V200R009
Issue 06
Date 2019-04-30
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://e.huawei.com
Intended Audience
This document provides the basic concepts, configuration procedures, and configuration
examples of the LAN services supported by the device.
This document is intended for:
• Data configuration engineers
• Commissioning engineers
• Network monitoring engineers
• System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Security Conventions
• Password setting
Declaration
• This manual is only a reference for you to configure your devices. The contents in the manual, such as web pages, command line syntax, and command outputs, are based on the device conditions in the lab. The manual provides instructions for general scenarios, but does not cover all usage scenarios of all product models. The contents in the manual may be different from your actual device situations due to the differences in software versions, models, and configuration files. The manual will not list every possible difference. You should configure your devices according to actual situations.
• The specifications provided in this manual are tested in a lab environment (for example, the tested device has been installed with a certain type of boards or only one protocol is run on the device). Results may differ from the listed specifications when you attempt to obtain the maximum values with multiple functions enabled on the device.
• In this document, public IP addresses may be used in feature introduction and configuration examples and are for reference only unless otherwise specified.
• In this document, AR series access routers include AR100-S&AR110-S&AR120-S&AR150-S&AR160-S&AR200-S&AR1200-S&AR2200-S&AR3200-S Series.
Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Contents
3 VLAN Configuration
3.1 Overview of VLANs
3.2 Understanding VLANs
3.2.1 Intra-VLAN Communication
3.2.2 Inter-VLAN Communication
3.2.3 Basic Concepts of VLAN
3.2.3.1 VLAN Tags
3.2.3.2 Link and Interface Types
3.2.3.3 Default VLAN
3.2.3.4 Adding and Removing VLAN Tags
3.2.4 Intra-VLAN Layer 2 Isolation
3.2.5 Inter-VLAN Layer 3 Isolation
3.2.6 Management VLAN
3.3 Application Scenarios for VLANs
3.3.1 Using VLAN Assignment to Implement Layer 2 Isolation
3.3.2 Using VLANIF Interfaces to Implement Inter-VLAN Layer 3 Connectivity
3.3.3 Using a Traffic Policy to Implement Inter-VLAN Access Control
3.4 Summary of VLAN Configuration Tasks
3.5 Default Settings for VLANs
3.6 Licensing Requirements and Limitations for VLANs
3.7 Configuring VLAN
3.7.1 Configuring VLAN Assignment
3.7.2 Configuring Inter-VLAN Communication
3.7.3 Configuring a Traffic Policy to Implement Intra-VLAN Layer 2 Isolation
3.7.4 Configuring a Traffic Policy to Implement Inter-VLAN Layer 3 Isolation
3.7.5 Configuring an mVLAN
3.8 Configuration Examples for VLANs
3.8.1 Example for Configuring VLAN Assignment
3.8.2 Example for Configuring VLANIF Interfaces to Implement Inter-VLAN Communication
3.8.3 Example for Configuring VLANIF Interfaces to Implement Intra-VLAN Communication
3.8.4 Example for Configuring VLANIF Interfaces to Implement Communication of Hosts on Different Network Segments in the Same VLAN
3.8.5 Example for Configuring a Traffic Policy to Implement Inter-VLAN Layer 3 Isolation
3.8.6 Example for Configuring an mVLAN to Implement Remote Management
3.9 Troubleshooting VLANs
3.9.1 A VLANIF Interface Fails to Be Created
3.9.2 A VLANIF Interface Goes Down
3.9.3 Users in a VLAN Cannot Communicate
3.9.4 Directly Connected Devices Cannot Communicate
3.10 FAQ About VLANs
3.10.1 How to Create and Delete VLANs in a Batch
3.10.2 How to Add Interfaces to a VLAN in a Batch
3.10.3 How to Restore the Default VLAN Configuration of an Interface
3.10.4 How to Change the Link Type of an Interface
3.10.5 How to Verify That an Interface Is Added to a VLAN
3.10.6 How to Rapidly Query the Link Types, Default VLANs, and Allowed VLANs of All Interfaces
3.10.7 Can Multiple Network Segments Be Configured in a VLAN
8 QinQ Configuration
8.1 Overview of QinQ
8.2 Understanding QinQ
8.2.1 QinQ Fundamentals
8.2.2 Basic QinQ
8.2.3 Selective QinQ
8.2.4 TPID
8.3 Application Scenarios for QinQ
8.4 Summary of QinQ Configuration Tasks
8.5 Licensing Requirements and Limitations for QinQ
8.6 Configuring QinQ Tunneling
8.6.1 Configuring Basic QinQ
8.6.2 Configuring Selective QinQ
8.7 Configuring a VLAN Tag Termination Sub-interface to Connect to an L2VPN
8.7.1 Configuring a Dot1q VLAN Tag Termination Sub-interface
8.7.2 Configuring a QinQ VLAN Tag Termination Sub-interface
8.7.3 Configuring the L2VPN
8.7.4 Verifying the Configuration of the Access of a Sub-interface to an L2VPN Network
8.8 Configuring a VLAN Tag Termination Sub-interface to Connect to an L3VPN
8.8.1 Configuring a Dot1q VLAN Tag Termination Sub-interface
8.8.2 Configuring a QinQ VLAN Tag Termination Sub-interface
11.2.1 Background
11.2.2 Basic Concepts
11.2.3 BPDU Format
11.2.4 STP Topology Calculation
11.2.5 Improvements in RSTP
11.2.6 RSTP Technology Details
11.3 Application Scenarios for STP/RSTP
11.4 Summary of STP/RSTP Configuration Tasks
11.5 Default Settings for STP/RSTP
11.6 Licensing Requirements and Limitations for STP
11.7 Configuring Basic STP/RSTP Functions
11.7.1 Configuring the STP/RSTP Mode
11.7.2 (Optional) Configuring the Root Bridge and Secondary Root Bridge
11.7.3 (Optional) Setting a Priority for a Switching Device
11.7.4 (Optional) Setting a Path Cost for a Port
11.7.5 (Optional) Setting a Priority for a Port
11.7.6 Enabling STP/RSTP
11.7.7 Verifying the STP/RSTP Configuration
11.8 Setting STP Parameters that Affect STP Convergence
11.8.1 Setting the STP Network Diameter
11.8.2 Setting the STP Timeout Interval
11.8.3 Setting the STP Timers
11.8.4 Setting the Maximum Number of Connections in an Eth-Trunk that Affects Spanning Tree Calculation
11.8.5 Verifying the STP/RSTP Configuration
11.9 Setting RSTP Parameters that Affect RSTP Convergence
11.9.1 Setting the RSTP Network Diameter
11.9.2 Setting the RSTP Timeout Interval
11.9.3 Setting RSTP Timers
11.9.4 Setting the Maximum Number of Connections in an Eth-Trunk that Affects Spanning Tree Calculation
11.9.5 Setting the Link Type for a Port
11.9.6 Setting the Maximum Transmission Rate of an Interface
11.9.7 Switching to the RSTP Mode
11.9.8 Configuring Edge Ports and BPDU Filter Ports
11.9.9 Verifying the STP/RSTP Configuration
11.10 Configuring RSTP Protection Functions
11.10.1 Configuring BPDU Protection on a Switching Device
11.10.2 Configuring TC Protection on a Switching Device
11.10.3 Configuring Root Protection on a Port
11.10.4 Configuring Loop Protection on a Port
11.10.5 Verifying the STP/RSTP Configuration
11.11 Setting Parameters for Interoperation Between Huawei and Non-Huawei Devices
11.12 Maintaining STP/RSTP
12 MSTP Configuration
12.1 Overview of MSTP
12.2 Understanding MSTP
12.2.1 MSTP Background
12.2.2 Basic MSTP Concepts
12.2.3 MST BPDUs
12.2.4 MSTP Topology Calculation
12.2.5 MSTP Fast Convergence
12.3 Application Scenarios for MSTP
12.4 Summary of MSTP Configuration Tasks
12.5 Default Settings for MSTP
12.6 Licensing Requirements and Limitations for MSTP
12.7 Configuring Basic MSTP Functions
12.7.1 Configuring the MSTP Mode
12.7.2 Configuring and Activating an MST Region
12.7.3 (Optional) Configuring the Root Bridge and Secondary Root Bridge
12.7.4 (Optional) Configuring a Priority for a Switching Device in an MSTI
12.7.5 (Optional) Configuring a Path Cost of a Port in an MSTI
12.7.6 (Optional) Configuring a Port Priority in an MSTI
12.7.7 Enabling MSTP
12.7.8 Verifying the Basic MSTP Configuration
12.8 Configuring MSTP Parameters on an Interface
12.8.1 Setting the MSTP Network Diameter
12.8.2 Setting the MSTP Timeout Interval
12.8.3 Setting the Values of MSTP Timers
12.8.4 Setting the Maximum Number of Connections in an Eth-Trunk that Affects Spanning Tree Calculation
12.8.5 Setting the Link Type of a Port
12.8.6 Setting the Maximum Transmission Rate of an Interface
12.8.7 Switching to the MSTP Mode
12.8.8 Configuring a Port as an Edge Port and BPDU Filter Port
12.8.9 Setting the Maximum Number of Hops in an MST Region
12.8.10 Verifying the Configuration of the MSTP Parameters on an Interface
12.9 Configuring MSTP Protection Functions
13 SEP Configuration
13.1 Overview of SEP
13.2 Understanding SEP
13.2.1 Principles of SEP
13.2.2 Basic Concepts of SEP
13.2.3 SEP Implementation Mechanisms
13.3 Applications Scenarios for SEP
13.3.1 Open-Ring Networking
13.3.2 Closed-Ring Networking
13.3.3 Multi-Ring Networking
13.3.4 Hybrid SEP+MSTP Ring Networking
13.3.5 SEP Multi-Instance
13.4 Summary of SEP Configuration Tasks
13.5 Licensing Requirements and Limitations for SEP
13.6 Configuring Basic SEP Functions
13.6.1 Configuring a SEP Segment
13.6.2 Configuring a Control VLAN
13.6.3 Creating a Protected Instance
13.6.4 Adding a Layer 2 Interface to a SEP Segment and Configuring a Role for the Interface
13.6.5 Verifying the Basic SEP Configuration
13.7 Specifying an Interface to Block
13.7.1 Setting an Interface Blocking Mode
other institutions to identify vendors, and bits 24 to 47 are the unique ID assigned by vendors
to identify their network adapters.
MAC addresses fall into the following types:
• Physical MAC address: uniquely identifies a terminal on an Ethernet network and is the globally unique hardware address.
• Broadcast MAC address: indicates all terminals on a LAN. The broadcast address is all 1s (FF-FF-FF-FF-FF-FF).
• Multicast MAC address: indicates a group of terminals on a LAN. All MAC addresses whose 8th bit is 1 are multicast MAC addresses (for example, 01-00-00-00-00-00), excluding the broadcast MAC address.
Dynamic MAC address entry
  Characteristics:
  • Dynamic MAC address entries are obtained by learning source MAC addresses of packets on an interface, and can be aged.
  • Dynamic MAC address entries are lost after a system restart, LPU hot swap, or LPU reset.
  Function:
  • You can check whether data is forwarded between two connected devices by checking dynamic MAC address entries.
  • You can obtain the number of communicating users connected to an interface by checking the number of specified dynamic MAC address entries.

Static MAC address entry
  Characteristics:
  • Static MAC address entries are manually configured and delivered to each LPU. Static MAC address entries never age.
  • The static MAC address entries saved in the system are not lost after a system restart, LPU hot swap, or LPU reset.
  • After an interface is statically bound to a MAC address, other interfaces discard packets from this source MAC address.
  • Each static MAC address entry can have only one outbound interface.
  • Statically binding an interface to a MAC address does not affect the learning of dynamic MAC address entries on the interface.
  Function:
  When static MAC address entries are configured, authorized users can use network resources and other users are prevented from using the bound MAC addresses to initiate attacks.
0011-0022-0034 10 GE
0011-0022-0034 20 GE
0011-0022-0035 30 Eth-Trunk20
0011-0022-0035 huawei GE
Functions
A MAC address table is used for unicast forwarding of packets. In Figure 1-1, when packets
sent from PC1 to PC3 reach the router, the router searches its MAC address table for the
destination MAC address MAC3 and VLAN 10 in the packets to obtain outbound interface
Port3. The router then forwards packets to PC3 from Port3.
[Figure 1-1 (image not recovered): Router with Port1, Port2 and Port3; PC1; PC3; frame fields MAC3, MAC1, VLAN10, Type, Data]
[Figure 1-2 (image not recovered): PortA]
As shown in Figure 1-2, HostA sends a data frame to RouterA. When receiving the data
frame, RouterA obtains the source MAC address (HostA's MAC address) and VLAN ID of
the frame.
• If the MAC address entry does not exist in the MAC address table, SwitchA adds an entry with the new MAC address, PortA, and VLAN ID to the MAC address table.
• If the MAC address entry exists in the MAC address table, SwitchA resets the aging timer of the MAC address entry and updates the entry.
NOTE
l If PortA is a member interface of Eth-TrunkA, the outbound interface in the MAC address entry is
Eth-TrunkA.
l All interfaces of a router belong to VLAN 1 by default. If the default VLAN is not changed, the
VLAN ID of all MAC address entries is VLAN 1.
l The router does not learn the BPDU MAC address similar to 0180-c200-xxxx.
MAC address entry learning and update are triggered on a device only when the device
receives data frames.
[Figure 1-3: timeline of aging checks at intervals of T, with times t1, t2 and t3 marked.
t2: The hit flag of the entry with MAC address 00e0-fc00-0001 and VLAN ID 1 is set to 0, but the entry is not deleted.
t3: The entry with MAC address 00e0-fc00-0001 and VLAN ID 1 is deleted because its hit flag is 0.]
As shown in Figure 1-3, the aging time of MAC address entries is set to T. At t1, packets with
source MAC address 00e0-fc00-0001 and VLAN ID 1 arrive at an interface, which has joined
VLAN 1. If no entry with MAC address 00e0-fc00-0001 and VLAN 1 exists in the MAC
address table, the MAC address is learned as a dynamic MAC address entry in the MAC
address table, and the hit flag of the entry is set to 1.
The device checks all dynamic MAC address entries at an interval of T.
1. At t2, if the device finds that the hit flag of the matching dynamic MAC address entry
with MAC address 00e0-fc00-0001 and VLAN 1 is 1, the device sets the hit flag to 0 but
does not delete the MAC address entry.
2. If no packet with source MAC address 00e0-fc00-0001 and VLAN 1 enters the device
between t2 and t3, the hit flag of the matching MAC address entry is always 0.
3. At t3, the device finds that the hit flag of the matching MAC address entry is 0. The
device considers that the aging time of the MAC address entry has expired and deletes
the MAC address entry.
The minimum holdtime of a dynamic MAC address entry ranges from T to 2T on the device.
You can set the aging time of MAC address entries to control the life cycle of dynamic MAC
address entries in a MAC address table.
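The hit-flag aging scheme above can be modelled in a few lines to see why an entry outlives its last frame by between T and 2T. This is an added example, not Huawei code; the class and function names, T = 500 and the rule that a scan due at the same instant as a frame runs first are assumptions.

```python
"""Hit-flag aging of dynamic MAC address entries (model of the scheme above)."""
from dataclasses import dataclass


@dataclass
class Entry:
    port: str
    hit: int  # 1 = a frame from this MAC/VLAN arrived since the last scan


class MacTable:
    def __init__(self, aging_time):
        self.aging_time = aging_time  # T in seconds; 0 means entries never age
        self.entries = {}             # (mac, vlan) -> Entry
        self.next_scan = aging_time   # scans run at T, 2T, 3T, ...

    def _scan(self):
        # One pass over all dynamic entries: clear a set flag, delete a clear one.
        for key, entry in list(self.entries.items()):
            if entry.hit:
                entry.hit = 0
            else:
                del self.entries[key]

    def advance(self, now):
        """Run every scan that is due at or before `now`."""
        while self.aging_time and self.next_scan <= now:
            self._scan()
            self.next_scan += self.aging_time

    def learn(self, now, mac, vlan, port):
        """Source-MAC learning: create the entry or refresh its hit flag."""
        self.advance(now)
        entry = self.entries.get((mac, vlan))
        if entry is None:
            self.entries[(mac, vlan)] = Entry(port, 1)
        else:
            entry.hit, entry.port = 1, port


def holdtime(aging_time, last_frame_at):
    """Seconds an entry survives after its last frame; None if aging is off."""
    if aging_time == 0:
        return None
    table = MacTable(aging_time)
    key = ("00e0-fc00-0001", 1)
    table.learn(last_frame_at, *key, "PortA")
    now = last_frame_at
    while key in table.entries:
        now = table.next_scan   # jump to the next scan and run it
        table.advance(now)
    return now - last_frame_at


def present_at(aging_time, frame_times, check_at):
    """Is the entry still in the table at `check_at`, given frames at `frame_times`?"""
    table = MacTable(aging_time)
    for t in sorted(frame_times):
        table.learn(t, "00e0-fc00-0001", 1, "PortA")
    table.advance(check_at)
    return ("00e0-fc00-0001", 1) in table.entries


if __name__ == "__main__":
    T = 500  # constructed value
    for t in (1, 250, 499, 500):
        print(f"last frame at t={t:>3}s -> entry held for {holdtime(T, t)}s")
```

A frame that arrives just before a scan loses its hit flag almost immediately and is held for little more than T; one that arrives just after a scan is held for almost 2T.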
The device provides the following MAC address learning control methods to address the
preceding issue:
Disabling MAC address learning on a VLAN or an interface
After MAC address learning is disabled on a VLAN or an interface, the device does not learn new dynamic MAC address entries on the VLAN or interface. The dynamic MAC address entries learned before are aged out when the aging time expires. They can also be manually deleted using commands.
Limiting the number of learned MAC address entries on a VLAN or an interface
The device can only learn a specified number of MAC address entries on a VLAN or an interface. When the number of learned MAC address entries reaches the limit, the device reports an alarm to notify the network administrator. After that, the device cannot learn new MAC address entries on the VLAN or interface and discards the packets with source MAC addresses out of the MAC address table.
l In most cases, attack packets sent by a hacker enter the device through the same interface. Therefore, you can use either of the two methods to prevent attack packets from using up MAC address entry resources on the device.
l The method of limiting the number of learned MAC address entries on a VLAN or an interface can also be used to limit the number of access users.
MAC address flapping does not occur frequently on a network unless a network loop occurs.
If MAC address flapping frequently occurs on your network, you can quickly locate the fault
and eliminate the loops according to alarms and MAC address flapping records.
[Figure 1-5: Network, RouterA (Port1), MAC:11-22-33, SwitchB, SwitchC, Broadcast storm, Incorrect connection, Data flow]
As shown in Figure 1-5, Switch B should not be connected to Switch C. When the two
switches are connected, Router A, Switch B, and Switch C form a loop. When Port1 of Router A
receives a broadcast packet, Router A forwards the packet to Switch B. The packet is then
sent to Port2 of Router A. Router A detects that the source MAC address of the packet flaps
from Port1 to Port2. If the MAC address flaps between the two ports frequently, Router A
considers that MAC address flapping occurs.
NOTE
l MAC address flapping detection allows a device to detect changes in traffic based on learned MAC
addresses, but the device cannot obtain the entire network topology. It is recommended that this function
be used on an interface when the interface connects to a user network where loops may occur.
You can enable MAC address flapping detection on the Router to detect MAC address
flapping and discover loops.
[Figure: Network, Router, LSW1 and LSW2, with an incorrect connection marked]
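The flapping condition described above (one source MAC address moving between interfaces in the same VLAN, frequently) can be checked over a stream of learning events. This is an added example, not the device's implementation; the event tuples are constructed, and the 10-second window and three-move threshold are assumptions, since the text only says "frequently".

```python
"""Flag MAC address flapping in a stream of source-MAC learning events."""
from collections import defaultdict, deque

# Constructed events: (time in ms, VLAN ID, source MAC, ingress port).
EVENTS = [
    (0,      10, "0011-0022-0033", "Port1"),
    (100,    10, "0011-0022-0033", "Port2"),  # same frame returns through the loop
    (200,    10, "0011-0022-0033", "Port1"),
    (300,    10, "0011-0022-0033", "Port2"),
    (400,    10, "0011-0022-0033", "Port1"),
    (1000,   10, "0002-0002-0002", "Port3"),
    (60000,  10, "0002-0002-0002", "Port4"),  # host re-cabled once
    (2000,   20, "0011-0022-0033", "Port5"),  # same MAC, other VLAN: separate entry
    (300000, 10, "0003-0003-0003", "Port3"),
    (400000, 10, "0003-0003-0003", "Port4"),
    (500000, 10, "0003-0003-0003", "Port3"),  # moves too far apart to count
]


def detect_flapping(events, window_ms=10_000, min_moves=3):
    """Return {(vlan, mac): finding} for addresses that move between ports
    at least `min_moves` times within `window_ms`."""
    last_port = {}                  # (vlan, mac) -> port of the current entry
    recent = defaultdict(deque)     # (vlan, mac) -> recent (time, old, new) moves
    findings = {}
    for t, vlan, mac, port in sorted(events):
        key = (vlan, mac)
        prev = last_port.get(key)
        last_port[key] = port       # the later learning overrides the earlier one
        if prev is None or prev == port:
            continue                # first sighting or a refresh, not a move
        moves = recent[key]
        moves.append((t, prev, port))
        while t - moves[0][0] > window_ms:
            moves.popleft()         # forget moves that fell out of the window
        if len(moves) >= min_moves:
            hit = findings.setdefault(
                key, {"detected_at": t, "ports": set(), "moves": 0})
            hit["ports"].update(p for _, old, new in moves for p in (old, new))
            hit["moves"] = max(hit["moves"], len(moves))
    return findings


if __name__ == "__main__":
    for (vlan, mac), hit in detect_flapping(EVENTS).items():
        ports = ", ".join(sorted(hit["ports"]))
        print(f"VLAN {vlan} MAC {mac} flaps between {ports} "
              f"({hit['moves']} moves, first flagged at {hit['detected_at']} ms)")
```

The ports named in a finding are the place to start looking for the loop; a single move, such as a host being re-cabled, stays below the threshold.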
MAC addresses and interfaces need to be bound statically.
Configure static MAC address entries to bind MAC addresses and interfaces, improving security of authorized users.
1.7.1 Configuring a Static MAC Address Entry

Aging of dynamic MAC address entries needs to be flexibly controlled.
Set the aging time according to your needs. Set the aging time to a large value or 0 (not to age dynamic MAC address entries) on a stable network; set a short aging time in other situations.
1.7.3 Setting the Aging Time of Dynamic MAC Address Entries

MAC address flapping needs to be detected.
MAC address flapping occurs when a MAC address is learned by two interfaces in the same VLAN and the MAC address entry learned later overrides the earlier one. MAC address flapping detection enables a switch to check whether any MAC address flaps between interfaces and determine whether a loop occurs. When MAC address flapping occurs, the switch sends an alarm to the NMS. The network maintenance personnel can locate the loop based on the alarm information and historical records for MAC address flapping. This greatly improves network maintainability. If the network connected to the switch does not support loop prevention protocols, configure the switch to shut down the interfaces where MAC address flapping occurs to reduce the impact of MAC address flapping on the network.
1.8 Configuring MAC Address Flapping Detection

The switch needs to discard packets with an all-0 source or destination MAC address.
A faulty host or device may send packets with an all-0 source or destination MAC address to a router. Configure the switch to discard such packets and send an alarm to the NMS so that the network administrator can locate the faulty host or device based on the alarm information.
1.9 Configuring the Router to Discard Packets with an All-0 MAC Address
Licensing Requirements
MAC is a basic feature of a router and is not under license control.
Feature Limitations
When deploying a MAC address on the router, pay attention to the following:
l Dynamic MAC address entries can be learned on an interface only after the interface is
added to an existing VLAN.
l Each static MAC address entry can have only one outbound interface.
l When the aging time of dynamic MAC address entries is set to 0, dynamic MAC address
entries do not age. To age MAC address entries, delete the aging time configuration.
Context
MAC addresses and interfaces are bound statically in static MAC address entries.
A device cannot distinguish packets from authorized and unauthorized users when it learns
source MAC addresses of packets to maintain the MAC address table. This causes network
risks. If an unauthorized user uses the MAC address of an authorized user as the source MAC
address of attack packets and connects to another interface of the device, the device learns an
incorrect MAC address entry. As a result, packets destined for the authorized user are
forwarded to the unauthorized user. To improve security, you can create static MAC address
entries to bind MAC addresses of authorized users to specified interfaces. This prevents
unauthorized users from intercepting data of authorized users.
l A static MAC address entry will not be aged out. After being saved, a static MAC
address entry will not be lost after a system restart, and can only be deleted manually.
l The VLAN bound to a static MAC address entry must have been created and assigned to
the interface bound to the entry.
l The MAC address in a static MAC address entry must be a unicast MAC address, and
cannot be a multicast or broadcast MAC address.
l A static MAC address entry takes precedence over a dynamic MAC address entry. The
system discards packets with flapping static MAC addresses.
Procedure
Step 1 Run system-view
----End
Context
To protect a device or network against MAC address attacks from hackers, configure MAC
addresses of untrusted users as blackhole MAC addresses. The device then directly discards
the received packets of which the source or destination MAC addresses match the blackhole
MAC address entries.
Procedure
Step 1 Run system-view
NOTE
The AR111-S, AR121-S and AR151-S2 forward packets with the source MAC address as the blackhole
MAC address.
On the WAN-side interface of the AR2204-27GE-S, when the source MAC addresses of packets are
blackhole MAC addresses, the device forwards the packets and does not discard them.
The 4GE-2S, 4ES2G-S, 4ES2GP-S, and 9ES2 cards forward packets with the source MAC address as
the blackhole MAC address.
----End
Context
To prevent explosive increase of MAC address entries, set the aging time for dynamic MAC
address entries.
Because the network topology changes frequently, the router will learn more and more MAC
addresses. Therefore, the aging time needs to be set properly for dynamic MAC address
entries so that the router can delete unneeded MAC address entries to prevent a sharp increase
of MAC address entries. A shorter aging time makes the router more sensitive to network
changes and is applicable to networks where network topology changes frequently. A longer
aging time makes the router less sensitive to network changes and is only applicable to
stable networks.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run mac-address aging-time aging-time
The aging time is set for dynamic MAC address entries.
----End
Procedure
l Disable MAC address learning on an interface.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. (Optional) Run portswitch
The virtual Ethernet (VE) interface is switched from Layer 3 mode to Layer 2
mode.
By default, a VE interface works in Layer 3 mode.
You need to perform this operation after accessing the VE interface view.
d. Run mac-address learning disable [ action { discard | forward } ]
MAC address learning is disabled on the interface.
By default, MAC address learning is enabled on an interface.
By default, the router takes the forward action after MAC address learning is
disabled. That is, the router forwards packets according to the MAC address table.
When the action is set to discard, the router looks up the source MAC address of
the packet in the MAC address table. If the source MAC address is found in the
MAC address table, the router forwards the packet according to the matching MAC
address entry. If the source MAC address is not found, the router discards the
packet.
l Disable MAC address learning in a VLAN.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
The VLAN view is displayed.
c. Run mac-address learning disable
MAC address learning is disabled in the VLAN.
By default, MAC address learning is enabled in a VLAN.
NOTE
Only the AR2200-S&AR3200-S series support disabling MAC address learning in a VLAN.
The 4GE-2S, 4ES2G-S, 4ES2GP-S, and 9ES2 cards do not support disabling MAC address learning in a
VLAN.
Context
The MAC address limiting function controls the number of access users to prevent MAC
address attacks from hackers.
An insecure network is vulnerable to MAC address attacks. When hackers send a large
number of forged packets with different source MAC addresses to the router, the MAC
address table of the router will be filled with useless MAC address entries. As a result, the
router cannot learn source MAC addresses of valid packets.
You can limit the number of MAC address entries learned on the router. When the number of
learned MAC address entries reaches the limit, the router does not learn new MAC address
entries. You can also configure an action to take when the number of MAC address entries
reaches the limit. This prevents MAC address attacks and improves network security.
NOTE
Only AR2200-S&AR3200-S series support limiting the number of MAC addresses learned in a VLAN.
The AR100-S&AR110-S&AR120-S&AR160-S&AR160-S series, AR151-S2 do not support limiting the
number of MAC addresses learned.
The 4GE-2S, 4ES2G-S, 4ES2GP-S, and 9ES2 cards do not support limiting the number of MAC
addresses learned.
Procedure
l Limit the number of MAC address entries learned on an interface.
a. Run system-view
The maximum number of MAC address entries that can be learned on the interface
is set.
The action to take when the number of learned MAC address entries reaches the
limit is configured.
By default, the router discards packets with new MAC addresses when the number
of learned MAC address entries reaches the limit.
e. Run mac-limit alarm { disable | enable }
The router is configured to or not to generate an alarm when the number of learned
MAC address entries reaches the limit.
By default, the router generates an alarm when the number of learned MAC address
entries reaches the limit.
l Limit the number of MAC address entries learned in a VLAN.
a. Run system-view
The maximum number of MAC address entries learned in the VLAN is set.
By default, the number of MAC address entries learned in a VLAN is not limited.
d. Run mac-limit alarm { disable | enable }
The router is configured to or not to generate an alarm when the number of learned
MAC address entries reaches the limit.
By default, the router generates an alarm when the number of learned MAC address
entries reaches the limit.
----End
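The effect of the learning limit described in this section can be seen by feeding the same frames to a table with and without a limit. This is an added example, not Huawei code: the frames, the table capacity of 64 and the function names are constructed, aging is left out, and the per-interface limits 4 and 100 are the ones used in the configuration example later on this page.

```python
"""Effect of mac-limit on a MAC table when many unknown source MACs arrive."""

LEGIT = ["0002-0002-0002", "0003-0003-0003", "0006-0006-0006"]
SERVER = "0004-0004-0004"


def constructed_frames(burst=200):
    """(ingress port, source MAC) pairs; every value here is constructed."""
    frames = [("Eth2/0/1", mac) for mac in LEGIT]
    frames += [("Eth2/0/1", f"02aa-0000-{i:04x}") for i in range(burst)]
    frames += [("Eth2/0/2", SERVER)]     # a valid host that appears late
    frames += [("Eth2/0/1", LEGIT[0])]   # an already learned host keeps sending
    return frames


def run(frames, capacity, limits=None, action="discard"):
    """Model source-MAC learning for one device.

    capacity: total entries the table can hold (assumed value)
    limits:   {port: maximum learned entries}, None or {} for no limit
    action:   "discard" or "forward" for frames from unlearned sources
              once the limit on their port has been reached
    """
    limits = limits or {}
    table, learned, alarms = {}, {}, []
    forwarded = discarded = 0
    for port, mac in frames:
        if mac in table:                  # known source: forward as usual
            forwarded += 1
            continue
        limit = limits.get(port)
        if limit is not None and learned.get(port, 0) >= limit:
            if action == "discard":       # limit reached: source is not learned
                discarded += 1
            else:
                forwarded += 1
            continue
        if len(table) < capacity:         # room left: learn the new source
            table[mac] = port
            learned[port] = learned.get(port, 0) + 1
            if learned[port] == limit:    # count has just reached the limit
                alarms.append(port)
        forwarded += 1                    # forwarded even if the table was full
    return {"table": table, "alarms": alarms,
            "forwarded": forwarded, "discarded": discarded}


if __name__ == "__main__":
    frames = constructed_frames()
    limits = {"Eth2/0/1": 4, "Eth2/0/2": 100}
    for label, kwargs in [("no limit", {}),
                          ("limit, discard", {"limits": limits}),
                          ("limit, forward", {"limits": limits, "action": "forward"})]:
        r = run(frames, capacity=64, **kwargs)
        print(f"{label:15} entries={len(r['table']):3} "
              f"server learned={SERVER in r['table']} "
              f"discarded={r['discarded']} alarms={r['alarms']}")
```

Without a limit the table fills and the late valid host cannot be learned; with the limit the table stays small, the alarm names the interface, and the valid host on the other interface is still learned.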
Context
After MAC address flapping detection is configured in a VLAN, the device checks all MAC
addresses in the VLAN to detect MAC address flapping. When MAC address flapping occurs
on an interface, the device blocks the interface or MAC address, or reports an alarm according
to the configuration.
NOTE
The 4GE-2S, 4ES2G-S, 4ES2GP-S, and 9ES2 cards do not support MAC address flapping detection.
Only the AR151-S, AR151G-U-S, AR151W-P-S, AR201-S, AR207-S, AR1220-S, AR1220W-L, and
AR1220L-S support MAC address flapping detection.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan vlan-id
A VLAN is created and the VLAN view is displayed.
Step 3 Run loop-detect eth-loop { [ block-mac ] block-time block-time retry-times retry-times |
alarm-only }
MAC address flapping detection is configured in the VLAN.
When detecting MAC address flapping in a VLAN, the device can take either of the following
actions:
l Block the interface or MAC address. When block-mac is specified in the command, the
router does not block the interface but blocks the traffic from the flapping MAC address.
l Send an alarm to the NMS.
----End
Follow-up Procedure
After MAC address flapping detection is configured in a VLAN, the device checks all MAC
addresses in the VLAN to detect MAC address flapping. If MAC address flapping occurs on
an interface, the system blocks the interface if it is configured to do so. After a specified
period of time, the system unblocks the interface. If no MAC address flapping is detected
within 20 seconds, the system unblocks the interface and starts a new round of detection. If
MAC address flapping is detected again within 20 seconds, the system blocks the interface.
This process repeats for a specified number of times. If MAC address flapping persists, the
interface is permanently blocked.
After an interface or a MAC address is permanently blocked because of MAC address
flapping, you must run the reset loop-detect eth-loop command in the corresponding VLAN
if you want to restore the interface or MAC address.
1. Run the system-view command to enter the system view.
2. Run the reset loop-detect eth-loop vlan vlan-id { all | interface interface-type interface-number | mac-address mac-address } command to unblock the specified interface or MAC address.
Before using the reset loop-detect eth-loop command, run the display loop-detect eth-loop
command to check the blocked interface or MAC address.
Context
A faulty network device may send packets with an all-0 source or destination MAC address to
the router. You can configure the router to discard such packets and send an alarm to the
network management system (NMS). You can locate the faulty device according to the alarm.
You can configure the router to discard packets with an all-0 source or destination MAC
address.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run drop illegal-mac enable
The router is configured to discard packets with an all-0 MAC address.
By default, the router does not discard packets with an all-0 MAC address.
NOTE
The router sends only one alarm after receiving packets with an all-0 MAC address. To enable the router
to send an alarm again after receiving packets with an all-0 MAC address, run the drop illegal-mac
alarm command.
----End
Action: Display MAC address entries learned in a VLAN.
Command: display mac-address dynamic vlan vlan-id

Action: Display statistics on MAC address entries.
Command:
l Display the total statistics: display mac-address total-number
l Display the statistics of various types of MAC address entries: display mac-address summary
Networking Requirements
As shown in Figure 1-7, the MAC address of PC1 is 0002-0002-0002, and the MAC address
of PC2 is 0003-0003-0003. The LSW connects the PCs to the Router. The LSW is connected
to Ethernet2/0/1 of the Router, which belongs to VLAN 2. The MAC address of the server is
0004-0004-0004. The server is connected to Ethernet2/0/2 of the Router, which belongs to
VLAN 2. The network requires the following configurations:
l To prevent hackers from using MAC addresses to attack the network, configure a static
MAC address entry for each user host on the Router.
l To prevent unauthorized users from using the server's MAC address to intercept data,
configure a static MAC address entry for the server on the Router.
l Set the aging time for the dynamic MAC address entries to 500 seconds.
[Figure 1-7: Eth2/0/1, LSW, VLAN2, PC1 (MAC: 0002-0002-0002), PC2 (MAC: 0003-0003-0003)]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on the Router and add the interfaces to the VLANs.
2. Configure static MAC address entries.
3. Set the aging time for the dynamic MAC address entries.
Procedure
Step 1 Add static MAC address entries.
Step 2 Set the aging time for the dynamic MAC address entries.
[Router] mac-address aging-time 500
# Run the display mac-address command in any view to check whether the static MAC
address entries are successfully added to the MAC address table.
[Router] display mac-address static vlan 2
-------------------------------------------------------------------------------
MAC Address VLAN/Bridge/VSI/BD Learned-From Type
-------------------------------------------------------------------------------
0002-0002-0002 2/- Eth2/0/1 static
0003-0003-0003 2/- Eth2/0/1 static
0004-0004-0004 2/- Eth2/0/2 static
-------------------------------------------------------------------------------
Total items displayed = 3
# Run the display mac-address aging-time command to check whether the aging time for
dynamic entries is set successfully.
[Router] display mac-address aging-time
Aging time: 500 seconds
----End
Configuration Files
Router configuration file
#
sysname Router
#
vlan batch 2
#
mac-address aging-time 500
#
interface Ethernet2/0/1
port hybrid tagged vlan 2
#
interface Ethernet2/0/2
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
mac-address static 0002-0002-0002 Ethernet2/0/1 vlan 2
mac-address static 0003-0003-0003 Ethernet2/0/1 vlan 2
mac-address static 0004-0004-0004 Ethernet2/0/2 vlan 2
#
return
Networking Requirements
As shown in Figure 1-8, the Router receives packets from an unauthorized PC that has the
MAC address of 0005-0005-0005 and belongs to VLAN 3. This MAC address entry can be
configured as a blackhole MAC address entry so that the Router filters out packets from the
unauthorized PC.
[Figure 1-8: networking diagram showing the Router]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN to implement Layer 2 forwarding.
2. Configure a blackhole MAC address entry to filter out packets from the unauthorized
PC.
Procedure
Step 1 Configure a blackhole MAC address entry.
# Create VLAN 3.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 3
[Router-vlan3] quit
# Run the display mac-address blackhole command in any view to check whether the
blackhole MAC address entry is successfully added to the MAC address table.
[Router] display mac-address blackhole
-------------------------------------------------------------------------------
MAC Address VLAN/Bridge Learned-From Type
-------------------------------------------------------------------------------
0005-0005-0005 3/- - blackhole
-------------------------------------------------------------------------------
Total items displayed = 1
----End
Configuration Files
Router configuration file
#
sysname Router
#
vlan batch 3
#
mac-address blackhole 0005-0005-0005 vlan 3
#
return
Networking Requirements
As shown in Figure 1-9, Ethernet2/0/1 and Ethernet2/0/2 of the Router are connected to
LSWs. One LSW is connected to individual users, and the other is connected to enterprise
users. To prevent MAC address attacks and limit the number of access users on the Router,
configure MAC address limiting rules on Ethernet2/0/1 and Ethernet2/0/2.
[Figure 1-9: IP network, Router, Eth2/0/1, Eth2/0/2, two LSWs, Individual user, Enterprise user]
Configuration Roadmap
The configuration roadmap is as follows:
1. Set the limit on the number of MAC addresses learned by the interfaces.
2. Set the action performed when the limit is reached.
Procedure
Step 1 Configure MAC address limiting rules on the interfaces.
<Huawei> system-view
[Huawei] interface ethernet 2/0/1
[Huawei-Ethernet2/0/1] mac-limit maximum 4 action discard alarm enable
[Huawei-Ethernet2/0/1] quit
[Huawei] interface ethernet 2/0/2
[Huawei-Ethernet2/0/2] mac-limit maximum 100 action discard alarm enable
[Huawei-Ethernet2/0/2] quit
----End
Configuration Files
Configuration file of the Router
#
interface Ethernet2/0/1
mac-limit maximum 4
#
interface Ethernet2/0/2
mac-limit maximum 100
#
return
Networking Requirements
As shown in Figure 1-10, Ethernet2/0/1 and Ethernet2/0/2 of the Router are connected to
LSWs. The LSWs are connected to users, including a few IP phone users and many computer
users. IP phone users are in VLAN 100, and computer users are in VLAN 200. To prevent
MAC address attacks and save MAC address table space, configure a rule to limit the number
of MAC addresses learned in VLAN 200.
[Figure 1-10: IP network, Router, Eth2/0/1, Eth2/0/2, two LSWs, VLAN100, VLAN200]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on the Router and add the interfaces to the VLANs.
2. Set the limit on the number of MAC addresses learned in the VLAN 200.
Procedure
Step 1 Configure a MAC address limiting rule in the VLAN 200.
# Add Ethernet2/0/1 to VLAN 100 and VLAN 200; add Ethernet2/0/2 to VLAN 200.
<Huawei> system-view
[Huawei] vlan batch 100 200
[Huawei] interface ethernet 2/0/1
[Huawei-Ethernet2/0/1] port link-type trunk
[Huawei-Ethernet2/0/1] port trunk allow-pass vlan 100 200
[Huawei-Ethernet2/0/1] quit
# Run the display mac-limit command in any view to check whether the MAC address
limiting rule is successfully configured.
<Huawei> display mac-limit
-----------------------------------------------------------------------
PORT VLAN Maximum Action Alarm
-----------------------------------------------------------------------
- 200 500 forward enable
-----------------------------------------------------------------------
----End
Configuration Files
Router configuration file
#
vlan batch 100 200
#
vlan 200
mac-limit maximum 500
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
return
Fault Description
MAC address entries cannot be learned on the device, so Layer 2 forwarding fails.
Procedure
Step 1 Check that the configurations on the interface are correct.
Run the display mac-address command in any view to check whether the binding
relationships between the MAC address, VLAN, and interface are correct.
<Huawei> display mac-address
-------------------------------------------------------------------------------
MAC Address VLAN/Bridge Learned-From Type
-------------------------------------------------------------------------------
0025-9e80-2494 1/- Eth2/0/0 dynamic
-------------------------------------------------------------------------------
Total items displayed = 1
If not, re-configure the binding relationships between the MAC address, VLAN, and
interface.
If yes, go to step 2.
Step 2 Check whether a loop on the network causes MAC address flapping.
Generally, MAC address flapping is caused by loops. You can run the loop-detect eth-loop
command in the VLAN view to enable the MAC flapping detection function. The router
checks whether a MAC address moves from one interface to another in the VLAN.
Use either of the following methods to prevent MAC address flapping:
l Remove the loop from the network.
If no loop exists, go to step 3.
Step 3 Check whether the interface is blocked by a loop prevention protocol.
Run the display stp brief command in any view to check whether the interface participates in
STP calculation and check the interface status.
Run the display sep topology command in any view to check whether the interface
participates in STP calculation and check the interface status.
If the interface status is incorrect, check the STP or SEP configuration.
If the interface status is correct, go to step 4.
Step 4 Check that MAC address learning is enabled.
Check whether MAC address learning is enabled in the interface view and the VLAN view.
[Huawei-Ethernet2/0/0] display this
#
interface Ethernet2/0/0
mac-address learning disable
port hybrid tagged vlan 10
undo negotiation auto
speed 100
#
return
[Huawei-vlan10] display this
#
vlan 10
mac-address learning disable
#
return
If the command output contains mac-address learning disable, MAC address learning is
disabled on the interface or VLAN.
l If MAC address learning is disabled, run the undo mac-address learning disable
command in the interface view or VLAN view to enable MAC address learning.
l If MAC address learning is enabled on the interface, go to step 4.
Step 5 Check whether any blackhole MAC address entry or MAC address limiting is configured.
If a blackhole MAC address entry or MAC address limiting is configured, the interface
discards packets.
l Blackhole MAC address entry
Run the display mac-address blackhole command to check whether any blackhole
MAC address entry is configured.
[Huawei] display mac-address blackhole
-------------------------------------------------------------------------------
MAC Address VLAN/Bridge Learned-From Type
-------------------------------------------------------------------------------
0001-0001-0001 3333/- - blackhole
-------------------------------------------------------------------------------
Total items displayed = 1
If a blackhole MAC address entry is displayed, run the undo mac-address blackhole
command to delete it.
l MAC address limiting on the interface or VLAN
– Run the display this command in the interface view or VLAN view. If the
command output contains mac-limit maximum, the number of learned MAC
addresses is limited. Run either of the following commands:
n Run the undo mac-limit command in the interface view or VLAN view to
cancel MAC address limiting.
n Run the mac-limit command in the interface view or VLAN view to increase
the maximum number of learned MAC address entries.
– Run the display this command in the interface view. If the command output
contains port-security max-mac-num or port-security enable, the number of
secure dynamic MAC addresses is limited on the interface. Run either of the
following commands:
NOTE
By default, the limit on the number of secure dynamic MAC addresses is 1 after port
security is enabled.
n Run the undo port-security enable command in the interface view to disable
port security.
n Run the port-security max-mac-num command in the interface view to
increase the maximum number of secure dynamic MAC address entries on the
interface.
If the fault persists, go to step 5.
Step 6 Check whether the number of learned MAC address entries has reached the maximum value
supported by the router.
Run the display mac-address summary command to check the number of MAC address
entries in the MAC address table.
l If the number of learned MAC address entries has reached the maximum value supported
by the router, no MAC address entry can be created. Run the display mac-address
command to view all MAC address entries.
– If the number of MAC address entries learned on an interface is much larger than
the number of devices on the network connected to the interface, a user on the
network may maliciously update the MAC address table. Check the device
connected to the interface:
n If the interface is connected to a device, run the display mac-address
command on the device to view its MAC address table. Locate the interface
connected to the malicious user host based on the displayed MAC address
entries. If the interface that you find is connected to another device, repeat this
step until you find the host of the malicious user.
n If the interface is connected to a computer, perform either of the following
operations after obtaining permission from the administrator:
○ Disconnect the computer. When the attack stops, connect the computer to
the network again.
○ Run the port-security enable command on the interface to enable port
security or run the mac-limit command to set the maximum number of
MAC addresses that the interface can learn to 1.
n If the interface is connected to a hub, perform either of the following
operations:
○ Configure port mirroring or other tools to observe packets received by the
interface. Analyze the packet types to locate the attacking computer.
Disconnect the computer after obtaining permission from the
administrator. When the attack stops, connect the computer to the hub
again.
○ Disconnect computers connected to the hub one by one after obtaining
permission from the administrator. If the fault is rectified after a computer
is disconnected, the computer is the attacker. After it stops the attack,
connect it to the hub again.
– If the number of MAC addresses on the interface is equal to or smaller than the
number of devices connected to the interface, the number of devices connected to
the router has exceeded the maximum supported by the router. Adjust network
deployment.
----End
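The comparison in Step 6, learned entries per interface against the number of devices actually attached, can be run over captured display mac-address output. This is an added example, not a Huawei tool; the sample output is constructed in the column layout shown on this page, and the expected-device inventory and the factor of 2 standing in for "much larger" are assumptions.

```python
"""Per-interface count of learned entries from `display mac-address` output."""
import re
from collections import Counter

ROW = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?P<vlan>\S+)\s+"
    r"(?P<port>\S+)\s+(?P<type>\S+)$",
    re.IGNORECASE,
)
TOTAL = re.compile(r"^Total items displayed = (\d+)$")


def build_sample():
    """Constructed output in the column layout shown on this page."""
    rows = [
        ("0025-9e80-2494", "1/-", "Eth2/0/0", "dynamic"),
        ("0025-9e80-2495", "1/-", "Eth2/0/0", "dynamic"),
        ("0004-0004-0004", "2/-", "Eth2/0/2", "static"),
        ("0001-0001-0001", "3333/-", "-", "blackhole"),
    ]
    rows += [(f"02aa-0000-{i:04x}", "1/-", "Eth2/0/1", "dynamic") for i in range(12)]
    rule = "-" * 79
    body = [f"{m:<15}{v:<12}{p:<16}{t}" for m, v, p, t in rows]
    head = "MAC Address    VLAN/Bridge Learned-From    Type"
    return "\n".join([rule, head, rule, *body, rule,
                      f"Total items displayed = {len(rows)}"])


def parse_mac_table(text):
    """Return one dict per entry row; reject a capture that lost rows."""
    entries, total = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        row = ROW.match(line)
        if row:
            entry = row.groupdict()
            entry["mac"] = entry["mac"].lower()
            entry["vlan"] = entry["vlan"].split("/")[0]   # "1/-" -> "1"
            entries.append(entry)
        elif TOTAL.match(line):
            total = int(TOTAL.match(line).group(1))
    if total is not None and total != len(entries):
        raise ValueError(f"parsed {len(entries)} rows but the device reported {total}")
    return entries


def suspicious_interfaces(entries, expected_devices, factor=2):
    """Interfaces whose dynamic entry count exceeds factor x expected devices.

    expected_devices is a hypothetical inventory {interface: device count};
    an interface missing from it is treated as expecting no devices.
    """
    learned = Counter(e["port"] for e in entries if e["type"] == "dynamic")
    return {
        port: (count, expected_devices.get(port, 0))
        for port, count in learned.items()
        if count > factor * expected_devices.get(port, 0)
    }


if __name__ == "__main__":
    inventory = {"Eth2/0/0": 2, "Eth2/0/1": 4, "Eth2/0/2": 1}
    table = parse_mac_table(build_sample())
    for port, (seen, expected) in suspicious_interfaces(table, inventory).items():
        print(f"{port}: {seen} dynamic entries, {expected} devices expected")
```

Static and blackhole rows are parsed but not counted, because only learned entries indicate what is sending traffic into an interface.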
l The device does not receive packets because the link is Down, the interface does not join
the VLAN, the interface participates in spanning tree calculation and is blocked, and so
on.
l Loops cause MAC address flapping.
l MAC address learning is disabled or corresponding Sticky MAC address entries already
exist.
l The number of learned MAC address entries has reached the maximum.
l The static or blackhole route is configured.
Link aggregation is a technology that bundles multiple Ethernet links into a logical link to
increase bandwidth, improve reliability, and load balance traffic.
2.1 Overview of Link Aggregation
This section describes definition and purpose of link aggregation.
2.2 Understanding Link Aggregation
This section describes principles of link aggregation.
2.3 Application Scenarios for Link Aggregation
This section describes application environments of Ethernet link aggregation.
2.4 Summary of Link Aggregation Configuration Tasks
The device supports the manual load balancing mode and Link Aggregation Control Protocol
(LACP) mode.
2.5 Licensing Requirements and Limitations for Link Aggregation
This section describes the notes about configuring an Eth-Trunk.
2.6 Default Settings for Link Aggregation
This section describes default parameter settings of link aggregation.
2.7 Configuring Link Aggregation in Manual Load Balancing Mode
Link aggregation implements load balancing, increases bandwidth, and improves transmission
reliability.
2.8 Configuring Link Aggregation in LACP Mode
Link aggregation implements load balancing, increases bandwidth, and improves transmission
reliability.
2.9 Creating an Eth-Trunk Sub-interface
Sub-interfaces can be configured on a Layer 3 Eth-Trunk. When Layer 3 devices connect to
Layer 2 devices in different VLANs through the Layer 3 Eth-Trunk, sub-interfaces must be
configured on the Eth-Trunk to identify packets from different VLANs and to enable users in
different VLANs to communicate with each other.
2.10 Maintaining Link Aggregation
This section describes how to maintain link aggregation, including monitoring the link
aggregation running status and clearing LACPDU statistics.
2.11 Configuration Examples for Link Aggregation
This section provides several configuration examples of link aggregation.
2.12 Troubleshooting Link Aggregation
This section describes common configuration errors.
2.13 FAQ About Link Aggregation
This section answers frequently asked questions about link aggregation.
Definition
Ethernet link aggregation, also called Eth-Trunk, bundles multiple physical links to form a
logical link to increase link bandwidth. The bundled links back up each other, increasing
reliability.
Purpose
As networks grow, users place increasingly high requirements on Ethernet backbone
bandwidth and reliability. Originally, to increase bandwidth, users replaced old
interface cards or devices with high-speed cards or devices supporting high-speed
interface cards. This solution, however, is costly and inflexible.
Link aggregation helps increase bandwidth by bundling a group of physical interfaces into a
single logical interface, without having to upgrade hardware. In addition, link aggregation
provides link backup mechanisms, greatly improving link reliability.
Link aggregation has the following advantages:
l Increased bandwidth
The bandwidth of the link aggregation interface is the sum of bandwidth of member
interfaces.
l Higher reliability
When an active link fails, traffic on this active link is switched to another active link,
improving reliability of the link aggregation interface.
l Load balancing
In a link aggregation group (LAG), traffic is load balanced among active links of
member interfaces.
2.2.1 Concepts
As shown in Figure 2-1, DeviceA and DeviceB are connected through three Ethernet physical
links. The three Ethernet physical links are bundled into an Eth-Trunk link, and the bandwidth
of the Eth-Trunk link is the sum of bandwidth of the three Ethernet physical links. The three
Ethernet physical links back up each other, improving reliability.
[Figure 2-1: Eth-Trunk between DeviceA and DeviceB]
The upper threshold for the number of active interfaces is inapplicable to the manual load
balancing mode.
l Lower threshold for the number of active interfaces
When the number of active interfaces falls below this threshold, an Eth-Trunk goes
Down. This guarantees the Eth-Trunk a minimum available bandwidth.
For example, if the Eth-Trunk is required to provide a minimum bandwidth of 2 Gbit/s
and each member link's bandwidth is 1 Gbit/s, the minimum number of Up member links
must be set to 2 or larger.
l Link aggregation mode
There are two link aggregation modes: manual and LACP. Table 2-1 compares the two
modes.
Data forwarding
– Manual mode: Generally, all links are active links. All active links participate in
data forwarding. If one active link fails, traffic is load balanced among the
remaining active links.
– LACP mode: Generally, some links are active links. All active links participate in
data forwarding. If an active link fails, the system selects a link among inactive
links as the active link. That is, the number of links participating in data
forwarding remains unchanged.
Fault detection
– Manual mode: This mode can only detect member link disconnections, but cannot
detect other faults such as link layer faults and incorrect link connections.
– LACP mode: This mode can detect member link disconnections and other faults such
as link layer faults and incorrect link connections.
NOTE
For more information, see 2.2.2 Link Aggregation in Manual Mode and 2.2.3 Link Aggregation in
LACP Mode.
In manual mode, you must manually create an Eth-Trunk and add member interfaces to the
Eth-Trunk. In this mode, LACP is not required. The manual mode applies to the scenario
where a high link bandwidth between two directly connected devices is required but the
remote device does not support the LACP protocol. This mode can increase bandwidth,
enhance reliability, and implement load balancing.
As shown in Figure 2-2, an Eth-Trunk is created between DeviceA and DeviceB. In manual
mode, three active links participate in data forwarding and load balance traffic. When one link
becomes faulty, the remaining two links load balance traffic.
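[Figure 2-2: Eth-Trunk between DeviceA and DeviceB in manual mode. With three active
links, the traffic shares are A% + B% + C% = 100%. After one link becomes faulty, the
two remaining links carry D% + E% = 100%.]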
Background
An Eth-Trunk in manual load balancing mode can increase the bandwidth. However, the
manual mode can only detect member link disconnections, but cannot detect other faults such
as link layer faults and incorrect link connections.
The Link Aggregation Control Protocol (LACP) can improve fault tolerance of the Eth-Trunk,
provide backup, and ensure high reliability of member links.
LACP uses a standard negotiation mechanism for a switching device so that the switching
device can create and start the aggregated link based on its configuration. After the aggregated
link is created, LACP maintains the link status. If an aggregated link's status changes, LACP
adjusts or removes the link.
For example, in Figure 2-3, four interfaces on DeviceA are bundled into an Eth-Trunk and the
Eth-Trunk is connected to the corresponding interfaces on DeviceB. Because an interface on
DeviceA is incorrectly connected to an interface on DeviceC, DeviceA may incorrectly send
data destined for DeviceB to DeviceC. However, the Eth-Trunk in manual load balancing
mode cannot detect this fault in a timely manner.
If LACP is enabled on DeviceA and DeviceB, the Eth-Trunk correctly selects active links to
forward data after negotiation. Data sent by DeviceA can reach DeviceB.
[Figure 2-3: Eth-Trunk between DeviceA and DeviceB, with one interface on DeviceA
incorrectly connected to DeviceC]
Concepts
l LACP system priority
LACP system priorities are set on devices at both ends of an Eth-Trunk. In LACP mode,
active member interfaces selected by both devices must be consistent; otherwise, an
LAG cannot be established. To keep active member interfaces consistent at both ends,
set a higher priority for one end so that the other end selects active member interfaces
based on the selection of the end with a higher priority. The smaller the LACP system
priority value, the higher the LACP system priority.
l LACP interface priority
Interface LACP priorities are set to prioritize interfaces of an Eth-Trunk. Interfaces with
higher priorities are selected as active interfaces. The smaller the LACP interface priority
value, the higher the LACP interface priority.
l M:N backup of member interfaces
In LACP mode, LACP is used to negotiate parameters to determine active links in an
LAG. This mode is also called the M:N mode, where M refers to the number of active
links and N refers to the number of backup links. This mode guarantees high reliability
and allows traffic to be load balanced among M active links.
As shown in Figure 2-4, M+N links with the same attributes (in the same LAG) are set
up between two devices. When data is transmitted over the aggregated link, traffic is
load balanced among M active links and no data is transmitted over N backup links.
Therefore, the actual bandwidth of the aggregated link is the sum of the M links'
bandwidth, and the maximum bandwidth of the aggregated link is the sum of the M+N
links' bandwidth.
If one of M links fails, LACP selects a link from N backup links to replace the faulty
link. The actual bandwidth of the aggregated link is still the sum of M links' bandwidth,
but the maximum bandwidth of the aggregated link is the sum of the (M+N-1) links'
bandwidth.
[Figure 2-4: Eth-Trunk 1 between DeviceA and DeviceB, showing active links and backup
links]
M:N backup is mainly applied in situations where the bandwidth of M links must be
assured and a fault tolerance mechanism is in place. If an active link fails, the system
selects the backup link with the highest priority as the active link.
If no available backup link is found and the number of active links is smaller than the
lower threshold for the number of active interfaces, the system shuts down the LAG.
l LACP preemption
When LACP preemption is enabled, interfaces with higher priorities in an LAG function
as active interfaces.
As shown in Figure 2-8, Port 1, Port 2, and Port 3 are member interfaces of an Eth-
Trunk; DeviceA acts as the Actor; the upper threshold for the number of active interfaces
is 2; LACP priorities of Port 1, Port 2, and Port 3 are 10, 20, and 30 respectively. When
LACP negotiation is complete, Port 1 and Port 2 are selected as active interfaces because
their LACP priorities are higher, and Port 3 is used as the backup interface.
b. Select the backup link with the highest priority among N backup links to replace the
faulty active link.
c. The highest priority backup link becomes the active link and begins forwarding
data.
Forwarding Principle
As shown in Figure 2-9, the Eth-Trunk is located between the MAC sub-layer and the
LLC sub-layer, that is, within the data link layer.
[Figure 2-9: Protocol stack. The data link layer contains the LLC sub-layer, the
Eth-Trunk, and the MAC sub-layer, above the physical layer (PHY).]
The Eth-Trunk module maintains a forwarding table that consists of the following entries:
l HASH-KEY value
The HASH-KEY value is calculated through the hash algorithm based on the MAC
address or IP address in a packet.
l Interface number
The number of Eth-Trunk forwarding entries depends on the number of member interfaces
in an Eth-Trunk. Different HASH-KEY values map to different outbound interfaces.
For example, an Eth-Trunk supports a maximum of eight member interfaces. If physical
interfaces 1, 2, 3, and 4 are bundled into an Eth-Trunk, the Eth-Trunk forwarding table
contains four entries, as shown in Figure 2-10. In the Eth-Trunk forwarding table, the
HASH-KEY values are 0, 1, 2, and 3, and the corresponding interface numbers are 1, 2,
3, and 4.
HASH-KEY 0 1 2 3
PORT 1 2 3 4
The Eth-Trunk module forwards a packet according to the Eth-Trunk forwarding table:
1. The Eth-Trunk module receives a packet from the MAC sub-layer, and then extracts its
source/destination MAC address or IP address.
2. The Eth-Trunk module calculates the HASH-KEY value using the hash algorithm.
3. Based on the HASH-KEY value, the Eth-Trunk module searches the Eth-Trunk
forwarding table for the interface number, and then sends the packet from the
corresponding interface.
You can use the following load balancing modes according to the actual networking:
When configuring a load balancing mode, pay attention to the following points:
l The load balancing mode is only valid for the outbound interface of traffic. If traffic of
the inbound interface is uneven, change the load balancing mode of the uplink outbound
interface.
l Data flows should be load balanced among all active links as much as possible. If data
flows are transmitted over one link, traffic congestion may occur and service running is
affected.
For example, when data packets have only one destination MAC address and IP address,
use load balancing based on the source MAC address and IP address of packets. If load
balancing based on the destination MAC address and IP address is used, traffic is
transmitted over one link, causing congestion.
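The forwarding steps and the single-destination caveat above, modelled as an added example (not Huawei's code). The hash is an XOR fold chosen for illustration because the page does not specify the device's algorithm, and all MAC and IP addresses are constructed.

```python
"""Model of the Eth-Trunk forwarding table and load balancing modes (added example)."""
from collections import Counter
from ipaddress import IPv4Address

# Packet fields hashed by each mode of the load-balance command listed on this page.
MODES = {
    "dst-ip": ("dst_ip",),
    "dst-mac": ("dst_mac",),
    "src-ip": ("src_ip",),
    "src-mac": ("src_mac",),
    "src-dst-ip": ("src_ip", "dst_ip"),
    "src-dst-mac": ("src_mac", "dst_mac"),
}


def field_bytes(name, value):
    """Convert an IPv4 string or a MAC string (xxxx-xxxx-xxxx) to raw bytes."""
    if name.endswith("_ip"):
        return IPv4Address(value).packed
    return bytes.fromhex(value.replace("-", "").replace(":", ""))


def hash_key(packet, mode, n_members):
    """Step 2: compute the HASH-KEY from the fields the mode selects.

    ASSUMPTION: XOR fold modulo the member count, a stand-in for the
    device's hash algorithm, which the page does not describe.
    """
    folded = 0
    for name in MODES[mode]:
        for byte in field_bytes(name, packet[name]):
            folded ^= byte
    return folded % n_members


def build_table(member_ports):
    """HASH-KEY -> interface number, one entry per member (Figure 2-10 layout)."""
    return dict(enumerate(member_ports))


def distribute(packets, mode, member_ports):
    """Step 3 for every packet: count the flows each member interface carries."""
    table = build_table(member_ports)
    load = Counter({port: 0 for port in member_ports})
    for pkt in packets:
        load[table[hash_key(pkt, mode, len(member_ports))]] += 1
    return dict(load)


def sample_flows():
    """Constructed traffic: eight clients all sending to one server."""
    return [
        {
            "src_mac": f"0200-0000-00{i:02x}",
            "src_ip": f"10.1.1.{i}",
            "dst_mac": "0200-0000-00ff",
            "dst_ip": "10.1.2.1",
        }
        for i in range(1, 9)
    ]


if __name__ == "__main__":
    flows = sample_flows()
    for mode in MODES:
        # Destination-only modes pin every flow to one member interface.
        print(f"{mode:12} {distribute(flows, mode, [1, 2, 3, 4])}")
    # Manual mode after interface 2 fails: the table shrinks to three entries.
    print("after fault ", distribute(flows, "src-dst-mac", [1, 3, 4]))
```

Running the same check against real traffic samples before changing the load-balance setting shows whether the chosen mode would concentrate flows on one member link.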
[Figure: UPE connects to PE-AGG through Eth-Trunk 1, carrying VoIP, DATA, and IPTV
services toward the core network]
You can determine the working mode for the Eth-Trunk according to the following situations:
l If devices at both ends of the Eth-Trunk support LACP, the LACP mode is
recommended.
l If the device at either end of the Eth-Trunk does not support LACP, you must use the
manual load balancing mode.
QoS can be implemented on an Eth-Trunk as a common interface. At both ends (UPE and PE-
AGG) of Eth-Trunk 1, traffic shaping, congestion management, and congestion avoidance can
be performed for outgoing traffic, ensuring that packets of high priorities are sent in a timely
manner.
Task: Configure link aggregation in LACP mode.
Description: In LACP mode, you must manually create an Eth-Trunk and add interfaces to
the Eth-Trunk. LACP determines active interfaces by negotiating parameters in
LACPDUs. LACP provides backup links and ensures high reliability of member links.
Reference: 2.8 Configuring Link Aggregation in LACP Mode
Licensing Requirements
Ethernet link aggregation is a basic feature of a router and is not under license control.
Feature Limitations
When deploying Link Aggregation on the router, pay attention to the following:
l AR100-S, AR110-S, AR120-S, AR150-S2, and AR160-S series do not support link
aggregation.
Before an Eth-Trunk Is Configured:
l Member interfaces cannot be configured with some services. For example, the link type
of a member interface cannot be modified, and static MAC address entries cannot be
configured.
NOTE
The 4GE-2S, 4ES2G-S, and 4ES2GP-S do not support link aggregation in manual load balancing mode.
Context
Eth-Trunks increase bandwidth and improve transmission reliability. You can configure Layer
2 and Layer 3 Eth-Trunks based on network applications.
Procedure
l Create a Layer 2 Eth-Trunk.
a. Run system-view
By default, an Eth-Trunk uses the system MAC address. When the MAC address of
the Eth-Trunk and the MAC address of another interface overlap and a MAC
address conflict occurs, run this command to configure a MAC address for the
Layer 3 Eth-Trunk.
f. (Optional) Run mtu mtu
----End
Context
Link aggregation can work in manual load balancing mode and LACP mode.
In manual load balancing mode, you must manually create an Eth-Trunk and add member
interfaces to the Eth-Trunk. All active links forward data and evenly load balance traffic. The
manual load balancing mode is used when the peer device does not support LACP.
When an Eth-Trunk changes from manual load balancing mode to LACP mode, the Eth-
Trunk can contain member interfaces. When an Eth-Trunk changes from LACP mode to
manual load balancing mode, ensure that the Eth-Trunk has no member interface.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run mode manual load-balance
A working mode of the Eth-Trunk is configured.
By default, an Eth-Trunk works in manual load balancing mode.
Before configuring an Eth-Trunk, ensure that both ends use the same working mode. If the
local end works in manual load balancing mode, the remote end must use the manual load
balancing mode.
----End
NOTE
The 4GE-2S, 4ES2G-S, 4ES2GP-S, and 9ES2 cards do not support the member interfaces of multiple
Eth-Trunks deployed on different cards.
Procedure
l Add member interfaces to an Eth-Trunk in the Eth-Trunk interface view.
a. Run system-view
NOTE
When you add member interfaces to an Eth-Trunk in a batch, if one interface cannot be
added to the Eth-Trunk, interfaces with smaller IDs are added to the Eth-Trunk successfully
but those with larger IDs will fail to be added.
l Add member interfaces to an Eth-Trunk in the member interface view.
a. Run system-view
----End
Follow-up Procedure
You can configure Eth-Trunk member interfaces to send trap messages after the Eth-Trunk
member interface status changes. After the device receives a trap message, check whether the
device fails or recovers.
If you need to know the status change of the member interface of a specified Eth-Trunk, run
the trunk-member trap in private-mib enable command to enable Eth-Trunk member
interfaces to use the proprietary MIB to send trap messages. The trap messages sent by using
the proprietary MIB carry Eth-Trunk IDs, whereas the trap messages sent by using the public
MIB do not carry Eth-Trunk IDs.
NOTE
After the trunk-member trap in private-mib enable command is configured, Eth-Trunk member
interfaces only use the proprietary MIB to send trap messages. To view these trap messages, use the
Huawei proprietary MIB.
Context
The lower threshold for the number of active interfaces affects the status and bandwidth of an
Eth-Trunk. To ensure that the Eth-Trunk functions properly and is less affected by member
link status changes, set the lower threshold for the number of active interfaces.
When the number of active interfaces falls below the lower threshold, the Eth-Trunk goes
Down. This ensures that the Eth-Trunk has a minimum available bandwidth.
The upper threshold for the number of active interfaces is inapplicable to the manual load
balancing mode.
Procedure
Step 1 Run system-view
The lower threshold for the number of active interfaces on the local router can be different
from that on the remote router.
----End
Context
Perform the following steps on the device to configure a load balancing mode for an Eth-
Trunk.
NOTE
Procedure
l Configure a Layer 2 Eth-Trunk.
a. Run system-view
Eth-Trunk member interfaces use flow-based load balancing. The local and remote
ends can use different load balancing modes, without affecting each other.
NOTE
All Layer 2 Eth-Trunks in the system must use the same load balancing mode. If the load
balancing mode of one Eth-Trunk is changed, all the other Eth-Trunks use the new load
balancing mode and do not support the dst-ip, src-ip and src-dst-ip parameters.
l Configure a Layer 3 Eth-Trunk.
a. Run system-view
Eth-Trunk member interfaces use flow-based load balancing. The local and remote
ends can use different load balancing modes, without affecting each other.
----End
Procedure
l Run the display eth-trunk [ trunk-id [ interface interface-type interface-number |
verbose ] ] command to check the Eth-Trunk configuration.
Context
Eth-Trunks increase bandwidth and improve transmission reliability. You can configure Layer
2 and Layer 3 Eth-Trunks based on network applications.
Procedure
l Create a Layer 2 Eth-Trunk.
a. Run system-view
The system view is displayed.
b. Run interface eth-trunk trunk-id
A Layer 2 Eth-Trunk is created.
By default, no Eth-Trunk is created.
l Create a Layer 3 Eth-Trunk.
a. Run system-view
The system view is displayed.
b. Run interface eth-trunk trunk-id
By default, no Eth-Trunk is created.
c. Run undo portswitch
The Eth-Trunk is configured to work in Layer 3 mode.
By default, the Eth-Trunk works in Layer 2 mode.
d. Run ip address ip-address { mask | mask-length } [ sub ]
An IP address is configured for the Layer 3 Eth-Trunk.
By default, no IP address is configured for the Layer 3 Eth-Trunk.
e. (Optional) Run mac-address mac-address
A MAC address is configured for the Layer 3 Eth-Trunk.
By default, an Eth-Trunk uses the system MAC address. When the MAC address of
the Eth-Trunk and the MAC address of another interface overlap and a MAC
address conflict occurs, run this command to configure a MAC address for the
Layer 3 Eth-Trunk.
f. (Optional) Run mtu mtu
----End
Context
Link aggregation can work in manual load balancing mode or LACP mode depending on
whether LACP is used.
In LACP mode, you must manually create an Eth-Trunk and add interfaces to the Eth-Trunk.
However, LACP determines active interfaces through negotiation.
When an Eth-Trunk changes from manual load balancing mode to LACP mode, the Eth-
Trunk can contain member interfaces. When an Eth-Trunk changes from LACP mode to
manual load balancing mode, ensure that the Eth-Trunk has no member interface.
Procedure
Step 1 Run system-view
Before configuring an Eth-Trunk, ensure that both ends use the same working mode. If the
local end works in LACP mode, the remote end must use the LACP mode.
----End
Context
You can add member interfaces to an Eth-Trunk in the Eth-Trunk interface view or member
interface view.
NOTE
The 4GE-2S, 4ES2G-S, 4ES2GP-S, and 9ES2 cards do not support the member interfaces of multiple
Eth-Trunks deployed on different cards.
Procedure
l Add member interfaces to an Eth-Trunk in the Eth-Trunk interface view.
a. Run system-view
NOTE
When you add member interfaces to an Eth-Trunk in a batch, if one interface cannot be
added to the Eth-Trunk, interfaces with smaller IDs are added to the Eth-Trunk successfully
but those with larger IDs will fail to be added.
l Add member interfaces to an Eth-Trunk in the member interface view.
a. Run system-view
----End
Follow-up Procedure
You can configure Eth-Trunk member interfaces to send trap messages after the Eth-Trunk
member interface status changes. After the device receives a trap message, check whether the
device fails or recovers.
If you need to know the status change of the member interface of a specified Eth-Trunk, run
the trunk-member trap in private-mib enable command to enable Eth-Trunk member
interfaces to use the proprietary MIB to send trap messages. The trap messages sent by using
the proprietary MIB carry Eth-Trunk IDs, whereas the trap messages sent by using the public
MIB do not carry Eth-Trunk IDs.
NOTE
After the trunk-member trap in private-mib enable command is configured, Eth-Trunk member
interfaces only use the proprietary MIB to send trap messages. To view these trap messages, use the
Huawei proprietary MIB.
2.8.4 (Optional) Setting the Upper and Lower Thresholds for the
Number of Active Interfaces
Context
The number of Up member links affects the status and bandwidth of an Eth-Trunk. To ensure
that the Eth-Trunk functions properly and is less affected by member link status changes, set
the following thresholds.
l Lower threshold for the number of active interfaces: When the number of active
interfaces falls below this threshold, the Eth-Trunk goes Down. This guarantees the Eth-
Trunk a minimum available bandwidth.
l Upper threshold for the number of active interfaces: It is used for improving network
reliability with assured bandwidth. When the number of active interfaces reaches this
threshold, you can add new member interfaces to the Eth-Trunk, but excess member
interfaces enter the Down state.
Procedure
Step 1 Run system-view
----End
Context
Perform the following steps on the device to configure a load balancing mode for an Eth-
Trunk.
NOTE
Procedure
l Configure a Layer 2 Eth-Trunk.
a. Run system-view
The system view is displayed.
b. Run load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac }
A load balancing mode is configured for the Eth-Trunk.
By default, the load balancing mode of a Layer 2 Eth-Trunk is src-dst-mac.
Eth-Trunk member interfaces use flow-based load balancing. The local and remote
ends can use different load balancing modes, without affecting each other.
NOTE
All Layer 2 Eth-Trunks in the system must use the same load balancing mode. If the load
balancing mode of one Eth-Trunk is changed, all the other Eth-Trunks use the new load
balancing mode and do not support the dst-ip, src-ip and src-dst-ip parameters.
l Configure a Layer 3 Eth-Trunk.
a. Run system-view
Eth-Trunk member interfaces use flow-based load balancing. The local and remote
ends can use different load balancing modes, without affecting each other.
----End
Context
LACP system priority differentiates priorities of devices at both ends. In LACP mode, active
interfaces selected by devices at both ends must be consistent; otherwise, the LAG cannot be
set up. To keep active interfaces consistent at both ends, you can set the priority of one device
to be higher than that of the other device so that the other device can select active interfaces
according to those selected by the device with a higher priority.
Procedure
Step 1 Run system-view
If the lacp priority command used to set the LACP interface priority is executed in the
system view, the Eth-Trunk in LACP mode may alternate between Up and Down. To prevent
this situation, run the lacp priority-command-mode command in the system view to set the
configuration mode of the LACP system priority to system-priority. This mode can be used
to differentiate the LACP system priority and LACP interface priority.
Step 3 Use either of the following methods to set the LACP system priority based on the
configuration mode.
l default mode
Run the lacp priority priority command to set the LACP system priority.
l system-priority mode
Run the lacp system-priority priority command to set the LACP system priority.
A smaller LACP priority value indicates a higher priority. By default, the LACP system
priority is 32768.
The end with a smaller priority value functions as the Actor. If the two ends have the same
priority, the end with a smaller MAC address functions as the Actor.
----End
Context
In LACP mode, LACP interface priorities are set to prioritize interfaces of the same device.
Interfaces with higher priorities are selected as active interfaces.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The member interface view is displayed.
Step 3 Run lacp priority priority
The LACP priority of the member interface is configured.
By default, the LACP interface priority is 32768. A smaller priority value indicates a higher
LACP priority.
By default, the system selects active interfaces based on interface priorities. However, low-
speed member interfaces with high priorities may be selected as active interfaces. To select
high-speed member interfaces as active interfaces, run the lacp selected { priority | speed }
command to configure the system to select active interfaces based on the interface rate.
----End
Context
The LACP preemption function ensures that the interface with the highest LACP priority
always functions as an active interface. For example, suppose the interface with the
highest priority becomes inactive due to a failure. If LACP preemption is enabled, the
interface becomes active again after it recovers; if LACP preemption is disabled, the
interface cannot become an active interface after it recovers.
The LACP preemption delay is the period during which an inactive interface switches to
active. The LACP preemption delay prevents unstable data transmission on an Eth-Trunk
link due to frequent status changes of some links.
Procedure
Step 1 Run system-view
The system view is displayed.
----End
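The selection rules described for LACP mode (Actor election, interface priorities, the upper and lower thresholds, M:N backup, and preemption), modelled as an added example that is not Huawei's code. It assumes that ports with equal priority are ordered by port number and that a recovered port fills a free active slot when preemption is disabled; the preemption delay is not modelled, and the MAC addresses are constructed.

```python
"""LACP active-interface selection as described on this page (added example)."""


def mac_to_int(mac):
    return int(mac.replace("-", "").replace(":", ""), 16)


def elect_actor(end_a, end_b):
    """Each end is (name, system_priority, mac).

    The smaller system priority value wins; on a tie the smaller MAC wins.
    """
    return min(end_a, end_b, key=lambda e: (e[1], mac_to_int(e[2])))[0]


class EthTrunk:
    def __init__(self, priorities, upper, lower=1, preempt=False):
        self.priorities = dict(priorities)  # port -> LACP interface priority
        self.upper = upper                  # upper threshold for active interfaces
        self.lower = lower                  # lower threshold for active interfaces
        self.preempt = preempt
        self.link_up = {port: True for port in self.priorities}
        self.active = []
        self._reselect()

    def _rank(self, ports):
        # A smaller priority value means a higher priority.
        # ASSUMPTION: equal priorities are ordered by port number.
        return sorted(ports, key=lambda p: (self.priorities[p], p))

    def _reselect(self):
        """Full selection: the best `upper` usable ports become active."""
        usable = [p for p in self.priorities if self.link_up[p]]
        self.active = self._rank(usable)[: self.upper]

    def _fill_free_slots(self):
        """Promote the highest-priority backups without displacing active ports."""
        free = max(self.upper - len(self.active), 0)
        self.active = self._rank(self.active + self.backup[:free])

    @property
    def backup(self):
        return self._rank(
            p for p in self.priorities if self.link_up[p] and p not in self.active
        )

    @property
    def state(self):
        # Below the lower threshold the Eth-Trunk goes Down.
        return "Up" if len(self.active) >= self.lower else "Down"

    def fail(self, port):
        self.link_up[port] = False
        if port in self.active:
            self.active.remove(port)
            self._fill_free_slots()

    def recover(self, port):
        self.link_up[port] = True
        if self.preempt:
            self._reselect()         # higher-priority port takes its slot back
        else:
            self._fill_free_slots()  # ASSUMPTION: only a free slot is filled


if __name__ == "__main__":
    # Scenario from the text: priorities 10, 20, 30 and an upper threshold of 2.
    for preempt in (True, False):
        trunk = EthTrunk({1: 10, 2: 20, 3: 30}, upper=2, preempt=preempt)
        print("negotiated", trunk.active, "backup", trunk.backup)
        trunk.fail(1)
        print("port 1 down", trunk.active, "backup", trunk.backup)
        trunk.recover(1)
        print(f"port 1 back, preempt={preempt}", trunk.active, "backup", trunk.backup)
```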
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run lacp timeout { fast [ user-defined user-defined ] | slow }
The timeout interval at which LACPDUs are received is set.
By default, the timeout interval at which an Eth-Trunk receives LACPDUs is 90 seconds.
l After you run the lacp timeout command, the local end notifies the remote end of the
timeout interval by sending LACPDUs. When fast is specified, the interval for sending
LACPDUs is 1 second. When slow is specified, the interval for sending LACPDUs is 30
seconds.
l The timeout interval for receiving LACPDUs is three times the interval for sending
LACPDUs. When fast is specified, the timeout interval for receiving LACPDUs is 3
seconds. When slow is specified, the timeout interval for receiving LACPDUs is 90
seconds.
l You can use different modes of the timeout interval at the two ends. However, to
facilitate maintenance, you are advised to use the same mode at both ends.
----End
Procedure
l Run the display eth-trunk [ trunk-id [ interface interface-type interface-number |
verbose ] ] command to check the Eth-Trunk configuration.
l Run the display trunkmembership eth-trunk trunk-id command to check information
about Eth-Trunk member interfaces.
l Run the display trunk resource command to check Eth-Trunk resources that have been
used on a device.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface eth-trunk trunk-id
An Eth-Trunk is created and the Eth-Trunk interface view is displayed.
Step 3 Run undo portswitch
A Layer 3 Eth-Trunk is configured.
Step 4 Run quit
The system view is displayed.
Step 5 Run interface eth-trunk trunk-id.subnumber
An Eth-Trunk sub-interface is created.
subnumber specifies the number of a sub-interface. The value ranges from 1 to 4096.
Step 6 Run ip address ip-address { mask | mask-length } [ sub ]
An IP address is configured for the sub-interface.
When configuring multiple IP addresses for an Eth-Trunk sub-interface, use the sub keyword
to indicate the IP addresses configured after the first one.
----End
Context
During routine maintenance, run the following commands in any view to check the LAG
operating status.
Procedure
l Run the display eth-trunk [ trunk-id [ interface interface-type interface-number |
verbose ] ] command to check the Eth-Trunk configuration.
l Run the display lacp statistics eth-trunk [ trunk-id [ interface interface-type interface-
number ] ] command to check the statistics about LACPDUs sent and received in LACP
mode.
l Run the display interface eth-trunk [ trunk-id ] command to check the Eth-Trunk
status.
l Run the display trunkmembership eth-trunk trunk-id command to check information
about member interfaces of an Eth-Trunk.
----End
Context
The cleared LACPDU statistics cannot be restored. Exercise caution when you run the reset
command.
Procedure
l Run the reset lacp statistics eth-trunk [ trunk-id [ interface interface-type interface-
number ] ] command in the user view to clear statistics about LACPDUs received and
sent.
l Run the reset lacp error packet statistics command in the user view to clear statistics
on error LACPDUs.
----End
NOTE
The ping test applies to scenarios where two devices are directly connected through an Eth-Trunk.
Pre-configuration Tasks
Before using ping to monitor the reachability of Layer 3 Eth-Trunk member interfaces,
complete the following task:
l Running the undo portswitch command to configure the Eth-Trunk to work in Layer 3
mode and configuring an IP address for the Layer 3 Eth-Trunk
Procedure
Step 1 Enable the receive end to monitor Layer 3 Eth-Trunk member interfaces.
1. Run system-view
The system view is displayed.
2. Run trunk member-port-inspect
The receive end is enabled to monitor Layer 3 Eth-Trunk member interfaces.
By default, the receive end is disabled from monitoring Layer 3 Eth-Trunk member
interfaces.
NOTE
The trunk member-port-inspect command takes effect for all Layer 3 Eth-Trunks on a device. To
test the connectivity of Eth-Trunks, disable this function after detection of Eth-Trunk member
interfaces is completed. If this function is not disabled, the device keeps monitoring Eth-Trunk
member interfaces, which consumes a lot of system resources.
Step 2 Enable the transmit end to monitor Layer 3 Eth-Trunk member interfaces.
1. Run ping [ ip ] [ -a source-ip-address | -c count | -d | -h ttl-value | -i interface-type
interface-number | -m time | -p pattern | -q | -r | -s packetsize | -system-time | -t timeout |
-v | -vpn-instance vpn-instance-name ] * host [ ip-forwarding ]
<Huawei> ping -a 192.168.1.1 -i gigabitethernet 1/0/1 10.1.1.2
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=254 time=2 ms
Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=254 time=2 ms
Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=254 time=2 ms
--- 10.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms
The transmit end is enabled to monitor the reachability of Layer 3 Eth-Trunk member
interfaces.
NOTE
When testing the reachability of Layer 3 Eth-Trunk member interfaces, you must specify the -a and -i
parameters in the ping command. -a and -i indicate the source IP address and source interface of ICMP
Echo Request packets respectively.
Networking Requirements
As shown in Figure 2-12, RouterA and RouterB connect to devices in VLAN 10 and VLAN
20 through Ethernet links, and heavy traffic is transmitted between RouterA and RouterB.
RouterA and RouterB can provide higher link bandwidth to implement inter-VLAN
communication. Reliability of data transmission needs to be ensured.
[Figure 2-12: RouterA and RouterB, each connected to VLAN 10 and VLAN 20]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk and add member interfaces to the Eth-Trunk to increase link
bandwidth.
2. Create VLANs and add interfaces to the VLANs.
3. Configure a load balancing mode to ensure that traffic is load balanced among Eth-Trunk
member interfaces.
Procedure
Step 1 Create an Eth-Trunk on RouterA and add member interfaces to the Eth-Trunk. The
configuration of RouterB is similar to the configuration of RouterA, and is not mentioned
here.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface Eth-Trunk1
[RouterA-Eth-Trunk1] trunkport ethernet 1/0/1 to 1/0/3
[RouterA-Eth-Trunk1] quit
Step 2 Create VLANs and add interfaces to the VLANs. The configuration of RouterB is similar to
the configuration of RouterA, and is not mentioned here.
# Create VLAN 10 and VLAN 20, and add interfaces to VLAN 10 and VLAN 20.
[RouterA] vlan batch 10 20
[RouterA] interface ethernet 1/0/4
[RouterA-Ethernet1/0/4] port link-type trunk
[RouterA-Ethernet1/0/4] port trunk allow-pass vlan 10
[RouterA-Ethernet1/0/4] quit
[RouterA] interface ethernet 1/0/5
[RouterA-Ethernet1/0/5] port link-type trunk
[RouterA-Ethernet1/0/5] port trunk allow-pass vlan 20
[RouterA-Ethernet1/0/5] quit
# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass through.
[RouterA] interface Eth-Trunk1
[RouterA-Eth-Trunk1] port link-type trunk
[RouterA-Eth-Trunk1] port trunk allow-pass vlan 10 20
Step 3 Configure a load balancing mode for Eth-Trunk 1. The configuration of RouterB is similar to
the configuration of RouterA, and is not mentioned here.
[RouterA-Eth-Trunk1] load-balance src-dst-mac
[RouterA-Eth-Trunk1] quit
# Run the display eth-trunk 1 command in any view to check whether the Eth-Trunk is
created and whether member interfaces are added.
[RouterA] display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL          Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 1   Max Bandwidth-affected-linknumber: 8
Operate status: up           Number Of Up Ports In Trunk: 3
--------------------------------------------------------------------------------
PortName                     Status      Weight
Ethernet1/0/1                Up          1
Ethernet1/0/2                Up          1
Ethernet1/0/3                Up          1
# The preceding command output shows that Eth-Trunk 1 has three member interfaces:
Ethernet1/0/1, Ethernet1/0/2, and Ethernet1/0/3. The member interfaces are all in Up state.
----End
Configuration Files
l Configuration file of RouterA
#
sysname RouterA
#
vlan batch 10 20
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
load-balance src-dst-mac
#
interface Ethernet1/0/1
eth-trunk 1
#
interface Ethernet1/0/2
eth-trunk 1
#
interface Ethernet1/0/3
eth-trunk 1
#
interface Ethernet1/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
interface Ethernet1/0/5
port link-type trunk
port trunk allow-pass vlan 20
#
return
l Configuration file of RouterB
#
vlan batch 10 20
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
load-balance src-dst-mac
#
interface Ethernet1/0/1
eth-trunk 1
#
interface Ethernet1/0/2
eth-trunk 1
#
interface Ethernet1/0/3
eth-trunk 1
#
interface Ethernet1/0/4
port link-type trunk
port trunk allow-pass vlan 20
#
interface Ethernet1/0/5
port link-type trunk
port trunk allow-pass vlan 10
#
return
Networking Requirements
To increase the bandwidth and improve the connection reliability, you can configure an LAG
on two directly connected routers, as shown in Figure 2-13. The requirements are as follows:
l The LAG contains three member links. Two links function as active links to implement
load balancing, and the other link functions as the backup link.
l When a fault occurs on an active link, the backup link replaces the faulty one to ensure
nonstop services.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk on each router and configure the Eth-Trunk to work in LACP mode.
2. Add member interfaces to the Eth-Trunk.
3. Set the LACP system priority and determine the Actor.
4. Set the maximum number of active interfaces in the Eth-Trunk.
5. Set LACP interface priorities and determine active links.
Procedure
Step 1 Create Eth-Trunk 1 and configure Eth-Trunk 1 to work in LACP mode.
# Configure RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface eth-trunk 1
[RouterA-Eth-Trunk1] mode lacp-static
[RouterA-Eth-Trunk1] quit
# Configure RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface eth-trunk 1
[RouterB-Eth-Trunk1] mode lacp-static
[RouterB-Eth-Trunk1] quit
# Configure RouterB.
[RouterB] interface ethernet 2/0/1
[RouterB-Ethernet2/0/1] eth-trunk 1
[RouterB-Ethernet2/0/1] quit
[RouterB] interface ethernet 2/0/2
[RouterB-Ethernet2/0/2] eth-trunk 1
[RouterB-Ethernet2/0/2] quit
[RouterB] interface ethernet 2/0/3
[RouterB-Ethernet2/0/3] eth-trunk 1
[RouterB-Ethernet2/0/3] quit
Step 3 Set the LACP system priority on RouterA to 100 so that RouterA becomes the Actor.
[RouterA] lacp priority 100
Step 5 Set LACP interface priorities and determine active links on RouterA.
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] lacp priority 100
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] lacp priority 100
[RouterA-Ethernet2/0/2] quit
Partner:
------------------------------------------------------------------------------
PartnerPortName SysPri SystemID PortPri PortNo PortKey PortState
Ethernet2/0/1 32768 00e0-fca6-7f85 32768 6145 2609 11111100
Ethernet2/0/2 32768 00e0-fca6-7f85 32768 6146 2609 11111100
Ethernet2/0/3 32768 00e0-fca6-7f85 32768 6147 2609 11110000
Partner:
------------------------------------------------------------------------------
PartnerPortName SysPri SystemID PortPri PortNo PortKey PortState
Ethernet2/0/1 100 00e0-fca8-0417 100 6145 2865 11111100
Ethernet2/0/2 100 00e0-fca8-0417 100 6146 2865 11111100
Ethernet2/0/3 100 00e0-fca8-0417 32768 6147 2865 11110000
According to the preceding information, the system priority of RouterA is 100, which is
higher than the system priority of RouterB; Ethernet2/0/1 and Ethernet2/0/2 are active
interfaces and are in Selected state; Ethernet2/0/3 is in Unselect state. That is, load balancing
and redundancy are implemented.
----End
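The Actor election and active-link selection shown in the output above can be reproduced with a short model. This is an added example, not code from the manual: it takes the priorities, system IDs and port numbers from the display output, and the tie-breakers (smaller system MAC address, smaller port number) are assumptions based on standard LACP behaviour rather than statements on this page.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Port:
    name: str
    priority: int      # LACP interface priority: a smaller value is a higher priority
    number: int        # LACP port number, tie-breaker between equal priorities (assumption)
    up: bool = True


@dataclass(frozen=True)
class System:
    name: str
    priority: int      # LACP system priority: a smaller value is a higher priority
    system_id: str     # system MAC address, tie-breaker between equal priorities (assumption)
    ports: tuple = ()


def mac_to_int(mac: str) -> int:
    """Convert a MAC address written as 00e0-fca8-0417 to an integer for comparison."""
    return int(mac.replace("-", ""), 16)


def elect_actor(a: System, b: System) -> System:
    """The end with the higher system priority (smaller value) becomes the Actor."""
    return min((a, b), key=lambda s: (s.priority, mac_to_int(s.system_id)))


def select_links(actor: System, max_active: int) -> dict:
    """Pick active links on the Actor: best interface priority first, up to max_active."""
    candidates = sorted((p for p in actor.ports if p.up),
                        key=lambda p: (p.priority, p.number))
    selected = {p.name for p in candidates[:max_active]}
    return {p.name: "Selected" if p.name in selected else "Unselect"
            for p in actor.ports}


def fail_port(system: System, name: str) -> System:
    """Return a copy of the system with one member interface Down."""
    ports = tuple(replace(p, up=False) if p.name == name else p
                  for p in system.ports)
    return replace(system, ports=ports)


# Values taken from the display output on this page.
ROUTER_A = System("RouterA", 100, "00e0-fca8-0417", (
    Port("Ethernet2/0/1", 100, 6145),
    Port("Ethernet2/0/2", 100, 6146),
    Port("Ethernet2/0/3", 32768, 6147),
))
ROUTER_B = System("RouterB", 32768, "00e0-fca6-7f85", (
    Port("Ethernet2/0/1", 32768, 6145),
    Port("Ethernet2/0/2", 32768, 6146),
    Port("Ethernet2/0/3", 32768, 6147),
))
MAX_ACTIVE_LINKNUMBER = 2   # "max active-linknumber 2" in RouterA's configuration file

if __name__ == "__main__":
    actor = elect_actor(ROUTER_A, ROUTER_B)
    print("Actor:", actor.name)
    print("Normal operation:", select_links(actor, MAX_ACTIVE_LINKNUMBER))
    # An active link fails: the backup link takes over.
    # Behaviour after the failed link recovers (preemption) is not modelled here.
    degraded = fail_port(actor, "Ethernet2/0/1")
    print("Ethernet2/0/1 down:", select_links(degraded, MAX_ACTIVE_LINKNUMBER))
```

If both ends keep the default system priority of 32768 shown for RouterB, the model falls back to the MAC address tie-breaker, so the Actor is no longer determined by configuration.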
Configuration Files
l Configuration file of RouterA
#
sysname RouterA
#
lacp priority 100
#
interface Eth-Trunk1
mode lacp-static
max active-linknumber 2
#
interface Ethernet2/0/1
eth-trunk 1
lacp priority 100
#
interface Ethernet2/0/2
eth-trunk 1
lacp priority 100
#
interface Ethernet2/0/3
eth-trunk 1
#
return
l Configuration file of RouterB
#
interface Ethernet2/0/1
eth-trunk 1
#
interface Ethernet2/0/2
eth-trunk 1
#
interface Ethernet2/0/3
eth-trunk 1
#
return
Networking Requirements
RouterA and RouterB are connected by two Layer 3 Ethernet interfaces. To increase link
bandwidth and improve reliability, you can create an Eth-Trunk on each router and add the
Layer 3 Ethernet interfaces to the Eth-Trunk.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a Layer 3 Eth-Trunk on each device and configure an IP address for each Eth-
Trunk.
2. Add Ethernet interfaces to the Eth-Trunk.
Procedure
Step 1 Configure RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
----End
Configuration Files
l Configuration file of RouterA
#
sysname RouterA
#
interface Eth-Trunk1
undo portswitch
ip address 10.1.1.1 255.255.255.0
#
interface Ethernet1/0/0
eth-trunk 1
#
interface Ethernet2/0/0
eth-trunk 1
#
return
Fault Description
Traffic is unevenly load balanced among Eth-Trunk member interfaces due to the incorrect
load balancing mode.
Procedure
1. Run the display eth-trunk command to check whether the load balancing mode of the
Eth-Trunk meets networking requirements. For example, source or destination IP
address-based load balancing is not recommended in Layer 2 networking.
2. Run the load-balance command to set an appropriate load balancing mode.
l Manual load balancing mode: This mode allows you to manually add interfaces to an
Eth-Trunk. All the member interfaces are in forwarding state and perform load
balancing.
l LACP mode: This mode allows the AR to select active links by negotiating parameters
using LACP. In LACP mode, you need to manually set up an Eth-Trunk and add
interfaces to the Eth-Trunk.
Before adding a new member interface, ensure that the type of the new member interface is the same as that
of other member interfaces and there is no configuration on the new member interface.
1. Run the shutdown command in the interface view to configure the new member
interface in Down state.
NOTE
If the new member interface that joins the Eth-Trunk is not configured to be Down, a temporary loop
may occur. As a result, services are affected.
2. Run either of the following commands to add the new member interface to the Eth-
Trunk.
– Run the eth-trunk trunk-id command in the interface view.
– Run the trunkport interface-type { interface-number1 [ to interface-number2 ] }
&<1-8> command in the Eth-Trunk interface view.
3. After member interfaces at both ends join the Eth-Trunk, run the undo shutdown
command in the interface view to enable the new member interfaces.
3 VLAN Configuration
This chapter describes how to configure VLAN technology. VLAN technology provides
broadcast domain isolation, security hardening, flexible networking, and high extensibility.
3.1 Overview of VLANs
3.2 Understanding VLANs
3.3 Application Scenarios for VLANs
3.4 Summary of VLAN Configuration Tasks
3.5 Default Settings for VLANs
3.6 Licensing Requirements and Limitations for VLANs
3.7 Configuring VLAN
3.8 Configuration Examples for VLANs
3.9 Troubleshooting VLANs
3.10 FAQ About VLANs
Purpose
Ethernet technology implements data communication over shared media based on Carrier
Sense Multiple Access/Collision Detection (CSMA/CD). When an Ethernet network has a
large number of hosts, collisions become a serious problem and can lead to broadcast storms.
As a result, network performance deteriorates, and the network can even break down completely.
Using switches to connect LANs can mitigate collisions, but cannot isolate broadcast packets
or improve network quality.
VLAN technology divides a physical LAN into multiple VLANs to isolate broadcast
domains. Hosts within a VLAN can communicate with each other but cannot communicate
directly with hosts in other VLANs. Consequently, broadcast packets are confined to within a
single VLAN.
[Figure 3-1: Router1 and Router2, each connected to hosts in VLAN 2 and VLAN 3]
Figure 3-1 shows a typical VLAN networking environment. Device Router1 and device
Router2 are deployed in different locations (for example, on different floors of a building).
Each device is connected to two PCs belonging to different VLANs, which likely belong to
different entities or companies.
Benefits
VLAN technology offers the following benefits:
l Limits broadcast domains. Broadcast domains are limited to conserve bandwidth and
improve network efficiency.
l Enhances LAN security. Packets from different VLANs are transmitted separately. Hosts
in a VLAN cannot communicate directly with hosts in another VLAN.
l Improves network robustness. A fault in a VLAN does not affect hosts in other VLANs.
l Allows flexible definition of virtual groups. With VLAN technology, hosts in different
geographical locations can be grouped together, thereby simplifying network
construction and maintenance.
After VLANs are assigned, broadcast packets are forwarded at Layer 2 in the same VLAN.
That is, users in the same VLAN can directly communicate at Layer 2. There are two intra-
VLAN communication scenarios depending on whether hosts in the same VLAN connect to
the same or multiple devices.
[Figure: Host_1 (MAC 1-1-1, IP 10.1.1.2, subnet mask 255.255.255.0) connects to access
interface IF_1 on the Router, and Host_2 (MAC 2-2-2, IP 10.1.1.3, subnet mask 255.255.255.0)
connects to access interface IF_2. Both interfaces belong to VLAN 2.]
When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on the router):
1. Host_1 determines that the destination IP address is on the same network segment as its
IP address, and therefore broadcasts an ARP Request packet to obtain the MAC address
of Host_2. The ARP Request packet carries the all-F destination MAC address and
destination IP address of 10.1.1.3 (Host_2's IP address).
2. When the packet reaches IF_1 on the Router, the Router detects that the ARP Request
packet is untagged and adds VLAN 2 (PVID of IF_1) to the packet. The Router then
adds the binding of the source MAC address, VLAN ID, and interface (1-1-1, 2, IF_1) to
its MAC address table.
3. The Router does not find a MAC address entry matching the destination MAC address
and VLAN ID of the ARP Request packet, so it broadcasts the ARP Request packet to
all interfaces that allow VLAN 2 (IF_2 in this example).
4. Before sending the ARP Request packet, IF_2 on the Router removes the tag with
VLAN 2 from the packet.
5. Host_2 receives the ARP Request packet and records the mapping between the MAC
address and IP address of Host_1 in the ARP table. Then Host_2 compares the
destination IP address with its own IP address. If they are the same, Host_2 sends an
ARP Reply packet. The ARP Reply packet carries Host_2's MAC address of 2-2-2 and
Host_1's IP address of 10.1.1.2 as the destination IP address.
6. After receiving the ARP Reply packet, IF_2 on the Router tags the packet with VLAN 2.
7. The Router adds the mapping between the source MAC address, VLAN ID, and
interface (2-2-2, 2, IF_2) to its MAC address table, and then searches for an entry in its
MAC address table based on the destination MAC address and VLAN ID (1-1-1, 2). The
entry is found because the mapping has been recorded before (see step 5). The Router
forwards the ARP Reply packet to IF_1.
8. Before forwarding the ARP Reply packet to IF_1, the Router removes the tag with
VLAN 2 from the packet.
9. Host_1 receives the ARP Reply packet and records the mapping between the MAC
address and IP address of Host_2 in the ARP table.
Host_1 and Host_2 have learned the MAC address of each other, so in subsequent
communication they fill the destination MAC address fields of packets with the learned
MAC addresses.
In the preceding networking, if hosts in the same VLAN are on different network segments,
they encapsulate the gateway's MAC address into packets and can communicate through
VLANIF interfaces (with primary and secondary IP addresses configured). The principles are
similar to those in Inter-VLAN Communication Through the Same Device, and are not
mentioned here.
[Figure: Host_1 (MAC 1-1-1, IP 10.1.1.2, subnet mask 255.255.255.0) and Host_2 (MAC 2-2-2,
IP 10.1.1.3, subnet mask 255.255.255.0)]
When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on Router_1 and Router_2):
1. The first two steps are similar to steps 1 and 2 in Intra-VLAN Communication
Through the Same Device. After the two steps are complete, Host_1 broadcasts the
ARP Request packet to IF_2 on Router_1.
2. IF_2 on Router_1 transparently transmits the ARP Request packet to IF_2 on Router_2
without removing the tag of the packet, because the VLAN ID of the packet is different
from the PVID of IF_2 on Router_1.
3. After receiving the ARP Request packet, IF_2 on Router_2 determines that VLAN 2 is
an allowed VLAN and accepts the packet.
4. Following the four steps similar to steps 3 to 6 in Intra-VLAN Communication
Through the Same Device, Router_2 forwards the ARP Reply packet of Host_2 to
IF_2. IF_2 on Router_2 transparently transmits the ARP Reply packet to IF_2 on
Router_1, because IF_2 is a trunk interface and its PVID is different from the VLAN ID
of the packet.
5. After receiving the ARP Reply packet, IF_2 on Router_1 determines that VLAN 2 is an
allowed VLAN and accepts the packet. Subsequent steps are similar to steps 7 to 9 in
Intra-VLAN Communication Through the Same Device.
In addition to transmitting frames from multiple VLANs, a trunk link can transparently
transmit frames without adding or removing the tags of the packets.
In the preceding networking, if hosts in the same VLAN are on different network segments,
hosts can communicate through VLANIF interfaces. The principles are similar to those in
Inter-VLAN Communication Through the Same Device, and are not mentioned here.
isolates broadcast domains. In real-world applications, hosts in different VLANs often need to
communicate, so inter-VLAN communication needs to be implemented to resolve this.
Similar to intra-VLAN communication described in 3.2.1 Intra-VLAN Communication,
inter-VLAN communication goes through three phases: packet transmission from the source
host, Ethernet switching in a device, and adding and removing VLAN tags during the
exchange between devices. According to the Ethernet switching principle, broadcast packets
are only forwarded in the same VLAN and hosts in different VLANs cannot directly
communicate at Layer 2. Layer 3 routing or VLAN translation technology is required to
implement inter-VLAN communication.
host's MAC address in packets. The device determines that packets should be forwarded at
Layer 2. Layer 2 switching is performed only in the same VLAN, and broadcast packets
cannot reach different VLANs. In this case, the device cannot obtain destination hosts' MAC
addresses and therefore cannot forward packets to the destination host.) On a network, VLAN
aggregation can allow hosts on the same network segment in different VLANs to
communicate.
VLAN aggregation, also known as super-VLAN, associates a super-VLAN with multiple sub-
VLANs. The sub-VLANs share the IP address of the super-VLAN as the gateway IP address
to implement Layer 3 connectivity with an external network. Proxy ARP can be enabled
between sub-VLANs to implement Layer 3 connectivity between sub-VLANs. VLAN
aggregation conserves IP addresses in inter-VLAN Layer 3 communication.
VLAN aggregation applies to scenarios where multiple VLANs share a gateway. For details
about VLAN aggregation, see 4 VLAN Aggregation Configuration.
Figure 3-4 Using VLANIF interfaces to implement inter-VLAN communication through the
same device
[Figure: Host_1 (MAC 1-1-1, IP 10.1.1.2, gateway address 10.1.1.1) connects to access
interface IF_1 (VLAN 2) on the Router, and Host_2 (MAC 2-2-2, IP 10.2.2.2, gateway address
10.2.2.1) connects to access interface IF_2 (VLAN 3). VLANIF2 has IP 10.1.1.1/24 and MAC
3-3-3; VLANIF3 has IP 10.2.2.1/24 and MAC 4-4-4.]
When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on the router):
1. Host_1 determines that the destination IP address is on a different network segment from
its own IP address, and therefore sends an ARP Request packet to request the gateway
MAC address. The ARP Request packet carries the destination IP address of 10.1.1.1
(gateway's IP address) and all-F destination MAC address.
2. When the ARP Request packet reaches IF_1 on the Router, the Router tags the packet
with VLAN 2 (PVID of IF_1). The Router then adds the mapping between the source
MAC address, VLAN ID, and interface (1-1-1, 2, IF_1) in its MAC address table.
3. The Router detects that the packet is an ARP Request packet and the destination IP
address is the IP address of VLANIF 2. The Router then encapsulates VLANIF 2's MAC
address of 3-3-3 into the ARP Reply packet and removes the tag with VLAN 2 from the
packet before sending it from IF_1. In addition, the Router adds the binding of the IP
address and MAC address of Host_1 in its ARP table.
4. After receiving the ARP Reply packet from the Router, Host_1 adds the binding of the
IP address and MAC address of VLANIF 2 on the Router in its ARP table and sends a
packet to the Router. The packet carries the destination MAC address of 3-3-3 and
destination IP address of 10.2.2.2 (Host_2's IP address).
5. After the packet reaches IF_1 on the Router, the Router tags the packet with VLAN 2.
6. The Router updates its MAC address table based on the source MAC address, VLAN ID,
and inbound interface of the packet, and compares the destination MAC address of the
packet with the MAC address of VLANIF 2. If they are the same, the Router determines
that the packet should be forwarded at Layer 3 and searches for a Layer 3 forwarding
entry based on the destination IP address. If no entry is found, the Router sends the
packet to the CPU. The CPU then searches for a routing entry to forward the packet.
7. The CPU looks up the routing table based on the destination IP address of the packet and
detects that the destination IP address matches a directly connected network segment
(network segment of VLANIF 3). The CPU continues to look up its ARP table but finds
no matching ARP entry. Therefore, the Router broadcasts an ARP Request packet with
the destination address of 10.2.2.2 to all interfaces in VLAN 3. Before sending the ARP
Request packet from IF_2, the Router removes the tag with VLAN 2 from the packet.
8. After receiving the ARP Request packet, Host_2 detects that the IP address is its own IP
address and sends an ARP Reply packet with its own MAC address. Additionally, Host_2 adds
the mapping between the MAC address and IP address of VLANIF 3 to its ARP table.
9. After IF_2 on the Router receives the ARP Reply packet, IF_2 tags the packet with
VLAN 3 and adds the binding of the MAC address and IP address of Host_2 to its ARP
table. Before forwarding the packet from Host_1 to Host_2, the Router removes the tag
with VLAN 3 from the packet. The Router also adds the binding of Host_2's IP address,
MAC address, VLAN ID, and outbound interface to its Layer 3 forwarding table.
The packet sent from Host_1 then reaches Host_2. The packet transmission process from
Host_2 to Host_1 is similar. Subsequent packets between Host_1 and Host_2 are first sent to
the gateway (Router), and the Router forwards the packets at Layer 3 based on its Layer 3
forwarding table.
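[Figure: Router_1 and Router_2 are connected through their IF_2 interfaces over a trunk link
(VLAN 4). Host_1 (MAC 1-1-1, IP 10.1.1.2, gateway address 10.1.1.1) connects to access
interface IF_1 (VLAN 2) on Router_1. Host_2 (MAC 2-2-2, IP 10.1.2.2, gateway address
10.1.2.1) connects to access interface IF_1 (VLAN 3) on Router_2.]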
When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on Router_1 and Router_2):
1. The first six steps are similar to steps 1 to 6 in inter-VLAN communication when hosts
connect to the same device. After the steps are complete, Router_1 sends the packet to
its CPU and the CPU looks up the routing table.
2. The CPU of Router_1 looks up the routing table based on the destination IP address of
10.1.2.2 and finds a matching entry with the network segment 10.1.2.0/24 corresponding
to VLANIF 3 and the next hop IP address 10.1.4.2. The CPU continues to look up its
ARP table but finds no matching ARP entry. Therefore, Router_1 broadcasts an ARP
Request packet with the destination address of 10.1.4.2 to all interfaces in VLAN 4. IF_2
on Router_1 transparently transmits the ARP Request packet to IF_2 on Router_2
without removing the tag from the packet.
3. After the ARP Request packet reaches Router_2, Router_2 finds that the destination IP
address of the ARP Request packet is the IP address of VLANIF 4. Router_2 then sends
an ARP Reply packet with the MAC address of VLANIF 4 to Router_1.
4. IF_2 on Router_2 transparently transmits the ARP Reply packet to Router_1. After
Router_1 receives the ARP Reply packet, it adds the binding of the MAC address and IP
address of VLANIF4 in its ARP table.
5. Before forwarding the packet of Host_1 to Router_2, Router_1 changes the destination
MAC address of the packet to the MAC address of VLANIF 4 on Router_2 and the
source MAC address to the MAC address of VLANIF 4 on itself. In addition, Router_1
records the forwarding entry (10.1.2.0/24, next hop IP address, VLAN, and outbound
interface) in its Layer 3 forwarding table. Similarly, the packet is transparently
transmitted to IF_2 on Router_2.
6. After Router_2 receives packets of Host_1 forwarded by Router_1, the steps similar to
steps 6 to 9 in inter-VLAN communication when hosts connect to the same device
are performed. In addition, Router_2 records the forwarding entry (Host_2's IP address,
MAC address, VLAN, and outbound interface) in its Layer 3 forwarding table.
VLAN Damping
In a VLAN where a VLANIF interface has been configured, the VLAN goes Down when all
interfaces in the VLAN go Down. The interface Down event is reported to the VLANIF
interface, causing the VLANIF interface status to change.
To avoid network flapping caused by status changes of the VLANIF interface, you can enable
VLAN damping on the VLANIF interface and set a delay after which the VLANIF interface
goes Down.
With VLAN damping enabled, when the last Up interface in the VLAN goes Down, the
Down event is reported to the VLANIF interface after a delay (the delay can be set as
required). If an interface in the VLAN goes Up during the delay, the status of the VLANIF
interface remains unchanged. That is, the VLAN damping function postpones the time at which
the VLAN reports a Down event to the VLANIF interface, avoiding unnecessary route
flapping.
A VLAN tag contains four fields. Table 3-1 describes the fields.

Field: TPID
Length: 2 bytes
Description: Tag Protocol Identifier (TPID), indicating the frame type.
Value: The value 0x8100 indicates an 802.1Q-tagged frame. An 802.1Q-incapable device
discards the 802.1Q frames. IEEE 802.1Q protocol defines the value of the field as 0x8100.
However, manufacturers can define their own TPID values and users can then modify the
value to realize interconnection of devices from different manufacturers.

Field: PRI
Length: 3 bits
Description: Priority (PRI), indicating the frame priority.
Value: The value ranges from 0 to 7. A larger value indicates a higher priority. If
congestion occurs, the device sends packets with higher priorities first.

Field: CFI
Length: 1 bit
Description: Canonical Format Indicator (CFI), indicating whether a MAC address is
encapsulated in canonical format over different transmission media. CFI is used to ensure
compatibility between Ethernet and token ring networks.
Value: The value 0 indicates that the MAC address is encapsulated in canonical format, and
the value 1 indicates that the MAC address is encapsulated in non-canonical format. The CFI
field has a fixed value of 0 on Ethernet networks.

Field: VID
Length: 12 bits
Description: VLAN ID (VID), indicating the VLAN to which a frame belongs.
Value: VLAN IDs range from 0 to 4095. The values 0 and 4095 are reserved, and therefore
valid VLAN IDs range from 1 to 4094.
The device identifies the VLAN that a frame belongs to according to the information
contained in the VID field. Broadcast frames are forwarded only in the local VLAN. That is, a
broadcast domain is confined to within a single VLAN.
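The four fields can be read directly from the bytes of a frame. The following parser is an added example, not code from the manual; the sample frame is constructed (broadcast destination, a made-up source MAC address, a zero-filled payload), and 0x9100 is used only as an example of a non-default TPID.

```python
import struct

TPID_8021Q = 0x8100   # TPID value defined by IEEE 802.1Q


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_tag(pri: int, cfi: int, vid: int, tpid: int = TPID_8021Q) -> bytes:
    """Pack TPID (2 bytes) followed by PRI (3 bits), CFI (1 bit) and VID (12 bits)."""
    if not 0 <= pri <= 7:
        raise ValueError("PRI must be 0 to 7")
    if cfi not in (0, 1):
        raise ValueError("CFI must be 0 or 1")
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    return struct.pack("!HH", tpid, (pri << 13) | (cfi << 12) | vid)


def tag_frame(untagged: bytes, pri: int, cfi: int, vid: int,
              tpid: int = TPID_8021Q) -> bytes:
    """Insert the 4-byte tag after the destination and source MAC addresses."""
    return untagged[:12] + build_tag(pri, cfi, vid, tpid) + untagged[12:]


def parse_frame(frame: bytes, tpid: int = TPID_8021Q) -> dict:
    """Return the header fields; the frame counts as tagged only if the TPID matches."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": fmt_mac(frame[0:6]), "src": fmt_mac(frame[6:12])}
    (type_field,) = struct.unpack("!H", frame[12:14])
    if type_field != tpid:
        info.update(tagged=False, ethertype=type_field)
        return info
    if len(frame) < 18:
        raise ValueError("frame truncated inside the VLAN tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    info.update(
        tagged=True,
        tpid=type_field,
        pri=tci >> 13,
        cfi=(tci >> 12) & 0x1,
        vid=vid,
        vid_valid=1 <= vid <= 4094,   # 0 and 4095 are reserved
        ethertype=ethertype,
    )
    return info


# Constructed sample: broadcast frame with EtherType 0x0806 (ARP) and a zero-filled payload.
SAMPLE_UNTAGGED = bytes.fromhex("ffffffffffff" "000000010101" "0806") + bytes(28)

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_UNTAGGED, pri=5, cfi=0, vid=2)
    print(parse_frame(SAMPLE_UNTAGGED))
    print(parse_frame(tagged))
    # A frame tagged with a vendor-defined TPID looks untagged to a parser
    # that expects 0x8100, which is why the TPID has to match on both devices.
    vendor = tag_frame(SAMPLE_UNTAGGED, pri=0, cfi=0, vid=10, tpid=0x9100)
    print(parse_frame(vendor))
    print(parse_frame(vendor, tpid=0x9100))
```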
All frames processed in a router carry VLAN tags. On a live network, some devices
connected to a router can only receive and send untagged frames. To enable communication
between the Router and these devices, the Router interface must be able to identify the
untagged frames and add or remove VLAN tags from the frames. Hosts in the same VLAN
may be connected to different Routers, and more than one VLAN may span multiple Routers.
To enable communication between hosts, interfaces between Routers must be able to identify
and send VLAN frames.
To accommodate different connections and networking, the device defines three interface
types (access, trunk, and hybrid) and two link types (access and trunk), as shown in Figure
3-7.
[Figure 3-7: Routers and hubs connected by access links and trunk links through access,
trunk, and hybrid interfaces, carrying untagged frames and tagged frames with VID 2, 3, and 4]
Link Types
As shown in Figure 3-7, Ethernet links fall into the following types, depending on the number
of allowed VLANs:
l Access link
An access link can transmit data frames of only one VLAN. It connects a device to a user
terminal, such as a host or server. Generally, user terminals do not need to know the
VLANs to which they belong and cannot identify tagged frames; therefore, only
untagged frames are transmitted along an access link.
l Trunk link
A trunk link can transmit data frames from multiple VLANs. It connects devices. Frames
on a trunk link must be tagged so that other network devices can correctly identify
VLAN information in the frames.
Interface Types
As shown in Figure 3-7, Ethernet interfaces are classified into the following types depending
on the objects connected to them and the way they process frames:
l Access interface
An access interface often connects to a user terminal such as a user host or server that
cannot identify VLAN tags, or is used when VLANs do not need to be differentiated.
Access interfaces can only receive and send untagged frames, and can add only a unique
VLAN tag to untagged frames.
l Trunk interface
A trunk interface often connects to a switch, router, AP, or voice terminal that can
receive and send tagged and untagged frames simultaneously. It allows tagged frames
from multiple VLANs and untagged frames from only one VLAN.
l Hybrid interface
A hybrid interface can connect to not only a user terminal (such as a user host or server)
or network device (such as a hub) that cannot identify tags, but also a switch, router,
voice terminal, or AP that can receive and send tagged and untagged frames. It allows
tagged frames from multiple VLANs. Frames sent out from a hybrid interface are tagged
or untagged according to the VLAN configuration.
Hybrid and trunk interfaces are interchangeable in some scenarios, yet hybrid interfaces
are required in certain specific scenarios. For example, if an interface connects to
different VLAN network segments (such as the router interface connected to a hub in
Figure 3-7), the interface must be a hybrid interface because it needs to add tags to
untagged frames of multiple VLANs.
The default VLAN ID of an interface is called the port default VLAN ID (PVID). Frames
processed in a device all carry VLAN tags. When the device receives an untagged frame, it
adds a VLAN tag to the frame according to the default VLAN of the interface that receives
the frame.
For details on how to add or remove tags when the interface receives and sends frames, see
3.2.3.4 Adding and Removing VLAN Tags.
Each interface has a default VLAN. By default, the default VLAN ID of all interfaces is
VLAN 1. You can change the default VLAN ID as required.
l The default VLAN of an access interface is the VLAN allowed by the access interface.
You can change the default VLAN of an access interface to change the allowed VLAN.
l Trunk and hybrid interfaces allow multiple VLANs but have only one default VLAN.
Default VLAN and VLANs allowed by the trunk and hybrid interfaces should be
configured separately.
Ethernet data frames are tagged or untagged based on the interface type and default VLAN.
The following describes how access, trunk, and hybrid interfaces process data frames.
Access Interface
Figure 3-8 and Figure 3-9 show how an access interface adds and removes VLAN tags.
[Figures 3-8 and 3-9: flowcharts of access interface frame processing, with the decision
points "Carry tag?" and "Same VID and PVID?"]
Trunk Interface
Figure 3-10 and Figure 3-11 show how a trunk interface adds and removes VLAN tags.
[Figures 3-10 and 3-11: flowcharts of trunk interface frame processing, with the decision
points "Carry tag?" and "Same as PVID?"]
Hybrid Interface
Figure 3-12 and Figure 3-13 show how a hybrid interface adds and removes VLAN tags.
[Figures 3-12 and 3-13: flowcharts of hybrid interface frame processing, with the decision
points "Carry tag?", "Is VID allowed?" and "Does device add tag to it?"]
Access port
Untagged frame received: Accepts an untagged frame and adds a tag with the default VLAN ID
to the frame.
Tagged frame received:
l Accepts the tagged frame if the frame's VLAN ID matches the default VLAN ID.
l Discards the tagged frame if the frame's VLAN ID differs from the default VLAN ID.
Frame transmitted: After the PVID tag is stripped, the frame is transmitted.

Hybrid port
Untagged frame received:
l Adds a tag with the default VLAN ID to an untagged frame and accepts the frame if the
port permits the default VLAN ID.
l Adds a tag with the default VLAN ID to an untagged frame and discards the frame if the
port denies the default VLAN ID.
Tagged frame received:
l Accepts a tagged frame if the VLAN ID carried in the frame is permitted by the port.
l Discards a tagged frame if the VLAN ID carried in the frame is denied by the port.
Frame transmitted: If the frame's VLAN ID is permitted by the port, the frame is
transmitted. The port can be configured whether to transmit frames with tags.
l Access, trunk, and hybrid interfaces add VLAN tags to received untagged frames. Trunk
and hybrid interfaces determine whether to accept untagged frames depending on
whether VLANs specified by the VLAN IDs in the frames are allowed, whereas an
access interface accepts the untagged frames unconditionally.
l Access, trunk, and hybrid interfaces determine whether to accept tagged frames
depending on whether VLANs specified by the VLAN IDs in the frames are allowed (the
VLAN ID allowed by an access interface is the default VLAN ID).
l Interfaces send frames as follows:
– An access interface directly removes VLAN tags from frames before sending the
frames.
– A trunk interface removes VLAN tags from frames only when their VLAN IDs are
the same as the PVID on the interface.
– A hybrid interface determines whether to remove VLAN tags from frames based on
the interface configuration.
Frames sent by an access interface are all untagged. On a trunk interface, only frames of
one VLAN are sent with tags, and frames of other VLANs are sent without tags. On a
hybrid interface, you can specify the VLANs of which frames are sent with or without
tags.
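The receive and send rules above, written as a small Python model. This is an added example, not Huawei code: the Port class, the DROP sentinel and the sample ports are constructed for illustration, and the trunk egress check (a frame leaves only if its VLAN is allowed on the port) is an assumption, since this document states that condition for hybrid ports only. The last case shows why both ends of a trunk link need the same PVID.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Union

DROP = "drop"  # sentinel (constructed for this example): frame discarded or not sent


@dataclass
class Port:
    """Hypothetical model of one Layer 2 interface."""
    link_type: str                                   # "access", "trunk" or "hybrid"
    pvid: int = 1                                    # default VLAN ID; VLAN 1 by default
    allowed: Set[int] = field(default_factory=set)   # trunk/hybrid: VLANs the port allows
    untagged: Set[int] = field(default_factory=set)  # hybrid: allowed VLANs sent untagged

    def permits(self, vid: int) -> bool:
        if self.link_type == "access":
            return vid == self.pvid                  # only the default VLAN is allowed
        return vid in self.allowed


def receive(port: Port, tag: Optional[int]) -> Union[int, str]:
    """Return the VLAN the frame is processed in, or DROP."""
    if tag is None:
        vid = port.pvid                              # untagged frame: add the PVID
        if port.link_type == "access":
            return vid                               # access accepts it unconditionally
    else:
        vid = tag
    return vid if port.permits(vid) else DROP


def send(port: Port, vid: int) -> Union[int, None, str]:
    """Return the tag on the wire (None = untagged), or DROP if not sent."""
    if not port.permits(vid):
        return DROP                                  # assumption for trunk ports
    if port.link_type == "access":
        return None                                  # access always strips the tag
    if port.link_type == "trunk":
        return None if vid == port.pvid else vid     # strip only the PVID's tag
    return None if vid in port.untagged else vid     # hybrid: per-VLAN configuration


def cross_link(tx: Port, rx: Port, vid: int) -> Union[int, str]:
    """Send a frame of VLAN `vid` out of tx and receive it on the peer port rx."""
    wire = send(tx, vid)
    return DROP if wire == DROP else receive(rx, wire)


def demo() -> Dict[str, object]:
    user = Port("access", pvid=2)
    trunk = Port("trunk", pvid=1, allowed={2, 3})
    hybrid = Port("hybrid", pvid=10, allowed={10, 20}, untagged={10})
    # Constructed misconfiguration: the two ends of one link disagree on the PVID.
    end_a = Port("trunk", pvid=2, allowed={2, 3})
    end_b = Port("trunk", pvid=3, allowed={2, 3})
    return {
        "access: untagged frame in": receive(user, None),
        "access: frame tagged 3 in": receive(user, 3),
        "trunk: untagged in, PVID 1 not allowed": receive(trunk, None),
        "trunk: VLAN 2 out": send(trunk, 2),
        "hybrid: VLAN 10 out": send(hybrid, 10),
        "hybrid: VLAN 20 out": send(hybrid, 20),
        "PVID mismatch: VLAN 2 arrives in VLAN": cross_link(end_a, end_b, 2),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:40} -> {result}")
```

With mismatched PVIDs the frame leaves one end untagged and is placed in the peer's default VLAN, so traffic of VLAN 2 ends up in VLAN 3 even though no interface was added to the wrong VLAN.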
Port Isolation
Port isolation can isolate interfaces in a VLAN. You can add interfaces to a port isolation
group to disable Layer 2 packet transmission between the interfaces. Interfaces in different
port isolation groups, or interfaces that belong to no port isolation group, can exchange
packets with other interfaces. In addition, interfaces can be isolated unidirectionally,
providing more secure and flexible networking.
For details about port isolation, see Configuring Interface Isolation in Huawei AR Series
Access Routers Configuration Guide - Interface Management.
MUX VLAN
Multiplex VLAN (MUX VLAN) provides a mechanism to control network resources using
VLANs. It can implement inter-VLAN communication and intra-VLAN isolation.
For example, an enterprise has the following requirements:
l Employees can communicate with each other but customers are isolated.
l Both employees and customers can access enterprise servers.
You can deploy the MUX VLAN to meet the preceding requirements.
For details about the MUX VLAN feature, see 5 MUX VLAN Configuration.
The device supports intra-VLAN Layer 2 isolation based on MQC and simplified ACL-based
traffic policies. For details about MQC and simplified ACL-based traffic policies, see MQC
Configuration and ACL-based Simplified Traffic Policy Configuration in Huawei AR Series
Access Routers Configuration Guide - QoS.
After inter-VLAN Layer 3 connectivity is implemented between two VLANs, all users in the
VLANs can communicate. In some scenarios, communication between some users needs to
be prevented or only unidirectional communication is allowed. For example, user hosts and
servers often use unidirectional communication, and visitors to an enterprise are often allowed
to access only the Internet or some servers. In these scenarios, you need to configure inter-
VLAN isolation.
Inter-VLAN isolation is often implemented using a traffic policy. You can define traffic
classifiers on a device to match packets with certain characteristics and associate the traffic
classifiers with the permit or deny behavior in a traffic policy. The device then permits or
rejects the packets matching the traffic classifiers. This technology implements flexible inter-
VLAN isolation.
The device supports inter-VLAN Layer 3 isolation based on MQC and simplified ACL-based
traffic policies. For details about MQC and simplified ACL-based traffic policies, see MQC
Configuration and ACL-based Simplified Traffic Policy Configuration in Huawei AR Series
Access Routers Configuration Guide - QoS.
To enhance security, you can configure a VLAN as the management VLAN (mVLAN).
Access or Dot1q tunnel interfaces cannot be added to the mVLAN. (The VLANs not specified
as the mVLAN are service VLANs.) Access and Dot1q tunnel interfaces are often connected
to users. When these interfaces are prevented from joining the mVLAN, users connected to
the interfaces cannot log in to the device, improving device security.
To isolate services and ensure service security of different companies, add interfaces
connected to the companies to different VLANs. Each company has a virtual router and each
VLAN is a virtual work group.
Figure 3-15 Using VLANIF interfaces to implement inter-VLAN communication through the
same device
[Figure: Router (VLANIF2, VLANIF3) connects to Switch_1 (Department 1, PC_1, VLAN2) and
Switch_2 (Department 2, PC_2, VLAN3).]
Assign VLANs on Switch_1 and Switch_2, configure Switch_1 and Switch_2 to transparently
transmit VLAN packets to Router, and configure a VLANIF interface for each VLAN on
Router to allow communication between VLAN 2 and VLAN 3.
[Figure: Router_1 (VLANIF2) and Router_2 (VLANIF3) are connected across a Layer 3 network;
a switch below each router serves Department 1 (PC_1, VLAN2) and Department 2 (PC_2,
VLAN3).]
Assign VLANs on the switches, and configure the switches to transparently transmit VLAN
packets to Router_1 and Router_2. Configure a VLANIF interface for each user VLAN and
[Figure: Router_0 connects to the Internet; the central router (Router) has VLANIF100,
VLANIF10, VLANIF20 and VLANIF30.]
After the central router (Router) is configured with VLANIF 10, VLANIF 20, VLANIF 30,
and VLANIF 100 and a route to Router_0, employees, visitors, and servers can access the
Internet and communicate with each other. To control access rights of visitors, configure a
traffic policy on the central router and define the following rules:
l ACL rule 1: denies the packets sent from the IP network segment of visitors to the IP
segment of employees.
l ACL rule 2: permits the packets from the IP network segment of visitors to the IP
address of Server_1, and denies the packets from the IP network segment of visitors
to the IP segment of servers.
l ACL rule 3: denies the packets from the IP network segment of employees to the IP
segment of visitors.
l ACL rule 4: denies the packets from the IP network segment of servers to the IP segment
of visitors.
Apply the traffic policy to the inbound and outbound directions of the central router
interface connected to the visitor area. Visitors can then only access Server_1 and cannot
communicate with employees.
[Figure: configuration flowchart. Surviving boxes: "Assign VLANs"; "Configure VLANIF
interfaces to implement inter-VLAN communication"; "Configure MQC-based intra-VLAN
Layer 2 isolation"; "Configure MQC to implement inter-VLAN isolation"; "Configure VLAN".]
3.7.1 Configuring VLAN Assignment
VLANs can isolate the hosts that do not need to communicate with each other, which
improves network security, reduces broadcast traffic, and mitigates broadcast storms.
3.7.2 Configuring Inter-VLAN Communication
After VLANs are assigned, users in different VLANs cannot directly communicate with each
other. If users in different VLANs need to communicate, configure VLANIF interfaces to
implement inter-VLAN Layer 3 connectivity.
3.7.3 Configuring a Traffic Policy to Implement Intra-VLAN Layer 2 Isolation
After VLANs are assigned, users in the same VLAN can directly communicate with each
other. If some users in the same VLAN need to be isolated, configure MQC-based
intra-VLAN Layer 2 isolation.
NOTE
Intra-VLAN isolation can also be implemented using port isolation. For details about port
isolation, see Configuring Interface Isolation in Huawei AR Series Access Routers
Configuration Guide - Interface Management.
VLAN that an interface joins: VLAN 1 that interfaces join in untagged mode (port hybrid
untagged vlan 1)
Damping time: 0s
Licensing Requirements
VLAN is a basic feature of a router and is not under license control.
Feature Limitations
When deploying VLAN on the router, pay attention to the following:
l You are advised to plan service and management VLANs so that any broadcast storms in
service VLANs do not affect device management.
l In practice, specify VLANs from which packets need to be transparently transmitted by a
trunk interface. Do not use the port trunk allow-pass vlan all command if possible.
l All interfaces join VLAN 1 by default. When unknown unicast, multicast, or broadcast
packets of VLAN 1 exist on the network, broadcast storms may occur. When VLAN 1 is
used, pay attention to the following points:
– Remove the interfaces that do not need to join VLAN 1 from VLAN 1 to prevent
loops.
– You are advised to remove interfaces from VLAN 1 in Eth-Trunk or ring
networking.
– When connecting to an access device, to prevent broadcast storms in VLAN 1, do
not configure the uplink interface of the access device to transparently transmit
packets from VLAN 1.
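One way to check a saved configuration against these recommendations, as an added example that is not part of the Huawei guide. It reads the configuration-file format shown in this document; the finding names and the sample configuration are constructed, and the script only sees VLAN lists that are written explicitly in the file.

```python
import re
from typing import Dict, List, Set, Tuple

ALL_VLANS = frozenset(range(1, 4095))  # VLAN IDs 1-4094


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand a list such as '10 15 to 19 25 28 to 30' or 'all'."""
    tokens = spec.split()
    if tokens == ["all"]:
        return set(ALL_VLANS)
    vlans: Set[int] = set()
    i = 0
    while i < len(tokens):
        first = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(first, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(first)
            i += 1
    return vlans


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its (stripped) command lines."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line in ("", "#", "return"):
            current = None                      # '#' closes the stanza
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def vlans_after(lines: List[str], prefix: str) -> Set[int]:
    """Union of the VLAN lists on every line that starts with prefix."""
    found: Set[int] = set()
    for line in lines:
        if line.startswith(prefix):
            found |= parse_vlan_list(line[len(prefix):])
    return found


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs; finding names are constructed."""
    findings: List[Tuple[str, str]] = []
    for name, lines in parse_interfaces(config).items():
        link_type = next((l.split()[-1] for l in lines
                          if l.startswith("port link-type ")), None)
        if link_type == "trunk":
            if "port trunk allow-pass vlan all" in lines:
                findings.append((name, "trunk-allow-all"))
            elif 1 in vlans_after(lines, "port trunk allow-pass vlan "):
                findings.append((name, "vlan1-on-trunk"))
        elif link_type == "access":
            pvid = 1                            # default VLAN is VLAN 1 unless changed
            for line in lines:
                match = re.fullmatch(r"port default vlan (\d+)", line)
                if match:
                    pvid = int(match.group(1))
            if pvid == 1:
                findings.append((name, "access-in-vlan1"))
        elif link_type == "hybrid":
            joined = (vlans_after(lines, "port hybrid untagged vlan ")
                      | vlans_after(lines, "port hybrid tagged vlan "))
            if 1 in joined:
                findings.append((name, "hybrid-in-vlan1"))
    return findings


# Constructed sample in the layout of the configuration files in this document.
SAMPLE = """\
#
sysname RouterA
#
vlan batch 2 to 3 10
#
interface Ethernet2/0/1
 port link-type access
 port default vlan 2
#
interface Ethernet2/0/2
 port link-type access
#
interface Ethernet2/0/3
 port link-type trunk
 port trunk allow-pass vlan all
#
interface Ethernet2/0/4
 port link-type trunk
 port trunk allow-pass vlan 1 to 3
#
interface Ethernet2/0/5
 port link-type hybrid
 port hybrid untagged vlan 1 10
 port hybrid pvid vlan 10
#
return
"""

if __name__ == "__main__":
    for interface, finding in audit(SAMPLE):
        print(f"{interface}: {finding}")
```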
Context
VLANs can isolate the hosts that do not need to communicate with each other, which
improves network security, reduces broadcast traffic, and mitigates broadcast storms.
After an interface is added to a VLAN, the interface can forward packets from the VLAN.
Interface-based VLAN assignment allows hosts in the same VLAN to communicate and
prevents hosts in different VLANs from communicating, so broadcast packets are limited in a
VLAN.
Ethernet interfaces are classified into access, trunk, and hybrid interfaces according to the
objects connected to the Ethernet interfaces and number of VLANs from which untagged
frames are permitted (see Interface Types):
l Access interface
The router processes only tagged frames, and an access interface connected to devices
only receives and sends untagged frames, so the access interface needs to add a VLAN tag
to received frames. That is, you must configure the default VLAN for the access
interface. After the default VLAN is configured, the access interface joins the VLAN.
An access interface needs to process only untagged frames. If a user connects a
switching device to a user-side interface without permission, the user-side interface may
receive tagged frames. You can configure the user-side interface to discard tagged
frames, preventing unauthorized access.
l Trunk interface
When a trunk interface connects to a device such as an AP or a voice terminal that can
receive and send tagged and untagged frames simultaneously, you need to configure the
default VLAN for the trunk interface so that the trunk interface can add the VLAN tag to
untagged frames.
l Hybrid interface
When a hybrid interface connects to an AP, a voice terminal, a hub, a host, or a server
that sends untagged frames to the router, you need to configure the default VLAN for the
hybrid interface so that the hybrid interface can add the VLAN tag to untagged frames.
Frames sent by a router all carry VLAN tags. In some scenarios, VLAN tags need to be
removed from frames sent by a hybrid interface. A trunk interface allows untagged
packets from only one VLAN, so the interface must be configured as hybrid.
By default, the type of an interface is hybrid, the default VLAN is VLAN 1, and an interface
joins VLAN 1 in untagged mode.
Procedure
l Configuring the default VLAN for an access interface
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
A VLAN is created and the VLAN view is displayed, or the view of an existing
VLAN is displayed.
c. Run quit
Return to the system view.
d. Run interface interface-type interface-number
The view of the Ethernet interface to be added to the VLAN is displayed.
e. (Optional) Run portswitch
The virtual Ethernet (VE) interface is switched from Layer 3 mode to Layer 2
mode.
By default, a VE interface works in Layer 3 mode.
You need to perform this operation after accessing the VE interface view.
When the VLAN allowed by an interface is the default VLAN of the interface, packets from the
VLAN are forwarded in untagged mode.
l Configuring the default VLAN for a hybrid interface
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
A VLAN is created and the VLAN view is displayed, or the view of an existing
VLAN is displayed.
c. Run quit
Return to the system view.
d. Run interface interface-type interface-number
The view of the Ethernet interface to be added to the VLAN is displayed.
e. (Optional) Run portswitch
The virtual Ethernet (VE) interface is switched from Layer 3 mode to Layer 2
mode.
By default, a VE interface works in Layer 3 mode.
You need to perform this operation after accessing the VE interface view.
f. Run port link-type hybrid
The Ethernet interface is configured as the hybrid interface.
g. Run the following commands as required.
n Run port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The hybrid interface is added to the VLAN in untagged mode.
n Run port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The hybrid interface is added to the VLAN in tagged mode.
h. (Optional) Run port hybrid pvid vlan vlan-id
The default VLAN is configured for the hybrid interface.
This step is not supported in the VE interface view.
----End
Configuration Tips
Creating VLANs in a batch
To create multiple VLANs in a batch, run the vlan batch command in the system view.
For example:
l Create 10 contiguous VLANs: VLANs 11 to 20.
<Huawei> system-view
[Huawei] vlan batch 11 to 20
l Create 10 non-contiguous VLANs in a batch: VLAN 10, VLANs 15 to 19, VLAN 25,
VLANs 28 to 30.
<Huawei> system-view
[Huawei] vlan batch 10 15 to 19 25 28 to 30
NOTE
You can create a maximum of 10 non-contiguous VLANs or VLAN ranges at one time. If there
are more than 10 VLANs, run this command multiple times. For example, the vlan batch 10 15
to 19 25 28 to 30 command creates four non-contiguous VLAN ranges.
# After a name is configured for a VLAN, you can directly enter the VLAN view using the
name.
[Huawei] vlan vlan-name huawei
[Huawei-vlan10] quit
To perform the same VLAN configuration for multiple Ethernet interfaces, use the port group,
which can reduce the workload. To add access interfaces to a VLAN in a batch, you can also
run the port interface-type { interface-number1 [ to interface-number2 ] }&<1-10> command
in the VLAN view. For details, see 3.10.2 How to Add Interfaces to a VLAN in a Batch.
If the VLAN planning of an interface is changed, you need to delete the original VLAN
configuration of the interface. If many incontiguous VLANs are configured on the interface,
you need to delete the original VLAN configuration multiple times. To reduce deletion
operations, restore the default VLAN configuration of the interface. For details, see 3.10.3
How to Restore the Default VLAN Configuration of an Interface.
When the interface planning changes or the current interface type is different from the
configured one, the interface type needs to be changed. For details, see 3.10.4 How to
Change the Link Type of an Interface.
Deleting a VLAN
If a VLAN is not in use, you are advised to delete it immediately by running the command
undo vlan vlan-id or undo vlan batch vlan-id1 to vlan-id2, in order to save VLAN resources
and reduce packets on a network.
Context
After VLANs are assigned, users in the same VLAN can communicate with each other
while users in different VLANs cannot. If some users in different VLANs need to
communicate, configure inter-VLAN communication.
A VLANIF interface is a Layer 3 logical interface and can implement inter-VLAN Layer 3
connectivity. It is simple to configure a VLANIF interface, so the VLANIF interface is the
most commonly used technology. Each VLAN corresponds to a VLANIF interface. After an
IP address is configured for a VLANIF interface, the VLANIF interface is used as the
gateway of the VLAN and forwards packets across network segments at Layer 3 based on IP
addresses.
If a VLAN goes Down because all interfaces in the VLAN go Down, the system immediately
reports the VLAN Down event to the corresponding VLANIF interface, instructing the
VLANIF interface to go Down. To avoid network flapping caused by the change of the
VLANIF interface status, enable VLAN damping on the VLANIF interface. After the last
interface in Up state in a VLAN goes Down, the device enabled with VLAN damping starts a
delay timer and informs the corresponding VLANIF interface of the VLAN Down event after
the timer expires. If an interface in the VLAN goes Up during the delay, the VLANIF
interface remains Up.
The Maximum Transmission Unit (MTU) determines the maximum number of bytes that a
sender can send at a time. If the size of packets exceeds the MTU supported by a receiver
or a transit node, the receiver or transit node fragments the packets or even discards them,
aggravating the network transmission load. To avoid this problem, set the MTU of the
VLANIF interface.
After configuring bandwidth for a VLANIF interface, you can use the NMS to query the
bandwidth. This facilitates traffic monitoring.
NOTE
Pre-configuration Tasks
Before configuring inter-VLAN communication, complete the following tasks:
Procedure
Step 1 Run system-view
A VLANIF interface goes Up only when at least one physical interface in the corresponding
VLAN is in Up state.
Each VLANIF interface can be configured with one primary IP address and multiple
secondary IP addresses. A maximum of 31 secondary IP addresses can be configured.
NOTE
An IP address of a VLANIF interface can be statically configured or dynamically obtained using DHCP.
For details about DHCP, see DHCP Configuration in Huawei AR Series Access Routers Configuration
Guide - IP Services.
----End
Only the VLANIF interface in Up state can forward packets at Layer 3. When the VLANIF
interface goes Down, rectify the fault according to 3.9.2 A VLANIF Interface Goes Down.
Context
After VLANs are assigned, users in the same VLAN can communicate with each other. If
users in a VLAN need to be isolated unidirectionally or bidirectionally, configure a traffic
policy.
A traffic policy is configured by binding traffic classifiers to traffic behaviors. The device
classifies packets according to packet information, and associates a traffic classifier with a
traffic behavior to reject the packets matching the traffic classifier, implementing intra-VLAN
isolation.
The router provides intra-VLAN Layer 2 isolation based on MQC and on the simplified
ACL-based traffic policy.
Pre-configuration Tasks
Before configuring a traffic policy to implement intra-VLAN Layer 2 isolation, complete the
following task:
l 3.7.1 Configuring VLAN Assignment
Procedure
l Configure MQC to implement intra-VLAN Layer 2 isolation.
Perform the following MQC configurations to implement intra-VLAN Layer 2 isolation:
For details about how to configure MQC, see Configuring Packet Filtering in Huawei AR
Series Access Routers Configuration Guide - QoS.
l Configure a simplified ACL-based traffic policy to implement intra-VLAN Layer 2
isolation.
For details about how to configure a simplified ACL-based traffic policy, see
Configuring ACL-based Packet Filtering in Huawei AR Series Access Routers
Configuration Guide - QoS.
----End
Context
After inter-VLAN Layer 3 connectivity is configured, if some users in different VLANs
require unidirectional access or need to be isolated, configure inter-VLAN Layer 3 isolation.
The router provides inter-VLAN Layer 3 isolation based on MQC and on the simplified
ACL-based traffic policy. You can select one of them according to your needs.
Pre-configuration Tasks
Before configuring a traffic policy to implement inter-VLAN Layer 3 isolation, complete the
following task:
Procedure
l Configure MQC to implement inter-VLAN Layer 3 isolation.
For details about how to configure MQC, see Configuring Packet Filtering in Huawei AR
Series Access Routers Configuration Guide - QoS.
l Configure a simplified ACL-based traffic policy to implement inter-VLAN Layer 3
isolation.
For details about how to configure a simplified ACL-based traffic policy, see
Configuring ACL-based Packet Filtering in Huawei AR Series Access Routers
Configuration Guide - QoS.
----End
Context
Management VLAN (mVLAN) allows you to use the VLANIF interface of the mVLAN to
log in to the management router to manage devices in a centralized manner.
To use a remote network management system (NMS) to manage devices in a centralized
manner, configure a management IP address on the device. You can then log in to the device
in Telnet mode and manage the device by using the management IP address. The management
IP address can be configured on a management interface or VLANIF interface. If a user-side
interface is added to the VLAN, users connected to the interface can also log in to the device.
This brings security risks to the device.
After a VLAN is configured as an mVLAN, no access interface or Dot1q tunnel interface can
be added to the VLAN. Access and Dot1q tunnel interfaces are often connected to users.
When these interfaces are prevented from joining the mVLAN, users connected to the
interfaces cannot log in to the device, improving device security.
Generally, a VLANIF interface needs to be configured with only one management IP
address. In specific scenarios, for example, when users in the same mVLAN belong to
multiple different network segments, you need to configure a primary management IP
address and multiple secondary management IP addresses.
You can only log in to the local device using the management interface, whereas you can log
in to both local and remote devices using a VLANIF interface of an mVLAN. When logging
in to the remote device using the VLANIF interface of an mVLAN, you need to configure
VLANIF interfaces on both local and remote devices and assign IP addresses on the same
network segment to them.
Pre-configuration Tasks
Before configuring an mVLAN, complete the following task:
l 3.7.1 Configuring VLAN Assignment
NOTE
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan vlan-id
The VLAN view is displayed.
Step 3 Run management-vlan
----End
Follow-up Procedure
Log in to the router to implement centralized management through the NMS. Select either of
the following login modes according to your needs:
l To manage local devices, log in to the local router using Telnet or STelnet. For details,
see Configuring Telnet Login or Configuring STelnet Login in Huawei AR Series Access
Routers Configuration Guide – Basic Configurations.
l To manage remote devices, log in to the local device using Telnet or STelnet and log in
to remote devices using Telnet or STelnet from the local device. For details, see
(Optional) Using Telnet to Log In to Another Device From the Local Device, or
(Optional) Using STelnet to Log In to Another Device from the Local Device in Huawei
AR Series Access Routers Configuration Guide – Basic Configurations.
The login IP address is the IP address of the VLANIF interface of an mVLAN.
Networking Requirements
As shown in Figure 3-19, multiple user terminals are connected to devices in an enterprise.
Users who use the same service access the enterprise network using different devices.
To ensure the communication security and avoid broadcast storms, the enterprise wants to
allow users who use the same service to communicate with each other and isolate users who
use different services.
Configure interface-based VLAN assignments on the device and add interfaces connected to
terminals of users who use the same service to the same VLAN. Users in different VLANs
communicate at Layer 2, and users in the same VLAN can communicate directly.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces connecting to user terminals to VLANs to isolate
Layer 2 traffic between users who use different services.
2. Configure the type of link between RouterA and RouterB and VLANs to allow users
who use the same service to communicate.
Procedure
Step 1 Create VLAN 2 and VLAN 3 on RouterA, and add interfaces connected to user terminals to
different VLANs. The configuration of RouterB is similar to that of RouterA, and is not
mentioned here.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan batch 2 3
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type access
[RouterA-Ethernet2/0/1] port default vlan 2
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] port link-type access
[RouterA-Ethernet2/0/2] port default vlan 3
[RouterA-Ethernet2/0/2] quit
Step 2 Configure the type of the interface connected to RouterB on RouterA and VLANs. The
configuration of RouterB is similar to that of RouterA, and is not mentioned here.
# Add User1 and User2 to the same IP address segment, for example, 192.168.100.0/24; add
User3 and User4 to the same IP address segment, for example, 192.168.200.0/24.
# Only User1's and User2's terminals can ping each other, and only User3's and User4's
terminals can ping each other.
----End
Configuration Files
l Configuration file of RouterA
#
sysname RouterA
#
vlan batch 2 to 3
#
interface Ethernet2/0/1
port link-type access
port default vlan 2
#
interface Ethernet2/0/2
port link-type access
port default vlan 3
#
interface Ethernet2/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
[Figure: on the router, Eth2/0/0 (VLAN 10, VLANIF10 10.10.10.2/24) connects User1
(10.10.10.3/24) and Eth2/0/1 (VLAN 20, VLANIF20 10.10.20.2/24) connects User2
(10.10.20.3/24).]
Configuration Roadmap
The configuration roadmap is as follows:
NOTE
To implement inter-VLAN communication, hosts in each VLAN must use the IP address of the
corresponding VLANIF interface as the gateway address.
Procedure
Step 1 Configure the router.
# Create VLANs.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 10 20
----End
Configuration Files
Router configuration file
#
sysname Router
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface Vlanif20
ip address 10.10.20.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 10
#
interface Ethernet2/0/1
port link-type access
port default vlan 20
#
return
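[Figure: Router_1 and Router_2 are connected through their Eth2/0/2 interfaces (OSPF);
Eth2/0/1 of each router connects to Eth2/0/1 of a downstream device. The surviving VLAN
labels read VLAN10 on both sides.]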
Configuration Roadmap
The configuration roadmap is as follows:
1. Add interfaces to VLANs and configure the interfaces to allow the VLANs.
2. Configure IP addresses for VLANIF interfaces to implement Layer 3 connectivity.
3. Configure basic OSPF functions to implement interworking.
Procedure
Step 1 Configure Router_1.
# Create VLAN 10, add Eth2/0/1 to VLAN 10 in untagged mode and Eth2/0/2 to VLAN 10 in
tagged mode. The configuration of Router_4 is similar to that of Router_3, and is not
mentioned here.
<Huawei> system-view
[Huawei] sysname Router_3
[Router_3] vlan batch 10
[Router_3] interface ethernet 2/0/1
[Router_3-Ethernet2/0/1] port link-type access
[Router_3-Ethernet2/0/1] port default vlan 10
[Router_3-Ethernet2/0/1] quit
[Router_3] interface ethernet 2/0/2
[Router_3-Ethernet2/0/2] port link-type trunk
[Router_3-Ethernet2/0/2] port trunk allow-pass vlan 10
[Router_3-Ethernet2/0/2] quit
----End
Configuration Files
l Router_1 configuration file
#
sysname Router_1
#
router id 1.1.1.1
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface Vlanif30
ip address 10.10.30.1 255.255.255.0
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
ospf 1
area 0.0.0.0
network 10.10.10.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return
area 0.0.0.0
network 10.10.20.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return
Networking Requirements
On the enterprise network shown in Figure 3-22, hosts in the same VLAN belong to network
segments of 10.1.1.1/24 and 10.1.2.1/24. Hosts on the two network segments are required to
access the Internet through the Router and communicate.
[Figure 3-22: Router connects to the Internet through Router_1 (10.10.10.2/24) over
Eth2/0/3 (VLANIF20, 10.10.10.1/24). Eth2/0/1 and Eth2/0/2 are in VLAN10 (VLANIF10,
primary IP 10.1.1.1/24, secondary IP 10.1.2.1/24) and connect Host1 (10.1.1.2/24) and
Host2 (10.1.2.2/24).]
Configuration Roadmap
If only one IP address is configured for the VLANIF interface on the Router, only hosts on
one network segment can access the Internet through the Router. To enable all hosts on the
LAN to access the Internet through the Router, configure a secondary IP address for the
VLANIF interface. To enable hosts on the two network segments to communicate, the hosts
on the two network segments need to use the primary and secondary IP addresses of the
VLANIF interface as default gateway addresses.
The configuration roadmap is as follows:
1. Create VLANs and add interfaces to the VLANs.
2. Configure VLANIF interfaces and assign IP addresses to them so that hosts on the two
network segments can communicate.
3. Configure a routing protocol so that hosts can access the Internet through the Router.
Procedure
Step 1 Create VLANs and add interfaces to the VLANs on Router.
# Create VLAN 10 and VLAN 20.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 10 20
NOTE
----End
Configuration Files
Router configuration file
#
sysname Router
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
ip address 10.1.2.1 255.255.255.0 sub
#
interface Vlanif20
ip address 10.10.10.1 255.255.255.0
#
interface Ethernet2/0/1
port link-type access
port default vlan 10
#
interface Ethernet2/0/2
port link-type access
port default vlan 10
#
interface Ethernet2/0/3
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.10.10.0 0.0.0.255
#
return
Networking Requirements
As shown in Figure 3-23, to ensure communication security, a company assigns visitors,
employees, and servers to VLAN 10, VLAN 20, and VLAN 30 respectively. The
requirements are as follows:
l Employees, visitors, and servers can access the Internet.
l Visitors can access only the Internet, and cannot communicate with employees in any
other VLANs.
l Employee A can access all resources in the server area, and other employees can access
port 21 (FTP service) of server A.
[Figure 3-23: Router_4 connects to the Internet through Router over Eth2/0/4 (VLANIF100,
10.1.100.1/24); Eth2/0/1, Eth2/0/2 and Eth2/0/3 are its other interfaces.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces to the VLANs to implement Layer 2 isolation of
visitors, employees, and servers.
2. Configure VLANIF interfaces and assign IP addresses to them to implement Layer 3
connectivity between employees, servers, and visitors.
3. Configure a routing protocol so that visitors, employees, and servers can access the
Internet through the Router.
4. Configure and apply a traffic policy so that employee A can access all resources in the
server area, other employees can access only port 21 (FTP service) of server A,
employees can access only servers, and visitors can access only the Internet.
Procedure
Step 1 Create VLANs and add interfaces to the VLANs to implement Layer 2 isolation of visitors,
employees, and servers.
# Create VLAN 10 on Router_1, add Eth2/0/1 to VLAN 10 in untagged mode and Eth2/0/2 to
VLAN 10 in tagged mode. The configurations of Router_2 and Router_3 are similar to the
configuration of Router_1, and are not mentioned here.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 10
# Create VLAN 10, VLAN 20, VLAN 30, and VLAN 100 on Router_4, and add Eth2/0/1 through
Eth2/0/4 to VLAN 10, VLAN 20, VLAN 30, and VLAN 100 in tagged mode.
<Huawei> system-view
[Huawei] sysname Router_4
[Router_4] vlan batch 10 20 30 100
[Router_4] interface ethernet 2/0/1
[Router_4-Ethernet2/0/1] port link-type trunk
[Router_4-Ethernet2/0/1] port trunk allow-pass vlan 10
[Router_4-Ethernet2/0/1] quit
[Router_4] interface ethernet 2/0/2
[Router_4-Ethernet2/0/2] port link-type trunk
[Router_4-Ethernet2/0/2] port trunk allow-pass vlan 20
[Router_4-Ethernet2/0/2] quit
[Router_4] interface ethernet 2/0/3
[Router_4-Ethernet2/0/3] port link-type trunk
[Router_4-Ethernet2/0/3] port trunk allow-pass vlan 30
[Router_4-Ethernet2/0/3] quit
[Router_4] interface ethernet 2/0/4
[Router_4-Ethernet2/0/4] port link-type trunk
[Router_4-Ethernet2/0/4] port trunk allow-pass vlan 100
[Router_4-Ethernet2/0/4] quit
Step 2 Configure VLANIF interfaces and assign IP addresses to them to implement Layer 3
connectivity between employees, servers, and visitors.
# On Router_4, create VLANIF 10, VLANIF 20, VLANIF 30, and VLANIF 100 and assign the IP
addresses 10.1.1.1/24, 10.1.2.1/24, 10.1.3.1/24, and 10.1.100.1/24 to them respectively.
[Router_4] interface vlanif 10
[Router_4-Vlanif10] ip address 10.1.1.1 24
[Router_4-Vlanif10] quit
[Router_4] interface vlanif 20
[Router_4-Vlanif20] ip address 10.1.2.1 24
[Router_4-Vlanif20] quit
[Router_4] interface vlanif 30
[Router_4-Vlanif30] ip address 10.1.3.1 24
[Router_4-Vlanif30] quit
[Router_4] interface vlanif 100
[Router_4-Vlanif100] ip address 10.1.100.1 24
[Router_4-Vlanif100] quit
Step 3 Configure a routing protocol so that visitors, employees, and servers can access the Internet
through the Router.
# Configure basic OSPF functions on Router_4 and configure OSPF to advertise network
segments of hosts and the network segment between Router_4 and the router.
[Router_4] ospf
[Router_4-ospf-1] area 0
[Router_4-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[Router_4-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[Router_4-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[Router_4-ospf-1-area-0.0.0.0] network 10.1.100.0 0.0.0.255
[Router_4-ospf-1-area-0.0.0.0] quit
[Router_4-ospf-1] quit
Step 4 Configure and apply a traffic policy to control access of employees, visitors, and servers.
1. Configure ACLs to define flows.
# Configure ACL 3000 on Router_4 to prevent visitors from accessing employees' PCs
and servers.
[Router_4] acl 3000
[Router_4-acl-adv-3000] rule deny ip destination 10.1.2.1 0.0.0.255
[Router_4-acl-adv-3000] rule deny ip destination 10.1.3.1 0.0.0.255
[Router_4-acl-adv-3000] quit
# Configure ACL 3001 on Router_4 so that employee A can access all resources in the
server area and other employees can access only port 21 of server A.
[Router_4] acl 3001
[Router_4-acl-adv-3001] rule permit tcp destination 10.1.3.2 0 destination-port eq 21
[Router_4-acl-adv-3001] rule permit ip source 10.1.2.2 0 destination 10.1.3.1 0.0.0.255
[Router_4-acl-adv-3001] rule deny ip destination 10.1.3.1 0.0.0.255
[Router_4-acl-adv-3001] quit
4. Configure traffic policies and associate traffic classifiers with the traffic behavior in the
traffic policies.
# Create traffic policies p_custom and p_staff on Router_4, and associate traffic
classifiers c_custom and c_staff with traffic behavior b1.
[Router_4] traffic policy p_custom
[Router_4-trafficpolicy-p_custom] classifier c_custom behavior b1
[Router_4-trafficpolicy-p_custom] quit
[Router_4] traffic policy p_staff
[Router_4-trafficpolicy-p_staff] classifier c_staff behavior b1
[Router_4-trafficpolicy-p_staff] quit
5. Apply the traffic policies to control access of employees, visitors, and servers.
# On Router_4, apply traffic policies p_custom and p_staff in the inbound direction of
VLANIF 10 and VLANIF 20 respectively.
[Router_4] interface vlanif 10
[Router_4-Vlanif10] traffic-policy p_custom inbound
[Router_4-Vlanif10] quit
[Router_4] interface vlanif 20
[Router_4-Vlanif20] traffic-policy p_staff inbound
[Router_4-Vlanif20] quit
----End
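The following added example (not part of the original guide) replays the rules of ACL 3000 and ACL 3001 from Step 4 against sample flows, so the access requirements can be checked before the policy is applied. It assumes rules are matched first-hit in the order they were entered and that a wildcard bit of 1 means "ignore"; 10.1.2.2 and 10.1.3.2 come from the rules above, and every other address is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Rules copied from ACL 3000 and ACL 3001 in Step 4.
ACL_3000 = [
    "rule deny ip destination 10.1.2.1 0.0.0.255",
    "rule deny ip destination 10.1.3.1 0.0.0.255",
]
ACL_3001 = [
    "rule permit tcp destination 10.1.3.2 0 destination-port eq 21",
    "rule permit ip source 10.1.2.2 0 destination 10.1.3.1 0.0.0.255",
    "rule deny ip destination 10.1.3.1 0.0.0.255",
]


@dataclass
class Rule:
    action: str
    proto: str
    src: Optional[Tuple[int, int]] = None  # (masked address, care-bit mask)
    dst: Optional[Tuple[int, int]] = None
    dport: Optional[int] = None


def to_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def operand(addr: str, wildcard: str) -> Tuple[int, int]:
    # A wildcard of "0" is the host form (0.0.0.0). Wildcard bits set to 1 are
    # ignored, so the care mask is the bitwise inverse of the wildcard.
    wc = to_int("0.0.0.0" if wildcard == "0" else wildcard)
    care = ~wc & 0xFFFFFFFF
    return to_int(addr) & care, care


def parse_rule(line: str) -> Rule:
    tok = line.split()
    if len(tok) < 3 or tok[0] != "rule" or tok[1] not in ("permit", "deny"):
        raise ValueError(f"not an ACL rule: {line!r}")
    rule, i = Rule(action=tok[1], proto=tok[2]), 3
    while i + 2 < len(tok):
        if tok[i] == "source":
            rule.src = operand(tok[i + 1], tok[i + 2])
        elif tok[i] == "destination":
            rule.dst = operand(tok[i + 1], tok[i + 2])
        elif tok[i] == "destination-port" and tok[i + 1] == "eq":
            rule.dport = int(tok[i + 2])
        else:
            raise ValueError(f"unsupported keyword: {tok[i]!r}")
        i += 3
    if i != len(tok):
        raise ValueError(f"trailing tokens in rule: {line!r}")
    return rule


def evaluate(acl_lines, src, dst, proto="ip", dport=None):
    """Return (action, 1-based rule position) of the first match, else ("no-match", None)."""
    for pos, rule in enumerate(map(parse_rule, acl_lines), start=1):
        if rule.proto != "ip" and rule.proto != proto:
            continue
        if rule.src is not None and (to_int(src) & rule.src[1]) != rule.src[0]:
            continue
        if rule.dst is not None and (to_int(dst) & rule.dst[1]) != rule.dst[0]:
            continue
        if rule.dport is not None and dport != rule.dport:
            continue
        return rule.action, pos
    return "no-match", None


# Constructed flows: (ACL, source, destination, protocol, destination port).
# Employee B (10.1.2.3), server B (10.1.3.3), the visitor (10.1.1.2) and the
# Internet host (203.0.113.10) are made-up addresses for this example.
FLOWS = {
    "visitor -> employee B":         (ACL_3000, "10.1.1.2", "10.1.2.3", "icmp", None),
    "visitor -> server A FTP":       (ACL_3000, "10.1.1.2", "10.1.3.2", "tcp", 21),
    "visitor -> Internet":           (ACL_3000, "10.1.1.2", "203.0.113.10", "tcp", 443),
    "employee B -> server A FTP":    (ACL_3001, "10.1.2.3", "10.1.3.2", "tcp", 21),
    "employee B -> server A SSH":    (ACL_3001, "10.1.2.3", "10.1.3.2", "tcp", 22),
    "employee A -> server B SSH":    (ACL_3001, "10.1.2.2", "10.1.3.3", "tcp", 22),
    "employee A -> server A ICMP":   (ACL_3001, "10.1.2.2", "10.1.3.2", "icmp", None),
    "employee B -> visitor":         (ACL_3001, "10.1.2.3", "10.1.1.2", "icmp", None),
}


def audit():
    """Evaluate every constructed flow against the ACL bound to its ingress VLANIF."""
    return {name: evaluate(*flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for name, (action, pos) in audit().items():
        print(f"{name:30s} {action:9s} rule #{pos}")
    # Rule order matters: with the deny rule first, employee A loses access.
    print(evaluate(list(reversed(ACL_3001)), "10.1.2.2", "10.1.3.3", "tcp", 22))
```

Flows that return no-match are not decided by these two ACLs; whether they are forwarded depends on configuration outside the rules shown here.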
Configuration Files
l Router_1 configuration file
#
sysname Router_1
#
vlan batch 10
#
interface Ethernet2/0/1
port link-type access
port default vlan 10
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
l Router_4 configuration file (excerpt)
interface Ethernet2/0/4
port link-type trunk
port trunk allow-pass vlan 100
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.100.0 0.0.0.255
#
return
Networking Requirements
As shown in Figure 3-24, users need to securely log in to the Router for remote management.
There is no idle management interface on the Router.
[Figure 3-24: a user PC connected to the Router]
Configuration Roadmap
A management interface or VLANIF interface of an mVLAN can be used to log in to the
device for remote management. The device has no idle management interface, so the mVLAN
is used. STelnet is used to ensure login security. The configuration roadmap is as follows:
1. Configure an mVLAN on the Router and add an interface to the mVLAN.
2. Configure a VLANIF interface and assign an IP address to it on the Router.
3. Enable STelnet on the Router and configure an SSH user.
4. Log in to the Router using STelnet from a user PC.
NOTE
l The user PC needs to be configured with the software for logging in to the SSH server, key pair
generation software, and public key conversion software.
l To ensure device security, change the password periodically.
Procedure
Step 1 Configure an mVLAN and add an interface to the mVLAN.
# Create VLAN 10 on the Router and specify VLAN 10 as the mVLAN, and add Eth2/0/0 to
VLAN 10 in tagged mode.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 10
[Router-vlan10] management-vlan
[Router-vlan10] quit
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type trunk
[Router-Ethernet2/0/0] port trunk allow-pass vlan 10
[Router-Ethernet2/0/0] quit
Step 2 Configure a VLANIF interface and assign an IP address to the VLANIF interface.
# Create VLANIF 10 on the Router and configure the IP address of 10.10.10.2/24 for it.
[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.10.10.2 24
[Router-Vlanif10] quit
Step 3 Enable STelnet on the Router and configure an SSH user.
# Create an SSH user named client001 on the Router and configure password
authentication.
[Router] aaa
[Router-aaa] local-user client001 password irreversible-cipher Huawei@123
[Router-aaa] local-user client001 privilege level 3
[Router-aaa] local-user client001 service-type ssh
[Router-aaa] quit
[Router] ssh user client001 authentication-type password
Step 4 Log in to the Router using STelnet from a user PC.
NOTE
The PC connects to the Router through the intermediate device. The intermediate device needs to
transparently transmit packets from mVLAN 10 and has a route from 10.1.1.1/24 to 10.10.10.2/24.
# Run the PuTTY software on the user PC. The dialog box shown in Figure 3-25 is displayed.
Enter 10.10.10.2 (IP address of the Router) and select SSH.
# Click Open. On the page that is displayed on the Router, enter the user name and password,
and press Enter.
login as: client001
SSH server: User Authentication
Using keyboard-interactive authentication.
Password:
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
The current login time is 2014-02-25 05:45:41+00:00.
<Router>
# The user can successfully log in to the Router for remote management.
----End
Configuration Files
Router configuration file
#
sysname Router
#
vlan batch 10
#
vlan 10
management-vlan
#
aaa
local-user client001 password irreversible-cipher %^%#EqZEVTq=/@T2XM0q0W{Ec[Fs2@&4YII@-=(lbr[K>4Dq76]3#BgqMOAxu^%$%^%#
local-user client001 privilege level 3
local-user client001 service-type ssh
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
#
user-interface vty 0 14
authentication-mode aaa
#
return
Fault Symptom
When a user attempts to create a VLANIF interface, the system displays an error message. As
a result, the VLANIF interface fails to be created.
Procedure
Step 1 Check the error message during VLANIF interface creation.
Rectify the fault according to the error message. See Table 3-5.
Table 3-5
Error message: Error: The VLAN does not exist.
Cause: The VLAN is not created on the device. Run the display vlan summary command to
check whether the value of the static vlan field is the VLAN corresponding to the VLANIF
interface.
Solution: Run the vlan vlan-id command to create a VLAN corresponding to the VLANIF
interface and then create a VLANIF interface.
Step 2 If the fault persists, collect alarms and logs and contact Huawei technical support personnel.
----End
Cause: The interface is not added to the VLAN.
NOTE
l The port trunk pvid vlan vlan-id command only configures the PVID on a trunk interface,
but does not add a trunk interface to a VLAN.
l The port hybrid pvid vlan vlan-id command only configures the PVID on a hybrid interface,
but does not add a hybrid interface to a VLAN.
Solution: Run the following commands as required.
l Run the port default vlan vlan-id command in the interface view to add an access
interface to a VLAN.
l Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all } command
in the interface view to add a trunk interface to a VLAN.
l You can add a hybrid interface to a VLAN in tagged or untagged mode.
– Run the port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all } command to
add a hybrid interface to a VLAN in tagged mode.
– Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all } command
to add a hybrid interface to a VLAN in untagged mode.
Cause: The physical status of all interfaces added to the VLAN is Down.
Solution: Rectify this fault. A VLANIF interface goes Up as long as one interface in the
VLAN is Up.
Cause: The VLANIF interface is shut down.
Solution: Run the undo shutdown command in the VLANIF interface view to start the VLANIF
interface.
Fault Symptom
Users in a VLAN cannot communicate.
Procedure
Step 1 Check that the interfaces connected to user terminals are in Up state.
Run the display interface interface-type interface-number command in any view to check the
status of the interfaces.
Check item: Whether the VLAN has been created
Method: Run the display vlan vlan-id command in any view to check whether the VLAN has been
created. If not, run the vlan command in the system view to create the VLAN.
Check item: Whether the interfaces are added to the VLAN
Method: Run the display vlan vlan-id command in any view to check whether the VLAN contains
the interfaces. If not, add the interfaces to the VLAN.
NOTE
If the interfaces are located on different devices, add the interfaces connecting the devices to
the VLAN.
The default type of an interface is Hybrid. You can run the port link-type command to change
the link type of an interface.
l Add an access interface to the VLAN by using either of the following methods:
– Run the port default vlan command in the interface view.
– Run the port command in the VLAN view.
l Add a trunk interface to the VLAN.
Run the port trunk allow-pass vlan command in the interface view.
l Add a hybrid interface to the VLAN by using either of the following methods:
– Run the port hybrid tagged vlan command in the interface view.
– Run the port hybrid untagged vlan command in the interface view.
After the preceding operations, if the MAC address entries are correct, go to Step 5.
Run the interface interface-type interface-number command in the system view to enter the
interface view, and then run the display this command to check whether port isolation is
configured on the interface.
l If port isolation is not configured, go to Step 6.
l If port isolation is configured, run the undo port-isolate enable command on the
interface to disable port isolation. If the fault persists, go to Step 6.
Step 6 Check whether correct static Address Resolution Protocol (ARP) entries are configured on the
user terminals. If the static ARP entries are incorrect, modify them. Otherwise, go to Step 7.
Step 7 Collect logs and alarms and contact Huawei technical support personnel.
----End
Fault Symptom
As shown in Figure 3-26, the IP address of VLANIF 10 on Router_2 cannot be pinged from
Router_1. Similarly, the IP address of VLANIF 10 on Router_1 cannot be pinged from
Router_2.
Procedure
Step 1 Check whether the VLANIF interface is Up.
Run the display interface vlanif vlan-id command on Router_1 and Router_2 and check the
current state and Line protocol current state fields.
l If the value of any one of the two fields is DOWN, the VLANIF interface is Down.
Rectify this fault according to 3.9.2 A VLANIF Interface Goes Down.
l If the value of the two fields is UP, the VLANIF interface is Up. Go to Step 2.
Step 2 Check whether the connected Ethernet interfaces between devices join a VLAN.
Run the display vlan vlan-id command on Router_1 and Router_2 and check the Interface
field. Check whether the connected Ethernet interfaces exist in the VLAN.
l If the connected Ethernet interfaces do not exist in the VLAN, add the connected
Ethernet interfaces to the VLAN.
l If the connected Ethernet interfaces exist in the VLAN and at least one of them joins the
VLAN in untagged mode, change the untagged mode to tagged mode.
l If none of the preceding configurations exists, go to Step 3.
Step 3 Check whether the PVID values on the connected Ethernet interface between devices are the
same.
Run the display port vlan interface-type interface-number command on Router_1 and
Router_2 to check the PVID values.
l If the PVID values are different, change them to be the same.
l If the PVID values are the same, go to Step 4.
Step 4 Collect logs and alarms and contact Huawei technical support personnel.
----End
– Create 10 non-contiguous VLANs in a batch: VLAN 10, VLANs 15 to 19, VLAN 25,
VLANs 28 to 30.
<Huawei> system-view
[Huawei] vlan batch 10 15 to 19 25 28 to 30
NOTE
You can create a maximum of 10 non-contiguous VLANs or VLAN ranges at one time. If there are
more than 10 VLANs, run this command multiple times. For example, the vlan batch 10 15 to 19
25 28 to 30 command creates four non-contiguous VLAN ranges.
l Run the undo vlan batch command in the system view to delete VLANs in a batch.
– Delete VLANs 10 to 20.
<Huawei> system-view
[Huawei] undo vlan batch 10 to 20
<Huawei> system-view
[Huawei] port-group pg1
[Huawei-port-group-pg1] group-member Ethernet 2/0/1 to Ethernet 2/0/5
[Huawei-port-group-pg1] port link-type access
[Huawei-port-group-pg1] port default vlan 10
l Hybrid interface
# Add Eth2/0/1-Eth2/0/5 to VLAN 10 and VLAN 20 in a batch.
<Huawei> system-view
[Huawei] port-group pg1
[Huawei-port-group-pg1] group-member Ethernet 2/0/1 to Ethernet 2/0/5
[Huawei-port-group-pg1] port link-type hybrid
[Huawei-port-group-pg1] port hybrid tagged vlan 10
[Huawei-port-group-pg1] port hybrid untagged vlan 20
The default VLAN configuration of an interface involves the default VLAN of the interface
and the VLAN that the interface joins. By default, the default VLAN of an interface is VLAN
1 and an interface joins VLAN 1 in untagged mode.
Run the display this command in the interface view to check the link type of the interface,
and perform the following operations to restore the default VLAN configuration of the
interface.
l Restore the default VLAN configuration of an access interface.
<Huawei> system-view
[Huawei] interface Ethernet 2/0/0
[Huawei-Ethernet2/0/0] undo port default vlan
Interface Physical
Ethernet2/0/0 UP
The Link Type field indicates the link type of an interface, the PVID field indicates the
default VLAN, and the Trunk VLAN List field indicates the list of VLANs allowed by a
trunk interface or VLANs that hybrid interfaces join in tagged mode. The value is displayed
as - if the link type of the interface is access or the hybrid interface does not join the VLAN in
tagged mode.
Figure 3-27 Communication for hosts on multiple network segments in the same VLAN
[Diagram: Router with VLANIF10 (primary IP 10.1.1.1/24, secondary IP 10.1.2.1/24); Eth2/0/1 and
Eth2/0/2 in VLAN 10 connect Host_1 (10.1.1.2/24) and Host_2 (10.1.2.2/24).]
After the preceding configurations are performed, Host_1 and Host_2 can communicate.
This chapter describes how to configure VLAN aggregation. VLAN aggregation implements
communication of hosts on the same network segment in different VLANs. A network can
significantly save IP addresses with VLAN aggregation technology.
4.1 Overview of VLAN Aggregation
4.2 Understanding VLAN Aggregation
4.3 Application Scenarios for VLAN Aggregation
4.4 Default Settings for VLAN Aggregation
4.5 Licensing Requirements and Limitations for VLAN Aggregation
4.6 Configuring VLAN Aggregation
4.7 Configuration Examples for VLAN Aggregation
4.8 FAQ About VLAN Aggregation
Purpose
VLAN technology is widely applied to packet switching networks because it is capable of
flexibly controlling broadcast domains and is easy to deploy. Usually, a router uses a Layer 3
logical interface in each VLAN to allow hosts in different broadcast domains to communicate.
This wastes IP addresses. On a subnet corresponding to a VLAN, the subnet ID, directed
broadcast address, and subnet default gateway address cannot be used as IP addresses of hosts
in the VLAN. In addition, the number of hosts on a subnet may be less than the number of IP
addresses available in the subnet. These remaining IP addresses are essentially wasted
because they cannot be used by other VLANs.
As shown in Figure 4-1, VLAN 2 requires 10 host addresses. The subnet 10.1.1.0/28 with a
28-bit mask is assigned to VLAN 2, where 10.1.1.0 is the subnet ID, 10.1.1.15 is the directed
broadcast address, and 10.1.1.1 is the default gateway address. Hosts cannot use these three
addresses, but the other 13 addresses ranging from 10.1.1.2 to 10.1.1.14 are available to them.
VLAN 2 requires only 10 IP addresses, so the remaining 3 IP addresses, which cannot be used by
other VLANs, are wasted. If more VLANs are added, more IP addresses will be wasted.
[Figure 4-1: VLANIF3 is 10.1.1.17]
VLAN aggregation is used to solve the preceding problem. VLAN aggregation maps each
sub-VLAN to a broadcast domain, associates a super-VLAN with multiple sub-VLANs, and
assigns only one IP subnet to the super-VLAN. This ensures that all sub-VLANs share the IP
address of the associated super-VLAN as the gateway IP address, effectively implementing
Layer 3 connectivity.
Sub-VLANs share one gateway address so that the number of subnet IDs, subnet default
gateway addresses, and directed broadcast IP addresses used is reduced. The switch assigns IP
addresses to hosts in sub-VLANs according to the actual number of hosts, ensuring that each
sub-VLAN is used as an independent broadcast domain to implement isolation. Therefore,
VLAN aggregation conserves IP addresses and implements flexible addressing.
with an external network. In addition, Proxy ARP is used to implement Layer 3 connectivity
between sub-VLANs. This technology isolates broadcast domains and saves IP addresses.
l Sub-VLAN: contains only physical interfaces, and is used to isolate broadcast domains.
A sub-VLAN cannot be used for creating a Layer 3 VLANIF interface. Hosts in each
sub-VLAN use the VLANIF interface of the associated super-VLAN to communicate
with external devices at Layer 3.
l Super-VLAN: is only used for creating a Layer 3 VLANIF interface and contains no
physical interface. It corresponds to the subnet gateway. Unlike a VLANIF interface that
is Up as long as a physical interface in a common VLAN is Up, a VLANIF interface in a
super-VLAN is Up as long as a physical interface in any associated sub-VLAN is Up.
A super-VLAN can contain one or more sub-VLANs. A sub-VLAN does not occupy an
independent subnet. IP addresses of hosts in any sub-VLAN of a super-VLAN belong to the
subnet corresponding to the sub-VLAN.
That is, sub-VLANs share the same gateway. VLAN aggregation reduces subnet IDs, subnet
default gateway addresses, and directed broadcast IP addresses, allows different broadcast
domains to use the same subnet address, implements flexible addressing, and conserves IP
addresses.
The network topology used in 4.1 Overview of VLAN Aggregation is used as an example.
Configure VLAN 10 as the super-VLAN, assign the subnet address 10.1.1.0/24 to VLAN 10,
and configure VLAN 2, VLAN 3, and VLAN 4 as sub-VLANs of super-VLAN 10, as shown
in Figure 4-2.
NOTE
For details about proxy ARP, see Proxy ARP in Huawei AR Series Access Routers Configuration Guide
- IP Services.
The networking in Figure 4-2 is used as an example. Assuming that Host_1 in sub-VLAN 2
needs to communicate with Host_2 in sub-VLAN 3, enable proxy ARP on the VLANIF
interface of super-VLAN 10, as shown in Figure 4-3.
Figure 4-3 Using proxy ARP to implement Layer 3 communication between sub-VLANs
[Diagram: Router with VLANIF10 (10.1.1.1/24) for super-VLAN 10 and proxy ARP.]
(10.1.1.0/24 of VLANIF 10), and broadcasts an ARP Request packet to all sub-VLANs
in super-VLAN 10, requesting the MAC address of Host_2 in sub-VLAN 3.
4. After receiving the ARP Request packet, Host_2 in sub-VLAN 3 sends an ARP Reply
packet.
5. After receiving the ARP Reply packet, the Router encapsulates its MAC address into the
ARP Reply packet and sends it to Host_1 in sub-VLAN 2.
6. Subsequent packets sent by Host_1 in sub-VLAN 2 to Host_2 in sub-VLAN 3 are first
sent to the gateway. The gateway then performs Layer 3 forwarding.
The packets sent by Host_2 in sub-VLAN 3 to Host_1 in sub-VLAN 2 are processed in the
same way as the packets sent by Host_1 in sub-VLAN 2 to Host_2 in sub-VLAN 3.
As shown in Figure 4-4, user hosts and servers are on different network segments, sub-
VLANs 2 to 4 and VLAN 10 are configured on Router_1, and VLAN 10 and VLAN 20 are
configured on Router_2.
Figure 4-4 Layer 3 communication between hosts in sub-VLANs and on an external network
[Diagram: Router_2 has VLANIF20 (10.1.2.1/24) toward the server (10.1.2.2/24) and VLANIF10
(10.1.10.2/24) toward Router_1. Router_1 has VLANIF10 (10.1.10.1/24) and VLANIF4 (10.1.1.1/24)
for super-VLAN 4. Host_1 (10.1.1.2/24) is in sub-VLAN 2 and Host_2 (10.1.1.12/24) is in
sub-VLAN 3.]
When Host_1 in sub-VLAN 2 wants to communicate with the server connected to Router_2,
the packet forwarding process is as follows (assume that a route to 10.1.2.0/24 has been
configured on Router_1, a route to 10.1.1.0/24 has been configured on Router_2, and no
Layer 3 forwarding entry exists on the two devices):
1. Host_1 compares the server's IP address (10.1.2.2) with its network segment 10.1.1.0/24
and finds that they are on different network segments. Host_1 then sends an ARP
Request packet to its gateway to request the gateway's MAC address. The ARP Request
packet carries an all-F destination MAC address and destination IP address 10.1.1.1.
2. After receiving the ARP Request packet, Router_1 searches the mapping between the
super-VLAN and sub-VLANs. Router_1 then sends an ARP Reply packet with the MAC
address of VLANIF 4 (corresponding to super-VLAN 4) from an interface of sub-VLAN
2 to Host_1.
3. After learning the gateway's MAC address, Host_1 sends a packet with the destination
MAC address as the MAC address of VLANIF 4 (corresponding to super-VLAN 4) and
destination IP address of 10.1.2.2.
4. After receiving the packet from Host_1, Router_1 determines that the packet should be
forwarded at Layer 3 according to the mapping between the super-VLAN and sub-VLANs and
destination MAC address. Router_1 searches its Layer 3 forwarding table
for a matching entry, but no entry is found. Router_1 sends the packet to the CPU, and
the CPU searches its routing table and obtains the next hop address of 10.1.10.2 and the
outbound interface of VLANIF 10. Router_1 determines the outbound interface
according to the ARP entry and MAC address entry, and sends the packet to Router_2.
5. Router_2 sends the packet to the server according to the Layer 3 forwarding process.
After receiving the packet from Host_1, the server sends a response packet with the
destination IP address of 10.1.1.2 and destination MAC address as the MAC address of
VLANIF 20 on the Router_2. The process is as follows:
1. The response packet reaches Router_1 according to the Layer 3 forwarding process.
When the response packet reaches Router_1, the destination MAC address is changed to
the MAC address of VLANIF 10 on Router_1.
2. After receiving the packet, Router_1 determines that the packet should be forwarded at
Layer 3 according to the destination MAC address. Router_1 searches its Layer 3
forwarding table for a matching entry, but no entry is found. Router_1 sends the packet
to the CPU, and the CPU searches its routing table and obtains the next hop address of
10.1.1.2 and the outbound interface of VLANIF 4. Router_1 searches the mapping
between the super-VLAN and sub-VLANs and determines that the packet should be sent
to Host_1 from an interface in sub-VLAN 2 according to the ARP entry and MAC
address entry.
3. The response packet reaches Host_1.
Figure 4-5 Layer 2 communication between hosts in sub-VLANs and on an external network
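[Diagram: Router_1 (super-VLAN 4, VLANIF4 10.1.1.1/24) connects Host_1 (sub-VLAN 2, 10.1.1.2/24)
on IF_1 and Host_2 (sub-VLAN 3, 10.1.1.12/24) on IF_2. A trunk link that allows VLANs 2 and 3
runs between IF_3 of Router_1 and IF_1 of Router_2, which connects to the Internet.]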
The tag with VLAN 2 is added to packets sent from Host_1 to Router_1. Although sub-
VLAN 2 belongs to super-VLAN 4, Router_1 does not change the tag with VLAN 2 to the
tag with VLAN 4 in packets. That is, packets sent from IF_3 of Router_1 still carry VLAN 2.
Router_1 itself does not send packets from VLAN 4. When another device sends packets from
VLAN 4 to Router_1, Router_1 discards the packets because there is no physical interface
corresponding to super-VLAN 4 on Router_1. Actually, IF_3 on Router_1 does not allow
packets from super-VLAN 4. For other devices, only sub-VLAN 2 and sub-VLAN 3 are
valid, and all packets are exchanged in the VLANs.
The communication between Router_1 configured with VLAN aggregation and other devices
is similar to normal Layer 2 communication without using the super-VLAN, and is not
described here.
[Figure: Router with proxy ARP, super-VLAN 2 and super-VLAN 3, connected to the Internet.]
VLAN aggregation can be deployed to meet the preceding requirements. Deploy super-
VLAN 2 and super-VLAN 3 on the router, and add sub-VLAN 21 and sub-VLAN 22 to
super-VLAN 2 and sub-VLAN 31 and sub-VLAN 32 to super-VLAN 3. After IP addresses
are assigned to super-VLAN 2 and super-VLAN 3 on the router, users in department 1 and
department 2 can access the Internet using the IP address of super-VLAN 2, and users in
department 3 and department 4 can access the Internet using the IP address of super-VLAN 3.
VLAN aggregation implements Internet access for each department and conserves IP
addresses.
Configure proxy ARP in super-VLAN 2 and super-VLAN 3 on the router to implement
communication between department 1 and department 2, and between department 3 and
department 4.
Licensing Requirements
VLAN aggregation is a basic feature of a router and is not under license control.
Feature Limitations
When deploying VLAN aggregation on the router, pay attention to the following:
l VLAN 1 cannot be configured as a super-VLAN.
l A physical interface cannot be added to a VLAN configured as a super-VLAN.
l A traffic policy takes effect in a super-VLAN only after the traffic policy is configured in
all sub-VLANs of the super-VLAN.
l The VLAN terminated by a sub-interface cannot be configured as a super-VLAN or sub-
VLANs.
l An IP address must have been assigned to the VLANIF interface corresponding to the
super-VLAN. Otherwise, proxy ARP cannot take effect.
Context
In VLAN aggregation, physical interfaces can be added to a sub-VLAN but no VLANIF
interface can be created for the sub-VLAN. All the interfaces in a sub-VLAN use the same IP
address of the VLANIF interface corresponding to a super-VLAN. VLAN aggregation
reduces subnet IDs, subnet default gateway addresses, and directed broadcast IP addresses,
allows the device to assign IP addresses to hosts in sub-VLANs according to the actual
number of hosts, ensures that each sub-VLAN is used as an independent broadcast domain to
implement isolation, saves IP addresses, and implements flexible addressing.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
----End
Context
A super-VLAN consists of several sub-VLANs. No physical interface can be added to a
super-VLAN, but a VLANIF interface can be configured for the super-VLAN and an IP
address can be assigned to the VLANIF interface.
Procedure
Step 1 Run system-view
A super-VLAN is created.
Before adding sub-VLANs to a super-VLAN, ensure that these sub-VLANs are not
configured with VLANIF interfaces.
----End
Context
The IP address of the VLANIF interface corresponding to a super-VLAN must contain the
subnets that users in sub-VLANs belong to. All the sub-VLANs use the IP address of the
VLANIF interface corresponding to the super-VLAN, thereby saving IP addresses.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface vlanif vlan-id
A VLANIF interface is created for a super-VLAN, and the view of the VLANIF interface is
displayed.
Step 3 Run ip address ip-address { mask | mask-length }
An IP address is assigned to the VLANIF interface.
----End
Context
VLAN aggregation allows sub-VLANs to use the same subnet address, but prevents PCs in
different sub-VLANs from communicating with each other at the network layer.
PCs in common VLANs can communicate with each other at the network layer using
different gateway addresses. VLAN aggregation enables PCs in a super-VLAN to use the
same subnet address and gateway address. Because PCs in different sub-VLANs belong to
one subnet, they communicate with each other only at Layer 2 but not Layer 3. These PCs are
isolated from each other at Layer 2. Consequently, PCs in different sub-VLANs cannot
communicate with each other.
Proxy ARP is required to enable PCs in a sub-VLAN to communicate with PCs in another
sub-VLAN or PCs on other networks. After a super-VLAN and its VLANIF interface are
created, proxy ARP must be enabled to allow the super-VLAN to forward or process ARP
Request and Reply packets. Proxy ARP allows PCs in sub-VLANs to communicate with each
other at the network layer.
NOTE
After proxy ARP is enabled on the VLANIF interface corresponding to a super-VLAN, hosts in all sub-
VLANs of the super-VLAN can communicate.
VLAN aggregation simplifies configurations for the network where many VLANs are
configured and PCs in different VLANs need to communicate with each other.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface vlanif vlan-id
The view of the VLANIF interface corresponding to the super-VLAN is displayed.
Step 3 Run arp-proxy inter-sub-vlan-proxy enable
Proxy ARP is enabled between sub-VLANs.
----End
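The following added example (not part of the original guide) models the ARP behaviour described above for super-VLAN 10 with VLANIF 10 at 10.1.1.1/24, with and without arp-proxy inter-sub-vlan-proxy enable, and reports which host pairs are isolated and which are forwarded through the gateway. The host addresses reuse those of Host_1 and Host_2 from Figure 4-4; Host_3 and all MAC addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

GATEWAY_MAC = "00e0-fc00-0001"  # constructed MAC address for VLANIF 10


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    mac: str
    sub_vlan: int


@dataclass
class SuperVlan:
    vlan_id: int
    vlanif: str                         # VLANIF address, for example "10.1.1.1/24"
    hosts: List[Host]
    inter_sub_vlan_proxy: bool = False  # models "arp-proxy inter-sub-vlan-proxy enable"

    def arp_resolve(self, requester: Host, target_ip: str) -> Tuple[Optional[str], str]:
        """Return (MAC address the requester learns, who answered) for one ARP request."""
        iface = ipaddress.ip_interface(self.vlanif)
        if ipaddress.ip_address(target_ip) == iface.ip:
            return GATEWAY_MAC, "gateway"
        target = next((h for h in self.hosts if h.ip == target_ip), None)
        if target is None or ipaddress.ip_address(target_ip) not in iface.network:
            return None, "unanswered"
        if target.sub_vlan == requester.sub_vlan:
            return target.mac, "host"    # same broadcast domain, plain Layer 2
        if not self.inter_sub_vlan_proxy:
            return None, "unanswered"    # the broadcast never leaves the sub-VLAN
        # The router re-broadcasts the request in the other sub-VLANs, learns the
        # target, and answers the requester with its own MAC address.
        return GATEWAY_MAC, "proxy"

    def path(self, src: Host, dst: Host) -> Optional[List[str]]:
        """Hops a packet from src to dst takes, or None if src cannot resolve dst."""
        mac, answered_by = self.arp_resolve(src, dst.ip)
        if mac is None:
            return None
        if answered_by == "host":
            return [src.name, dst.name]
        # Frames addressed to the gateway MAC are forwarded at Layer 3 by the VLANIF.
        return [src.name, f"VLANIF{self.vlan_id}", dst.name]

    def reachability(self):
        """Path for every ordered host pair; None marks an isolated pair."""
        return {(a.name, b.name): self.path(a, b)
                for a in self.hosts for b in self.hosts if a is not b}


def build(proxy: bool) -> SuperVlan:
    hosts = [
        Host("Host_1", "10.1.1.2", "0000-5e00-5301", 2),
        Host("Host_2", "10.1.1.12", "0000-5e00-5302", 3),
        Host("Host_3", "10.1.1.3", "0000-5e00-5303", 2),  # constructed extra host
    ]
    return SuperVlan(10, "10.1.1.1/24", hosts, inter_sub_vlan_proxy=proxy)


if __name__ == "__main__":
    for proxy in (False, True):
        print(f"inter-sub-VLAN proxy ARP enabled: {proxy}")
        for pair, hops in build(proxy).reachability().items():
            print(f"  {pair[0]} -> {pair[1]}: {' -> '.join(hops) if hops else 'isolated'}")
```

With proxy ARP enabled, every inter-sub-VLAN pair is reachable through the VLANIF, so any restriction between sub-VLANs has to come from a traffic policy, which per the feature limitations must be configured in all sub-VLANs of the super-VLAN.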
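[Figure: networking diagram. RouterA connects department PCs in VLAN 2 and VLAN 3 on Eth2/0/1
through Eth2/0/4 and uplinks over Eth2/0/5 to Eth2/0/5 of RouterB (super-VLAN 4). RouterB
connects through Eth2/0/1 (VLAN 10) to the Router and the Internet.]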
Configuration Roadmap
Configure VLAN aggregation on RouterB to add VLANs of different departments to a super-
VLAN so that PCs in different departments can access the Internet using the super-VLAN.
Deploy proxy ARP in the super-VLAN so that PCs in different departments can
communicate. The configuration roadmap is as follows:
1. Configure VLANs and interfaces on RouterA and RouterB, add PCs of different
departments to different VLANs, and configure interfaces to transparently transmit
packets from VLANs to RouterB.
2. Configure a super-VLAN, a VLANIF interface, and a static route on RouterB so that
PCs in different departments can access the Internet.
3. Configure proxy ARP in the super-VLAN on RouterB so that PCs in different
departments can communicate at Layer 3.
Procedure
Step 1 Configure VLANs and interfaces on RouterA and RouterB, add PCs of different departments
to different VLANs, and configure interfaces to transparently transmit packets from VLANs
to RouterB.
1. Configure RouterA.
# Create VLAN 2 and VLAN 3, configure Eth2/0/1 as an access interface, and add it to VLAN 2.
The configurations of Eth2/0/2, Eth2/0/3, and Eth2/0/4 are similar to the configuration of
Eth2/0/1, and are not mentioned here.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan batch 2 3
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type access
[RouterA-Ethernet2/0/1] port default vlan 2
[RouterA-Ethernet2/0/1] quit
2. Configure RouterB.
# Create VLAN 2, VLAN 3, VLAN 4, and VLAN 10 and configure the interface of
RouterB connected to RouterA to transparently transmit packets from VLAN 2 and
VLAN 3 to RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] vlan batch 2 3 4 10
[RouterB] interface ethernet 2/0/5
[RouterB-Ethernet2/0/5] port link-type trunk
[RouterB-Ethernet2/0/5] port trunk allow-pass vlan 2 3
[RouterB-Ethernet2/0/5] quit
# Create and configure VLANIF 4 so that PCs in different departments can access the Internet
using super-VLAN 4.
[RouterB] interface vlanif 4
[RouterB-Vlanif4] ip address 10.1.1.1 255.255.255.0
[RouterB-Vlanif4] quit
# Create and configure VLANIF 10 and specify the IP address of VLANIF 10 as the IP
address for connecting RouterB and the router (egress gateway).
[RouterB] interface vlanif 10
[RouterB-Vlanif10] ip address 10.10.1.1 255.255.255.0
[RouterB-Vlanif10] quit
# Configure a static route to the router on RouterB so that PCs can access the Internet.
[RouterB] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2
----End
Configuration Files
• RouterA configuration file
#
sysname RouterA
#
vlan batch 2 to 3
#
interface Ethernet2/0/1
port link-type access
port default vlan 2
#
interface Ethernet2/0/2
port link-type access
port default vlan 2
#
interface Ethernet2/0/3
port link-type access
port default vlan 3
#
interface Ethernet2/0/4
port link-type access
port default vlan 3
#
interface Ethernet2/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
This chapter describes how to configure Multiplex VLAN (MUX VLAN). MUX VLAN
allows communication between some users, and prohibits communication between other
users.
5.1 Overview of MUX VLANs
5.2 Licensing Requirements and Limitations for MUX VLANs
5.3 Default Settings for MUX VLANs
5.4 Configuring MUX VLANs
5.5 Configuration Examples for MUX VLANs
Basic Concepts
A MUX VLAN consists of principal VLANs and subordinate VLANs; subordinate VLANs
are classified into separate VLANs and group VLANs. See Table 5-1 for a description of
these roles.
Licensing Requirements
MUX VLAN is a basic feature of a router and is not under license control.
Feature Limitation
When deploying MUX VLAN on the router, pay attention to the following:
Only the AR2220-S, AR2240-S, AR2220E-S, AR2240C-S, and AR3200-S series support
MUX VLAN.
Only the 8FE1GE, 24ES2GP, and 24GE cards support MUX VLAN.
Context
Interfaces in a principal VLAN can communicate with other interfaces in the same MUX
VLAN.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan vlan-id
A VLAN is created and the VLAN view is displayed. If the VLAN already exists, the VLAN
view is displayed.
The VLAN ID ranges from 1 to 4094. To create VLANs in a batch, run the
vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command. Then run the vlan vlan-id command
to enter the view of a specified VLAN.
NOTE
If a device is configured with multiple VLANs, configure names for the VLANs to facilitate VLAN
management.
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
----End
Context
A VLAN associated with a group interface is called a group VLAN. Group interfaces in a
group VLAN can communicate with each other.
Procedure
Step 1 Run system-view
A principal VLAN can be configured with a maximum of 128 subordinate group VLANs.
The VLAN ID assigned to a subordinate group VLAN cannot be used to configure a VLANIF
interface, VLAN mapping, VLAN stacking, super-VLAN, or sub-VLAN.
----End
Context
A VLAN associated with separate interfaces is called a separate VLAN. Interfaces in a
separate VLAN cannot communicate with each other.
Procedure
Step 1 Run system-view
A principal VLAN can be configured with only one subordinate separate VLAN.
The subordinate group VLAN and subordinate separate VLAN of the same MUX VLAN
must be unique.
----End
Context
After the MUX VLAN function is enabled on an interface, the principal VLAN and
subordinate VLAN can communicate with each other; interfaces in a group VLAN can
communicate with each other; interfaces in a separate VLAN cannot communicate with each
other.
Pre-configuration Tasks
Before enabling the MUX VLAN function, complete the following tasks:
• The port has been added to only one VLAN. If the port has been added to multiple VLANs,
the MUX VLAN function cannot be enabled on this port.
• The port has been added to a principal or subordinate VLAN in untagged mode as an
access or hybrid interface.
Procedure
Step 1 Run system-view
NOTE
• Disabling MAC address learning or limiting the number of learned MAC addresses on an interface
will compromise the performance of the MUX VLAN function.
• MUX VLAN and port security cannot be configured on the same interface.
• MUX VLAN and MAC address authentication cannot be configured on the same interface.
• MUX VLAN and 802.1x authentication cannot be configured on the same interface.
----End
Procedure
• Run the display mux-vlan command to check information about the MUX VLAN.
----End
Networking Requirements
An enterprise forbids communication between some departments and allows communication
between other departments. All employees in the enterprise are allowed to access certain
servers.
The MUX VLAN function can be configured to meet the preceding requirements. The
enterprise needs to add the servers to the principal VLAN, add the hosts that need to
communicate to a group VLAN, and add the hosts that need to be isolated to a separate
VLAN. Using this function reduces the number of VLAN IDs needed.
As shown in Figure 5-2, Ethernet 2/0/1 is connected to Server A; Ethernet 2/0/2 is connected
to Host B; Ethernet 2/0/3 is connected to Host C; Ethernet 2/0/4 is connected to Host D;
Ethernet 2/0/5 is connected to Host E. To meet the preceding requirements, the enterprise
needs to perform the following configurations: configure VLAN 2 as a principal VLAN and
add Ethernet 2/0/1 to VLAN 2; configure VLAN 3 as a subordinate group VLAN and add
Ethernet 2/0/2 and Ethernet 2/0/3 to VLAN 3; configure VLAN 4 as a subordinate separate
VLAN and add Ethernet 2/0/4 and Ethernet 2/0/5 to VLAN 4.
[Figure 5-2: networking diagram showing the Router and interfaces Eth2/0/1 to Eth2/0/5]
Configuration Roadmap
The configuration roadmap is as follows:
4. Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.
Procedure
Step 1 Configure the MUX VLAN function.
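# Create VLAN 2, VLAN 3, and VLAN 4.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 2 3 4
# Configure VLAN 2 as the principal VLAN, VLAN 3 as the subordinate group VLAN, and VLAN 4 as
the subordinate separate VLAN.
[Router] vlan 2
[Router-vlan2] mux-vlan
[Router-vlan2] subordinate group 3
[Router-vlan2] subordinate separate 4
[Router-vlan2] quit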
# Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] port default vlan 2
[Router-Ethernet2/0/1] port mux-vlan enable
[Router-Ethernet2/0/1] quit
[Router] interface ethernet 2/0/2
[Router-Ethernet2/0/2] port link-type access
[Router-Ethernet2/0/2] port default vlan 3
[Router-Ethernet2/0/2] port mux-vlan enable
[Router-Ethernet2/0/2] quit
[Router] interface ethernet 2/0/3
[Router-Ethernet2/0/3] port link-type access
[Router-Ethernet2/0/3] port default vlan 3
[Router-Ethernet2/0/3] port mux-vlan enable
[Router-Ethernet2/0/3] quit
[Router] interface ethernet 2/0/4
[Router-Ethernet2/0/4] port link-type access
[Router-Ethernet2/0/4] port default vlan 4
[Router-Ethernet2/0/4] port mux-vlan enable
[Router-Ethernet2/0/4] quit
[Router] interface ethernet 2/0/5
[Router-Ethernet2/0/5] port link-type access
[Router-Ethernet2/0/5] port default vlan 4
[Router-Ethernet2/0/5] port mux-vlan enable
[Router-Ethernet2/0/5] quit
Configuration Files
Configuration file of the Router
#
sysname Router
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
interface Ethernet2/0/1
port link-type access
port default vlan 2
port mux-vlan enable
#
interface Ethernet2/0/2
port link-type access
port default vlan 3
port mux-vlan enable
#
interface Ethernet2/0/3
port link-type access
port default vlan 3
port mux-vlan enable
#
interface Ethernet2/0/4
port link-type access
port default vlan 4
port mux-vlan enable
#
interface Ethernet2/0/5
port link-type access
port default vlan 4
port mux-vlan enable
#
return
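The following Python audit is an added example, not part of Huawei's guide. It parses a configuration file in the format shown above, derives which MUX VLAN-enabled ports may exchange Layer 2 traffic, and reports ports that sit in a MUX VLAN without port mux-vlan enable. The function names and the extra port Ethernet2/0/7 are assumptions made for the illustration; ports in different subordinate VLANs are treated as isolated from each other.

```python
import re
from itertools import combinations

# Constructed input: the Router configuration file from this section plus one
# invented port (Ethernet2/0/7) left in group VLAN 3 without MUX VLAN enabled.
SAMPLE_CONFIG = """
sysname Router
#
vlan batch 2 to 4
#
vlan 2
 mux-vlan
 subordinate separate 4
 subordinate group 3
#
interface Ethernet2/0/1
 port link-type access
 port default vlan 2
 port mux-vlan enable
#
interface Ethernet2/0/2
 port link-type access
 port default vlan 3
 port mux-vlan enable
#
interface Ethernet2/0/3
 port link-type access
 port default vlan 3
 port mux-vlan enable
#
interface Ethernet2/0/4
 port link-type access
 port default vlan 4
 port mux-vlan enable
#
interface Ethernet2/0/5
 port link-type access
 port default vlan 4
 port mux-vlan enable
#
interface Ethernet2/0/7
 port link-type access
 port default vlan 3
#
return
"""

def parse(text):
    """Return (MUX VLANs keyed by principal VLAN ID, ports keyed by name)."""
    vlans, ports, cur = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            cur = vlans.setdefault(int(m[1]), {"mux": False, "group": set(), "separate": set()})
        elif m := re.fullmatch(r"interface (\S+)", line):
            cur = ports.setdefault(m[1], {"vlan": None, "mux": False})
        elif line in ("", "#", "return"):
            cur = None
        elif cur is None:
            continue
        elif line in ("mux-vlan", "port mux-vlan enable"):
            cur["mux"] = True
        elif (m := re.fullmatch(r"subordinate (group|separate) (.+)", line)) and m[1] in cur:
            for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", m[2]):  # "3" or "3 to 5"
                cur[m[1]].update(range(int(lo), int(hi or lo) + 1))
        elif m := re.fullmatch(r"port default vlan (\d+)", line):
            cur["vlan"] = int(m[1])
    return {v: c for v, c in vlans.items() if c["mux"]}, ports

def role(vid, mux):
    """(principal, kind, vid) for a VLAN that belongs to a MUX VLAN, else None."""
    for principal, c in mux.items():
        ids = {"principal": {principal}, "group": c["group"], "separate": c["separate"]}
        for kind in ids:
            if vid in ids[kind]:
                return principal, kind, vid

def allowed(ra, rb):
    if ra[0] != rb[0]:
        return False  # different MUX VLANs
    if "principal" in (ra[1], rb[1]):
        return True   # principal ports reach every port of the MUX VLAN
    return ra[1] == rb[1] == "group" and ra[2] == rb[2]  # same group VLAN only

def matrix(mux, ports):
    """Allowed pairs among ports that are in a MUX VLAN with the function enabled."""
    m = {p: role(c["vlan"], mux) for p, c in ports.items() if c["mux"] and role(c["vlan"], mux)}
    return {(a, b): allowed(m[a], m[b]) for a, b in combinations(sorted(m), 2)}

def audit(mux, ports):
    """Findings for two constraints this section states."""
    out = [f"vlan {p}: more than one separate VLAN" for p, c in mux.items() if len(c["separate"]) > 1]
    out += [f"{n}: in {role(c['vlan'], mux)[1]} VLAN {c['vlan']} without port mux-vlan enable"
            for n, c in ports.items() if not c["mux"] and role(c["vlan"], mux)]
    return out

if __name__ == "__main__":
    mux, ports = parse(SAMPLE_CONFIG)
    print(*matrix(mux, ports).items(), *audit(mux, ports), sep="\n")
```

Comparing the matrix before and after a configuration change shows whether an isolation boundary has moved.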
Networking Requirements
An enterprise forbids communication between some departments and allows communication
between other departments. All employees in the enterprise are allowed to access certain
servers.
The MUX VLAN function can be configured to meet the preceding requirements. The
enterprise needs to add the servers to the principal VLAN, add the hosts that are allowed to
communicate to a group VLAN, and add the hosts that need to be isolated to a separate
VLAN. Using this function reduces the number of VLAN IDs needed.
When employees connect to servers through multiple devices, inter-device MUX VLAN can
be configured.
As shown in Figure 5-3, Ethernet2/0/1 of each Router is connected to a server, and Ethernet2/0/2 to
Ethernet2/0/5 are connected to PCs. The Routers use Ethernet2/0/6 to communicate with each
other. To meet the preceding requirements, the enterprise needs to perform the following
configurations on the Routers: configure VLAN 2 as a principal VLAN and add Ethernet2/0/1
to VLAN 2; configure VLAN 3 as a subordinate group VLAN and add Ethernet2/0/2 and
Ethernet2/0/3 to VLAN 3; configure VLAN 4 as a subordinate separate VLAN and add
Ethernet2/0/4 and Ethernet2/0/5 to VLAN 4. Configure Ethernet2/0/6 to allow VLAN 2,
VLAN 3, and VLAN 4 to pass through.
[Figure 5-3: networking diagram showing RouterA and RouterB connected through Eth2/0/6, Eth2/0/1 on each router, and HostA to HostH in VLAN 3 and VLAN 4]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the principal VLAN.
2. Configure the subordinate group VLAN.
3. Configure the subordinate separate VLAN.
4. Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.
5. Configure the interfaces between RouterA and RouterB to allow the principal VLAN and
subordinate VLANs to pass through.
Procedure
Step 1 Configure the MUX VLAN function on RouterA.
# Create VLAN 2, VLAN 3, and VLAN 4.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan batch 2 3 4
# Add Ethernet2/0/1 to Ethernet2/0/5 to VLANs and enable the MUX VLAN function on the
interfaces.
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type access
# Configure Ethernet2/0/6 to allow the principal VLAN and subordinate VLANs to pass
through.
[RouterA] interface ethernet 2/0/6
[RouterA-Ethernet2/0/6] port link-type trunk
[RouterA-Ethernet2/0/6] port trunk allow-pass vlan 2 to 4
[RouterA-Ethernet2/0/6] quit
# Add Ethernet2/0/1 to Ethernet2/0/5 to VLANs and enable the MUX VLAN function on the
interfaces.
[RouterB] interface ethernet 2/0/1
[RouterB-Ethernet2/0/1] port link-type access
[RouterB-Ethernet2/0/1] port default vlan 2
[RouterB-Ethernet2/0/1] port mux-vlan enable
[RouterB-Ethernet2/0/1] quit
[RouterB] interface ethernet 2/0/2
[RouterB-Ethernet2/0/2] port link-type access
[RouterB-Ethernet2/0/2] port default vlan 3
[RouterB-Ethernet2/0/2] port mux-vlan enable
[RouterB-Ethernet2/0/2] quit
[RouterB] interface ethernet 2/0/3
[RouterB-Ethernet2/0/3] port link-type access
[RouterB-Ethernet2/0/3] port default vlan 3
[RouterB-Ethernet2/0/3] port mux-vlan enable
[RouterB-Ethernet2/0/3] quit
[RouterB] interface ethernet 2/0/4
[RouterB-Ethernet2/0/4] port link-type access
[RouterB-Ethernet2/0/4] port default vlan 4
# Configure Ethernet2/0/6 to allow the principal VLAN and subordinate VLANs to pass
through.
[RouterB] interface ethernet 2/0/6
[RouterB-Ethernet2/0/6] port link-type trunk
[RouterB-Ethernet2/0/6] port trunk allow-pass vlan 2 to 4
[RouterB-Ethernet2/0/6] quit
----End
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate group 3
subordinate separate 4
#
interface Ethernet2/0/1
port link-type access
port default vlan 2
port mux-vlan enable
#
interface Ethernet2/0/2
port link-type access
port default vlan 3
port mux-vlan enable
#
interface Ethernet2/0/3
port link-type access
port default vlan 3
port mux-vlan enable
#
interface Ethernet2/0/4
port link-type access
port default vlan 4
port mux-vlan enable
#
interface Ethernet2/0/5
port link-type access
port default vlan 4
#
sysname RouterB
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate group 3
subordinate separate 4
#
interface Ethernet2/0/1
port link-type access
port default vlan 2
port mux-vlan enable
#
interface Ethernet2/0/2
port link-type access
port default vlan 3
port mux-vlan enable
#
interface Ethernet2/0/3
port link-type access
port default vlan 3
port mux-vlan enable
#
interface Ethernet2/0/4
port link-type access
port default vlan 4
port mux-vlan enable
#
interface Ethernet2/0/5
port link-type access
port default vlan 4
port mux-vlan enable
#
interface Ethernet2/0/6
port link-type trunk
port trunk allow-pass vlan 2 to 4
#
return
This chapter describes how to configure VLAN termination. The VLAN termination function
includes two sub-functions: Dot1q termination and QinQ termination. It implements inter-
VLAN Layer 3 connectivity on a LAN and interworking of users across an ISP network.
6.1 Overview of VLAN Termination
This section describes the definition, classification, and purpose of VLAN termination.
6.2 Application Scenarios for VLAN Termination
6.3 Summary of VLAN Termination Configuration Tasks
6.4 Default Settings for VLAN Termination
6.5 Licensing Requirements and Limitations for VLAN Termination
This section describes the product models that support VLAN termination and notes about
configuring VLAN termination.
6.6 Configuring a Dot1q Termination Sub-interface to Implement Inter-VLAN
Communication
When a router connects to users located in different VLANs through a Layer 3 Ethernet
interface, configure Dot1q termination sub-interfaces on this Layer 3 Ethernet interface to
implement inter-VLAN communication.
6.7 Configuring a Dot1q Termination Sub-interface and Connecting It to an L2VPN
When users are connected through an L2VPN and each packet that CEs send to PEs carries
one VLAN tag, configure a Dot1q termination sub-interface and connect it to the L2VPN.
6.8 Configuring a Dot1q Termination Sub-interface and Connecting It to an L3VPN
When users are connected through an L3VPN and each packet that CEs send to PEs carries
one VLAN tag, configure a Dot1q termination sub-interface and connect it to the L3VPN.
6.9 Configuring a QinQ Termination Sub-interface and Connecting It to an L2VPN
When users are connected through an L2VPN and each packet that CEs send to PEs carries
double VLAN tags, configure a QinQ termination sub-interface and connect it to the L2VPN.
6.10 Configuring a QinQ Termination Sub-interface and Connecting It to an L3VPN
When users are connected through an L3VPN and each packet that CEs send to PEs carries
double VLAN tags, configure a QinQ termination sub-interface and connect it to the L3VPN.
Definition
VLAN termination is a VLAN tag processing mechanism. After VLAN termination is
enabled on a device, the device identifies VLAN tags in received packets, removes single or
double tags from the packets, and then forwards packets at Layer 3 or takes other actions.
These VLAN tags are only useful before termination, and are not used in Layer 3 forwarding
or other processing.
A device with VLAN termination enabled processes incoming and outgoing packets as
follows:
• Removes VLAN tags from the packets received on interfaces, and then forwards the
packets at Layer 3 or takes other actions.
• Adds VLAN tags to the packets that will be sent out through interfaces.
Classification
Depending on the modes in which VLAN tagged packets are processed, VLAN termination
has the following sub-functions:
• Dot1q termination: removes the outer VLAN tag from the received single-tagged or
double-tagged packets, and adds a VLAN tag to the packets to be sent by an interface.
• QinQ termination: removes double VLAN tags from the received double-tagged packets,
and adds double VLAN tags to the packets to be sent by an interface.
Generally, VLAN termination is configured on sub-interfaces. A sub-interface that terminates
single tags in packets is called a Dot1q termination sub-interface, and a sub-interface that
terminates double tags in packets is called a QinQ termination sub-interface.
NOTE
Dot1q and QinQ VLAN tag termination sub-interfaces do not support transparent transmission of
packets that do not contain a VLAN tag, and discard received packets that do not contain a VLAN tag.
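The tag handling described above, as an added Python example that is not part of Huawei's guide: it models a termination sub-interface receiving and sending Ethernet frames. The function names, the constructed frames, the use of TPID 0x8100 for every tag that is added, and returning None for a frame whose tags do not match the configured VLAN IDs are assumptions of this example.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # tag protocol identifiers accepted on receive (assumption)


def build_frame(vids, payload=b"\x45" + bytes(19)):
    """Constructed test frame: fixed MAC addresses, the given tags (outermost
    first), EtherType IPv4 and a dummy payload."""
    macs = bytes.fromhex("02000000000b02000000000a")
    tags = b"".join(struct.pack("!HH", 0x8100, vid) for vid in vids)
    return macs + tags + struct.pack("!H", 0x0800) + payload


def read_vids(frame):
    """VLAN IDs of the tags that follow the two MAC addresses, outermost first."""
    vids, off = [], 12
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in TPIDS:
            break
        vids.append(tci & 0x0FFF)  # the low 12 bits of the TCI are the VLAN ID
        off += 4
    return vids


def terminate(frame, mode, outer_vid, inner_vid=None):
    """Receive direction. Returns the frame without the terminated tags, or
    None when the sub-interface does not accept the frame."""
    vids = read_vids(frame)
    if not vids:
        return None  # untagged frames are discarded, as the NOTE above states
    if mode == "dot1q":
        matched, strip = vids[0] == outer_vid, 1  # only the outer tag is removed
    elif mode == "qinq":
        matched, strip = vids[:2] == [outer_vid, inner_vid], 2
    else:
        raise ValueError(f"unknown mode: {mode}")
    return frame[:12] + frame[12 + 4 * strip:] if matched else None


def encapsulate(frame, mode, outer_vid, inner_vid=None):
    """Send direction: add one tag (dot1q) or two tags (qinq) after the MACs."""
    vids = [outer_vid] if mode == "dot1q" else [outer_vid, inner_vid]
    tags = b"".join(struct.pack("!HH", 0x8100, vid) for vid in vids)
    return frame[:12] + tags + frame[12:]


if __name__ == "__main__":
    double = build_frame([100, 10])
    print("dot1q on double-tagged leaves:", read_vids(terminate(double, "dot1q", 100)))
    print("qinq on double-tagged leaves: ", read_vids(terminate(double, "qinq", 100, 10)))
    print("untagged accepted:            ", terminate(build_frame([]), "dot1q", 100) is not None)
```

The first printed case is the one to keep in mind when reviewing a design: after Dot1q termination of a double-tagged frame, the inner tag is still present in what is handed on.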
Purpose
After VLANs are assigned on a network, hosts in the same VLAN can communicate with
each other at Layer 2, whereas hosts in different VLANs cannot. You can use VLANIF
interfaces on a router to implement inter-VLAN Layer 3 connectivity. As shown in Figure
6-1, when a router uses only one Layer 3 Ethernet interface to connect to users or a network,
this interface needs to transmit packets from multiple VLANs. A VLANIF interface cannot
provide this function. You can virtualize a Layer 3 Ethernet interface into multiple logical
sub-interfaces. The Layer 3 Ethernet interface is the main interface for the logical sub-
interfaces.
[Figure 6-1: a Router with sub-interfaces Port1.1 and Port1.2 connected to a Switch over a VLAN trunk]
By default, a Layer 3 Ethernet sub-interface treats received VLAN packets as invalid packets
and discards them; therefore, VLAN termination needs to be configured on the Layer 3
Ethernet sub-interface so that the sub-interface can remove VLAN tags from packets.
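[Figure: sub-interfaces Port1.1 and Port1.2 connected to a Switch over a VLAN trunk]
[Figure: CE1 (Branch 1) and CE2 (Branch 2) connected to Port1.1 of PE1 and PE2 across the ISP's PWE3/VLL network; single-tagged packets]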
Dot1q termination and PWE3/VLL are deployed on sub-interfaces of PE1 and PE2. When the
outer VLAN tag of data packets sent by CE1 to PE1 matches the Dot1q termination
configuration on Port1.1, PE1 encapsulates double MPLS labels into the packets and forwards
the packets to the carrier's PWE3/VLL network. The VLAN tags are invisible on the carrier's
PWE3/VLL network. Before sending packets, PE2 removes double MPLS labels from the
packets. PE2 then forwards the packets to CE2 according to the Dot1q termination
configuration on Port1.1. CE2 then forwards packets to user hosts to implement interworking
of different branches, and so on.
[Figure: CE1 to CE4 (Branch 1 and Branch 2 of VPN1 and VPN2) connected to Port1.1 and Port1.2 of PE1 and PE2 across the ISP's MPLS L3VPN network]
Dot1q termination and L3VPN are deployed on sub-interfaces of PE1 and PE2. When
receiving data packets from CE1, PE1 removes the outer VLAN tag from the packets
according to the Dot1q termination on Port1.1, binds the outer VLAN tag to the VPN instance
VPN1, and then connects to the L3VPN. After the packets reach PE2, PE2 determines that the
packets are destined for CE3 according to the VPN instance. PE2 adds the outer VLAN tag to
the packets according to the configuration of Port1.1, and then forwards the packets. The
packets then reach user hosts through CE3 to implement interworking, and so on.
[Figure: CE1 (Branch 1) and CE2 (Branch 2) connected to Port1.1 of PE1 and PE2 across the ISP's PWE3/VLL network; double-tagged packets]
QinQ termination and PWE3/VLL are deployed on sub-interfaces of PE1 and PE2. When
inner and outer VLAN tags of data packets sent by CE1 to PE1 match the QinQ termination
configuration on Port1.1, PE1 encapsulates double MPLS labels into the packets and forwards
the packets to the carrier's PWE3/VLL network. The VLAN tags are invisible on the carrier's
PWE3/VLL network. Before sending packets, PE2 removes double MPLS labels from the
packets. PE2 then forwards the packets to CE2 according to the QinQ termination
configuration on Port1.1. CE2 then forwards packets to user hosts to implement interworking
of different branches, and so on.
[Figure: CE1 to CE4 (Branch 1 and Branch 2 of VPN1 and VPN2) connected to Port1.1 and Port1.2 of PE1 and PE2 across the ISP's MPLS L3VPN network]
QinQ termination and L3VPN are deployed on sub-interfaces of PE1 and PE2. When
receiving data packets from CE1, PE1 removes the inner and outer VLAN tags from the
packets according to the QinQ termination on Port1.1, binds the inner and outer VLAN tags
to the VPN instance VPN1, and then connects to the L3VPN. After the packets reach PE2,
PE2 determines that the packets are destined for CE3 according to the VPN instance. PE2
adds inner and outer VLAN tags to the packets according to the configuration of Port1.1, and
then forwards the packets. The packets then reach user hosts through CE3 to implement
interworking, and so on.
6.6 Configuring a Dot1q Termination Sub-interface to Implement Inter-VLAN Communication
A router connects to user hosts residing in different VLANs through a Layer 3 Ethernet
interface, and these user hosts need to communicate with each other.
6.7 Configuring a Dot1q Termination Sub-interface and Connecting It to an L2VPN
A carrier's network provides the L2VPN service for users. PEs function as user access devices
and connect to CEs through sub-interfaces to access user networks. The data packets that CEs
send to PEs carry one VLAN tag. Interworking is required between user networks.
6.8 Configuring a Dot1q Termination Sub-interface and Connecting It to an L3VPN
A carrier's network provides the L3VPN service for users. PEs function as user access devices
and connect to CEs through sub-interfaces to access user networks. The data packets that CEs
send to PEs carry one VLAN tag. Interworking is required between user networks.
6.9 Configuring a QinQ Termination Sub-interface and Connecting It to an L2VPN
A carrier's network provides the L2VPN service for users. PEs function as user access devices
and connect to CEs through sub-interfaces to access user networks. The data packets that CEs
send to PEs carry double VLAN tags. Interworking is required between user networks.
6.10 Configuring a QinQ Termination Sub-interface and Connecting It to an L3VPN
A carrier's network provides the L3VPN service for users. PEs function as user access devices
and connect to CEs through sub-interfaces to access user networks. The data packets that CEs
send to PEs carry double VLAN tags. Interworking is required between user networks.
Licensing Requirements
VLAN termination is a basic feature of a router and is not under license control.
Feature Limitations
• Termination sub-interfaces cannot be configured on an Eth-Trunk member interface.
• You are advised to add member interfaces to an Eth-Trunk and configure termination
sub-interfaces on the Eth-Trunk in sequence. Termination sub-interfaces can be
configured successfully on an Eth-Trunk only when all series of cards where member
interfaces reside support termination sub-interfaces.
• The VLAN IDs terminated by a sub-interface cannot be created in the system view or be
displayed using a display command.
• When VLAN IDs terminated by a sub-interface are used for Layer 3 forwarding, only
the first VLAN takes effect even if multiple inner VLAN IDs are specified.
• The VLAN terminated by a sub-interface cannot be configured as a super-VLAN or
sub-VLAN.
Context
When a router connects to users on different network segments across different VLANs,
configure Dot1q termination and IP addresses for the sub-interfaces to implement Layer 3
connectivity.
NOTE
To implement inter-VLAN communication, hosts in each VLAN must use the IP address of the
corresponding sub-interface as the default gateway address.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number.subinterface-number
The sub-interface view is displayed.
Step 3 Run ip address ip-address { mask | mask-length } [ sub ]
An IP address is assigned to the sub-interface.
----End
Pre-configuration Tasks
Before configuring a Dot1q termination sub-interface and connecting it to an L2VPN,
complete the following tasks:
• Connecting devices correctly
• Configuring VLANs to which CEs belong and basic Layer 2 forwarding so that each
packet sent from CEs to PEs carries one VLAN tag
Procedure
Step 1 On the PE device, run:
system-view
NOTE
----End
Procedure
• Run the display dot1q information termination [ interface interface-type
interface-number [.subinterface-number ] ] command to check dot1q termination sub-interface
information.
• Run the display vll ccc [ ccc-name | type local ] command to check CCC connection
information.
• Run the display mpls static-l2vc command to check static VC information.
• Run the display mpls l2vc command to check local VC information.
• Run the display mpls l2vc remote-info command to check remote VC information.
----End
Pre-configuration Tasks
Before configuring a Dot1q termination sub-interface and connecting it to an L3VPN,
complete the following tasks:
• Connecting devices correctly
• Configuring VLANs to which CEs belong and basic Layer 2 forwarding so that each
packet sent from CEs to PEs carries one VLAN tag
Context
When a VPN connects to an ISP network through a sub-interface, the sub-interface needs to
remove VLAN tags of the packets that the VPN has sent to the ISP network. When each
packet that CEs send to PEs carries one VLAN tag, the sub-interface terminates the single
VLAN tag. This sub-interface is called a Dot1q termination sub-interface.
Procedure
Step 1 On the PE device, run:
system-view
NOTE
----End
Procedure
• Run the display dot1q information termination [ interface interface-type
interface-number [.subinterface-number ] ] command to check dot1q termination sub-interface
information.
• Run the display ip vpn-instance [ verbose ] [ vpn-instance-name ] command to check
VPN instance information.
----End
Pre-configuration Tasks
Before configuring a QinQ termination sub-interface and connecting it to an L2VPN,
complete the following tasks:
• Connecting devices correctly
• Configuring VLANs to which CEs belong and basic Layer 2 forwarding so that packets
sent from CEs to PEs carry double VLAN tags
Procedure
Context
When a VPN network connects to an ISP network through a sub-interface, the sub-interface
needs to terminate VLAN tags. When data packets sent by CEs to PEs carry double VLAN
tags, the sub-interface terminates double VLAN tags. This sub-interface is called a QinQ
termination sub-interface.
Procedure
Step 1 Run system-view
----End
NOTE
A QinQ termination sub-interface can be bound to a VLL that provides homogeneous or heterogeneous
transport in the following modes:
• Local CCC connection
• Remote CCC connection
• Remote SVC connection
• Remote Martini connection
Procedure
• Run the display qinq information termination [ interface interface-type
interface-number [.subinterface-number ] ] command to check QinQ termination sub-interface
information.
• Run the display vll ccc [ ccc-name | type local ] command to check CCC connection
information.
• Run the display mpls static-l2vc command to check static VC information.
• Run the display mpls l2vc command on the PE to check VC information on the local
PE.
• Run the display mpls l2vc remote-info command on the PE to check the VC
information on the remote PE.
----End
Pre-configuration Tasks
Before configuring a QinQ termination sub-interface and connecting it to an L3VPN,
complete the following tasks:
• Connecting devices correctly
• Configuring VLANs to which CEs belong and basic Layer 2 forwarding so that packets
sent from CEs to PEs carry double VLAN tags
Procedure
tags, the sub-interface terminates double VLAN tags. This sub-interface is called QinQ
termination sub-interface.
Procedure
Step 1 Run system-view
----End
Configure L3VPN on the CE, PE, and P. For details, see "BGP/MPLS IP VPN Configuration"
in Huawei AR Series Access Routers Configuration Guide - VPN.
Procedure
• Run the display qinq information termination [ interface interface-type
interface-number [.subinterface-number ] ] command to check QinQ termination sub-interface
information.
• Run the display ip vpn-instance [ verbose ] [ vpn-instance-name ] command to check
VPN instance information.
----End
Networking Requirements
An enterprise's departments are located on different network segments and use the same
services such as Internet access and VoIP. To allow the departments in different VLANs to use
the same service, inter-VLAN communication must be implemented.
In the networking example shown in Figure 6-7, department 1 and department 2 are located
in different VLANs and network segments. Both need to use the Internet access service, and
users in department 1 and department 2 need to communicate with each other.
Figure 6-7 Networking for configuring Dot1q termination sub-interfaces to implement
inter-VLAN communication
[Diagram: Router sub-interfaces GE1/0/0.1 (10.10.10.1/24) and GE2/0/0.1 (10.10.20.1/24); RouterA and RouterB, each with Eth2/0/2 and Eth2/0/1; PC1 (10.10.10.2/24, VLAN 10, Department 1) and PC2 (10.10.20.2/24, VLAN 20, Department 2)]
Configuration Roadmap
The configuration roadmap is as follows.
1. Configure the ID of the VLAN to which each interface belongs.
2. Configure Dot1q termination sub-interfaces.
3. Assign IP addresses to the sub-interfaces.
Procedure
Step 1 Configure VLANs on interfaces of RouterA and RouterB.
# Add the uplink interface of RouterA to VLAN 10 in tagged mode and user-side interface to
VLAN 10 in untagged mode.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan batch 10
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type access
[RouterA-Ethernet2/0/1] port default vlan 10
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] port link-type trunk
[RouterA-Ethernet2/0/2] port trunk allow-pass vlan 10
[RouterA-Ethernet2/0/2] quit
# Add the uplink interface of RouterB to VLAN 20 in tagged mode and user-side interface to
VLAN 20 in untagged mode.
<Huawei> system-view
[Huawei] sysname RouterB
----End
Configuration Files
• Configuration file of the Router
#
sysname Router
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
ip address 10.10.10.1 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet2/0/0.1
dot1q termination vid 20
ip address 10.10.20.1 255.255.255.0
arp broadcast enable
#
return
vlan batch 10
#
interface Ethernet2/0/1
port link-type access
port default vlan 10
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
• Configuration file of RouterB
#
sysname RouterB
#
vlan batch 20
#
interface Ethernet2/0/1
port link-type access
port default vlan 20
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
return
Figure 6-8 Networking for configuring Dot1q termination sub-interfaces to implement
inter-VLAN communication across a network
[Diagram: RouterA (Eth2/0/2, GE1/0/0.1) and RouterB (Eth2/0/1, GE2/0/0.1) with OSPF between them; PC A (10.10.10.2/24, VLAN 10) and PC B (10.10.20.2/24, VLAN 20)]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure VLANs that interfaces belong to.
2. Assign IP addresses to VLANIF interfaces.
3. Set the encapsulation mode of sub-interfaces.
4. Configure VLANs allowed by sub-interfaces.
5. Assign IP addresses to the sub-interfaces.
6. Configure basic OSPF functions.
NOTE
Procedure
Step 1 Configure RouterA.
# Create a VLAN.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan batch 30
----End
Configuration Files
• Configuration file of RouterA
#
sysname RouterA
#
router id 1.1.1.1
#
vlan batch 30
#
interface Vlanif30
ip address 10.10.30.1 255.255.255.0
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
ip address 10.10.10.1 255.255.255.0
arp broadcast enable
#
interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
ospf 1
area 0.0.0.0
network 10.10.10.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return
Networking Requirements
As shown in Figure 6-9, CE1 and CE2 are connected to PE1 and PE2 respectively through
VLANs.
A Martini VLL is created between PE1 and PE2 so that user networks connected to CE1 and
CE2 can communicate.
Figure 6-9 Networking diagram for connecting a Dot1q VLAN tag termination sub-interface
to a VLL network
[Diagram: CE1, PE1, P, PE2, and CE2 in a chain with a Martini VLL between PE1 and PE2; Loopback1 addresses 10.10.1.9/32, 10.20.2.9/32, and 10.30.3.9/32; backbone link addresses 10.1.1.1/24, 10.1.1.2/24, 10.2.2.1/24, and 10.2.2.2/24; CEs attach through GE1/0/0]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol on devices (PE and P) of the backbone network to
implement interworking, and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP for data
transmission.
3. Enable MPLS L2VPN and create VC connections on PEs.
4. Configure Dot1q sub-interfaces on PE interfaces connected to CEs to implement VLL
access.
Procedure
Step 1 Configure IP addresses for interfaces on CEs, PEs, and the P devices according to Figure 6-9.
# Configure CE1. The configuration details of other devices are not mentioned here.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] interface gigabitethernet 1/0/0.1
[CE1-GigabitEthernet1/0/0.1] ip address 10.100.1.1 255.255.255.0
[CE1-GigabitEthernet1/0/0.1] quit
Step 2 Configure CEs to add a VLAN tag to packets destined for PEs.
# VLAN 10 is used as an example. Configure CE1.
[CE1] interface gigabitethernet 1/0/0.1
[CE1-GigabitEthernet1/0/0.1] dot1q termination vid 10
[CE1-GigabitEthernet1/0/0.1] quit
# Configure CE2.
[CE2] interface gigabitethernet 1/0/0.1
[CE2-GigabitEthernet1/0/0.1] dot1q termination vid 10
[CE2-GigabitEthernet1/0/0.1] quit
Step 3 Configure an IGP on the MPLS backbone network. OSPF is used as an example.
# Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the LSR IDs.
# Configure PE1. The configuration details of other devices are not mentioned here.
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 10.10.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
Step 4 Configure basic MPLS functions and MPLS LDP on the MPLS network.
# Configure PE1.
[PE1] mpls lsr-id 10.10.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] mpls
[PE1-GigabitEthernet2/0/0] mpls ldp
[PE1-GigabitEthernet2/0/0] quit
# Configure P.
[P] mpls lsr-id 10.20.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] mpls
[P-GigabitEthernet2/0/0] mpls ldp
[P-GigabitEthernet2/0/0] quit
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] mpls
[P-GigabitEthernet1/0/0] mpls ldp
[P-GigabitEthernet1/0/0] quit
# Configure PE2.
[PE2] mpls lsr-id 10.30.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] mpls
[PE2-GigabitEthernet1/0/0] mpls ldp
[PE2-GigabitEthernet1/0/0] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 10.10.1.9
[PE2-mpls-ldp-remote-10.10.1.9] remote-ip 10.10.1.9
[PE2-mpls-ldp-remote-10.10.1.9] quit
# After the configuration is complete, run the display mpls ldp session command on PE1 to
view the LDP session setup. You can see that an LDP session is set up between PE1 and PE2.
[PE1] display mpls ldp session
----End
Configuration Files
• CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
ip address 10.100.1.1 255.255.255.0
#
return
• P configuration file
#
sysname P
#
mpls lsr-id 10.20.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.20.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.20.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
Networking Requirements
As shown in Figure 6-10, CE1 and CE2 are connected to PE1 and PE2 respectively through
VLANs.
A Martini VLL connection is set up between PE1 and PE2 to implement interworking
between CE1 and CE2.
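Figure 6-10 Networking for connecting Dot1q termination sub-interfaces to a VLL network
[Network diagram: CE1 (GE1/0/0) connects to PE1 (Loopback1 10.10.1.9/32, GE1/0/0 towards CE1, GE2/0/0 10.1.1.1/24); PE1 connects to P (Loopback1 10.20.2.9/32, GE2/0/0 10.1.1.2/24, GE1/0/0 10.2.2.2/24); P connects to PE2 (Loopback1 10.30.3.9/32, GE1/0/0 10.2.2.1/24, GE2/0/0 towards CE2); PE2 connects to CE2 (GE1/0/0). A Martini VLL runs between PE1 and PE2.]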
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IGP on PEs and the P on the backbone network to ensure reachability
between them, and enable MPLS.
2. Use the default tunnel policy to set up LSPs for transmitting user data.
3. Enable MPLS L2VPN and create VCs on PEs.
4. On PE interfaces connected to CEs, create QinQ sub-interfaces and connect the sub-
interfaces to the VLL network.
Procedure
Step 1 Create a bridge group and add a sub-interface to the bridge group.
# The configuration on CE1 is used as an example. The configuration of CE2 is similar to that of
CE1, and is not mentioned here.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] bridge 1
[CE1-bridge1] quit
[CE1] interface gigabitethernet 1/0/0.1
[CE1-GigabitEthernet1/0/0.1] bridge 1
[CE1-GigabitEthernet1/0/0.1] bridge vlan-transmit enable
[CE1-GigabitEthernet1/0/0.1] quit
# Here, the inner VLAN ID is VLAN 10 and the outer VLAN ID is VLAN 100.
# The configuration on CE1 is used as an example. The configuration of CE2 is similar to that of
CE1, and is not mentioned here.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] interface gigabitethernet 1/0/0.1
[CE1-GigabitEthernet1/0/0.1] vlan stacking vid 10 pe-vid 100
[CE1-GigabitEthernet1/0/0.1] quit
# The configuration on PE1 is used as an example. The configuration of PE2 is similar to that of
PE1, and is not mentioned here.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface gigabitethernet 1/0/0.1
[PE1-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10
[PE1-GigabitEthernet1/0/0.1] quit
# The configuration on PE1 is used as an example. The configuration of PE2 and P is similar to that
of PE1, and is not mentioned here.
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 10.10.1.9 255.255.255.255
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
[PE1-GigabitEthernet2/0/0] quit
Step 5 Configure an IGP on the MPLS backbone network. This example uses OSPF.
# Configure OSPF to advertise the loopback interface addresses of 32-bit mask length on
PE1, PE2, and P, which are used as the LSR IDs.
# The configuration on PE1 is used as an example. The configurations of other devices are similar to
the configuration of PE1, and are not mentioned here.
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 10.10.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
Step 6 Configure basic MPLS functions and enable MPLS LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 10.10.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] mpls
[PE1-GigabitEthernet2/0/0] mpls ldp
[PE1-GigabitEthernet2/0/0] quit
# Configure the P.
[P] mpls lsr-id 10.20.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] mpls
[P-GigabitEthernet2/0/0] mpls ldp
[P-GigabitEthernet2/0/0] quit
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] mpls
[P-GigabitEthernet1/0/0] mpls ldp
[P-GigabitEthernet1/0/0] quit
# Configure PE2.
[PE2] mpls lsr-id 10.30.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] mpls
[PE2-GigabitEthernet1/0/0] mpls ldp
[PE2-GigabitEthernet1/0/0] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 10.10.1.9
[PE2-mpls-ldp-remote-10.10.1.9] remote-ip 10.10.1.9
[PE2-mpls-ldp-remote-10.10.1.9] quit
# After the configuration is complete, run the display mpls ldp session command on PE1 to
view the LDP session status. You can see that an LDP session is set up between PE1 and PE2.
[PE1] display mpls ldp session
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.
# On PEs, check the L2VPN connections. You can see that an L2VC connection is set up and
is in Up state.
[PE1] display mpls l2vc interface gigabitethernet 1/0/0.1
*client interface : GigabitEthernet1/0/0.1 is up
Administrator PW : no
session state : up
AC status : up
Ignore AC state : disable
VC state : up
Label state : 0
Token state : 0
VC ID : 101
VC type : VLAN
destination : 10.30.3.9
local group ID : 0 remote group ID : 0
local VC label : 1024 remote VC label : 1024
local AC OAM State : up
local PSN OAM State : up
local forwarding state : forwarding
local status code : 0x0
remote AC OAM state : up
remote PSN OAM state : up
remote forwarding state: forwarding
remote status code : 0x0
ignore standby state : no
BFD for PW : unavailable
VCCV State : up
manual fault : not set
active state : active
forwarding entry : exist
link state : up
local VC MTU : 1500 remote VC MTU : 1500
local VCCV : alert ttl lsp-ping bfd
remote VCCV : alert ttl lsp-ping bfd
local control word : disable remote control word : disable
tunnel policy name : --
PW template name : --
primary or secondary : primary
load balance type : flow
Access-port : false
Switchover Flag : false
----End
Configuration Files
• Configuration file of CE1
#
sysname CE1
#
bridge 1
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0.1
bridge 1
bridge vlan-transmit enable
vlan stacking vid 10 pe-vid 100
#
return
remote-ip 10.30.3.9
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0.1
qinq termination pe-vid 100 ce-vid 10
mpls l2vc 10.30.3.9 101
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.10.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.10.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
• Configuration file of the P
#
sysname P
#
mpls lsr-id 10.20.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.20.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.20.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
mpls lsr-id 10.30.3.9
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 10.10.1.9
remote-ip 10.10.1.9
#
interface GigabitEthernet1/0/0
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 100 ce-vid 10
mpls l2vc 10.10.1.9 101
#
interface LoopBack1
ip address 10.30.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.30.3.9 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
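For the VC to come up between the intended pair of sub-interfaces, each PE's mpls l2vc command must name the other PE's LSR ID with the same VC ID, and because the P sits between the PEs, each PE also needs a remote LDP peer towards the other. The Python script below is an added example, not part of the Huawei manual: it checks those conditions across a set of PE configurations. The two embedded configurations are constructed from the PE1 and PE2 settings in this example, and the function names are hypothetical.

```python
import re

# Constructed samples: the Martini-VLL-related stanzas of PE1 and PE2 in this
# example (interface addressing and OSPF omitted).
PE1_CONFIG = """\
#
sysname PE1
#
mpls lsr-id 10.10.1.9
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 10.30.3.9
 remote-ip 10.30.3.9
#
interface GigabitEthernet1/0/0.1
 qinq termination pe-vid 100 ce-vid 10
 mpls l2vc 10.30.3.9 101
#
return
"""
PE2_CONFIG = """\
#
sysname PE2
#
mpls lsr-id 10.30.3.9
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 10.10.1.9
 remote-ip 10.10.1.9
#
interface GigabitEthernet2/0/0.1
 qinq termination pe-vid 100 ce-vid 10
 mpls l2vc 10.10.1.9 101
#
return
"""


def parse_vll(text):
    """Extract the settings a Martini VC depends on from one PE's VRP configuration."""
    pe = {"lsr_id": None, "l2vpn": False, "remote_peers": set(), "vcs": {}}
    for stanza in re.split(r"(?m)^#[ \t]*$", text):
        lines = [ln.strip() for ln in stanza.splitlines() if ln.strip()]
        if not lines:
            continue
        head, body = lines[0], lines[1:]
        if m := re.fullmatch(r"mpls lsr-id (\S+)", head):
            pe["lsr_id"] = m.group(1)
        elif head == "mpls l2vpn":
            pe["l2vpn"] = True
        elif head.startswith("mpls ldp remote-peer "):
            pe["remote_peers"].update(
                ln.split()[1] for ln in body if ln.startswith("remote-ip "))
        elif m := re.fullmatch(r"interface (\S+)", head):
            for line in body:
                # Only the "mpls l2vc <peer-ip> <vc-id>" form used on this page is parsed.
                if v := re.match(r"mpls l2vc (\d+\.\d+\.\d+\.\d+) (\d+)\b", line):
                    pe["vcs"][(v.group(1), int(v.group(2)))] = m.group(1)
    return pe


def audit_vll(configs):
    """configs maps a device name to its configuration text; returns a list of findings."""
    pes = {name: parse_vll(text) for name, text in configs.items()}
    by_lsr = {pe["lsr_id"]: name for name, pe in pes.items()}
    findings = []
    for name, pe in sorted(pes.items()):
        for (peer, vc_id), ifname in sorted(pe["vcs"].items()):
            where = f"{name} {ifname}"
            if not pe["l2vpn"]:
                findings.append(f"{where}: mpls l2vpn is not enabled")
            if peer not in by_lsr:
                findings.append(f"{where}: peer {peer} is no known LSR ID")
                continue
            # Assumption: the PEs are not directly connected, as in this topology.
            if peer not in pe["remote_peers"]:
                findings.append(f"{where}: no remote LDP peer towards {peer}")
            if (pe["lsr_id"], vc_id) not in pes[by_lsr[peer]]["vcs"]:
                findings.append(
                    f"{where}: {by_lsr[peer]} has no VC {vc_id} back to {pe['lsr_id']}")
    return findings


if __name__ == "__main__":
    mistyped = PE2_CONFIG.replace("mpls l2vc 10.10.1.9 101", "mpls l2vc 10.10.1.9 102")
    print(audit_vll({"PE1": PE1_CONFIG, "PE2": PE2_CONFIG}))
    print(*audit_vll({"PE1": PE1_CONFIG, "PE2": mistyped}), sep="\n")
```

An empty list for the matching pair corresponds to the VC state "up" shown by display mpls l2vc above; the VC MTU and VC type, which must also agree, are not visible in these stanzas and are not checked.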
Networking Requirements
As shown in Figure 6-11, CE1 and CE3 belong to VPN-A, and CE2 and CE4 belong to VPN-
B. The VPN targets of VPN-A and VPN-B are 111:1 and 222:2 respectively. Users in
different VPNs cannot communicate with each other.
Figure 6-11 Networking diagram for connecting a Dot1q VLAN tag termination sub-interface to an L3VPN
[Network diagram: PE1 (Loopback1 10.10.1.9/32, GE3/0/0 172.16.1.1/24), P (Loopback1 10.20.2.9/32, GE1/0/0 172.16.1.2/24, GE2/0/0 172.26.1.1/24) and PE2 (Loopback1 10.30.3.9/32, GE3/0/0 172.26.1.2/24) form the VPN backbone in AS 100. CE1 and CE2 connect through their GE1/0/0 to GE1/0/0 and GE2/0/0 of PE1; CE3 and CE4 connect in the same way to PE2. CE2 (AS 65420) and CE4 (AS 65440) are labelled VPN-B.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure VPN instances on PEs connected to CEs on the backbone network, bind
interfaces connected to CEs to VPN instances, and assign IP addresses to interfaces
connected to CEs.
2. Configure OSPF on PEs to implement interworking.
3. Configure basic MPLS functions and MPLS LDP, and set up MPLS LSPs.
4. Configure the Multi-protocol Extensions for Interior Border Gateway Protocol (MP-
IBGP) on PEs to exchange VPN routing information.
5. Configure EBGP on CEs and PEs to exchange VPN routing information.
6. Configure Dot1q sub-interfaces on PE interfaces connected to CEs to connect the Dot1q
sub-interfaces to the L3VPN.
Procedure
Step 1 Configure OSPF on the MPLS backbone network so that the PEs and P can communicate
with each other.
# Configure PE1.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 10.10.1.9 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] ip address 172.16.1.1 24
[PE1-GigabitEthernet3/0/0] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 10.10.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
<Huawei> system-view
[Huawei] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 10.20.2.9 32
[P-LoopBack1] quit
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] ip address 172.16.1.2 24
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] ip address 172.26.1.1 24
[P-GigabitEthernet2/0/0] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 172.26.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 10.20.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
<Huawei> system-view
[Huawei] sysname PE2
# After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command. The OSPF neighbor relationship status is
Full. Run the display ip routing-table command. PEs have learned the routes to each other's
Loopback1 interface.
Step 2 Configure basic MPLS functions and MPLS LDP on the MPLS backbone network to set up
LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 10.10.1.9
[PE1] mpls
[PE1-mpls] quit
# Configure P.
[P] mpls lsr-id 10.20.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] mpls
[P-GigabitEthernet1/0/0] mpls ldp
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] mpls
[P-GigabitEthernet2/0/0] mpls ldp
[P-GigabitEthernet2/0/0] quit
# Configure PE2.
[PE2] mpls lsr-id 10.30.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] mpls
[PE2-GigabitEthernet3/0/0] mpls ldp
[PE2-GigabitEthernet3/0/0] quit
# After the configuration is complete, LDP sessions can be set up between PE1 and the P, and
between the P and PE2. Run the display mpls ldp session command. The command output
shows that the Status field is Operational. Run the display mpls ldp lsp command.
Information about the established LDP LSPs is displayed.
# The display on PE1 is used as an example.
[PE1] display mpls ldp session
Step 3 Configure CEs to add a VLAN tag to packets destined for PEs.
# Here, the VLAN ID in packets sent by CE1 and CE3 is VLAN 10, and the VLAN ID in
packets sent by CE2 and CE4 is VLAN 20.
# Configure CE1.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] interface gigabitethernet 1/0/0.1
[CE1-GigabitEthernet1/0/0.1] ip address 10.1.1.1 255.255.255.0
[CE1-GigabitEthernet1/0/0.1] dot1q termination vid 10
[CE1-GigabitEthernet1/0/0.1] quit
# Configure CE2.
<Huawei> system-view
[Huawei] sysname CE2
[CE2] interface gigabitethernet 1/0/0.1
[CE2-GigabitEthernet1/0/0.1] ip address 10.2.1.1 255.255.255.0
[CE2-GigabitEthernet1/0/0.1] dot1q termination vid 20
[CE2-GigabitEthernet1/0/0.1] quit
# Configure CE3.
<Huawei> system-view
[Huawei] sysname CE3
[CE3] interface gigabitethernet 1/0/0.1
[CE3-GigabitEthernet1/0/0.1] ip address 10.3.1.1 255.255.255.0
[CE3-GigabitEthernet1/0/0.1] dot1q termination vid 10
[CE3-GigabitEthernet1/0/0.1] quit
# Configure CE4.
<Huawei> system-view
[Huawei] sysname CE4
[CE4] interface gigabitethernet 1/0/0.1
[CE4-GigabitEthernet1/0/0.1] ip address 10.4.1.1 255.255.255.0
[CE4-GigabitEthernet1/0/0.1] dot1q termination vid 20
[CE4-GigabitEthernet1/0/0.1] quit
Step 4 Configure VPN instances on PEs and bind the instances to the interfaces connected to CEs.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface gigabitethernet 1/0/0.1
[PE1-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE1-GigabitEthernet1/0/0.1] ip address 10.1.1.2 24
[PE1-GigabitEthernet1/0/0.1] dot1q termination vid 10
[PE1-GigabitEthernet1/0/0.1] quit
[PE1] interface gigabitethernet 2/0/0.1
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface gigabitethernet 1/0/0.1
[PE2-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE2-GigabitEthernet1/0/0.1] ip address 10.3.1.2 24
[PE2-GigabitEthernet1/0/0.1] dot1q termination vid 10
[PE2-GigabitEthernet1/0/0.1] quit
[PE2] interface gigabitethernet 2/0/0.1
[PE2-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb
[PE2-GigabitEthernet2/0/0.1] ip address 10.4.1.2 24
[PE2-GigabitEthernet2/0/0.1] dot1q termination vid 20
[PE2-GigabitEthernet2/0/0.1] quit
# After the configuration is complete, run the display ip vpn-instance verbose command on
PEs to check the VPN instance configuration. Each PE can ping its connected CE.
NOTE
If multiple interfaces of a PE are bound to the same VPN instance, run the ping -vpn-instance vpn-
instance-name -a source-ip-address dest-ip-address command with -a source-ip-address specified to
ping the CE connected to the remote PE. Otherwise, the ping operation may fail.
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 10.10.1.9 as-number 100
[PE2-bgp] peer 10.10.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 10.10.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
# After the configuration is complete, run the display bgp peer or display bgp vpnv4 all
peer command on PEs. The command output shows that a BGP peer relationship has been
established between PEs.
[PE1] display bgp peer
Step 6 Set up EBGP peer relationships between PEs and CEs and import VPN routes into BGP.
# Configure CE1. The configurations of other CEs are similar to the configuration on CE1,
and are not mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
# Configure PE1. The configuration of PE2 is similar to the configuration of PE1, and is not
mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit
# After the configuration is complete, run the display bgp vpnv4 vpn-instance peer
command on PEs. The command output shows that BGP peer relationships have been
established between PEs and CEs.
# The peer relationship between PE1 and CE1 is used as an example.
[PE1] display bgp vpnv4 vpn-instance vpna peer
# CEs in the same VPN can ping each other, whereas CEs in different VPNs cannot.
# For example, CE1 can ping CE3 at 10.3.1.1 but cannot ping CE4 at 10.4.1.1.
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.4.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
----End
Configuration Files
• PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 10.10.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
ip binding vpn-instance vpna
area 0.0.0.0
network 10.30.3.9 0.0.0.0
network 172.26.1.0 0.0.0.255
#
return
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 20
ip address 10.4.1.1 255.255.255.0
#
bgp 65440
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.4.1.2 enable
#
return
Networking Requirements
As shown in Figure 6-12, CE1 and CE3 belong to VPN-A, and CE2 and CE4 belong to VPN-
B. The VPN targets of VPN-A and VPN-B are 111:1 and 222:2 respectively. Users in
different VPNs cannot communicate with each other.
Figure 6-12 Networking diagram for connecting a QinQ VLAN tag termination sub-interface to an L3VPN
[Network diagram: PE1 (Loopback1 10.10.1.9/32, GE3/0/0 172.16.1.1/24), P (Loopback1 10.20.2.9/32, GE1/0/0 172.16.1.2/24, GE2/0/0 172.26.1.1/24) and PE2 (Loopback1 10.30.3.9/32, GE3/0/0 172.26.1.2/24) form the VPN backbone in AS 100. CE1 and CE2 connect through their GE1/0/0 to GE1/0/0 and GE2/0/0 of PE1; CE3 and CE4 connect in the same way to PE2. CE2 (AS 65420) and CE4 (AS 65440) are labelled VPN-B.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure VPN instances on PEs connected to CEs on the backbone network, bind
interfaces connected to CEs to VPN instances, and assign IP addresses to interfaces
connected to CEs.
2. Configure OSPF on PEs to implement interworking.
3. Configure basic MPLS functions and MPLS LDP, and set up MPLS LSPs.
4. Configure the Multi-protocol Extensions for Interior Border Gateway Protocol (MP-
IBGP) on PEs to exchange VPN routing information.
5. Configure EBGP on CEs and PEs to exchange VPN routing information.
6. Configure QinQ sub-interfaces on PE interfaces connected to CEs to connect the QinQ
sub-interfaces to the L3VPN network.
Procedure
Step 1 Configure OSPF on the MPLS backbone network so that the PEs and P can communicate
with each other.
# Configure PE1.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 10.10.1.9 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] ip address 172.16.1.1 24
[PE1-GigabitEthernet3/0/0] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 10.10.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
<Huawei> system-view
[Huawei] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 10.20.2.9 32
[P-LoopBack1] quit
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] ip address 172.16.1.2 24
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] ip address 172.26.1.1 24
[P-GigabitEthernet2/0/0] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 172.26.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 10.20.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
<Huawei> system-view
[Huawei] sysname PE2
# After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command. The command output shows that the
OSPF neighbor relationship status is Full. Run the display ip routing-table command. The
command output shows that PEs have learned the routes to each other's Loopback1
interface.
# The display on PE1 is used as an example.
[PE1] display ip routing-table
Route Flags: R - relay,
D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 11 Routes : 11
Step 2 Configure basic MPLS functions and MPLS LDP on the MPLS backbone network to set up
LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 10.10.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] mpls
[PE1-GigabitEthernet3/0/0] mpls ldp
[PE1-GigabitEthernet3/0/0] quit
# Configure P.
[P] mpls lsr-id 10.20.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] mpls
[P-GigabitEthernet1/0/0] mpls ldp
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] mpls
[P-GigabitEthernet2/0/0] mpls ldp
[P-GigabitEthernet2/0/0] quit
# Configure PE2.
[PE2] mpls lsr-id 10.30.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] mpls
[PE2-GigabitEthernet3/0/0] mpls ldp
[PE2-GigabitEthernet3/0/0] quit
# After the configuration is complete, LDP sessions can be set up between PE1 and the P, and
between the P and PE2. Run the display mpls ldp session command. The command output
shows that the Status field is Operational. Run the display mpls ldp lsp command.
Information about the established LDP LSPs is displayed.
# The display on PE1 is used as an example.
[PE1] display mpls ldp session
# Configure CE2.
<Huawei> system-view
[Huawei] sysname CE2
[CE2] interface gigabitethernet 1/0/0.1
[CE2-GigabitEthernet1/0/0.1] ip address 10.2.1.1 255.255.255.0
[CE2-GigabitEthernet1/0/0.1] qinq termination pe-vid 200 ce-vid 20
[CE2-GigabitEthernet1/0/0.1] quit
# Configure CE3.
<Huawei> system-view
[Huawei] sysname CE3
[CE3] interface gigabitethernet 1/0/0.1
[CE3-GigabitEthernet1/0/0.1] ip address 10.3.1.1 255.255.255.0
[CE3-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10
[CE3-GigabitEthernet1/0/0.1] quit
# Configure CE4.
<Huawei> system-view
[Huawei] sysname CE4
[CE4] interface gigabitethernet 1/0/0.1
[CE4-GigabitEthernet1/0/0.1] ip address 10.4.1.1 255.255.255.0
[CE4-GigabitEthernet1/0/0.1] qinq termination pe-vid 200 ce-vid 20
[CE4-GigabitEthernet1/0/0.1] quit
Step 4 Configure VPN instances on PEs and bind the instances to the interfaces connected to CEs.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface gigabitethernet 1/0/0.1
[PE1-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE1-GigabitEthernet1/0/0.1] ip address 10.1.1.2 24
[PE1-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10
[PE1-GigabitEthernet1/0/0.1] quit
[PE1] interface gigabitethernet 2/0/0.1
[PE1-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb
[PE1-GigabitEthernet2/0/0.1] ip address 10.2.1.2 24
[PE1-GigabitEthernet2/0/0.1] qinq termination pe-vid 200 ce-vid 20
[PE1-GigabitEthernet2/0/0.1] quit
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface gigabitethernet 1/0/0.1
[PE2-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE2-GigabitEthernet1/0/0.1] ip address 10.3.1.2 24
[PE2-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10
[PE2-GigabitEthernet1/0/0.1] quit
[PE2] interface gigabitethernet 2/0/0.1
[PE2-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb
[PE2-GigabitEthernet2/0/0.1] ip address 10.4.1.2 24
[PE2-GigabitEthernet2/0/0.1] qinq termination pe-vid 200 ce-vid 20
[PE2-GigabitEthernet2/0/0.1] quit
# After the configuration is complete, run the display ip vpn-instance verbose command on
PEs to check the VPN instance configuration. Each PE can ping its connected CE.
NOTE
If multiple interfaces of a PE are bound to the same VPN instance, run the ping -vpn-instance vpn-
instance-name -a source-ip-address dest-ip-address command with -a source-ip-address specified to
ping the CE connected to the remote PE. Otherwise, the ping operation may fail.
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 10.10.1.9 as-number 100
[PE2-bgp] peer 10.10.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 10.10.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
# After the configuration is complete, run the display bgp peer or display bgp vpnv4 all
peer command on PEs. The command output shows that a BGP peer relationship has been
established between PEs.
[PE1] display bgp peer
Step 6 Set up EBGP peer relationships between PEs and CEs and import VPN routes into BGP.
# Configure CE1. The configurations of other CEs are similar to the configuration on CE1,
and are not mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
# Configure PE1. The configuration of PE2 is similar to the configuration of PE1, and is not
mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit
# After the configuration is complete, run the display bgp vpnv4 vpn-instance peer
command on PEs. The command output shows that BGP peer relationships have been
established between PEs and CEs.
# The peer relationship between PE1 and CE1 is used as an example.
[PE1] display bgp vpnv4 vpn-instance vpna peer
# CEs in the same VPN can ping each other, whereas CEs in different VPNs cannot.
# For example, CE1 can ping CE3 at 10.3.1.1 but cannot ping CE4 at 10.4.1.1.
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.4.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
----End
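The isolation seen in the ping test, here and in the Dot1q example before it, holds only while no VPN instance imports a route target that another instance exports and every termination sub-interface is bound to its intended instance. The Python script below is an added example, not part of the Huawei manual: it parses a VRP configuration and reports both conditions. PE1_CONFIG is constructed from the PE1 settings in this example; the vpnc instance, the GigabitEthernet2/0/0.2 sub-interface and the function names are hypothetical.

```python
import re

# Constructed sample: PE1's VPN instances and QinQ termination sub-interfaces
# as configured in this example (backbone and BGP stanzas omitted).
PE1_CONFIG = """\
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
interface GigabitEthernet1/0/0.1
 qinq termination pe-vid 100 ce-vid 10
 ip binding vpn-instance vpna
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0.1
 qinq termination pe-vid 200 ce-vid 20
 ip binding vpn-instance vpnb
 ip address 10.2.1.2 255.255.255.0
#
"""

# Constructed faulty additions (hypothetical, not from the manual): vpnc imports
# vpnb's route target, and one termination sub-interface has no VPN binding.
FAULTY_CONFIG = PE1_CONFIG + """\
ip vpn-instance vpnc
 ipv4-family
  route-distinguisher 100:3
  vpn-target 333:3 export-extcommunity
  vpn-target 333:3 222:2 import-extcommunity
#
interface GigabitEthernet2/0/0.2
 qinq termination pe-vid 300 ce-vid 30
 ip address 10.5.1.2 255.255.255.0
#
return
"""

DIRECTIONS = {"import-extcommunity": ["import"], "export-extcommunity": ["export"],
              "both": ["import", "export"]}
# Dot1q carries one VID; QinQ carries pe-vid and ce-vid (a ce-vid range keeps its first VID).
TERMINATION = re.compile(r"(?:dot1q termination vid|qinq termination pe-vid) (\d+)(?: ce-vid (\d+))?")


def parse_pe(text):
    """Return (vpn instances, sub-interfaces) parsed from '#'-separated VRP stanzas."""
    instances, subifs = {}, {}
    for stanza in re.split(r"(?m)^#[ \t]*$", text):
        lines = [ln.strip() for ln in stanza.splitlines() if ln.strip()]
        if not lines:
            continue
        head, body = lines[0], lines[1:]
        if m := re.fullmatch(r"ip vpn-instance (\S+)", head):
            inst = instances[m.group(1)] = {"import": set(), "export": set()}
            for words in (ln.split() for ln in body if ln.startswith("vpn-target ")):
                # The last word gives the direction; a bare RT list means both.
                sides = DIRECTIONS.get(words[-1])
                rts = words[1:-1] if sides else words[1:]
                for side in sides or DIRECTIONS["both"]:
                    inst[side].update(rts)
        elif m := re.fullmatch(r"interface (\S+\.\d+)", head):
            sub = subifs[m.group(1)] = {"tags": None, "vpn": None}
            for line in body:
                if t := TERMINATION.match(line):
                    sub["tags"] = tuple(int(g) for g in t.groups() if g)
                elif b := re.fullmatch(r"ip binding vpn-instance (\S+)", line):
                    sub["vpn"] = b.group(1)
    return instances, subifs


def audit(text, allowed_leaks=frozenset()):
    """List isolation findings; allowed_leaks holds intended (exporter, importer) pairs."""
    instances, subifs = parse_pe(text)
    findings = []
    for exp_name, exp in sorted(instances.items()):
        for imp_name, imp in sorted(instances.items()):
            if exp_name != imp_name and (exp_name, imp_name) not in allowed_leaks:
                # Routes exported with this RT are installed in the importer's table.
                for rt in sorted(exp["export"] & imp["import"]):
                    findings.append(("rt-leak", exp_name, imp_name, rt))
    for name, sub in sorted(subifs.items()):
        if sub["tags"] and sub["vpn"] not in instances:
            # Tagged customer traffic would be routed outside any defined VPN instance.
            findings.append(("termination-not-in-vpn", name, sub["tags"], sub["vpn"]))
    return findings


if __name__ == "__main__":
    print(*audit(FAULTY_CONFIG), sep="\n")
```

The configuration from this example produces no findings; designs that share route targets on purpose, such as an extranet, can list those pairs in allowed_leaks.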
Configuration Files
• PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 10.10.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0.1
qinq termination pe-vid 100 ce-vid 10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 200 ce-vid 20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 172.16.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.10.1.9 255.255.255.255
#
bgp 100
peer 10.30.3.9 as-number 100
peer 10.30.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 10.30.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 10.30.3.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.1 as-number 65410
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.2.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 10.10.1.9 0.0.0.0
network 172.16.1.0 0.0.0.255
#
return
• P configuration file
#
sysname P
#
mpls lsr-id 10.20.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.16.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 172.26.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.20.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.20.2.9 0.0.0.0
network 172.16.1.0 0.0.0.255
network 172.26.1.0 0.0.0.255
#
return
• PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 10.30.3.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0.1
qinq termination pe-vid 100 ce-vid 10
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 200 ce-vid 20
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 172.26.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.30.3.9 255.255.255.255
#
bgp 100
peer 10.10.1.9 as-number 100
peer 10.10.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 10.10.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 10.10.1.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.3.1.1 as-number 65430
#
ipv4-family vpn-instance vpnb
import-route direct
Purpose
Data, voice, and video services are often transmitted simultaneously over a network. Packet
loss and delay seriously affect the voice communication quality. Voice services, in particular,
require a higher forwarding priority than data or video services. When bandwidth is limited,
voice data must have transmission preference over other types of data. This can be done by
configuring a voice VLAN on the switch to transmit voice data and setting QoS parameters in
the voice VLAN so that voice data is given preference when congestion occurs.
The interface enabled with voice VLAN determines whether the incoming data is voice data
based on source MAC addresses of the data packets. If a source MAC address matches the
Organizationally Unique Identifier (OUI), the data with the source MAC address is
considered as voice data. Then the interface that receives voice data is automatically added to
the voice VLAN. In this manner, voice data can be managed more conveniently.
As shown in Figure 7-1, traffic from the PC and the IP Phone is transmitted to the Router. To
differentiate voice data from other data, the IP Phone traffic is isolated in a separate VLAN
and is assigned a higher priority to ensure voice quality. In this case, you can configure voice
VLAN on the router. The router assigns a higher priority to voice packets tagged with the voice
VLAN ID from IP phones so that the voice packets can be preferentially forwarded and voice
quality is ensured.
[Figure: networking diagram; labels: Internet, IP Phone_1, IP Phone_2, IP Phone_3, PC_1, PC_3]
On different interfaces of the router, you can specify different VLANs as voice VLANs. On
an interface, however, you can specify only one VLAN as a voice VLAN.
Basic Concepts
• OUI
An OUI indicates a MAC address segment.
You can perform the AND operation on a 48-bit MAC address and a mask to obtain the
OUI. The length of all 1s in the mask determines the number of matched bits between
the MAC address of a device and the OUI. For example, if the specified MAC address is
0001-0001-0001 and the mask is FFFF-FF00-0000, the OUI is 0001-0000-0000. In this
example, if the first 24 bits of the MAC address of the device match the first 24 bits of
the OUI, the interface enabled with voice VLAN considers the data from the access
device as voice data, and the device as a voice device.
• Mode in which an interface is added to a voice VLAN
Table 7-1 describes the mode in which an interface is added to a voice VLAN.
You can add different interfaces to voice VLANs in different modes, which are
independent of each other.
• Working mode of a voice VLAN
Table 7-2 shows the working mode of a voice VLAN.
Secure:
The inbound interface enabled with the voice VLAN function allows only the voice packets
in which the source MAC address matches the OUI address of the voice VLAN, and
discards non-voice packets from the voice VLAN and forwards packets from other VLANs.
If the source MAC address does not match the OUI, the interface does not change the
priority of voice packets and prevents the voice packets from being forwarded in the voice
VLAN.
If the source MAC address matches the OUI, the interface changes the priority of voice
packets and allows the voice packets to be forwarded in the voice VLAN.
Transmitting voice and service data at the same time in a voice VLAN is not recommended.
If a voice VLAN must transmit both voice and service data, ensure that the voice VLAN
works in normal mode.
adds the voice VLAN tag and assigns a higher priority to the VoIP traffic, so the VoIP traffic
can be transmitted preferentially and voice quality is ensured.
NOTE
[Figure: networking diagram; labels: Internet, IP Phone_1, IP Phone_2, IP Phone_3, PC_1, PC_3]
Licensing Requirements
Voice VLAN is a basic feature of a router and is not under license control.
Feature Limitations
None
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run voice-vlan mac-address mac-address mask oui-mask [ description text ]
An OUI is configured.
When configuring an OUI for a voice VLAN, note the following:
• The mac-address value cannot be all 0s or a multicast or broadcast address.
• A device can be configured with a maximum of 16 OUIs. When the device is configured
with 16 OUIs, subsequent configurations will not take effect.
• When using the undo voice-vlan mac-address mac-address command to delete an OUI,
specify the mac-address value in this command as the result of the AND operation by
using the configured MAC address and mask.
----End
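The AND-based OUI match and the constraints listed under Step 2, as an added Python example (not Huawei code; the class and function names are hypothetical, and security_mode_action is a simplified model of the security-mode behaviour described in this chapter). The MAC addresses are the ones that appear on this page.

```python
MAX_OUIS = 16  # the page: a device can be configured with a maximum of 16 OUIs


def parse_mac(text):
    """Parse the xxxx-xxxx-xxxx notation used on this page into a 48-bit integer."""
    digits = text.replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value):
    """Format a 48-bit integer back into xxxx-xxxx-xxxx (lower case)."""
    digits = f"{value:012x}"
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def make_oui(mac_text, mask_text):
    """Return (oui, mask) after the checks the page lists for mac-address."""
    mac, mask = parse_mac(mac_text), parse_mac(mask_text)
    if mac == 0:
        raise ValueError("mac-address cannot be all 0s")
    if (mac >> 40) & 0x01:  # group bit of the first octet; also covers broadcast
        raise ValueError("mac-address cannot be a multicast or broadcast address")
    return mac & mask, mask


class OuiTable:
    def __init__(self):
        self.entries = []

    def add(self, mac_text, mask_text):
        """Store an OUI; returns False when the 16-entry limit blocks the change."""
        entry = make_oui(mac_text, mask_text)
        if entry in self.entries:
            return True
        if len(self.entries) >= MAX_OUIS:
            return False
        self.entries.append(entry)
        return True

    def undo_argument(self, mac_text, mask_text):
        """mac-address value to give the undo command: the AND result, not the input."""
        return format_mac(make_oui(mac_text, mask_text)[0])

    def is_voice(self, src_mac_text):
        mac = parse_mac(src_mac_text)
        return any(mac & mask == oui for oui, mask in self.entries)

    def security_mode_action(self, src_mac_text, vlan_id, voice_vlan):
        """Simplified security-mode decision for one received packet."""
        if vlan_id != voice_vlan:
            return "forward"                   # packets from other VLANs
        if self.is_voice(src_mac_text):
            return "forward-with-priority"     # source MAC matches an OUI
        return "discard"                       # non-voice packet in the voice VLAN


if __name__ == "__main__":
    table = OuiTable()
    table.add("0003-6B00-0001", "ffff-ff00-0000")
    for mac in ("0003-6B00-0002", "286E-D400-0001"):
        print(mac, table.security_mode_action(mac, vlan_id=2, voice_vlan=2))
```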
Context
When source MAC addresses of packets match the OUI of a voice VLAN, the device enabled
with voice VLAN identifies voice data packets based on the source MAC addresses and
changes the priority of voice data packets to improve the voice data transmission quality.
Procedure
Step 1 Run system-view
A voice VLAN is configured and the voice VLAN function is enabled on the port.
NOTE
----End
Procedure
Step 1 Run system-view
NOTE
Access ports cannot be automatically added to a voice VLAN. To add an access port to a voice VLAN,
run the port link-type command to change the link type to trunk or hybrid.
----End
Procedure
• Security mode
a. Run the system-view command to enter the system view.
b. Run the interface interface-type interface-number command to enter the interface
view.
c. Run the voice-vlan security enable command to configure the voice VLAN to work
in security mode.
By default, a voice VLAN works in security mode.
• Normal mode
a. Run the system-view command to enter the system view.
b. Run the interface interface-type interface-number command to enter the interface
view.
c. Run the undo voice-vlan security enable command to configure the voice VLAN
to work in normal mode.
By default, a voice VLAN works in security mode.
----End
The DSCP value is indicated by the 6 bits in the Type of Service (ToS) field in the IPv4
packet header. DSCP, as the signaling for DiffServ, is used for QoS guarantee on IP networks.
The traffic controller on the network gateway takes actions merely based on the information
carried by the 6 bits.
Procedure
Step 1 Run system-view
An 802.1p priority and a DSCP value are configured for a voice VLAN.
By default, the 802.1p priority and DSCP value for a voice VLAN are 6 and 46 respectively.
NOTE
----End
Context
The switch can encapsulate voice VLAN information into LLDPDUs and send them to
connected IP phones. However, IP phones of some vendors send Cisco Discovery Protocol
(CDP) packets. You can run the voice-vlan legacy enable command to enable the
CDP-compatible function so that the switch encapsulates voice VLAN information in CDP
packets and sends them to connected IP phones.
Procedure
Step 1 Run system-view
By default, ports on Huawei devices cannot communicate with voice devices of other
vendors.
----End
Procedure
• Run the display voice-vlan [ vlan-id ] status command to check information about the
voice VLAN, including the working mode, security mode, and the 802.1p priority and
DSCP value as well as the configuration of the port enabled with the voice VLAN
function.
• Run the display voice-vlan oui command to check information about the OUI of the
voice VLAN, including the mask and description of the OUI.
----End
• Create VLANs.
Context
An Organizationally Unique Identifier (OUI) is the first 24 bits of a MAC address, and is a
unique identifier assigned to a device vendor.
An OUI represents a MAC address segment that is obtained by performing the AND
operation between a 48-bit MAC address and a mask. If the first 24 bits of the MAC address
of a device are the same as an OUI, a voice VLAN-enabled port considers the device as a
voice device and data from the device as voice data.
Procedure
Step 1 Run system-view
An OUI is configured.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of the interface is displayed.
Step 3 Run voice-vlan vlan-id enable
A voice VLAN is configured and the voice VLAN function is enabled on the port.
By default, the voice VLAN function is disabled on a port.
NOTE
----End
• If access ports are connected to voice devices, run the port default vlan vlan-id
command to manually add these ports to a voice VLAN.
• If trunk ports are connected to voice devices, run the port trunk allow-pass vlan vlan-id
command to manually add these ports to a voice VLAN.
• If hybrid ports are connected to voice devices, do as follows as required:
– Run the port hybrid untagged vlan vlan-id command to manually add these ports
to a voice VLAN in untagged mode.
NOTE
Only the 8FE1GE and 24GE cards support untagged packets.
– Run the port hybrid tagged vlan vlan-id command to manually add these ports to
a voice VLAN in tagged mode.
----End
Procedure
• Security mode
a. Run the system-view command to enter the system view.
b. Run the interface interface-type interface-number command to enter the interface
view.
c. Run the voice-vlan security enable command to configure the voice VLAN to work
in security mode.
By default, a voice VLAN works in security mode.
• Normal mode
a. Run the system-view command to enter the system view.
b. Run the interface interface-type interface-number command to enter the interface
view.
c. Run the undo voice-vlan security enable command to configure the voice VLAN
to work in normal mode.
By default, a voice VLAN works in security mode.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
NOTE
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
----End
[Figure: networking diagram; labels: Internet, IP Phone_1 (MAC:0003-6B00-0001, Mask:ffff-ff00-0000), IP Phone_3, IP Phone_2 (MAC:0003-6B00-0002, Mask:ffff-ff00-0000), PC_1, PC_3, 286E-D400-0001]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and VLANIF interfaces on Router and configure interfaces so that users
can access the WAN.
2. Configure an OUI so that the switch adds a VLAN tag to voice packets in which the
source MAC address matches the OUI.
3. Configure a voice VLAN and set the mode in which interfaces are added to the voice
VLAN to auto so that voice data packets are transmitted in the voice VLAN with a high
priority.
Procedure
Step 1 Create VLANs and configure interfaces on the Router.
# Create VLAN 2 and VLAN 3.
<Huawei> system-view
[Huawei] vlan batch 2 3
NOTE
The configured OUI must match the MAC address of the downlink voice device.
The configuration of Eth2/0/1 is similar to the configuration of Eth2/0/0, and is not mentioned
here.
Step 4 Verify the configuration.
# Run the display voice-vlan oui command to check the OUI of the voice VLAN.
<Huawei> display voice-vlan oui
---------------------------------------------------
# Run the display voice-vlan 2 status command to check the voice VLAN configuration,
including the status and mode in which the interface is added to the voice VLAN.
<Huawei> display voice-vlan 2 status
Voice VLAN Configurations:
-----------------------------------------------------------
Voice VLAN ID : 2
Voice VLAN status : Enable
----End
Configuration Files
Router configuration file
#
voice-vlan mac-address 0003-6b00-0000 mask ffff-ff00-0000
#
vlan batch 2 to 3
#
interface Ethernet2/0/0
voice-vlan 2 enable
port hybrid pvid vlan 3
port hybrid untagged vlan 3
#
interface Ethernet2/0/1
voice-vlan 2 enable
port hybrid pvid vlan 3
port hybrid untagged vlan 3
#
return
[Figure: networking diagram; labels: Internet, IP Phone_1 (MAC:0003-6B00-0001, Mask:ffff-ff00-0000), IP Phone_3, IP Phone_2 (MAC:0003-6B00-0002, Mask:ffff-ff00-0000), PC_1, PC_3, 286E-D400-0001]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and VLANIF interfaces on Router and configure interfaces so that users
can access the WAN.
2. Configure an OUI so that the switch adds a VLAN tag to voice packets in which the
source MAC address matches the OUI.
3. Configure a voice VLAN and set the mode in which interfaces are added to the voice
VLAN to auto so that voice data packets are transmitted in the voice VLAN with a high
priority.
Procedure
Step 1 Create VLANs and configure interfaces on the Router.
# Create VLAN 2 and VLAN 3.
<Huawei> system-view
[Huawei] vlan batch 2 3
NOTE
The configured OUI must match the MAC address of the downlink voice device.
The configuration of Eth2/0/1 is similar to the configuration of Eth2/0/0, and is not mentioned
here.
Step 4 Verify the configuration.
# Run the display voice-vlan oui command to check the OUI of the voice VLAN.
<Huawei> display voice-vlan oui
---------------------------------------------------
OuiAddress Mask Description
---------------------------------------------------
0003-6b00-0000 ffff-ff00-0000
# Run the display voice-vlan 2 status command to check the voice VLAN configuration,
including the status and mode in which the interface is added to the voice VLAN.
<Huawei> display voice-vlan 2 status
Voice VLAN Configurations:
-----------------------------------------------------------
Voice VLAN ID : 2
Voice VLAN status : Enable
Voice VLAN 8021p remark : 6
Voice VLAN dscp remark : 46
-----------------------------------------------------------
Port Information:
-----------------------------------------------------------
Port Add-Mode Security-Mode Legacy
-----------------------------------------------------------
Ethernet2/0/1 Manual Security Disable
Ethernet2/0/0 Manual Security Disable
----End
Configuration Files
Router configuration file
#
voice-vlan mac-address 0003-6b00-0000 mask ffff-ff00-0000
#
vlan batch 2 to 3
#
interface Ethernet2/0/0
voice-vlan 2 enable
voice-vlan mode manual
port hybrid pvid vlan 3
port hybrid untagged vlan 2 to 3
#
interface Ethernet2/0/1
voice-vlan 2 enable
7.9.1 How Can I Change the Voice VLAN Priority on the AR?
The voice VLAN priorities of low-end and high-end ARs are configured using the following
methods:
• High-end ARs (such as the AR2200-S and AR3200-S) whose chips support ACL: After an
interface is added to the voice VLAN, the ACL sets the priority of a packet to 6 by
default, or you can run the voice-vlan remark { 8021p 8021p-value | dscp dscp-value }*
command to change the priority.
• Low-end ARs (such as the AR160-S, AR200-S and AR1200-S) whose chips do not
support ACL: You can change the VLAN priority only by running the vlan vlan-id
priority new-priority-value command.
8 QinQ Configuration
Definition
QinQ expands VLAN space by adding an additional 802.1Q tag to 802.1Q tagged packets. It
allows services in a private VLAN to be transparently transmitted over a public network. A
packet transmitted on the backbone network carries two 802.1Q tags: a public VLAN tag and
a private VLAN tag.
Purpose
Ethernet is widely used on ISP networks, but 802.1Q VLANs are unable to identify and
isolate large numbers of users on metro Ethernet networks because the 12-bit VLAN tag field
defined in IEEE 802.1Q only identifies a maximum of 4096 VLANs. QinQ was developed to
expand VLAN space beyond 4096 VLANs so that a larger number of users can be identified
on a metro Ethernet network.
QinQ technology adds a second 802.1Q tag to an 802.1Q-tagged packet. With this extra tag, the
number of VLANs increases to 4094 x 4094.
In addition to expanding VLAN space, QinQ is applied in other scenarios with the
development of metro Ethernet networks and carriers' requirements on refined service
operation. The outer and inner VLAN tags can be used to differentiate packets based on users
and services. For example, the inner tag represents a user, while the outer tag represents a
service. Moreover, QinQ functions as a simple and practical VPN technology by transparently
transmitting private VLAN services over a public network. It extends core MPLS VPN
services to metro Ethernet networks and implements an end-to-end VPN.
Benefits
QinQ offers the following benefits:
• Extends the VLAN space to isolate and identify more users.
• Facilitates service deployment by allowing the inner and outer tags to represent different
information. For example, the inner tag identifies a user and the outer tag identifies a
service.
• Allows ISPs to implement refined service operation by providing diversified
encapsulation and termination modes.
[Figure: QinQ encapsulation frame format]
Field:  DA | SA | 802.1Q TAG | 802.1Q TAG | LEN/ETYPE | DATA | FCS
Length: 6 Bytes | 6 Bytes | 4 Bytes | 4 Bytes | 2 Bytes | 46 Bytes~1500 Bytes | 4 Bytes
QinQ Encapsulation
QinQ encapsulation changes a single-tagged packet into a double-tagged packet.
QinQ encapsulation falls into basic QinQ and selective QinQ depending on the data
encapsulated. Basic QinQ refers to interface-based QinQ, and selective QinQ includes VLAN
ID-based QinQ and 802.1p priority-based QinQ.
• Interface-based QinQ encapsulation
This encapsulation mode is also called QinQ tunneling. It encapsulates packets arriving
at the same interface with the same outer VLAN tag, and therefore cannot distinguish
users and services at the same time.
• VLAN ID-based QinQ encapsulation
This encapsulation mode determines whether to add outer VLAN tags and which outer
VLAN tags to add based on data flows.
Traffic can be classified based on VLAN ID ranges if a customer uses different VLAN
IDs for different services. For example, PC users access the Internet through VLANs 101
to 200, IPTV users through VLANs 201 to 300, and VoIP users through VLANs 301 to
400. When receiving service data, the underlayer provider edge (UPE) adds outer tag
100 to packets from PCs, outer tag 300 to packets from IPTV users, and outer tag 500 to
packets from VoIP users.
• 802.1p priority-based QinQ encapsulation
This encapsulation mode determines whether to add outer VLAN tags and which outer
VLAN tags to add based on priorities of data flows.
For example, when different services of a user have different priorities, these services
can be transmitted over different data channels based on priorities.
QinQ Implementation
QinQ can be implemented in either of the following ways:
1. Basic QinQ
Basic QinQ is implemented based on interfaces. After basic QinQ is configured on an
interface, the device adds the default VLAN tag of this interface to all packets regardless
of whether the packets carry VLAN tags.
The Dot1q and QinQ termination sub-interfaces cannot transparently transmit untagged packets. They
directly discard untagged packets.
QinQ VLAN tag termination sub-interfaces provide different functions in different scenarios.
[Figure: basic QinQ networking diagram; labels: CE1, PE1, Network, PE2, CE2; Enterprise A Branch 1 (VLAN 10 to 50), Enterprise A Branch 2 (VLAN 10 to 50); tag labels 10 to 50 and 20]
Enterprise A has different services, so different VLANs are assigned. Basic QinQ is
configured on the CE interface connected to the carrier network. The outer VLAN 20 is added
to the packet passing through the CE interface and removed after the packet reaches another
branch. Traffic between two branches is transparently transmitted on the public network so
that users using the same service in different branches of enterprise A can communicate and
users using different services are isolated.
[Figure: selective QinQ networking diagram; labels: CE1, PE1, Network, PE2, CE2; Enterprise A Branch 1 (VLAN 10 to 50), Enterprise A Branch 2 (VLAN 10 to 50); Data: VLAN 10 to 30, Voice: VLAN 31 to 50; tag labels 10 to 30 with 20 and 31 to 50 with 21]
Enterprise A has different services, so different VLANs are assigned. Data services are
transmitted in VLAN 10 to VLAN 30, and voice services are transmitted in VLAN 31 to
VLAN 50.
Selective QinQ is configured on the user-side interface of the CE to add outer VLAN 20 to
packets with VLAN IDs 10 to 30, and outer VLAN 21 to packets with VLAN IDs 31 to 50,
and the device is configured to increase the priority of voice packets. Traffic between two
branches can be transparently transmitted through the public network so that users using the
same service in different branches of enterprise A can communicate, users using different
services are isolated, and voice services are transmitted preferentially.
8.2.4 TPID
The Tag Protocol Identifier (TPID) specifies the protocol type of a VLAN tag. The TPID
value defined in IEEE 802.1Q is 0x8100.
Figure 8-4 shows the Ethernet packet format defined in IEEE 802.1Q. An IEEE 802.1Q tag,
containing the TPID, lies between the Source Address field and the Length/Type field. A
device checks the TPID value in a received packet to determine whether the VLAN tag is an
S-VLAN tag or C-VLAN tag. The device compares the configured TPID value with the TPID
value in the packet. For example, if a frame carries the VLAN tag with TPID 0x8100 but the
TPID configured for a customer network on a device is 0x8200, the device considers the
frame untagged.
Carriers' systems may use different TPID values in outer VLAN tags. When a Huawei device
needs to interoperate with such a carrier system, set the TPID value to the value used by the
carrier so that QinQ packets sent from the Huawei device can be transmitted across the carrier
network. To prevent errors in packet forwarding and processing, do not set the TPID to any of
the values listed in Table 8-1.
ARP 0x0806
RARP 0x8035
IP 0x0800
IPv6 0x86DD
PPPoE 0x8863/0x8864
MPLS 0x8847/0x8848
IPX/SPX 0x8137
LACP 0x8809
802.1x 0x888E
HGMP 0x88A7
Reserved 0xFFFD/0xFFFE/0xFFFF
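How the configured TPID decides whether a device sees a tag at all, combined with the selective QinQ plan described earlier (inner VLANs 10 to 30 get outer VLAN 20, inner VLANs 31 to 50 get outer VLAN 21), as an added Python example that is not Huawei code. Function names, the sample frame bytes and the 802.1p values in the stacking plan are constructed for illustration.

```python
import struct

# Values the page says must not be used as a TPID (Table 8-1).
FORBIDDEN_TPIDS = {
    0x0806: "ARP", 0x8035: "RARP", 0x0800: "IP", 0x86DD: "IPv6",
    0x8863: "PPPoE", 0x8864: "PPPoE", 0x8847: "MPLS", 0x8848: "MPLS",
    0x8137: "IPX/SPX", 0x8809: "LACP", 0x888E: "802.1x", 0x88A7: "HGMP",
    0xFFFD: "Reserved", 0xFFFE: "Reserved", 0xFFFF: "Reserved",
}

# (low inner VID, high inner VID, outer VID, outer 802.1p). The VLAN ranges are
# the page's selective QinQ example; the 802.1p values are constructed.
STACKING = [(10, 30, 20, 0), (31, 50, 21, 5)]


def validate_tpid(tpid):
    """Reject TPIDs that collide with the protocol types in Table 8-1."""
    if not 0 <= tpid <= 0xFFFF:
        raise ValueError("TPID must be a 16-bit value")
    if tpid in FORBIDDEN_TPIDS:
        raise ValueError(f"TPID 0x{tpid:04X} collides with {FORBIDDEN_TPIDS[tpid]}")
    return tpid


def vlan_tag(tpid, vid, pcp=0):
    """4-byte tag: 16-bit TPID, then 3-bit priority, 1-bit DEI (0) and 12-bit VID."""
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def customer_frame(inner_vid):
    """Constructed single-tagged IPv4 frame; addresses and payload are dummy bytes."""
    dst, src = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    return dst + src + vlan_tag(0x8100, inner_vid) + struct.pack("!H", 0x0800) + bytes(46)


def push_outer_tag(frame, stacking=STACKING, outer_tpid=0x8100):
    """VLAN ID-based stacking: insert the outer tag selected by the inner VID."""
    validate_tpid(outer_tpid)
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != 0x8100:
        return frame                      # no customer tag, no entry can match
    inner_vid = tci & 0x0FFF
    for low, high, outer_vid, pcp in stacking:
        if low <= inner_vid <= high:
            return frame[:12] + vlan_tag(outer_tpid, outer_vid, pcp) + frame[12:]
    return frame                          # inner VID outside every configured range


def parse_tags(frame, outer_tpid=0x8100, inner_tpid=0x8100):
    """Return (outer_vid, outer_pcp, inner_vid, ethertype) as a receiver with the
    given configured TPIDs sees the frame; a tag with another TPID is not a tag."""
    outer_vid = outer_pcp = inner_vid = None
    offset = 12
    tpid, tci = struct.unpack("!HH", frame[offset:offset + 4])
    if tpid == outer_tpid:
        outer_vid, outer_pcp, offset = tci & 0x0FFF, tci >> 13, offset + 4
        tpid, tci = struct.unpack("!HH", frame[offset:offset + 4])
        if tpid == inner_tpid:
            inner_vid, offset = tci & 0x0FFF, offset + 4
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    return outer_vid, outer_pcp, inner_vid, ethertype


if __name__ == "__main__":
    voice = push_outer_tag(customer_frame(35))
    print("TPID 0x8100 configured:", parse_tags(voice))
    print("TPID 0x8200 configured:", parse_tags(voice, outer_tpid=0x8200))
```

With 0x8200 configured, the receiver finds no tag and reads 0x8100 as the frame type, which is the "considers the frame untagged" case described above.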
Basic QinQ
As shown in Figure 8-5, enterprise A has two branches that connect to the carrier network
through PE1 and PE2 respectively. Enterprise A has different services, so different VLANs
are assigned. To save public VLAN IDs, it is required that traffic between two branches of
enterprise A be transparently transmitted through the public network, users using the same
service in different branches of enterprise A be allowed to communicate, and users using
different services be isolated. You can configure QinQ on the network-side interface of the CE
to meet the preceding requirements.
[Figure 8-5: basic QinQ networking diagram; labels: CE1, PE1, Network, PE2, CE2; Enterprise A Branch 1 (VLAN 10 to 50), Enterprise A Branch 2 (VLAN 10 to 50); tag labels 10 to 50 and 20]
Selective QinQ
As shown in Figure 8-6, enterprise A has two branches that connect to the carrier network
through PE1 and PE2 respectively. Enterprise A has different services, so different VLANs
are assigned. Data services are transmitted in VLAN 10 to VLAN 30, and voice services are
transmitted in VLAN 31 to VLAN 50. To save public VLAN IDs, it is required that traffic
between two branches of enterprise A be transparently transmitted through the public
network, users using the same service in different branches of enterprise A be allowed to
communicate, users using different services be isolated, and voice services be transmitted
preferentially. You can configure selective QinQ on the user-side interface of the CE to meet
the preceding requirements.
[Figure 8-6: selective QinQ networking diagram; labels: CE1, PE1, Network, PE2, CE2; Enterprise A Branch 1 (VLAN 10 to 50), Enterprise A Branch 2 (VLAN 10 to 50); Data: VLAN 10 to 30, Voice: VLAN 31 to 50; tag labels 10 to 30 with 20 and 31 to 50 with 21]
Configure QinQ tunneling | This section describes how to configure QinQ tunneling, including basic QinQ and selective QinQ. | 8.6 Configuring QinQ Tunneling
Set the TPID value in an outer VLAN tag | To enable interoperation between devices from different vendors, set the same TPID value in outer VLAN tags on the devices. | 8.9 Configuring the TPID Value in an Outer VLAN Tag
Licensing Requirements
QinQ is a basic feature of a router and is not under license control.
Feature Limitations
When deploying QinQ on the router, pay attention to the following:
• Before configuring QinQ on an interface, add the interface to a network bridge. If the
interface is deleted from the network bridge, the QinQ configuration is also deleted from
the interface.
• You can configure only QinQ, selective QinQ, or VLAN mapping on a sub-interface.
NOTE
Only the AR100-S, AR110-S, AR120-S, AR150-S, AR160-S, AR200-S series routers support QinQ
tunneling.
Only the AR1200-S, AR2200-S, AR3200-S series routers support termination sub-interface access to the
VPN.
Context
Dot1q tunnel isolates a carrier network from a user network and is widely used when users
connect to a carrier network. When private networks connect to a carrier network through CEs
and PEs, run the vlan dot1q-tunnel command on CE interfaces connected to PEs so that the
CE interfaces add the outer VLAN tag allocated by the carrier to user packets. This
implementation saves VLAN IDs and allows user packets to be transparently transmitted on
the carrier network.
Procedure
• Configure basic QinQ on a sub-interface.
a. Run system-view
NOTE
NOTE
The vlan dot1q-tunnel command can be only executed at one time on a sub-
interface and the VLAN specified by tunnel-vlan-id must be allowed by the sub-
interface.
Procedure
• Configure VLAN ID-based VLAN stacking.
– Configure VLAN ID-based VLAN stacking on a Layer 3 sub-interface.
i. Run system-view
The VLANs allowed by all sub-interfaces of the same main interface cannot overlap.
The vlan stacking default command can be executed on only one sub-interface of each
main interface. Packets are forwarded through the default sub-interface when the packets do
not match VLAN stacking entries on other sub-interfaces.
– Configure VLAN ID-based VLAN stacking on a Layer 2 VE interface.
i. Run system-view
The system view is displayed.
ii. Run interface virtual-ethernet ve-number
A VE interface is created and the VE interface view is displayed.
iii. Run portswitch
The VE interface is switched from Layer 3 to Layer 2.
iv. Run port link-type hybrid
The link type of the interface is set to hybrid.
By default, the link type of an interface is hybrid.
v. Run vlan stacking vid low-ce-vid [ to high-ce-vid ] pe-vid pe-vid-value
[ remark-8021p 8021p-val ]
VLAN ID-based VLAN stacking is configured on the Layer 2 VE interface.
NOTE
• VLAN stacking and VLAN mapping can take effect, but VLAN IDs of multiple
CEs must be unique, VLAN IDs in the original and mapped tags must be different,
and VLAN IDs of multiple PEs must be unique.
• Layer 2 Ethernet interfaces support only VLAN ID-based VLAN stacking, and do
not support VLAN stacking based on 802.1p priorities or VLAN IDs and 802.1p
priorities.
• When VLAN stacking is canceled on a Layer 2 Ethernet interface, the VLAN ID
range allowed must be the same as the configured VLAN ID range.
• This command can be configured on an interface multiple times, and a maximum
of 128 VLAN stacking entries can be configured on all interfaces.
• Configure 802.1p priority-based selective QinQ.
a. Run system-view
NOTE
NOTE
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface { ethernet | gigabitethernet } interface-number.subinterface-number
The Ethernet sub-interface view is displayed.
Step 3 Run dot1q termination vid low-pe-vid [ to high-pe-vid ]
The sub-interface is configured to terminate single-tagged packets.
NOTE
NOTE
You can run this command on a sub-interface only after the L2VPN function is enabled on the sub-
interface.
For details on how to configure VLL, see "VLL Configuration" and "VPLS Configuration" in the AR
Configuration Guide - VPN.
----End
Asymmetrical Strips the double tags. Strips two tags and adds one
tag.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface { ethernet | gigabitethernet } interface-number.subinterface-number
The Ethernet sub-interface view is displayed.
Step 3 Run qinq termination l2 { symmetry | asymmetry }
A mode of the QinQ VLAN tag termination sub-interface is configured.
By default, a QinQ termination sub-interface uses the asymmetrical mode.
Step 4 Run qinq termination pe-vid pe-vid ce-vid ce-vid1 [ to ce-vid2 ]
The sub-interface is configured to terminate double-tagged packets.
NOTE
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface { ethernet | gigabitethernet } interface-number.subinterface-number
The Ethernet sub-interface view is displayed.
Step 3 Run ip binding vpn-instance vpn-instance-name
A VPN instance is bound to the sub-interface.
Step 4 Run ip address ip-address { mask | mask-length } [ sub ]
An IP address is configured for the Ethernet sub-interface.
NOTE
When two or more IP addresses are configured for an Ethernet interface, use sub to specify the second
IP address and subsequent IP addresses.
NOTE
----End
Procedure
Step 1 Run system-view
The system view is displayed.
NOTE
When two or more IP addresses are configured for an Ethernet interface, use sub to specify the second
IP address and subsequent IP addresses.
NOTE
----End
Configure L3VPN functions on the CE, PE, and P. For details, see "BGP/MPLS IP VPN
Configuration" in the Huawei AR Series Access Routers Configuration Guide - VPN.
Procedure
• Run the display dot1q information termination [ interface interface-type
interface-number [.subinterface-number ] ] command to check the Dot1q sub-interface
configuration.
• Run the display qinq information termination [ interface interface-type
interface-number [.subinterface-number ] ] command to check the QinQ sub-interface
configuration.
• Run the display ip vpn-instance [ verbose ] [ vpn-instance-name ] command to check
information about a VPN instance.
----End
Context
Devices from different vendors or in different network plans may use different TPID values in
VLAN tags of VLAN packets. To adapt to an existing network plan, the device supports TPID
value configuration. You can set the TPID value on the device to be the same as the TPID
value in the network plan to ensure compatibility with the current network.
NOTE
- To implement interoperability with a non-Huawei device, ensure that the protocol type in the outer
  VLAN tag added by the router can be identified by the non-Huawei device.
- The qinq protocol command identifies incoming packets, and adds or changes the TPID value of
  outgoing packets.
- The protocol ID configured on an interface by the qinq protocol command must be different from
  other commonly used protocol IDs; otherwise, the interface cannot distinguish packets of these
  protocols. For example, protocol-id cannot be set to 0x0806, which is the ARP protocol ID.
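The constraints in the note above, as an added example (not Huawei code): a Python check that rejects a protocol ID colliding with an EtherType already in use, and a tag parser showing that a receiver recognises the outer tag only when its TPID matches the sender's. The TPID 0x9100, the MAC addresses and the frame are constructed sample values, and the collision list is a small illustrative subset.

```python
import struct

# Small illustrative subset of EtherTypes already owned by other protocols.
WELL_KNOWN_ETHERTYPES = {
    0x0800: "IPv4",
    0x0806: "ARP",
    0x86DD: "IPv6",
    0x8847: "MPLS unicast",
    0x8863: "PPPoE discovery",
    0x8864: "PPPoE session",
}


def check_protocol_id(protocol_id):
    """Return why protocol_id is unsuitable as a QinQ TPID, or None if usable."""
    if not 0x0600 <= protocol_id <= 0xFFFF:
        return "not an EtherType (values below 0x0600 are 802.3 length fields)"
    if protocol_id in WELL_KNOWN_ETHERTYPES:
        return "collides with " + WELL_KNOWN_ETHERTYPES[protocol_id]
    return None


def build_frame(dst, src, tags, ethertype, payload):
    """Build an Ethernet frame; tags is a list of (tpid, pcp, vid), outermost first."""
    out = dst + src
    for tpid, pcp, vid in tags:
        out += struct.pack("!HH", tpid, (pcp << 13) | vid)
    return out + struct.pack("!H", ethertype) + payload


def parse_tags(frame, outer_tpid, inner_tpid=0x8100):
    """Peel up to two VLAN tags as a receiver configured with outer_tpid would.

    Returns (tags, ethertype); tags is a list of (tpid, pcp, vid). A frame whose
    outer TPID differs from outer_tpid comes back untagged, with the foreign
    TPID reported as an unknown EtherType.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, tags = 12, []
    for expected in (outer_tpid, inner_tpid):
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype != expected:
            break
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((etype, tci >> 13, tci & 0x0FFF))
        offset += 4
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    return tags, ethertype


# Constructed sample: ARP frame with inner VLAN 10 (TPID 0x8100) and outer
# VLAN 20, sent by a device whose outer TPID was set to 0x9100.
SAMPLE = build_frame(
    dst=bytes.fromhex("ffffffffffff"),
    src=bytes.fromhex("020000000001"),
    tags=[(0x9100, 0, 20), (0x8100, 0, 10)],
    ethertype=0x0806,
    payload=bytes(28),
)

if __name__ == "__main__":
    for pid in (0x0806, 0x8100, 0x9100):
        print(hex(pid), check_protocol_id(pid) or "ok")
    print("receiver expecting 0x9100:", parse_tags(SAMPLE, 0x9100))
    print("receiver expecting 0x8100:", parse_tags(SAMPLE, 0x8100))
```

The second parse returns no tags and EtherType 0x9100: a peer left at a different TPID sees the frame as an unknown protocol rather than as VLAN 20 traffic.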
Procedure
Step 1 Run system-view
----End
Networking Requirements
As shown in Figure 8-7, enterprise A has two branches that connect to the carrier network
through PE1 and PE2 respectively. Enterprise A has different services, so different VLANs
are assigned.
Figure 8-7 (diagram not reproduced): Enterprise A Branch 1 (VLAN 10 to 50) attaches to CE1 and
Branch 2 (VLAN 10 to 50) attaches to CE2; CE1 and CE2 reach PE1 and PE2, which connect across
the carrier network in VLAN 20. The devices use interfaces GE0/0/0 and GE0/0/1.
Configuration Roadmap
The configuration roadmap is as follows:
You can configure the basic QinQ function on a CE connected to a PE and implement
communication between two branches of enterprise A through VLAN 20 provided by the
carrier.
1. Create a bridge group and add a sub-interface to the bridge group.
2. Configure VLANs allowed by the sub-interface.
3. Configure basic QinQ on the CE interface connected to the PE so that the CE can add the
S-VLAN tag to user packets.
4. Add interfaces of the PE and P to VLAN 20 so that packets from VLAN 20 are allowed
to pass through.
Procedure
Step 1 Create a bridge group and add a sub-interface to the bridge group.
# Create a bridge group and add a sub-interface to the bridge group on CE1. The
configuration of CE2 is similar to that of CE1.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] bridge 1
[CE1-bridge1] quit
[CE1] interface gigabitethernet 0/0/0.1
[CE1-GigabitEthernet0/0/0.1] bridge 1
[CE1-GigabitEthernet0/0/0.1] bridge vlan-transmit enable
Step 4 Add interfaces on PE1, PE2, and P to VLAN 20 in trunk mode. The configurations of PE2
and P are similar to the configuration of PE1.
# Add GE0/0/0 and GE0/0/1 on PE1 to VLAN 20 in trunk mode.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 0/0/0
[PE1-GigabitEthernet0/0/0] port link-type trunk
[PE1-GigabitEthernet0/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet0/0/0] quit
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] port link-type trunk
[PE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 20
[PE1-GigabitEthernet0/0/1] quit
----End
Configuration Files
- CE1 configuration file
#
sysname CE1
#
bridge 1
#
interface GigabitEthernet0/0/0.1
bridge 1
bridge vlan-transmit enable
vlan allow-pass vid 10 to 50
vlan dot1q-tunnel 20
#
return
interface GigabitEthernet0/0/0.1
bridge 1
bridge vlan-transmit enable
vlan allow-pass vid 10 to 50
vlan dot1q-tunnel 20
#
return
- P configuration file
#
sysname P
#
vlan batch 20
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
return
Networking Requirements
As shown in Figure 8-8, enterprise A has two branches that connect to the carrier network
through PE1 and PE2 respectively. Enterprise A has different services, so different VLANs
are assigned. Data services are transmitted in VLAN 10 to VLAN 30, and voice services are
transmitted in VLAN 31 to VLAN 50.
Figure 8-8 (diagram not reproduced): Enterprise A Branch 1 and Branch 2 (each VLAN 10 to 50;
data: VLAN 10 to 30, voice: VLAN 31 to 50) attach to CE1 and CE2, which connect to the carrier
network. The devices use interfaces GE0/0/0 and GE0/0/1.
Configuration Roadmap
The configuration roadmap is as follows:
You can configure selective QinQ on the CE user-side interface and implement
communication between two branches of enterprise A through VLAN 60 and VLAN 61
provided by the carrier.
1. Create a bridge group and add sub-interfaces to the bridge group.
2. Configure VLANs allowed by the user-side sub-interfaces of the CE, configure the CE
user-side interface to add different outer VLAN tags to packets with different user
VLAN IDs, and re-mark voice services with high priority.
3. Add the CE interface connected to the PE, PE interface, and P interface to VLAN 20 and
VLAN 21 so that packets from VLAN 20 and VLAN 21 are allowed to pass through.
Procedure
Step 1 Create a bridge group and add sub-interfaces to the bridge group.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] bridge 1
[CE1-bridge1] quit
[CE1] interface gigabitethernet 0/0/1.1
[CE1-GigabitEthernet0/0/1.1] bridge 1
[CE1-GigabitEthernet0/0/1.1] bridge vlan-transmit enable
[CE1-GigabitEthernet0/0/1.1] quit
[CE1] interface gigabitethernet 0/0/1.2
[CE1-GigabitEthernet0/0/1.2] bridge 1
[CE1-GigabitEthernet0/0/1.2] bridge vlan-transmit enable
[CE1-GigabitEthernet0/0/1.2] quit
# The configuration of CE2 is similar to that of CE1, and is not mentioned here.
Step 2 Configure CE1 user-side interface to add VLAN tags to user packets and re-mark voice
services with high priority.
[CE1] interface gigabitethernet 0/0/1.1
[CE1-GigabitEthernet0/0/1.1] vlan stacking vid 10 to 30 pe-vid 60
[CE1-GigabitEthernet0/0/1.1] quit
[CE1] interface gigabitethernet 0/0/1.2
[CE1-GigabitEthernet0/0/1.2] vlan stacking vid 31 to 50 pe-vid 61 remark-8021p 7
[CE1-GigabitEthernet0/0/1.2] quit
# The configuration of CE2 is similar to that of CE1, and is not mentioned here.
Step 3 Add sub-interfaces of GE0/0/0 on CE1 to bridge 1, VLAN 60, and VLAN 61. Add GE0/0/0
and GE0/0/1 on PE1 to VLAN 60 and VLAN 61 in trunk mode.
# Add sub-interfaces of GE0/0/0 on CE1 to bridge 1, VLAN 60 and VLAN 61 in trunk mode.
The configuration of CE2 is similar to that of CE1. For details, see the configuration files.
[CE1] vlan batch 60 to 61
[CE1] interface gigabitethernet 0/0/0
[CE1] interface gigabitethernet 0/0/0.33
[CE1-GigabitEthernet0/0/0.33] bridge 1
[CE1-GigabitEthernet0/0/0.33] bridge vlan-transmit enable
[CE1-GigabitEthernet0/0/0.33] vlan allow-pass vlan 60 61
[CE1-GigabitEthernet0/0/0.33] quit
# Add GE0/0/0 and GE0/0/1 on PE1 to VLAN 60 and VLAN 61 in trunk mode. The
configurations of PE2 and P are similar to the configuration of PE1, and are not mentioned
here.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] vlan batch 60 to 61
[PE1] interface gigabitethernet 0/0/0
[PE1-GigabitEthernet0/0/0] port link-type trunk
[PE1-GigabitEthernet0/0/0] port trunk allow-pass vlan 60 61
[PE1-GigabitEthernet0/0/0] quit
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] port link-type trunk
[PE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 60 61
[PE1-GigabitEthernet0/0/1] quit
----End
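One way to audit the selective QinQ rules from this example before deploying them, as an added illustration (not Huawei code or tooling): the script parses the vlan stacking and allow-pass lines, flags customer VLAN ranges that overlap between sub-interfaces of one main interface, and flags outer VLANs that the uplink would not pass. CE1_CONFIG is the CE1 configuration file shown on this page, re-indented; BROKEN_CONFIG, the overlap rule and all function names are constructed for the illustration.

```python
import re

# CE1 configuration file from this page (re-indented).
CE1_CONFIG = """\
#
sysname CE1
#
vlan batch 60 to 61
#
bridge 1
#
interface GigabitEthernet0/0/0.33
 bridge 1
 bridge vlan-transmit enable
 vlan allow-pass vlan 60 61
#
interface GigabitEthernet0/0/1.1
 bridge 1
 bridge vlan-transmit enable
 vlan stacking vid 10 to 30 pe-vid 60
#
interface GigabitEthernet0/0/1.2
 bridge 1
 bridge vlan-transmit enable
 vlan stacking vid 31 to 50 pe-vid 61 remark 8021p 7
#
return
"""

# Constructed faulty variant: VLAN 30 is claimed twice and pe-vid 62 is not
# allowed on the uplink sub-interface.
BROKEN_CONFIG = CE1_CONFIG.replace("vid 31 to 50 pe-vid 61", "vid 30 to 50 pe-vid 62")

UPLINK = "GigabitEthernet0/0/0.33"
STACKING = re.compile(r"vlan stacking vid (\d+)(?: to (\d+))? pe-vid (\d+)")
ALLOW = re.compile(r"allow-pass (?:vlan|vid) (.+)")


def vlan_set(spec):
    """Expand '60 61' or '60 to 61' into a set of VLAN IDs."""
    tokens, vids, i = spec.split(), set(), 0
    while i < len(tokens):
        low = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vids.update(range(low, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vids.add(low)
            i += 1
    return vids


def parse(config):
    """Return (rules, allowed): stacking rules as (interface, low, high, pe_vid)
    and, per interface, the VLANs its allow-pass lines let through."""
    rules, allowed, current = [], {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = line.split()[1]
        elif line == "#":
            current = None
        elif current:
            m = STACKING.search(line)
            if m:
                low = int(m.group(1))
                rules.append((current, low, int(m.group(2) or low), int(m.group(3))))
            m = ALLOW.search(line)
            if m:
                allowed.setdefault(current, set()).update(vlan_set(m.group(1)))
    return rules, allowed


def audit(config, uplink):
    """Return a list of findings; an empty list means the rules are consistent."""
    rules, allowed = parse(config)
    findings = []
    for i, (if_a, lo_a, hi_a, pe_a) in enumerate(rules):
        if pe_a not in allowed.get(uplink, set()):
            findings.append(f"{if_a}: pe-vid {pe_a} is not allowed on {uplink}")
        for if_b, lo_b, hi_b, _ in rules[i + 1:]:
            same_port = if_a.split(".")[0] == if_b.split(".")[0]
            if same_port and lo_a <= hi_b and lo_b <= hi_a:
                findings.append(
                    f"{if_a} and {if_b}: customer VLANs "
                    f"{max(lo_a, lo_b)}-{min(hi_a, hi_b)} overlap")
    return findings


if __name__ == "__main__":
    print("page config:", audit(CE1_CONFIG, UPLINK) or "no findings")
    for finding in audit(BROKEN_CONFIG, UPLINK):
        print("broken config:", finding)
```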
Configuration Files
- CE1 configuration file
#
sysname CE1
#
vlan batch 60 to 61
#
bridge 1
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/0.33
bridge 1
bridge vlan-transmit enable
vlan allow-pass vlan 60 61
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1.1
bridge 1
bridge vlan-transmit enable
vlan stacking vid 10 to 30 pe-vid 60
#
interface GigabitEthernet0/0/1.2
bridge 1
bridge vlan-transmit enable
vlan stacking vid 31 to 50 pe-vid 61 remark 8021p 7
#
return
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/0.33
bridge 1
bridge vlan-transmit enable
vlan allow-pass vlan 60 61
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1.1
bridge 1
bridge vlan-transmit enable
vlan stacking vid 10 to 30 pe-vid 60
#
interface GigabitEthernet0/0/1.2
bridge 1
bridge vlan-transmit enable
vlan stacking vid 31 to 50 pe-vid 61 remark 8021p 7
#
return
- P configuration file
#
sysname P
#
vlan batch 60 to 61
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 60 to 61
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 60 to 61
#
return
Figure 8-9 Networking diagram for connecting a Dot1q VLAN tag termination sub-interface
to a VLL network
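(Diagram not reproduced. CE1 GE1/0/0 connects to PE1 GE1/0/0; PE1 GE2/0/0 10.1.1.1/24 connects
to P GE2/0/0 10.1.1.2/24; P GE1/0/0 10.2.2.2/24 connects to PE2 GE1/0/0 10.2.2.1/24; PE2 GE2/0/0
connects to CE2 GE1/0/0. Loopback1 is 10.10.1.9/32 on PE1, 10.20.2.9/32 on P, and 10.30.3.9/32
on PE2. A Martini VLL runs between PE1 and PE2.)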
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol on devices (PE and P) of the backbone network to
implement interworking, and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP for data
transmission.
3. Enable MPLS L2VPN and create VC connections on PEs.
4. Configure Dot1q sub-interfaces on PE interfaces connected to CEs to implement VLL
access.
Procedure
Step 1 Configure IP addresses for interfaces on CEs, PEs, and the P devices according to Figure 8-9.
# Configure CE1. The configuration details of other devices are not mentioned here.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] interface gigabitethernet 1/0/0.1
[CE1-GigabitEthernet1/0/0.1] ip address 10.100.1.1 255.255.255.0
[CE1-GigabitEthernet1/0/0.1] quit
Step 2 Configure CEs to add a VLAN tag to packets destined for PEs.
# VLAN 10 is used as an example. Configure CE1.
[CE1] interface gigabitethernet 1/0/0.1
[CE1-GigabitEthernet1/0/0.1] dot1q termination vid 10
[CE1-GigabitEthernet1/0/0.1] quit
# Configure CE2.
[CE2] interface gigabitethernet 1/0/0.1
[CE2-GigabitEthernet1/0/0.1] dot1q termination vid 10
[CE2-GigabitEthernet1/0/0.1] quit
Step 3 Configure an IGP on the MPLS backbone network. OSPF is used as an example.
# Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the LSR IDs.
# Configure PE1. The configuration details of other devices are not mentioned here.
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 10.10.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
Step 4 Configure basic MPLS functions and MPLS LDP on the MPLS network.
# Configure PE1.
[PE1] mpls lsr-id 10.10.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] mpls
[PE1-GigabitEthernet2/0/0] mpls ldp
[PE1-GigabitEthernet2/0/0] quit
# Configure P.
[P] mpls lsr-id 10.20.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] mpls
[P-GigabitEthernet2/0/0] mpls ldp
[P-GigabitEthernet2/0/0] quit
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] mpls
[P-GigabitEthernet1/0/0] mpls ldp
[P-GigabitEthernet1/0/0] quit
# Configure PE2.
[PE2] mpls lsr-id 10.30.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] mpls
[PE2-GigabitEthernet1/0/0] mpls ldp
[PE2-GigabitEthernet1/0/0] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 10.10.1.9
[PE2-mpls-ldp-remote-10.10.1.9] remote-ip 10.10.1.9
[PE2-mpls-ldp-remote-10.10.1.9] quit
# After the configuration is complete, run the display mpls ldp session command on PE1 to
view the LDP session setup. You can see that an LDP session is set up between PE1 and PE2.
# Check L2VPN connections on PEs. You can see that an L2VC connection has been set up
and is in Up state.
[PE1] display mpls l2vc interface gigabitethernet 1/0/0.1
*client interface : GigabitEthernet1/0/0.1 is up
Administrator PW : no
session state : up
AC status : up
Ignore AC state : disable
VC state : up
Label state : 0
Token state : 0
VC ID : 101
VC type : VLAN
destination : 10.30.3.9
local group ID : 0 remote group ID : 0
local VC label : 1024 remote VC label : 1024
local AC OAM State : up
local PSN OAM State : up
local forwarding state : forwarding
local status code : 0x0
remote AC OAM state : up
remote PSN OAM state : up
remote forwarding state: forwarding
remote status code : 0x0
ignore standby state : no
BFD for PW : unavailable
VCCV State : up
manual fault : not set
active state : active
forwarding entry : exist
link state : up
local VC MTU : 1500 remote VC MTU : 1500
----End
Configuration Files
- CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
ip address 10.100.1.1 255.255.255.0
#
return
#
mpls ldp
#
mpls ldp remote-peer 10.30.3.9
remote-ip 10.30.3.9
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
mpls l2vc 10.30.3.9 101
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.10.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.10.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
- P configuration file
#
sysname P
#
mpls lsr-id 10.20.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.20.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.20.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
- PE2 configuration file
#
sysname PE2
#
mpls lsr-id 10.30.3.9
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 10.10.1.9
remote-ip 10.10.1.9
#
interface GigabitEthernet1/0/0
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet2/0/0.1
dot1q termination vid 10
mpls l2vc 10.10.1.9 101
#
interface LoopBack1
ip address 10.30.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.30.3.9 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
Figure 8-10 Networking diagram for configuring a sub-interface for dot1q VLAN tag
termination to access a VLL network
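(Diagram not reproduced. CE1 GE1/0/0 connects to PE1 GE1/0/0; PE1 GE2/0/0 10.1.1.1/24 connects
to P GE2/0/0 10.1.1.2/24; P GE1/0/0 10.2.2.2/24 connects to PE2 GE1/0/0 10.2.2.1/24; PE2 GE2/0/0
connects to CE2 GE1/0/0. Loopback1 is 10.10.1.9/32 on PE1, 10.20.2.9/32 on P, and 10.30.3.9/32
on PE2. A Martini VLL runs between PE1 and PE2.)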
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol on devices (PE and P) of the backbone network to
implement interworking, and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP for data
transmission.
3. Enable MPLS L2VPN and create VC connections on PEs.
4. Configure QinQ sub-interfaces on PE interfaces connected to CEs to implement VLL
access.
Procedure
Step 1 Configure IP addresses for interfaces on CEs, PEs, and P according to Figure 8-10.
# CE1 is used as an example. The configuration details of other devices are not mentioned
here.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] interface gigabitethernet 1/0/0.1
[CE1-GigabitEthernet1/0/0.1] ip address 10.100.1.1 255.255.255.0
[CE1-GigabitEthernet1/0/0.1] quit
# Configure CE2.
[CE2] interface gigabitethernet 1/0/0.1
[CE2-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10
[CE2-GigabitEthernet1/0/0.1] quit
Step 3 Configure an IGP on the MPLS backbone network. OSPF is used as an example.
# Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the LSR IDs.
# PE1 is used as an example. The configuration details of other devices are not mentioned
here.
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 10.10.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
Step 4 Configure basic MPLS functions and MPLS LDP on the MPLS network.
# Configure PE1.
[PE1] mpls lsr-id 10.10.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] mpls
[PE1-GigabitEthernet2/0/0] mpls ldp
[PE1-GigabitEthernet2/0/0] quit
# Configure P.
[P] mpls lsr-id 10.20.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] mpls
[P-GigabitEthernet2/0/0] mpls ldp
[P-GigabitEthernet2/0/0] quit
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] mpls
[P-GigabitEthernet1/0/0] mpls ldp
[P-GigabitEthernet1/0/0] quit
# Configure PE2.
[PE2] mpls lsr-id 10.30.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] mpls
[PE2-GigabitEthernet1/0/0] mpls ldp
[PE2-GigabitEthernet1/0/0] quit
# Configure PE1.
[PE1] mpls ldp remote-peer 10.30.3.9
[PE1-mpls-ldp-remote-10.30.3.9] remote-ip 10.30.3.9
[PE1-mpls-ldp-remote-10.30.3.9] quit
# Configure PE2.
[PE2] mpls ldp remote-peer 10.10.1.9
[PE2-mpls-ldp-remote-10.10.1.9] remote-ip 10.10.1.9
[PE2-mpls-ldp-remote-10.10.1.9] quit
After the configuration is complete, run the display mpls ldp session command on PE1 to
view the LDP session setup. You can see that an LDP session is set up between PE1 and PE2.
----End
Configuration Files
- CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0.1
qinq termination pe-vid 100 ce-vid 10
ip address 10.100.1.1 255.255.255.0
#
return
Networking Requirements
As shown in Figure 8-11, CE1 and CE3 belong to VPN-A, and CE2 and CE4 belong to VPN-B.
The VPN targets of VPN-A and VPN-B are 111:1 and 222:2 respectively. Users in
different VPNs cannot communicate with each other.
Figure 8-11 Networking diagram for connecting a Dot1q VLAN tag termination sub-interface
to an L3VPN
(Diagram not reproduced. Labels: CE1 and CE3 in VPN-A, CE2 (AS 65420) and CE4 (AS 65440) in
VPN-B, each CE on GE1/0/0; VPN backbone AS 100 with PE1 (Loopback1 10.10.1.9/32, GE3/0/0
172.16.1.1/24), P (Loopback1 10.20.2.9/32, GE1/0/0 172.16.1.2/24, GE2/0/0 172.26.1.1/24) and
PE2 (Loopback1 10.30.3.9/32, GE3/0/0 172.26.1.2/24); PE1 and PE2 connect to the CEs on GE1/0/0
and GE2/0/0.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure VPN instances on PEs connected to CEs on the backbone network, bind
interfaces connected to CEs to VPN instances, and assign IP addresses to interfaces
connected to CEs.
2. Configure OSPF on PEs to implement interworking.
3. Configure basic MPLS functions and MPLS LDP, and set up MPLS LSPs.
4. Configure the Multi-protocol Extensions for Interior Border Gateway Protocol (MP-IBGP)
on PEs to exchange VPN routing information.
5. Configure EBGP on CEs and PEs to exchange VPN routing information.
6. Configure Dot1q sub-interfaces on PE interfaces connected to CEs to connect the Dot1q
sub-interfaces to the L3VPN.
Procedure
Step 1 Configure OSPF on the MPLS backbone network so that the PEs and P can communicate
with each other.
# Configure PE1.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 10.10.1.9 32
[PE1-LoopBack1] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] ip address 172.16.1.1 24
[PE1-GigabitEthernet3/0/0] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 10.10.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure P.
<Huawei> system-view
[Huawei] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 10.20.2.9 32
[P-LoopBack1] quit
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] ip address 172.16.1.2 24
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] ip address 172.26.1.1 24
[P-GigabitEthernet2/0/0] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 172.26.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 10.20.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
<Huawei> system-view
[Huawei] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 10.30.3.9 32
[PE2-LoopBack1] quit
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] ip address 172.26.1.2 24
[PE2-GigabitEthernet3/0/0] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.26.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 10.30.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command. The OSPF neighbor relationship status is
Full. Run the display ip routing-table command. PEs have learned the routes to each other's
Loopback1 interface.
# The display on PE1 is used as an example.
[PE1] display ip routing-table
Route Flags: R - relay,
D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 11 Routes : 11
Step 2 Configure basic MPLS functions and MPLS LDP on the MPLS backbone network to set up
LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 10.10.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] mpls
[PE1-GigabitEthernet3/0/0] mpls ldp
[PE1-GigabitEthernet3/0/0] quit
# Configure P.
[P] mpls lsr-id 10.20.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] mpls
[P-GigabitEthernet1/0/0] mpls ldp
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] mpls
[P-GigabitEthernet2/0/0] mpls ldp
[P-GigabitEthernet2/0/0] quit
# Configure PE2.
[PE2] mpls lsr-id 10.30.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] mpls
[PE2-GigabitEthernet3/0/0] mpls ldp
[PE2-GigabitEthernet3/0/0] quit
# After the configuration is complete, LDP sessions can be set up between PE1 and the P, and
between the P and PE2. Run the display mpls ldp session command. The command output
shows that the Status field is Operational. Run the display mpls ldp lsp command.
Information about the established LDP LSPs is displayed.
# The display on PE1 is used as an example.
[PE1] display mpls ldp session
Step 3 Configure CEs to add a VLAN tag to packets destined for PEs.
# Here, the VLAN ID in packets sent by CE1 and CE3 is VLAN 10, and the VLAN ID in
packets sent by CE2 and CE4 is VLAN 20.
# Configure CE1.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] interface gigabitethernet 1/0/0.1
[CE1-GigabitEthernet1/0/0.1] ip address 10.1.1.1 255.255.255.0
[CE1-GigabitEthernet1/0/0.1] dot1q termination vid 10
[CE1-GigabitEthernet1/0/0.1] quit
# Configure CE2.
<Huawei> system-view
[Huawei] sysname CE2
[CE2] interface gigabitethernet 1/0/0.1
[CE2-GigabitEthernet1/0/0.1] ip address 10.2.1.1 255.255.255.0
[CE2-GigabitEthernet1/0/0.1] dot1q termination vid 20
[CE2-GigabitEthernet1/0/0.1] quit
# Configure CE3.
<Huawei> system-view
[Huawei] sysname CE3
[CE3] interface gigabitethernet 1/0/0.1
[CE3-GigabitEthernet1/0/0.1] ip address 10.3.1.1 255.255.255.0
[CE3-GigabitEthernet1/0/0.1] dot1q termination vid 10
[CE3-GigabitEthernet1/0/0.1] quit
# Configure CE4.
<Huawei> system-view
[Huawei] sysname CE4
[CE4] interface gigabitethernet 1/0/0.1
[CE4-GigabitEthernet1/0/0.1] ip address 10.4.1.1 255.255.255.0
[CE4-GigabitEthernet1/0/0.1] dot1q termination vid 20
[CE4-GigabitEthernet1/0/0.1] quit
Step 4 Configure VPN instances on PEs and bind the instances to the interfaces connected to CEs.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface gigabitethernet 1/0/0.1
[PE1-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE1-GigabitEthernet1/0/0.1] ip address 10.1.1.2 24
[PE1-GigabitEthernet1/0/0.1] dot1q termination vid 10
[PE1-GigabitEthernet1/0/0.1] quit
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface gigabitethernet 1/0/0.1
[PE2-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE2-GigabitEthernet1/0/0.1] ip address 10.3.1.2 24
[PE2-GigabitEthernet1/0/0.1] dot1q termination vid 10
[PE2-GigabitEthernet1/0/0.1] quit
[PE2] interface gigabitethernet 2/0/0.1
[PE2-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb
[PE2-GigabitEthernet2/0/0.1] ip address 10.4.1.2 24
[PE2-GigabitEthernet2/0/0.1] dot1q termination vid 20
[PE2-GigabitEthernet2/0/0.1] quit
# After the configuration is complete, run the display ip vpn-instance verbose command on
PEs to check the VPN instance configuration. Each PE can ping its connected CE.
NOTE
If multiple interfaces of a PE are bound to the same VPN instance, run the ping -vpn-instance
vpn-instance-name -a source-ip-address dest-ip-address command with -a source-ip-address
specified to ping the CE connected to the remote PE. Otherwise, the ping operation may fail.
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 10.10.1.9 as-number 100
[PE2-bgp] peer 10.10.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 10.10.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
# After the configuration is complete, run the display bgp peer or display bgp vpnv4 all
peer command on PEs. The command output shows that a BGP peer relationship has been
established between PEs.
[PE1] display bgp peer
Step 6 Set up EBGP peer relationships between PEs and CEs and import VPN routes into BGP.
# Configure CE1. The configurations of other CEs are similar to the configuration on CE1,
and are not mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
# Configure PE1. The configuration of PE2 is similar to the configuration of PE1, and is not
mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit
# After the configuration is complete, run the display bgp vpnv4 vpn-instance peer
command on PEs. The command output shows that BGP peer relationships have been
established between PEs and CEs.
# The peer relationship between PE1 and CE1 is used as an example.
[PE1] display bgp vpnv4 vpn-instance vpna peer
# CEs in the same VPN can ping each other, whereas CEs in different VPNs cannot.
# For example, CE1 can ping CE3 at 10.3.1.1 but cannot ping CE4 at 10.4.1.1.
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.4.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
----End
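The isolation verified by the two pings above depends on the vpn-target values: a VPN instance installs a route only if it imports a target that the originating instance exports. The following added example (not Huawei code) computes that relation from the vpn-instance blocks and reports any pair of differently named instances that would exchange routes. PE1_CONFIG is taken from the PE1 configuration file on this page; PE2_CONFIG is written from the Step 4 commands, PE2_LEAKY is a constructed misconfiguration, and treating a vpn-target line without a keyword as "both" is an assumption.

```python
# vpn-instance blocks from the PE1 configuration file on this page (re-indented).
PE1_CONFIG = """\
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
"""

# Written from the PE2 commands in Step 4 (vpn-target ... both).
PE2_CONFIG = """\
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 200:1
  vpn-target 111:1 both
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 200:2
  vpn-target 222:2 both
#
"""

# Constructed misconfiguration: vpnb on PE2 additionally imports VPN-A's target.
PE2_LEAKY = PE2_CONFIG.replace(
    "vpn-target 222:2 both",
    "vpn-target 222:2 both\n  vpn-target 111:1 import-extcommunity")

DIRECTIONS = ("both", "export-extcommunity", "import-extcommunity")


def parse_instances(device, config):
    """Map (device, instance) to {'import': set, 'export': set} of VPN targets."""
    instances, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if words[:2] == ["ip", "vpn-instance"] and len(words) == 3:
            current = instances.setdefault(
                (device, words[2]), {"import": set(), "export": set()})
        elif words == ["#"]:
            current = None
        elif current is not None and words[:1] == ["vpn-target"]:
            # Assumption: no direction keyword means the same as "both".
            targets, direction = words[1:], "both"
            if targets and targets[-1] in DIRECTIONS:
                direction = targets.pop()
            if direction != "import-extcommunity":
                current["export"].update(targets)
            if direction != "export-extcommunity":
                current["import"].update(targets)
    return instances


def collect(configs):
    """Merge the instances of several devices; configs maps device name to text."""
    merged = {}
    for device, text in configs.items():
        merged.update(parse_instances(device, text))
    return merged


def leaks(instances):
    """List (exporter, importer, shared targets) for differently named instances.

    Instances with the same name on different PEs are treated as one VPN,
    which matches the vpna/vpnb naming used in this example.
    """
    found = []
    for (dev_e, name_e), exp in sorted(instances.items()):
        for (dev_i, name_i), imp in sorted(instances.items()):
            shared = exp["export"] & imp["import"]
            if name_e != name_i and shared:
                found.append((f"{dev_e}/{name_e}", f"{dev_i}/{name_i}", sorted(shared)))
    return found


if __name__ == "__main__":
    print("page config:", leaks(collect({"PE1": PE1_CONFIG, "PE2": PE2_CONFIG})))
    for leak in leaks(collect({"PE1": PE1_CONFIG, "PE2": PE2_LEAKY})):
        print("leaky config:", leak)
```

With the page's values the result is empty, which is why CE1 reaches CE3 but not CE4; one extra import line on a single instance is enough to break that separation.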
Configuration Files
- PE1 configuration file
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 10.10.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
ip binding vpn-instance vpna
area 0.0.0.0
network 10.30.3.9 0.0.0.0
network 172.26.1.0 0.0.0.255
#
return
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 20
ip address 10.4.1.1 255.255.255.0
#
bgp 65440
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.4.1.2 enable
#
return
This chapter describes how to configure VLAN mapping. VLAN mapping technology
changes VLAN tags in packets to implement the mapping between different VLANs.
9.1 Overview of VLAN Mapping
9.2 Understanding VLAN Mapping
9.3 Application Scenarios for VLAN Mapping
This section describes the applicable environment of VLAN mapping.
9.4 Summary of VLAN Mapping Configuration Tasks
9.5 Licensing Requirements and Limitations for VLAN Mapping
This section describes VLAN Mapping configuration notes.
9.6 Configuring VLAN Mapping
9.7 Configuration Examples for VLAN Mapping
Definition
VLAN mapping technology changes VLAN tags in packets to implement the mapping
between different VLANs.
Purpose
In some scenarios, two Layer 2 user networks in the same VLAN are connected through the
backbone network. To implement Layer 2 connectivity between users and deploy Layer 2
protocols such as MSTP uniformly, the two user networks need to seamlessly interwork with
each other. In this case, the backbone network needs to transmit VLAN packets from the user
networks. Generally, the VLAN plans on the backbone network and the user network are different,
so the backbone network cannot directly transmit VLAN packets from a user network.
Basic Principles
After receiving a tagged packet, the router replaces the outer tag according to the
VLAN mapping mode. Then the router learns the MAC addresses contained in the packet.
Based on the source MAC address and mapped VLAN ID, the switch updates the MAC
address entries in the VLAN mapping table. Based on the destination MAC address and the
mapped VLAN ID, the switch searches for the MAC address entries. If the destination MAC
address matches no entry, the switch broadcasts the packet in the specified VLAN; if the
destination MAC address matches an entry, the switch forwards the packet through the
corresponding outbound interface.
As shown in Figure 9-1, VLAN mapping between VLAN 2 and VLAN 3 is configured on
Interface1. Before sending packets from VLAN 2 to VLAN 3, Interface1 replaces the VLAN
tags with VLAN 3 tags. When receiving packets from VLAN 3, Interface1 replaces the
VLAN tags with VLAN 2 tags. Then packets are forwarded according to the Layer 2
forwarding process. This implements communication between devices in VLAN 2 and VLAN
3.
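Figure 9-1 (diagram not reproduced): VLAN mapping on Interface1 between RouterA and RouterB,
with VLAN 2 tags on one side and VLAN 3 tags on the other; the hosts are 172.16.0.1/16 and
172.16.0.7/16.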
Implementation Modes
The device supports VLAN ID-based and 802.1p priority-based VLAN mapping.
- VLAN ID-based VLAN mapping
  When an interface configured with VLAN mapping receives a single-tagged packet, the
  interface maps the VLAN tag in the packet to a new VLAN tag.
  When an interface configured with VLAN mapping receives a double-tagged packet, the
  interface maps the outer tag of the packet to a specified tag and transparently transmits
  the inner tag as the data.
- 802.1p priority-based VLAN mapping
  When an interface configured with VLAN mapping receives a single-tagged packet, the
  interface replaces the 802.1p priority in the packet with a new 802.1p priority.
  When an interface configured with VLAN mapping receives a double-tagged packet, the
  interface replaces the 802.1p priority in the outer tag of the packet with a new 802.1p
  priority.
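The behaviour described under Basic Principles and Implementation Modes, modelled in Python as an added example (not Huawei code): only the outer tag is rewritten, an inner tag is carried as data, and MAC learning and lookup use the mapped VLAN ID. The model assumes Interface1 receives VLAN 3 tags on the wire and maps them to local VLAN 2, reversing the mapping on the way out; "Interface2", the MAC addresses, the frames and all names are constructed.

```python
import struct

TPID = 0x8100


def outer_tag(frame):
    """Return (pcp, dei, vid) of the outermost 802.1Q tag, or None if untagged."""
    if len(frame) < 18 or struct.unpack_from("!H", frame, 12)[0] != TPID:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def rewrite_outer_tag(frame, vid_map=None, pcp_map=None):
    """Apply VLAN ID-based and/or 802.1p-based mapping to the outer tag only.

    Bytes after the outer tag, including any inner tag, are copied unchanged.
    """
    tag = outer_tag(frame)
    if tag is None:
        return frame
    pcp, dei, vid = tag
    vid = (vid_map or {}).get(vid, vid)
    pcp = (pcp_map or {}).get(pcp, pcp)
    return frame[:14] + struct.pack("!H", (pcp << 13) | (dei << 12) | vid) + frame[16:]


class MappingBridge:
    """Learns and forwards on (mapped VLAN ID, MAC address)."""

    def __init__(self, port_maps):
        self.port_maps = port_maps   # {port: {VID on the wire: mapped VID}}
        self.mac_table = {}          # (mapped VID, MAC) -> port

    def receive(self, port, frame):
        """Map on ingress, learn the source, look up the destination.

        Returns (mapped frame, egress port); the port is None when the
        destination is unknown and the frame is flooded in the mapped VLAN.
        """
        frame = rewrite_outer_tag(frame, self.port_maps.get(port))
        tag = outer_tag(frame)
        vid = tag[2] if tag else None
        self.mac_table[(vid, frame[6:12])] = port
        return frame, self.mac_table.get((vid, frame[0:6]))

    def send(self, port, frame):
        """Reverse the mapping when a frame leaves through a mapping port."""
        reverse = {new: old for old, new in self.port_maps.get(port, {}).items()}
        return rewrite_outer_tag(frame, reverse)


def tagged(dst, src, tags, payload=b"\x08\x00" + bytes(46)):
    """Constructed test frame; tags is a list of (pcp, vid), outermost first."""
    body = b"".join(struct.pack("!HH", TPID, (pcp << 13) | vid) for pcp, vid in tags)
    return dst + src + body + payload


HOST_A = bytes.fromhex("020000000001")   # constructed, local VLAN 2 side
HOST_B = bytes.fromhex("020000000002")   # constructed, VLAN 3 side behind Interface1


def demo():
    bridge = MappingBridge({"Interface1": {3: 2}})
    # B -> A arrives with VLAN 3, is mapped to VLAN 2, destination still unknown.
    first, out1 = bridge.receive("Interface1", tagged(HOST_A, HOST_B, [(0, 3)]))
    # A -> B arrives untouched in VLAN 2 and hits the entry learned above.
    reply, out2 = bridge.receive("Interface2", tagged(HOST_B, HOST_A, [(0, 2)]))
    on_wire = bridge.send(out2, reply)
    return outer_tag(first), out1, out2, outer_tag(on_wire)


if __name__ == "__main__":
    print(demo())
```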
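(Diagram not reproduced. Labels: CE1, CE2, VLAN Mapping; Enterprise A Branch 1, VLAN 10 to 50;
Enterprise A Branch 2, VLAN 11 to 50; Department 1: VLAN 10; Department 1: VLAN 100; VLAN 100.)
(Diagram not reproduced. Labels: CE1, CE2, VLAN Mapping; VoIP and PC terminals on each side.)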
Configuring VLAN ID-based VLAN Mapping (see 9.6.1 Configuring VLAN ID-based VLAN Mapping)
When packets are sent from one LAN to another, if VLAN ID plans are different, their VLAN IDs
need to be changed. You can configure VLAN ID-based VLAN mapping on the LAN edge device to map
VLAN IDs in received packets. Then the LAN edge device forwards packets based on mapped VLAN
IDs.
Configuring 802.1p Priority-based VLAN Mapping (see 9.6.2 Configuring 802.1p Priority-based
VLAN Mapping)
When packets are sent from one LAN to another, if different networks use different priority
policies, their 802.1p priorities need to be changed. You can configure 802.1p priority-based
VLAN mapping on the LAN edge device to map 802.1p priorities in received packets. Then the LAN
edge device forwards packets based on mapped 802.1p priorities.
Licensing Requirements
VLAN Mapping is a basic feature of a router and is not under license control.
Feature Limitations
When deploying VLAN Mapping on the router, pay attention to the following:
• Before configuring VLAN mapping on an interface, add the interface to a network
bridge. If the interface is deleted from the network bridge, the VLAN mapping
configuration is also deleted from the interface.
• You can configure only one of QinQ, selective QinQ, and VLAN mapping on a sub-
interface.
NOTE
edge device to map VLAN IDs in received packets. Then the LAN edge device forwards
packets based on mapped VLAN IDs.
Procedure
• Configure VLAN ID-based VLAN mapping on a sub-interface.
a. Run system-view
NOTE
The sub-interface has been added to a bridge group and the VLANs allowed by the sub-
interface have been configured using the vlan allow-pass command.
The VLANs allowed by the sub-interface include VLANs specified by vlan-id1 in vlan
mapping vid vlan-id1 map-vlan vlan-id2.
When the vlan mapping vid command is executed multiple times, vlan-id2 in the vlan
mapping vid command on a sub-interface must be different from vlan-id1 and vlan-id2 in
the vlan mapping vid command on other sub-interfaces of the same main interface.
• Configure VLAN ID-based VLAN mapping on a Layer 2 VE interface.
a. Run system-view
NOTE
• The VLAN ID in the tag of the received frame on an interface must be different from the
mapped VLAN ID.
• The mapped outer VLAN must exist and the interface must join the original and mapped
VLANs in tagged mode.
• VLAN stacking and VLAN mapping can take effect, but VLAN IDs of multiple CEs
must be unique, VLAN IDs in the original and mapped tags must be different, and
VLAN IDs of multiple PEs must be unique.
• Layer 2 Ethernet interfaces support only VLAN ID-based VLAN mapping, and do not
support VLAN mapping based on 802.1p priorities or VLAN IDs and 802.1p priorities.
• This command can be configured on an interface multiple times, and a maximum of 128
VLAN mapping entries can be configured on all interfaces.
----End
Procedure
Step 1 Run system-view
NOTE
Sub-interfaces can only be created on Layer 3 Ethernet interfaces. If an interface works in Layer 2 mode
and supports switching between Layer 2 and Layer 3 modes, run the undo portswitch command to
switch the interface in Layer 3 mode before creating a sub-interface on the interface.
----End
Networking Requirements
As shown in Figure 9-4, enterprise A has two branches that connect to the carrier network
through PE1 and PE2 respectively. Enterprise A has different services, so different VLANs
are assigned.
For planning or operational reasons, department 1 in branch 1 uses VLAN 10, and branch 2
assigns VLAN 100 to department 1.
Figure 9-4 Networking diagram for configuring VLAN ID-based VLAN Mapping functions
[Diagram: CE1 and CE2 connect to PE1 and PE2 across the carrier network through GE0/0/0 and GE0/0/1 interfaces; VLAN mapping is applied on the CE side. Enterprise A Branch 1: VLAN 10 to 50, Department 1: VLAN 10. Enterprise A Branch 2: VLAN 11 to 50 and VLAN 100, Department 1: VLAN 100]
Configuration Roadmap
The configuration roadmap is as follows:
You can configure VLAN Mapping and Dot1q Tunnel on the CE connected to the PE and
implement communication between two branches of enterprise A through VLAN 20 provided
by the carrier. VLAN mapping is configured on a user-side interface of CE2 so that
department 1 in two branches can communicate.
1. Create a bridge group and add a sub-interface to the bridge group.
2. Configure VLANs allowed by a sub-interface.
3. Configure QinQ mapping on a user-side interface of CE2 to map VLAN 100 to VLAN
10 so that department 1 in two branches can communicate.
4. Configure dot1q tunnel on the CE interface connected to the PE so that the CE can add
the S-VLAN tag to user packets.
5. Add interfaces of the PE and P to VLAN 20 so that packets from VLAN 20 are allowed
to pass through.
Procedure
Step 1 Create a bridge group and add a sub-interface to the bridge group.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] bridge 1
[CE1-bridge1] quit
[CE1] interface gigabitethernet 0/0/0.1
[CE1-GigabitEthernet0/0/0.1] bridge 1
The configuration of CE2 is similar to that of CE1, and is not mentioned here.
Step 3 Configure VLAN mapping on a user-side interface of CE2 to map VLAN 100 to VLAN 10.
[CE2] interface gigabitethernet 0/0/1.1
[CE2-GigabitEthernet0/0/1.1] vlan mapping vid 100 map-vlan 10
[CE2-GigabitEthernet0/0/1.1] quit
Step 4 Configure the CE1 interface connected to the PE to add a VLAN tag to user packets.
[CE1] interface gigabitethernet 0/0/0.1
[CE1-GigabitEthernet0/0/0.1] vlan dot1q-tunnel 20
[CE1-GigabitEthernet0/0/0.1] quit
The configuration of CE2 is similar to that of CE1, and is not mentioned here.
The configurations of PE2 and P are similar to the configuration of PE1, and are not
mentioned here.
----End
Configuration Files
• Configuration file of CE1
#
sysname CE1
#
bridge 1
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/0.1
bridge 1
bridge vlan-transmit enable
vlan allow-pass vid 10 to 50
vlan dot1q-tunnel 20
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1.1
bridge 1
bridge vlan-transmit enable
vlan allow-pass vid 10 to 50
#
return
#
vlan batch 20
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
return
• Configuration file of P
#
sysname P
#
vlan batch 20
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
return
Figure 9-5 Networking diagram for configuring 802.1p Priority-based VLAN Mapping
functions
[Diagram: CE1 and CE2 connect to PE1 and PE2 across the carrier network through GE0/0/0 and GE0/0/1 interfaces; VLAN mapping is applied on the CE side; VoIP and PC at each site]
Configuration Roadmap
The configuration roadmap is as follows:
VLAN mapping or dot1q tunnel can meet the preceding requirements. You can configure the
dot1q tunnel function on the CE connected to the PE and implement communication between
two branches of enterprise A through VLAN 20 provided by the carrier, and configure VLAN
mapping on the user-side interface of CE2 to map a higher priority for voice services and a
lower priority for data services.
1. Create a bridge group and add a sub-interface to the bridge group.
2. Configure VLANs allowed by a sub-interface.
3. Configure the user-side interface on CE2 to map the 802.1p priority of voice services
from 0 to 7 so that voice services are transmitted preferentially.
4. Configure dot1q tunnel on the CE interface connected to the PE so that the CE can add
the S-VLAN tag to user packets.
5. Add interfaces of the PE and P to VLAN 20 so that packets from VLAN 20 are allowed
to pass through.
Procedure
Step 1 Create a bridge group and add a sub-interface to the bridge group.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] bridge 1
[CE1-bridge1] quit
The configuration of CE2 is similar to that of CE1, and is not mentioned here.
Step 2 Configure VLANs allowed by a sub-interface.
# Configure VLANs allowed by a sub-interface on the CE1.
[CE1] interface gigabitethernet 0/0/0.1
[CE1-GigabitEthernet0/0/0.1] vlan allow-pass vid 50 to 51
[CE1-GigabitEthernet0/0/0.1] quit
[CE1] interface gigabitethernet 0/0/1.1
[CE1-GigabitEthernet0/0/1.1] vlan allow-pass vid 50
[CE1-GigabitEthernet0/0/1.1] quit
[CE1] interface gigabitethernet 0/0/2.1
[CE1-GigabitEthernet0/0/2.1] vlan allow-pass vid 51
[CE1-GigabitEthernet0/0/2.1] quit
The configuration of CE2 is similar to that of CE1, and is not mentioned here.
Step 3 Configure GE0/0/1 on CE2 to map the 802.1p priority of voice services from 0 to 7.
[CE2] interface gigabitethernet 0/0/1.1
[CE2-GigabitEthernet0/0/1.1] vlan mapping 8021p 0 map-8021p 7
[CE2-GigabitEthernet0/0/1.1] quit
Step 4 Configure the CE1 interface connected to the PE to add a VLAN tag to user packets.
[CE1] interface gigabitethernet 0/0/0.1
[CE1-GigabitEthernet0/0/0.1] vlan dot1q-tunnel 20
[CE1-GigabitEthernet0/0/0.1] quit
The configuration of CE2 is similar to that of CE1, and is not mentioned here.
Step 5 Add GE0/0/0 and GE0/0/1 on PE1 to VLAN 20 in trunk mode.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 0/0/0
[PE1-GigabitEthernet0/0/0] port link-type trunk
[PE1-GigabitEthernet0/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet0/0/0] quit
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] port link-type trunk
[PE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 20
[PE1-GigabitEthernet0/0/1] quit
The configurations of PE2 and P are similar to the configuration of PE1, and are not
mentioned here.
----End
Configuration Files
• Configuration file of CE1
#
sysname CE1
#
bridge 1
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/0.1
bridge 1
bridge vlan-transmit enable
vlan allow-pass vid 50 to 51
vlan dot1q-tunnel 20
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1.1
bridge 1
bridge vlan-transmit enable
vlan allow-pass vid 50
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/2.1
bridge 1
bridge vlan-transmit enable
vlan allow-pass vid 51
#
return
#
return
• Configuration file of P
#
sysname P
#
vlan batch 20
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
return
10 GVRP Configuration
This chapter describes basic GVRP concepts, GVRP configuration procedures, and concludes
with a GVRP configuration example.
10.1 Overview of GVRP
10.2 Understanding GVRP
10.3 Application Scenarios for GVRP
10.4 Default Settings for GVRP
10.5 Licensing Requirements and Limitations for GVRP
10.6 Configuring GVRP
10.7 Clearing GVRP Statistics
10.8 Configuration Examples for GVRP
Definition
The Generic Attribute Registration Protocol (GARP) provides a mechanism to propagate
attributes so that a protocol entity can register and deregister attributes. By filling different
attributes into GARP packets, GARP supports different upper-layer applications.
The GARP VLAN Registration Protocol (GVRP) is used to register and deregister VLAN
attributes.
GARP identifies applications through destination MAC addresses. IEEE Std 802.1Q assigns
01-80-C2-00-00-21 to the VLAN application (GVRP).
Purpose
To deploy certain VLANs on all devices on a network, the network administrator needs to
manually create these VLANs on each device. As shown in Figure 10-1, three routers are
[Figure 10-1: RouterA, RouterB, and RouterC]
When a network is complicated and the network administrator is unfamiliar with the network
topology, or when many VLANs are configured on the network, manual configuration
requires a heavy workload and configuration errors may occur. In this case, you can
configure GVRP on the network to implement automatic registration of VLANs.
Benefits
GVRP is based on GARP and is used to maintain VLAN attributes dynamically on devices.
Through GVRP, VLAN attributes of one device can be propagated throughout the entire
switching network. GVRP enables network devices to dynamically deliver, register, and
propagate VLAN attributes, reducing workload of the network administrator and ensuring
correct configuration.
Participant
On a device, each port running a protocol is considered as a participant. On a device running
GVRP, each GVRP-enabled port is considered as a GVRP participant, as shown in Figure
10-2.
[Figure 10-2: RouterA, RouterB, and RouterC]
GVRP registers and deregisters VLAN attributes through attribute declarations and reclaim
declarations as follows:
• When a port receives a VLAN attribute declaration, it registers the VLAN specified in
the declaration. That is, the port is added to the VLAN.
• When a port receives a VLAN attribute reclaim declaration, it deregisters the VLAN
specified in the declaration. That is, the port is removed from the VLAN.
[Figure: attribute registration and deregistration between RouterA and RouterB (Declaration, Register; Reclaim declaration, Deregister)]
GARP Messages
GARP participants exchange VLAN information through GARP messages. Major GARP
messages are Join messages, Leave messages, and LeaveAll messages.
• Join message
When a GARP participant expects other devices to register its attributes, it sends Join
messages to other devices. When the GARP participant receives a Join message from
another participant or is configured with attributes statically, it also sends Join messages
to other devices for the devices to register the new attributes.
Join messages are classified into JoinEmpty messages and JoinIn messages. The
difference between the two types of messages is:
– JoinEmpty: declares an unregistered attribute.
– JoinIn: declares a registered attribute.
• Leave message
When a GARP participant expects other devices to deregister its attributes, it sends
Leave messages to other devices. When the GARP participant receives a Leave message
from another participant or some of its attributes are deregistered statically, it also sends
Leave messages to other devices.
Leave messages are classified into LeaveEmpty messages and LeaveIn messages. The
difference between the two types of messages is:
– LeaveEmpty: deregisters an unregistered attribute.
– LeaveIn: deregisters a registered attribute.
• LeaveAll message
When a participant starts, it starts the LeaveAll timer. When the LeaveAll timer expires,
the participant sends LeaveAll messages to other devices.
A participant sends LeaveAll messages to deregister all attributes so that other
participants can re-register attributes of the local participant. LeaveAll messages are used
to periodically delete useless attributes on the network. For example, an attribute of a
participant is deleted but the participant does not send Leave messages to request other
participants to deregister the attribute because of a sudden power failure. Then this
attribute becomes useless.
GARP Timers
The GARP protocol defines four timers:
• Join timer
The Join timer controls sending of Join messages including JoinIn messages and
JoinEmpty messages.
After sending the first Join message, a participant starts the Join timer. If the participant
receives a JoinIn message before the Join timer expires, it does not send the second Join
message. If the participant does not receive any JoinIn message, it sends the second Join
message when the Join timer expires. This ensures that the Join message can be sent to
other participants. Each port maintains an independent Join timer.
• Hold timer
The Hold timer controls sending of Join messages (JoinIn messages and JoinEmpty
messages) and Leave messages (LeaveIn messages and LeaveEmpty messages).
After a participant is configured with an attribute or receives a message, it does not send
the message to other participants before the Hold timer expires. The participant
encapsulates messages received within the hold time into a minimum number of packets,
reducing the packets sent to other participants. If the participant does not use the Hold
timer but forwards a message immediately after receiving one, a large number of packets
are transmitted on the network. This makes the network unstable and wastes data fields
of packets.
Each port maintains an independent Hold timer. The Hold timer value must be equal to
or smaller than half of the Join timer value.
• Leave timer
The Leave timer controls attribute deregistration.
A participant starts the Leave timer after receiving a Leave or LeaveAll message. If the
participant does not receive any Join message of the corresponding attribute before the
Leave timer expires, the participant deregisters the attribute.
A participant sends a Leave message if one of its attributes is deleted, but this attribute
may still exist on other participants. Therefore, the participant receiving the Leave
message cannot deregister the attribute immediately and needs to wait for messages from
other participants.
For example, an attribute has two sources on the network: participant A and participant
B. Other participants register the attribute through GARP. If the attribute is deleted from
participant A, participant A sends a Leave message to other participants. After receiving
the Leave message, participant B sends a Join message to other participants because the
attribute still exists on participant B. After receiving the Join message from participant
B, other participants retain the attribute. Other participants deregister the attribute only if
they do not receive any Join message of the attribute within a period longer than two
times the Join timer value. Therefore, the Leave timer value must be greater than two
times the Join timer value.
Each port maintains an independent Leave timer.
• LeaveAll timer
When a GARP participant starts, it starts the LeaveAll timer. When the LeaveAll timer
expires, the participant sends a LeaveAll message and restarts the LeaveAll timer.
After receiving a LeaveAll message, a participant restarts all GARP timers. The
participant sends another LeaveAll message when its LeaveAll timer expires. This
reduces LeaveAll messages sent in a period of time.
If LeaveAll timers of multiple devices expire at the same time, they send LeaveAll
messages at the same time, which causes unnecessary LeaveAll messages. To solve this
problem, each device uses a random value between the LeaveAll timer value and 1.5
times the LeaveAll timer value as its LeaveAll timer value. When a LeaveAll event
occurs, all attributes on the entire network are deregistered. The LeaveAll event affects
the entire network; therefore, you need to set the LeaveAll timer to a proper value, at
least greater than the Leave timer value.
Each device maintains a global LeaveAll timer.
Registration Modes
A manually configured VLAN is a static VLAN, and a VLAN created through GVRP is a
dynamic VLAN. GVRP provides three registration modes. Static VLANs and dynamic
VLANs are processed differently in each registration mode as follows:
• Normal mode: Dynamic VLANs can be registered on a port, and the port can send
declarations of static VLANs and dynamic VLANs.
• Fixed mode: Dynamic VLANs cannot be registered on a port, and the port can send only
declarations of static VLANs.
• Forbidden mode: Dynamic VLANs cannot be registered on a port. All VLANs except
VLAN 1 are deleted from the port, and the port can send only the declaration of VLAN
1.
Attribute Event: Indicates the event that an attribute describes. The value can be:
• 0: LeaveAll Event
• 1: JoinEmpty Event
• 2: JoinIn Event
• 3: LeaveEmpty Event
• 4: LeaveIn Event
• 5: Empty Event
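To see which VLANs a neighbor is declaring, the following added example (not part of the original guide) decodes a captured GVRP frame into the attribute events listed above and flags Join declarations for VLANs outside an allowed set. The field layout (802.3 length, LLC 0x42 0x42 0x03, protocol ID 0x0001, attribute type 1 for VLAN ID, 0x00 End Marks) follows the GARP PDU structure in IEEE 802.1D/802.1Q; the function names, the source MAC address and the sample PDU are constructed for illustration.

```python
import struct

GVRP_DMAC = bytes.fromhex("0180c2000021")   # group address given in the text
LLC_GARP = b"\x42\x42\x03"                  # DSAP, SSAP, control
EVENTS = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn",
          3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}
VID_ATTRIBUTE = 1                           # GVRP attribute type: VLAN ID


def parse_gvrp(frame: bytes):
    """Return [(event_name, vlan_id or None), ...] from an untagged GVRP frame."""
    if len(frame) < 19 or frame[:6] != GVRP_DMAC:
        raise ValueError("not a GVRP frame")
    (length,) = struct.unpack_from("!H", frame, 12)    # 802.3 length field
    body = frame[14:14 + length]                       # drops Ethernet padding
    if len(body) != length or body[:3] != LLC_GARP or body[3:5] != b"\x00\x01":
        raise ValueError("bad length, LLC header or GARP protocol ID")
    pdu, i, out = body[3:], 2, []

    def byte(at):
        if at >= len(pdu):
            raise ValueError("truncated PDU: missing End Mark")
        return pdu[at]

    while byte(i) != 0:                     # End Mark closes the PDU
        attr_type = byte(i)
        i += 1
        while byte(i) != 0:                 # End Mark closes the attribute list
            alen = byte(i)                  # counts the length and event bytes too
            if alen < 2 or i + alen > len(pdu):
                raise ValueError("bad attribute length")
            event, value = pdu[i + 1], pdu[i + 2:i + alen]
            if event not in EVENTS:
                raise ValueError("unknown attribute event %d" % event)
            if attr_type == VID_ATTRIBUTE:
                if event == 0 and not value:            # LeaveAll has no value
                    out.append(("LeaveAll", None))
                elif len(value) == 2:
                    out.append((EVENTS[event], struct.unpack("!H", value)[0]))
                else:
                    raise ValueError("bad VLAN attribute value")
            i += alen
        i += 1                              # skip the attribute-list End Mark
    return out


def joins_outside_policy(events, allowed_vlans):
    """VLANs a neighbor asks to register that the local policy does not allow."""
    return sorted({vid for name, vid in events
                   if name.startswith("Join") and vid not in allowed_vlans})


# Constructed sample: JoinEmpty VLAN 2, JoinIn VLAN 101, LeaveAll, two End Marks.
SAMPLE_PDU = (b"\x00\x01" + b"\x01" + b"\x04\x01\x00\x02" +
              b"\x04\x02\x00\x65" + b"\x02\x00" + b"\x00\x00")


def build_frame(pdu: bytes) -> bytes:
    body = LLC_GARP + pdu
    frame = (GVRP_DMAC + bytes.fromhex("00e0fc000001") +
             struct.pack("!H", len(body)) + body)
    return frame.ljust(60, b"\x00")         # pad to the minimum frame size


if __name__ == "__main__":
    events = parse_gvrp(build_frame(SAMPLE_PDU))
    print(events)
    print(joins_outside_policy(events, allowed_vlans={101}))
```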
This section describes the working procedure of GVRP by using an example. This example
illustrates how a VLAN attribute is registered and deregistered on a network in four phases.
One-Way Registration
[Figure: one-way registration. RouterA (static VLAN 2) Port 1, RouterB Port 2 and Port 3, RouterC Port 4; JoinEmpty messages]
Static VLAN 2 is created on RouterA. Ports on RouterB and RouterC can join VLAN 2
automatically through one-way registration. The process is as follows:
1. After VLAN 2 is created on RouterA, Port 1 of RouterA starts the Join timer and Hold
timer. When the Hold timer expires, Port 1 sends the first JoinEmpty message to
RouterB. When the Join timer expires, Port 1 restarts the Hold timer. When the Hold
timer expires again, Port 1 sends the second JoinEmpty message.
2. After Port 2 of RouterB receives the first JoinEmpty message, RouterB creates dynamic
VLAN 2 and adds Port 2 to VLAN 2. In addition, RouterB requests Port 3 to start the
Join timer and Hold timer. When the Hold timer expires, Port 3 sends the first JoinEmpty
message to RouterC. When the Join timer expires, Port 3 restarts the Hold timer. When
the Hold timer expires again, Port 3 sends the second JoinEmpty message. After Port 2
receives the second JoinEmpty message, RouterB does not take any action because Port
2 has been added to VLAN 2.
3. After Port 4 of RouterC receives the first JoinEmpty message, RouterC creates dynamic
VLAN 2 and adds Port 4 to VLAN 2. After Port 4 receives the second JoinEmpty
message, RouterC does not take any action because Port 4 has been added to VLAN 2.
4. Every time the LeaveAll timer expires or a LeaveAll message is received, each router
restarts the LeaveAll timer, Join timer, Hold timer, and Leave timer. Then Port 1 repeats
step 1 to send JoinEmpty messages. Port 3 of RouterB sends JoinEmpty messages to
RouterC in the same way.
Two-Way Registration
[Figure: two-way registration. RouterA (static VLAN 2) Port 1, RouterB Port 2 and Port 3, RouterC (static VLAN 2) Port 4; JoinEmpty and JoinIn messages]
After one-way registration is complete, Port 1, Port 2, and Port 4 are added to VLAN 2 but
Port 3 is not added to VLAN 2 because only ports receiving a JoinEmpty or JoinIn message
can be added to dynamic VLANs. To transmit traffic of VLAN 2 in both directions, VLAN
registration from RouterC to RouterA is required. The process is as follows:
1. After one-way registration is complete, static VLAN 2 is created on RouterC (the
dynamic VLAN is replaced by the static VLAN). Port 4 of RouterC starts the Join timer
and Hold timer. When the Hold timer expires, Port 4 sends the first JoinIn message
(because it has registered VLAN 2) to RouterB. When the Join timer expires, Port 4
restarts the Hold timer. When the Hold timer expires, Port 4 sends the second JoinIn
message.
2. After Port 3 of RouterB receives the first JoinIn message, RouterB adds Port 3 to VLAN
2 and requests Port 2 to start the Join timer and Hold timer. When the Hold timer expires,
Port 2 sends the first JoinIn message to RouterA. When the Join timer expires, Port 2
restarts the Hold timer. When the Hold timer expires again, Port 2 sends the second
JoinIn message. After Port 3 receives the second JoinIn message, RouterB does not take
any action because Port 3 has been added to VLAN 2.
3. When RouterA receives the JoinIn message, it stops sending JoinEmpty messages to
RouterB. Every time the LeaveAll timer expires or a LeaveAll message is received, each
router restarts the LeaveAll timer, Join timer, Hold timer, and Leave timer. Port 1 of
RouterA sends a JoinIn message to RouterB when the Hold timer expires.
4. RouterB sends a JoinIn message to RouterC.
5. After receiving the JoinIn message, RouterC does not create dynamic VLAN 2 because
static VLAN 2 has been created.
One-Way Deregistration
[Figure: one-way deregistration. RouterA Port 1, RouterB Port 2 and Port 3, RouterC Port 4; static VLAN 2; LeaveEmpty and LeaveIn messages]
When VLAN 2 is not required on the routers, the routers can deregister VLAN 2. The process
is as follows:
1. After static VLAN 2 is manually deleted from RouterA, Port 1 of RouterA starts the
Hold timer. When the Hold timer expires, Port 1 sends a LeaveEmpty message to
RouterB. Port 1 needs to send only one LeaveEmpty message.
2. After Port 2 of RouterB receives the LeaveEmpty message, it starts the Leave timer.
When the Leave timer expires, Port 2 deregisters VLAN 2. Then Port 2 is deleted from
VLAN 2, but VLAN 2 is not deleted from RouterB because Port 3 is still in VLAN 2. At
this time, RouterB requests Port 3 to start the Hold timer and Leave timer. When the
Hold timer expires, Port 3 sends a LeaveIn message to RouterC. Static VLAN 2 is not
deleted from RouterC; therefore, Port 3 can receive the JoinIn message sent from Port 4
after the Leave timer expires. In this case, RouterA and RouterB can still learn dynamic
VLAN 2.
3. After RouterC receives the LeaveIn message, Port 4 is not deleted from VLAN 2
because VLAN 2 is a static VLAN on RouterC.
Two-Way Deregistration
[Figure: two-way deregistration. RouterA Port 1, RouterB Port 2 and Port 3, RouterC Port 4; LeaveEmpty and LeaveIn messages]
To delete VLAN 2 from all the routers, two-way deregistration is required. The process is as
follows:
1. After static VLAN 2 is manually deleted from RouterC, Port 4 of RouterC starts the
Hold timer. When the Hold timer expires, Port 4 sends a LeaveEmpty message to
RouterB.
2. After Port 3 of RouterB receives the LeaveEmpty message, it starts the Leave timer.
When the Leave timer expires, Port 3 deregisters VLAN 2. Then Port 3 is deleted from
dynamic VLAN 2, and dynamic VLAN 2 is deleted from RouterB. At this time, RouterB
requests Port 2 to start the Hold timer. When the Hold timer expires, Port 2 sends a
LeaveEmpty message to RouterA.
3. After Port 1 of RouterA receives the LeaveEmpty message, it starts the Leave timer.
When the Leave timer expires, Port 1 deregisters VLAN 2. Then Port 1 is deleted from
dynamic VLAN 2, and dynamic VLAN 2 is deleted from RouterA.
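The four phases above, together with the registration modes, can be checked with a small steady-state model. This is an added example, not code from the original guide: it ignores timers and individual Join/Leave messages and only computes which ports end up in a VLAN once the network has settled, assuming every trunk allows all VLANs. Class and function names are hypothetical.

```python
class Router:
    def __init__(self, name):
        self.name, self.static, self.ports = name, {1}, []   # VLAN 1 always exists


class Port:
    def __init__(self, name, router, mode="normal"):
        self.name, self.router, self.mode = name, router, mode
        self.peer, self.registered = None, set()   # VLANs learned dynamically
        router.ports.append(self)


def link(a, b):
    a.peer, b.peer = b, a


def declared(port):
    """VLANs this port declares to its neighbor, by registration mode."""
    if port.mode == "forbidden":
        return {1}                                  # only VLAN 1 is declared
    vlans = set(port.router.static)                 # fixed: static VLANs only
    if port.mode == "normal":                       # normal: also dynamic VLANs
        for other in port.router.ports:             # learned on the other ports
            if other is not port:
                vlans |= other.registered
    return vlans


def converge(ports):
    """Recompute dynamic registrations from scratch until nothing changes."""
    for p in ports:
        p.registered = set()
    changed = True
    while changed:
        changed = False
        for p in ports:
            if p.mode != "normal" or p.peer is None:
                continue                            # fixed/forbidden never learn
            learned = declared(p.peer) - p.router.static - p.registered
            if learned:
                p.registered |= learned
                changed = True


def membership(port):
    if port.mode == "forbidden":
        return {1}
    return port.router.static | port.registered


def ports_in_vlan(ports, vlan):
    converge(ports)
    return [p.name for p in ports if vlan in membership(p)]


def build_topology():
    """RouterA(Port 1) -- (Port 2)RouterB(Port 3) -- (Port 4)RouterC."""
    a, b, c = Router("RouterA"), Router("RouterB"), Router("RouterC")
    p1, p2 = Port("Port 1", a), Port("Port 2", b)
    p3, p4 = Port("Port 3", b), Port("Port 4", c)
    link(p1, p2)
    link(p3, p4)
    return (a, b, c), [p1, p2, p3, p4]


if __name__ == "__main__":
    (a, b, c), ports = build_topology()
    a.static.add(2)
    print("one-way registration:  ", ports_in_vlan(ports, 2))
    c.static.add(2)
    print("two-way registration:  ", ports_in_vlan(ports, 2))
    a.static.discard(2)
    print("one-way deregistration:", ports_in_vlan(ports, 2))
    c.static.discard(2)
    print("two-way deregistration:", ports_in_vlan(ports, 2))
```

Setting Port 4 to fixed mode before the first phase leaves only Port 1 and Port 2 in VLAN 2, which is the effect the fixed registration mode has on a neighbor's declarations.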
Licensing Requirements
GVRP is a basic feature of a router and is not under license control.
Feature Limitations
When deploying GVRP on the router, pay attention to the following:
• The 4GE-2S, 4ES2G-S, and 4ES2GP-S cards do not support GVRP.
• AR100-S&AR110-S&AR120-S&AR160-S series routers do not support GVRP.
• Among the AR150-S series routers, only the AR151-S2 does not support GVRP.
• Among the AR1200-S series routers, only the AR1220E-S does not support GVRP.
Context
Before enabling GVRP on an interface, you must enable GVRP globally. GVRP can be
enabled only on trunk interfaces. You must perform related configurations to ensure that all
dynamically registered VLANs can pass the trunk interfaces.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run gvrp
GVRP is enabled globally.
Step 3 Run interface interface-type interface-number
The interface view is displayed.
Step 4 Run port link-type trunk
The link type of the interface is set to trunk.
Step 5 Run port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }
The interface is added to the specified VLANs.
Step 6 Run gvrp
GVRP is enabled on the interface.
By default, GVRP is disabled globally and on each interface.
NOTE
The device supports a maximum of 256 dynamic VLANs when using default GARP timers. When the
recommended GARP timer settings are used, the device supports a maximum of 4094 dynamic VLANs.
----End
Context
A GVRP interface supports three registration modes:
• Normal: In this mode, the GVRP interface can dynamically register and deregister
VLANs, and transmit dynamic VLAN registration information and static VLAN
registration information.
• Fixed: In this mode, the GVRP interface is disabled from dynamically registering and
deregistering VLANs and can transmit only the static VLAN registration information. If
the registration mode is set to fixed for a trunk interface, the interface allows only the
manually configured VLANs to pass even if it is configured to allow all the VLANs to
pass.
• Forbidden: In this mode, the GVRP interface is disabled from dynamically registering
and deregistering VLANs and can transmit only information about VLAN 1. If the
registration mode is set to forbidden for a trunk interface, the interface allows only
VLAN 1 to pass even if it is configured to allow all the VLANs to pass.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run gvrp registration { fixed | forbidden | normal }
The registration mode is set for the interface.
By default, the registration mode of a GVRP interface is normal.
NOTE
Before setting the registration mode for an interface, enable GVRP on the interface.
----End
Context
When a GARP participant is enabled, the LeaveAll timer is started. When the LeaveAll timer
expires, the GARP participant sends LeaveAll messages to request other GARP participants
to re-register all its attributes. Then the LeaveAll timer restarts.
Devices on a network may have different settings for the LeaveAll timer. In this case, all the
devices use the smallest LeaveAll timer value on the network. When the LeaveAll timer of a
device expires, the device sends LeaveAll messages to other devices. After other devices
receive the LeaveAll messages, they reset their LeaveAll timers. Therefore, only the LeaveAll
timer with the smallest value takes effect even if devices have different settings for the
LeaveAll timer.
When using the garp timer command to set the GARP timers, pay attention to the following
points:
• The undo garp timer command restores the default values of GARP timers. If the
default value of a timer is out of the valid range, the undo garp timer command does
not take effect.
• The value range of each timer changes with the values of the other timers. If a value you
set for a timer is not in the allowed range, you can change the value of the timer that
determines the value range of this timer.
• To restore the default values of all the GARP timers, restore the Hold timer to the default
value, and then sequentially restore the Join timer, Leave timer, and LeaveAll timer to
the default values.
It is recommended that you use the following values for the GARP timers:
• GARP Hold timer: 100 centiseconds (1 second)
• GARP Join timer: 600 centiseconds (6 seconds)
• GARP Leave timer: 3000 centiseconds (30 seconds)
• GARP LeaveAll timer: 12000 centiseconds (2 minutes)
When more than 80 dynamic VLANs are created or more than three devices are running
GARP on the network, set the GARP timer to be larger than or equal to the recommended
value. Otherwise, the device CPU is affected. When the number of dynamic VLANs or GARP
devices increases, increase lengths of the GARP timers. Otherwise, traffic may fail to be
forwarded.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run garp timer leaveall timer-value
The value of the LeaveAll timer is set.
The default value of the LeaveAll timer is 1000 centiseconds (10 seconds).
The Leave timer length on an interface is restricted by the global LeaveAll timer length.
When configuring the global LeaveAll timer, ensure that all the interfaces configured with a
GARP Leave timer are working properly.
Step 3 Run interface interface-type interface-number
The interface view is displayed.
Step 4 Run garp timer { hold | join | leave } timer-value
The value of the Hold timer, Join timer, or Leave timer is set.
By default, the value of the Hold timer is 40 centiseconds, the value of the Join timer is 80
centiseconds, and the value of the Leave timer is 240 centiseconds.
----End
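Because each timer's allowed range depends on the others, the order in which the timers are changed matters. The following added example (not part of the original guide) checks a timer set against the relationships stated in this chapter and searches for an order of garp timer commands in which every intermediate state stays valid. It models one interface plus the global LeaveAll timer and checks only those stated relationships; any further range limits the device enforces are not modeled, and the function names are hypothetical.

```python
from itertools import permutations

ORDER = ("hold", "join", "leave", "leaveall")
# Values in centiseconds, as given in the text.
DEFAULT = {"hold": 40, "join": 80, "leave": 240, "leaveall": 1000}
RECOMMENDED = {"hold": 100, "join": 600, "leave": 3000, "leaveall": 12000}


def violations(t):
    """Return the stated timer relationships that the set `t` breaks."""
    out = []
    if 2 * t["hold"] > t["join"]:
        out.append("hold must be <= join / 2")
    if t["leave"] <= 2 * t["join"]:
        out.append("leave must be > 2 * join")
    if t["leaveall"] <= t["leave"]:
        out.append("leaveall must be > leave")
    return out


def plan_change(current, target):
    """Order in which to change timers so that no intermediate state is invalid.

    Returns a list of timer names, or None if no such order exists.
    """
    if violations(current) or violations(target):
        raise ValueError("current and target timer sets must both be valid")
    todo = [name for name in ORDER if current[name] != target[name]]
    for order in permutations(todo):
        state = dict(current)
        for name in order:
            state[name] = target[name]
            if violations(state):
                break                       # this order passes through a bad state
        else:
            return list(order)
    return None


def to_commands(order, target):
    """Render the plan; leaveall is set in the system view, the rest per interface."""
    return ["garp timer %s %d" % (name, target[name]) for name in order]


if __name__ == "__main__":
    raise_order = plan_change(DEFAULT, RECOMMENDED)
    print(to_commands(raise_order, RECOMMENDED))
    restore_order = plan_change(RECOMMENDED, DEFAULT)
    print(to_commands(restore_order, DEFAULT))
```

Raising the timers from the defaults to the recommended values only works in the order LeaveAll, Leave, Join, Hold, the reverse of the restore order given above.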
Procedure
• Run the display gvrp status command to view the status of global GVRP.
• Run the display gvrp statistics [ interface { interface-type interface-number [ to
interface-type interface-number ] }&<1-5> ] command to view the GVRP statistics on
an interface.
Context
GVRP statistics cannot be restored after being cleared. Confirm your action before using this
command.
Procedure
Step 1 Run the reset garp statistics [ interface { interface-type interface-number [ to interface-type
interface-number ] }&<1-10> ] command in the user view to clear GARP statistics on the
specified interfaces.
----End
Networking Requirements
As shown in Figure 10-10, company A, a branch of company A, and company B are
connected using switches. To implement dynamic VLAN registration, enable GVRP. The
branch of company A can communicate with the headquarters using RouterA and RouterB.
Company B can communicate with company A using RouterB and RouterC. Interfaces
connected to company A allow only the VLAN to which company B belongs to pass.
[Figure 10-10: networking diagram with company A, the branch of company A, and company B]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable GVRP to implement dynamic VLAN registration.
2. Configure GVRP on all switch devices of company A and set the registration mode to
normal for the interfaces to simplify configurations.
3. Configure GVRP on all switch devices of company B and set the registration mode to
fixed for the interfaces connecting to company A to allow only the VLAN to which
company B belongs to pass.
Procedure
Step 1 Create VLAN 101 to VLAN 200 on RouterA.
<RouterA> system-view
[RouterA] vlan batch 101 to 200
# Set the link type of Eth 2/0/1 and Eth 2/0/2 to trunk, and configure the interfaces to allow all
VLANs to pass through.
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type trunk
[RouterA-Ethernet2/0/1] port trunk allow-pass vlan all
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] port link-type trunk
[RouterA-Ethernet2/0/2] port trunk allow-pass vlan all
[RouterA-Ethernet2/0/2] quit
# Enable GVRP on the interfaces and set the registration modes for the interfaces.
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] gvrp
[RouterA-Ethernet2/0/1] gvrp registration normal
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] gvrp
[RouterA-Ethernet2/0/2] gvrp registration normal
[RouterA-Ethernet2/0/2] quit
# Set the link type of Eth 2/0/1 and Eth 2/0/2 to trunk, and configure the interfaces to allow all
VLANs to pass through.
[RouterC] interface ethernet 2/0/1
[RouterC-Ethernet2/0/1] port link-type trunk
[RouterC-Ethernet2/0/1] port trunk allow-pass vlan all
[RouterC-Ethernet2/0/1] quit
[RouterC] interface ethernet 2/0/2
[RouterC-Ethernet2/0/2] port link-type trunk
[RouterC-Ethernet2/0/2] port trunk allow-pass vlan all
[RouterC-Ethernet2/0/2] quit
# Enable GVRP on the interfaces and set the registration modes for the interfaces.
[RouterC] interface ethernet 2/0/1
[RouterC-Ethernet2/0/1] gvrp
[RouterC-Ethernet2/0/1] gvrp registration fixed
[RouterC-Ethernet2/0/1] quit
[RouterC] interface ethernet 2/0/2
[RouterC-Ethernet2/0/2] gvrp
[RouterC-Ethernet2/0/2] gvrp registration normal
[RouterC-Ethernet2/0/2] quit
# Run the display gvrp statistics command on RouterA to view GVRP statistics, including
the GVRP state of each interface, number of GVRP registration failures, source MAC address
of the last GVRP PDU, and registration mode of each interface.
<RouterA> display gvrp statistics interface ethernet 2/0/1
GVRP statistics on port Ethernet2/0/1
GVRP status : Enabled
GVRP registrations failed : 0
GVRP last PDU origin : 0001-0001-0001
GVRP registration type : Normal
----End
Configuration Files
l Configuration file of RouterA
#
sysname RouterA
#
vlan batch 101 to 200
#
gvrp
#
interface ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
interface ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
return
11 STP/RSTP Configuration
This chapter describes the concepts and configuration procedures for the Spanning Tree
Protocol (STP) and Rapid Spanning Tree Protocol (RSTP), and provides configuration
examples.
11.1 Overview of STP/RSTP
11.2 Understanding STP/RSTP
11.3 Application Scenarios for STP/RSTP
11.4 Summary of STP/RSTP Configuration Tasks
11.5 Default Settings for STP/RSTP
11.6 Licensing Requirements and Limitations for STP
11.7 Configuring Basic STP/RSTP Functions
You can configure STP/RSTP on an Ethernet network to trim the network into a loop-free tree
topology.
11.8 Setting STP Parameters that Affect STP Convergence
STP cannot implement rapid convergence. However, STP parameters including the network
diameter, timeout interval, Hello timer value, Max Age timer value, and Forward Delay timer
value can affect the STP convergence speed.
11.9 Setting RSTP Parameters that Affect RSTP Convergence
RSTP supports link type and fast transition configuration on ports to implement rapid
convergence.
11.10 Configuring RSTP Protection Functions
Huawei network devices provide the following RSTP protection functions. You can configure
one or more functions.
11.11 Setting Parameters for Interoperation Between Huawei and Non-Huawei Devices
To implement interoperation between Huawei and non-Huawei devices, select the fast
transition mode based on the Proposal/Agreement mechanism of the non-Huawei device.
11.12 Maintaining STP/RSTP
Definition
Generally, redundant links are used on an Ethernet switching network to provide link backup
and enhance network reliability. The use of redundant links, however, may produce loops,
causing broadcast storms and making the MAC address table unstable. As a result, network
communication may encounter quality deterioration or even be interrupted. STP solves this
problem.
STP refers to the spanning tree protocol defined in IEEE 802.1D, RSTP defined in IEEE
802.1W, and the Multiple Spanning Tree Protocol (MSTP) defined in IEEE 802.1S.
MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table 11-1
compares the STP, RSTP, and MSTP protocols.
STP
l A loop-free tree topology is formed in an STP region to prevent broadcast storms while implementing link redundancy.
l Route convergence is slow.
All VLANs share one spanning tree, and users or services do not need to be differentiated.
Purpose
After a spanning tree protocol is configured on an Ethernet switching network, the protocol
calculates the network topology to implement the following functions:
l Loop prevention: The spanning tree protocol blocks redundant links to prevent potential
loops on the network.
l Link redundancy: If an active link fails and a redundant link exists, the spanning tree
protocol activates the redundant link to ensure network connectivity.
11.2.1 Background
STP prevents loops on a local area network (LAN). The switching devices running STP
exchange information with one another to discover loops on the network, and block certain
ports to eliminate loops. With the growth in scale of LANs, STP has become an important
protocol for a LAN.
Figure 11-1 (diagram: Host A and Host B attached to a loop formed by S1 and S2 through port1 and port2 of each switch; numbered arrows 1 to 5 show the data flow)
On the network shown in Figure 11-1, the following situations may occur:
l Broadcast storms cause a breakdown of the network.
If a loop exists on the network, broadcast storms may occur, leading to a breakdown of
the network. In Figure 11-1, STP is not enabled on the switching devices. If Host A
sends a broadcast request, both S1 and S2 receive the request on port 1 and forward the
request through their port 2. Then, S1 and S2 receive the request forwarded by each
other on port 2 and forward the request through port 1. As this process repeats, resources
on the entire network are exhausted, and the network finally breaks down.
l Assume that no broadcast storm has occurred on the network shown in Figure 11-1.
HostA sends a unicast packet to HostB. If HostB is temporarily removed from the
network at this time, the MAC address entry for HostB will be deleted on S1 and S2. The
unicast packet sent by HostA to HostB is received by port 1 on S1. S1 has no matching
MAC address entry, so the unicast packet is forwarded to port 2. Then port 2 on S2
receives the unicast packet from port 2 on S1 and sends it out through port 1. In addition,
port 1 on S2 also receives the unicast packet sent by HostA to HostB, and sends it out
through port 2. As such transmissions repeat, port 1 and port 2 on S1 and S2
continuously receive unicast packets from HostA. S1 and S2 modify the MAC address
entries continuously, causing the MAC address table to flap. As a result, MAC address
entries are damaged.
Root Bridge
A tree topology must have a root. As defined in STP, the device that functions as the root of a
tree network is called the root bridge.
There is only one root bridge on the entire STP network. The root bridge is the logical center
of the network but is not necessarily at its physical center. The root bridge changes
dynamically with the network topology.
After network convergence, the root bridge generates and sends configuration BPDUs at a
specific interval. Upon receipt of the configuration BPDUs, non-root bridges check
whether the priority of the received BPDUs is higher than that of their local configuration
BPDUs. If the priority is higher, the non-root bridges update the configuration BPDU
information stored on their STP interfaces based on the information in the received BPDUs. If
the priority is lower, the non-root bridges discard the received configuration BPDUs.
The port priority affects the role of a port in a specified spanning tree instance. For details, see
11.2.4 STP Topology Calculation.
l Path cost
The path cost is a port variable used for link selection. STP calculates path costs to select
robust links and blocks redundant links, and finally trims the network into a loop-free
tree topology.
On an STP network, a port's path cost to the root bridge is the sum of the path costs of all
ports between the port and the root bridge. This path cost is the root path cost.
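Figure 11-2 (diagram: ports A and B of S3 and S4, each labelled with its path cost (PC) and root path cost (RPC); labels as extracted: PC=100;RPC=100, PC=99;RPC=199, PC=200;RPC=100, PC=200;RPC=300)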
l Root bridge
The root bridge is the bridge with the smallest BID. The smallest BID is discovered by
exchanging configuration BPDUs.
l Root port
The root port on an STP device is the port with the smallest path cost to the root bridge
and is responsible for forwarding data to the root bridge. An STP device has only one
root port, and there is no root port on the root bridge.
l Designated port
Table 11-2 explains the designated bridge and designated port.
As shown in Figure 11-3, AP1 and AP2 are ports of S1; BP1 and BP2 are ports of S2;
CP1 and CP2 are ports of S3.
– S1 sends configuration BPDUs to S2 through AP1, so S1 is the designated bridge
for S2, and AP1 is the designated port on S1.
– S2 and S3 are connected to the LAN. If S2 forwards configuration BPDUs to the
LAN, S2 is the designated bridge for the LAN, and BP2 is the designated port on
S2.
Figure 11-3 (diagram: ports AP1 and AP2 of S1, BP1 and BP2 of S2, and CP1 and CP2 of S3; S2 and S3 attach to a LAN)
After the root bridge, root ports, and designated ports are selected successfully, a tree
topology is set up on the entire network. When the topology is stable, only the root port and
designated ports forward traffic. The other ports are in the Blocking state; they only receive
STP BPDUs and do not forward user traffic.
Comparison Principles
During role election, STP devices compare four fields, which form a BPDU priority vector
{root ID, root path cost, sender BID, PID}.
Table 11-3 describes the four fields carried in a configuration BPDU.
Root ID | ID of the root bridge. Each STP network has only one root bridge.
Root path cost | Path cost to the root bridge. It is determined by the distance between the port sending the configuration BPDU and the root bridge.
Sender BID | BID of the device that sends the configuration BPDU.
After a device on the STP network receives a configuration BPDU, it compares the fields
listed in Table 11-3 with its own values. The four comparison principles are as follows:
l Smallest BID: used to select the root bridge. Devices on an STP network select the
device with the smallest BID based on the root ID field in Table 11-3.
l Smallest root path cost: used to select the root port on a non-root bridge. On the root
bridge, the path cost of each port is 0.
l Smallest sender BID: used to select the root port among ports with the same root path
cost. The port with the smallest BID is selected as the root port in STP calculation. For
example, S2 has a smaller BID than S3 in Figure 11-2. If the BPDUs received on port A
and port B of S4 contain the same root path cost, port B becomes the root port on S4
because the BPDU received on port B has a smaller sender BID.
l Smallest PID: used to determine which port should be blocked when multiple ports have
the same root path cost. The port with the greatest PID is blocked. The PIDs are
compared in the scenario shown in Figure 11-4. The BPDUs received on port A and port
B of S1 contain the same root path cost and sender BID. Port A has a smaller PID than
port B. Therefore, port B is blocked to prevent loops.
Figure 11-4 (diagram: ports A and B of S1 connected to S2; legend: designated port, blocked port)
Port States
Table 11-4 describes the possible states of ports on an STP device.
Forwarding | A port in Forwarding state can forward user traffic and process BPDUs. | Only the root port and designated port can enter the Forwarding state.
Learning | When a port is in Learning state, the device creates MAC address entries based on user traffic received on the port but does not forward user traffic through the port. | This is a transitional state, which is designed to prevent temporary loops.
Listening | All ports are in Listening state before the root bridge, root port, and designated port are selected. | This is a transitional state.
Blocking | A port in Blocking state receives and forwards only BPDUs, and does not forward user traffic. | This is the final state of a blocked port.
Figure 11-5 (diagram: port state transitions among Disabled or Down, Blocking, Listening, Learning, and Forwarding; the transitions are numbered 1 to 5)
1 The port is initialized or enabled, and enters the Blocking state.
NOTE
By default, a Huawei network device uses the MSTP mode. After a device transitions from the MSTP
mode to the STP mode, its STP ports support only those states defined in MSTP, which are Forwarding,
Learning, and Discarding. Table 11-5 describes the three port states.
Port State | Description
Forwarding | A port in Forwarding state can forward user traffic and process BPDUs.
Learning | This is a transitional state. When a port is in Learning state, it can send and receive BPDUs, but does not forward user traffic. The device creates MAC address entries based on user traffic received on the port but does not forward user traffic through the port.
The following parameters affect the STP port states and convergence.
l Hello Time
The Hello Time specifies the interval at which an STP device sends configuration
BPDUs to detect link failures.
When the Hello Time is changed, the new value takes effect only after a new root bridge
is elected. The new root bridge adds the new Hello Time value in BPDUs it sends to
non-root bridges. When the network topology changes, TCN BPDUs are transmitted
immediately, independent of the Hello Time.
l Forward Delay
The Forward Delay timer specifies the length of delay before a port state transition.
When a link fails, STP calculation is triggered and the spanning tree structure changes.
However, new configuration BPDUs cannot be immediately spread over the entire
network. If the new root port and designated port forward data immediately, transient
loops may occur. Therefore, STP defines a port state transition delay mechanism. The
newly selected root port and designated port must wait for two Forward Delay intervals
before transitioning to the Forwarding state. Within this period, the new configuration
BPDUs can be transmitted over the network, preventing transient loops.
The default Forward Delay timer value is 15 seconds. This means that the port stays in
the Listening state for 15 seconds and then stays in the Learning state for another 15
seconds before transitioning to the Forwarding state. The port does not forward user
traffic when it is in the Listening or Learning state, which is key to preventing transient
loops.
l Max Age
The Max Age specifies the aging time of BPDUs. This parameter is configurable on the
root bridge.
The Max Age is spread to the entire network with configuration BPDUs. After a non-
root bridge receives a configuration BPDU, it compares the Message Age value with the
Max Age value in the received configuration BPDU.
– If the Message Age value is smaller than or equal to the Max Age value, the non-
root bridge forwards the configuration BPDU.
– If the Message Age value is larger than the Max Age value, the non-root bridge
discards the configuration BPDU. When this happens, the network size is
considered too large and the non-root bridge disconnects from the root bridge.
If the configuration BPDU is sent from the root bridge, the value of Message Age is 0.
Otherwise, the value of Message Age is the total time spent to transmit the BPDU from
the root bridge to the local bridge, including the transmission delay. In real world
situations, the Message Age value of a configuration BPDU increases by 1 each time the
configuration BPDU passes through a bridge.
Configuration BPDU
Configuration BPDUs are used most commonly and are sent to exchange topology
information among STP devices.
During initialization, each bridge actively sends configuration BPDUs. After the network
topology becomes stable, the designated port of each device periodically sends configuration
BPDUs. A configuration BPDU is at least 35 bytes long and includes parameters such as the
BID, path cost, and PID. A BPDU is discarded if both the sender BID and Port ID field values
are the same as those of the local port. Otherwise, the BPDU is processed. In this manner,
BPDUs containing the same information as that of the local port are not processed.
A configuration BPDU is sent in one of the following scenarios:
l After STP is enabled on ports of a device, the designated port on the device sends
configuration BPDUs at Hello intervals.
l When a root port receives a configuration BPDU with a priority higher than that of its
own configuration BPDU, the device where the root port resides updates the
configuration BPDU information stored on its STP ports based on the information in the
received configuration BPDU and sends the information to a downstream device through
a designated port. In contrast, if the root port receives a configuration BPDU with a
priority lower than that of its own configuration BPDU, the root port discards the
received configuration BPDU.
l When a designated port receives an inferior configuration BPDU, the designated port
immediately sends its own configuration BPDU to the downstream device.
Table 11-7 describes fields in a BPDU.
Field | Length (bytes) | Description
BPDU Type | 1 | Indicates the type of a BPDU. The value is one of the following:
l 0x00: configuration BPDU
l 0x80: TCN BPDU
Root Path Cost | 4 | Indicates the accumulated path cost from a port to the root bridge.
Bridge Identifier | 8 | Indicates the BID of the bridge that sends the BPDU.
Port Identifier | 2 | Indicates the ID of the port that sends the BPDU.
Message Age | 2 | Records the time that has elapsed since the original BPDU was generated on the root bridge. If the configuration BPDU is sent from the root bridge, the value of Message Age is 0. Otherwise, the value of Message Age is the total time spent to transmit the BPDU from the root bridge to the local bridge, including the transmission delay. In real world situations, the Message Age value of a configuration BPDU increases by 1 each time the configuration BPDU passes through a bridge.
Forward Delay | 2 | Indicates the period during which a port stays in the Listening and Learning states.
Figure 11-7 shows the Flags field. Only the leftmost and rightmost bits are used in STP.
Figure 11-7 (diagram: Flags field layout from Bit7 to Bit0; the bits between them are reserved)
TCN BPDU
A TCN BPDU contains only three fields: Protocol Identifier, Version, and Type, as shown in
Table 11-7. The Type field is four bytes long and is fixed at 0x80.
When the network topology changes, TCN BPDUs are transmitted upstream until they reach
the root bridge. A TCN BPDU is sent in either of the following scenarios:
l A port transitions to the Forwarding state.
l A designated port receives a TCN BPDU and sends a copy to the root bridge.
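The BPDU fields, the Flags bits, and the Max Age rule described above can be checked on captured frames with a small decoder. The following Python is an added example, not Huawei code: it assumes the standard 35-byte IEEE 802.1D configuration BPDU layout (Table 11-7 as it survives here lists only part of it) with timer fields in units of 1/256 second, and the function names, the `expected_root` input, and all sample values are constructed for illustration.

```python
import struct

BPDU_TYPES = {0x00: "config", 0x02: "rst", 0x80: "tcn"}
FLAG_TC, FLAG_TCA = 0x01, 0x80          # rightmost and leftmost bits of Flags
HEADER = struct.Struct("!HBB")          # Protocol Identifier, Version, BPDU Type
BODY = struct.Struct("!B8sI8sHHHHH")    # Flags through Forward Delay (31 bytes)


def parse_bpdu(data):
    """Decode a BPDU payload (the bytes after the LLC header) into a dict."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than the 4-byte BPDU header")
    proto, version, btype = HEADER.unpack_from(data)
    if proto != 0 or btype not in BPDU_TYPES:
        raise ValueError("not a spanning tree BPDU")
    bpdu = {"type": BPDU_TYPES[btype], "version": version}
    if bpdu["type"] == "tcn":
        return bpdu                     # a TCN BPDU carries only the header fields
    if len(data) < HEADER.size + BODY.size:
        raise ValueError("configuration BPDU shorter than 35 bytes")
    flags, root, cost, bridge, port, age, max_age, hello, fwd = BODY.unpack_from(
        data, HEADER.size)
    bpdu.update(
        tc=bool(flags & FLAG_TC), tca=bool(flags & FLAG_TCA),
        root_id=root, root_path_cost=cost, bridge_id=bridge, port_id=port,
        # Timer fields are encoded in units of 1/256 second.
        message_age=age / 256, max_age=max_age / 256,
        hello_time=hello / 256, forward_delay=fwd / 256,
    )
    return bpdu


def review(bpdu, expected_root, stp_only=False):
    """Return the findings a monitoring script could raise for one BPDU.

    expected_root is the 8-byte BID of the bridge the operator configured as
    root (a hypothetical monitoring input, not something the BPDU carries).
    """
    if bpdu["type"] == "tcn":
        return ["topology change notification"]
    findings = []
    if stp_only and bpdu["type"] == "rst":
        findings.append("dropped: RST BPDU (type 2) on a device running STP")
    if bpdu["message_age"] > bpdu["max_age"]:
        findings.append("discard: Message Age exceeds Max Age")
    if bpdu["root_id"] < expected_root:  # smaller BID wins the root election
        findings.append("alert: root ID superior to the configured root bridge")
    if bpdu["tc"]:
        findings.append("TC set: downstream devices delete MAC address entries")
    return findings


# ---- constructed sample input (not captured traffic) ----
def bid(priority, mac_hex):
    """8-byte bridge ID: 2-byte priority followed by the 6-byte MAC address."""
    return struct.pack("!H", priority) + bytes.fromhex(mac_hex)


def build_config(root, cost, bridge, port, age_s, flags=0, btype=0x00):
    # Sample timers in seconds: Message Age, Max Age 20, Hello 2, Forward Delay 15.
    timers = [int(t * 256) for t in (age_s, 20, 2, 15)]
    # Version equals the type value for both STP (0/0x00) and RSTP (2/0x02).
    return HEADER.pack(0, btype, btype) + BODY.pack(
        flags, root, cost, bridge, port, *timers)


SAMPLE_ROOT = bid(0, "00e0fc000001")
SAMPLE_PEER = bid(32768, "00e0fc000009")
SAMPLE_OTHER = bid(0, "000000000001")
SAMPLES = {
    "normal": build_config(SAMPLE_ROOT, 0, SAMPLE_ROOT, 0x8001, 0),
    "aged": build_config(SAMPLE_ROOT, 200, SAMPLE_PEER, 0x8002, 21),
    "unexpected_root": build_config(SAMPLE_OTHER, 0, SAMPLE_OTHER, 0x8001, 0,
                                    flags=FLAG_TC),
    "rst": build_config(SAMPLE_ROOT, 0, SAMPLE_ROOT, 0x8001, 0, btype=0x02),
    "tcn": HEADER.pack(0, 0, 0x80),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, len(raw), review(parse_bpdu(raw), SAMPLE_ROOT, stp_only=True))
```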
BPDU Exchange
Figure 11-8 shows the initial information exchange process. The four parameters in a pair of
brackets represent the root ID (S1_MAC and S2_MAC are BIDs of the two devices), root
path cost, sender BID, and PID carried in configuration BPDUs. Configuration BPDUs are
sent at Hello intervals.
Figure 11-8 (diagram: port A of S1 sends {S1_MAC,0,S1_MAC,A_PID}; port B of S2 sends {S2_MAC,0,S2_MAC,B_PID})
Because each bridge considers itself the root bridge, the BPDU sent from a port is set as
follows:
The root ID is the BID of the local bridge, the root path cost is 0, the sender BID is the
BID of the local bridge, and the PID is the ID of the port that sends the BPDU.
2. Root bridge election
During network initialization, every device considers itself the root bridge and sets the
root ID to its own BID. Then devices exchange configuration BPDUs and compare their
root IDs to find the device with the smallest BID, which finally becomes the root bridge.
3. Root port and designated port selection
Table 11-8 describes the process of selecting the root port and designated port.
1 A non-root bridge device selects the port that receives the optimal configuration
BPDU as the root port. Table 11-9 describes the process of selecting the optimal
configuration BPDU.
2 The device generates a configuration BPDU for each port and calculates the
fields in the configuration BPDU based on the configuration BPDU on the root
port and path cost of the root port:
l Replaces the root ID with the root ID in the configuration BPDU on the root
port.
l Replaces the root path cost with the sum of the root path cost in
configuration BPDU on the root port and the path cost of the root port.
l Replaces the sender BID with the local BID.
l Replaces the PID with the local port ID.
3 The device compares the calculated configuration BPDU with the configuration
BPDU received on the port:
l If the calculated configuration BPDU is superior, the port is selected as the
designated port and periodically sends the calculated configuration BPDU.
l If the port's own configuration BPDU is superior, the configuration BPDU
on the port is not updated and the port is blocked. After that, the port only
receives BPDUs, and does not forward data or send BPDUs.
1 Each port compares the received configuration BPDU with its own
configuration BPDU:
l If the received configuration BPDU is inferior, the port discards the received
configuration BPDU and does not retain its own configuration BPDU.
l If the received configuration BPDU is superior, the port replaces its own
configuration BPDU with the received one.
2 The device compares configuration BPDUs on all the ports and selects the
optimal one.
Figure 11-9 (diagram: STP topology calculation. DeviceA (priority 0, root bridge) has Port A1 and Port A2, DeviceB (priority 1) has Port B1 and Port B2, and DeviceC (priority 2) has Port C1 and Port C2. The links are labelled with their path costs. Legend: root port, designated port, blocked port.)
As shown in Figure 11-9, DeviceA, DeviceB, and DeviceC are deployed on the network, with
priorities 0, 1, and 2, respectively. The path costs between DeviceA and DeviceB, DeviceA
and DeviceC, and DeviceB and DeviceC are 5, 10, and 4, respectively.
DeviceA
l Port A1 receives the configuration BPDU {1, 0, 1, Port B1} from Port B1 and finds it inferior to its own configuration BPDU {0, 0, 0, Port A1}, so Port A1 discards the received configuration BPDU.
l Port A2 receives the configuration BPDU {2, 0, 2, Port C1} from Port C1 and finds it inferior to its own configuration BPDU {0, 0, 0, Port A2}, so Port A2 discards the received configuration BPDU.
l DeviceA finds that the root bridge and designated bridge specified in the configuration BPDUs on its ports are both itself. Therefore, DeviceA considers itself as the root bridge and periodically sends configuration BPDUs from each port without modifying the BPDUs.
Configuration BPDU on each port after the comparison:
l Port A1: {0, 0, 0, Port A1}
l Port A2: {0, 0, 0, Port A2}
DeviceB
l Port B1 receives the configuration BPDU {0, 0, 0, Port A1} from Port A1 and finds it superior to its own configuration BPDU {0, 0, 0, Port B1}, so Port B1 updates its configuration BPDU.
l Port B2 receives the configuration BPDU {2, 0, 2, Port C2} from Port C2 and finds it inferior to its own configuration BPDU {1, 0, 1, Port B2}, so Port B2 discards the received configuration BPDU.
Configuration BPDU on each port after the comparison:
l Port B1: {0, 0, 0, Port A1}
l Port B2: {1, 0, 1, Port B2}
DeviceC
l Port C1 receives the configuration BPDU {0, 0, 0, Port A2} from Port A2 and finds it superior to its own configuration BPDU {0, 0, 0, Port C1}, so Port C1 updates its configuration BPDU.
l Port C2 receives the configuration BPDU {1, 0, 1, Port B2} from Port B2 and finds it superior to its own configuration BPDU {1, 0, 1, Port C2}, so Port C2 updates its configuration BPDU.
Configuration BPDU on each port after the comparison:
l Port C1: {0, 0, 0, Port A2}
l Port C2: {1, 0, 1, Port B2}
l Port C2 receives the configuration BPDU {0, 5, 1, Port B2} from Port B2 and finds it superior to its own configuration BPDU {0, 10, 2, Port C2}, so Port C2 updates its configuration BPDU.
l Port C1 receives the configuration BPDU {0, 0, 0, Port A2} from Port A2 and finds it the same as its own configuration BPDU, so Port C1 discards the received configuration BPDU.
Configuration BPDU on each port after the comparison:
l Port C1: {0, 0, 0, Port A2}
l Port C2: {0, 5, 1, Port B2}
l The root path cost of Port C1 is 10 (root path cost 0 in the received configuration BPDU plus the link path cost 10), and the root path cost of Port C2 is 9 (root path cost 5 in the received configuration BPDU plus the link path cost 4). DeviceC finds that Port C2 has a smaller root path cost and therefore considers the configuration BPDU of Port C2 superior to that of Port C1. DeviceC then selects Port C2 as the root port and retains its configuration BPDU.
l DeviceC calculates the configuration BPDU {0, 9, 2, Port C1} for Port C1 based on the configuration BPDU and path cost of the root port, and finds the calculated configuration BPDU inferior to the original configuration BPDU {0, 0, 0, Port A2} on Port C2. DeviceC blocks Port C1 and does not update its configuration BPDU. Port C1 no longer forwards data until STP recalculation is triggered, for example, when the link between DeviceB and DeviceC is Down.
Configuration BPDU on each port after the comparison:
l Blocked port (Port C1): {0, 0, 0, Port A2}
l Root port (Port C2): {0, 5, 1, Port B2}
After the topology becomes stable, the root bridge still sends configuration BPDUs at a
specific interval set by the Hello timer. Upon receipt of the configuration BPDUs, non-root
bridges check whether the priority of the received BPDUs is higher than that of their local
configuration BPDUs. If the priority is higher, the non-root bridges update the configuration
BPDU information stored on their STP interfaces based on the information in the received
BPDUs. If the priority is lower, the non-root bridges discard the received configuration
BPDUs.
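The topology calculation for Figure 11-9 can be reproduced by applying the comparison principles to the priority vector {root ID, root path cost, sender BID, PID} until nothing changes. The following Python is an added example, not Huawei code: it uses the device priorities 0, 1, and 2 as BIDs as the text does, assigns port IDs 1 and 2 as an assumption, starts every port with the BPDU {local BID, 0, local BID, local PID}, and the function and variable names are hypothetical.

```python
# Constructed model of Figure 11-9. A smaller tuple is a superior BPDU, so
# Python's tuple ordering implements the four comparison principles in order.
BRIDGES = {"DeviceA": 0, "DeviceB": 1, "DeviceC": 2}          # name -> BID
PORTS = {                                                      # name -> (bridge, PID)
    "A1": ("DeviceA", 1), "A2": ("DeviceA", 2),
    "B1": ("DeviceB", 1), "B2": ("DeviceB", 2),
    "C1": ("DeviceC", 1), "C2": ("DeviceC", 2),
}
LINKS = [("A1", "B1", 5), ("A2", "C1", 10), ("B2", "C2", 4)]  # (port, port, path cost)


def elect(bridges, ports, links):
    """Run the election to a fixed point; return (roles, root_of, rpc)."""
    peer, cost = {}, {}
    for a, b, c in links:
        peer[a], peer[b] = b, a
        cost[a] = cost[b] = c

    # Initialization: every bridge considers itself the root bridge.
    stored = {p: (bridges[br], 0, bridges[br], pid) for p, (br, pid) in ports.items()}
    roles = {p: "designated" for p in ports}
    root_of = dict(bridges)
    rpc = {br: 0 for br in bridges}

    while True:
        before = (dict(stored), dict(roles))

        # 1. Designated ports send; a port keeps a received BPDU only if superior.
        sent = {p: stored[p] for p in ports if roles[p] == "designated"}
        for p in ports:
            rx = sent.get(peer.get(p))
            if rx is not None and rx < stored[p]:
                stored[p] = rx

        # 2. Each bridge selects its root port, then decides the other ports.
        for br, bid in bridges.items():
            local = [p for p in ports if ports[p][0] == br]
            learned = [p for p in local if stored[p][2] != bid]

            def via(p):
                # Vector as seen through port p: add the port's own path cost,
                # and break remaining ties on the local PID.
                root, c, sender, sender_pid = stored[p]
                return (root, c + cost[p], sender, sender_pid, ports[p][1])

            best = min(learned, key=via, default=None)
            if best is not None and via(best)[0] < bid:
                root_of[br], rpc[br] = via(best)[0], via(best)[1]
                roles[best] = "root"
            else:
                best, root_of[br], rpc[br] = None, bid, 0

            for p in local:
                if p == best:
                    continue
                calc = (root_of[br], rpc[br], bid, ports[p][1])
                if stored[p][2] == bid or calc < stored[p]:
                    stored[p], roles[p] = calc, "designated"
                else:
                    roles[p] = "blocked"   # the received BPDU stays superior

        if (stored, roles) == before:
            return roles, root_of, rpc


if __name__ == "__main__":
    roles, root_of, rpc = elect(BRIDGES, PORTS, LINKS)
    print(roles, root_of, rpc)
    # Recalculation after the DeviceB-DeviceC link goes Down.
    print(elect(BRIDGES, PORTS, LINKS[:2])[0])
```

Running it with the DeviceB-DeviceC link removed shows Port C1 leaving the blocked role, the recalculation case mentioned at the end of the table.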
Figure 11-10 (diagram: a topology change is generated on point T. 1st step: a TCN is going up to the root. 2nd step: the root advertises the TC for max_age + forward delay.)
1. When the status of the interface at point T changes, a downstream device continuously
sends TCN BPDUs to the upstream device.
2. The upstream device processes only the TCN BPDUs received on the designated port
and drops TCN BPDUs on other ports.
3. The upstream device sets the TCA bit of the Flags field in the configuration BPDUs to 1
and returns the configuration BPDUs to instruct the downstream device to stop sending
TCN BPDUs.
4. The upstream device sends a copy of the TCN BPDUs toward the root bridge.
5. Steps 1, 2, 3 and 4 are repeated until the root bridge receives the TCN BPDUs.
6. The root bridge sets the TC bit of the Flags field in the configuration BPDUs to 1 to
instruct the downstream devices to delete MAC address entries.
NOTE
l TCN BPDUs are used to inform the upstream device and root bridge of topology changes.
l Configuration BPDUs with the TCA bit set to 1 are used by the upstream device to inform the
downstream device that the topology changes are known and instruct the downstream device to stop
sending TCN BPDUs.
l Configuration BPDUs with the TC bit set to 1 are used by the upstream device to inform the
downstream device of topology changes and instruct the downstream device to delete MAC address
entries. In this manner, fast network convergence is achieved.
Disadvantages of STP
STP ensures a loop-free network but has a slow network topology convergence speed, leading
to service quality deterioration. If the network topology changes frequently, connections on
the STP network are frequently torn down, causing frequent service interruption. This is
unacceptable to users.
Figure 11-11 (two diagrams of S1 (root bridge), S2, and S3 showing port roles; legend: root port, designated port, alternate port, backup port)
As shown in Figure 11-11, RSTP defines four port roles: root port, designated port,
alternate port, and backup port.
The functions of the root port and designated port are the same as those defined in STP.
The alternate port and backup port are described as follows:
– From the perspective of configuration BPDU transmission:
n An alternate port is blocked after learning a configuration BPDU sent by
another bridge.
n A backup port is blocked after learning a configuration BPDU sent by itself.
– From the perspective of user traffic:
n An alternate port acts as a backup of the root port and provides an alternate
path from the designated bridge to the root bridge.
n A backup port acts as a backup of the designated port and provides a backup
path from the root bridge to the related network segment.
After roles of all RSTP ports are determined, the topology convergence is
completed.
Table 11-12 Comparison between port states defined in STP and RSTP
STP Port State | RSTP Port State | Port Role
Disabled | Discarding | -
l RSTP changes the configuration BPDU format and uses the Flags field to describe port
roles.
RSTP retains the basic configuration BPDU format defined in STP and makes minor
changes:
– The value of the Type field is changed from 0 to 2. Devices running STP will drop
the configuration BPDUs sent from devices running RSTP.
– The Flags field uses the six bits reserved in STP. This configuration BPDU is called
an RST BPDU. Figure 11-12 shows the Flags field in an RST BPDU.
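Figure 11-13 (diagram: proposal/agreement between p0 on S1 and p1 on S2, with steps 1 Proposal and 3 Agreement; S2 also has ports p2, p3, and p4)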
STP can select designated ports quickly; however, to prevent loops, all ports must wait at least
one Forward Delay interval before starting data forwarding. RSTP blocks non-root ports to
prevent loops and uses the proposal/agreement mechanism to shorten the time that an
upstream port waits before transitioning to the Forwarding state.
NOTE
The proposal/agreement mechanism applies only to P2P full-duplex links between two switching
devices. When proposal/agreement fails, a designated port is elected after two Forward Delay intervals,
same as designated port election in STP mode.
STP Application
Loops often occur on a complex network, because multiple physical links are often deployed
between two devices to implement link redundancy. Loops may cause broadcast storms and
damage MAC address entries on network devices.
Figure 11-14 (diagram: STP application with a network, CE1, CE2, PC1, and PC2; legend: blocked port)
As shown in Figure 11-14, STP is deployed on the devices. The devices exchange
information to discover loops on the network and block a port to trim the ring topology into a
loop-free tree topology. The tree topology prevents infinite looping of packets on the network
and ensures packet processing capabilities of the devices.
Task | Description
11.8 Setting STP Parameters that Affect STP Convergence | STP cannot implement rapid convergence. However, you can set STP parameters, including the network diameter, timeout interval, Hello timer value, Max Age timer value, and Forward Delay timer value to speed up convergence.
11.9 Setting RSTP Parameters that Affect RSTP Convergence | RSTP supports link type and fast transition configuration on ports to implement rapid convergence.
11.10 Configuring RSTP Protection Functions | You can configure one or more RSTP protection functions on a Huawei device.
Licensing Requirements
STP is a basic feature of a router and is not under license control.
Feature Limitations
None.
Context
A switching device supports three working modes: STP, RSTP, and MSTP. Use the STP mode
on a ring network running only STP, and use the RSTP mode on a ring network running only
RSTP.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp mode { stp | rstp }
The working mode of the switching device is set to STP or RSTP.
By default, the working mode of a switching device is MSTP. MSTP is compatible with STP
and RSTP.
----End
Context
The root bridge of a spanning tree is automatically calculated. You can also manually specify
a root bridge or secondary root bridge.
• A spanning tree can have only one effective root bridge. When two or more devices are
specified as root bridges for a spanning tree, the device with the smallest MAC address is
elected as the root bridge.
• You can specify multiple secondary root bridges for each spanning tree. When the root
bridge fails or is powered off, a secondary root bridge becomes the new root bridge. If a
new root bridge is specified, the secondary root bridge will not become the root bridge.
If there are multiple secondary root bridges, the one with the smallest MAC address
becomes the root bridge of the spanning tree.
NOTE
It is recommended that you specify the root bridge and secondary root bridge when configuring STP/
RSTP.
Procedure
• Perform the following operations on the device you want to use as the root bridge.
a. Run system-view
The system view is displayed.
b. Run stp root primary
The device is configured as the root bridge.
By default, a switching device does not function as the root bridge. After you run
this command, the priority value of the device is set to 0 and cannot be changed.
• Perform the following operations on the device you want to use as the secondary root
bridge.
a. Run system-view
The system view is displayed.
b. Run stp root secondary
The device is configured as the secondary root bridge.
By default, a switching device does not function as the secondary root bridge. After
you run this command, the priority value of the device is set to 4096 and cannot be
changed.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp priority priority
A priority is set for the switching device.
----End
Table 11-15 Mappings between link rates and path cost values
Link Rate | Recommended Path Cost | Recommended Path Cost Range | Allowable Path Cost Range
10 Gbit/s | 2 | 2 to 20 | 1 to 200000
If a network has loops, it is recommended that you set a large path cost for ports with low link
rates. STP/RSTP then blocks these ports.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is specified.
By default, the IEEE 802.1t standard (dot1t) is used to calculate the path costs.
All Layer 2 switches enabled with STP or RSTP on the same network must use the same path
cost calculation algorithm.
Step 3 Run interface interface-type interface-number
The view of an interface participating in STP calculation is displayed.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of an interface participating in STP calculation is displayed.
Step 3 Run stp port priority priority
A priority is set for the interface.
The default priority value of a port on a switching device is 128.
----End
Procedure
• Enable STP/RSTP on a switching device.
a. Run system-view
The system view is displayed.
b. Run stp enable
STP/RSTP is enabled on the switching device.
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths for associated VLANs
are changed. Switching devices need to update the ARP entries corresponding to those
VLANs. Depending on how switching devices process ARP entries, STP/RSTP convergence
mode can be fast or normal.
• In fast mode, ARP entries to be updated are directly deleted.
• In normal mode, ARP entries to be updated are rapidly aged.
The remaining lifetime of ARP entries to be updated is set to 0 to immediately age the
ARP entries out. If the number of ARP aging probes is greater than 0, the switching
device performs aging probe for these ARP entries.
Run the stp converge { fast | normal } command in the system view to configure the STP/
RSTP convergence mode.
By default, the normal STP/RSTP convergence mode is used. The normal mode is
recommended. If the fast mode is used, ARP entries will be frequently deleted, causing a high
CPU usage (even 100%). As a result, network flapping will frequently occur.
Pre-configuration Tasks
Before setting STP parameters that affect STP convergence, configure basic STP functions.
Context
Any two terminals on a switching network are connected through a specific path along
multiple devices. The network diameter is the maximum number of devices between any two
terminals. A larger network diameter indicates a larger network scale.
An improper network diameter may cause slow network convergence and affect
communication. Run the stp bridge-diameter command to set an appropriate network
diameter based on the network scale, which helps speed up convergence.
It is recommended that all devices be configured with the same network diameter.
Procedure
Step 1 Run system-view
NOTE
• RSTP uses a single spanning tree instance on the entire network. As a result, performance
deterioration cannot be prevented when the network scale grows. Therefore, the network diameter
cannot be larger than 7.
• It is recommended that you run the stp bridge-diameter diameter command to set the network
diameter. Then, the switching device calculates the optimal Forward Delay timer value, Hello timer
value, and Max Age timer value based on the configured network diameter.
----End
Context
If a device does not receive any BPDUs from the upstream device within the timeout interval,
the device considers the upstream device to have failed and recalculates the spanning tree.
Sometimes, a device cannot receive the BPDU from the upstream device within the timeout
interval because the upstream device is busy. In this case, recalculating the spanning tree will
cause a waste of network resources. To avoid wasting network resources, set a long timeout
interval on a stable network.
If a switching device does not receive any BPDUs from the upstream device within the
timeout interval, spanning tree recalculation is performed. The timeout interval is calculated
as follows:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp timer-factor factor
The Timer Factor value is set. This parameter determines the timeout interval during which
the device waits for BPDUs from the upstream device.
By default, the timeout period is 9 times the Hello timer value.
----End
To prevent frequent network flapping, make sure that the Hello Time, Forward Delay, and
Max Age timer values conform to the following formulas:
• 2 x (Forward Delay - 1.0 second) >= Max Age
• Max Age >= 2 x (Hello Time + 1.0 second)
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Set the Forward Delay, Hello Time, and Max Age timers.
1. Run stp timer forward-delay forward-delay
The Forward Delay timer is set for the switching device.
By default, the Forward Delay timer is 1500 centiseconds (15 seconds).
2. Run stp timer hello hello-time
The Hello Time is set for the switching device.
By default, the Hello Time is 200 centiseconds (2 seconds).
3. Run stp timer max-age max-age
The Max Age timer is set for the switching device.
By default, the Max Age timer is 2000 centiseconds (20 seconds).
----End
[Figure: RouterA (Root Bridge) and RouterB connected through Eth-Trunk1 and Eth-Trunk2, shown again after configuration; legend: Alternate port, Root port, Designated port]
The maximum number of connections affects only the path cost of an Eth-Trunk interface
participating in spanning tree calculation, and does not affect the actual bandwidth of the Eth-
Trunk link. The actual bandwidth for an Eth-Trunk link depends on the number of active
member interfaces in the Eth-Trunk.
Procedure
Step 1 Run system-view
----End
Procedure
• Run the display stp [ interface interface-type interface-number ] [ brief ] command to
view the spanning tree status and statistics.
----End
Pre-configuration Tasks
Before configuring RSTP parameters that affect RSTP convergence, configure basic RSTP
functions.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp bridge-diameter diameter
The network diameter is configured.
By default, the network diameter is 7.
NOTE
• RSTP uses a single spanning tree instance on the entire network. As a result, performance
deterioration cannot be prevented when the network scale grows. Therefore, the network diameter
cannot be larger than 7.
• It is recommended that you run the stp bridge-diameter diameter command to set the network
diameter. Then, the switching device calculates the optimal Forward Delay timer value, Hello timer
value, and Max Age timer value based on the configured network diameter.
----End
Sometimes, a device cannot receive the BPDU from the upstream device within the timeout
interval because the upstream device is busy. In this case, recalculating the spanning tree will
cause a waste of network resources. To avoid wasting network resources, set a long timeout
interval on a stable network.
If a switching device does not receive any BPDUs from the upstream device within the
timeout interval, spanning tree recalculation is performed. The timeout interval is calculated
as follows:
Procedure
Step 1 Run system-view
The Timer Factor value is set. This parameter determines the timeout interval during which
the device waits for BPDUs from the upstream device.
----End
Context
The following timers are used in spanning tree calculation:
• Forward Delay: specifies the delay before a state transition. After the topology of a ring
network changes, it takes some time to spread the new configuration BPDU throughout
the entire network. As a result, the original blocked port may be unblocked before a new
port is blocked. When this occurs, a loop exists on the network. You can set the Forward
Delay timer to prevent loops. When the topology changes, all ports will be temporarily
blocked during the Forward Delay.
• Hello Time: specifies the interval at which hello packets are sent. A switching device
sends configuration BPDUs at the specified interval to detect link failures. If the
switching device does not receive any BPDUs within an interval of Hello Time, the
switching device recalculates the spanning tree.
• Max Age: determines whether BPDUs expire. A switching device determines that a
received configuration BPDU times out when the Max Age expires.
Devices on a ring network must use the same values of Forward Delay, Hello Time, and Max
Age.
You are not advised to directly change the preceding three timers. The three parameters are
relevant to the network scale; therefore, it is recommended that you set the network diameter
so that the spanning tree protocol automatically adjusts these timers. When the default
network diameter is used, the three timers also retain their default values.
To prevent frequent network flapping, make sure that the Hello Time, Forward Delay, and
Max Age timer values conform to the following formulas:
• 2 x (Forward Delay - 1.0 second) >= Max Age
• Max Age >= 2 x (Hello Time + 1.0 second)
Procedure
Step 1 Run system-view
Step 2 Set the Forward Delay, Hello Time, and Max Age timers.
1. Run stp timer forward-delay forward-delay
----End
Context
The path costs affect spanning tree calculation. Changes of path costs trigger spanning tree
recalculation. The path cost of an interface is affected by its bandwidth, so you can change the
interface bandwidth to affect spanning tree calculation.
As shown in Figure 11-16, deviceA and deviceB are connected through two Eth-Trunk links.
Eth-Trunk 1 has three member interfaces in Up state and Eth-Trunk 2 has two member
interfaces in Up state. Each member link has the same bandwidth, and deviceA is selected as
the root bridge.
• Eth-Trunk 1 has higher bandwidth than Eth-Trunk 2. After STP calculation, Eth-Trunk 1
on deviceB is selected as the root port and Eth-Trunk 2 is selected as the alternate port.
• If the maximum number of connections affecting bandwidth of Eth-Trunk 1 is set to 1,
the path cost of Eth-Trunk 1 is larger than the path cost of Eth-Trunk 2. Therefore, the
two devices perform spanning tree recalculation. Then Eth-Trunk 1 on deviceB becomes
the alternate port and Eth-Trunk 2 becomes the root port.
[Figure 11-16: RouterA (Root Bridge) and RouterB connected through Eth-Trunk1 and Eth-Trunk2, shown again after configuration; legend: Alternate port, Root port, Designated port]
The maximum number of connections affects only the path cost of an Eth-Trunk interface
participating in spanning tree calculation, and does not affect the actual bandwidth of the Eth-
Trunk link. The actual bandwidth for an Eth-Trunk link depends on the number of active
member interfaces in the Eth-Trunk.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run max bandwidth-affected-linknumber link-number
The maximum number of connections affecting the Eth-Trunk bandwidth is set.
By default, the maximum number of connections affecting the bandwidth of an Eth-Trunk is
8.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
• If the Ethernet interface works in full-duplex mode, the interface is connected to a P2P
link. In this case, force-true can be specified in the command to implement rapid
network convergence.
• If the Ethernet interface works in half-duplex mode, you can run the stp point-to-point
force-true command to forcibly set the link type to P2P.
----End
Context
The more BPDUs an interface sends within a Hello Time interval, the more system
resources are consumed. Setting a proper transmission rate (packet-number) on an interface
prevents excess bandwidth usage when network flapping occurs.
Procedure
Step 1 Run system-view
The maximum transmission rate of BPDUs (BPDUs per second) is set for the interface.
NOTE
If the same maximum transmission rate of BPDUs needs to be set for each interface on a device, run
the stp transmit-limit (system view) command.
----End
Context
If an interface on an RSTP-enabled device is connected to an STP-enabled device, the
interface switches to the STP compatible mode.
If the STP-enabled device is powered off or removed, the interface cannot automatically
switch to the RSTP mode. When the interface goes Up again, the interface needs to be
manually switched to the RSTP mode.
If the STP-enabled switching device is switched to the RSTP mode, the interface can
automatically switch to the RSTP mode.
Procedure
• Switching to the RSTP mode in the interface view
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The view of an interface participating in spanning tree calculation is displayed.
c. Run stp mcheck
The interface is switched to the RSTP mode.
• Switching to the RSTP mode in the system view
a. Run system-view
The system view is displayed.
b. Run stp mcheck
The device is switched to the RSTP mode.
----End
NOTE
After all ports are configured as edge ports and BPDU filter ports in the system view, none of the ports on
the local device send BPDUs or negotiate the STP states with directly connected ports on the peer
device. All ports are in Forwarding state. This may cause loops on the network, leading to broadcast
storms. Exercise caution when deciding to perform this configuration.
After a specified port is configured as an edge port and BPDU filter port in the interface view, the port
does not process or send BPDUs and cannot negotiate the STP state with the directly connected port on
the peer device. Exercise caution when deciding to perform this configuration.
Procedure
• Configuring all ports as edge ports and BPDU filter ports
a. Run system-view
The system view is displayed.
b. Run stp edged-port default
All ports are configured as edge ports.
By default, all ports are non-edge ports.
c. Run stp bpdu-filter default
All ports are configured as BPDU filter ports.
By default, all ports are non-BPDU filter ports.
• Configuring a specified port as an edge port and BPDU filter port
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The view of an Ethernet interface that participates in spanning tree calculation is
displayed.
c. Run stp edged-port enable
The port is configured as an edge port.
By default, all ports are non-edge ports.
d. Run stp bpdu-filter enable
The port is configured as a BPDU filter port.
By default, a port is a non-BPDU filter port.
----End
Procedure
• Run the display stp [ interface interface-type interface-number ] [ brief ] command to
view the spanning tree status and statistics.
----End
Procedure
Step 1 Run system-view
----End
Follow-up Procedure
If you want an edge port to automatically recover from the error-down state, run the error-
down auto-recovery cause bpdu-protection interval interval-value command in the system
view to configure the auto recovery function and set a recovery delay on the port. Then a port
in error-down state can automatically go Up after the delay expires. Note the following when
setting the recovery delay:
• By default, the auto recovery function is disabled; therefore, the recovery delay
parameter does not have a default value. When you enable the auto recovery function,
you must set a recovery delay.
• A smaller value of interval-value indicates a shorter time taken for an edge port to go
Up, and a higher frequency of Up/Down state transitions on the port.
• A larger value of interval-value indicates a longer time taken for the edge port to go Up,
and a longer service interruption time.
• The auto recovery function takes effect only for the interfaces that transition to the
error-down state after the error-down auto-recovery command is executed.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp tc-protection threshold threshold
The maximum number of times the switching device processes TC BPDUs and updates
forwarding entries within the specified time period is set.
NOTE
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
By default, root protection is disabled on the interface. Root protection takes effect only on
designated ports. Root protection and loop protection cannot be configured on the same
interface.
----End
Context
If the root port or alternate port does not receive BPDUs from the upstream device for a long
time, a switch with loop protection enabled sends a notification to the NMS. If the port is the
root port, it enters the Discarding state and becomes the designated port. If the port is the
alternate port, it remains blocked and becomes the designated port. In
this case, loops will not occur. After the link is no longer congested or the unidirectional link
failure is rectified, the port receives BPDUs for negotiation and restores its original role and status.
Procedure
Step 1 Run system-view
NOTE
An alternate port is a backup for a root port. If a switching device has an alternate port, configure loop
protection on both the root port and the alternate port.
Root protection and loop protection cannot be configured on the same port.
----End
Procedure
• Run the display stp [ interface interface-type interface-number ] [ brief ] command to
view the spanning tree status and statistics.
----End
Context
A switching device supports the following Proposal/Agreement modes:
• Enhanced mode: The device determines the root port when it calculates the
synchronization flag bit.
a. An upstream device sends a Proposal message to a downstream device to request
fast state transition. After receiving the message, the downstream device sets the
port connected to the upstream device as the root port and blocks all non-edge ports.
b. The upstream device sends an Agreement message to the downstream device. After
the downstream device receives the message, the root port transitions to the
Forwarding state.
c. The downstream device responds with an Agreement message. After receiving the
message, the upstream device sets the port connected to the downstream device as
the designated port, and then the designated port transitions to the Forwarding state.
• Common mode: The device ignores the root port when it calculates the synchronization
flag bit.
a. An upstream device sends a Proposal message to a downstream device to request
fast state transition. After receiving the message, the downstream device sets the
port connected to the upstream device as the root port and blocks all non-edge ports.
Then, the root port transitions to the Forwarding state.
b. The downstream device responds with an Agreement message. After receiving the
message, the upstream device sets the port connected to the downstream device as
the designated port, and then the designated port transitions to the Forwarding state.
On an STP network, if a Huawei switching device is connected to a non-Huawei device that
uses a different Proposal/Agreement mechanism, the two devices may fail to interoperate with
each other. Select the enhanced mode or common mode based on the Proposal/Agreement
mechanism of the non-Huawei device.
Pre-configuration Tasks
Before setting parameters for interoperation between Huawei and non-Huawei devices,
configure basic STP/RSTP functions.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of an interface participating in spanning tree calculation is displayed.
----End
STP/RSTP statistics cannot be restored after being cleared. Exercise caution when deciding to
clear STP/RSTP statistics.
Procedure
• Run the reset stp [ interface interface-type interface-number ] statistics command to
clear spanning-tree statistics.
• Run the reset stp error packet statistics command to clear statistics about error STP
packets.
----End
Context
The statistics about STP/RSTP topology changes can be viewed. If the statistics increase,
network flapping occurs.
Procedure
• Run the display stp topology-change command to view statistics about STP/RSTP
topology changes.
• Run the display stp [ interface interface-type interface-number ] [ brief ] command to
view the spanning tree status and statistics.
----End
[Figure: diagram labels Network, Root Bridge, RouterA (Eth2/0/0, Eth2/0/1), SwitchC and SwitchD (Eth0/0/1, Eth0/0/2, Eth0/0/3, Eth0/0/4), Blocked port]
Configuration Roadmap
The configuration roadmap is as follows:
STP is not required on the ports connected to terminals because these ports do not need to
participate in STP calculation. Disable STP on the ports or configure the ports as edge ports.
Procedure
Step 1 Configure basic STP functions.
1. Configure the STP mode for the switching devices on the ring network.
# Configure the STP mode on RouterA. The configurations of SwitchA, SwitchB,
SwitchC and SwitchD are similar to that of RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] stp mode stp
– The path cost value range depends on path cost calculation methods. This example uses the
Huawei proprietary calculation method and sets the path cost to 200000.
– All switching devices on a network must use the same path cost calculation method. To use
other path cost calculation methods, see the list of recommended value ranges for the specific
path cost calculation method.
# On RouterA, set the path cost calculation method to the Huawei proprietary method.
The configurations of SwitchA, SwitchB, SwitchC and SwitchD are similar to that of
RouterA.
[RouterA] stp pathcost-standard legacy
# Run the display stp brief command on SwitchA to view port roles and states. Eth0/0/1 is
selected as the root port, whereas Eth0/0/2 and Eth0/0/3 are selected as designated ports. The
ports are all in the Forwarding state.
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 Ethernet0/0/1 ROOT FORWARDING NONE
0 Ethernet0/0/2 DESI FORWARDING NONE
0 Ethernet0/0/3 DESI FORWARDING NONE
# Run the display stp brief command on SwitchB to view port roles and states. Eth0/0/1 is
selected as the root port, whereas Eth0/0/2 and Eth0/0/3 are selected as designated ports. The
ports are all in the Forwarding state.
[SwitchB] display stp brief
MSTID Port Role STP State Protection
0 Ethernet0/0/1 ROOT FORWARDING NONE
0 Ethernet0/0/2 DESI FORWARDING NONE
0 Ethernet0/0/3 DESI FORWARDING NONE
# Run the display stp brief command on SwitchC to view port roles and states. Eth0/0/1 is
selected as root port and is in the Forwarding state. Eth0/0/4 is selected as designated port and
is in the Discarding state.
[SwitchC] display stp brief
MSTID Port Role STP State Protection
0 Ethernet0/0/1 ROOT FORWARDING NONE
0 Ethernet0/0/4 DESI DISCARDING NONE
# Run the display stp brief command on SwitchD to view port roles and states. Eth0/0/1 is
selected as root port and is in the Forwarding state. Eth0/0/4 is selected as designated port and
is in the Discarding state.
----End
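The display stp brief captures above can serve as a baseline for detecting unexpected spanning tree changes. The following added example (not part of the original guide) parses two captures and reports a moved root port, a bridge that stopped being the root, and a port that lost its protection setting. The RouterA rows, the whole later capture, and the names parse_stp_brief and compare are constructed for illustration.

```python
import re

PROMPT = re.compile(r"^[\[<]([^\]>]+)[\]>]\s*display stp brief\s*$")
ROW = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z]+)\s+([A-Z]+)\s+([A-Z]+)\s*$")

# Baseline: the SwitchA output shown above plus a constructed RouterA capture
# (root bridge with root protection on both designated ports).
BASELINE = """\
[RouterA] display stp brief
MSTID Port Role STP State Protection
0 Ethernet2/0/0 DESI FORWARDING ROOT
0 Ethernet2/0/1 DESI FORWARDING ROOT
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 Ethernet0/0/1 ROOT FORWARDING NONE
0 Ethernet0/0/2 DESI FORWARDING NONE
0 Ethernet0/0/3 DESI FORWARDING NONE
"""

# Constructed later capture: root protection is gone from Ethernet2/0/0 and
# both devices now reach the root through a different port.
LATER = """\
[RouterA] display stp brief
MSTID Port Role STP State Protection
0 Ethernet2/0/0 ROOT FORWARDING NONE
0 Ethernet2/0/1 DESI FORWARDING ROOT
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 Ethernet0/0/1 DESI FORWARDING NONE
0 Ethernet0/0/2 DESI FORWARDING NONE
0 Ethernet0/0/3 ROOT FORWARDING NONE
"""


def parse_stp_brief(text):
    """Return {device: {(mstid, port): (role, state, protection)}}."""
    devices, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        prompt = PROMPT.match(line)
        if prompt:
            current = devices.setdefault(prompt.group(1), {})
            continue
        row = ROW.match(line)          # the header line does not start with a digit
        if row and current is not None:
            mstid, port, role, state, prot = row.groups()
            current[(int(mstid), port)] = (role, state, prot)
    return devices


def root_ports(table, mstid):
    """Ports holding the ROOT role in one spanning tree instance."""
    return sorted(port for (m, port), (role, _, _) in table.items()
                  if m == mstid and role == "ROOT")


def compare(baseline_text, later_text):
    """Return sorted (device, kind, detail) findings for devices in both captures."""
    base, cur = parse_stp_brief(baseline_text), parse_stp_brief(later_text)
    findings = []
    for dev in sorted(set(base) & set(cur)):
        for mstid in sorted({m for m, _ in base[dev]}):
            old, new = root_ports(base[dev], mstid), root_ports(cur[dev], mstid)
            if not old and new:
                # No root port in the baseline means the device was the root bridge.
                findings.append((dev, "ROOT_BRIDGE_LOST", new[0]))
            elif old != new:
                detail = ",".join(old) + " -> " + (",".join(new) or "none")
                findings.append((dev, "ROOT_PORT_MOVED", detail))
        for key, (_, _, prot) in base[dev].items():
            if key not in cur[dev]:
                findings.append((dev, "PORT_MISSING", key[1]))
            elif prot != "NONE" and cur[dev][key][2] == "NONE":
                findings.append((dev, "PROTECTION_REMOVED", key[1]))
    return sorted(findings)


if __name__ == "__main__":
    for device, kind, detail in compare(BASELINE, LATER):
        print(f"{device}: {kind}: {detail}")
```

A moved root port can also follow an ordinary link failure, so treat these findings as prompts to check the topology change statistics rather than as proof of a rogue bridge.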
Configuration Files
• RouterA configuration file
#
sysname RouterA
#
stp mode stp
stp instance 0 root primary
stp pathcost-standard legacy
#
interface Ethernet2/0/0
#
interface Ethernet2/0/1
#
return
#
interface Ethernet0/0/4
stp instance 0 cost 200000
#
return
[Figure: diagram labels Network, Root Bridge, RouterA (Eth2/0/0, Eth2/0/1), SwitchC and SwitchD (Eth0/0/1, Eth0/0/2, Eth0/0/3, Eth0/0/4), Blocked port]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic RSTP functions, including:
a. Configure the RSTP mode for the switching devices on the ring network.
b. Configure primary and secondary root bridges.
c. Set a path cost for the ports to block certain ports.
d. Enable RSTP to eliminate loops.
▪ Enable RSTP globally.
▪ Enable RSTP on all the ports except those connected to terminals.
NOTE
RSTP is not required on the ports connected to terminals because these ports do not need to
participate in RSTP calculation.
2. Configure RSTP protection functions. For example, configure root protection on
designated ports of the root bridge.
Procedure
Step 1 Configure basic RSTP functions.
1. Configure the RSTP mode for the devices on the ring network.
# Configure the RSTP mode on RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] stp mode rstp
– The path cost value range depends on path cost calculation methods. This example uses the
Huawei proprietary calculation method and sets the path cost to 200000.
– All switching devices on a network must use the same path cost calculation method. To use
other path cost calculation methods, see the list of recommended value ranges for the specific
path cost calculation method.
# On RouterA, set the path cost calculation method to the Huawei proprietary method.
[RouterA] stp pathcost-standard legacy
# On SwitchA, SwitchB, SwitchC and SwitchD, set the path cost calculation method to
the Huawei proprietary method according to the configuration guide of the switches.
# Set the path cost of Eth0/0/4 on SwitchC and SwitchD to 200000. (The detailed
configuration is not provided here.)
4. Enable RSTP to eliminate loops.
– Disable RSTP on the ports directly connected to PCs.
# Disable RSTP on the ports of SwitchC and SwitchD connected to PCs.
– Enable RSTP globally.
# Enable RSTP globally on RouterA.
[RouterA] stp enable
# Enable RSTP on all the ports except those connected to PCs on SwitchA,
SwitchB, SwitchC and SwitchD.
Step 2 Configure RSTP protection.
# Enable root protection on Eth2/0/0 and Eth2/0/1 of RouterA.
[RouterA] interface ethernet 2/0/0
# After RouterA is configured as the root bridge, Ethernet2/0/0 connected to SwitchA and
Ethernet2/0/1 connected to SwitchB are elected as designated ports through spanning tree
calculation.
----End
Configuration Files
• RouterA configuration file
#
sysname RouterA
#
stp mode rstp
stp instance 0 root primary
stp pathcost-standard legacy
#
interface Ethernet2/0/0
stp root-protection
#
interface Ethernet2/0/1
stp root-protection
#
return
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
return
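The settings this chapter warns about can be checked offline against a saved configuration file. The following added example (not Huawei's code) reads a file in the layout shown above and reports BPDU filtering, the fast convergence mode, timer values that break the two timer formulas, and root bridge ports without root protection. The sample configuration and the names parse_config, timers_from and audit_stp are constructed; skipping edge ports in the root protection check is an assumption of this example.

```python
import re

# Timer defaults stated in this chapter, in centiseconds.
DEFAULT_TIMERS = {"forward-delay": 1500, "hello": 200, "max-age": 2000}

# Constructed sample in the layout of the configuration files above.
SAMPLE_CONFIG = """\
#
sysname RouterA
#
stp mode rstp
stp instance 0 root primary
stp converge fast
stp timer hello 400
stp timer max-age 800
#
interface Ethernet2/0/0
 stp root-protection
#
interface Ethernet2/0/1
#
interface Ethernet2/0/2
 stp edged-port enable
 stp bpdu-filter enable
#
return
"""


def parse_config(text):
    """Split a configuration file into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", "return", ""):
            current = None                  # '#' closes the current view
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def timers_from(global_lines):
    """Configured stp timer values, falling back to the chapter's defaults."""
    timers = dict(DEFAULT_TIMERS)
    for line in global_lines:
        m = re.fullmatch(r"stp timer (forward-delay|hello|max-age) (\d+)", line)
        if m:
            timers[m.group(1)] = int(m.group(2))
    return timers


def audit_stp(text):
    """Return a sorted list of (finding, subject) tuples."""
    glob, ifaces = parse_config(text)
    findings = []

    # Edge port plus BPDU filter on every port: no port negotiates STP state.
    if "stp edged-port default" in glob and "stp bpdu-filter default" in glob:
        findings.append(("BPDU_FILTER_ALL_PORTS", "system"))
    # Fast mode deletes ARP entries directly and can drive CPU usage up.
    if "stp converge fast" in glob:
        findings.append(("CONVERGE_FAST", "system"))

    # The two timer formulas, with 1.0 second written as 100 centiseconds.
    t = timers_from(glob)
    if not 2 * (t["forward-delay"] - 100) >= t["max-age"]:
        findings.append(("TIMER_FORWARD_DELAY_VS_MAX_AGE", "system"))
    if not t["max-age"] >= 2 * (t["hello"] + 100):
        findings.append(("TIMER_MAX_AGE_VS_HELLO", "system"))

    is_root = any(re.fullmatch(r"stp (instance \d+ )?root primary", line)
                  for line in glob)
    for name, lines in ifaces.items():
        if "stp bpdu-filter enable" in lines:
            findings.append(("BPDU_FILTER_PORT", name))
        edge = "stp edged-port enable" in lines   # assumption: edge ports are skipped
        if is_root and not edge and "stp root-protection" not in lines:
            findings.append(("ROOT_BRIDGE_PORT_WITHOUT_ROOT_PROTECTION", name))
    return sorted(findings)


if __name__ == "__main__":
    for finding, subject in audit_stp(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```

Run against the RouterA configuration file shown above, the audit returns no findings, because both designated ports carry stp root-protection.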
NOTE
AR502E series do not support MSTP.
11.14.3 How Does STP Process MAC and ARP Entries After the
Network Topology Changes?
If the network topology changes, the Spanning Tree Protocol (STP) clears media access
control (MAC) addresses, and ages Address Resolution Protocol (ARP) entries by default.
12 MSTP Configuration
This chapter describes the concepts and configuration procedure of the Multiple Spanning
Tree Protocol (MSTP), and provides configuration examples.
12.1 Overview of MSTP
This section describes the definition and purpose of MSTP.
12.2 Understanding MSTP
This section describes the principles of MSTP.
12.3 Application Scenarios for MSTP
This section describes the applicable environment of MSTP.
12.4 Summary of MSTP Configuration Tasks
12.5 Default Settings for MSTP
12.6 Licensing Requirements and Limitations for MSTP
12.7 Configuring Basic MSTP Functions
MSTP based on the basic STP/RSTP function divides a switching network into multiple
regions, each of which has multiple spanning trees that are independent of each other. MSTP
isolates different VLANs' traffic, and load-balances VLAN traffic.
12.8 Configuring MSTP Parameters on an Interface
Proper MSTP parameter settings achieve rapid convergence.
12.9 Configuring MSTP Protection Functions
Huawei datacom devices provide the following MSTP protection functions. You can
configure one or more functions.
12.10 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei
Devices
To communicate with a non-Huawei device, set proper parameters on the MSTP-enabled
Huawei device.
12.11 Maintaining MSTP
12.12 Configuration Examples for MSTP
Definition
Generally, redundant links are used on an Ethernet switching network to provide link backup
and enhance network reliability. The use of redundant links, however, may produce loops,
causing broadcast storms and rendering the MAC address table unstable. As a result, the
communication quality deteriorates, and the communication service may even be interrupted.
The Spanning Tree Protocol (STP) is introduced to solve this problem.
STP refers to STP defined in IEEE 802.1D, the Rapid Spanning Tree Protocol (RSTP) defined
in IEEE 802.1w, and the Multiple Spanning Tree Protocol (MSTP) defined in IEEE 802.1s.
MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table 12-1
shows the comparison between STP, RSTP, and MSTP.
NOTE
The AR111-S, AR121-S and AR151-S2 only support one loop-free tree.
Purpose
After a spanning tree protocol is configured on an Ethernet switching network, it calculates
the network topology and implements the following functions to remove network loops:
• Loop cut-off: The potential loops on the network are cut off by blocking redundant links.
• Link redundancy: When an active path becomes faulty, a redundant link can be activated
to ensure network connectivity.
[Figure 12-1: switching devices S1 to S6 with HostA (VLAN2) and HostC (VLAN3); links are labelled VLAN2 or VLAN3]
On the network shown in Figure 12-1, STP or RSTP is enabled. The broken line shows the
spanning tree. S6 is the root switching device. The links between S1 and S4 and between S2
and S5 are blocked. VLAN packets are transmitted by using the corresponding links marked
with "VLAN2" or "VLAN3."
Host A and Host B belong to VLAN 2 but they cannot communicate with each other because
the link between S2 and S5 is blocked and the link between S3 and S6 denies packets from
VLAN 2.
To fix the defect of STP and RSTP, the IEEE released 802.1s in 2002, defining the Multiple
Spanning Tree Protocol (MSTP). MSTP implements fast convergence and provides multiple
paths to load balance VLAN traffic.
MSTP divides a switching network into multiple regions, each of which has multiple
spanning trees that are independent of each other. Each spanning tree is called a Multiple
Spanning Tree Instance (MSTI) and each region is called a Multiple Spanning Tree (MST)
region.
NOTE
[Figure 12-2: switching devices S1 to S6 with HostA (VLAN2) and HostC (VLAN3); links are labelled VLAN2 or VLAN3]
As shown in Figure 12-2, MSTP maps VLANs to MSTIs in the VLAN mapping table. Each
VLAN can be mapped to only one MSTI. This means that traffic of a VLAN can be
transmitted in only one MSTI. An MSTI, however, can correspond to multiple VLANs.
In this manner, devices within the same VLAN can communicate with each other; packets of
different VLANs are load balanced along different paths.
[Figure: MSTP network; diagram labels MSTI1, MSTI2, MSTI0, MST Region]
MST Region
An MST region contains multiple switching devices and network segments between them.
The switching devices of one MST region have the following characteristics:
l MSTP-enabled
l Same region name
l Same VLAN-MSTI mappings
l Same MSTP revision level
A LAN can comprise several MST regions that are directly or indirectly connected. Multiple
switching devices can be grouped into an MST region by using MSTP configuration
commands.
As shown in Figure 12-4, the MST region D0 contains the switching devices S1, S2, S3, and
S4, and has three MSTIs.
[Figure 12-4: MST region D0 containing S1, S2, S3, and S4; AP1 is on S1, the master bridge.
MSTI1: root switch S3, carries VLAN1. MSTI2: root switch S2, carries VLAN2 and VLAN3.
MSTI0 (IST): root switch S1, carries the other VLANs.]
Regional Root
Regional roots are classified into Internal Spanning Tree (IST) and MSTI regional roots.
In regions B0, C0, and D0 on the network shown in Figure 12-6, the switching devices
closest to the Common and Internal Spanning Tree (CIST) root are IST regional roots.
An MST region can contain multiple spanning trees, each called an MSTI. An MSTI regional
root is the root of the MSTI. On the network shown in Figure 12-5, each MSTI has its own
regional root.
[Figure 12-5: MST region whose links are labelled VLAN 10&20&30, VLAN 10&20, VLAN 20&30, and
VLAN 10; two devices are marked Root]
MSTIs are independent of each other. An MSTI can correspond to one or more VLANs, but a
VLAN can be mapped to only one MSTI.
Master Bridge
The master bridge is the IST master, which is the switching device closest to the CIST root in
a region, for example, S1 shown in Figure 12-4.
If the CIST root is in an MST region, the CIST root is the master bridge of the region.
CIST Root
[Figure 12-6: regions A0, B0, C0, and D0; the CIST root is in A0; B0, C0, and D0 each have a
region root; legend: IST, CST]
On the network shown in Figure 12-6, the CIST root is the root bridge of the CIST. The CIST
root is a device in A0.
CST
A Common Spanning Tree (CST) connects all the MST regions on a switching network.
If each MST region is considered a node, the CST is calculated by using STP or RSTP based
on all the nodes.
As shown in Figure 12-6, the MST regions are connected to form a CST.
IST
An IST resides within an MST region.
An IST is a special MSTI with the MSTI ID being 0, called MSTI 0.
An IST is a segment of the CIST in an MST region.
As shown in Figure 12-6, the switching devices in an MST region are connected to form an
IST.
CIST
A CIST, calculated by using STP or RSTP, connects all the switching devices on a switching
network.
As shown in Figure 12-6, the ISTs and the CST form a complete spanning tree, the CIST.
SST
A Single Spanning Tree (SST) is formed in either of the following situations:
l A switching device running STP or RSTP belongs to only one spanning tree.
l An MST region has only one switching device.
Port Role
Based on RSTP, MSTP has two additional port types. MSTP ports can be root ports,
designated ports, alternate ports, backup ports, edge ports, master ports, and regional edge
ports.
The functions of root ports, designated ports, alternate ports, and backup ports have been
defined in RSTP. Table 12-2 lists all port roles in MSTP.
Port Role: Description
Root port: A root port is the non-root bridge port closest to the root bridge. Root bridges
do not have root ports.
Root ports are responsible for sending data to root bridges.
As shown in Figure 12-7, S1 is the root; CP1 is the root port on S3; BP1 is the
root port on S2.
Designated port: The designated port on a switching device forwards BPDUs to the downstream
switching device.
As shown in Figure 12-7, AP2 and AP3 are designated ports on S1; CP2 is a
designated port on S3.
Alternate port:
l From the perspective of sending BPDUs, an alternate port is blocked after a
BPDU sent by another bridge is received.
l From the perspective of user traffic, an alternate port provides an alternate
path to the root bridge. This path is different than using the root port.
As shown in Figure 12-7, BP2 is an alternate port.
Backup port:
l From the perspective of sending BPDUs, a backup port is blocked after a
BPDU sent by itself is received.
l From the perspective of user traffic, a backup port provides a backup/
redundant path to a segment where a designated port already connects.
As shown in Figure 12-7, CP3 is a backup port.
Master port: A master port is on the shortest path connecting MST regions to the CIST root.
BPDUs of an MST region are sent to the CIST root through the master port.
Master ports are special regional edge ports, functioning as root ports on ISTs
or CISTs and master ports in instances.
As shown in Figure 12-8, S1, S2, S3, and S4 form an MST region. AP1 on S1,
being the nearest port in the region to the CIST root, is the master port.
Regional edge port: A regional edge port is located at the edge of an MST region and connects to
another MST region or an SST.
During MSTP calculation, the roles of a regional edge port in the MSTI and
the CIST instance are the same. If the regional edge port is the master port in
the CIST instance, it is the master port in all the MSTIs in the region.
As shown in Figure 12-8, AP1, DP1, and DP2 in an MST region are directly
connected to other regions, and therefore they are all regional edge ports of the
MST region.
AP1 is a master port in the CIST. Therefore, AP1 is the master port in every
MSTI in the MST region.
Edge port: An edge port is located at the edge of an MST region and does not connect to
any switching device.
Generally, edge ports are directly connected to terminals.
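Figure 12-7 Root port, designated port, alternate port, and backup port
[Figure: S1 is the root, with ports AP2 and AP3; CP1 is on S3 and BP1 is on S2; legend: root
port, designated port, alternate port, backup port]
[Figure: MST region of S1, S2, S3, and S4; AP1 on S1 is marked Master]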
Port Status: Description
Forwarding: A port in the Forwarding state can send and receive BPDUs as well as forward
user traffic.
Learning: A port in the Learning state learns MAC addresses from user traffic to
construct a MAC address table.
In the Learning state, the port can send and receive BPDUs, but not forward
user traffic.
There is no necessary link between the port status and the port role. Table 12-4 lists the
relationships between port roles and port status.
Yes: The port supports this status. No: The port does not support this status.
Table 12-5 shows differences between TCN BPDUs, configuration BPDUs defined by STP,
RST BPDUs defined by RSTP, and MST BPDUs defined by MSTP.
The first 36 bytes of an intra-region or inter-region MST BPDU are the same as those of an
RST BPDU.
Fields from the 37th byte of an MST BPDU are MSTP-specific. The field MSTI
Configuration Messages consists of configuration messages of multiple MSTIs.
Table 12-6 lists the major information carried in an MST BPDU.
CIST External Path Cost (4 bytes): Indicates the total path costs from the MST region
where the switching device resides to the MST region where the CIST root switching device
resides. This value is calculated based on link bandwidth.
Hello Time (2 bytes): Indicates the Hello timer value. The default value is 2 seconds.
Forward Delay (2 bytes): Indicates the forwarding delay timer. The default value is 15 seconds.
CIST Internal Root Path Cost (4 bytes): Indicates the total path costs from the local port to
the IST master. This value is calculated based on link bandwidth.
If a port transmits either dot1s or legacy BPDUs by default, the user needs to identify the
format of BPDUs sent by the peer, and then run a command to configure the port to support
the peer BPDU format. If the configuration is incorrect, a loop may occur because of
incorrect MSTP calculation.
By using the stp compliance command, you can configure a port on a Huawei datacom
device to automatically adjust the MST BPDU format. With this function, the port
automatically adopts the peer BPDU format. The following MST BPDU formats are
supported by Huawei datacom devices:
l auto
l dot1s
l legacy
In addition to dot1s and legacy formats, the auto mode allows a port to automatically switch
to the BPDU format used by the peer based on BPDUs received from the peer. In this manner,
the two ports use the same BPDU format. In auto mode, a port uses the dot1s BPDU format
by default, and keeps pace with the peer after receiving BPDUs from the peer.
After a switching device becomes the root, it sends BPDUs at Hello intervals. Non-root
switching devices adopt the Hello Time value set for the root.
Huawei datacom devices allow the maximum number of BPDUs sent by a port at a Hello
interval to be configured as needed.
The greater the Hello Time value, the more BPDUs sent at a Hello interval. Setting the Hello
Time to a proper value limits the number of BPDUs sent by a port at a Hello interval. This
helps prevent network topology flapping and avoid excessive use of bandwidth resources by
BPDUs.
MSTP Principle
MSTP can divide the entire Layer 2 network into multiple MST regions, and the CST is
generated through calculation. In an MST region, multiple spanning trees are calculated, each
of which is called an MSTI. Among these MSTIs, MSTI 0 is also known as the internal
spanning tree (IST). Like STP, MSTP uses configuration messages to calculate spanning
trees, but the configuration messages are MSTP-specific.
Vectors
Both MSTIs and the CIST are calculated based on vectors, which are carried in MST BPDUs.
Therefore, switching devices exchange MST BPDUs to calculate MSTIs and the CIST.
Root ID: Identifies the root switching device for the CIST. The root
identifier consists of the priority value (16 bits) and MAC address (48 bits).
The priority value is the priority of MSTI 0.
External root path cost (ERPC): Indicates the path cost from a CIST regional root to the root.
ERPCs saved on all switching devices in an MST region are the
same. If the CIST root is in an MST region, ERPCs saved on all
switching devices in the MST region are 0s.
Regional root ID: Identifies the MSTI regional root. The regional root ID consists
of the priority value (16 bits) and MAC address (48 bits).
The priority value is the priority of MSTI 0.
Internal root path cost (IRPC): Indicates the path cost from the local bridge to the regional root.
The IRPC saved on a regional edge port is greater than the IRPC
saved on a non-regional edge port.
Designated switching device ID: Identifies the nearest upstream bridge on the path from the local
bridge to the regional root. If the local bridge is the root or the
regional root, this ID is the local bridge ID.
Designated port ID: Identifies the port on the designated switching device connected
to the root port on the local bridge. The port ID consists of the
priority value (4 bits) and port number (12 bits). The priority
value must be a multiple of 16.
Receiving port ID: Identifies the port receiving the BPDU. The port ID consists of
the priority value (4 bits) and port number (12 bits). The priority
value must be a multiple of 16.
CIST Calculation
After completing the configuration message comparison, the switching device with the
highest priority on the entire network is selected as the CIST root. MSTP calculates an IST
for each MST region, and computes a CST to interconnect MST regions. On the CST, each
MST region is considered a switching device. The CST and ISTs constitute a CIST for the
entire network.
MSTI Calculation
In an MST region, MSTP calculates an MSTI for each VLAN based on mappings between
VLANs and MSTIs. Each MSTI is calculated independently. The calculation process is
similar to the process for STP to calculate a spanning tree. For details, see 11.2.4 STP
Topology Calculation.
MSTIs have the following characteristics:
l The spanning tree is calculated independently for each MSTI, and spanning trees of
MSTIs are independent of each other.
l MSTP calculates the spanning tree for an MSTI in the manner similar to STP.
l Spanning trees of MSTIs can have different roots and topologies.
l Each MSTI sends BPDUs in its spanning tree.
l The topology of each MSTI is configured by using commands.
l A port can be configured with different parameters for different MSTIs.
l A port can play different roles or have different status in different MSTIs.
On an MSTP-aware network, a VLAN packet is forwarded along the following paths:
l MSTI in an MST region
l CST among MST regions
[Figure: proposal/agreement exchange between a designated port and a root port. Labels: sends a
proposal so that the port can rapidly enter the Forwarding state; the root port blocks all the
other non-edge ports; sends an agreement; the root port enters the Forwarding state; the
designated port enters the Forwarding state.]
Application of MSTP
[Figure 12-11: MST region containing S1, S2, S3, and S4; links are labelled with VLAN sets
(all VLAN, VLAN 10&20, VLAN 20&30, VLAN 20&40)]
MSTP allows packets in different VLANs to be forwarded by using different spanning tree
instances, as shown in Figure 12-11. The configurations are as follows:
l All devices on the network belong to the same MST region.
l VLAN 10 packets are forwarded within MSTI 1; VLAN 30 packets are forwarded within
MSTI 3; VLAN 40 packets are forwarded within MSTI 4; VLAN 20 packets are
forwarded within MSTI 0.
In Figure 12-11, S1 and S2 are devices at the aggregation layer; S3 and S4 are devices at the
access layer. Traffic from VLAN 10 and VLAN 30 is terminated by aggregation devices, and
traffic from VLAN 40 is terminated by the access device. Therefore, S1 and S2 can be
configured as the roots of MSTI 1 and MSTI 3, and S3 can be configured as the root of MSTI
4.
Licensing Requirements
MSTP is a basic feature of a router and is not under license control.
Feature Limitations
When deploying MSTP on the router, pay attention to the following:
The AR160-S series do not support MSTP.
Context
MSTP is commonly configured on switching devices to trim a ring network to a loop-free
network. Devices start spanning tree calculation after the working mode is set and MSTP is
enabled. Use any of the following methods if you need to intervene in the spanning tree
calculation:
Context
Before configuring basic MSTP functions, set the working mode of a switching device to
MSTP. MSTP is compatible with STP and RSTP.
Procedure
Step 1 Run system-view
The working mode of the switching device is set to MSTP. By default, the working mode is
MSTP.
STP and MSTP cannot recognize packets of each other, but MSTP and RSTP can. If an
MSTP-enabled switching device is connected to switching devices running STP, interfaces of
the MSTP-enabled switching device connected to devices running STP automatically
transition to STP mode, and other interfaces still work in MSTP mode. This enables devices
running different spanning tree protocols to interwork with each other.
----End
Context
An MST region contains multiple switching devices and network segments. These switching
devices are directly connected and have the same region name, same VLAN-to-instