af (15.4 W
per port): 24
l S5720-52XPWR-SI-AC
l 802.3at (30 W per

port): 12
S5720-28X-PWRSI-AC
l 802.3af (15.4 W
per port): 24
500 W or
650 W
500 W or
650 W
739.2 W
l 802.3at (30 W per

port): 24
S5720-52X-PWRSI-AC
l 802.3af (15.4 W
per port): 48
l 802.3at (30 W per
port): 24
Issue 11 (2016-07-22)

27

Switches
2 Device Management
Power
Supply 1
Power
Supply 2
PoE Power
Device
Maximum
Number of Ports
(Full PoE Power)
1150 W
(220 V)
785.4 W
S5720-52X-PWRSI-ACF
l 802.3af (15.4 W
per port): 48
l 802.3at (30 W per
port): 26
1150 W
(220 V)
1150 W
(220 V)
1440W
S5720-52X-PWRSI-ACF
l 802.3af (15.4 W
per port): 48
l 802.3at (30 W per
port): 48
1150 W
(110 V)
446.6W
S5720-52X-PWRSI-ACF
l 802.3af (15.4 W
per port): 29
l 802.3at (30 W per
port): 14
1150 W
(110 V)
1150 W
(110 V)
893.2W
S5720-52X-PWRSI-ACF
l 802.3af (15.4 W
per port): 48
l 802.3at (30 W per
port): 29
The S5720-14X-PWH-SI-AC has a built-in PoE power module and cannot connect to the
RPS1800. The following table shows the mappings between power modules and device
models.
Issue 11 (2016-07-22)

28

Switches
2 Device Management
Table 2-5 Power supply configurations

PoE Power
Device
Maximum Number of Ports

(Full PoE Power)
369.6W
S5720-14X-PWH-SI-AC
l 802.3af (15.4 W per port): 12

l 802.3at (30 W per port): 12
l Non-standard (90 W per port):
4 (only PoE++ ports)
NOTE
A PoE++ port is a non-standard
port and can only provide 90 W
power for the attached PD.
Currently, PoE++ ports can
provide power to the following
PDs:
l AP: AP7050DN-E (with
2.5G uplink interfaces)
running V200R007C00
l Pico: BTS3911B running
V100R010C10SPC092T
If the device power is sufficient,
GE and MultiGE ports can
provide power for different
attach PDs simultaneously.
The S5700S-LI series has only one PoE model: S5700S-28P-PWR-LI-AC, which has a builtin PoE power module. The built-in PoE power module can provide PoE power and connect to
an RPS1800 for power supply. Table 2-6 lists the power supply configurations.
Table 2-6 Power supply configurations
Power Supply
PoE Power
Maximum Number of Ports (Full

PoE Power)
No connection with
the RPS
369.6 W
l 802.3af (15.4 W per port): 24
Connection with the

RPS
800 W
l 802.3at (30 W per port): 12

l 802.3af (15.4 W per port): 24
l 802.3at (30 W per port): 24
NOTE
When two power supplies are used, they work in redundancy mode to provide power for the device and
in load balancing mode to provide power for PDs.
2.5 iStack
Issue 11 (2016-07-22)

29

Switches
2 Device Management

License Support
Stacking is not under license control.
Version Support
Table 2-7 Products and minimum version supporting stacking
Series
Product
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700EI

S2700SI
Not supported
S2710SI

S2720EI

S2750EI
V200R003
S3700SI/S3700EI
V100R005 (The S3700SI

versions.)
S3700HI
Not supported
S5700LI
V200R001
S5700S-LI
V200R008
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700EI/S5700SI
V100R005 (The S5700SI

versions.)
S3700
S5700
Issue 11 (2016-07-22)

30

Switches
Series
S6700
2 Device Management
Product
Minimum Version
Required
S5710EI

S5720EI
V200R007
S5700HI

S5720SI/S5720S-SI
V200R008
S5710HI
Not supported
S5720HI
V200R009
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

MAD Limitations:
l
You can configure a maximum of eight direct detection links for each member switch in
a stack
You can configure the relay mode on a maximum of four Eth-Trunks in a stack
In V200R008C00 and earlier versions, you can configure a maximum of 64 Eth-Trunks

on a relay agent to provide the relay function for multiple stacks. This restriction does
not apply to versions later than V200R008C00.
After multiple switches form a stack, the following features cannot be configured in the stack:
l
Y.1731
N:1 VLAN mapping
IPv6 over IPv4 tunnel
Inter-device link aggregation (E-Trunk)
When you establish a stack on the switches that support both stack card connection and
service port connection, such as S5720-C-EI, note the following:
l
All member switches must use the same stack connection mode.
When a member switch has stack cards installed and the service port stack configuration,
the switch uses the service port connection mode to establish a stack. It does not use the
stack card connection mode even though a stack fails to be established in service port
connection mode and stack cards are connected correctly.
Issue 11 (2016-07-22)

31

Switches
2 Device Management
A switch uses the stack card connection mode to establish a stack only when it has no
service port stack configuration.
If a switch is currently using the stack card connection mode, perform the service port
stack configuration on the switch before changing the stack connection mode to service
port connection. After the service port stack configuration is complete, the switch uses
the service port connection mode when restarting.
If a switch using the stack card connection mode has service port configuration, a
smooth upgrade cannot be performed on the switch.
If a switch is currently using the service port connection mode, correctly connect stack
cards and stack cables and clear the existing service port stack configuration before
changing the stack connection mode to stack card connection. You can use the reset
stack-port configuration command to clear the existing service port stack
configuration.
When changing service port connection to stack card connection, you are advised to
remove the cables connected to service ports to prevent loops.
When multiple switches set up a stack, member switches will synchronize the running version
of the master switch. If a member switch does not support this running version, it will restart
repeatedly.
In V200R009C00, if MPLS-incapable S5720EIs exist in a stack, this stack cannot have MPLS
enabled. If member devices in a stack are running MPLS services, adding MPLS-incapable
S5720EIs to the stack is not allowed.
An S5720HI supports the stacking function since V200R009C00. When a member device in a
stack is faulty and fails to restart for three consecutive times, the device attempts to roll back
to a version earlier than V200R009C00 for restart. When the device restarts successfully after
rolling back to a version earlier than V200R009C00, a multi-active situation may occur
because the version earlier than V200R009C00 does not support the stacking function. To
prevent this situation, you are advised to delete the system software earlier than
V200R009C00 from member devices when using S5720HIs to set up a stack.
2.6 SVF
SVF networking involves the following components:
l
Parent
AS
AP
License Support
The SVF function on a parent requires a license. The license controls only the SVF function
but not the SVF service specifications and only needs to be loaded on the parent.
Issue 11 (2016-07-22)

32

Switches
2 Device Management
Version Support
Table 2-8 Products and minimum version supporting SVF
Series
Product
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI/S2700EI
Not supported
S2710SI
Not supported
S2720EI
V200R009
S2750EI
V200R007
S3700SI/S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
V200R007
S5710-C-LI
Not supported
S5710-X-LI
V200R008
S5700EI/S5700SI
Not supported
S5710EI
Not supported
S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI
Not supported
S5710HI
Not supported
S5720HI
V200R007
S6700EI
Not supported
S6720EI/S6720S-EI
V200R009
S7712/S7706
(The main control unit is not
SRUH.)
V200R007
S7712/S7706
(The main control unit is
SRUH.)
V200R008
S7703
V200R007
S9700
S9712/S9706/S9703
V200R007
S12700
S12704
V200R008
S12708/S12712
V200R007
S3700
S5700
S6700
S7700
Issue 11 (2016-07-22)

33

Switches
2 Device Management
Series
Product
Minimum Version
Required
E600
E600
V200R008

When configuring SVF, pay attention to the following points:
l
The SVF function is mutually exclusive with the web initial login mode, EasyDeploy,
and USB-based deployment functions.
The system automatically enables the STP and LLDP functions globally on the parent.
Pay attention to the following points when using the STP and LLDP functions in an SVF
system:
The STP and LLDP functions cannot be disabled globally but can be disabled on
interfaces.
The LLDP function cannot be disabled on member ports of a fabric port, ports
connected to APs, and AP uplink ports. Otherwise, SVF topology information
becomes inaccurate.
After the SVF function is enabled, the parent changes STP to Rapid Spanning Tree
Protocol (RSTP) and sets the priority of instance 0 to 28672 using the stp instance 0
priority 28672 command. After the SVF function is disabled, the priority of instance 0
restores to the default value. When the SVF function is enabled or disabled, STP
recalculates the port roles and changes the interface status. Subsequently, traffic on the
interface is interrupted temporarily.
The multi-active detection (MAD) relay function is automatically enabled on the EthTrunk to which a downlink fabric port is bound, and the MAD function is automatically
enabled on the Eth-Trunk to which an uplink fabric port is bound to perform MAD in an
AS that is a stack. When the standby switch in an AS is removed, MAD cannot be
performed because the standby switch restarts automatically without saving the
configuration.
To prevent the SVF function from being affected, do not modify the configuration
automatically generated in an SVF system using MIB operations, including the
configuration of STP, LLDP, and Eth-Trunk to which a fabric port is bound.
If an AP has connected to the parent before the SVF function is enabled, the parent
cannot collect topology information about the AP after the uni-mng command is used to
enable the SVF function. You need to run the commit { all | ap ap-id } command in the
WLAN view to commit the AP configuration. Subsequently, the parent can collect
topology information about the AP.
When GE or XGE optical interfaces are used to connect a level-1 AS to the parent and
connect a level-2 AS to a level-1 AS, the interfaces must use GE optical modules but not
XGE optical modules.
On the parent, there may be a delay in displaying the output of some commands (such as
patch delete all and patch load filename all [ active | run ]) executed on the ASs.
In an SVF system, the maximum frame length allowed by interfaces cannot be

configured on an AS. Therefore, the maximum frame length is the default value 9216
(including the CRC field).
Issue 11 (2016-07-22)

34

Switches
2 Device Management
After an AS goes online, a static ARP entry in which the IP address is the management
address of the parent is generated on the AS. Deleting the static ARP entry is not
allowed. Otherwise, the AS may be forcibly removed from the SVF system.
Internal attacks in the management VLAN will cause an AS to go offline. You need to
identify the attack source and then shut down the attacked port or remove the port from
the management VLAN.
After an AS goes offline, all downlink ports of the AS are shut down.
When an AS connects to APs, all member ports of the Eth-Trunk bound to the fabric port
that connects the parent to the AS must be ports on X1E cards or ports on non-X1E
cards. Otherwise, APs cannot go online.
Configured CAPWAP tunnel parameters apply to the SVF system. To ensure that the
CAPWAP tunnel of the SVF system works normally, you are advised to retain the
default CAPWAP tunnel parameters. For details on how to configure CAPWAP tunnel
parameters, see Configuring CAPWAP Tunnel Parameters.
When an AS is an S5700-10P-LI, S2720EI or S2750EI and Layer 3 hardware forwarding

for IPv4 packets has been enabled using the assign forward-mode ipv4-hardware
command in the system view before the AS joins an SVF system,
The AS cannot negotiate to join the SVF system if the AS directly connects to the
parent.
The management VLAN cannot be configured if the AS connects to the parent

across a network.
To solve these problems, start the AS in standalone mode and run the undo assign
forward-mode command in the system view to disable Layer 3 hardware forwarding for
IPv4 packets.
l
In an SVF system running V200R008C00 and earlier versions, you can run the
authentication free-rule command to control the network access right of NAC users
before they pass authentication. UCL-based group authorization is not supported for
NAC users.
In an SVF system running V200R009C00 and later versions, you can run the free-rule
command to control the network access right of NAC users before they pass
authentication. UCL-based group authorization is not supported for NAC users.
SVF does not support the built-in Portal server.
If the AS is a stack set up using service ports, you need to configure the stack function
on the AS and then connect the AS to the SVF system. This requirement does not apply
to the AS that is a stack set up using stack cards.
From V200R009C00, an AS can a stack of the same device series but different device
models. If an AS is a stack, you can run the slot command to modify the preconfigured
device type.
Some commands such as STP and LLDP commands are shielded on the parent, and
configuration commands are shielded on member ports of fabric ports. However, these
commands can still be executed through MIBs. Do not execute these commands through
MIBs.
When an AS connects to the parent across a Layer 2 network, pay attention to the following
points:
l
Automatic AS discovery is not supported, and fabric ports of the parent and AS need to
be manually configured.
The indirectly-connected fabric port of the parent and configured uplink fabric port of
the AS do not support connection error check. The administrator needs to ensure the
Issue 11 (2016-07-22)

35

Switches
2 Device Management
connection correctness of the Eth-Trunk, and the AS can only connect to third-party
network devices through Eth-Trunks in manual load balancing mode.
l
The administrator needs to ensure that the downlink fabric port of the parent and the
intermediate Layer 2 network are correctly configured, the SVF management VLAN and
service VLAN between the parent and AS are correctly connected, and the intermediate
network transparently transmits data traffic between the parent and AS. Therefore, the
intermediate network must be a pure Layer 2 network.
The AS does not support the MAD function because this function requires that thirdparty devices support the MAD relay function.
In centralized forwarding mode, traffic from the network segment where the AS resides
may be forwarded by the intermediate network but not the parent.
After the AS is configured to work in client mode, the AS can only be manually
configured to return to the standalone mode and must be restarted. If the AS is a stack,
new stack member devices will be automatically configured to work in client mode after
the AS is configured to work in client mode.
The S6720EI or S6720S-EI can function as the parent or AS. The device works in AS
mode by default. To change the device working mode, run the as-mode disable
command.
Parent/AS Specifications
Issue 11 (2016-07-22)

36

Switches
2 Device Management
Table 2-9 Parent/AS specifications

Devic
e
Role
Device
Model
Softw
are
Versi
on
Ma
xim
um
Nu
mb
er
of
AS
s
Ma
xim
um
Nu
mb
er
of
AP
s
Parent
S12708/
S12712
V200R
007C0
0 and
later
versio
ns
(The
SVF
functio
n is
not
suppor
ted in
V200R
007C1
0.)
V20
0R0
07C
00
and
V20
0R0
08C
00:
64
l V l V l The parent can be a standalone

e
device or a stack.
e
r l The parent can be a standalone
r
s
s
device or a cluster switch system
i
i
(CSS) of two devices. The
o
o
S9703 and S7703 do not support
n
n
the CSS function.
s
s
p l In an SVF system, ASs and APs
p
share the CAPWAP link
r
r
specifications. That is, the
i
i
maximum number of ASs and
o
o
APs cannot exceed the
r
r
maximum number of CAPWAP
t
t
links. For example, when an
o
o
S7703 functions as the parent in
V
V
an SVF system and 32 ASs have
2
2
connected to the SVF system, a
0
0
maximum of 480 (512-32) APs
0
0
can connect to the SVF system.
R
R
0
0
0
0
9
9
:
:
4
4
0
0
9
9
6
6
V20
0R0
09C
00
and
later
vers
ions
:
256
Ma
xim
um
Nu
mb
er
of
CA
PW
AP
Lin
ks
Description
l V l V
2
2
0
0
0
0
R
R
0
0
0
0
9
9
a
a
Issue 11 (2016-07-22)

37

Switches
Devic
e
Role
Issue 11 (2016-07-22)
Device
Model
Softw
are
Versi
on
2 Device Management
Ma
xim
um
Nu
mb
er
of
AS
s
Ma
xim
um
Nu
mb
er
of
AP
s
Ma
xim
um
Nu
mb
er
of
CA
PW
AP
Lin
ks
n
d
l
a
t
e
r
v
e
r
s
i
o
n
s
:
6
1
4
4
n
d
l
a
t
e
r
v
e
r
s
i
o
n
s
:
6
1
4
4
S9712/
S9706
64
204
8
204
8
S9703
32
512
512
S7712/
S7706
(The main
control unit
is not
SRUH.)
64
102
4
102
4
S7703
32
512
512
S5720HI
32
102
4
102
4
Description

38

Switches
Devic
e
Role
2 Device Management
Device
Model
Softw
are
Versi
on
Ma
xim
um
Nu
mb
er
of
AS
s
Ma
xim
um
Nu
mb
er
of
AP
s
Ma
xim
um
Nu
mb
er
of
CA
PW
AP
Lin
ks
S7712/
S7706
(The main
control unit
is SRUH.)
V200R
008C0
0 and
later
versio
ns
V20
0R0
08C
00:
64
204
8
204
8
409
6
409
6
32
S12704
Description
V20
0R0
09C
00
and
later
vers
ions
:
256
V20
0R0
08C
00:
64
V20
0R0
09C
00
and
later
vers
ions
:
256
S6720EI/
S6720S-EI
Issue 11 (2016-07-22)
V200R
009C0
0 and
later
versio
ns
32

39

Switches
2 Device Management
Devic
e
Role
Device
Model
Softw
are
Versi
on
Ma
xim
um
Nu
mb
er
of
AS
s
Ma
xim
um
Nu
mb
er
of
AP
s
Ma
xim
um
Nu
mb
er
of
CA
PW
AP
Lin
ks
Description
AS
l S2750E
I
V200R
007C0
0 and
later
versio
ns
V200R
008C0
0 and
later
versio
ns
l ASs or APs connecting to an

SVF system can be different
models. ASs must use the same
system software version as the
parent. Otherwise, the parent
cannot deliver service
configurations to ASs. The
system software versions of APs
must match that of the parent.
l An AS can be a standalone
device or an iStack system (a
stack for short) of multiple
devices. In V200R008C00 and
earlier versions, each AS can be
a stack of up to three member
devices that are the same model
and provide the same number of
ports. From V200R009C00,
each AS can be a stack of up to
five member devices that are the
same model and provide the
same number or different
numbers of ports. For example,
S5700-28P-LI-ACs can set up a
stack, and S5700-28P-LI-AC as
well as S5700-52P-LI-AC can
also set up a stack.
l An AS cannot connect to a
parent if the following
conditions are met:
The parent runs
V200R009C00 or later.
The AS is a stack running
V200R007C00 or
V200R008C00 and has a
member switch with a stack
ID larger than 2.
l S5700L
I
l S5700S
-LI
l S5720E
I
l S5720S
I
l S5720S
-SI
l S5710X-LI
l E600
Issue 11 (2016-07-22)

40

Switches
Devic
e
Role
2 Device Management
Device
Model
Softw
are
Versi
on
Ma
xim
um
Nu
mb
er
of
AS
s
Ma
xim
um
Nu
mb
er
of
AP
s
Ma
xim
um
Nu
mb
er
of
CA
PW
AP
Lin
ks
l S2720E
I
V200R
009C0
0 and
later
versio
ns
l S6720E
I
l S6720S
-EI
Description
To connect the AS to the parent,

remove the member switch with
a stack ID larger than 2 from the
stack, upgrade the stack to
V200R009C00 or later, and then
connect the removed member
switch to the stack. This member
switch will synchronize with the
master switch's configuration
file and system software.
Subsequently, the AS can
connect to the parent.
l In V200R008 and earlier
versions, an AS can only
connect to the upstream parent
or AS using fixed uplink ports or
ports on an extension card. Since
V200R009, downlink service
ports of an AS can also be
connected to the upstream parent
or AS after you configure them
as member ports of an upstream
fabric port using the uni-mng
up-direction fabric-port
interface interface-type
interface-number [ to interfacenumber ].
l Stack member switches
connected using downlink
service ports cannot join an SVF
system as ASs.
l Downlink service ports of an AS
cannot be configured as member
ports of upstream and
downstream fabric ports
simultaneously. If this
configuration is performed, the
AS will be unable to go online
Issue 11 (2016-07-22)

41

Switches
Devic
e
Role
Device
Model
Softw
are
Versi
on
2 Device Management
Ma
xim
um
Nu
mb
er
of
AS
s
Ma
xim
um
Nu
mb
er
of
AP
s
Ma
xim
um
Nu
mb
er
of
CA
PW
AP
Lin
ks
Description
after a reboot. If the reset slot

command is executed in the slot
of the AS, the AS will reset
repeatedly.
l AS ports provided by an
extended card can only be used
to connect to the parent or
level-1 AS or set up a stack and
cannot be used as downlink
service ports or downlink
connected to other ASs.
l From V200R009C00, AS uplink
ports can be used to connect to
the parent or leve-1 AS or set up
a stack and be configured as
downlink fabric ports to connect
to other ASs.
NOTE
On the S6720EI and S6720S-EI,
40GE ports and 10GE ports split
from 40GE ports cannot be
configured as downlink fabric
ports.
l Each level-1 AS can connect to a

maximum of 16 level-2 ASs.
Issue 11 (2016-07-22)

42

Switches
Devic
e
Role
Device
Model
Softw
are
Versi
on
2 Device Management
Ma
xim
um
Nu
mb
er
of
AS
s
Ma
xim
um
Nu
mb
er
of
AP
s
Ma
xim
um
Nu
mb
er
of
CA
PW
AP
Lin
ks
Description
NOTE
If APs need to connect to an SVF system with an S12700, S9700, or S7700 functioning as the parent,
X1E cards must be configured on the parent.
If DTLS encryption is configured for packets transmitted in a CAPWAP tunnel, recommendations on
the maximum number of ASs and APs supported on the parent are as follows:
l S12704/S12708/S12712: The maximum numbers of ASs and APs do not exceed 32 and 96
respectively.
l S9712/S9706/S7712/S7706/S9703/S7703/S5720HI: The maximum numbers of ASs and APs do not
exceed 16 and 48 respectively.
l S6720EI/S6720S-EI:The maximum numbers of ASs do not exceed 16.
l The preceding AS or AP specifications apply to scenarios where all ASs or APs go online. If both
ASs and APs go online, it is recommended that the value of AS*3+AP do not exceed the maximum
number of APs.
l When the number of ASs or APs exceeds the maximum value, a high CPU usage may occur,
affecting existing services.
If more ASs&APs are deployed, more terminals can connect to the campus network, requiring
more CPU and memory resources of the parent. Table 2-10 lists the recommended maximum
numbers of ASs&APs and access terminals in an SVF system depending on CPU and
memory capabilities of the parent.
Table 2-10 Recommended maximum numbers of ASs&APs and access terminals
Issue 11 (2016-07-22)
Model of the
Parent
Recommende
d Maximum
Number of
ASs
Recommende
d Maximum
Number of
Wired
Terminals
Recommende
d Maximum
Number of
APs
Recommende
d Maximum
Number of
Wireless
Terminals
S12712/
S12708/S12704
64
3000 to 5000
1000
3000 to 5000
S9712/S9706
48
2000 to 3000
800
2000 to 3000
S7712/S7706
32
Smaller than
2000
300
Smaller than
1000
S5720HI
32
1000 to 2000
600
1000 to 2000

43

Switches
2 Device Management
Model of the
Parent
Recommende
d Maximum
Number of
ASs
Recommende
d Maximum
Number of
Wired
Terminals
Recommende
d Maximum
Number of
APs
Recommende
d Maximum
Number of
Wireless
Terminals
S6720EI/
S6720S-EI
32
1000 to 2000
S9703/S7703
200
AS Group/Port Group Specifications

Table 2-11 AS group/port group specifications
Group
Type
Maximum
Number of
Groups
Bound Service Profile

Type
Description
AS group
16
AS administrator profile
l An AS can be added to
only one AS group.
l An AS port group can
be bound to only one
AS administrator
profile.
AS port
group
256
l Network basic profile

l Network enhanced
profile
l User access profile
l A port can be added to

only one port group (an
AS port group or AP
port group).
l V200R007C00 and
V200R008C00: All
ports of an AS can be
assigned to a maximum
of 6 AS port groups in
total.
V200R009C00 and
later versions: All ports
of an AS can be
assigned to a maximum
of 32 AS port groups
in total.
l An AS port group can
be bound to a network
basic profile, network
enhanced profile, and
user access profile.
Issue 11 (2016-07-22)

44

Switches
2 Device Management
Group
Type
Maximum
Number of
Groups
Bound Service Profile

Type
Description
AP port
group
Network basic profile
l An AP port group can

be bound to only one
network basic profile.
Service Profile Specifications

Table 2-12 Service profile specifications
Service Profile Type
Maximum Number of Service

Profiles
AS administrator profile
16
Network basic profile
256
Network enhanced profile
16
User access profile
16
Device Models in a Stack of an AS

Table 2-13 Device models in a stack of an AS
Issue 11 (2016-07-22)
Series
Device Models
S2750EI
All device models of this series
S5700-P-LI
S5700-28P-LI-AC, S5700-28P-LI-DC,
S5700-52P-LI-AC, S5700-52P-LI-DC,
S5700-28P-PWR-LI-AC, S5700-52PPWR-LI-AC
S5700-X-LI
S5700-28X-LI-AC, S5700-28X-LI-DC,
S5700-52X-LI-AC, S5700-52X-LI-DC,
S5700-28X-PWR-LI-AC, S5700-52XPWR-LI-AC, S5700-28X-LI-24S-DC,
S5700-28X-LI-24S-AC, S5700-52XLI-48CS-AC
S5700S-X-LI
S5700S-28X-LI-AC, S5700S-52X-LIAC
S5700-TP-LI
S5700-28TP-LI-AC, S5700-28TP-PWRLI-AC, S5701-28TP-PWR-LI-AC
S5710-X-LI
S5710-28X-LI-AC, S5710-52X-LI-AC

45

Switches
Issue 11 (2016-07-22)
2 Device Management
Series
Device Models
S5720SI
S5720EI
S6720EI/S6720S-EI
E600

46

Switches
3 Interface Management
Interface Management
About This Chapter

3.1 Ethernet Interface
3.2 Logical Interface
Issue 11 (2016-07-22)

47

Switches
3.1 Ethernet Interface

Involved Network Element
License Support
An Ethernet interface is a basic feature of a switch and is not under license control.
Version Support
Table 3-1 Products and minimum version supporting Ethernet interfaces
Issue 11 (2016-07-22)
Serie
s
Produ
ct
Mini
mum
Versi
on
Supp
ortin
g FE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g GE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
XGE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
Multi
GE
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g FE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g GE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
XGE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
40GE
Optic
al
Interf
aces
S1700
S1720
Not
suppor
ted by
any
versio
n
V200
R006
(The
S1720
is
unavai
lable
in
V200
R007
and
V200
R008.
)
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
V200
R006
(The
S1720
is
unavai
lable
in
V200
R007
and
V200
R008.)
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n

48

Switches
Issue 11 (2016-07-22)
Serie
s
Produ
ct
Mini
mum
Versi
on
Supp
ortin
g FE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g GE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
XGE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
Multi
GE
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g FE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g GE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
XGE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
40GE
Optic
al
Interf
aces
S2700
S2700
SI and
S2700
EI
V100
R005
(The
S2700
SI and
S2700
EI are
unavai
lable
in
V200
R001
and
later
versio
ns.)
V100
R005
(The
S2700
SI and
S2700
EI are
unavai
lable
in
V200
R001
and
later
versio
ns.)
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
V100
R005
(The
S2700
SI and
S2700
EI are
unavai
lable
in
V200
R001
and
later
versio
ns.)
V100
R005
(The
S2700
SI and
S2700
EI are
unavai
lable
in
V200
R001
and
later
versio
ns.)
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
S2710
SI
V100
R006
(The
S2710
SI is
unavai
lable
in
V200
R001
and
later
versio
ns.)
V100
R006
(The
S2710
SI is
unavai
lable
in
V200
R001
and
later
versio
ns.)
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
V100
R006
(The
S2710
SI is
unavai
lable
in
V200
R001
and
later
versio
ns.)
V100
R006
(The
S2710
SI is
unavai
lable
in
V200
R001
and
later
versio
ns.)
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n

49

Switches
Serie
s
S3700
Issue 11 (2016-07-22)
Produ
ct
Mini
mum
Versi
on
Supp
ortin
g FE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g GE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
XGE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
Multi
GE
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g FE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g GE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
XGE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
40GE
Optic
al
Interf
aces
S2720
EI
V200
R006
(The
S2720
EI is
unavai
lable
in
V200
R007
and
V200
R008.)
Not
suppo
rted
by any
versio
n
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
V200
R006
(The
S2720
EI is
unavai
lable
in
V200
R007
and
V200
R008.)
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
S2750
EI
V200
R003
V200
R003
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
V200
R003
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
S3700
SI and
S3700
EI
V100
R005
(The
S3700
SI and
S3700
EI are
unavai
lable
in
V200
R001
and
later
versio
ns.)
V100
R005
(The
S3700
SI and
S3700
EI are
unavai
lable
in
V200
R001
and
later
versio
ns.)
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
V100
R005
(The
S3700
SI and
S3700
EI are
unavai
lable
in
V200
R001
and
later
versio
ns.)
V100
R005
(The
S3700
SI and
S3700
EI are
unavai
lable
in
V200
R001
and
later
versio
ns.)
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n

50

Switches
Serie
s
S5700
Issue 11 (2016-07-22)
Produ
ct
Mini
mum
Versi
on
Supp
ortin
g FE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g GE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
XGE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
Multi
GE
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g FE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g GE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
XGE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
40GE
Optic
al
Interf
aces
S3700
HI
V100
R006
(The
S3700
HI is
unavai
lable
in
V200
R002
and
later
versio
ns.)
V100
R006
(The
S3700
HI is
unavai
lable
in
V200
R002
and
later
versio
ns.)
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
V100
R006
(The
S3700
HI is
unavai
lable
in
V200
R002
and
later
versio
ns.)
V100
R006
(The
S3700
HI is
unavai
lable
in
V200
R002
and
later
versio
ns.)
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
S5700
LI and
S5700
S-LI
Not
suppor
ted by
any
versio
n
V200
R001
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
V200
R001
V200
R001
Not
suppor
ted by
any
versio
n
S5710
-C-LI
Not
suppor
ted by
any
versio
n
V200
R001
(The
S5710
-C-LI
is
unavai
lable
in
V200
R002
and
later
versio
ns.)
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
V200
R001
(The
S5710
-C-LI
is
unavai
lable
in
V200
R002
and
later
versio
ns.)
V200
R001
(The
S5710
-C-LI
is
unavai
lable
in
V200
R002
and
later
versio
ns.)
Not
suppor
ted by
any
versio
n

51

Switches
Serie
s
Issue 11 (2016-07-22)
Produ
ct
Mini
mum
Versi
on
Supp
ortin
g FE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g GE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
XGE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
Multi
GE
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g FE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g GE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
XGE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
40GE
Optic
al
Interf
aces
S5710
-X-LI
Not
suppor
ted by
any
versio
n
V200
R008
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
V200
R008
V200
R008
Not
suppor
ted by
any
versio
n
S5700
EI and
S5700
SI
Not
suppor
ted by
any
versio
n
V100
R005
(The
S5700
SI and
S5700
EI are
unavai
lable
in
V200
R006
and
later
versio
ns.)
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
V100
R005
(The
S5700
SI and
S5700
EI are
unavai
lable
in
V200
R006
and
later
versio
ns.)
V100
R005
(The
S5700
SI and
S5700
EI are
unavai
lable
in
V200
R006
and
later
versio
ns.)
Not
suppor
ted by
any
versio
n
S5710
EI
Not
suppor
ted by
any
versio
n
V200
R001
(The
S5710
EI is
unavai
lable
in
V200
R006
and
later
versio
ns.)
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
V200
R001
(The
S5710
EI is
unavai
lable
in
V200
R006
and
later
versio
ns.)
V200
R001
(The
S5710
EI is
unavai
lable
in
V200
R006
and
later
versio
ns.)
Not
suppor
ted by
any
versio
n

52

Switches
Serie
s
Issue 11 (2016-07-22)
Produ
ct
Mini
mum
Versi
on
Supp
ortin
g FE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g GE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
XGE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
Multi
GE
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g FE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g GE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
XGE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
40GE
Optic
al
Interf
aces
S5720
EI
Not
suppor
ted by
any
versio
n
V200
R007
V200
R007
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
V200
R007
V200
R007
Not
suppor
ted by
any
versio
n
S5700
HI
Not
suppor
ted by
any
versio
n
V100
R006
(The
S5700
HI is
unavai
lable
in
V200
R006
and
later
versio
ns.)
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
V200
R001
(The
S5700
HI is
unavai
lable
in
V200
R006
and
later
versio
ns.)
V200
R001
(The
S5700
HI is
unavai
lable
in
V200
R006
and
later
versio
ns.)
Not
suppor
ted by
any
versio
n
S5710
HI
Not
suppor
ted by
any
versio
n
V200
R003
(The
S5710
HI is
unavai
lable
in
V200
R006
and
later
versio
ns.)
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
V200
R003
(The
S5710
HI is
unavai
lable
in
V200
R006
and
later
versio
ns.)
V200
R003
(The
S5710
HI is
unavai
lable
in
V200
R006
and
later
versio
ns.)
V200
R003
(The
S5710
HI is
unavai
lable
in
V200
R006
and
later
versio
ns.)

53

Switches
Serie
s
S6700
Issue 11 (2016-07-22)
Produ
ct
Mini
mum
Versi
on
Supp
ortin
g FE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g GE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
XGE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
Multi
GE
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g FE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g GE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
XGE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
40GE
Optic
al
Interf
aces
S5720
HI
Not
suppor
ted by
any
versio
n
V200
R006
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
V200
R006
V200
R006
Not
suppor
ted by
any
versio
n
S5720
SI and
S5720
S-SI
Not
suppor
ted by
any
versio
n
V200
R008
Not
suppor
ted by
any
versio
n
Suppo
rted
by
only
the
S5720
-14XPWHSI-AC
in
V200
R009
Not
suppor
ted by
any
versio
n
V200
R008
V200
R008
Not
suppor
ted by
any
versio
n
S6700
EI
Not
suppor
ted by
any
versio
n
V100
R006
(The
S6700
EI is
unavai
lable
in
V200
R006
and
later
versio
ns.)
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
V100
R006
(The
S6700
EI is
unavai
lable
in
V200
R006
and
later
versio
ns.)
V200
R001
(The
S6700
EI is
unavai
lable
in
V200
R006
and
later
versio
ns.)
Not
suppor
ted by
any
versio
n

54

Switches
Serie
s
Produ
ct
Mini
mum
Versi
on
Supp
ortin
g FE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g GE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
XGE
Electr
ical
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
Multi
GE
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g FE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g GE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
XGE
Optic
al
Interf
aces
Mini
mum
Versi
on
Supp
ortin
g
40GE
Optic
al
Interf
aces
S6720
EI
Not
suppor
ted by
any
versio
n
Not
suppo
rted
by any
versio
n
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
V200
R008
V200
R008
S6720
S-EI
Not
suppor
ted by
any
versio
n
Not
suppo
rted
by any
versio
n
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
Not
suppor
ted by
any
versio
n
V200
R009
V200
R009

Table 3-2 lists the common attributes of Ethernet interfaces.
Table 3-2 Common attributes of Ethernet interfaces
Issue 11 (2016-07-22)
Interfac
e Type
Transm
ission
Mediu
m
Rate
(Mbit/s)
Duplex
Mode
AutoNegotia
tion
Flow
Control
Flow
Contro
l AutoNegoti
ation
Remark
s
MultiGE
interface
Network
cable
100
Fullduplex/
halfduplex
Supporte
d
Supporte
d
Support
ed
1000
Fullduplex
Only the
S5720-14
X-PWHSI-AC
supports
MultiGE
interfaces
.
You can
set the
rate of a
MultiGE

55

Switches
Interfac
e Type
FE
electrica
l
interface
GE
electrica
l
interface
Issue 11 (2016-07-22)
Transm
ission
Mediu
m
Network
cable
Network
cable
Rate
(Mbit/s)
Duplex
Mode
2500
Fullduplex
10
Fullduplex/
halfduplex
100
Fullduplex/
halfduplex
10
Fullduplex/
halfduplex
100
Fullduplex/
halfduplex
1000
Fullduplex
AutoNegotia
tion
Flow
Control
Flow
Contro
l AutoNegoti
ation
Remark
s
interface
to 100
Mbit/s
and
duplex
mode to
halfduplex
only
when the
interface
works in
autonegotiati
on mode.
Supporte
d
Supporte
d
Support
ed
Supporte
d
Supporte
d
Support
ed
Before
enabling
flow
control
autonegotiati
on,
enable
autonegotiati
on first.
FE
optical
interface
FE
optical
module
100
Fullduplex
Not
supporte
d
Supporte
d
Not
support
ed
GE
optical
interface
FE
optical
module
100
Fullduplex
Not
supporte
d
Supporte
d
Not
support
ed

56

Switches
Interfac
e Type
Issue 11 (2016-07-22)
Transm
ission
Mediu
m
Rate
(Mbit/s)
Duplex
Mode
AutoNegotia
tion
Flow
Control
Flow
Contro
l AutoNegoti
ation
Remark
s
GE
optical
module
100
Fullduplex
Supporte
d
Supporte
d
Not
support
ed
By
default,
autonegotiati
on is
enabled
on GE
optical
interfaces
and rate
autonegotiati
on is
disabled.
You can
run the
speed
autonegotiati
on
comman
d to
enable
rate autonegotiati
on.
After
running
the speed
autonegotiati
on
comman
d to
configure
rate autonegotiati
on on a
GE
optical
interface
working
in autonegotiati
on mode,
you

57

Switches
Interfac
e Type
Transm
ission
Mediu
m
GE
copper
module
Issue 11 (2016-07-22)
Rate
(Mbit/s)
Duplex
Mode
AutoNegotia
tion
Flow
Control
Flow
Contro
l AutoNegoti
ation
Remark
s
1000
Fullduplex
Supporte
d
Supporte
d
Support
ed
cannot
configure
flow
control
autonegotiati
on on the
interface.
10
Fullduplex/
halfduplex
Supporte
d
Supporte
d
Support
ed
100
Fullduplex/
halfduplex
1000
Fullduplex
Before
enabling
flow
control
autonegotiati
on,
enable
autonegotiati
on first.
XGE
(10GE)
electrica
l
interface
Network
cable
10000
Fullduplex
Supporte
d
Supporte
d
Support
ed
Only the
ES5D21
X02T01
card of
the
S5720EI
supports
XGE
electrical
interfaces
.
XGE
(10GE)
optical
interface
XGE
optical
module
10000
Fullduplex
Not
supporte
d
Supporte
d
Not
support
ed
GE
optical
module
1000
Fullduplex
Supporte
d
Supporte
d
Not
support
ed
GE
copper
module
100
Fullduplex
Supporte
d
Supporte
d
Support
ed
l The
XGE
interf
aces
on the
ES5D
21X0
2S01
card
of the
S5720
EI
and

58

Switches
Interfac
e Type
Issue 11 (2016-07-22)
Transm
ission
Mediu
m
Rate
(Mbit/s)
Duplex
Mode
AutoNegotia
tion
Flow
Control
Flow
Contro
l AutoNegoti
ation
Remark
s
1000
Fullduplex
Supporte
d
Supporte
d
Support
ed
the
ES5D
21X0
4S01
card
of the
S5720
HI
suppo
rt
only
XGE
optica
l
modul
es.
l The
last
four
GE
interf
aces
(base
d on
the
interf
ace
numb
er) on
the
S5720
-PCEI,
S5720
-P-EI,
S5720
-28PSIAC
and
S5720
-52PSIAC
suppo
rt

59

Switches
Interfac
e Type
Transm
ission
Mediu
m
Rate
(Mbit/s)
Duplex
Mode
AutoNegotia
tion
Flow
Control
Flow
Contro
l AutoNegoti
ation
Remark
s
only
GE
optica
l
modul
es and
GE
coppe
r
modul
es,
and
the
interf
ace
rate
can
only
be
1000
Mbit/
s.
l Only
XGE
optica
l
interf
aces
on the
S6720
EI
and
S6720
S-EI
in
V200
R009
can
autom
aticall
y
negoti
ate
the
rate to
100
Issue 11 (2016-07-22)

60

Switches
Interfac
e Type
Transm
ission
Mediu
m
Rate
(Mbit/s)
Duplex
Mode
AutoNegotia
tion
Flow
Control
Flow
Contro
l AutoNegoti
ation
Remark
s
Mbit/
s after
havin
g GE
coppe
r
modul
es
install
ed.
40GE
optical
interface
Issue 11 (2016-07-22)
Highspeed
cable
10000
Fullduplex
Supporte
d
Supporte
d
Not
support
ed
When
used for
data
transmiss
ion
between
service
ports,
copper
cables
can only
connect
switches
of the
same
subseries,
and
cannot be
used
between
switches
of
different
subseries
or
between
Huawei
and nonHuawei
switches.
40GE
optical
module
40000
Fullduplex
Not
supporte
d
Supporte
d
Not
support
ed

61

Switches
Interfac
e Type
Issue 11 (2016-07-22)
Transm
ission
Mediu
m
Rate
(Mbit/s)
Duplex
Mode
AutoNegotia
tion
Flow
Control
Flow
Contro
l AutoNegoti
ation
Remark
s
Highspeed
cable
40000
Fullduplex
Supporte
d
Supporte
d
Not
support
ed
When
you run
the
display
interface
comman
d on a
40GE
optical
interface
that has a
highspeed
cable
installed,
the
comman
d output
shows
that autonegotiati
on is
enabled.
However,
you
cannot
run the
negotiati
on auto
comman
d to
configure
the autonegotiati
on mode.
Switches providing MultiGE interfaces can connect to the following devices:
All switches providing GE electrical interfaces
AP: AP7050DN-E (with 2.5G uplink interfaces) running V200R007C00
Pico: BTS3911B running V100R010C10SPC092T
On the S5700SI, S5700EI, and S5700HI in V200R003 or V200R005, a GE interface can

go Up after it has a GE copper module installed. However, you cannot run corresponding
commands to configure the rate, duplex mode, auto-negotiation, MDI, flow control, and
62

Switches
virtual cable test on the interface. The 10GE interfaces on the S5700EI do not support
GE copper modules.
l
Only the S1720 and S5700-X-LI support the IFG configuration.
Only the XGE optical interfaces that have XGE optical modules installed support singlefiber communication without requiring licenses. S5720HI does not support single-fiber
communication.
Only MEth0/0/1 on the S5720HI, S5720EI, S6700EI, S6720EI, and S6720S-EI supports
the duplex mode configuration.
On the S5720S-28P-SI-AC, S5720S-52P-SI-AC, S5720-28P-SI-AC, and S5720-52P-SIAC, the last four GE interfaces cannot have FE optical modules installed and do not
support the rate auto-negotiation configuration.
For switches in V200R003C00 and earlier versions, only Layer 2 Ethernet interfaces on
the S5700HI, S5710EI, and S5710HI can be configured as Layer 3 interfaces. For
switches in V200R005C00 and later versions, only Layer 2 Ethernet interfaces on the
S5700HI, S5710EI, S5710HI, S5700EI, S6700EI, S5720EI, S5720HI, S6720EI, and
S6720S-EI can be configured as Layer 3 interfaces.
3.2 Logical Interface

License Support
A logical interface is a basic feature of a switch and is not under license control.
Version Support
Table 3-3 Products and minimum version supporting logical interfaces
Issue 11 (2016-07-22)
Series
Product
Minim
um
Version
Suppor
ting
Subinterfac
es
Minim
um
Version
Suppor
ting
EthTrunk
S1700
S1720
Not
supporte
d by any
version
V200R006 (The S1720 is unavailable in V200R007 and

V200R008.)
S2700
S2700SI
and
S2700EI
Not
supporte
d by any
version
V100R005 (The S2700SI and S2700EI are unavailable

in V200R001 and later versions.)
Minim
um
Version
Suppor
ting
Tunnel
Interfac
es

Minim
um
Version
Suppor
ting
VLANI
F
Interfac
es
Minim
um
Version
Suppor
ting
Loopba
ck
Interfac
es
Minim
um
Version
Suppor
ting
Null
Interfac
es
63

Switches
Series
S3700
Product
Issue 11 (2016-07-22)
Minim
um
Version
Suppor
ting
EthTrunk
Minim
um
Version
Suppor
ting
Tunnel
Interfac
es
Minim
um
Version
Suppor
ting
VLANI
F
Interfac
es
Minim
um
Version
Suppor
ting
Loopba
ck
Interfac
es
Minim
um
Version
Suppor
ting
Null
Interfac
es
S2710SI
V100R006 (The S2710SI is unavailable in V200R001

S2720EI
V200R006 (The S2720EI is unavailable in V200R007

and V200R008.)
S2750EI
V200R003
S3700SI
and
S3700EI
Not
supporte
d by any
version

S5700LI
and
S5700SLI
Not
supporte
d by any
version
V200R001
S5710C-LI
Not
supporte
d by any
version
V200R001 (The S5710-C-LI is unavailable in

V200R002 and later versions.)
S5710X-LI
Not
supporte
d by any
version
V200R008
S5700EI
and
S5700SI
Not
supporte
d by any
version

S3700HI
S5700
Minim
um
Version
Suppor
ting
Subinterfac
es
V100R006 (The S3700HI is unavailable in V200R002


64

Switches
Series
Issue 11 (2016-07-22)
Product
Minim
um
Version
Suppor
ting
Subinterfac
es
Minim
um
Version
Suppor
ting
EthTrunk
S5710EI
V200R0
03 (The
S5710EI
is
unavaila
ble in
V200R0
06 and
later
versions.
)

S5720EI
V200R0
09
V200R007
S5700HI
V200R0
03 (The
S5700HI
is
unavaila
ble in
V200R0
06 and
later
versions.
)

S5710HI
V200R0
03 (The
S5710HI
is
unavaila
ble in
V200R0
06 and
later
versions.
)

S5720HI
V200R0
07
V200R007
Minim
um
Version
Suppor
ting
Tunnel
Interfac
es

Minim
um
Version
Suppor
ting
VLANI
F
Interfac
es
Minim
um
Version
Suppor
ting
Loopba
ck
Interfac
es
Minim
um
Version
Suppor
ting
Null
Interfac
es
65

Switches
Series
S6700
Product
Minim
um
Version
Suppor
ting
Subinterfac
es
Minim
um
Version
Suppor
ting
EthTrunk
S5720SI
and
S5720SSI
Not
supporte
d by any
version
V200R008
S6700EI
V200R0
05 (The
S6700EI
is
unavaila
ble in
V200R0
06 and
later
versions.
)

S6720EI
V200R0
08
V200R008
S6720SEI
V200R0
09
V200R009
Minim
um
Version
Suppor
ting
Tunnel
Interfac
es
Minim
um
Version
Suppor
ting
VLANI
F
Interfac
es
Minim
um
Version
Suppor
ting
Loopba
ck
Interfac
es
Minim
um
Version
Suppor
ting
Null
Interfac
es

l
Only hybrid and trunk Layer 2 interfaces on the preceding switches support sub-interface
configuration.
Before configuring sub-interfaces on Layer 2 interfaces on the preceding switches, run

the undo portswitch command to configure the Layer 2 interfaces as Layer 3 interfaces.
After an interface is added to an Eth-Trunk, you can only configure sub-interfaces on the
Eth-Trunk, but not on the interface.
Issue 11 (2016-07-22)

66

Switches
4 Ethernet Switching
Ethernet Switching
About This Chapter

4.1 MAC
4.2 Link Aggregation
4.3 VLAN
4.4 VLAN Aggregation
4.5 MUX VLAN
4.6 VLAN Termination
4.7 Voice VLAN
4.8 QinQ
4.9 VLAN Mapping
4.10 GVRP
4.11 VCMP
4.12 STP/RSTP
4.13 MSTP
4.14 VBST
4.15 SEP
4.16 RRPP
4.17 ERPS (G.8032)
4.18 LBDT
4.19 Layer 2 Protocol Transparent Transmission
Issue 11 (2016-07-22)

67

Switches
4.1 MAC
License Support
The MAC address table is a basic feature of a switch and is not under license control.
Version Support
Table 4-1 Products and minimum version supporting the MAC address table
Series
Product
Minimum Version
Required
S1700
S1720GFR
V200R006 (The S1720GFR

is unavailable in V200R007
and V200R008.)
S2700
S2700SI

S2700EI

S2710SI

S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S3700
S5700
Issue 11 (2016-07-22)

68

Switches
Series
S6700
Product
Minimum Version
Required
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700EI

S5700SI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
Dynamic MAC address entries can be learned on an interface only after the interface is
added to an existing VLAN.
Each static MAC address entry can have only one outbound interface.
When the aging time of dynamic MAC address entries is set to 0, dynamic MAC address
entries do not age. To age MAC address entries, delete the aging time configuration.
When MAC address learning is disabled in a VLAN and an interface in the VLAN on
the S5700EI, S5710EI, S5700HI, S5710HI, and S5720EI and the discard action is
configured for the interface, the interface does not discard packets from this VLAN. For
example, MAC address learning is disabled in VLAN 2 but enabled in VLAN 3; Port1 in
Issue 11 (2016-07-22)

69

Switches
VLAN 2 and VLAN 3 has MAC address learning disabled and the discard action is
defined. In this situation, Port1 discards packets from VLAN 3 but forwards packets
from VLAN 2.
l
When the interface frequently alternates between Up and Down, MAC address entries
may be not aged within two aging period. At this time, you are advised to check the link
quality or run the port link-flap protection enable command to configure link flapping
protection.
4.2 Link Aggregation

License Support
Ethernet link aggregation is a basic feature of a switch and is not under license control.
Version Support
Table 4-2 Products and minimum version supporting Ethernet link aggregation
Series
Product
Minimum Version
Required
S1700
S1720GFR

S2700
S2700SI

S2700EI

S2710SI

S2720EI

S2750EI
V200R003
S3700SI

S3700
Issue 11 (2016-07-22)

70

Switches
Series
S5700
S6700
Product
Minimum Version
Required
S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

Configuration Notes Before an Eth-Trunk Is Configured
Issue 11 (2016-07-22)

71

Switches
Each Eth-Trunk supports a maximum of 8 member interfaces on other models and 32

member interfaces on the S5720HI.
In V200R009 and later versions, you can run the assign trunk command on the S6720EI
and S6720S-EI to set the maximum number of LAGs and the maximum number of
member interfaces in each LAG, and run the display trunk configuration command to
check the configuration.
Member interfaces cannot be configured with some services or static MAC address
entries. For example, when an interface is added to an Eth-Trunk, the interface must use
the default link type.
An Eth-Trunk cannot be added to another Eth-Trunk.
Member interfaces of an Eth-Trunk must use the same Ethernet type and rate.
Interfaces that use different Ethernet types and rates cannot join the same Eth-Trunk. For
example, GE and FE interfaces cannot join the same Eth-Trunk, and GE electrical and
optical interfaces can join the same Eth-Trunk.
Both devices of the Eth-Trunk must use the same number of physical interfaces,
interface rate, duplex mode, and flow control mode.
If an interface of the local device is added to an Eth-Trunk, an interface of the remote

device directly connected to the interface of the local device must also be added to the
Eth-Trunk so that the two ends can communicate.
Both devices of an Eth-Trunk must use the same link aggregation mode.
When the number of active interfaces falls below the lower threshold, the Eth-Trunk
goes Down. This ensures that the Eth-Trunk has a minimum available bandwidth.
The preceding configuration notes are applicable to scenarios where switches are directly
connected. In the following scenarios, there are other configuration notes in addition to the
preceding ones.
Table 4-3 Configuration notes in different scenarios
Issue 11 (2016-07-22)
Usage Scenario
Precaution
Switches Are Connected Across a

Transmission Device Using Link
Aggregation
l The switches at both ends must use link

aggregation in LACP mode.
Switches Connect to Transmission Devices

Using Link Aggregation
l The link aggregation mode on the

transmission device must be the same as
that of the switch. Configure the
transmission device according to its
operation guide.
l The transmission device between

switches must be configured to
transparently transmit LACPDUs.

72

Switches
Usage Scenario
Precaution
A Switch Connects to a Server Using Link

Aggregation
l Network adapters of the server must use

the same type.
l The link aggregation modes on the
server and access device must be
consistent.
Intel network adapter is used as an
example. A server often uses static or
IEEE 802.3ad dynamic link aggregation.
When the server uses static link
aggregation, the access device must use
the manual mode. When the server uses
IEEE 802.3ad dynamic link aggregation,
the access device must use the LACP
mode.
Configuration Notes After an Eth-Trunk Is Configured

l
An Ethernet interface can be added to only one Eth-Trunk. To add an Ethernet interface
to another Eth-Trunk, delete it from the original one first.
After an interface is added to an Eth-Trunk, only the Eth-Trunk learns MAC address
entries or ARP entries, but the member interface does not.
Before deleting an Eth-Trunk, delete member interfaces from the Eth-Trunk.
Specifications
Link aggregation mode:
l
Manual
LACP
Link aggregation modes supported by the device

l
Intra-device: Member interfaces of an Eth-Trunk are located on the same device.
Inter-stack-device: Member interfaces of an Eth-Trunk are located on member devices of

a stack. For details, see Link Aggregation in Stack Scenarios.
Inter-device: The inter-device link aggregation refers to E-Trunk. E-Trunk allows links
between multiple devices to be aggregated based on LACP. For details, see E-Trunk.
Load balancing modes supported by the device

To prevent data packet mis-sequencing, an Eth-Trunk uses flow-based load balancing.
You can use the following load balancing modes based on actual networking:
l
Based on source MAC addresses of packets
Based on destination MAC addresses of packets
Based on source IP addresses of packets
Based on destination IP addresses of packets
Based on the Exclusive-Or result of source and destination MAC addresses of packets
Issue 11 (2016-07-22)

73

Switches
Based on the Exclusive-Or result of source and destination IP addresses of packets
Enhanced load balancing: based on VLAN IDs and source physical interface numbers
for Layer 2, IPv4, IPv6, and MPLS packets
4.3 VLAN
License Support
VLAN technology is a basic feature of a switch and is not under license control.
Version Support
Table 4-4 Products and minimum version supporting VLAN technology
Series
Product
Minimum Version
Required
S1700
S1720GFR

and V200R008.)
S2700
S2700SI

S2700EI

S2710SI

S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700
Issue 11 (2016-07-22)

74

Switches
Series
S5700
S6700
Product
Minimum Version
Required
S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700EI

S5700SI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
Issue 11 (2016-07-22)
Table 4-5 describes the specifications of VLAN technology.

75

Switches
Table 4-5 Specifications of VLAN technology

Item
Specification
Maximum number of VLANs in the

system
4096 (VLAN 0 and VLAN 4095 are

reserved)
Maximum number of VLANIF interfaces

in the system
l S2700SI/S2710SI/S5710-C-LI: 1
l S2700EI/S1720GFR/S2720EI/S5710X-LI: 8
l S3700SI/S3700EI/S3700HI/S5700SI/
S5700EI: 256
l S5700HI/S5720EI/S5720HI/S5710HI/
S5720SI/S5720S-SI/S6720EI/
S6720S-EI: 1024
l S2750EI/S5700LI/S5700S-LI: 1 in
earlier versions of V200R005 and 8 in
V200R005 and later versions
l S5710EI/S6700EI: 256 in earlier
versions of V200R005 and 1024 in
V200R005 and later versions
If LNP is used to dynamically negotiate the link type (LNP is enabled by default), it is
recommended that each interface should be added to a maximum of 1000 VLANs and a
maximum of 200 interfaces should be configured on a switch. If 4096 VLANs are
configured globally, it is recommended that a maximum of 50 interfaces should be
enabled with LNP. Otherwise, the alarm about a high CPU usage is generated for a short
time.
You are advised to plan service and management VLANs so that any broadcast storms in
service VLANs do not affect switch management.
In practice, specify VLANs from which packets need to be transparently transmitted by a

trunk interface. Do not use the port trunk allow-pass vlan all command if possible.
In earlier versions of V200R005, before changing the interface type, restore the default
VLAN of the interface.
In earlier versions of V200R005, before deleting a VLAN where a VLANIF interface

has been configured, run the undo interface vlanif vlan-id command to delete the
VLANIF interface.
All interfaces join VLAN 1 by default. When unknown unicast, multicast, or broadcast
packets of VLAN 1 exist on the network, broadcast storms may occur. When VLAN 1 is
used, pay attention to the following points:
Issue 11 (2016-07-22)
Remove the interfaces that do not need to join VLAN 1 from VLAN 1 to prevent
loops. A trunk interface often permits packets from VLAN 1 to pass through. If a
trunk interface rejects packets from VLAN 1, some protocol packets such as
BPDUs transmitted in VLAN 1 may be incorrectly discarded. To prevent such
faults, take measures to prevent potential risks when packets of VLAN 1 are
allowed to pass through.
If a spanning tree protocol is used and a trunk interface on the switch rejects packets
from VLAN 1, run the stp bpdu vlan command to enable the switch to encapsulate
76

Switches
the specified VLAN ID in outgoing STP BPDUs so that the spanning tree protocol
runs properly.
You are advised to remove interfaces from VLAN 1 in Eth-Trunk or ring

networking.
When the switch connects to an access device, to prevent broadcast storms in

VLAN 1, do not configure the uplink interface of the access device to transparently
transmit packets from VLAN 1.
When an interface is bound to a VLANIF interface for Layer 3 forwarding, remove

the interface from VLAN 1 to prevent Layer 2 loops in VLAN 1.
4.4 VLAN Aggregation

License Support
VLAN aggregation, also called super-VLAN, is a basic feature of a switch and is not under
license control.
Version Support
Table 4-6 Products and minimum version supporting VLAN aggregation
Series
Product
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported
S2700EI

S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI

S3700EI

S3700
Issue 11 (2016-07-22)

77

Switches
Series
S5700
S6700
Product
Minimum Version
Required
S3700HI

S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700EI

S5700SI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
VLAN 1 cannot be configured as a super-VLAN.
A physical interface cannot be added to a VLAN configured as a super-VLAN.
A VLAN that has been configured as a guest VLAN cannot be configured as a superVLAN.
A traffic policy takes effect in a super-VLAN only after the traffic policy is configured in
all sub-VLANs of the super-VLAN.
Issue 11 (2016-07-22)

78

Switches
The VLAN terminated by a sub-interface cannot be configured as a super-VLAN or subVLAN.
An IP address must have been assigned to the VLANIF interface corresponding to the
super-VLAN. Otherwise, proxy ARP cannot take effect.
4.5 MUX VLAN

License Support
The MUX VLAN is a basic feature of a switch and is not under license control.
Version Support
Table 4-7 Products and minimum version supporting the MUX VLAN
Series
Product
Minimum Version
Required
S1700
S1720GFR

and V200R008.)
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S3700
S5700
Issue 11 (2016-07-22)

79

Switches
Series
S6700
Product
Minimum Version
Required
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700EI

S5700SI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
Table 4-8 describes the specifications of the MUX VLAN.

Table 4-8 Specifications of the MUX VLAN
Issue 11 (2016-07-22)
Item
Specification
Maximum number of principal VLANs

on the entire device
128

80

Switches
Item
Specification
Maximum number of separate VLANs in

each principal VLAN
Maximum number of group VLANs in

each principal VLAN
128
NOTE
Each principal VLAN supports a total of 128
separate and group VLANs. That is, if one
separate VLAN is configured, a maximum of
127 group VLANs can be configured.
The VLAN ID assigned to a principal VLAN cannot be used to configure VLAN

mapping, VLAN stacking, super-VLAN, or sub-VLAN.
The VLAN ID assigned to a group or separate VLAN cannot be used to configure a

VLANIF interface, VLAN mapping, VLAN stacking, super-VLAN, or sub-VLAN.
Disabling MAC address learning or limiting the number of learned MAC addresses on
an interface will compromise the performance of the MUX VLAN function.
MUX VLAN and port security cannot be configured on the same interface.
MUX VLAN and MAC address authentication cannot be configured on the same
interface.
MUX VLAN and 802.1x authentication cannot be configured on the same interface.
When both DHCP snooping and MUX VLAN are configured, if DHCP snooping is
configured in the subordinate VLAN and DHCP clients are configured in the principal
VLAN, the DHCP clients may fail to obtain IP addresses. In this case, configure the
DHCP server in the principal VLAN.
After the MUX VLAN function is enabled on an interface, VLAN mapping or VLAN
stacking cannot be configured on the interface.
You can create a VLANIF interface for a principal VLAN, but cannot create a VLANIF
interface for a subordinate group VLAN or separate VLAN.
When the interface is enabled with MUX VLAN and configured with the PVID using the
port trunk pvid vlan command, do not configure the PVID as the ID of the principal
VLAN or subordinate VLAN of the MUX VLAN. For example, VLAN 10 is the
principal VLAN, VLAN 11 is a subordinate group VLAN, and VLAN 12 is a
subordinate separate VLAN. After the port mux vlan enable 10 command is used on
the interface to enable MUX VLAN, do not run the port trunk pvid vlan command to
set the PVID to VLAN 11 or VLAN 12.
4.6 VLAN Termination

License Support
VLAN termination, that is, QinQ on a sub-interface, is a basic feature of a switch and is not
under license control.
Issue 11 (2016-07-22)

81

Switches
Version Support
Table 4-9 Products and minimum version supporting VLAN termination
Series
Product
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700EI
Not supported
S5700SI
Not supported
S5710EI

S5720EI
V200R009
S5720SI/S5720S-SI
Not supported
S5700HI

S5710HI

S5720HI
V200R007 (The V200R008

does not support this
function.)
S6700EI

S3700
S5700
S6700
Issue 11 (2016-07-22)

82

Switches
Series
Product
Minimum Version
Required
S6720EI
V200R008
S6720S-EI
V200R009

l
Termination sub-interfaces cannot be configured on an Eth-Trunk member interface.
You are advised to add member interfaces to an Eth-Trunk and configure termination
sub-interfaces on the Eth-Trunk in sequence. Termination sub-interfaces can be
configured successfully on an Eth-Trunk only when all series of cards where member
interfaces reside support termination sub-interfaces.
The VLAN IDs terminated by a sub-interface cannot be created in the system view or be
displayed using a display command.
When VLAN IDs terminated by a sub-interface are used for Layer 3 forwarding, only
the first VLAN takes effect even if multiple inner VLAN IDs are specified.
VLAN termination sub-interfaces cannot be created on a VCMP client.
The VLAN terminated by a sub-interface cannot be configured as a super-VLAN or subVLAN.
If the PW-side interface is a Layer 3 interface switched by the undo portswitch

command, the AC-side interface cannot be a subinterface belonging to a Layer 3
interface; otherwise, traffic forwarding is abnormal. This rule applies to S5720EI,
S6720EI, and S6720S-EI.
4.7 Voice VLAN

License Support
The voice VLAN is a basic feature of a switch and is not under license control.
Version Support
Table 4-10 Products and minimum version supporting the voice VLAN
Issue 11 (2016-07-22)
Series
Product
Minimum Version
Required
S1700
S1720GFR

and V200R008.)

83

Switches
Series
Product
Minimum Version
Required
S2700
S2700SI
Not supported
S2700EI

S2710SI

S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700EI

S5700SI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S3700
S5700
Issue 11 (2016-07-22)

84

Switches
Series
S6700
Product
Minimum Version
Required
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
VLAN 1 cannot be configured as a voice VLAN.
To transmit different services, ensure that the voice VLAN and default VLAN on an
interface are different VLANs.
Only one VLAN on an interface can be configured as a voice VLAN at a time.
After a voice VLAN is configured on an interface, VLAN mapping, VLAN stacking, or

traffic policies cannot be configured on the interface.
Do not set the VLAN ID to 0 on an IP phone.
The S5720HI do not support the automatic mode.
In auto mode, access, negotiation-auto, or negotiation-desirable interfaces cannot be

added to a voice VLAN. To add the interface to the voice VLAN, run the port link-type
command to change the link type of the interface to trunk or hybrid.
In V200R003 and later versions, the automatic mode takes effect only when the voicevlan remark-mode mac-address command is configured to increase the priority of
voice packets based on MAC addresses and the voice-vlan enable command without
include-untagged specified is configured to enable voice VLAN on the interface.
When the remark (user group view) and voice-vlan remark commands are used
together to modify the user packet priority in V200R008, if the services conflict:
For S5720HI, the priority configured using the remark (user group view)
command takes effect.
For S5720EI and S6720EI, the priority configured using the voice-vlan remark
4.8 QinQ
Issue 11 (2016-07-22)

85

Switches

License Support
QinQ is a basic feature of a switch and is not under license control.
Version Support
Table 4-11 Products and minimum version supporting QinQ
Series
Product
Minimum Version
Required
S1700
S1720GFR

and V200R008.)
S2700
S2700SI

NOTE
The S2700SI does not support
selective QinQ.
S3700
S5700
Issue 11 (2016-07-22)
S2700EI

S2710SI

S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001

86

Switches
Series
S6700
Product
Minimum Version
Required
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700EI

S5700SI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
For the points of attention when configuring QinQ on a sub-interface, see 4.6 VLAN
Termination.
The devices listed in Table 4-12 can add double tags to untagged packets.
Issue 11 (2016-07-22)

87

Switches
Table 4-12 Products and minimum version supporting the function of adding double tags
to untagged packets
Series
Product
Minimum Version
Required
S1700
S1720GFR
V200R006 (The
S1720GFR is unavailable
in V200R007 and
V200R008.)
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
V200R006 (The S2720EI

is unavailable in
V200R007 and
V200R008.)
S2750EI
V200R003
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
V200R003
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI
Not supported
S5700EI
Not supported
S5710EI
V200R003 (The S5710EI

is unavailable in
V200R006 and later
versions.)
S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI
V200R002 (The S5700HI

is unavailable in
V200R006 and later
versions.)
S3700
S5700
Issue 11 (2016-07-22)

88

Switches
Series
S6700
Product
Minimum Version
Required
S5710HI
V200R003 (The S5710HI

is unavailable in
V200R006 and later
versions.)
S5720HI
V200R006
S6700EI
V200R003 (The S6700EI

is unavailable in
V200R006 and later
versions.)
S6720EI
V200R008
S6720S-EI
V200R009
The switch forwards packets based only on their outer VLAN tags and learns MAC
address entries based on the outer VLAN tags.
Before configuring selective QinQ, run the qinq vlan-translation enable command to
enable VLAN translation.
Selective QinQ can only be enabled on hybrid interfaces and is valid only for incoming
packets.
The outer VLAN must be created before selective QinQ is performed.
When an interface configured with VLAN stacking needs to remove the outer tag from
outgoing frames, the interface must join the VLAN specified by stack-vlan in untagged
mode. If the outer VLAN does not need to be removed, the interface must join the
VLAN specified by stack-vlan in tagged mode.
During selective QinQ configuration, each inner VLAN ID on an interface is mapped to

only one outer VLAN ID.
If only single-tagged packets from a VLAN need to be transparently transmitted, do not

specify the VLAN as the inner VLAN for selective QinQ.
After selective QinQ is configured on the S3700EI, S3700SI, and S5700EI, configure
VLAN mapping to map the VLANs of which the tags need to be transparently
transmitted to themselves, for example, port vlan-mapping vlan 20 map-vlan 20.
VLAN-based flow mirroring allows the device to identify only outer VLAN tags of
QinQ packets.
The globally configured traffic-limit command that takes effect for all interfaces in the
inbound direction is invalid for QinQ packets.
ND snooping and adding double tags to untagged packets cannot be configured together
on the S1720GFR, S2720EI, S2750EI, S5700LI, S5700S-LI, S5710-C-LI, S5710-X-LI,
S5720SI, or S5720S-SI.
SAVI and adding double tags to untagged packets cannot be configured together on the
S1720GFR, S2720EI, S2750EI, S5700LI, S5700S-LI, S5710-X-LI, S5720SI, or S5720SSI.

Issue 11 (2016-07-22)

89

Switches

4.9 VLAN Mapping

License Support
VLAN mapping is a basic feature of a switch and is not under license control.
Version Support of 1:1 and N:1 VLAN Mapping

Table 4-13 Products and minimum version supporting 1:1 and N:1 VLAN mapping
Series
Product
Minimum Version
Required
S1700
S1720GFR

and V200R008.)
S2700
S2700SI
Not supported
S2700EI

NOTE
The S2752EI does not support
N:1 VLAN mapping.
S3700
Issue 11 (2016-07-22)
S2710SI

S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI


90

Switches
Series
S5700
Product
Minimum Version
Required
S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700EI

S5700SI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
NOTE
The S5720HI does not support
N:1 VLAN mapping.
S6700
Issue 11 (2016-07-22)
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

91

Switches
Version Support of 2:1 VLAN Mapping

Table 4-14 Products and minimum version supporting 2:1 VLAN mapping
Series
Product
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI
Not supported
S3700HI

S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700EI

S5700SI
Not supported
S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
Not supported
S5700HI

S5710HI

S5720HI
V200R006
S3700
S5700
Issue 11 (2016-07-22)

92

Switches
Series
Product
Minimum Version
Required
S6700
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009
Version Support of 2:2 VLAN Mapping

Table 4-15 Products and minimum version supporting 2:2 VLAN mapping
Series
Product
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700EI
Not supported
S5700SI
Not supported
S5710EI
Not supported
S5720EI
V200R009
S5720SI/S5720S-SI
Not supported
S5700HI
Not supported
S5710HI
Not supported
S5720HI
V200R009
S3700
S5700
Issue 11 (2016-07-22)

93

Switches
Series
Product
Minimum Version
Required
S6700
S6700EI
Not supported
S6720EI
V200R009
S6720S-EI
V200R009

l
VLAN mapping can be configured only on a trunk or hybrid interface, and the hybrid
interface must be added to the translated VLAN in tagged mode.
When N:1 VLAN mapping is configured (VLAN IDs can be non-contiguous before
mapping), the interface needs to be added to these VLANs in tagged mode, and the
VLAN specified by map-vlan cannot be a VLAN corresponding to a VLANIF interface.
If VLAN mapping and DHCP are configured on the same interface, the interface must be
added to the original VLANs (VLANs before mapping) in tagged mode.
N:1 VLAN mapping is not supported in a stack scenario.
Configuring MAC address limiting and N:1 VLAN mapping simultaneously causes a
high CPU usage on some low-end switches, so such configuration is not recommended.
4.10 GVRP
License Support
GVRP is a basic feature of a switch and is not under license control.
Version Support
Table 4-16 Products and minimum version supporting GVRP
Issue 11 (2016-07-22)
Series
Product
Minimum Version
Required
S1700
S1720GFR

S2700
S2700SI
Not supported
S2700EI


94

Switches
Series
S3700
S5700
Issue 11 (2016-07-22)
Product
Minimum Version
Required
S2710SI
Not supported
S2720EI

S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006

95

Switches
Series
Product
Minimum Version
Required
S6700
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

When many dynamic VLANs need to be registered or the network radius is large, using
default values of timers may cause VLAN flapping and high CPU usage. In this case, increase
values of the timers. The following values are recommended depending on the number of
VLANs.
Table 4-17 Relationship between GARP timer values and number of dynamic VLANs that
need to be registered
Number of Dynamic VLANs to Be Registered (N)
Timer
N <= 500
500 < N <=

1000
1000 < N <=

1500
N > 1500
GARP Hold
timer
100
centiseconds (1
second)
200
centiseconds (2
seconds)
800
centiseconds (8
seconds)
1000
centiseconds
(10 seconds)
GARP Join
timer
600
centiseconds (6
seconds)
1200
centiseconds
(12 seconds)
4000
centiseconds
(40 seconds)
6000
centiseconds (1
minute)
GARP Leave
timer
3000
centiseconds
(30 seconds)
6000
centiseconds (1
minute)
20000
centiseconds (3
minutes and 20
seconds)
30000
centiseconds (5
minutes)
GARP
LeaveAll timer
12000
centiseconds (2
minutes)
24000
centiseconds (4
minutes)
30000
centiseconds (5
minutes)
32765
centiseconds (5
minutes and
27.65 seconds)
The blocked port in instance 0 of STP/RSTP/MSTP can block GVRP packets; the blocked
ports of other MSTIs and other ring network protocols such as ERPS, SEP, RRPP, Smart
Link, and VBST cannot block GVRP packets. To ensure that GVRP runs normally and
prevent GVRP loops, do not enable GVRP on the blocked port of a ring network protocol.
Issue 11 (2016-07-22)

96

Switches
4.11 VCMP
License Support
VCMP is a basic feature of a switch and is not under license control.
Version Support
Table 4-18 Products and minimum version supporting VCMP
Series
Product
Minimum Version
Required
S1700
S1720GFR

and V200R008.)
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI

and V200R008.)
S2750EI
V200R005
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
V200R005
S5710-C-LI
Not supported
S5710-X-LI
V200R008
S5700EI

S5700SI

S3700
S5700
Issue 11 (2016-07-22)

97

Switches
Series
S6700
Product
Minimum Version
Required
S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
VCMP can only help the network administrator synchronize VLAN information but not
dynamically assign VLANs. VCMP is often used with LNP to simplify user
configurations. For details about LNP, see LNP.
VCMP packets can be only transmitted in VLAN 1. By default, all interfaces join VLAN
1. To prevent loops, deploy a loop prevention protocol such as STP in addition to VCMP.
By default, a switch is a VCMP client. If a switch is upgraded from an earlier version to

V200R005C00, the default role of the switch is a VCMP silent switch.
VCMP synchronizes only the VLAN ID in the current version.
One switch can join only one VCMP domain, and only one VCMP server exists in a
VCMP domain.
If the VCMP domain authentication password is set, ensure that the VCMP server and
clients use the same VCMP domain authentication password.
If VLANs created or deleted on the VCMP server are the control VLANs of the Ethernet
Ring Protection Switch (ERPS), Rapid Ring Protection Protocol (RRPP), Smart Ethernet
Protocol (SEP), or Smart link, or reserved VLANs of stack, a VCMP client does not
create or delete the VLANs.
If the Generic VLAN Registration Protocol (GVRP) has been enabled, the VCMP role
can be only the transparent or silent switch. If the VCMP role is set to client or server, do
not use GVRP.
Termination sub-interfaces cannot be configured on a VCMP client. For details on how

to configure a termination sub-interface, see Configuring a Sub-interface.
Issue 11 (2016-07-22)

98

Switches
After a VLAN is deleted on the VCMP server, VCMP clients delete the VLAN but do
not delete configurations in the VLAN. In addition, the vlan vlan-id configuration
command is generated in the configuration file, and the configurations in the deleted
VLAN specified by vlan-id are moved to the VLAN configuration view.
When the device used as a VCMP client that connects to a VCMP server restarts, the
VLAN configuration before the restart takes effect. To make the saved VLAN
configuration take effect, use one of the following methods to delete the vlan.dat file
and then restart the device:
Run the vcmp role { server | silent | transparent } command to change the device
role to a non-client.
Run the startup saved-configuration configuration-file command to configure a

new configuration file. Ensure that the name of the new configuration file is
different from that of the current configuration file.
Run the reset saved-configuration command to clear the saved configuration file.
This command will clear all the configuration.
NOTE
When the value of Server ID in the display vcmp status command output is not empty, the device
used as a VCMP client has been connected to a VCMP server.
4.12 STP/RSTP
Other network elements also need to support STP or RSTP.
License Support
STP or RSTP is a basic feature of a switch and is not under license control.
Version Support
Table 4-19 Products and minimum version supporting STP or RSTP
Issue 11 (2016-07-22)
Series
Product
Minimum Version
Required
S1700
S1720GFR

S2700
S2700SI

S2700EI


99

Switches
Series
S3700
S5700
Issue 11 (2016-07-22)
Product
Minimum Version
Required
S2710SI

S2720EI

S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI


100

Switches
Series
S6700
Product
Minimum Version
Required
S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

When STP or RSTP is enabled on a ring network, STP or RSTP immediately starts spanning
tree calculation. Parameters such as the device priority and port priority affect spanning tree
calculation, and the change of these parameters may cause network flapping. To ensure fast
and stable spanning tree calculation, configure parameters such as the device priority and port
priority before enabling STP or RSTP.
On a switch enabled with a spanning tree protocol, when a terminal connects to the switch,
spanning tree calculation is performed again. As a result, it takes a long period of time for the
terminal to obtain an IP address. In this case, disable the spanning tree protocol on the switch
port connected to the terminal or configure this switch port as the edge port.
4.13 MSTP
License Support
MSTP is a basic feature of a switch and is not under license control.
Version Support
Table 4-20 Products and minimum version supporting MSTP
Issue 11 (2016-07-22)
Series
Product
Minimum Version
Required
S1700
S1720GFR

S2700
S2700SI
Not supported

101

Switches
Series
S3700
S5700
Issue 11 (2016-07-22)
Product
Minimum Version
Required
S2700EI

S2710SI

S2720EI

S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI


102

Switches
Series
S6700
Product
Minimum Version
Required
S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
Table 4-21 lists the specification of MSTP.

Table 4-21 Specification of MSTP
Item
Specification
Maximum number of instances on the

entire system
65
MSTP BPDUs may be discarded in a scenario wherein there are many MSTIs and MSTP
multi-process is configured. This is due to the default CIR of STP being insufficient.
(The default CIR of STP is insufficient because the length of MSTP BPDUs increases as
the number of MSTIs increases, and the number of outgoing MSTP BPDUs increases
when MSTP multi-process is configured.) To avoid this situation, increase the CIR of
STP.
If the CPCAR values are adjusted improperly, network services are affected. To adjust
the CPCAR values of STP BPDUs, contact technical support personnel.
Enabling MSTP on a ring network immediately triggers spanning tree calculation. If

basic configurations are not performed on switches and interfaces before MSTP is
enabled, network flapping may occur upon changes to parameters such as device priority
and interface priority.
4.14 VBST
Other network elements also need to support VBST.
License Support
VBST is a basic feature of a switch and is not under license control.
Issue 11 (2016-07-22)

103

Switches
Version Support
Table 4-22 Products and minimum version supporting VBST
Series
Product
Minimum Version
Required
S1700
S1720GFR

S2700
S2700SI
Not suooprted
S2700EI
Not suooprted
S2710SI
Not suooprted
S2720EI

S2750EI
V200R005
S3700SI
Not suooprted
S3700EI
Not suooprted
S3700HI
Not suooprted
S5700LI/S5700S-LI
V200R005
S5710-C-LI
Not suooprted
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S3700
S5700
Issue 11 (2016-07-22)

104

Switches
Series
S6700
Product
Minimum Version
Required
S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
Table 4-23 describes the specifications of VBST.

Table 4-23 Specifications of VBST
Item
Specification
Number of protected VLANs
128
When VBST is enabled on a ring network, VBST immediately starts spanning tree
calculation. Parameters such as the device priority and port priority affect spanning tree
calculation, and the change of these parameters may cause network flapping. To ensure
fast and stable spanning tree calculation, perform basic configurations on the switch and
interfaces before enabling VBST.
If the protected instance has been configured in a SEP segment or ERPS ring but the
mapping between protected instances and VLANs is not configured, VBST cannot be
enabled.
VBST cannot be enabled in the ignored VLAN or control VLAN used by ERPS, RRPP,
SEP, or Smart Link.
If 1:N (N>1) mapping between MSTIs and VLANs has been configured on the switch,
delete the mapping before changing the STP working mode to VBST.
If the stp vpls-subinterface enable command has been configured on a switch, run the
undo stp vpls-subinterface enable command on an interface before changing the STP
working mode to VBST.
If the device has been configured as the root bridge or secondary root bridge, run the
undo stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> root command to disable the root
bridge or secondary root bridge function and run the stp vlan { vlan-id1 [ to vlan-id2 ] }
&<1-10> priority priority command to change the device priority.
When more than 128 MSTIs are dynamically specified, STP is disabled in a created
VLAN in the configuration file, for example, stp vlan 100 disable.
To prevent frequent network flapping, ensure that the values of Hello time, Forward
Delay, and Max Age conform to the following formulas:
Issue 11 (2016-07-22)
2 x (Forward Delay - 1.0 second) Max Age
Max Age 2 x (Hello Time + 1.0 second)

105

Switches
After all ports are configured as edge ports and BPDU filter ports in the system view,
none of ports on the switch send BPDUs or negotiate the VBST status with directly
connected ports on the remote device. All ports are in forwarding state. This may cause
loops on the network, leading to broadcast storms. Exercise caution when you configure
a port as an edge port and BPDU filter port.
After a port is configured as an edge port and BPDU filter port in the interface view, the
port does not process or send BPDUs. The port cannot negotiate the VBST status with
the directly connected port on the peer device. Exercise caution when you configure a
port as an edge port and BPDU filter port.
Root protection takes effect only on designated ports.
An alternate port is the backup of the root port. If a switch has an alternate port,
configure loop protection on both the root port and alternate port.
4.15 SEP
Other network elements also need to support SEP.
License Support
SEP is a basic feature of a switch and is not under license control.
Version Support
Table 4-24 Products and minimum version supporting SEP
Series
Product
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI

S2750EI
V200R003
S3700SI

S3700EI

S3700
Issue 11 (2016-07-22)

106

Switches
Series
S5700
S6700
Product
Minimum Version
Required
S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
Issue 11 (2016-07-22)
Table 4-25 lists the specification of SEP.

107

Switches
Table 4-25 Specification of SEP
Item
Specification
Maximum number of segments on the

device
16.
On a SEP network where there are no-neighbor edge interfaces, a device that is not in a
SEP segment cannot be added to the control VLAN of the SEP segment. Otherwise, a
loop will occur on the network.
4.16 RRPP
License Support
RRPP is a basic feature of a switch and is not under license control.
Version Support
Table 4-26 Products and minimum version supporting RRPP
Series
Product
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported
S2700EI

S2710SI

S2720EI
V200R006 (The S2720 is

and V200R008.)
S2750EI
V200R003
S3700SI

S3700
Issue 11 (2016-07-22)

108

Switches
Series
S5700
S6700
Issue 11 (2016-07-22)
Product
Minimum Version
Required
S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5700HI

S5710HI

S5720HI
V200R006
S5720SI/S5720S-SI
V200R008
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

109

Switches

Only the S5700HI, S5710HI, S5720EI, S5720HI, S5710EI, S6700EI, S6720S-EI, and
S6720EI support RRPP snooping.
When you configure the list of protected VLANs, note the following points:
l
Protected VLANs must be configured before you configure an RRPP ring.
You can delete or change existing protected VLANs before configuring an RRPP ring.
The protected VLANs cannot be changed after the RRPP ring is configured.
In the same physical topology, the control VLAN in a domain cannot be configured as a
protected VLAN in another domain.
The control VLAN must be included in the protected VLANs; otherwise, the RRPP ring
cannot be configured.
The control VLAN can be mapped to other instances before the RRPP ring is created.
After the RRPP ring is created, the mapping cannot be changed unless you delete the
RRPP ring.
When the mapping between instances and VLANs changes, the protected VLANs in the
RRPP domain also change.
All the VLANs allowed by an RRPP interface must be configured as protected VLANs.
4.17 ERPS (G.8032)

Other network elements are required to support ERPS functions.
License Support
ERPS is a basic feature of a switch and is not under license control.
Version Support
Table 4-27 Products and minimum version supporting ERPS
Issue 11 (2016-07-22)
Series
Product
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported
S2700EI

S2710SI
Not supported

110

Switches
Series
S3700
S5700
S6700
Issue 11 (2016-07-22)
Product
Minimum Version
Required
S2720EI
V200R006 (The S2720 is

and V200R008.)
S2750EI
V200R003
S3700SI
Not supported
S3700EI
Not supported
S3700HI

S5700LI
V200R001
S5700S-LI
Not supported
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5700HI

S5710HI

S5720HI
V200R006
S5720SI/S5720S-SI
V200R008
S6700EI


111

Switches
Series
Product
Minimum Version
Required
S6720EI
V200R008
S6720S-EI
V200R009

l
V200R002 and earlier versions support only ERPSv1.
Before adding a port to an ERPS ring, ensure that port security has been disabled on the
port. Otherwise, loops cannot be eliminated.
Before adding a port to an ERPS ring, ensure that the Spanning Tree Protocol (STP),
Rapid Ring Protection Protocol (RRPP), Smart Ethernet Protection (SEP), or Smart Link
is not enabled on the port.
The S5700S-LI and S6700EI do not support association between an ERPS interface and
Ethernet CFM.
4.18 LBDT
License Support
LBDT is a basic feature of a switch and is not under license control.
Version Support
Table 4-28 Products and minimum version supporting LBDT
Issue 11 (2016-07-22)
Series
Product
Minimum Version
Required
S1700
S1720GFR

and V200R008.)
S2700
S2700EI

S2700SI


112

Switches
Series
S3700
S5700
Issue 11 (2016-07-22)
Product
Minimum Version
Required
S2710SI

S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700EI

S5700SI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI


113

Switches
Series
S6700
Product
Minimum Version
Required
S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
LBDT requires that the device should send a large number of detection packets to detect
loops, occupying system resources. Therefore, disable LBDT if loops do not need to be
detected.
LBDT cannot be configured on an Eth-Trunk or its member interfaces.
LBDT cannot be used with ERPS, RRPP, SEP, Smart Link, STP, RSTP, MSTP, or VBST.
The S2700SI and S2710SI support only detection of self-loops on an interface, and do
not support detection loops on the downstream device or between interfaces.
4.19 Layer 2 Protocol Transparent Transmission

License Support
Layer 2 protocol transparent transmission is a basic feature of a switch and is not under
license control.
Version Support
Table 4-29 Products and minimum version supporting Layer 2 protocol transparent
transmission
Issue 11 (2016-07-22)
Series
Product
Minimum Version
Required
S1700
S1720GFR

and V200R008.)
S2700
S2700SI
Not supported

114

Switches
Series
S3700
S5700
Issue 11 (2016-07-22)
Product
Minimum Version
Required
S2700EI

S2710SI
Not supported
S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700EI

S5700SI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI


115

Switches
Series
S6700
Product
Minimum Version
Required
S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
When the default CPCAR value is used, the device transparently transmits a maximum
of 10 Layer 2 protocol packets per second. Excess packets are discarded.
On the S5700HI, if the VLANIF interface configured based on a PVID is bound to a

VSI, interfaces corresponding to this PVID cannot forward Layer 2 protocol BPDUs.
In V200R005 and later versions, when PVST+ packets need to be transparently

transmitted, disable VBST on the interface. Otherwise, PVST+ packets cannot be
transparently transmitted.
Do not replace the destination MAC addresses of SSTP, STP, GVRP, and GMRP packets
with the same multicast MAC address.
When configuring Layer 2 protocol transparent transmission, do not use any of the
following multicast MAC addresses to replace the destination MAC address of Layer 2
protocol packets:
Destination MAC addresses of BPDUs: 0180-C200-0000 to 0180-C200-002F
Destination MAC address of Smart Link packets: 010F-E200-0004
Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
Common multicast MAC addresses that have been used on the device
To transparently transmit BPDUs such as DLDP and EFM packets on a physical

interface, the L2PT tunnel egress cannot be the Eth-Trunk. Otherwise, BPDU negotiation
may be abnormal.
When an interface is enabled to transparently transmit the packets of a certain protocol,

these packets do not participate in protocol processing. For example, after an interface is
enabled to transparently transmit STP packets, the interface does not participate in STP
calculation. Therefore, you are advised not to enable a protocol and the transparent
transmission of this protocol on the same interface.
Issue 11 (2016-07-22)

116

Switches
5 IP Service
IP Service
About This Chapter

5.1 ARP
5.2 DHCP
5.3 DHCP Policy VLAN
This section provides the points of attention when configuring the DHCP policy VLAN
function.
5.4 DNS
5.5 mDNS Relay
This section provides the points of attention when configuring mDNS relay.
5.6 UDP Helper
5.7 IP Performance
5.8 Basic IPv6
5.9 DHCPv6
This section provides the points of attention when configuring DHCPv6.
5.10 IPv6 DNS
5.11 IPv6 over IPv4 Tunnel
Issue 11 (2016-07-22)

117

Switches
5 IP Service
5.1 ARP
License Support
ARP is a basic feature of a switch and is not under license control.
Version Support
Table 5-1 Products and minimum version supporting ARP
Series
Product
Minimum Version
Required
S1700
S1720GFR

S2700
S2700SI

S2700EI

S2710SI

S2720EI

S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S3700
S5700
Issue 11 (2016-07-22)

118

Switches
Series
S6700
5 IP Service
Product
Minimum Version
Required
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

ARP-CPCAR
CPCAR limits the rate of protocol packets of different services sent to the control plane,
ensuring security of the control plane. A device can set the default CPCAR values for the
packets of each protocol. The CPCAR values of some protocol packets need to be adjusted
based on the actual service scale and user network.
If the CPCAR values are adjusted improperly, network services are affected. To adjust the
CPCAR values of ARP Request and Reply packets, contact Huawei technical support
engineers.
Issue 11 (2016-07-22)

119

Switches
5 IP Service
5.2 DHCP
License Support
DHCP is a basic feature of the device and is not under license control.
Version Support
Table 5-2 Products and minimum version supporting DHCP(DHCP server, and DHCP relay)
Series
Product
Minimum Version
Required
S1700
S1720GFR

S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI

NOTE
The S2720EI supports the
DHCP server function since
V200R009.
S3700
S5700
Issue 11 (2016-07-22)
S2750EI
V200R005
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R005
S5710-C-LI
Not supported

120

Switches
Series
S6700
5 IP Service
Product
Minimum Version
Required
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009
Minimum version supporting DHCP client :V100R006.

Table 5-3 lists DHCP specifications.
Table 5-3 DHCP specifications
Issue 11 (2016-07-22)
Function
Description
Specifications
DHCP server
Maximum number of IP
addresses that can be
allocated by the device
16384

121

Switches
Function
DHCP relay
DHCP client
5 IP Service
Description
Specifications
address pools that can be
configured on the device
128 (including global and

interface address pools). The
number of address pools of
each type is not limited.
Maximum number of egress

gateway addresses that can
be configured in the global
address pool view
Maximum number of DNS

server or NetBIOS server IP
addresses configured in an
address pool
addresses in each address
pool
l Interface address pool:

8192
Maximum number of fixed

IP addresses that can be
allocated to specified clients
4096
Number of customized
options in each address pool
Maximum number of DHCP

server groups that can be
configured on the device
32

servers in a DHCP server
group
20

server groups that can be
applied to an interface

server addresses that can be
configured on an interface
20
addresses that a DHCP
client can apply for
l S5720HI, S5720EI,
S5720SI, S5720S-SI,
S6720EI, and S6720SEI: 32
l Global address pool:

16384
l S1720GFR, S2720,
S2750EI, S5700LI,
S5700S-LI, and S5710X-LI: 8
Issue 11 (2016-07-22)

122

Switches
5 IP Service
5.3 DHCP Policy VLAN

This section provides the points of attention when configuring the DHCP policy VLAN
function.

License Support
The DHCP policy VLAN function is a basic feature of the device and is not under license
control.
Version Support
Table 5-4 Products and minimum version supporting the DHCP policy VLAN function
Series
Product
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI
Not supported
S3700HI

S5700LI/S5700S-LI
Not supported
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
Not supported
S5700SI

S3700
S5700
Issue 11 (2016-07-22)

123

Switches
Series
S6700
5 IP Service
Product
Minimum Version
Required
S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

None
5.4 DNS
License Support
DNS is a basic feature of the device and is not under license control.
Issue 11 (2016-07-22)

124

Switches
5 IP Service
Version Support
Table 5-5 Products and minimum version supporting DNS
Series
Product
Minimum Version
Required
S1700
S1720GFR

S2700
S2700SI

S2700EI

S2710SI

S2720EI

S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S3700
S5700
Issue 11 (2016-07-22)

125

Switches
Series
S6700
5 IP Service
Product
Minimum Version
Required
S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

A switch only supports the DNS client function.
When static DNS is configured, a maximum of fifty static DNS entries can be configured on
the device.
When dynamic DNS is configured, a maximum of six DNS server IP addresses (shared by
IPv4 and IPv6) and ten domain name suffixes can be configured on the device.
5.5 mDNS Relay

This section provides the points of attention when configuring mDNS relay.
Issue 11 (2016-07-22)

126

Switches
5 IP Service

Role
Product Model
Minimum
Version Required
Description
mDNS gateway
Huawei ACs
V200R005
Records all available

service lists on the
network, and
responds to service
requests of the user
terminals that
support Bonjour
technology.
License Support
mDNS relay is a basic feature of the device and is not under license control.
Version Support
Table 5-6 Products and minimum version supporting mDNS relay
Series
Product
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700SI
Not supported
S5700EI
Not supported
S3700
S5700
Issue 11 (2016-07-22)

127

Switches
Series
S6700
5 IP Service
Product
Minimum Version
Required
S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
Not supported
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

A switch only supports the mDNS relay function.
5.6 UDP Helper

License Support
The UDP helper function is a basic feature of a switch and is not under license control.
Version Support
Table 5-7 Products and minimum version supporting the UDP helper function
Issue 11 (2016-07-22)
Series
Product
Minimum Version
Required
S1700
S1720GFR
Not supported

128

Switches
Series
Product
Minimum Version
Required
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI
Not supported
S3700HI

S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700SI
Not supported
S5700EI
Not supported
S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009
S3700
S5700
S6700
Issue 11 (2016-07-22)
5 IP Service

129

Switches
5 IP Service

None
5.7 IP Performance
License Support
IP performance is a basic feature of a switch and is not under license control.
Version Support
Table 5-8 Products and minimum version supporting IP performance
Series
Product
Minimum Version
Required
S1700
S1720GFR

S2700
S2700SI

S2700EI

S2710SI

S2720EI

S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S3700
Issue 11 (2016-07-22)

130

Switches
5 IP Service
Series
Product
Minimum Version
Required
S5700
S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009
S6700

None
Issue 11 (2016-07-22)

131

Switches
5 IP Service
5.8 Basic IPv6

License Support
IPv6 is a basic feature of a switch and is not under license control.
Version Support
Table 5-9 Products and minimum version supporting IPv6
Series
Product
Minimum Version
Required
S1700
S1720GFR

S2700
S2700SI

S2700EI

S2710SI

S2720EI

S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S3700
S5700
Issue 11 (2016-07-22)

132

Switches
Series
S6700
5 IP Service
Product
Minimum Version
Required
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

ND-CPCAR
The device can set the CPCAR values for the packets of each protocol. The CPCAR values of
some protocol packets need to be adjusted based on the actual service scale and user network.
If the default CPCAR value of ND packets cannot meet the packet exchange requirements
when too many IPv6 user hosts are connected to the device, a large number of ND packets
may be lost and the device fails to learn ND neighbor entries. Therefore, the CPCAR value
must be adjusted. To prevent the CPU from running with a high load, the CPCAR value needs
to be increased to a proper value.
Issue 11 (2016-07-22)

133

Switches
5 IP Service
CPCAR values of ND packets, contact technical support personnel.
5.9 DHCPv6
This section provides the points of attention when configuring DHCPv6.

License Support
DHCPv6 is a basic feature of the device and is not under license control.
Version Support
Table 5-10 Products and minimum version supporting DHCPv6
Series
Product
Minimum Version
Required
S1700
S1720GFR

S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI

S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S3700
S5700
Issue 11 (2016-07-22)

134

Switches
Series
S6700
5 IP Service
Product
Minimum Version
Required
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

None
5.10 IPv6 DNS

Issue 11 (2016-07-22)

135

Switches
5 IP Service
License Support
IPv6 DNS is a basic feature of the device and is not under license control.
Version Support
Table 5-11 Products and minimum version supporting IPv6 DNS
Series
Product
Minimum Version
Required
S1700
S1720GFR

S2700
S2700SI

S2700EI

S2710SI

S2720EI

S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S3700
S5700
Issue 11 (2016-07-22)

136

Switches
Series
S6700
5 IP Service
Product
Minimum Version
Required
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

A switch only supports the IPv6 DNS client function.
When static IPv6 DNS entries are configured, each domain name can map a maximum of
eight IPv6 addresses.
When dynamic DNS is configured, a maximum of six DNS server IP addresses (shared by
IPv4 and IPv6) can be configured on the device.

Issue 11 (2016-07-22)

137

Switches
5 IP Service
License Support
The IPv6 over IPv4 tunnel function is a basic feature of a switch and is not under license
control.
Version Support
Table 5-12 Products and minimum version supporting the IPv6 over IPv4 tunnel function
Series
Product
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S3700
S5700
Issue 11 (2016-07-22)

138

Switches
Series
S6700
5 IP Service
Product
Minimum Version
Required
S5700HI

S5710HI

S5720HI
V200R009
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
After you run the ip error-packet-check disable command on the S5720SI, S5720S-SI
to disable the IP packet checking function, the IPv6 over IPv4 tunnel function does not
take effect.
After you run the drop illegal-mac alarm command on the S5720SI and S5720S-SI to
configure the switch to send a trap to the network management system (NMS) when
receiving a packet with an all-0 MAC address, the IPv6 over IPv4 tunnel function does
not take effect.
After you run the drop illegal-mac enable command on the S5720SI and S5720S-SI to
discard packets with an all-0 invalid MAC address, the IPv6 over IPv4 tunnel function
does not take effect.
The devices in stack do not support the IPv6 over IPv4 Tunnel function.

License Support
The IPv4 over IPv6 tunnel function is a basic feature of a switch and is not under license
control.
Issue 11 (2016-07-22)

139

Switches
5 IP Service
Version Support
Table 5-13 Products and minimum version supporting the IPv6 over IPv4 tunnel function
Series
Product
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700SI
Not supported
S5700EI
Not supported
S5710EI
Not supported
S5720EI
Not supported
S5720SI/S5720S-SI
Not supported
S5700HI
Not supported
S5710HI
Not supported
S5720HI
V200R009
S6700EI
Not supported
S6720EI
Not supported
S6720S-EI
Not supported
S3700
S5700
S6700

l
Issue 11 (2016-07-22)
None

140

Switches
6 IP Unicast Routing
IP Unicast Routing
About This Chapter

6.1 ip routing table management
6.2 RIP
6.3 RIPng
6.4 OSPF
6.5 OSPFv3
6.6 IPv4 IS-IS
6.7 IPv6 IS-IS
6.8 BGP
6.9 Routing Policy
6.10 PBR
Issue 11 (2016-07-22)

141

Switches
6.1 ip routing table management

License Support
The number of IPv4 FIB entries supported by an S5720HI depends on licenses. For the
maximum number of IPv4 FIB entries, contact the Huawei local office.
Version Support
Table 6-1 Products and minimum version supporting VLAN technology
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

and V200R008.)
S2700
S2700SI

S2700EI

S2710SI

S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S3700
Issue 11 (2016-07-22)

142

Switches
Series
Product
Minimum Version
Required
S5700
S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700EI

S5700SI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009
S6700

None
6.2 RIP
Issue 11 (2016-07-22)

143

Switches

Other network elements are required to support RIP.
License Support
RIP is not under license control.
Version Support
Table 6-2 Products and minimum version supporting RIP
Series
Product Model
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI
Not supported (The S2700SI

S2700EI
Not supported (The

S2700EI is unavailable in
V200R001 and later
versions.)
S2710SI

S2720EI
V200R009. Supported only

when Layer 3 hardware
forwarding for IPv4 packets
is enabled. To enable this
function, run the assign
forward-mode ipv4hardware command.
S2750EI

S3700SI

S3700EI

S3700
Issue 11 (2016-07-22)

144

Switches
Series
S5700
S6700
Issue 11 (2016-07-22)
Product Model
Minimum Version
Required
S3700HI

S5700LI/S5700S-LI
V200R009. S5700-10PPWR-LI-AC/S5700-10P-LIAC support RIP only when

Layer 3 hardware
S5710-C-LI
Not supported (The S5710C-LI is unavailable in

V200R002 and later
versions.)
S5710-X-LI
V200R009
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

145

Switches

None.
6.3 RIPng
Other network elements are required to support RIPng.
License Support
RIPng is not under license control.
Version Support
Table 6-3 Products and minimum version supporting RIPng
Series
Product Model
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI

S2700EI
Not supported (The

V200R001 and later
versions.)
S2710SI

S2720EI
Not supported
S2750EI
Not supported
S3700SI

S3700EI

S3700
Issue 11 (2016-07-22)

146

Switches
Series
S5700
S6700
Product Model
Minimum Version
Required
S3700HI

S5700LI/S5700S-LI
Supported. Only the

S5700-10P-PWR-LI-AC/
S5700-10P-LI-AC do not
support RIPng.
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R009
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

None.
Issue 11 (2016-07-22)

147

Switches
6.4 OSPF
Other network elements are required to support OSPF.
License Support
OSPF is not under license control.
Version Support
Table 6-4 Products and minimum version supporting OSPF
Series
Product Model
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI

S2700EI
Not supported (The

V200R001 and later
versions.)
S2710SI

S2720EI
Not supported
S2750EI
Not supported
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
Not supported
S3700
S5700
Issue 11 (2016-07-22)

148

Switches
Series
S6700
Product Model
Minimum Version
Required
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
Not supported
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

None.
6.5 OSPFv3
Other network elements are required to support OSPFv3.
Issue 11 (2016-07-22)

149

Switches
License Support
OSPFv3 is not under license control.
Version Support
Table 6-5 Products and minimum version supporting OSPFv3
Series
Product Model
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI

S2700EI
Not supported (The

V200R001 and later
versions.)
S2710SI

S2720EI
Not supported
S2750EI
Not supported
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
Not supported
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
Not supported
S5700SI

S3700
S5700
Issue 11 (2016-07-22)

150

Switches
Series
S6700
Product Model
Minimum Version
Required
S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

None.
6.6 IPv4 IS-IS

Other network elements are required to support IS-IS (IPv4).
License Support
IS-IS (IPv4) is not under license control.
Issue 11 (2016-07-22)

151

Switches
Version Support
Table 6-6 Products and minimum version supporting IS-IS (IPv4)
Series
Product Model
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI

S2700EI
Not supported (The

V200R001 and later
versions.)
S2710SI

S2720EI
Not supported
S2750EI
Not supported
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
Not supported
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
Not supported
S5700SI

S5700EI

S3700
S5700
Issue 11 (2016-07-22)

152

Switches
Series
S6700
Product Model
Minimum Version
Required
S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

None.
6.7 IPv6 IS-IS

Other network elements are required to support IS-IS (IPv6).
License Support
IS-IS (IPv6) is not under license control.
Version Support
Table 6-7 Products and minimum version supporting IS-IS (IPv6)
Issue 11 (2016-07-22)
Series
Product Model
Minimum Version
Required
S1700
S1720
Not supported

153

Switches
Series
Product Model
Minimum Version
Required
S2700
S2700SI

S2700EI
Not supported (The

V200R001 and later
versions.)
S2710SI

S2720EI
Not supported
S2750EI
Not supported
S3700SI

S3700EI
Not supported (The

V200R001 and later
versions.)
S3700HI

S5700LI/S5700S-LI
Not supported
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
Not supported
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S3700
S5700
Issue 11 (2016-07-22)

154

Switches
Series
S6700
Product Model
Minimum Version
Required
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

None.
6.8 BGP
Other network elements are required to support BGP.
License Support
The BGP4/BGP4+ feature is not under license control.
Version Support
Table 6-8 Products and minimum version supporting BGP
Issue 11 (2016-07-22)
Series
Product Model
Minimum
Version Required
Supporting BGP
Minimum
Version Required
Supporting
BGP4+
S1700
S1720
Not supported
Not supported

155

Switches
Series
Product Model
Minimum
Version Required
Supporting BGP
Minimum
Version Required
Supporting
BGP4+
S2700
S2700SI
Not supported (The

S2700SI is
unavailable in
V200R001 and later
versions.)
Not supported (The

S2700SI is
unavailable in
V200R001 and later
versions.)
S2700EI
Not supported (The

S2700EI is
unavailable in
V200R001 and later
versions.)
Not supported (The

S2700EI is
unavailable in
V200R001 and later
versions.)
S2710SI
Not supported (The

S2710SI is
unavailable in
V200R001 and later
versions.)
Not supported (The

S2710SI is
unavailable in
V200R001 and later
versions.)
S2720EI
Not supported
Not supported
S2750EI
Not supported
Not supported
S3700SI
Not supported (The

S3700SI is
unavailable in
V200R001 and later
versions.)
Not supported (The

S3700SI is
unavailable in
V200R001 and later
versions.)
S3700EI
V100R005 (The
S3700EI is
unavailable in
V200R001 and later
versions.)
Not supported (The

S3700EI is
unavailable in
V200R001 and later
versions.)
S3700HI
V100R006 (The
S3700HI is
unavailable in
V200R002 and later
versions.)
V200R001 (The
S3700HI is
unavailable in
V200R002 and later
versions.)
S5700LI/S5700S-LI
Not supported
Not supported
S5710-C-LI
Not supported (The

S5710-C-LI is
unavailable in
V200R002 and later
versions.)
Not supported (The

S5710-C-LI is
unavailable in
V200R002 and later
versions.)
S5710-X-LI
Not supported
Not supported
S3700
S5700
Issue 11 (2016-07-22)

156

Switches
Series
S6700
Product Model
Minimum
Version Required
Supporting BGP
Minimum
Version Required
Supporting
BGP4+
S5700SI
Not supported (The

S5700SI is
unavailable in
V200R006 and later
versions.)
Not supported (The

S5700SI is
unavailable in
V200R006 and later
versions.)
S5700EI
V100R005 (The
S5700EI is
unavailable in
V200R006 and later
versions.)
V200R001 (The
S5700EI is
unavailable in
V200R006 and later
versions.)
S5710EI
V200R001 (The
S5710EI is
unavailable in
V200R006 and later
versions.)
V200R001 (The
S5710EI is
unavailable in
V200R006 and later
versions.)
S5720EI
V200R007
V200R007
S5720SI/S5720S-SI
V200R008
V200R008
S5700HI
V100R006 (The
S5700HI is
unavailable in
V200R006 and later
versions.)
V200R001 (The
S5700HI is
unavailable in
V200R006 and later
versions.)
S5710HI
V200R003 (The
S5710HI is
unavailable in
V200R006 and later
versions.)
V200R003 (The
S5710HI is
unavailable in
V200R006 and later
versions.)
S5720HI
V200R006
V200R006
S6700EI
V100R006 (The
S6700EI is
unavailable in
V200R006 and later
versions.)
V200R001 (The
S6700EI is
unavailable in
V200R006 and later
versions.)
S6720EI
V200R008
V200R008
S6720S-EI
V200R009
V200R009

None.
Issue 11 (2016-07-22)

157

Switches
6.9 Routing Policy

License Support
Route-policy is not under license control.
Version Support
Table 6-9 Products and minimum version supporting route-policy
Series
Product Model
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI

S2700EI
Not supported (The

V200R001 and later
versions.)
S2710SI

S2720EI

S2750EI

S3700SI

S3700
Issue 11 (2016-07-22)

158

Switches
Series
S5700
Issue 11 (2016-07-22)
Product Model
Minimum Version
Required
S3700EI

S3700HI

S5700LI/S5700S-LI
V200R009. S5700-10PPWR-LI-AC/S5700-10P-LIAC support Route-policy

only when Layer 3 hardware
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R009
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006

159

Switches
Series
Product Model
Minimum Version
Required
S6700
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

None.
6.10 PBR
License Support
PBR is not under license control.
Version Support
Table 6-10 Products and minimum version supporting PBR
Issue 11 (2016-07-22)
Series
Product Model
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI

S2700EI
Supported only by S2752EI

V100R005 and V100R006
(The S2700EI is unavailable
versions.)
S2710SI

S2720EI
Not supported

160

Switches
Series
S3700
S5700
S6700
Issue 11 (2016-07-22)
Product Model
Minimum Version
Required
S2750EI
Not supported
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
Not supported
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
Not supported
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008

161

Switches
Series
Product Model
Minimum Version
Required
S6720S-EI
V200R009

None.
Issue 11 (2016-07-22)

162

Switches
7 IP Multicast
IP Multicast
About This Chapter

7.1 IGMP
7.2 MLD
7.3 PIM (IPv4)
7.4 PIM (IPv6)
7.5 MSDP
7.6 Multicast VPN
7.7 Multicast Route Management (IPv4)
7.9 IGMP Snooping
7.10 MLD Snooping
7.11 Static Multicast MAC Address
7.12 Multicast VLAN Replication
7.13 Controllable Multicast
7.14 Multicast Network Management
Issue 11 (2016-07-22)

163

Switches
7 IP Multicast
7.1 IGMP
An IPv4 multicast network consists of the following network elements:
l
Multicast source
A device that sends multicast data to receiver hosts. For example, a video server is a
multicast source.
IPv4 Protocol Independent Multicast (PIM) device

A device that uses the PIM (IPv4) protocol to generate and maintain multicast routing
entries and forwards multicast data based on multicast routing entries. On an IPv4
multicast network, all Layer 3 devices must run PIM (IPv4); otherwise, multicast
forwarding paths cannot be established.
Multicast Source Discovery Protocol (MSDP) device

A device that forwards multicast data from one PIM network to another. For example, if
multicast data needs to be transmitted between two autonomous systems (ASs), the
devices at the border of the ASs must run the MSDP protocol.
Multicast VPN device

Multicast VPN enables multicast data of a private network to be transmitted over a
public network. Multicast VPN devices are used on VPN networks. For example, if two
sites of a VPN network need to exchange multicast data across a public network,
multicast VPN needs to be configured on the PE devices.
IGMP querier
A device that exchanges IGMP messages with receiver hosts to create and maintain
group memberships. On a multicast network, Layer 3 devices connected to network
segments of receivers must run the IGMP protocol or be configured with static IGMP
groups. Otherwise, upstream PIM devices cannot know the multicast groups that users
want to join, and therefore cannot establish multicast forwarding paths.
IGMP snooping device

A device that listens on IGMP messages exchanged between upstream Layer 3 multicast
devices and receiver hosts to create and maintain Layer 2 multicast forwarding entries,
which are used for accurate multicast data forwarding on a Layer 2 network. To prevent
broadcasting of multicast packets on a Layer 2 network and conserve network
bandwidth, it is recommended that you configure IGMP snooping on Layer 2 devices.
Receiver
A multicast user that receives multicast data. A receiver can be a PC, a set top box, or
any device with multicast client installed.
The "IGMP Configuration" chapter is about configuring a Layer 3 device as an IGMP querier.
License Support
IGMP is a basic feature of a switch and is not under license control.
Issue 11 (2016-07-22)

164

Switches
7 IP Multicast
Version Support
Table 7-1 Products and minimum versions supporting IGMP
Series
Product Model
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI/S2710SI/S2700EI/
S2720EI/S2750EI
Not supported
S3700
S3700SI
Not supported
S3700EI

S3700HI

S5700S-LI/S5700LI/S5710C-LI/S5710-X-LI/S5700SI
Not supported
S5720S-SI/S5720SI
V200R008
S5700EI

S5710EI

S5700HI

S5710HI

S5720EI
V200R007
S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009
S5700
S6700
Issue 11 (2016-07-22)

165

Switches
7 IP Multicast

l
Only the S5720HI supports wireless access to an IPv4 multicast network. When wireless
users connect to the IPv4 multicast network, the S5720HI's Layer 3 interfaces toward
wireless users do not support IGMP SSM mapping and static multicast group
configuration.
IGMP-capable switches support IGMP configuration on physical interfaces that have

been switched to Layer 3 mode using the undo portswitch command since V200R005.
This configuration, however, is not supported on the S5720S-SI and S5720SI.
Only the following versions of products support the IGMP multi-instance feature:
V200R005C01: S6700EI and S5700HI
V200R005C02: S6700EI, S5700HI, and S5710HI
V200R005C03: S5710HI
When IGMP multi-instance is configured, physical interfaces that have been switched to
the Layer 3 mode using the undo portswitch cannot be bound to the VPN instances.
If both Layer 2 and Layer 3 multicast services are required in a VLAN, enable IGMP on
the corresponding VLANIF interface first, and then enable IGMP snooping in the
VLAN. If IGMP snooping is enabled in the VLAN first, IGMP cannot be enabled on the
VLANIF interface.
7.2 MLD
l
Multicast source
Sends multicast data to receiver hosts. For example, a video server is a multicast source.

:
A device that uses the IPv6 PIM protocol to generate and maintain multicast routing
multicast network, all Layer 3 devices must run IPv6 PIM; otherwise, multicast
MLD querier
A device that exchanges MLD messages with receiver hosts to create and maintain group
memberships. On a multicast network, Layer 3 devices connected to network segments
of receivers must run the MLD protocol or be configured with static MLD groups.
Otherwise, upstream PIM devices cannot know the multicast groups that users want to
join, and therefore cannot establish multicast forwarding paths.
MLD snooping device

A device that listens to MLD messages exchanged between upstream Layer 3 multicast
bandwidth, it is recommended that you configure MLD snooping on Layer 2 devices.
l
Issue 11 (2016-07-22)
Receiver
166

Switches
7 IP Multicast
The "MLD Configuration" chapter mainly describes how to configure a Layer 3 device as an
MLD querier.
License Support
MLD is a basic feature of a switch and is not under license control.
Version Support
Table 7-2 Products and minimum versions supporting MLD
Series
Product Model
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI/S2710SI/S2700EI/
S2720EI/S2750EI
Not supported
S3700
S3700SI/S3700EI/S3700HI
Not supported
S5700
Not supported
S5720S-SI/S5720SI
V200R008
S5700EI

S5710EI

S5700HI

S5710HI

S5720EI
V200R007
S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009
S6700
Issue 11 (2016-07-22)

167

Switches
7 IP Multicast

l
MLD-capable switches support MLD configuration on physical interfaces that have been
switched to Layer 3 mode using the undo portswitch command since V200R005. This
configuration, however, is not supported on the S5720S-SI and S5720SI.
Before configuring MLD, enable IPv6.
If both Layer 2 and Layer 3 multicast services are required in a VLAN, enable MLD on
the corresponding VLANIF interface first, and then enable MLD Snooping in the
VLAN. If MLD Snooping is enabled in the VLAN first, MLD cannot be enabled on the
VLANIF interface.
7.3 PIM (IPv4)

l
Multicast source
multicast source.



IGMP querier

l
Issue 11 (2016-07-22)
Receiver
168

Switches
7 IP Multicast
Generally, PIM (IPv4) is configured on a device that needs to run PIM (IPv4) to monitor and
maintain multicast forwarding paths.
License Support
PIM (IPv4) is a basic feature of a switch and is not under license control.
Version Support
Table 7-3 Products and minimum versions supporting PIM (IPv4)
Series
Product Model
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI/S2710SI/S2700EI/
S2720EI/S2750EI
Not supported
S3700
S3700SI
Not supported
S3700EI

S3700HI

Not supported
S5720S-SI/S5720SI
V200R008
S5700EI

S5710EI

S5700HI

S5710HI

S5720EI
V200R007
S5720HI
V200R006
S5700
Issue 11 (2016-07-22)

169

Switches
7 IP Multicast
Series
Product Model
Minimum Version
Required
S6700
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
PIM (IPv4)-capable switches support PIM (IPv4) configuration on physical interfaces

that have been switched to Layer 3 mode using the undo portswitch command since
V200R005. This configuration, however, is not supported on the S5720S-SI and
S5720SI.
Only the following products and versions support the PIM (IPv4) multi-instance feature:
V200R005C01: S6700EI and S5700HI
V200R005C03: S5710HI
PIM (IPv4) can be configured in a VPN instance, but the VPN instance cannot be bound
to a physical interface that has been switched to Layer 3 mode using the undo
portswitch command.
PIM-DM and PIM-SM cannot be configured simultaneously in a VPN instance or the

public network instance.
The VLANIF interface corresponding to the super VLAN cannot be used as an inbound
interface of multicast data packets, that is, interface facing the multicast source.
If both Layer 2 and Layer 3 multicast services are required in a VLAN, enable
PIM(IPv4) on the corresponding VLANIF interface first, and then enable IGMP
snooping in the VLAN. If IGMP snooping is enabled in the VLAN first, PIM(IPv4)
cannot be enabled on the VLANIF interface.
7.4 PIM (IPv6)

l
Multicast source

:
Issue 11 (2016-07-22)

170

Switches
7 IP Multicast
MLD querier
MLD snooping device

Receiver
The "IPv6 PIM Configuration" chapter describes how to configure IPv6 PIMon a Layer 3
device.
License Support
IPv6 PIM is a basic feature of a switch and is not under license control.
Version Support
Table 7-4 Products and minimum versions supporting IPv6 PIM
Issue 11 (2016-07-22)
Series
Product Model
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI/S2710SI/S2700EI/
S2720EI/S2750EI
Not supported
S3700
S3700SI/S3700EI/S3700HI
Not supported
S5700
Not supported
S5720S-SI/S5720SI
V200R008
S5700EI

S5710EI

S5700HI


171

Switches
Series
S6700
7 IP Multicast
Product Model
Minimum Version
Required
S5710HI

S5720EI
V200R007
S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
IPv6 PIM-capable switches support IPv6 PIM configuration on physical interfaces that
have been switched to Layer 3 mode using the undo portswitch command since
V200R005. This configuration, however, is not supported on the S5720S-SI and
S5720SI.
Before configuring IPv6 PIM, enable IPv6.
IPv6 PIM-DM and IPv6 PIM-SM cannot be configured simultaneously on a switch.
If both Layer 2 and Layer 3 multicast services are required in a VLAN, enable
PIM(IPv6) on the corresponding VLANIF interface first, and then enable MLD
Snooping in the VLAN. If MLD Snooping is enabled in the VLAN first, PIM(IPv6)
cannot be enabled on the VLANIF interface.
7.5 MSDP
l
Multicast source
multicast source.


Issue 11 (2016-07-22)

172

Switches
7 IP Multicast

IGMP querier

Receiver
The "MSDP Configuration" chapter describes how to configure MSDP on a Layer 3 device.
License Support
MSDP is a basic feature of a switch and is not under license control.
Version Support
Table 7-5 Products and minimum versions supporting MSDP
Series
Product Model
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI/S2710SI/S2700EI/
S2720EI/S2750EI
Not supported
S3700
S3700SI
Not supported
S3700EI
Not supported
S3700HI

Not supported
S5720S-SI/S5720SI
V200R008
S5700
Issue 11 (2016-07-22)

173

Switches
Series
S6700
7 IP Multicast
Product Model
Minimum Version
Required
S5700EI

S5710EI

S5700HI

S5710HI

S5720EI
V200R007
S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
Only the following products and versions support the MSDP multi-instance feature:
V200R005C01: S6700EI and S5700HI
V200R005C03: S5710HI
7.6 Multicast VPN

l
Multicast source
multicast source.

Issue 11 (2016-07-22)

174

Switches
7 IP Multicast
l


IGMP querier

Receiver
The "Multicast VPN Configuration" chapter describes how to configure multicast VPN on a
provider edge (PE) device.
License Support
Multicast VPN is a basic feature of a switch and is not under license control.
Version Support
Table 7-6 Products and minimum versions supporting multicast VPN
Issue 11 (2016-07-22)
Series
Product
S1700
S1720
Not supported
S2700
S2700SI/S2710SI/S2700EI/
S2720EI/S2750EI
Not supported
S3700
S3700SI/S3700EI/S3700HI
Not supported

175

Switches
7 IP Multicast
Series
Product
S5700
S5700S-LI/S5700LI/S5710-C-LI/
S5710-X-LI/S5700SI/S5720S-SI/
S5720SI/S5700EI/S5710EI/
S5720EI/S5720HI
Not supported
S5700HI
V200R005C01 (The S5700HI is

versions.)
S5710HI
V200R005C02 (The S5710HI is

versions.)
S6700EI/S6720EI/S6720S-EI
Not supported
S6700

l
Multicast domain (MD) based multicast VPN on the switch does not support PIM-SM in
the SSM model used on the public network.
The switch does not support multicast VPN on an inter-AS BGP/MPLS IPv4 VPN
network.
The switch does not support multicast VPN on an BGP/MPLS IPv6 VPN network.

The following elements comprise a typical IPv4 multicast network:
l
Multicast source: sends multicast data to receiver hosts. For example, a video server is a
multicast source.
IPv4 Protocol Independent Multicast (PIM) device: uses the IPv4 PIM protocol to
generate and maintain multicast routing entries and forwards multicast data based on
multicast routing entries. On an IPv4 multicast network, all Layer 3 devices must run
IPv4 PIM; otherwise, multicast forwarding paths cannot be established.
Multicast Source Discovery Protocol (MSDP) device: forwards multicast data from one
PIM network to another. For example, if multicast data needs to be transmitted between
two autonomous systems (ASs), the devices at the borders of each AS must run the
MSDP protocol.
Multicast VPN device: enables multicast data on a private network to be transmitted over
a public network. For example, if two sites of a VPN network need to exchange
multicast data across a public network, multicast VPN must be configured on the PE
devices.
IGMP querier: exchanges IGMP messages with receiver hosts to create and maintain
Issue 11 (2016-07-22)

176

Switches
7 IP Multicast
IGMP snooping device: listens on IGMP messages exchanged between upstream Layer 3
multicast devices and receiver hosts to create and maintain Layer 2 multicast forwarding
entries, which are used for accurate multicast data forwarding on a Layer 2 network. To
prevent broadcasting of multicast packets on a Layer 2 network and conserve network
bandwidth, configuring IGMP snooping on Layer 2 devices is recommended.
Receiver: A receiver can be a PC, a set top box, or any device with a multicast client
installed so that users can receive multicast data.
Generally, multicast route management (IPv4) is configured on a device running PIM (IPv4)
to monitor and maintain multicast forwarding paths.
License Support
Multicast route management (IPv4) is a basic feature of a switch and is not under license
control.
Version Support
Table 7-7 Products and minimum versions supporting multicast route management (IPv4)
Series
Product Model
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI/S2710SI/S2700EI/
S2720EI/S2750EI
Not supported
S3700
S3700SI
Not supported
S3700EI

S3700HI

Not supported
S5720S-SI/S5720SI
V200R008
S5700EI

S5710EI

S5700HI

S5700
Issue 11 (2016-07-22)

177

Switches
Series
S6700
7 IP Multicast
Product Model
Minimum Version
Required
S5710HI

S5720EI
V200R007
S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
Multicast route management (IPv4)-capable switches support multicast route

management (IPv4) configuration on physical interfaces that have been switched to
Layer 3 mode using the undo portswitch command since V200R005. This
Only the following products and versions support configuration of multicast route
management (IPv4) in a VPN instance:
V200R005C01: S6700EI and S5700HI
V200R005C03: S5710HI
When configuring multicast route management (IPv4) in a VPN instance, ensure that the
VPN instance is not bound to a physical interface that has been switched to Layer 3
mode using the undo portswitch command.

l
Multicast source

:
Issue 11 (2016-07-22)

178

Switches
7 IP Multicast
MLD querier
MLD snooping device

Receiver
Generally, multicast route management (IPv6) is configured on a device running PIM (IPv6)
to monitor and maintain multicast forwarding paths.
License Support
Multicast route management (IPv6) is a basic feature of a switch and is not under license
control.
Version Support
Table 7-8 Products and minimum versions supporting multicast route management (IPv6)
Issue 11 (2016-07-22)
Series
Product Model
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI/S2710SI/S2700EI/
S2720EI/S2750EI
Not supported
S3700
S3700SI/S3700EI/S3700HI
Not supported
S5700
Not supported
S5720S-SI/S5720SI
V200R008
S5700EI

S5710EI


179

Switches
Series
S6700
7 IP Multicast
Product Model
Minimum Version
Required
S5700HI

S5710HI

S5720EI
V200R007
S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
Multicast route management (IPv6)-capable switches support multicast route

management (IPv6) configuration on physical interfaces that have been switched to
Layer 3 mode using the undo portswitch command since V200R005. This
Before configuring multicast route management (IPv6), enable IPv6.
7.9 IGMP Snooping

l
Multicast source
multicast source.


Issue 11 (2016-07-22)

180

Switches
7 IP Multicast

IGMP querier

Receiver
The "IGMP Snooping Configuration" section describes how to configure IGMP snooping on
a Layer 2 device.
License Support
IGMP snooping is a basic feature of a switch and is not under license control.
Version Support
Table 7-9 Products and minimum versions supporting controllable multicast
Issue 11 (2016-07-22)
Series
Product Model
S1700
S1720

in V200R007 and V200R008
versions.)
S2700
S2700SI/S2710SI
Not supported
S2700EI

versions.)
S2720EI

V200R008 versions.)
S2750EI
V200R003

181

Switches
7 IP Multicast
Series
Product Model
S3700
S3700SI/S3700EI

versions.)
S3700HI

versions.)
S5700LI/S5700S-LI
V200R001
S5710-C-LI

versions.)
S5710-X-LI
V200R008
S5700SI/S5700EI

versions.)
S5720SI/S5720S-SI
V200R008
S5710EI

versions.)
S5700HI

versions.)
S5710HI

versions.)
S5720EI
V200R007
S5720HI
V200R006
S6700EI

versions.)
S6720EI
V200R008
S6720S-EI
V200R009
S5700
S6700

When configuring IGMP snooping, pay attention to the following points:
l
Issue 11 (2016-07-22)
Because IGMP snooping is a Layer 2 multicast feature, all the IGMP snooping
configurations on interfaces mentioned in this chapter are performed on Layer 2 physical
interfaces, including Eth-Trunk interfaces.
182

Switches
7 IP Multicast
On the S5720HI, learning of multicast group memberships can be configured on a

WLAN-ESS interface from versions of V200R005 to V200R008.
If a switch running IGMP snooping receives IGMPv1 or IGMPv2 Report messages with
SSM group addresses (default range: 232.0.0.0/8), the switch does not create Layer 2
multicast forwarding entries.
On a ring network running IGMP snooping, if the downstream port of a device is

configured as a static router port, downstream ports of all devices on the ring network
must be configured as static router ports. Otherwise, multicast traffic cannot be
forwarded normally if the Layer 2 network topology changes. Therefore, it is not
recommended to configure downstream ports as static router ports.
Only the following products and versions support VSI-based IGMP snooping:
S5700HI: V200R001C01 to V200R005
S5710EI: V200R002 to V200R005
S5720EI: V200R009
S5710HI: V200R003 to V200R005
S5720HI: V200R009
S6700EI: V200R005
S6720EI: V200R008 and later versions
S6720S-EI: V200R009
VSI-based IGMP snooping depends on the MPLS feature.

Among S5720EI switches running V200R009C00 and later versions, only some switches
support the MPLS feature. Run the display device capability command on the switch to
check the switch's software and hardware capabilities. The switch supports the MPLS
feature only when chips also support the MPLS feature.
The VSI-based IGMP snooping feature is applicable only to Martini VPLS networking.
The switch supports only MAC address-based multicast forwarding when VSI-based
IGMP snooping is configured.
When configuring VSI-based IGMP snooping, make sure that an AC-side interface on
the VPLS network cannot be a physical Ethernet interface that has been switched to
Layer 3 mode using the undo portswitch command.
If both Layer 2 and Layer 3 multicast services are required in a VLAN, enable IGMP
and PIM(IPv4) on the corresponding VLANIF interface first, and then enable IGMP
snooping in the VLAN. If IGMP snooping is enabled in the VLAN first, IGMP and
PIM(IPv4) cannot be enabled on the VLANIF interface.
7.10 MLD Snooping

l
Multicast source

:
Issue 11 (2016-07-22)

183

Switches
7 IP Multicast
l
MLD querier
MLD snooping device

Receiver
The "MLD Snooping Configuration" chapter describes how to configure MLD snooping on a
Layer 2 device.
License Support
MLD snooping is a basic feature of a switch and is not under license control.
Version Support
Table 7-10 Products and minimum versions supporting MLD snooping
Series
Product Model
S1700
S1720

in V200R007 and V200R008
versions.)
S2700
S2700EI

versions.)
S2720EI

V200R008 versions.)
S2750EI
V200R003
S3700SI/S3700EI

versions.)
S3700
Issue 11 (2016-07-22)

184

Switches
Series
S5700
S6700
7 IP Multicast
Product Model
S3700HI

versions.)
S5700LI/S5700S-LI
V200R001
S5710-C-LI

versions.)
S5710-X-LI
V200R008
S5700SI/S5700EI

versions.)
S5720SI/S5720S-SI
V200R008
S5710EI

versions.)
S5700HI

versions.)
S5710HI

versions.)
S5720EI
V200R007
S5720HI
V200R006
S6700EI

versions.)
S6720EI
V200R008
S6720S-EI
V200R009

l
All the MLD snooping configurations on interfaces mentioned in this chapter are
performed on Layer 2 physical interfaces, including Eth-Trunk interfaces.
If both Layer 2 and Layer 3 multicast services are required in a VLAN, enable MLD and
PIM(IPv6) on the corresponding VLANIF interface first, and then enable MLD
Snooping in the VLAN. If MLD Snooping is enabled in the VLAN first, MLD and
PIM(IPv6) cannot be enabled on the VLANIF interface.
Issue 11 (2016-07-22)

185

Switches
7 IP Multicast
7.11 Static Multicast MAC Address

l
Multicast source
multicast source.



IGMP querier

Receiver

l
Multicast source

:
Issue 11 (2016-07-22)

186

Switches
7 IP Multicast
l
MLD querier
MLD snooping device

Receiver
Static multicast MAC address binding is a Layer 2 multicast feature. Similar to IGMP/MLD
snooping, this feature is also used to reduce bandwidth consumption caused by broadcast of
multicast data packets on a Layer 2 network.
License Support
Static multicast MAC address binding is a basic feature of a switch and is not under license
control.
Version Support
Table 7-11 Products and minimum versions supporting static multicast MAC addresses
Series
Product Model
S1700
S1720

in V200R007 and V200R008
versions.)
S2700
S2700SI/S2700EI
Not supported
S2720EI

V200R008 versions.)
S2750EI
V200R003
S3700SI/S3700EI
Not supported
S3700HI

versions.)
S5700LI/S5700S-LI
V200R001
S3700
S5700
Issue 11 (2016-07-22)

187

Switches
Series
S6700
7 IP Multicast
Product Model
S5710-C-LI
Not supported
S5710-X-LI
V200R008
S5700SI

versions.)
S5720S-SI/S5720SI
V200R008
S5700EI

versions.)
S5710EI

versions.)
S5700HI

versions.)
S5710HI

versions.)
S5720EI
V200R007
S5720HI
V200R006
S6700EI

versions.)
S6720EI
V200R008
S6720S-EI
V200R009

When configuring static multicast MAC addresses, pay attention to the following points:
l
Static multicast MAC address binding is a Layer 2 multicast feature, so all the static
multicast MAC address configurations on interfaces mentioned in this chapter are
performed on Layer 2 physical interfaces, including Eth-Trunk interfaces.
A static multicast MAC address you configure must be a multicast MAC address with
the rightmost bit as 1 (xxxx xxx1).
The VLAN specified in the static multicast MAC address configuration command cannot
be a super-VLAN, leased line VLAN, control VLAN of a Smart Ethernet Protocol (SEP)
segment, or control VLAN of a Rapid Ring Protection Protocol (RRPP) ring.
In V100R006 and V200R001, IP multicast MAC addresses (IPv4 multicast MAC

addresses starting with 0x01-00-5e or IPv6 multicast MAC addresses starting with
0x3333) cannot be configured as static multicast MAC addresses.
Issue 11 (2016-07-22)

188

Switches
7 IP Multicast
In V200R002 and later versions, IP multicast MAC addresses (IPv4 multicast MAC
addresses starting with 0x01-00-5e or IPv6 multicast MAC addresses starting with
0x3333) can be configured as static MAC addresses. When configuring an IP multicast
MAC address as a static multicast MAC address on an interface, ensure that IGMP/MLD
snooping is not enabled in the VLAN to which the interface belongs.
Before configuring static multicast MAC addresses on an interface of the S5700S-28XLI-AC, S5700S-52X-LI-AC, S5710-X-LI, S5700SI, S5720S-SI, and S5720SI, set the
multicast data forwarding mode to MAC address based mode in the VLAN to which the
interface belongs.
7.12 Multicast VLAN Replication

l
Multicast source
multicast source.



IGMP querier

Receiver
Issue 11 (2016-07-22)

189

Switches
7 IP Multicast

l
Multicast source

:
MLD querier
MLD snooping device

Receiver
Multicast VLAN replication is a Layer 2 multicast feature that can be configured on a device
running IGMP/MLD snooping.
License Support
Multicast VLAN replication is a basic feature of a switch and is not under license control.
Version Support
Table 7-12 Products and minimum versions supporting multicast VLAN replication
Series
Product Model
S1700
S1720

in V200R007 and V200R008
versions.)
NOTE
The S1720 supports N-to-N multicast
VLAN replication based on user VLANs in
V200R009 and later versions.
S2700
Issue 11 (2016-07-22)
S2700SI/S2710SI
Not supported

190

Switches
Series
7 IP Multicast
Product Model
S2700EI

versions.)
NOTE
The S2700EI does not support N-to-N
multicast VLAN replication based on user
VLANs and interface-based multicast
VLAN replication.
S2720EI

V200R008 versions.)
NOTE
VLANs.
S2750EI
V200R003
NOTE
VLANs.
S3700
S5700
S3700SI/S3700EI

versions.)
S3700HI

versions.)
S5700LI/S5700S-LI
V200R001
NOTE
The S5700LI and S5700S-LI support N-toN multicast VLAN replication based on
user VLANs since V200R005.
Issue 11 (2016-07-22)
S5710-C-LI

versions.)
S5710-X-LI
V200R008
S5700SI/S5700EI

versions.)
S5720SI/S5720S-SI
V200R008
S5710EI

versions.)

191

Switches
Series
S6700
7 IP Multicast
Product Model
S5700HI

versions.)
S5710HI

versions.)
S5720EI
V200R007
S5720HI
V200R006
S6700EI

versions.)
S6720EI
V200R008
S6720S-EI
V200R009

l
Because multicast VLAN replication is a Layer 2 multicast feature, all the configurations
on interfaces mentioned in this chapter are performed on Layer 2 physical interfaces,
including Eth-Trunk interfaces.
Set an appropriate TTL value for multicast data packets sent from a multicast source to
ensure that these multicast data packets carry a TTL value larger than 1 when arriving at
the switch through multicast VLAN. Otherwise, the multicast data packets may not be
copied to user VLANs.
On a switch, except those using MAC address-based forwarding as the default Layer 2
multicast forwarding mode, a VLAN cannot be configured as a multicast VLAN after the
multicast data forwarding mode in the VLAN is set to MAC address-based forwarding
using the l2-multicast forwarding-mode command.
7.13 Controllable Multicast

l
Multicast source
multicast source.

Issue 11 (2016-07-22)

192

Switches
7 IP Multicast


IGMP querier

Receiver

l
Multicast source

:
MLD querier
MLD snooping device

l
Issue 11 (2016-07-22)
Receiver
193

Switches
7 IP Multicast
Controllable multicast is a Layer 2 multicast feature that needs to be configured on a device
running IGMP/MLD snooping.
License Support
Controllable multicast is a basic feature of a switch and is not under license control.
Version Support
Table 7-13 Products and minimum versions supporting controllable multicast
Series
Product Model
S1700
S1720

in V200R007 and V200R008
versions.)
S2700
S2700SI/S2710SI
Not supported
S2700EI

versions.)
S2720EI

V200R008 versions.)
S2750EI
V200R003
S3700SI/S3700EI

versions.)
S3700HI

versions.)
S5700LI/S5700S-LI
V200R001
S5710-C-LI

versions.)
S5710-X-LI
V200R008
S5700SI/S5700EI

versions.)
S5720SI/S5720S-SI
V200R008
S3700
S5700
Issue 11 (2016-07-22)

194

Switches
Series
S6700
7 IP Multicast
Product Model
S5710EI

versions.)
S5700HI

versions.)
S5710HI

versions.)
S5720EI
V200R007
S5720HI
V200R006
S6700EI

versions.)
S6720EI
V200R008
S6720S-EI
V200R009

Before configuring controllable multicast, configure IGMP/MLD snooping.
7.14 Multicast Network Management

l
Multicast source
multicast source.



Issue 11 (2016-07-22)

195

Switches
7 IP Multicast
l
IGMP querier

Receiver

l
Multicast source

:
MLD querier
MLD snooping device

Receiver
Multicast network management is a network management feature that can be configured on a

device running a multicast protocol.
License Support
Multicast network management is a basic feature of a switch and is not under license control.
Issue 11 (2016-07-22)

196

Switches
7 IP Multicast
Version Support
Table 7-14 Products and minimum versions supporting multicast network management
Series
Product Model
S1700
S1720

in V200R007 and V200R008
versions.)
S2700
S2700SI/S2710SI/S2700EI
Not supported
S2720EI

V200R008 versions.)
S2750EI
V200R003
S3700
S3700SI/S3700EI/S3700HI
Not supported
S5700
S5700LI/S5700S-LI
V200R002
S5710-C-LI
Not supported
S5710-X-LI
V200R008
S5700SI

versions.)
S5720SI/S5720S-SI
V200R008
S5700EI

versions.)
S5710EI

versions.)
S5700HI

versions.)
S5710HI

versions.)
S5720EI
V200R007
S5720HI
V200R006
S6700EI

versions.)
S6720EI
V200R008
S6700
Issue 11 (2016-07-22)

197

Switches
Series
7 IP Multicast
Product Model
S6720S-EI
V200R009

None
Issue 11 (2016-07-22)

198

Switches
8 MPLS
MPLS
About This Chapter

8.1 Static LSP
8.2 MPLS LDP
8.3 MPLS QoS
8.4 MPLS TE
Issue 11 (2016-07-22)

199

Switches
8 MPLS
8.1 Static LSP

License Support
MPLS is a basic feature of a switch and is not under license control.
Version Support
Table 8-1 Products and minimum version supporting static LSPs
Series
Product Model
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700SI
Not supported
S5700EI
Not supported
S5710EI

S5720EI
V200R009
S5720SI/S5720S-SI
Not supported
S3700
S5700
Issue 11 (2016-07-22)

200

Switches
Series
8 MPLS
Product Model
Minimum Version
Required
S5700HI

S5710HI

S5720HI
V200R007C10
The function is not
supported in V200R008.
S6700
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

If the command output displays NO for hardware support for MPLS when you run the
display device capability command on the S5720EI switch, the switch does not support
MPLS. In this case, you need to pay attention to the following points:
l
MPLS cannot be enabled on the S5720EI switch. If the switch has been added to a stack,
MPLS cannot be enabled on the stack.
The S5720EI switch cannot be added to a stack running MPLS.
8.2 MPLS LDP

License Support
MPLS is not under license control.
Issue 11 (2016-07-22)

201

Switches
8 MPLS
Version Support
Table 8-2 Products and minimum version supporting MPLS LDP
Series
Product Model
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700SI
Not supported
S5700EI
Not supported
S5710EI

S5720EI
V200R009
S5720SI/S5720S-SI
Not supported
S5700HI

S5710HI

S5720HI
V200R007C10
S3700
S5700
The function is not

S6700
Issue 11 (2016-07-22)
S6700EI


202

Switches
Series
8 MPLS
Product Model
Minimum Version
Required
S6720EI
V200R008
S6720S-EI
V200R009

When configuring MPLS LDP on the switch, pay attention to the following points:
l
In V200R003 and earlier versions, VLANIF interfaces on the device support MPLS
LDP.
MPLS cannot be enabled on the S5720EI switch. If the switch has been added to a
stack, MPLS cannot be enabled on the stack.
8.3 MPLS QoS

License Support
MPLS QoS is a basic feature of a switch and is not under license control.
Version Support
Table 8-3 Products and minimum version supporting MPLS QoS
Series
Product Model
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700
Issue 11 (2016-07-22)

203

Switches
Series
S5700
8 MPLS
Product Model
Minimum Version
Required
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700SI
Not supported
S5700EI
Not supported
S5710EI

S5720EI
V200R009
S5720SI/S5720S-SI
Not supported
S5700HI

S5710HI

S5720HI
V200R007C10
The function is not
S6700
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
MPLS cannot be enabled on the S5720EI switch. If the switch has been added to a stack,
MPLS cannot be enabled on the stack.
Issue 11 (2016-07-22)

204

Switches
8 MPLS
8.4 MPLS TE
License Support
MPLS TE is a basic feature of a switch and is not under license control.
Version Support
Table 8-4 Products and minimum version supporting MPLS TE
Series
Product Model
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700SI
Not supported
S5700EI
Not supported
S5710EI

S5720EI
V200R009
S5720SI/S5720S-SI
Not supported
S3700
S5700
Issue 11 (2016-07-22)

205

Switches
Series
8 MPLS
Product Model
Minimum Version
Required
S5700HI

S5710HI

S5720HI
V200R007C10
The function is unsupported
in V200R008.
S6700
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

When configuring MPLS TE on the switch, pay attention to the following point:
l
In V200R003 and earlier versions, VLANIF interfaces on the device support MPLS TE.
MPLS cannot be enabled on the S5720EI switch. If the switch has been added to a
stack, MPLS cannot be enabled on the stack.
When configuring TE FRR, pay attention to the following points:

l
Dynamic TE tunnels using bandwidth reserved in Shared Explicit (SE) style support TE
FRR, but static TE tunnels do not.
If TE FRR is enabled in a scenario where MPLS TE tunnels transmit VPN services, you
must configure PHP when the MP node is the egress node of the primary CR-LSP.
In V200R005 and earlier versions, TE FRR can be performed during the RSVP GR
process. This protects traffic on the primary tunnel and speeds up troubleshooting in the
situation where a traffic switchover or a reboot is triggered after a fault occurs on a PLR,
the PLR's upstream node, an MP, or the MP's downstream node, while the outbound
interface of a primary tunnel on the PLR fails.
During the RSVP GR process, FRR switching is triggered if the outbound interface of a
primary tunnel on the PLR goes Down.
When configuring tunnel protection groups on the device, pay attention to the following
points:
l
Issue 11 (2016-07-22)
In a tunnel protection group, one or more tunnels can be protected.

206

Switches
8 MPLS
In a protection group, a maximum of 16 primary tunnels can be protected.
Tunnel-specific attributes in a tunnel protection group are independent from each other.
For example, a protection tunnel with the bandwidth 50 Mbit/s can protect a working
tunnel with the bandwidth 100 Mbit/s.
TE FRR can be enabled to protect the working tunnel.

NOTE
A tunnel protection group and TE FRR cannot be configured simultaneously on the ingress node
of a primary tunnel.
A protection tunnel cannot be protected by other tunnels or be enabled with TE FRR.
When you configure BFD for MPLS TE on the device, pay attention to the following points:
l
BFD can detect faults in static and dynamic CR-LSPs.
BFD for LSP can function properly though the forward path is an LSP and the backward
path is an IP link. The forward path and the backward path must be established over the
same link; otherwise, if a fault occurs, BFD cannot identify the faulty path. Before
deploying BFD, ensure that the forward and backward paths are over the same link so
that BFD can correctly identify the faulty path.
Issue 11 (2016-07-22)

207

Switches
9 VPN
VPN
About This Chapter

9.1 GRE
9.2 BGP/MPLS IP VPN
9.3 BGP/MPLS IPv6 VPN
9.4 VLL
9.5 PWE3
9.6 VPLS
Issue 11 (2016-07-22)

208

Switches
9 VPN
9.1 GRE
License Support
GRE is a basic feature of a switch and is not under license control.
Version Support
Table 9-1 Products and minimum version supporting GRE
Series
Product Model
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700SI
Not supported
S5700EI
Not supported
S5710EI

S5720EI
V200R007C00 (The
V200R007C10.)
S3700
S5700
Issue 11 (2016-07-22)

209

Switches
Series
S6700
9 VPN
Product Model
Minimum Version
Required
S5700HI

S5710HI

S5720HI
V200R006
S5720SI/S5720S-SI
Not supported
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

None.
9.2 BGP/MPLS IP VPN

License Support
BGP/MPLS IP VPN is a basic feature of a switch and is not under license control.
Version Support
Table 9-2 Products and minimum version supporting BGP/MPLS IP VPN
Issue 11 (2016-07-22)
Series
Product Model
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported

210

Switches
Series
S3700
9 VPN
Product Model
Minimum Version
Required
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI

NOTE
Only the MCE function is
supported.
S5700
S3700HI
Not supported
S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700SI
Not supported
S5700EI

NOTE
supported.
S5710EI

NOTE
In V200R001, only the MCE
function is supported.
S5720EI
V200R007
NOTE
In V200R007C00, and
V200R008, only the MCE
S5700HI

NOTE
In V200R001, only the MCE
S5710HI
Issue 11 (2016-07-22)


211

Switches
Series
9 VPN
Product Model
Minimum Version
Required
S5720HI
V200R006
NOTE
In V200R006,
V200R007C00,and
V200R008, only the MCE
S5720SI/S5720S-SI
V200R008
NOTE
supported.
S6700
S6700EI

NOTE
In V100R006, V200R001,
V200R002, and V200R003,
only the MCE function is
supported.
S6720EI
V200R008
S6720S-EI
V200R009

When configuring BGP/MPLS IP VPN on the switch, pay attention to the following points:
When NAC authentication is configured on the main interface, BGP/MPLS IP VPN on the
corresponding sub-interfaces becomes invalid.
9.3 BGP/MPLS IPv6 VPN

License Support
BGP/MPLS IPv6 VPN is a basic feature of a switch and is not under license control.
Issue 11 (2016-07-22)

212

Switches
9 VPN
Version Support
Table 9-3 Products and minimum version supporting BGP/MPLS IPv6 VPN
Series
Product Model
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI

S3700
NOTE
Only the IPv6 MCE function
is supported.
S5700
S3700HI
Not supported
S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700SI
Not supported
S5700EI
Not supported
S5710EI

NOTE
In V200R001, only the IPv6
MCE function is supported.
S5720EI
V200R007
NOTE
In V200R007C00, and
V200R008, only the IPv6
Issue 11 (2016-07-22)

213

Switches
Series
9 VPN
Product Model
Minimum Version
Required
S5700HI

NOTE
In V200R001, only the IPv6
S5710HI

S5720HI
V200R006
NOTE
In V200R006,
V200R007C00,and
V200R008, only the IPv6
S5720SI/S5720S-SI
V200R008
NOTE
Only the IPv6 MCE function
is supported.
S6700
S6700EI

NOTE
In V100R006, V200R001,
V200R002, and V200R003,
only the IPv6 MCE function is
supported.
S6720EI
V200R008
S6720S-EI
V200R009

None.
9.4 VLL
License Support
VLL is a basic feature of a switch and is not under license control.
Issue 11 (2016-07-22)

214

Switches
9 VPN
Version Support
Table 9-4 Products and minimum version supporting VLL
Series
Product Model
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700SI
Not supported
S5700EI
Not supported
S5710EI

S5720EI
V200R009
S5700HI

S5710HI

S5720HI
V200R007C10
S3700
S5700
NOTE
The function is unsupported in
V200R008.
S6700
Issue 11 (2016-07-22)
S5720SI/S5720S-SI
Not supported
S6700EI


215

Switches
Series
9 VPN
Product Model
Minimum Version
Required
S6720EI
V200R008
S6720S-EI
V200R009

When configuring VLL on the switch, pay attention to the following points:
l
Do not add the PW to VLAN 1. If the PW is added to VLAN 1, the AC joins VLAN 1 in
untagged mode and VLAN tags of packets are removed.
By default, link type negotiation is enabled globally on the device. If a VLANIF

interface is used as an AC-side interface for VLL, the configuration conflicts with link
type negotiation. In this case, run the lnp disable command in the system view to disable
link type negotiation.
After receiving Layer 2 protocol packets such as STP, VBST, SMLK, LBT/LBDT,
LACP, 3AH, 1AG, Y.1731, HGMP, LLDP, DLDP, GVRP, HVRP, DAD, LNP, VCMP,
and BFD packets from an AC interface, a PE device determines whether it needs to
process the packets. If not (for example, Layer 2 protocols are disabled), the PE device
transparently transmits the Layer 2 protocol packets through the VLL.
If L2VPN is configured on the device, the AC-side outbound interface does not support
IP address-based load balancing when the interface is an Eth-Trunk interface.

9.5 PWE3
License Support
PWE3 is a basic feature of a switch and is not under license control.
Version Support
Table 9-5 Products and minimum version supporting PWE3
Issue 11 (2016-07-22)
Series
Product Model
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported

216

Switches
Series
S3700
S5700
9 VPN
Product Model
Minimum Version
Required
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700SI
Not supported
S5700EI
Not supported
S5710EI

S5720EI
V200R009
S5700HI

S5710HI

S5720HI
V200R007C10
NOTE
The function is not supported
in V200R008.
S6700
Issue 11 (2016-07-22)
S5720SI/S5720S-SI
Not supported
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

217

Switches
9 VPN

When configuring PWE3 on the switch, pay attention to the following points:
l
Do not add the PW to VLAN 1. If the PW is added to VLAN 1, the AC-side interface
joins VLAN 1 in untagged mode and VLAN tags of packets are removed.
By default, link type negotiation is enabled globally on the device. If a VLANIF

interface is used as an AC-side interface for PWE3, the configuration conflicts with link
type negotiation. In this case, run the lnp disable command in the system view to disable
link type negotiation.

9.6 VPLS
License Support
VPLS is a basic feature of a switch and is not under license control.
Version Support
Table 9-6 Products and minimum version supporting VPLS
Series
Product Model
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
Not supported
S3700
S5700
Issue 11 (2016-07-22)

218

Switches
Series
9 VPN
Product Model
Minimum Version
Required
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700SI
Not supported
S5700EI
Not supported
S5710EI

S5720EI
V200R009
S5700HI

S5710HI

S5720HI
V200R007C10
NOTE
The function is unsupported in
V200R008.
S6700
S5720SI/S5720S-SI
Not supported
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

When configuring VPLS on the switch, pay attention to the following points:
l
Do not add the PW to VLAN 1. If the PW is added to VLAN 1, the AC joins VLAN 1 in
untagged mode and VLAN tags of packets are removed.
If an interface is used as an VPLS AC-side interface and a multicast inbound interface at

the same time, multicast data cannot be forwarded normally on this interface.
After receiving Layer 2 protocol packets such as STP, VBST, SMLK, LBT/LBDT,
LACP, 3AH, 1AG, Y.1731, HGMP, LLDP, DLDP, GVRP, HVRP, DAD, LNP, VCMP,
and BFD packets from an AC interface, a PE device determines whether it needs to
process the packets. If not (for example, Layer 2 protocols are disabled), the PE device
transparently transmits the Layer 2 protocol packets through the VPLS.
Issue 11 (2016-07-22)

219

Switches
Issue 11 (2016-07-22)
9 VPN


220

Switches
10 WLAN-AC
10
WLAN-AC
About This Chapter

10.1 WLAN Service
10.2 WLAN Security
10.3 Radio Resource Management
10.4 Spectrum Analysis
10.5 Roaming
10.6 WLAN QoS
10.7 WDS
10.8 Mesh
10.9 Vehicle-Ground Communication
10.10 Tag Location
10.11 Terminal Location
10.12 Bluetooth Location
10.13 Dual-Link Backup
10.14 N+1 Backup
Issue 11 (2016-07-22)

221

Switches
10 WLAN-AC
10.1 WLAN Service

AP
l
APs mentioned in this document are Huawei AP products. You are advised to use
Huawei APs to connect to the AC.
You can run the display ap-type command to check the default AP types supported by
the device.
Product Software Version
AP Software Version
V200R009C00
V200R007C00
V200R006C20
V200R006C10
V200R008C00
V200R005C30
V200R005C20
V200R005C10
V200R007
V200R005C20
V200R005C10
V200R006
V200R005C00
License Support
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
l
AP resource license-16AP for WLAN access controller
Version Support
Table 10-1 Products and minimum version supporting the WLAN service
Issue 11 (2016-07-22)
Series
Product Model
Minimum Version
Required
S1700 series switches
Not supported
Not supported

222

Switches
10 WLAN-AC
Series
Product Model
Minimum Version
Required
Not supported
S5720HI
V200R006
NOTE
Among all S5700 series
switches, only the S5720HI
supports WLAN features.
Not supported

Packets transmitted on a WLAN include management packets and service data packets.
l
It is recommended that you use different VLANs for the management VLAN and service
VLAN.
You are not advised to use VLAN 1 as the management VLAN or service VLAN.
In tunnel forwarding mode, management VLAN and service VLAN must be different.
In actual WLAN networking, management VLANs and service VLANs must be properly
planned. The following example assumes that an AP connects to an AC through a Layer 2
network.
l
In direct forwarding mode, ensure that the AP can exchange management VLAN packets
with the AC and exchange service VLAN packets with upstream devices.
In tunnel forwarding mode, ensure that the AP can exchange management VLAN
packets with the AC and the AC can exchange service VLAN packets with upstream
devices.
Networking restrictions
l
In tunnel forwarding mode, the AC and AP do not support IP packet fragmentation.
In the AC + AP networking, to prevent loops, port flapping, or AP disconnection, do no

use Smart Link, equal-cost routing, or port protection services.
The AC cannot manage APs through VPNs. That is, the source interface does not need to
be added to a VPN.
The AC and AP exchange CAPWAP packets to communicate. To prevent CAPWAP packet

attacks from affecting normal device communication, you can configure local attack defense
on devices. To configure local attack defense, specify a trusted AP source address in an ACL
rule and then configure a whitelist in the attack defense policy or configure user-defined flows
to limit the rate of specified CAPWAP packets. For details, see Local Attack Defense
Configuration.
10.2 WLAN Security

AP
Issue 11 (2016-07-22)

223

Switches
10 WLAN-AC
the device.
AP Software Version
V200R009C00
V200R007C00
V200R006C20
V200R006C10
V200R008C00
V200R005C30
V200R005C20
V200R005C10
V200R007
V200R005C20
V200R005C10
V200R006
V200R005C00
AAA server
l
Huawei servers such as the Policy Center and Agile Controller or third-party AAA
servers perform authentication, accounting, and authorization on users.
Portal server
l
Huawei servers such as the Policy Center and Agile Controller or third-party Portal
servers, receive authentication requests from Portal clients, provide free Portal services
and a web authentication interface, and exchange authentication information of the
authentication clients with access devices. This component is required only in Portal
authentication mode.
License Support
agent.
l
Issue 11 (2016-07-22)

224

Switches
10 WLAN-AC
Version Support
Table 10-2 Products and minimum version supporting WLAN security
Series
Product Model
Minimum Version
Required
Not supported
Not supported
Not supported
S5720HI
V200R006
NOTE
Not supported

WIDS/WIPS
l
APs that have WDS or Mesh services configured cannot work in monitor mode.
If WIDS, spectrum analysis, background neighbor probing, or terminal location is

enabled on a radio, the radio cannot be used to establish a WDS bridge or Mesh link.
V200R006C00, V200R007C00, and V200R008C00: When an AP working in hybrid

mode periodically scans channels, services may be interrupted for a short time. The AP
can only take the countermeasures on the channel used by WLAN services. To take
countermeasures on all channels, you need to configure the AP to work in monitor mode.
However, the WLAN services are unavailable in this mode.
V200R009C00: When an AP working in normal mode periodically scans channels,

services may be interrupted for a short time. The AP working in normal mode can only
take the countermeasures on the channel used by WLAN services. To take
countermeasures on all channels, you need to configure the AP to work in monitor mode.
However, WLAN services are unavailable in this mode.
V200R006C00, V200R007C00, and V200R008C00: The configured WIDS or WIPS

takes effect on an AP only after a service set is bound to the AP on the AC and the AC
delivers the configurations to the AP.
Security Policy
l
The AP7030DE and AP9330DN do not support WAPI.
10.3 Radio Resource Management

AP
Issue 11 (2016-07-22)

225

Switches
10 WLAN-AC
the device.
AP Software Version
V200R009C00
V200R007C00
V200R006C20
V200R006C10
V200R008C00
V200R005C30
V200R005C20
V200R005C10
V200R007
V200R005C20
V200R005C10
V200R006
V200R005C00
License Support
agent.
l
Version Support
Series
Product Model
Minimum Version
Required
Not supported
Not supported
Not supported
S5720HI
V200R006
NOTE
Issue 11 (2016-07-22)

226

Switches
10 WLAN-AC
Series
Product Model
Minimum Version
Required
Not supported

Configuring Radio Calibration
l
Radio calibration does not take effect on radios enabled with WDS or Mesh functions.
When configuring 40 MHz or 80 MHz calibration bandwidth, check whether channels of

the corresponding bandwidth exist under the country code.
To ensure a good calibration effect, you are advised to configure at least three calibration
channels.
When configuring a radio calibration set, avoid using radar channels.
Configuring Load Balancing

The load balancing function applies to scenarios where there is a high degree of overlap
between APs' coverage ranges. If APs engaged in load balancing are far from each other, a
STA may connect to a distant AP, which affects wireless experience of users.
When the load difference between APs reaches the load difference threshold, some STAs may
access the network slowly because the APs will reject access requests of STAs according to
the load balancing algorithm. If a STA continues sending association requests to an AP, the
AP allows the STA to associate when the number of consecutive association attempts of the
STA exceeds the maximum number of rejection times.
In static load balancing mode, APs providing the same services are manually added to a load
balancing group. When a STA needs to access a WLAN, it sends an Association Request
packet to an AC through an AP. The AC determines whether to permit access from the STA
according to a load balancing algorithm. The implementation of static load balancing must
meet the following conditions.
l
If dual-band APs are used, traffic is load balanced among APs working on the same
frequency band.
Each load balancing group supports a maximum of 16 AP radios.
Configuring Band Steering

l
To allow an STA to preferentially associate with the 5 GHz radio and achieve a better
access effect, configure larger power for the 5 GHz radio than the 2.4 GHz radio.
Single-radio devices do not support the band steering function.
The AP2010DN does not support the band steering function.
Configuring Dynamic EDCA Parameter Adjustment

The AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, and AP6310SN-GN do not
supprot this function.
Configuring Automatic Per Packet Power Adjustment
The AP7030DE and AP9330DN do not support this function.
Configuring the Smart Antenna Function
Issue 11 (2016-07-22)

227

Switches
10 WLAN-AC
Models supporting smart antenna: AP7030DE and AP7050DE.
The smart antenna function cannot take effect if beamforming or MU-MIMO has been
configured.
10.4 Spectrum Analysis

AP
l
the device.
AP Software Version
V200R009C00
V200R007C00
V200R006C20
V200R006C10
V200R008C00
V200R005C30
V200R005C20
V200R005C10
V200R007
V200R005C20
V200R005C10
V200R006
V200R005C00
License Support
agent.
l
Issue 11 (2016-07-22)

228

Switches
10 WLAN-AC
Version Support
Series
Product Model
Minimum Version
Required
Not supported
Not supported
Not supported
S5720HI
V200R006
NOTE
Not supported

Configuring Spectrum Analysis
l
The AP3010DN-AGN, and AP9330DN do not support this function.
Spectrum analysis can be enabled only on one radio at one time.
If WDS and Mesh services are configured on an AP radio, WIDS, spectrum analysis, or
WLAN location on the radio does not take effect.
10.5 Roaming
AP
l
the device.
AP Software Version
V200R009C00
V200R007C00
V200R006C20
V200R006C10
V200R008C00
V200R005C30
V200R005C20
V200R005C10
Issue 11 (2016-07-22)

229

Switches
10 WLAN-AC
AP Software Version
V200R007
V200R005C20
V200R005C10
V200R006
V200R005C00
Client
l
To implement the fast roaming feature, the client must support fast roaming technology.
License Support
agent.
l
Version Support
Table 10-5 Products and minimum version supporting roaming
Series
Product Model
Minimum Version
Required
Not supported
Not supported
Not supported
S5720HI
V200R006
NOTE
Not supported

l
The APs on which WLAN roaming is implemented must use the same SSID and security
profiles, and the security profiles must have the same configurations.
In direct forwarding mode, if the ARP entry of a user is not aged out in time on the
access device connected to the AP after the user roams, services of the user will be
temporarily interrupted. You are advised to enable STA address learning on the AC.
Issue 11 (2016-07-22)

230

Switches
10 WLAN-AC
After the function is enabled, the AP will send a gratuitous ARP packet to the access
device so that the access device can update ARP entries in a timely manner. This ensures
nonstop service transmission during user roaming.
You can use either of the following methods to enable STA address learning according to
the version of your product:
run the learn client ip-address enable command in the service set view.
10.6 WLAN QoS

AP
l
the device.
AP Software Version
V200R009C00
V200R007C00
V200R006C20
V200R006C10
V200R008C00
V200R005C30
V200R005C20
V200R005C10
V200R007
V200R005C20
V200R005C10
V200R006
V200R005C00
License Support
agent.
l
Issue 11 (2016-07-22)

231

Switches
10 WLAN-AC
Version Support
Table 10-6 Products and minimum version supporting WLAN QoS
Series
Product Model
Minimum Version
Required
Not supported
Not supported
Not supported
S5720HI
V200R006
NOTE
Not supported

Configuring WMM
By default, WMM is disabled on a terminal. To implement the WMM function, you must
enable WMM on terminals and devices concurrently.
Configuring Priority Mapping
The tunnel priority mapping is applicable to scenarios where data packets are transmitted in
tunnel forwarding mode.
10.7 WDS
AP
l
the device.
AP Software Version
V200R009C00
V200R007C00
V200R006C20
V200R006C10
Issue 11 (2016-07-22)

232

Switches
10 WLAN-AC
AP Software Version
V200R008C00
V200R005C30
V200R005C20
V200R005C10
V200R007
V200R005C20
V200R005C10
V200R006
V200R005C00
License Support
agent.
l
Version Support
Table 10-7 Products and minimum version supporting WDS
Series
Product Model
Minimum Version
Required
Not supported
Not supported
Not supported
S5720HI
V200R006
NOTE
Not supported

l
Issue 11 (2016-07-22)
The AD9430DN-24 central AP (including the mapping RRUs), AD9430DN-12 central

AP (including the mapping RRUs), AP2010DN, AP2030DN, AP7030DE, AP9330DN,
and AP6310SN-GN do not support the WDS function.
233

Switches
10 WLAN-AC
On a WDS or Mesh network, an 802.11ac AP cannot interoperate with non-802.11ac

APs regardless of the radio types used by the AP. Only 802.11ac APs can interoperate
with each other.
NOTE
Among all WDS- or Mesh-capable APs, the AP5030DN, AP5130DN, AP8130DN, AP8030DN,
AP4030DN, AP4130DN, AP9131DN, AP9132DN, AP6050DN, AP6150DN, AP7050DE, AP7050DNE, AP4030TN, AP4050DN-E, and AP4050DN-HD are 802.11ac APs.
If radio 0 of the AP8130DN is configured to work on the 5 GHz frequency band and
used for WDS or Mesh services, the software version of the AP connected to the
AP8130DN must be V200R005C10 or a later version.
When planning a WDS network, pay attention to the following:
Only one root node exists on the WDS network.
A middle node sets up WDS links only with the leaf node and root node. Middle
nodes do not set up WDS links between each other.
Each WDS link allows a maximum of three hops (a 3-hop WDS link includes a root
node, a middle node, and a leaf node).
Each node on the WDS link supports a maximum of six subnodes.
This section provides only WDS configurations. After the WDS configuration is
complete, APs can connect to an AC through wireless bridges. To use WLAN services,
you still need to configure basic WLAN services. For details, see WLAN Service
Configuration.
When WDS is configured on dual-band APs, the root AP and leaf AP cannot use radio 0
or radio 1 simultaneously to establish a WDS link.
Ensure that the root, middle, and leaf nodes are bound to the same bridge profile;
otherwise, WDS links cannot be set up or the existing WDS links get disconnected.
When configuring the WDS function, ensure that WDS nodes use the same channel.
The security profile used by WDS or Mesh links supports only the security policy
WPA2+PSK+CCMP.
You are advised to configure different names for the profiles used to configure the WDS
function than the profiles used to configure the WLAN service. These profiles are the
WMM profile, radio profile, and security profile. This configuration facilitates
maintenance on wireless bridges and WLAN service.
Avoid using radar channels to configure WDS links; otherwise, the following problems
may occur:
Establishing WDS links on radar channels takes several minutes or several ten
minutes longer than establishing WDS links on non-radar channels.
Radar signals cause disconnection of established WDS links.
A WDS bridge profile supports a maximum of 256 VLANs.
The WLAN Mesh function and WLAN WDS function are mutually exclusive. If the
WLAN WDS function has been configured, the WLAN Mesh function cannot be
configured.
During WDS network planning, if dual-band APs function as WDS nodes, AP radios
bound to WDS bridge profiles cannot be configured to work in monitor mode; if singleband APs function as WDS nodes, AP radios cannot work in monitor mode.

Issue 11 (2016-07-22)

234

Switches
10 WLAN-AC
In V200R006, if you set the CAPWAP heartbeat interval or the number of heartbeat
packet transmissions to a small value using the capwap keep-alive interval intervalvalue or capwap keep-alive times times-value command, WDS or Mesh links may fail
to be established. Therefore, you are advised to use the default values.
In V200R007 and later versions, if you set the CAPWAP heartbeat interval or the
number of heartbeat packet transmissions to a small value using the capwap echo
interval interval-value or capwap echo times times-value command, WDS or Mesh
links may fail to be established. Therefore, you are advised to use the default values.
In V200R006, if WDS or Mesh is enabled simultaneously with dual-link backup, the AC

sends CAPWAP heartbeat packets three times at an interval of 25 seconds by default.
This may cause unstable WDS or Mesh links and result in user access failures. You are
advised to run the capwap keep-alive times times-value command to set the number of
heartbeat packet transmissions to 6 or a larger value.
In V200R007 and later versions, if WDS or Mesh is enabled simultaneously with duallink backup, the AC sends CAPWAP heartbeat packets three times at an interval of 25
seconds by default. This may cause unstable WDS or Mesh links and result in user
access failures. You are advised to run the capwap echo times times-value command to
set the number of heartbeat packet transmissions to 6 or a larger value.
10.8 Mesh
AP
l
the device.
AP Software Version
V200R009C00
V200R007C00
V200R006C20
V200R006C10
V200R008C00
V200R005C30
V200R005C20
V200R005C10
V200R007
V200R005C20
V200R005C10
V200R006
V200R005C00
License Support
Issue 11 (2016-07-22)

235

Switches
10 WLAN-AC
agent.
l
Version Support
Table 10-8 Products and minimum version supporting Mesh
Series
Product Model
Minimum Version
Required
Not supported
Not supported
Not supported
S5720HI
V200R006
NOTE
Not supported

l
The AP2010DN, AP2030DN, AP7030DE, AP9330DN, and AP6310SN-GN do not

support the Mesh function.
On a WDS or Mesh network, an 802.11ac AP cannot interoperate with non-802.11ac

APs regardless of the radio types used by the AP. Only 802.11ac APs can interoperate
with each other.
NOTE
Among all WDS- or Mesh-capable APs, the AP5030DN, AP5130DN, AP8130DN, AP8030DN,
AP4030DN, AP4130DN, AP9131DN, AP9132DN, AP6050DN, AP6150DN, AP7050DE, AP7050DNE, AP4030TN, AP4050DN-E, and AP4050DN-HD are 802.11ac APs.
If radio 0 of the AP8130DN is configured to work on the 5 GHz frequency band and
used for WDS or Mesh services, the software version of the AP connected to the
AP8130DN must be V200R005C10 or a later version.
This section provides only Mesh configurations. After the Mesh configuration is
complete, APs can connect to an AC through Mesh links. To use WLAN services, you
still need to configure basic WLAN services. For details, see WLAN Service
Configuration.
When Mesh is configured on dual-band APs, any two adjacent APs cannot use radio 0 or
radio 1 simultaneously to establish a Mesh link.
When configuring the Mesh function, ensure that Mesh nodes use the same bandwidth
and channel.
Issue 11 (2016-07-22)

236

Switches
10 WLAN-AC
The security profile used by WDS or Mesh links supports only the security policy
WPA2+PSK+CCMP.
You are advised to configure different names for the profiles used to configure the Mesh
function than the profiles used to configure the WLAN service. These profiles are the
WMM profile, radio profile, and security profile. This configuration facilitates
maintenance on the Mesh network and WLAN service.
The WLAN Mesh function and WLAN WDS function are mutually exclusive. If the
WLAN WDS function has been configured, the WLAN Mesh function cannot be
configured.
During Mesh network planning, if dual-band APs function as Mesh nodes, AP radios
bound to Mesh profiles cannot be configured to work in monitor mode; if single-band
APs function as Mesh nodes, AP radios cannot work in monitor mode.
Avoid using radar channels to configure Mesh links; otherwise, the following problems
may occur:
Establishing Mesh links on radar channels takes several minutes or several ten
minutes longer than establishing Mesh links on non-radar channels.
Radar signals cause disconnection of established Mesh links.

In V200R006, if you set the CAPWAP heartbeat interval or the number of heartbeat
packet transmissions to a small value using the capwap keep-alive interval intervalvalue or capwap keep-alive times times-value command, WDS or Mesh links may fail
to be established. Therefore, you are advised to use the default values.
In V200R007 and later versions, if you set the CAPWAP heartbeat interval or the
number of heartbeat packet transmissions to a small value using the capwap echo
interval interval-value or capwap echo times times-value command, WDS or Mesh
links may fail to be established. Therefore, you are advised to use the default values.
In V200R006, if WDS or Mesh is enabled simultaneously with dual-link backup, the AC

sends CAPWAP heartbeat packets three times at an interval of 25 seconds by default.
This may cause unstable WDS or Mesh links and result in user access failures. You are
advised to run the capwap keep-alive times times-value command to set the number of
heartbeat packet transmissions to 6 or a larger value.
In V200R007 and later versions, if WDS or Mesh is enabled simultaneously with duallink backup, the AC sends CAPWAP heartbeat packets three times at an interval of 25
seconds by default. This may cause unstable WDS or Mesh links and result in user
access failures. You are advised to run the capwap echo times times-value command to
set the number of heartbeat packet transmissions to 6 or a larger value.
If an MP connects to a wired network, ensure that the MP does not communicate with
MPPs at Layer 2 through the wired network; otherwise, the MP connects to MPPs
through both Mesh links and wired links, which causes a network loop.
Starting from V200R007, the Mesh profile supports FWA and vehicle-ground fast link
handover, which are mutually exclusive.
Issue 11 (2016-07-22)

237

Switches
10 WLAN-AC
10.9 Vehicle-Ground Communication

AP
l
the device.
AP Software Version
V200R009C00
V200R007C00
V200R006C20
V200R006C10
V200R008C00
V200R005C30
V200R005C20
V200R005C10
V200R007
V200R005C10
V200R005C20
License Support
agent.
l
Version Support
Issue 11 (2016-07-22)
Series
Product Model
Minimum Version
Required
Not supported
Not supported
Not supported

238

Switches
Series
10 WLAN-AC
Product Model
Minimum Version
Required
S5720HI
V200R007
NOTE
Not supported

l
The vehicle-ground fast link handover network is a single-hop Layer 2 Mesh network
composed of the AC, trackside APs, and vehicle-mounted APs.
The AC is deployed on the ground network to manage and control trackside APs.
Trackside APs are Fit APs deployed along the track. They function as MPPs and
communicate with the AC in wired mode at Layer 2.
Vehicle-mounted APs: are Fat APs deployed in the front and rear of a train. They
function as MPs to set up Mesh links with trackside APs.
Each vehicle-mounted AP can only use one radio for vehicle-ground communications at
one time.
On a vehicle-ground fast link handover network, the AP9131DN (Fit AP) or AP9132DN
(Fit AP) is usually used as the trackside AP and the AP9131DN (Fat AP) or AP9132DN
(Fat AP) as the vehicle-mounted AP. If other AP models are used as the vehicle-mounted
and trackside APs, they must comply with the same 802.11 standards, for example, both
802.11ac APs or 802.11n APs.
10.10 Tag Location

AP
l
the device.
AP Software Version
V200R009C00
V200R007C00
V200R006C20
V200R006C10
V200R008C00
V200R005C30
V200R005C20
V200R005C10
Issue 11 (2016-07-22)

239

Switches
10 WLAN-AC
AP Software Version
V200R007
V200R005C20
V200R005C10
V200R006
V200R005C00
Location server
l
Computes the RFID tag location using a location algorithm (for example, three-point
positioning) after receiving the location information and provides the computed data to
user systems, including the system management software and image software.
License Support
agent.
l
Version Support
Table 10-10 Products and minimum version supporting WLAN location
Series
Product Model
Minimum Version
Required
Not supported
Not supported
Not supported
S5720HI
V200R006
NOTE
Not supported

WLAN Location of AeroScout Tags and AeroScout MUs
l
Issue 11 (2016-07-22)
The AP9330DN does not support Tag location.

240

Switches
10 WLAN-AC
The AP3010DN-AGN, AP6310SN-GN, and AP9330DN do not support AeroScout MU

location.
When configuring the AC as the destination to which the AP reports location

information:
Configure the port number used by the AC to communicate with the AeroScout
location server.
Ensure that the port number configured on the AeroScout location server is the
same as that used by AC to communicate with the AeroScout location server.
When configuring the AeroScout location server as the destination to which the AP
reports location information, ensure that the port number used by the AP to report
location information is the same as that configured on the AeroScout location server.
The port number used by the AP to report location information cannot be the same as
that used by the AC to communicate with the location server.
If the location server runs the Linux system and has URPF enabled, the server must be
able to successfully ping the source IP address that the AC uses to send packets.
WLAN Location of Ekahau Tags

l
The AP9330DN does not support Tag location.
When configuring the AC as the destination to which the AP reports location

information:
Configure the port number used by the AC to communicate with the Ekahau
location server and the IP address of the Ekahau location server on the AC.
Ensure that the port number configured on the Ekahau location server is the same as
that used by AC to communicate with the Ekahau location server.
When configuring the Ekahau location server as the destination to which the AP reports
location information, ensure that the port number used by the AP to report location
information is the same as that configured on the Ekahau location server.
The port number used by the AP to report location information cannot be the same as
that used by the AC to communicate with the location server.
If the location server runs the Linux system and has URPF enabled, the server must be
able to successfully ping the source IP address that the AC uses to send packets.
10.11 Terminal Location

AP
l
the device.
AP Software Version
V200R009C00
V200R007C00
V200R006C20
V200R006C10
Issue 11 (2016-07-22)

241

Switches
10 WLAN-AC
AP Software Version
V200R008C00
V200R005C30
V200R005C20
V200R005C10
V200R007
V200R005C20
V200R005C10
V200R006
V200R005C00
eSight
l
Functions as the location server and display terminal in the location system. The location
server computes the signal transmission model according to locations of APs and
obstacles, and calculates locations of terminals, rogue APs, or Wi-Fi interference sources
based on the RSSI information collected by each AP. The display terminal draws maps
and displays locations of the devices on the map.
The Wi-Fi terminal location function is applicable to eSight in V300R005C00.
App server
l
An app server obtains location results from a location server and pushes information to
Bluetooth terminals based on the location results.
License Support
agent.
l
Version Support
Issue 11 (2016-07-22)
Series
Product Model
Minimum Version
Required
Not supported
Not supported
Not supported

242

Switches
Series
10 WLAN-AC
Product Model
Minimum Version
Required
S5720HI
V200R006
NOTE
Not supported

Wi-Fi Terminal Location
l
The AP3010DN-AGN, AP6310SN-GN, and AP9330DN do not support Wi-Fi terminal

location.
Locating a terminal requires at least three APs to scan signals on the WLAN.
To use the terminal location function to locate unauthorized STAs, rogue APs and
bridges, and ad-hoc devices, you need to enable WIDS. To use the terminal location
function to locate authorized STAs, you do not need to enable WIDS.
10.12 Bluetooth Location

AP
l
the device.
AP Software Version
V200R009C00
V200R007C00
BLE device
l
A BLE device is a Bluetooth signal generator that periodically sends BLE broadcast
frames to surrounding devices. The frame content complies with the iBeacon protocol.
Currently, only BLE devices from Xuntong Technology Co., Ltd are supported.
eSight
l
Issue 11 (2016-07-22)
Functions as the location server and display terminal in the location system. The location
server computes the signal transmission model according to locations of APs and
obstacles, and calculates locations of terminals, rogue APs, or Wi-Fi interference sources
based on the RSSI information collected by each AP. The display terminal draws maps
and displays locations of the devices on the map.
243

Switches
10 WLAN-AC
The Bluetooth location function is supported by eSight V300R006C00.
License Support
agent.
l
Version Support
Series
Product Model
Minimum Version
Required
Not supported
Not supported
Not supported
S5720HI
V200R006
NOTE
Not supported

Bluetooth Location
l
Currently, only the AP4050DN-E and AP7050DE support the Bluetooth location
function, while only the AP4050DN-E supports the Bluetooth broadcast function.
Bluetooth terminals must support BLE 4.0 or later versions and can properly report
received RSSI information to the location server through apps.
After the Bluetooth monitoring function is enabled, APs will obtain battery power
information about surrounding BLE devices at 02:00 of the AC system time, which is
off-peak hours of WLAN services. If the system time is different from the actual time,
obtaining battery power information may interrupt WLAN services. To prevent such an
issue, configure the system time correctly on the AC.
Issue 11 (2016-07-22)

244

Switches
10 WLAN-AC
10.13 Dual-Link Backup

AP
l
the device.
AP Software Version
V200R009C00
V200R007C00
V200R006C20
V200R006C10
V200R008C00
V200R005C30
V200R005C20
V200R005C10
V200R007
V200R005C20
V200R005C10
V200R006
V200R005C00
License Support
agent.
l
Version Support
Table 10-13 Products and minimum version supporting dual-link backup
Issue 11 (2016-07-22)
Series
Product Model
Minimum Version
Required
Not supported
Not supported

245

Switches
10 WLAN-AC
Series
Product Model
Minimum Version
Required
Not supported
S5720HI
V200R006
NOTE
Not supported

l
WLAN service configurations (for example, WMM profile, radio profile, radio, traffic
profile, security profile, and security policies) of the same AP must be consistent on the
active and standby ACs; otherwise, the AP cannot work properly after an active/standby
AC switchover.
When an active/standby switchover is implemented between two ACs, STAs using open
system authentication remain connected to APs while STAs using other authentication
modes are disconnected and need to go online again.
10.14 N+1 Backup

AP
l
the device.
AP Software Version
V200R009C00
V200R007C00
V200R006C20
V200R006C10
V200R008C00
V200R005C30
V200R005C20
V200R005C10
V200R007
V200R005C20
V200R005C10
V200R006
Issue 11 (2016-07-22)
V200R005C00

246

Switches
10 WLAN-AC
License Support
agent.
l
Version Support
Table 10-14 Products and minimum version supporting N+1 backup
Series
Product Model
Minimum Version
Required
Not supported
Not supported
Not supported
S5720HI
V200R006
NOTE
Not supported

l
WLAN service configurations (for example, radio profile, radio, traffic profile, security
profile, and security policies) of the same AP must be consistent on the active and
standby ACs; otherwise, the AP cannot work properly after an active/standby AC
switchover.
All WLAN service configurations on the active AC must also be performed on the
standby AC.
N+1 backup cannot be configured concurrently with dual-link backup.
Issue 11 (2016-07-22)

247

Switches
11 Reliability
11
Reliability
About This Chapter

11.1 BFD
11.2 VRRP
11.3 DLDP
11.4 Smart Link and Monitor Link
11.5 MAC Swap Loopback
11.6 EFM
11.7 CFM
11.8 Y.1731
Issue 11 (2016-07-22)

248

Switches
11 Reliability
11.1 BFD
Other network elements are required to support BFD functions.
License Support
BFD is a basic feature of a switch and is not under license control.
Version Support
Table 11-1 Products and minimum version supporting BFD
Series
Product
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI

S3700HI

S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700SI
Not supported
S5700EI

S5710EI

S3700
S5700
Issue 11 (2016-07-22)

249

Switches
Series
S6700
11 Reliability
Product
Minimum Version
Required
S5720EI
V200R007
S5700HI

S5710HI

S5720HI
V200R006
S5720SI/S5720S-SI
V200R008
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

If a loop occurs on the path detected by BFD, the change of the network topology where the
loop exists may cause the BFD session to flap at one time.
11.2 VRRP
Other network elements are required to support VRRP functions.
License Support
VRRP is a basic feature of a switch and is not under license control.
Version Support
Table 11-2 Products and minimum version supporting VRRP
Issue 11 (2016-07-22)
Series
Product
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI
Not supported

250

Switches
Series
S3700
S5700
S6700
Issue 11 (2016-07-22)
11 Reliability
Product
Minimum Version
Required
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI

S3700HI

S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700SI
Not supported
S5700EI

S5710EI

S5720EI
V200R007
S5700HI

S5710HI

S5720HI
V200R006
S5720SI/S5720S-SI
V200R008
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

251

Switches
11 Reliability

l
In V200R003 and earlier versions, VRRP can be only configured on the VLANIF
interface.
Starting from V200R005, VRRP can be configured on the VLANIF interface and Layer
3 Ethernet interface.
VRRP groups must use different virtual IP addresses. The virtual IP address of a VRRP
group must be on the same network segment as the IP address of the interface where the
VRRP group is configured.
Devices of a VRRP group must be configured with the same VRID.
If devices in a VRRP group use different VRRP versions, VRRP packets may fail to be
forwarded.
If both VRRP and static ARP are configured on a VLANIF interface, a Dot1q
termination sub-interface, a QinQ termination sub-interface, or an Ethernet interface on a
device, an IP address mapped to a static ARP entry cannot be used as a virtual IP
address. If a VRRP virtual IP address is an IP address mapped to a static ARP entry on
the device, the device generates incorrect host routes, affecting traffic forwarding.
The virtual MAC address of a VRRP group cannot be configured as a static or blackhole
MAC address.
In V200R008 and earlier versions, VRRP commands cannot be configured on subinterfaces.
A maximum of 24 VRRP groups can be configured on the S3700EI, and a maximum of

64 VRRP groups can be configured on other models. In later versions of V200R003, the
set vrrp max-group-number max-group-number command can be used to adjust the
maximum number of VRRP groups.
11.3 DLDP
Other network elements are required to support DLDP functions.
License Support
DLDP is a basic feature of a switch and is not under license control.
Version Support
Table 11-3 Products and minimum version supporting DLDP
Issue 11 (2016-07-22)
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

and V200R008.)

252

Switches
Series
Product
Minimum Version
Required
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5700HI

S5710HI

S3700
S5700
Issue 11 (2016-07-22)
11 Reliability

253

Switches
Series
S6700
11 Reliability
Product
Minimum Version
Required
S5720HI
V200R006
S5720SI/S5720S-SI
V200R008
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

DLDP cannot be configured on logical interfaces.
In earlier versions of V200R005, DLDP cannot be configured on Layer 3 interfaces.
In earlier versions of V200R005, DLDP cannot be configured on member interfaces of a
Layer 3 Eth-Trunk.
On the S2720EI, S2750EI, S5700LI, and S5700S-LI, DLDP can be enabled on a maximum of
128 interfaces.
11.4 Smart Link and Monitor Link

Other network elements are required to support Smart Link and Monitor Link functions.
License Support
Smart Link and Monitor Link are basic features of a switch and are not under license control.
Version Support
Table 11-4 Products and minimum version supporting Smart Link and Monitor Link
Issue 11 (2016-07-22)
Series
Product
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported

254

Switches
Series
S3700
S5700
Issue 11 (2016-07-22)
11 Reliability
Product
Minimum Version
Required
S2720EI
V200R006 (The S2720 is

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5700HI

S5710HI

S5720HI
V200R006
S5720SI/S5720S-SI
V200R008

255

Switches
11 Reliability
Series
Product
Minimum Version
Required
S6700
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

None.
11.5 MAC Swap Loopback

License Support
MAC swap loopback is a basic feature of a switch and is not under license control.
Version Support
Table 11-5 Products and minimum version supporting MAC swap loopback
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

and V200R008.)
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700
Issue 11 (2016-07-22)

256

Switches
Series
S5700
S6700
Issue 11 (2016-07-22)
11 Reliability
Product
Minimum Version
Required
S3700EI

S3700HI

S5700LI/S5700S-LI
V200R003
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5700HI

S5710HI

S5720HI
V200R006
S5720SI/S5720S-SI
V200R008
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

257

Switches
11 Reliability

l
The MAC swap loopback test cannot be used with the ACL (including the ACL used in
CAR, traffic statistics, and 802.1p priority re-marking) that matches the source and
destination MAC addresses of loopback test packets.
After ALS is configured on the S6700, MAC swap loopback becomes ineffective. When
MAC swap loopback needs to be configured on the S6700, do not configure ALS.
11.6 EFM
Other network elements are required to support EFM functions.
License Support
EFM is a basic feature of a switch and is not under license control.
Version Support
Table 11-6 Products and minimum version supporting EFM
Series
Product
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI
Not supported
S2700EI

S2710SI
Not supported
S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S3700
Issue 11 (2016-07-22)

258

Switches
11 Reliability
Series
Product
Minimum Version
Required
S5700
S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5700HI

S5710HI

S5720HI
V200R006
S5720SI/S5720S-SI
V200R008
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009
S6700

l
EFM cannot be configured on logical interfaces.
In earlier versions of V200R005, EFM cannot be configured on Layer 3 interfaces.
In earlier versions of V200R005, EFM cannot be configured on member interfaces of a

Layer 3 Eth-Trunk.
The S6720EI and S6720S-EI can only initiate EFM OAM remote loopback requests.
Issue 11 (2016-07-22)

259

Switches
11 Reliability
11.7 CFM
Other network elements are required to support CFM functions.
License Support
CFM is a basic feature of a switch and is not under license control.
Version Support
Table 11-7 Products and minimum version supporting CFM
Series
Product
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI
Not supported
S2700EI

S2710SI
Not supported
S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S3700
S5700
Issue 11 (2016-07-22)

260

Switches
Series
S6700
11 Reliability
Product
Minimum Version
Required
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5700HI

S5710HI

S5720HI
V200R006
S5720SI/S5720S-SI
V200R008
S6700EI
Not supported
S6720EI
V200R008
S6720S-EI
V200R009

The S5700HI is inapplicable to the scenario where one MEP is configured at the local end and
multiple RMEPs are configured at the remote end.
11.8 Y.1731
Other network elements are required to support Y.1731 functions.
License Support
Y.1731 is a basic feature of a switch and is not under license control.
Issue 11 (2016-07-22)

261

Switches
11 Reliability
Version Support
Table 11-8 Products and minimum version supporting Y.1731
Series
Product
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI
Not supported
S3700EI

S3700HI

S5700LI/S5700S-LI
V200R003
S5710-C-LI
Not supported
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5700HI

S5710HI

S3700
S5700
Issue 11 (2016-07-22)

262

Switches
Series
S6700
11 Reliability
Product
Minimum Version
Required
S5720HI
V200R006
S5720SI/S5720S-SI
V200R008
S6700EI
Not supported
S6720EI
V200R008
S6720S-EI
V200R009

l
The device supports AIS only when CFM is configured to work in standard mode.
The S5700SI does not support proactive one-way or two-way frame delay measurement.
By default, the S2720, S2750, S5700EI, S5700LI, S5710-X-LI, S5720SI, S5720S-SI,

and S5700S-LI do not trust any packet priorities. Before running the packet-priority
command to configure the 802.1p priority of 802.1ag packets in an MA, run the trust
command to configure the priority to be trusted.
If there are high requirements for Y.1731 performance, the S5700HI series is
recommended.
Issue 11 (2016-07-22)

263

Switches
12
12 User Access and Authentication
User Access and Authentication
About This Chapter

12.1 AAA
12.2 NAC (Common Mode)
This section provides the points of attention when configuring NAC.
12.3 NAC (Unified Mode)
12.4 Policy Association
This section provides the points of attention when configuring policy association.
Issue 11 (2016-07-22)

264

Switches
12.1 AAA
Table 12-1 Components involved in AAA networking
Role
Product Model
Description
AAA server
Huawei servers or thirdparty AAA servers
Performs authentication,
accounting, and
authorization on users.
License Support
AAA is a basic feature of a switch and is not under license control.
Version Support
Table 12-2 Products and minimum version supporting AAA
Series
Product
Minimum Version
Required
S1700
S1720GFR

and V200R008.)
S2700
S2700SI/S2700EI
V100R005 (The S2700SI

versions.)
S2710SI

S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI/S3700EI
V100R005 (The S3700SI

versions.)
S3700HI

S3700
Issue 11 (2016-07-22)

265

Switches
Series
Product
Minimum Version
Required
S5700
S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700EI/S5700SI
V100R005 (The S5700SI

versions.)
S5710EI

S5720EI
V200R007
S5700HI

S5710HI

S5720HI
V200R006
S5720SI/S5720S-SI
V200R008
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009
S6700

To prevent data transmission risks between the device and the RADIUS or HWTACACS
server, you are advised to deploy the device and RADIUS or HWTACACS server in a
security domain.
12.2 NAC (Common Mode)

Issue 11 (2016-07-22)

266

Switches

Table 12-3 Components involved in NAC networking
Role
Product Model
Description
AAA server
accounting, and
Portal server
Huawei servers or thirdparty Portal servers
Receives authentication
requests from Portal clients,
provides free portal services
and an interface based on
web authentication, and
exchanges authentication
information of the
authentication clients with
access devices.
This component is required
only in external Portal
NOTE
When Huawei's Agile Controller functions as the server, the minimum version required is V100R001C00.
If a Huawei switch needs to function as a DHCP server and assign IP addresses to terminals based on the
static MAC-IP binding relationship delivered by the Agile Controller, the switch must run V200R009C00 or a
later version, and the Agile Controller must run V100R002C00SPC105 or a later version.
License Support
NAC is a basic feature of the device and is not under license control.
Version Support
Table 12-4 Products and minimum version supporting NAC
Issue 11 (2016-07-22)
Series
Product Model
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

and V200R008.)
S2700
S2700SI
Not supported
S2700EI


267

Switches
Series
S3700
S5700
S6700
Issue 11 (2016-07-22)
Product Model
Minimum Version
Required
S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI/S3700EI
V100R005 (The S3700SI

versions.)
S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700EI/S5700SI
V100R005 (The S5700SI

versions.)
S5710EI

S5720EI
V200R007
S5700HI

S5710HI

S5720HI
V200R006
S5720SI/S5720S-SI
V200R008
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

268

Switches

l
The common NAC mode does not apply to wireless users. To use NAC to control
wireless user access, switch the NAC configuration mode to unified mode.
NAC can be implemented for users in a VPN, but not for users with the same IP
addresses in different VPNs.
NAC authentication cannot be enabled both on a Layer 2 Ethernet interface and the
VLANIF interface of the VLAN to which the Layer 2 Ethernet interface belongs.
It is recommended that you do not enable authentication and configure authenticationrelated parameters on a Layer 2 Ethernet interface and the VLANIF interface of the
VLAN to which the Layer 2 Ethernet interface belongs, respectively.
In 802.1x authentication, if there is a Layer 2 switch between the 802.1x-enabled device

and users, the 802.1x authentication packet transparent transmission function must be
enabled on the Layer 2 switch. Otherwise, the users cannot pass authentication.
In V200R005, when NAC is configured on the main interface, service functions on its
sub-interface are affected.
During LNP negotiation, NAC users cannot go online before the interface link type
becomes stable. If the interface link type is negotiated again and the negotiation result
changes, the online NAC users are forced to go offline.
In the current version, terminals using MAC address authentication do not support
switching between IPv4 and IPv6. To ensure that a terminal can normally obtain an IP
address after passing the authentication, you are advised to enable either IPv4 or IPv6 on
the terminal.
If a terminal uses Portal authentication or combined authentication (including Portal

authentication), the device cannot authorize a VLAN to the terminal.
If a terminal obtains an IP address using DHCP, you need to manually trigger the DHCP
process to request an IP address after VLAN-based authorization is successful or the
authorization VLAN changes.
When the remark (user group view) and voice-vlan remark commands are used
together to modify the user packet priority in V200R008, if the services conflict:
For S5720HI, the priority configured using the remark (user group view)
For S5720EI and S6720EI, the priority configured using the voice-vlan remark
For the S1720, S2750EI, S5700LI/S5700S-LI, S5710-C-LI, S5710-X-LI, S5700SI, and

S5720SI/S5720S-SI, simplified ACLs and traffic classification rules in traffic policies
have higher priorities than rules defined in NAC configuration. If configurations in
simplified ACLs or traffic policies conflict with the NAC function, the device processes
packets based on configurations in simplified ACLs and traffic behaviors in traffic
policies.
If the S2720, S2750, S5700-10P-LI-AC, or S5700-10P-PWR-LI-AC functions as a

Layer 3 gateway and NAC is enabled on physical interfaces configured with Layer 3
services, you must enable Layer 3 hardware forwarding for IPv4 packets. For details
about how to configure Layer 3 hardware forwarding for IPv4 packets, see Configuring
Layer 3 Hardware Forwarding of IPv4 Packets.
Only MAC address authentication users who send packets with double VLAN tags
support ISP VLAN authorization in the Layer 2 BNG scenario. MAC address
Issue 11 (2016-07-22)

269

Switches
authentication users who send packets with single VLAN tags do not support ISP VLAN
authorization in the Layer 2 BNG scenario.
l
The number of NAC users cannot exceed the maximum number of MAC address entries
supported by the switch.
12.3 NAC (Unified Mode)


Role
Product Model
Description
AAA server
accounting, and
Portal server
information of the
access devices.
NOTE
License Support
NAC is a basic feature of the device and is not under license control.
Issue 11 (2016-07-22)

270

Switches
Version Support
Table 12-6 Products and minimum version supporting NAC
Series
Product Model
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

and V200R008.)
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI

and V200R008.)
S2750EI
V200R005
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
V200R005
S5710-C-LI
Not supported
S5710-X-LI
V200R008
S5700EI/S5700SI
V200R005 (The S5700SI

versions.)
S5710EI

S5720EI
V200R007
S5700HI

S5710HI

S5720HI
V200R006
S5720SI/S5720S-SI
V200R008
S3700
S5700
Issue 11 (2016-07-22)

271

Switches
Series
Product Model
Minimum Version
Required
S6700
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
If a terminal has both IPv4 and IPv6 addresses, only the IPv4 address can be used for
user detection and update of the user entry corresponding to the IPv6 address. The IPv6
address cannot be used for update of the user entry corresponding to the IPv4 address.
NAC can be implemented for users in a VPN, but not for users with the same IP
addresses in different VPNs.
NAC authentication cannot be enabled both on a Layer 2 Ethernet interface (or WLANESS interface or VAP profile) and the VLANIF interface of the VLAN to which the
Layer 2 Ethernet interface (or WLAN-ESS interface or VAP profile) belongs.
In versions earlier than V200R009C00 (that is, before NAC modular configuration is
supported), it is recommended that you do not enable authentication and configure
authentication-related parameters on a Layer 2 Ethernet interface (or WLAN-ESS
interface) and the VLANIF interface of the VLAN to which the Layer 2 Ethernet
interface (or WLAN-ESS interface) belongs, respectively.
After Portal authentication and MAC address authentication are configured on a

VLANIF interface, PPPoE authentication cannot be configured on the interface.
In V200R005, when NAC is configured on the main interface, service functions on its
sub-interface are affected.
During LNP negotiation, NAC users cannot go online before the interface link type
becomes stable. If the interface link type is negotiated again and the negotiation result
changes, the online NAC users are forced to go offline.
In V200R007 and later versions, the authorization VLAN function is not supported after
users join pre-connections in policy association and SVF scenarios.
In versions earlier than V200R007, the switch can directly process protocol packets sent
to it before a user is successfully authenticated, and no authentication-free rule is
required. In V200R007 and later versions, an authentication-free rule must be configured
only when DNS protocol packets are sent to the S5720HI for processing.
If the user ACL specified in the traffic-filter inbound acl acl-number command or the
user ACL delivered by the authentication server is incorrectly configured to block all
user traffic, the switch cannot be connected and network-side protocols such as OSPF
and BGP are interrupted.
The configuration notes about authorization are as follows:
Issue 11 (2016-07-22)
If the authentication server authorizes multiple attributes to the device and the
attributes overlap, the authorized attributes take effect based on the minimum
authorization rule.
272

Switches
For example, the authentication server authorizes a VLAN and a service scheme to
the device, and VLAN parameters are configured in the service scheme on the
device, the VLAN authorized by the authentication server takes effect.
The authorization priority of the authentication server is higher than that in the
authentication domain. If the attribute authorized by the authentication server and
that authorized by the authentication domain conflict, the attribute authorized by the
authentication server takes effect. If the attribute authorized by the authentication
server and that authorized by the authentication domain do not conflict, both
attributes take effect.
For example, user VLAN 20 is configured in service scheme A on the device, and
service scheme A is bound to the user authentication domain. After the user
authentication succeeds, the authentication server authorizes VLAN 10 to the
device. In this scenario, the attribute authorized by the authentication server takes
effect preferentially. Assume that traffic policing is configured in service scheme A
on the device, and service scheme A is bound to the user authentication domain.
After the user authentication succeeds, the authentication server authorizes VLAN
10 to the device. In this scenario, both the attribute authorized by the authentication
server and that authorized by the authentication domain take effect.
If a terminal uses Portal authentication or combined authentication (including Portal

authentication), the device cannot authorize a VLAN to the terminal.
If a terminal obtains an IP address using DHCP, you need to manually trigger the
DHCP process to request an IP address after VLAN-based authorization is
successful or the authorization VLAN changes.
If the direct forwarding mode is used, the device does not support UCL group-based
authorization for wireless users.
In 802.1x authentication, if there is a Layer 2 switch between the 802.1x-enabled device

and users, the 802.1x authentication packet transparent transmission function must be
enabled on the Layer 2 switch. Otherwise, the users cannot pass authentication.
In the current version, terminals using MAC address authentication do not support
switching between IPv4 and IPv6. To ensure that a terminal can normally obtain an IP
address after passing the authentication, you are advised to enable either IPv4 or IPv6 on
the terminal.
If the S2720, S2750, S5700-10P-LI-AC, or S5700-10P-PWR-LI-AC functions as a

Layer 3 gateway and NAC is enabled on physical interfaces configured with Layer 3
services, you must enable Layer 3 hardware forwarding for IPv4 packets. For details
about how to configure Layer 3 hardware forwarding for IPv4 packets, see Configuring
Layer 3 Hardware Forwarding of IPv4 Packets.
Only MAC address authentication users who send packets with double VLAN tags
support ISP VLAN authorization in the Layer 2 BNG scenario. MAC address
authentication users who send packets with single VLAN tags do not support ISP VLAN
authorization in the Layer 2 BNG scenario.
The number of NAC users cannot exceed the maximum number of MAC address entries
supported by the switch.
In an inter-AC roaming scenario, the NAC configurations of the two ACs must be the
same.
On the S5720HI, you must configure a terminal with one MAC address and multiple IP
addresses as a static user and enable the function of identifying static users through IP
addresses so that the terminal can go online and obtain authorization information.
Models excluding the S5720HI do not support authentication for terminals with one
MAC address and multiple IP addresses.
Issue 11 (2016-07-22)

273

Switches
12.4 Policy Association

This section provides the points of attention when configuring policy association.

Role
Product Model
Description
AAA server
accounting, and
Portal server
information of the
access devices.
NOTE
License Support
Policy association is a basic feature of a switch and is not under license control.
Version Support
Table 12-8 Products and minimum version supporting policy association
Issue 11 (2016-07-22)
Series
Product
Minimum Version
Required
S1700
S1720GFR
Not supported
S2700
S2700SI
Not supported

274

Switches
Series
S3700
S5700
S6700
Product
Minimum Version
Required
S2700EI
Not supported
S2710SI
Not supported
S2720EI
V200R009
S2750EI
V200R007
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
V200R007
S5710-C-LI
Not supported
S5710-X-LI
V200R008
S5700SI
Not supported
S5700EI
Not supported
S5710EI
Not supported
S5720EI
V200R007
S5700HI
Not supported
S5710HI
Not supported
S5720HI
V200R007
S5720SI/S5720S-SI
V200R008
S6700EI
Not supported
S6720EI/S6720S-EI
V200R009

l
Issue 11 (2016-07-22)
Before deploying the policy association solution, you need to understand hardware
requirements such as models of control devices and access devices. Table 12-9 describes
the hardware requirements of policy association.

275

Switches
Table 12-9 Hardware requirements

Role
Model
Remarks
Control device
l S12700
A control device can be a

single device or a cluster
of two devices or a stack
of multiple devices.
l S9700
l S7700
l S6720EI
l S6720S-EI
l S5720HI
Access device
l S2720EI
l S2750EI
l S5700LI
l S5700S-LI
l S5710-X-LI
An access device can be a

single device or a stack of
multiple devices. The
devices in a stack must
have the same model and
interface type.
l S5720EI
l S5720SI
l S5720S-SI
l S6720EI
l S6720S-EI
l E600
Policy association allows a user gateway to function as the control device. In addition,
only policy association between the control device and access devices is supported, and
configuration association is not supported.
Policy association is applicable only to wired users and does not allow online users to
switch from one access device or access interface to another.
Policy association is not supported on an IPv6 network, in which authentication cannot

be triggered through DHCPv6 or ND packets.
In policy association, the management VLAN of a CAPWAP tunnel connects access

devices to the network. It is not recommended to perform other service configurations
except basic configurations in the management VLAN and the corresponding VLANIF
interface. If such configurations are performed, access devices may fail to connect to the
network.
The information about the control point is as follows:
Issue 11 (2016-07-22)
The control point can be configured on a Layer 2 physical interface or VLANIF

interface. When the VLANIF interface is configured as the NAC authentication
interface, the VLANIF interface and its mapping physical interface must be
configured as control points. However, NAC authentication cannot be configured
on the physical interface.
The information about NAC authentication is as follows:
Policy association is supported only in the NAC unified mode.
Policy association does not support internal Portal, PPPoE authentication, Layer 3
Portal authentication, and access mode multi-share.
276

Switches
Policy association cannot be configured on some interface of the access device

when local authentication is configured on other interfaces of the access device.
In policy association, the user authentication method depends on the authentication

method and sequence configured on the control device.
In policy association, users cannot go online when NAC authentication is

configured on the control device, not on the access device. It is recommended that
authentication users and non-authentication users be divided into different VLANs
in networking and the authentication free rules be configured based on the VLANs
to allow the access of authentication-free users.
In policy association, to enable users to obtain some network rights before

authentication succeeds, perform the following operations: Run the free-rule ruleid destination any source any command on the access device to enable all network
access rights for the users. Then run the authentication event action authorize
command on the control device to configure the network access rights for the users
before authentication succeeds.
The information about the name of an access device is as follows:
Issue 11 (2016-07-22)
The actual name of an access device may differ from the name displayed on the
control device (using the display as all command). When an access device goes
online, its name is processed as follows:
n
If the access device uses the default name, its name is changed to default
name-MAC address of the access device on the control device.
If the access device name contains spaces or double quotation masks ("), the
spaces are changed to en dashes and the double quotation masks (") are
changed to single quotation masks (') on the control device.
The name of an access device is case-insensitive. The access device names viewed
on the control device are in lowercase letters. If the name of an access device is not
changed on the control device when the access device attempts to go online, the
access device fails to go online and a name conflict alarm is generated. If the name
of an access device is set to be the same as the actual access device name when the
access device is properly running, a name conflict alarm is generated and the access
device will not go offline.

277

Switches
13 Security
13
Security
About This Chapter

13.1 ACL
13.2 Local Attack Defense
13.3 MFF
13.4 Attack Defense
13.5 Traffic Suppression and Storm Control
13.6 ARP Security
13.7 Port Security
13.8 DHCP Snooping
13.9 ND Snooping
13.10 PPPoE+
13.11 IPSG
13.12 SAVI
13.13 URPF
13.14 Keychain
13.15 MPAC
Issue 11 (2016-07-22)

278

Switches
13 Security
13.1 ACL
License Support
ACL is a basic feature of a switch and is not under license control.
Version Support
Table 13-1 Products and minimum version supporting ACL
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

and V200R008.)
S2700
S2700SI
Not supported
S2700EI

S2710SI

S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S3700
S5700
Issue 11 (2016-07-22)

279

Switches
Series
S6700
13 Security
Product
Minimum Version
Required
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
If an ACL rule that you want to create already exists, the system does not create the rule
again.
Repeated ACL names can only be used between basic ACL and basic ACL6, and
between advanced ACL and advanced ACL6.
The match order of an ACL affects packet matching results. Therefore, consider the
match order when configuring rules. If the match-order parameter is not specified when
you create an ACL, the default match order config is used.
When the first rule of an ACL is created without the rule-id parameter specified, the
device uses the step value as the rule ID. If an ACL has the rules with manually
Issue 11 (2016-07-22)

280

Switches
13 Security
configured IDs and a new rule is added without the rule-id parameter specified, the
system allocates the minimum multiple of the step value which is greater than the largest
rule ID in the ACL to this new rule. In addition, a rule ID must be an integer. This rule is
located at the bottom of the ACL. For example, an ACL contains rule 5 and rule 12, and
the default step is 5. When a new rule needs to be added to the ACL, the system allocates
ID 15 to this new rule (15 is greater than 12 and is the minimum multiple of 5).
l
If the rule-id parameter is not specified when you configure an ACL6, the device
automatically allocates rule IDs. The allocated rule IDs start from 0 and increase by 1
each time a rule is created. If a rule ID is in use, the next one is allocated. For example, if
an ACL6 contains rule 0, rule 1, and rule 3, the system allocates 2 to a new rule when the
rule-id is not manually specified.
An ACL rule cannot be bound to a nonexistent time range.
To associate a time range with an ACL rule, ensure that the system time of the device is
the same as that of other devices on the network; otherwise, the rule cannot take effect.
When the source source-address source-wildcard or destination destination-address

destination-wildcard parameter is specified in a rule, the IP address wildcard mask
(source-wildcard or destination-wildcard) is an inverse mask similar to the IP address
inverse subnet mask.
If the vpn-instance vpn-instance-name parameter is not specified for an ACL rule, the
device matches the packets of both public and private networks.
Apply an ACL to a correct direction of an interface. If an ACL is applied to an inbound

direction of an interface, the device matches the packets received by this interface
against ACL rules; if an ACL is applied to an outbound direction of an interface, the
device matches the packets sent by this interface against ACL rules.
If the specified rule ID already exists and the new rule conflicts with the original rule,
the new rule replaces the original rule.
When you use the undo rule command to delete an ACL rule, the rule ID must exist. If
the rule ID is unknown, use the display acl command to view the rule ID.
The undo rule command deletes an ACL rule even if the ACL rule is referenced. (If a
simplified traffic policy references a specified rule in an ACL, this command does not
take effect.) Exercise caution when you run the undo rule command.
To configure the ACL resource allocation mode for an S5720HI, run the assign
resource-template acl-mode command.
Table 13-2 ACL specifications in different resource allocation modes
Issue 11 (2016-07-22)
Resource
Allocation Mode
Number of IPv4
ACLs
Number of IPv6
ACLs
Number of Layer
2 ACLs
dual-ipv4-ipv6
16K
8K
16K
l2-ipv4
32K
32K
l2-ipv6
16K
16K
l2
64K
ipv4
64K

281

Switches
13 Security
13.2 Local Attack Defense

License Support
Local attack defense is a basic feature of a switch and is not under license control.
Version Support
Table 13-3 Products and minimum version supporting local attack defense
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

S2700
S2700SI

S2700EI

S2710SI

S2720EI

S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S3700
S5700
Issue 11 (2016-07-22)

282

Switches
Series
S6700
13 Security
Product
Minimum Version
Required
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

The attack source tracing function of local attack defense is valid to only IPv4 packets.
The user-level rate limiting is available in the S5720HI of V200R009.
It is recommended that you disable user-level rate limiting on the network-side interfaces of
an access switch and a gateway switch. The user-level rate limiting is enabled on interfaces by
default.
Issue 11 (2016-07-22)

283

Switches
13 Security
13.3 MFF
License Support
MFF is a basic feature of a switch and is not under license control.
Version Support
Table 13-4 Products and minimum version supporting MFF
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

and V200R008.)
S2700
S2700SI
Not supported
S2700EI

S2710SI

S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S3700
S5700
Issue 11 (2016-07-22)

284

Switches
Series
S6700
13 Security
Product
Minimum Version
Required
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

MFF can be enabled in a maximum of 64 VLANs on the S6720EI, S6720S-EI, S5720HI and
S5720EI, and 32 VLANs on other models.
When the number of MFF-enabled VLANs reaches the limit, the MFF function can still be
enabled in other VLANs if there are ample ACL resources on the device.
13.4 Attack Defense

Issue 11 (2016-07-22)

285

Switches
13 Security

License Support
Attack defense is a basic feature of a switch and is not under license control.
Version Support
Table 13-5 Products and minimum version supporting attack defense
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI

S2750EI
V200R003
S3700SI
Not supported
S3700EI
Not supported
S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S3700
S5700
Issue 11 (2016-07-22)

286

Switches
Series
S6700
13 Security
Product
Minimum Version
Required
S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

None
13.5 Traffic Suppression and Storm Control

License Support
Traffic suppression and storm control are basic features of a switch and are not under license
control.
Issue 11 (2016-07-22)

287

Switches
13 Security
Version Support
Table 13-6 Products and minimum version supporting traffic suppression and storm control
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

and V200R008.)
S2700
S2700SI

S2700EI

S2710SI

S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S3700
S5700
Issue 11 (2016-07-22)

288

Switches
Series
S6700
13 Security
Product
Minimum Version
Required
S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

Features Supported by the Device
Table 13-7 describes the traffic suppression and storm control features supported by the
device.
Table 13-7 Features supported by the device
View
Traffic Suppression and Storm Control

Features Supported by the Device
Interface view
l Traffic suppression for broadcast,

unknown multicast, and unknown
unicast packets
l Storm control for broadcast, unknown
multicast, and unknown unicast packets
l Traffic suppression for ICMP packets
VLAN view
Traffic suppression for broadcast packets
Difference between Traffic Suppression and Storm Control

Issue 11 (2016-07-22)

289

Switches
13 Security
Traffic suppression and storm control prevent broadcast storms caused by broadcast, unknown
multicast, and unknown unicast packets. However, they use different methods to control
traffic:
l
In traffic suppression, rate thresholds are configured for three types of incoming packets
on interfaces. The system discards the traffic exceeding the threshold and forwards the
traffic within the threshold. In this way, the system limits the traffic rate in an acceptable
range. In addition, traffic suppression can block outgoing packets on interfaces.
In storm control, rate thresholds are configured for three types of incoming packets only
on interfaces. When the traffic exceeds the threshold, the system rejects the packets of
this particular type on the interface or shuts down the interface.
NOTE
For incoming packets of the same type on an interface, you can configure either traffic suppression or
storm control.
13.6 ARP Security

License Support
ARP security is a basic feature of a switch and is not under license control.
Version Support
Table 13-8 Products and minimum version supporting ARP security
Issue 11 (2016-07-22)
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

S2700
S2700SI
Not supported
S2700EI

S2710SI

S2720EI

S2750EI
V200R003

290

Switches
Series
Product
Minimum Version
Required
S3700
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009
S5700
S6700
Issue 11 (2016-07-22)
13 Security

291

Switches
13 Security

When resources are sufficient, DAI can be enabled in a maximum of 10 VLANs.
13.7 Port Security

License Support
Port security is a basic feature of a switch and is not under license control.
Version Support
Table 13-9 Products and minimum version supporting port security
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

and V200R008.)
S2700
S2700SI
Not supported
S2700EI

S2710SI
Not supported
S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S3700
Issue 11 (2016-07-22)

292

Switches
13 Security
Series
Product
Minimum Version
Required
S5700
S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700EI

S5700SI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009
S6700

l
An interface can learn only one secure MAC address by default. Set the maximum
number of secure MAC addresses according to actual networking.
Port security cannot be used with RRPP, Smart Link, SEP, or ERPS on the same
interface; otherwise, RRPP, Smart Link, SEP, or ERPS cannot eliminate loops.
Issue 11 (2016-07-22)

293

Switches
13 Security
13.8 DHCP Snooping

License Support
DHCP snooping is a basic feature of a switch and is not under license control.
Version Support
Table 13-10 Products and minimum version supporting DHCP snooping
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

S2700
S2700SI
Not supported
S2700EI

S2710SI

S2720EI

S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S3700
S5700
Issue 11 (2016-07-22)

294

Switches
Series
S6700
13 Security
Product
Minimum Version
Required
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

When configuring DHCP snooping on a device, pay attention to the following points:
l
If the number of online users on the device reaches the maximum number of entries in
the DHCP snooping binding table, the offline users cannot go online.
On an S5720HI, the DHCP snooping function applies to wired users only.
13.9 ND Snooping
Issue 11 (2016-07-22)

295

Switches
13 Security

License Support
ND snooping is a basic feature of a switch and is not under license control.
Version Support
Table 13-11 Products and minimum version supporting ND snooping
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

S2700
S2700SI
Not supported
S2700EI

S2710SI
Not supported
S2720EI

S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S3700
S5700
Issue 11 (2016-07-22)

296

Switches
Series
S6700
13 Security
Product
Minimum Version
Required
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

ND snooping and adding double tags to untagged packets cannot be configured together on
the S1720GFR, S2720EI, S2750EI, S5700LI, S5700S-LI, S5710-C-LI, S5710-X-LI, S5720SI,
or S5720S-SI.
13.10 PPPoE+
License Support
PPPoE+ is a basic feature of a switch and is not under license control.
Issue 11 (2016-07-22)

297

Switches
13 Security
Version Support
Table 13-12 Products and minimum version supporting PPPoE+
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

S2700
S2700SI
Not supported
S2700EI

S2710SI
Not supported
S2720EI

S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S3700
S5700
Issue 11 (2016-07-22)

298

Switches
Series
S6700
13 Security
Product
Minimum Version
Required
S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

None
13.11 IPSG
License Support
IPSG is a basic feature of a switch and is not under license control.
Version Support
Table 13-13 Products and minimum version supporting IPSG
Issue 11 (2016-07-22)
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

S2700
S2700SI
Not supported

299

Switches
Series
S3700
S5700
Issue 11 (2016-07-22)
13 Security
Product
Minimum Version
Required
S2700EI

S2710SI

S2720EI

S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI


300

Switches
Series
S6700
13 Security
Product
Minimum Version
Required
S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
After hardware-based Layer 3 forwarding for IPv4 packets is enabled on an S2750EI,

S5700-10P-LI-AC, or S5700-10P-PWR-LI-AC in V200R008C00, an IPSG binding table
can be configured, but the IPSG function is not supported.
After hardware-based Layer 3 forwarding for IPv4 packets is enabled on an S2720EI,

S2750EI, S5700-10P-LI-AC, or S5700-10P-PWR-LI-AC in V200R009C00, an IPSG
binding table can be configured, but the IPSG function is not supported.
13.12 SAVI
License Support
SAVI is a basic feature of a switch and is not under license control.
Version Support
Table 13-14 Products and minimum version supporting SAVI
Issue 11 (2016-07-22)
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

S2700
S2700SI
Not supported
S2700EI
Not supported

301

Switches
Series
S3700
S5700
S6700
Issue 11 (2016-07-22)
13 Security
Product
Minimum Version
Required
S2710SI
Not supported
S2720EI

S2750EI
V200R003
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
V200R002
S5710-C-LI
Not supported
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

302

Switches
13 Security

SAVI and adding double tags to untagged packets cannot be configured together on the
S1720GFR, S2720EI, S2750EI, S5700LI, S5700S-LI, S5710-X-LI, S5720SI, or S5720S-SI.
Before configuring the SAVI function, complete the following tasks:
l
Enable ND snooping, DHCPv6 snooping, and IP source guard if invalid IPv6 data
packets need to be filtered out.
Configuring ND Packet Validity Check if invalid ND protocol packets need to be filtered

out.
Configuring Defense Against Bogus DHCP Message Attacks if invalid DHCPv6

protocol packets need to be filtered out.
13.13 URPF
License Support
Unicast Reverse Path Forwarding (URPF) is a basic feature of a switch and is not under
license control.
Version Support
Table 13-15 Products and minimum version supporting URPF
Series
Product
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI
Not supported
S3700HI

S5700LI/S5700S-LI
Not supported
S3700
S5700
Issue 11 (2016-07-22)

303

Switches
Series
S6700
13 Security
Product
Minimum Version
Required
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

None.
13.14 Keychain
Issue 11 (2016-07-22)

304

Switches
13 Security
License Support
Keychain is a basic feature of a switch and is not under license control.
Version Support
Table 13-16 Products and minimum version supporting Keychain
Series
Product
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700SI
Not supported
S5700EI
Not supported
S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
Not supported
S5700HI

S5710HI

S5720HI
V200R006
S3700
S5700
Issue 11 (2016-07-22)

305

Switches
13 Security
Series
Product
Minimum Version
Required
S6700
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

The keychain only manages authentication algorithms and keys and takes effect only after it is
applied to an application.
13.15 MPAC
License Support
MPAC is a basic feature of a switch and is not under license control.
Version Support
Table 13-17 Products and minimum version supporting MPAC
Series
Product
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
Not supported
S3700
S5700
Issue 11 (2016-07-22)

306

Switches
Series
S6700
13 Security
Product
Minimum Version
Required
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700SI
Not supported
S5700EI
Not supported
S5710EI
Not supported
S5720EI
V200R009
S5720SI/S5720S-SI
Not supported
S5700HI
Not supported
S5710HI
Not supported
S5720HI
V200R009
S6700EI
Not supported
S6720EI
V200R009
S6720S-EI
V200R009

None
Issue 11 (2016-07-22)

307

Switches
14 QoS
14
QoS
About This Chapter

14.1 MQC
14.2 Priority Mapping
14.3 Traffic Policing, Traffic Shaping, and Interface-based Rate Limiting
14.4 Congestion Avoidance and Congestion Management
14.5 ACL-based Simplified Traffic Policy
14.6 HQoS
Issue 11 (2016-07-22)

308

Switches
14 QoS
14.1 MQC
License Support
MQC is a basic feature of a switch and is not under license control.
Version Support
Table 14-1 describes the products and minimum version supporting MQC.
Table 14-1 Products and minimum version supporting MQC
Series
Product
Minimum Version
Required
S1700
S1720GFR

and V200R008.)
S2700
S2700SI
Not supported
S2700EI

S2710SI

S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S3700
S5700
Issue 11 (2016-07-22)

309

Switches
Series
S6700
14 QoS
Product
Minimum Version
Required
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
Issue 11 (2016-07-22)
Table 14-2 describes the specifications of MQC.

310

Switches
14 QoS
Table 14-2 Specifications of MQC

Item
Specification
Maximum number of traffic classifiers
l Earlier versions of V100R006: 255

l V100R006 to V200R002: 256
l V200R003 and later versions: 512
Maximum number of if-match rules in a

traffic classifier
1024
Maximum number of traffic behaviors
256
Maximum number of traffic policies
256
Maximum number of traffic classifiers

bound to a traffic policy
256
If the ACL rule matches the VPN instance name of packets, the ACL-based traffic policy
fails to be delivered.
When permit and other actions are configured in a traffic behavior, these actions are
performed in sequence. The deny action conflicts with other actions in a traffic behavior.
When deny is configured, other configured actions, except traffic statistics collection
and flow mirroring, do not take effect.
If you specify a packet filtering action for packets matching an ACL rule, the system first
checks the action defined in the ACL rule. If the ACL rule defines permit, the action
taken for the packets depends on whether deny or permit is specified in the traffic
behavior. If the ACL rule defines deny, the packets are discarded regardless of whether
deny or permit is configured in the traffic behavior. If a non-packet-filtering action is
specified for packets matching an ACL rule that defines deny, the packets are discarded,
and the action specified in the traffic classifier, except disabling MAC address learning,
traffic statistics collection and flow mirroring, does not take effect.
The remark 8021p inner-8021p command applies only to the inbound direction.
If a traffic policy containing remark 8021p is applied to the outbound direction on an

interface, the VLAN of the interface must work in tagged mode.
The MAC address specified in a destination MAC address re-marking action must be a
unicast MAC address.
If a traffic policy containing remark vlan-id is applied to the outbound direction on an

interface, the VLAN of the interface must work in tagged mode.
A traffic policy containing remark 8021p inner-8021p, remark local-precedence,

remark ip-precedence, or remark destination-mac cannot be applied to the outbound
direction.
In V200R005 and later versions, a traffic policy containing redirect cpu allows the
device to redirect the traffic matching traffic classification rules to the CPU, affecting
system performance. Exercise caution when you apply such a traffic policy.
In V200R006 and earlier versions, if traffic is redirected to an interface in Down state,

traffic is dropped on the interface and cannot be switched to the original forwarding path.
In V200R007 and later versions, if traffic is redirected to an interface in Down state and
forced is specified in the redirection command, traffic is dropped on the interface and
cannot be switched to the original forwarding path. If forced is not specified, the
redirection action does not take effect.
Issue 11 (2016-07-22)

311

Switches
14 QoS
A traffic policy can be applied to the system, a VLAN, or an interface. When a traffic
policy needs to be applied in multiple views, apply the traffic policy in the interface
view, VLAN view, and system view in sequence.
When packets match multiple traffic policies, the following rules apply:
If traffic classification rules in the traffic policies are of the same type (all userdefined ACL rules, Layer 2 rules, or Layer 3 rules), only one traffic policy takes
effect. The precedence of the traffic policies depends on the objects to which they
are applied: interface > VLAN > global. That is, the traffic policy applied to an
interface has the highest priority, whereas the traffic policy applied to the system
has the lowest priority. When different traffic policies are applied in the same view,
the precedence of the policies depends on the configuration sequence.
On the S5700EI, S5700HI, S5710EI, S5710HI, S5720EI, S5720HI, and S6700: If

traffic classification rules in the traffic policies are of different types and the actions
do not conflict, all the traffic policies take effect. If actions conflict, the precedence
of the traffic policies depends on precedence of rules in the policies: Layer 2 rule +
Layer 3 rule > Layer 3 rule > Layer 2 rule > user-defined ACL rule.
On the S5720SI, S5720S-SI, S5710-X-LI, S5710-C-LI, S5700SI, S5700LI,

S5700S-LI, S2750EI, S2720EI, and S1720GFR: If traffic classification rules in the
traffic policies are of different types, only one traffic policy takes effect. The
precedence of the traffic policies depends on the objects to which they are applied:
interface > VLAN > global. That is, the traffic policy applied to an interface has the
highest priority, whereas the traffic policy applied to the system has the lowest
priority. If traffic policies apply to the same object, the traffic policy that contains
the rule with the highest priority takes effect.
It is recommended that you configure traffic policies in descending order of priority;

otherwise, traffic policies may not take effect immediately. For details about traffic
classification rules, see Traffic classification rules in Introduction to MQC.
l
Applying traffic policies consumes ACL resources. If there are no sufficient ACL
resources, some traffic policies may fail to be applied. For example, if an if-match rule in
a traffic policy occupies one ACL, M ACL resources will be used to apply the traffic
policy to M interfaces. When a traffic policy is applied to L VLANs, L ACLs are
occupied. When a traffic policy is applied to the system, one ACL is occupied. Table
14-3 describes the ACL resource usage of if-match rules.
Table 14-3 ACLs occupied by traffic classification rules
Traffic Classification Rule
ACL Resource Usage
if-match vlan-id start-vlan-id [ to endvlan-id ] (S5720SI, S5720S-SI, S5710-XLI, S5710-C-LI, S5700SI, S5700EI,
S5700LI, S5700S-LI, S2750EI, S2720EI,
and S1720GFR)
Rules are delivered according to the

VLAN ID range, and multiple ACLs are
occupied. You can run the display acl
division start-id to end-id command to
check how ACL resources are used in a
specified VLAN range.
if-match cvlan-id start-vlan-id [ to endvlan-id ] [ vlan-id vlan-id ] (S5700EI,

S5700HI, S5710EI, S5710HI, S5720EI,
S5720HI, and S6700)
Issue 11 (2016-07-22)

312

Switches
14 QoS
Traffic Classification Rule
ACL Resource Usage
if-match acl { acl-number | acl-name }
Uplink: When the range resources are

exhausted (there are 32 ranges for each
card), rules containing range port-start
port-end are delivered and multiple ACLs
are occupied. Each rule containing tcpflag established occupies two ACLs.(In
V200R006 and later versions, the uplink
ACL resource usage on the S5720HI is
similar to the downlink ACL resource
usage.)
if-match ipv6 acl { acl-number | aclname }
Downlink: Rules containing range portstart port-end are delivered according to

the port number range, and multiple
ACLs are occupied. In other situations,
one rule occupies one ACL. You can run
the display acl division start-id to end-id
command to check how ACL resources
are used in a specified port number range.
Other if-match rules
Each rule occupies one ACL resource.
14.2 Priority Mapping

License Support
Priority mapping is a basic feature of a switch and is not under license control.
Version Support
Table 14-4 describes the products and minimum version supporting priority mapping.
Table 14-4 Products and minimum version supporting priority mapping
Issue 11 (2016-07-22)
Series
Product
Minimum Version
Required
S1700
S1720GFR

and V200R008.)
S2700
S2700SI


313

Switches
Series
S3700
S5700
Issue 11 (2016-07-22)
14 QoS
Product
Minimum Version
Required
S2700EI

S2710SI

S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI


314

Switches
Series
S6700
14 QoS
Product
Minimum Version
Required
S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

None.
14.3 Traffic Policing, Traffic Shaping, and Interface-based

Rate Limiting
License Support
Traffic policing, traffic shaping, and interface-based rate limiting are basic features of the
switch, and are not under license control.
Version Support
Table 14-5 describes the products and minimum version supporting traffic policing and traffic
shaping.
Table 14-5 Products and minimum version supporting traffic policing and traffic shaping
Issue 11 (2016-07-22)
Series
Product
Minimum Version
Required
S1700
S1720GFR

and V200R008.)
S2700
S2700SI
Not supported

315

Switches
Series
14 QoS
Product
Minimum Version
Required
S2700EI

S2710SI
Traffic policing: V100R006

Traffic shaping: not
supported
NOTE
The S2710SI is unavailable in
S3700
S5700
Issue 11 (2016-07-22)
S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008

316

Switches
Series
S6700
14 QoS
Product
Minimum Version
Required
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009
Table 14-6 describes the products and minimum version supporting interface-based rate
limiting.
Table 14-6 Products and minimum version supporting interface-based rate limiting
Series
Product
Minimum Version
Required
S1700
S1720GFR

and V200R008.)
S2700
S2700SI

NOTE
interface-base rate limiting in
the inbound direction.
S2700EI

S2710SI

NOTE
interface-base rate limiting in
the inbound direction.
Issue 11 (2016-07-22)

317

Switches
Series
S3700
S5700
Issue 11 (2016-07-22)
14 QoS
Product
Minimum Version
Required
S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006

318

Switches
14 QoS
Series
Product
Minimum Version
Required
S6700
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
Table 14-7 describes traffic policing, traffic shaping, and interface-based rate limiting
supported by different switch models.
Table 14-7 Traffic policing, traffic shaping, and interface-based rate limiting supported
by different switch models
Issue 11 (2016-07-22)
Device
Model
MQCbased
Traffic
Policing
Hierarchic
al Traffic
Policing
Queuebased
Traffic
Shaping
Inbound
Interfacebased
Rate
Limiting
Outbound
Interfacebased
Rate
Limiting
S1720GFR
Supported
Not
supported
Supported
Supported
Supported
S2720EI
Supported
Not
supported
Supported
Supported
Supported
S2750EI
Supported
Not
supported
Supported
Supported
Supported
S5700LI/
S5700S-LI
Supported
Not
supported
Supported
Supported
Supported
S5710-X-LI
Supported
Not
supported
Supported
Supported
Supported
S5720HI
Supported
Supported
Supported
Supported
Supported
S5720EI
Supported
Supported
Supported
Supported
Supported
S5720SI/
S5720S-SI
Supported
Not
supported
Supported
Supported
Supported
S6720EI
Supported
Supported
Supported
Supported
Supported
S6720S-EI
Supported
Supported
Supported
Supported
Supported
To limit the rate of packets from different VLANs, configure rate limiting based on
VLAN IDs. When a traffic policy is applied to a VLAN, the traffic policy is valid for all
interfaces in the VLAN.
319

Switches
14 QoS
After rate limiting is configured on the device, the Internet access may be slow or packet
loss may occur on the downstream device. The rate limit needs to be set properly.
Traffic policing, traffic shaping, and interface-based rate limiting are valid only for data
packets and are invalid for protocol packets, so that the device performance is not
affected.
Traffic suppression in a VLAN, inbound interface-based rate limiting, traffic policy

containing rate limiting, and simplified ACL-based traffic policy containing rate limiting
share CAR resources of the device. When CAR resources are insufficient, some of the
preceding functions may fail to be configured. Run the display acl resource [ slot slotid ] command to view the usage of CAR resources.
The inbound traffic statistics takes effect before interface-based rate limiting. That is,
you cannot check whether interface-based rate limiting takes effect according to the
traffic statistics. Run the display qos statistics interface interface-type interface-number
inbound command on the S5720EI, S5720HI, S6720EI, and S6720S-EI to view traffic
statistics after rate limiting is configured.
When traffic policing and another flow action are defined in different traffic behaviors of
the same traffic policy and priorities of matching traffic classifiers are different, if
packets match multiple traffic classifiers, only the action corresponding to the highpriority traffic classifier takes effect. In this case, rate limiting may fail.
14.4 Congestion Avoidance and Congestion Management

License Support
Congestion management and congestion avoidance are basic features of a switch and are not
under license control.
Version Support
Table 14-8 describes the products and minimum version supporting congestion management
and congestion avoidance.
Table 14-8 Products and minimum version supporting congestion management and
congestion avoidance
Issue 11 (2016-07-22)
Series
Product
Minimum Version
Required
S1700
S1720GFR

and V200R008.)

320

Switches
14 QoS
Series
Product
Minimum Version
Required
S2700
S2700SI
Congestion management:
Not supported
Congestion avoidance:
V100R006
NOTE
The S2700SI is unavailable in
S3700
S5700
Issue 11 (2016-07-22)
S2700EI

S2710SI

S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI


321

Switches
Series
S6700
14 QoS
Product
Minimum Version
Required
S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
Issue 11 (2016-07-22)
Table 14-9 lists the specifications of congestion management and congestion avoidance.

322

Switches
14 QoS
Table 14-9 Specifications of congestion management and congestion avoidance

Item
Specification
Maximum number of tail drop profiles
l S1720GFR in V200R006C10: 7
l S1720GFR in V200R009: 6
l S2720EI: 6
l S2750EI in V200R005 and later
versions: 6
l S5700SI in V200R005: 7
l S5700-10P-LI: 6
l Other S5700LI models except the
S5700-10P-LI in earlier versions than
V200R009: 7
l Other S5700LI models except the
S5700-10P-LI in V200R009: 6
l S5700S-LI in earlier versions than
V200R009: 7
l S5700S-LI in V200R009: 6
l S5710-X-LI in V200R008: 7
l S5710-X-LI in V200R009: 6
l S5720SI/S5720S-SI: 6
Maximum number of WRED drop

profiles
S5720EI, S5720HI, S6720EI, and

S6720S-EI: 64
14.5 ACL-based Simplified Traffic Policy

License Support
The ACL-based simplified traffic policy is a basic feature of a switch and is not under license
control.
Version Support
Table 14-10 describes the products and minimum version supporting the ACL-based
simplified traffic policy.
Issue 11 (2016-07-22)

323

Switches
14 QoS
Table 14-10 Products and minimum version supporting the ACL-based simplified traffic
policy
Series
Product
Minimum Version
Required
S1700
S1720GFR

and V200R008.)
S2700
S2700SI
Not supported
S2700EI

S2710SI

S2720EI

and V200R008.)
S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S3700
S5700
Issue 11 (2016-07-22)

324

Switches
Series
S6700
14 QoS
Product
Minimum Version
Required
S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
When multiple ACL-based simplified traffic policies are configured on an interface, in a

VLAN, or in the system and the ACL referenced by one ACL-based simplified traffic
policy changes, all ACL-based simplified traffic policies will become invalid
temporarily.
If the traffic-redirect (interface view) or traffic-redirect (system view) command is

executed to redirect traffic to an interface, you are advised to use ACL rules to match
Layer 2 traffic.
Outbound ACL-based packet filtering, traffic policing, re-marking, or traffic statistics on

an interface does not take effect on the S1720GFR, S2720EI, S2750, S5700LI, S5700SLI, S5710-X-LI, S5720SI, and S5720S-SI in the following situations:
Outbound ACL-based packet filtering, traffic policing, re-marking, or traffic

statistics is configured, and the ACL is based on VLAN IDs.
VLAN mapping is also configured on the interface, and the mapped VLAN ID is
the same as the VLAN ID in the ACL.
The S5720HI does not support simplified traffic policies based on user-defined ACLs.
If the ACL rule matches the VPN instance name of packets, the simplified ACL-based
traffic policy fails to be delivered.
14.6 HQoS
Issue 11 (2016-07-22)

325

Switches
14 QoS

License Support
HQoS is a basic feature of a switch and is not under license control.
Version Support
Only the S5720HI in V200R006 and later versions supports HQoS.

l
Table 14-11 describes the specifications of HQoS.

Table 14-11 Specifications of HQoS
Item
Specifications
Maximum number of flow queues
65528
Maximum number of subscriber queues
8191
Maximum number of flow queues for

which traffic statistics can be collected
16376
Maximum number of port queues
Maximum number of flow queue WRED

drop profiles
128
Maximum number of flow queue profiles
128
Maximum number of flow mapping

profiles
The device supports only HQoS in the outbound direction.
When each service flow of different users has the same priority, the device cannot
provide congestion management for service flows based on users.
Issue 11 (2016-07-22)

326

Switches
15
15 Network Management and Monitoring
Network Management and Monitoring
About This Chapter

15.1 SNMP
15.2 RMON
15.3 LLDP
15.4 Performance Management
15.5 iPCA
15.6 NQA
15.7 Service Diagnosis
15.8 Mirroring
15.9 Packet Capture
15.10 NetStream
15.11 sFlow
Issue 11 (2016-07-22)

327

Switches
15.1 SNMP
The switch needs to work with a network management system.
License Support
SNMP is a basic feature of a switch and is not under license control.
Version Support
Table 15-1 Products and minimum version supporting SNMP
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

S2700
S2700SI

S2700EI

S2710SI

S2720EI

S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S3700
S5700
Issue 11 (2016-07-22)

328

Switches
Series
S6700
Product
Minimum Version
Required
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

SNMPv1 does not support Inform traps, and Inform traps are not supported on IPv6 networks.
15.2 RMON
The switch needs to work with a network management system.
Issue 11 (2016-07-22)

329

Switches
License Support
RMON is a basic feature of a switch and is not under license control.
Version Support
Table 15-2 Products and minimum version supporting RMON
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

S2700
S2700SI

S2700EI

S2710SI

S2720EI

S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S3700
S5700
Issue 11 (2016-07-22)

330

Switches
Series
S6700
Product
Minimum Version
Required
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

If the alarm variables configured in RMON alarm function are MIB variables defined in the
statistics group or history group, the Ethernet or history statistics collection must be
configured on the monitored Ethernet interface first.
15.3 LLDP
License Support
LLDP is a basic feature of a switch and is not under license control.
Issue 11 (2016-07-22)

331

Switches
Version Support
Table 15-3 Products and minimum version supporting LLDP
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

S2700
S2700SI

S2700EI

S2710SI

S2720EI

S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S3700
S5700
Issue 11 (2016-07-22)

332

Switches
Series
S6700
Product
Minimum Version
Required
S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

By default, the device limits the rate of LLDP packets sent to the CPU. If the rate of LLDP
packets received from a neighbor within a short period exceeds the default CIR value, the
device discards the excess LLDP packets. As a result, the LLDP neighbor relationship cannot
be set up. The number of LLDP packets processed by the device per second is (CIR for LLDP
packets/Length of each LLDP packet). The LLDP packet length varies according to the type
of device sending the LLDP packets. You can modify the CIR for LLDP packets according to
the number of neighbors and rate of LLDP packets sent by the neighbors.
CPCAR values of LLDP packets, contact technical support personnel.
15.4 Performance Management

File server
License Support
Performance management is not under license control.
Issue 11 (2016-07-22)

333

Switches
Version Support
Table 15-4 Products and minimum version supporting performance management
Series
Product
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI/S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI/S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700EI/S5700SI
Not supported
S5710EI
Not supported
S5720EI
Not supported
S5720SI/S5720S-SI
Not supported
S5700HI
Not supported
S5710HI
Not supported
S5720HI
V200R006
S6700EI
Not supported
S6720EI
Not supported
S6720S-EI
Not supported
S3700
S5700
S6700

None.
15.5 iPCA
Other network elements also need to support iPCA.
Issue 11 (2016-07-22)

334

Switches
License Support
iPCA is a basic feature of a switch and is not under license control.
Version Support
Only the S5720HI in V200R006 or a later version supports iPCA.

l
A prerequisite for accurate network-level packet loss measurement is time

synchronization among all devices. Therefore, before configuring iPCA on edge devices
of a network, configure the Network Time Protocol (NTP) on the devices.
A prerequisite for accurate packet loss measurement on direct links is time

synchronization between the devices at two ends. Therefore, before configuring iPCA,
configure NTP on the devices at two ends.
You can specify target flows in network-level packet loss measurement, but not in
device-level packet loss measurement.
In the current version, the network-level packet loss measurement can take effect for
only known IP unicast packets but not unknown IP unicast packets. The measurement
result involving unknown IP unicast packets is inaccurate.
In the current version, packet loss measurement for direct links supports only IP unicast
packets.
In the current version, packet loss measurement for a device supports only IP unicast
packets.
Network-level hop-by-hop packet loss measurement cannot be configured for MPLS

VPN.
Network-level packet loss measurement is based on target flows. If the packet content is
modified (for example, NAT is performed on packets, packets are encapsulated in
tunnels, and packet priority is changed), the device cannot precisely match the packets,
so the measurement result may be inaccurate.
15.6 NQA
License Support
NQA is a basic feature of a switch and is not under license control.
Issue 11 (2016-07-22)

335

Switches
Version Support
Table 15-5 Products and minimum version supporting NQA
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

S2700
S2700SI

S2700EI

S2710SI

S2720EI

S2750EI
V200R003
S3700SI

S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S3700
S5700
Issue 11 (2016-07-22)

336

Switches
Series
S6700
Product
Minimum Version
Required
S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

l
If the number of running test instances reaches the maximum number supported by the
system, the start command will fail.
If you need to run the start now command for a test instance again, ensure that the last
operation has been complete.
If you specify that a test instance starts to run on schedule, ensure that the specified time
is later than the current system time; otherwise, the configuration is invalid.
15.7 Service Diagnosis

License Support
Service diagnosis is a basic feature of the device and is not under license control.
Issue 11 (2016-07-22)

337

Switches
Version Support
Table 15-6 Products and minimum version supporting service diagnosis
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI

S2750EI
V200R003
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
V200R003
S5710-C-LI
Not supported
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S3700
S5700
Issue 11 (2016-07-22)

338

Switches
Series
S6700
Product
Minimum Version
Required
S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

Service diagnosis affects system performance. Therefore, enable service diagnosis only when
fault locating is required. After locating faults, immediately run the undo trace enable
command to disable service diagnosis.
Users with different services have different attributes. Create diagnosis objects for different
services based on different attributes.
l
DHCP service: based on the MAC address.
AAA and NAC services: based on the MAC address, IP address, user name, user VLAN
ID, access mode, or interface number.
15.8 Mirroring
15.8.1 Involved Network Elements
The switch needs to work with a monitoring server. The mirroring server analyzes the
mirrored packets sent to it.
15.8.2 License Support

Mirroring is a basic feature of a switch and is not under license control.
15.8.3 Version Support

Table 15-7 Products and minimum version supporting mirroring
Issue 11 (2016-07-22)
Series
Product
S1700
S1720

in V200R007 and V200R008 versions.
Outbound traffic mirroring and remote
traffic mirroring are not supported.)

339

Switches
Series
Product
S2700
S2700SI

versions. Remote port mirroring, traffic
mirroring, MAC address mirroring,
and VLAN mirroring are not
supported.)
S2700EI

versions.)
S2710SI

versions. Remote port mirroring,
outbound traffic mirroring, remote
traffic mirroring, MAC address
mirroring, and VLAN mirroring are
not supported.)
S2720EI

V200R008 versions. Outbound traffic
mirroring and remote traffic mirroring
are not supported.)
S2750EI
V200R003 (Outbound traffic mirroring

and remote traffic mirroring are not
supported. Remote MAC address
mirroring is supported since
V200R005.)
S3700SI/S3700EI

versions. Outbound traffic mirroring is
not supported.)
S3700HI

not supported.)
S5700LI/S5700S-LI

supported. Remote VLAN mirroring is
supported since V200R002, and remote
MAC address mirroring is supported
since V200R005.)
S3700
S5700
Issue 11 (2016-07-22)

340

Switches
Series
Issue 11 (2016-07-22)
Product
S5710-C-LI

versions. Outbound traffic mirroring,
remote traffic mirroring, remote VLAN
mirroring and remote MAC address
mirroring are not supported.)
S5710-X-LI

supported.)
S5700SI

versions. Outbound traffic mirroring
supported. Remote VLAN mirroring is
supported since V200R002, and remote
MAC address mirroring is supported
since V200R005.)
S5720SI/S5720S-SI

supported.)
S5700EI
V100R005 (The S5700EI are

supported since V200R005.)
S5710EI

S5700HI

S5710HI

S5720EI
V200R007
S5720HI
V200R006 (MAC address mirroring

and VLAN mirroring are not
supported.)

341

Switches
Series
Product
S6700
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009
15.8.4 Number of Observing Ports

l
Configuration Modes
Observing ports can be configured one by one or in a batch since V200R005. The single
configuration and batch configuration modes can be used simultaneously. If multiple
observing ports are configured in a batch, these observing ports are bound to the same
mirrored port. Therefore, batch configuration simplifies the configuration of 1:N
mirroring. Figure 15-1 shows batch configuration of observing ports.
Figure 15-1 Configuring observing ports in a batch
Mirrored port
If multiple observing
ports are configured in a
batch, these observing
ports are bound to the
same mirrored port.
Observing ports
Inbound and outbound traffic of a

mirrored port
Calculating the Number of Remaining Observing Ports

The number of available observing ports is determined by the total number of observing
ports to which inbound and outbound packets on a mirrored port can be copied. The
numbers of observing ports to which inbound and outbound packets on a mirrored port
can be copied are calculated separately. When the inbound and outbound packets are
copied to the same observing port, the numbers of remaining observing ports for inbound
and outbound packets are both reduced by 1.
In Figure 15-2, a maximum of eight observing ports can be configured on an S5720EI.
Incoming packets on all the mirrored ports can be copied to a maximum of four
observing ports, and outgoing packets can be copied to a maximum of four observing
ports. If incoming and outgoing packets on the mirrored ports are copied to the same
observing port, the numbers of usable observing ports for incoming and outgoing packets
are both 3. Therefore, the number of usable observing ports is 6 (3 plus 3) but not 7 (8
minus 1).
Issue 11 (2016-07-22)

342

Switches
Figure 15-2 Usage of observing ports
Inbound and
outbound packets on
mirrored ports are
copied to the same
observing port.
Inbound packets are

copied to the same
observing port.
Inbound packets
on mirrored ports can
be copied to another
three observing ports.
Outbound packets
are copied to the
same observing port.
Outbound packets
on mirrored ports can
be copied to another
three observing ports.
Inbound and outbound traffic of

a mirrored port
Mirrored port
Observing port
Specifications
The following tables list the observing port specifications for different devices.
Issue 11 (2016-07-22)

343

Switches
Table 15-8 Observing port specifications for different devices in V200R003 versions
Device
Number of
Observing Ports to
Which Incoming
Packets on
Mirrored Ports
Can Be Copied
Number of
Observing
Ports to
Which
Outgoing
Packets on
Mirrored
Ports Can
Be Copied
Maximum
of
Observing
Ports
Supported
S2700SI
1
NOTE
Incoming
and
outgoing
packets on a
mirrored
port can
only be
copied to
the same
observing
port.
S2710SI
S2700EI
1
NOTE
Incoming
and
outgoing
packets on a
mirrored
port can
only be
copied to
the same
observing
port.
Issue 11 (2016-07-22)
S3700SI
S3700EI
S3700HI

344

Switches
Device
Number of
Observing Ports to
Which Incoming
Packets on
Mirrored Ports
Can Be Copied
Number of
Observing
Ports to
Which
Outgoing
Packets on
Mirrored
Ports Can
Be Copied
Maximum
of
Observing
Ports
Supported
S5700LI and S5700S-LI
1
NOTE
Incoming
and
outgoing
packets on a
mirrored
port can
only be
copied to
the same
observing
port.
S5710-C-LI
1
NOTE
Incoming
and
outgoing
packets on a
mirrored
port can
only be
copied to
the same
observing
port.
S5700SI
1
NOTE
Incoming
and
outgoing
packets on a
mirrored
port can
only be
copied to
the same
observing
port.
Issue 11 (2016-07-22)
S5700EI
S5710EI
S5700HI

345

Switches
Device
Number of
Observing Ports to
Which Incoming
Packets on
Mirrored Ports
Can Be Copied
Number of
Observing
Ports to
Which
Outgoing
Packets on
Mirrored
Ports Can
Be Copied
Maximum
of
Observing
Ports
Supported
S5710HI
S6700EI
1
NOTE
Incoming
and
outgoing
packets on a
mirrored
port can
only be
copied to
the same
observing
port.
Table 15-9 Observing port specifications for different devices in V200R005 to

V200R009 versions
Device
Number of
Observing Ports to
Which Incoming
Packets on
Mirrored Ports
Can Be Copied
Number of
Observing
Ports to
Which
Outgoing
Packets on
Mirrored
Ports Can
Be Copied
Maximum
of
Observing
Ports
Supported
S1720GFR
1
NOTE
Incoming
and
outgoing
packets on a
mirrored
port can
only be
copied to
the same
observing
port.
Issue 11 (2016-07-22)

346

Switches
Device
Number of
Observing Ports to
Which Incoming
Packets on
Mirrored Ports
Can Be Copied
Number of
Observing
Ports to
Which
Outgoing
Packets on
Mirrored
Ports Can
Be Copied
Maximum
of
Observing
Ports
Supported
S2720
1
NOTE
Incoming
and
outgoing
packets on a
mirrored
port can
only be
copied to
the same
observing
port.
S2750
1
NOTE
Incoming
and
outgoing
packets on a
mirrored
port can
only be
copied to
the same
observing
port.
S5700LI, S5700S-LI
1
NOTE
Incoming
and
outgoing
packets on a
mirrored
port can
only be
copied to
the same
observing
port.
Issue 11 (2016-07-22)

347

Switches
Device
Number of
Observing Ports to
Which Incoming
Packets on
Mirrored Ports
Can Be Copied
Number of
Observing
Ports to
Which
Outgoing
Packets on
Mirrored
Ports Can
Be Copied
Maximum
of
Observing
Ports
Supported
S5710-X-LI
1
NOTE
Incoming
and
outgoing
packets on a
mirrored
port can
only be
copied to
the same
observing
port.
S5700SI
1
NOTE
Incoming
and
outgoing
packets on a
mirrored
port can
only be
copied to
the same
observing
port.
S5720SI, S5720S-SI
1
NOTE
Incoming
and
outgoing
packets on a
mirrored
port can
only be
copied to
the same
observing
port.
Issue 11 (2016-07-22)
S5700EI
S5710EI
S5720EI

348

Switches
Issue 11 (2016-07-22)
Device
Number of
Observing Ports to
Which Incoming
Packets on
Mirrored Ports
Can Be Copied
Number of
Observing
Ports to
Which
Outgoing
Packets on
Mirrored
Ports Can
Be Copied
Maximum
of
Observing
Ports
Supported
S5700HI
S5710HI

349

Switches
Device
S5720HI
Number of
Observing Ports to
Which Incoming
Packets on
Mirrored Ports
Can Be Copied
l A maximum of
64 observing
ports can be
configured in a
batch, and you
can configure a
maximum of
eight batches.
Theoretically,
incoming packets
on mirrored ports
can be copied to a
maximum of 512
(8 x 64)
observing ports.
l If one observing
port is configured
each time, the
observing port
configuration can
be performed a
maximum of
eight times, and
incoming packets
on mirrored ports
can be copied to a
maximum of
eight observing
ports.
l When single
configuration and
batch
configuration are
both used, the
observing port
configuration can
be performed a
maximum of
eight times, and
the maximum
number of
Issue 11 (2016-07-22)

Number of
Observing
Ports to
Which
Outgoing
Packets on
Mirrored
Ports Can
Be Copied
l A
maximu
m of 64
observin
g ports
can be
configure
d in a
batch,
and you
can
configure
a
maximu
m of
eight
batches.
Theoretic
ally,
outgoing
packets
on
mirrored
ports can
be
copied to
a
maximu
m of 512
(8 x 64)
observin
g ports.
l If one
observin
g port is
configure
d each
time, the
observin
g port
configura
tion can
Maximum
of
Observing
Ports
Supported
l A
maximu
m of 64
observin
g ports
can be
configure
d in a
batch,
and you
can
configure
a
maximu
m of
eight
batches.
Theoretic
ally, a
maximu
m of 512
(8 x 64)
observin
g ports
can be
configure
d.
l If one
observin
g port is
configure
d each
time, the
observin
g port
configura
tion can
be
performe
da
maximu
m of
350

Switches
Device
Number of
Observing Ports to
Which Incoming
Packets on
Mirrored Ports
Can Be Copied
observing ports to
which incoming
packets on
mirrored ports
can be copied
ranges between 8
and 512.
Number of
Observing
Ports to
Which
Outgoing
Packets on
Mirrored
Ports Can
Be Copied
be
performe
da
maximu
m of
eight
times,
and
outgoing
packets
on
mirrored
ports can
be
copied to
a
maximu
m of
eight
observin
g ports.
l When
single
configura
tion and
batch
configura
tion are
both
used, the
observin
g port
configura
tion can
be
performe
da
maximu
m of
eight
times,
and the
Issue 11 (2016-07-22)

Maximum
of
Observing
Ports
Supported
eight
times,
and a
maximu
m of
eight
observin
g ports
can be
configure
d.
l When
single
configura
tion and
batch
configura
tion are
both
used, the
observin
g port
configura
tion can
be
performe
da
maximu
m of
eight
times,
and the
maximu
m
number
of
observin
g ports
ranges
between
8 and
512.
351

Switches
Number of
Observing Ports to
Which Incoming
Packets on
Mirrored Ports
Can Be Copied
Device
Number of
Observing
Ports to
Which
Outgoing
Packets on
Mirrored
Ports Can
Be Copied
Maximum
of
Observing
Ports
Supported
maximu
m
number
of
observin
g ports to
which
outgoing
packets
on
mirrored
ports can
be
copied
ranges
between
8 and
512.
Issue 11 (2016-07-22)
S6700EI
X (X 4)
4-X (X 4)
S6720EI, S6720S-EI
X (X 4)
4-X (X 4)

352

Switches
Table 15-10 Observing port specifications for different devices in V200R010 and later
versions
Device
Number of
Observing Ports to
Which Incoming
Packets on
Mirrored Ports
Can Be Copied
Number of
Observing
Ports to
Which
Outgoing
Packets on
Mirrored
Ports Can
Be Copied
Maximum
of
Observing
Ports
Supported
S1720GFR
6
NOTE
Incoming
and
outgoing
packets on a
mirrored
port can
only be
copied to
the same
observing
port.
S2720
6
NOTE
Incoming
and
outgoing
packets on a
mirrored
port can
only be
copied to
the same
observing
port.
S2750
6
NOTE
Incoming
and
outgoing
packets on a
mirrored
port can
only be
copied to
the same
observing
port.
Issue 11 (2016-07-22)

353

Switches
Number of
Observing Ports to
Which Incoming
Packets on
Mirrored Ports
Can Be Copied
Number of
Observing
Ports to
Which
Outgoing
Packets on
Mirrored
Ports Can
Be Copied
Maximum
of
Observing
Ports
Supported
S5700LI, S5700S-LI, S5720LI,

S5720S-LI
S5710-X-LI
Device
NOTE
Incoming
and
outgoing
packets on a
mirrored
port can
only be
copied to
the same
observing
port.
6
NOTE
Incoming
and
outgoing
packets on a
mirrored
port can
only be
copied to
the same
observing
port.
S5720SI, S5720S-SI
6
NOTE
Incoming
and
outgoing
packets on a
mirrored
port can
only be
copied to
the same
observing
port.
S5720EI
Issue 11 (2016-07-22)

354

Switches
Device
S5720HI
Number of
Observing Ports to
Which Incoming
Packets on
Mirrored Ports
Can Be Copied
l A maximum of
64 observing
ports can be
configured in a
batch, and you
can configure a
maximum of
eight batches.
Theoretically,
incoming packets
on mirrored ports
can be copied to a
maximum of 512
(8 x 64)
observing ports.
l If one observing
port is configured
each time, the
observing port
configuration can
be performed a
maximum of
eight times, and
incoming packets
on mirrored ports
can be copied to a
maximum of
eight observing
ports.
l When single
configuration and
batch
configuration are
both used, the
observing port
configuration can
be performed a
maximum of
eight times, and
the maximum
number of
Issue 11 (2016-07-22)

Number of
Observing
Ports to
Which
Outgoing
Packets on
Mirrored
Ports Can
Be Copied
l A
maximu
m of 64
observin
g ports
can be
configure
d in a
batch,
and you
can
configure
a
maximu
m of
eight
batches.
Theoretic
ally,
outgoing
packets
on
mirrored
ports can
be
copied to
a
maximu
m of 512
(8 x 64)
observin
g ports.
l If one
observin
g port is
configure
d each
time, the
observin
g port
configura
tion can
Maximum
of
Observing
Ports
Supported
l A
maximu
m of 64
observin
g ports
can be
configure
d in a
batch,
and you
can
configure
a
maximu
m of
eight
batches.
Theoretic
ally, a
maximu
m of 512
(8 x 64)
observin
g ports
can be
configure
d.
l If one
observin
g port is
configure
d each
time, the
observin
g port
configura
tion can
be
performe
da
maximu
m of
355

Switches
Device
Number of
Observing Ports to
Which Incoming
Packets on
Mirrored Ports
Can Be Copied
observing ports to
which incoming
packets on
mirrored ports
can be copied
ranges between 8
and 512.
Number of
Observing
Ports to
Which
Outgoing
Packets on
Mirrored
Ports Can
Be Copied
be
performe
da
maximu
m of
eight
times,
and
outgoing
packets
on
mirrored
ports can
be
copied to
a
maximu
m of
eight
observin
g ports.
l When
single
configura
tion and
batch
configura
tion are
both
used, the
observin
g port
configura
tion can
be
performe
da
maximu
m of
eight
times,
and the
Issue 11 (2016-07-22)

Maximum
of
Observing
Ports
Supported
eight
times,
and a
maximu
m of
eight
observin
g ports
can be
configure
d.
l When
single
configura
tion and
batch
configura
tion are
both
used, the
observin
g port
configura
tion can
be
performe
da
maximu
m of
eight
times,
and the
maximu
m
number
of
observin
g ports
ranges
between
8 and
512.
356

Switches
Number of
Observing Ports to
Which Incoming
Packets on
Mirrored Ports
Can Be Copied
Device
Number of
Observing
Ports to
Which
Outgoing
Packets on
Mirrored
Ports Can
Be Copied
Maximum
of
Observing
Ports
Supported
maximu
m
number
of
observin
g ports to
which
outgoing
packets
on
mirrored
ports can
be
copied
ranges
between
8 and
512.
S6720EI, S6720S-EI
X (X 4)
4-X (X 4)
15.8.5 1:N Mirroring

l
Concept
1:N mirroring copies packets on one mirrored port to N observing ports, as shown in
Figure 15-3.
Figure 15-3 1:N mirroring
Mirrored port
Observing ports

mirrored port
Issue 11 (2016-07-22)

357

Switches
NOTE
For 1:N port mirroring, N means that packets in each direction (inbound or outbound) on a mirrored
port can be mirrored to N observing ports.
For 1:N traffic mirroring, N means that a traffic mirroring behavior bound to a traffic classifier contains
N observing ports that are configured in a batch. That is, to implement 1:N traffic mirroring, the traffic
behavior must specify an observing port group.
For 1:N VLAN mirroring or MAC address mirroring, N means that the observing port group bound to
the inbound direction of a VLAN contains N observing ports. That is, to implement 1:N VLAN
mirroring or MAC address mirroring, you must bind an observing port group to the inbound direction
of a VLAN.
This section provides the specifications of 1:N port mirroring. The N values of other 1:N mirroring
features are the same as those of 1:N port mirroring.
Specifications
Huawei S series fixed switches of V200R003 and earlier versions do not support 1:N
mirroring.
Table 15-11 lists the 1:N mirroring specifications in the inbound and outbound directions
for different devices in V200R005 and later versions. The 1:N mirroring specifications
include the numbers of observing ports to which incoming and outgoing packets on a
mirrored port can be copied.
Table 15-11 1:N mirroring specifications in the inbound and outbound directions of
different devices in V200R005 and later versions
Device
Issue 11 (2016-07-22)
Number of Observing
Ports for Incoming
Packets on a Mirrored
Port
Number of
Observing
Ports for
Outgoing
Packets on a
Mirrored Port
S1720
NA (Incoming packets on
a mirrored port can only
be copied to one
observing port.)
NA (Outgoing
packets on a
mirrored port
can only be
copied to one
observing port.)
S2720
be copied to one
observing port.)
NA (Outgoing
packets on a
mirrored port
can only be
copied to one
observing port.)
S2750
be copied to one
observing port.)
NA (Outgoing
packets on a
mirrored port
can only be
copied to one
observing port.)

358

Switches
Number of Observing
Ports for Incoming
Port
Device
Issue 11 (2016-07-22)
Number of
Observing
Ports for
Outgoing
Packets on a
Mirrored Port
S5700LI, S5700S-LI
be copied to one
observing port.)
NA (Outgoing
packets on a
mirrored port
can only be
copied to one
observing port.)
S5710-X-LI
be copied to one
observing port.)
NA (Outgoing
packets on a
mirrored port
can only be
copied to one
observing port.)
S5700SI
be copied to one
observing port.)
NA (Outgoing
packets on a
mirrored port
can only be
copied to one
observing port.)
S5720SI, S5720S-SI
be copied to one
observing port.)
NA (Outgoing
packets on a
mirrored port
can only be
copied to one
observing port.)
S5700EI
be copied to one
observing port.)
NA (Outgoing
packets on a
mirrored port
can only be
copied to one
observing port.)
S5710EI
S5720EI
S5700HI
S5710HI

359

Switches
Device
S5720HI
Number of Observing
Ports for Incoming
Port
l A maximum of 64
observing ports can be
configured in a batch,
you can configure a
maximum of eight
batches, and the
observing ports
configured in a batch
cannot be used for the
packets in the same
direction (inbound or
outbound) on the same
mirrored port.
Theoretically,
incoming packets on a
mirrored port can be
copied to a maximum
of 64 observing ports.
l Each port can be
configured as an
observing port for a
maximum of eight
times, and observing
ports cannot be used
for the packets in the
same direction
(inbound or outbound)
on the same mirrored
port. Therefore,
incoming packets on a
mirrored port can be
copied to a maximum
of one observing port.
l When observing ports
are configured one by
one and in a batch
simultaneously, the
configured observing
ports cannot be used
for the packets in the
same direction
(inbound or outbound)
on the same mirrored
port.
Issue 11 (2016-07-22)

Number of
Observing
Ports for
Outgoing
Packets on a
Mirrored Port
l A maximum
of 64
observing
ports can be
configured
in a batch,
you can
configure a
maximum of
eight
batches, and
the
observing
ports
configured
in a batch
cannot be
used for the
packets in
the same
direction
(inbound or
outbound)
on the same
mirrored
port.
Theoreticall
y, outgoing
packets on a
mirrored
port can be
copied to a
maximum of
64
observing
ports.
l Each port
can be
configured
as an
observing
port for a
maximum of
eight times,
and
360

Switches
Number of Observing
Ports for Incoming
Port
Device
Number of
Observing
Ports for
Outgoing
Packets on a
Mirrored Port
observing
ports cannot
be used for
the packets
in the same
direction
(inbound or
outbound)
on the same
mirrored
port.
Therefore,
outgoing
packets on a
mirrored
port can be
copied to a
maximum of
one
observing
port.
l When
observing
ports are
configured
one by one
and in a
batch
simultaneou
sly, the
configured
observing
ports cannot
be used for
the packets
in the same
direction
(inbound or
outbound)
on the same
mirrored
port.
Issue 11 (2016-07-22)
S6700EI
Y (Y 4)
4-Y (Y 4)
S6720EI, S6720S-EI
Y (Y 4)
4-Y (Y 4)

361

Switches
NOTE
In 1:N mirroring, if you configure either incoming or outgoing packets to be copied from a
mirrored port to multiple observing ports in batches, the packets cannot be copied to other
observing ports.
15.8.6 N:1 Mirroring

N:1 mirroring copies packets on N mirrored ports to one observing port, as shown in Figure
15-4.
Figure 15-4 N:1 mirroring
Mirrored ports
Observing port
Inbound and outbound traffic of

a mirrored port
In N:1 mirroring, the number of mirrored ports is not limited. For example, N:1 port mirroring
allows incoming or outgoing packets on multiple mirrored ports to be copied to the same
observing port.
15.8.7 M:N Mirroring

M:N mirroring copies packets on M mirrored ports to N observing ports.
An M:N mirroring rule is equivalent to multiple 1:N mirroring rules, as shown in Figure
15-5. The number of mirrored packets is not limited, and the number of observing ports is the
same as that in 1:N mirroring.
Figure 15-5 M:N mirroring
Mirrored ports
Observing ports

mirrored port
Issue 11 (2016-07-22)

362

Switches
15.8.8 Limitations
l
Issue 11 (2016-07-22)
Support for the mirroring function:
Only the S5710EI, S5720EI, S5700HI, S5710HI, S5720HI, S6700EI, S6720S-EI,

and S6720EI series switches support 1:N mirroring in V200R005 and later
versions.
All switch models support N:1 mirroring.
Only the S5710EI, S5720EI, S5700HI, S5710HI, S5720HI, S6700EI, S6720S-EI,

and S6720EI series switches support M:N mirroring in V200R005 and later
versions.
In a stack, packets can be mirrored from one member switch to another.
Packets mirrored to an observing port cannot be mirrored again in the same device.
The S5720HI does not support VLAN mirroring or MAC address mirroring. You
can configure traffic mirroring with traffic classification rules VLAN ID and MAC
address.
On the S5700LI, S5700S-LI, S5710-C-LI, S5710-X-LI, S5700SI, S5720SI,

S5720S-SI, S5720HI, S1720, S2720, S2750, a physical port cannot be configured
as an observing port and mirrored port simultaneously.
Since V200R005, all the models, except S1720, S2720, S2750, S5700S-LI,
S5700LI, S5710-C-LI, S5710-X-LI, S5700SI, S5720S-SI, S5720SI, and S5700EI,
allow Eth-Trunk interfaces to be configured as observing ports.
Notes about mirroring of outgoing packets:
VLAN mirroring and MAC address mirroring do not apply to outgoing packets.
On switches of versions earlier than V200R005, S5700EI, S6700EI, S6720EI, and

S6720S-EI of V200R005 and later versions, the copy of outgoing packets may be
different from the original packets because the mirroring operation is performed
before other forwarding operations on the original packets. For example, if the
DSCP value of the original packets needs to be changed, the copied packets are
different from the original packets because they have been copied to the observing
port before the change.
On a switch that supports outbound mirroring (except S5720EI and S5720HI),

outbound mirroring conflicts with other traffic behaviors. That is, after outbound
mirroring is configured on a port, other traffic behaviors cannot be configured on
the port.
Other configuration notes:
Observing ports are only used to forward mirrored traffic, so you are advised not to
configure other services on observing ports. If other services are configured on
observing ports, mirrored traffic and other service traffic on the observing ports
may affect each other.
If mirroring is configured on a device, too many mirrored packets occupy much

internal forwarding bandwidth and affect other services. If mirrored ports and
observing ports provide different bandwidth, for example, 1000 Mbit/s on mirrored
ports and 100 Mbit/s on observing ports, observing ports may fail to forward all
mirrored packets in a timely manner because of insufficient bandwidth. As a result,
packet loss will occur.
When configuring Layer 2 remote port mirroring, you are not advised to perform
other service configuration in the VLAN associated with the observing port, that is,
the VLAN used to transmit mirrored packets to the monitoring device.
363

Switches
On the S5700LI, S5700S-LI, S5710-C-LI, S5710-X-LI, S5700SI, S5720SI,

S5720S-SI, S1720, S2720, S2750, both port mirroring and traffic mirroring take
effect if they are configured simultaneously for the same packets. On other switch
models, traffic mirroring takes precedence over port mirroring.
An observing port in blocked state can still forward mirrored packets.
During the traffic mirroring configuration, the deny parameter cannot be configured
in the ACL referenced in a traffic classifier. To mirror only specified service
packets, configure the permit parameter in the ACL.
15.9 Packet Capture

License Support
Packet capture is a basic feature of a switch and is not under license control.
Version Support
Table 15-12 Products and minimum version supporting packet capture
Series
Product
Minimum Version
Required
S1700
S1720
V200R006 (The S1720 is

S2700
S2700SI

S2700EI

S2710SI

S2720EI

S2750EI
V200R003
S3700SI

S3700
Issue 11 (2016-07-22)

364

Switches
Series
S5700
S6700
Issue 11 (2016-07-22)
Product
Minimum Version
Required
S3700EI

S3700HI

S5700LI/S5700S-LI
V200R001
S5710-C-LI

V200R002 and later
versions.)
S5710-X-LI
V200R008
S5700SI

S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
V200R006
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

365

Switches

l
The packet capture configuration is not saved in the configuration file, and becomes
invalid after a packet capture instance is complete.
Different packet capture instances cannot be executed simultaneously. That is, a new
packet capture instance can be executed only when the previous one is complete.
Fast ICMP reply packets cannot be captured.
The 802.1ag and VBST packets cannot be captured.
15.10 NetStream
The switch needs to work with a NetStream server.
License Support
NetStream is a basic feature of a switch and is not under license control.
Version Support
Table 15-13 Products and minimum version supporting NetStream
Series
Product
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI
Not supported
S2700EI
Not supported
S2710SI
Not supported
S2720EI
Not supported
S2750EI
Not supported
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
Not supported
S5710-C-LI
Not supported
S5710-X-LI
Not supported
S5700SI
Not supported
S5700EI
Not supported
S3700
S5700
Issue 11 (2016-07-22)

366

Switches
Series
S6700
Product
Minimum Version
Required
S5710EI

S5720EI
Not supported
S5720SI/S5720S-SI
Not supported
S5700HI

S5710HI

S5720HI
V200R006
S6700EI
Not supported
S6720EI
Not supported
S6720S-EI
Not supported

Only V9 supports the NetStream interface index mapping function.
15.11 sFlow
The switch needs to work with an sFlow server.
License Support
sFlow is a basic feature of a switch and is not under license control.
Version Support
Table 15-14 Products and minimum version supporting sFlow
Issue 11 (2016-07-22)
Series
Product
Minimum Version
Required
S1700
S1720
Not supported
S2700
S2700SI
Not supported

367

Switches
Series
S3700
S5700
S6700
Issue 11 (2016-07-22)
Product
Minimum Version
Required
S2700EI
Not supported
S2710SI
Not supported
S2720EI

S2750EI
V200R003
S3700SI
Not supported
S3700EI
Not supported
S3700HI
Not supported
S5700LI/S5700S-LI
V200R003
S5710-C-LI
Not supported
S5710-X-LI
V200R008
S5700SI
Not supported
S5700EI

S5710EI

S5720EI
V200R007
S5720SI/S5720S-SI
V200R008
S5700HI

S5710HI

S5720HI
Not supported
S6700EI

S6720EI
V200R008
S6720S-EI
V200R009

368

Switches

Flow and Counter sampling can only take effect on physical interfaces. In addition, they
cannot take effect on Eth-Trunk, but can take effect on member interfaces of an Eth-Trunk.
Issue 11 (2016-07-22)

369

Switches
16 Free Mobility
16
Free Mobility
About This Chapter

16.1 Free Mobility
This section provides the points of attention when configuring free mobility.
Issue 11 (2016-07-22)

370

Switches
16 Free Mobility
16.1 Free Mobility

This section provides the points of attention when configuring free mobility.

Table 16-1 Involved network element of free mobility
Function
Switch Version
Agile Controller Version
Free Mobility 1.0
V200R006C00&V200R007
C00
V100R001C00
Free Mobility 2.0
V200R008C00 and later

versions
V100R002C00 and later

versions
NOTE
To use the free mobility function on a VPN, connect switches in V200R008C00 and later versions to the
Agile Controller in V100R002C00 and later versions.
License Support
Free mobility is a basic feature of the switch and is not under license control.
Version Support
NOTE
To use the free mobility function on a VPN, connect switches in V200R008C00 and later versions to the
Agile Controller in V100R002C00 and later versions.
Table 16-2 Products and minimum version supporting free mobility

Product Series
Product
Minimum Version
Required
S5700
S5720HI
V200R006C00

l
Issue 11 (2016-07-22)
Before configuring free mobility on the switch, configure one or more combinations of
802.1x authentication, MAC address authentication, or Portal authentication in NAC
unified mode. For details, see NAC Configuration (Unified Mode) in the
371

Switches
16 Free Mobility
S1720&S2700&S5700&S6720 Series Ethernet Switches Configuration Guide - User

Access and Authentication.
l
Issue 11 (2016-07-22)
When the controller delivers a UCL group name that is not supported by the switch, the
switch cannot parse the group name. A UCL group name that can be supported by the
switch must be consistent with the value of group-name in the ucl-group group-index
[ name group-name ] command.

372

S1720&amp;S2700&amp;S3700&amp;S5700&amp;S6700 Product Use Precautions

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

S1720&amp;S2700&amp;S3700&amp;S5700&amp;S6700 Product Use Precautions

Uploaded by

Copyright:

Available Formats

S1720&S2700&S3700&S5700&S6700 Series

Product Use Precautions

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2016. All rights reserved.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Huawei Industrial Base

Huawei Proprietary and Confidential

S1720&S2700&S3700&S5700&S6700 Series Ethernet

About This Document

About This Document

Data configuration engineers

Network monitoring engineers

System maintenance engineers

Huawei Proprietary and Confidential

S1720&S2700&S3700&S5700&S6700 Series Ethernet

About This Document

NOTE is used to address information not

The keywords of a command line are in boldface.

Command arguments are in italics.

Items (keywords or arguments) in brackets [ ] are optional.

Optional items are grouped in braces and separated by

Optional items are grouped in brackets and separated by

Optional items are grouped in braces and separated by

Optional items are grouped in brackets and separated by

The parameter before the & sign can be repeated 1 to n

A line starting with the # sign is comments.

Interface Numbering Conventions

S1720&S2700&S3700&S5700&S6700 Series Ethernet

About This Document

Huawei Proprietary and Confidential

S1720&S2700&S3700&S5700&S6700 Series Ethernet

About This Document

Changes in Issue 11 (2016-07-22)

Changes in Issue 10 (2016-06-30)

Changes in Issue 09 (2016-05-20)

Changes in Issue 08 (2015-12-10)

Changes in Issue 07 (2015-10-23)

Changes in Issue 06 (2015-07-31)

Changes in Issue 05 (2015-06-12)

Changes in Issue 04 (2015-04-30)

Changes in Issue 03 (2015-02-12)

Changes in Issue 02 (2015-01-15)

Changes in Issue 01 (2014-10-25)

Huawei Proprietary and Confidential

S1720&S2700&S3700&S5700&S6700 Series Ethernet

2 Device Management .................................................................................................................. 12

Huawei Proprietary and Confidential

S1720&S2700&S3700&S5700&S6700 Series Ethernet

4.18 LBDT........................................................................................................................................................................ 112

6 IP Unicast Routing.................................................................................................................... 141

Huawei Proprietary and Confidential

S1720&S2700&S3700&S5700&S6700 Series Ethernet

12 User Access and Authentication........................................................................................... 264

Huawei Proprietary and Confidential

S1720&S2700&S3700&S5700&S6700 Series Ethernet

15 Network Management and Monitoring ............................................................................. 327

Huawei Proprietary and Confidential

S1720&S2700&S3700&S5700&S6700 Series Ethernet

16 Free Mobility ........................................................................................................................... 370

Huawei Proprietary and Confidential

S1720&S2700&S3700&S5700&S6700 Series Ethernet

About This Chapter

Huawei Proprietary and Confidential

S1720&S2700&S3700&S5700&S6700 Product Use Precautions

S1720&S2700&S3700&S5700&S6700 Product Use Precautions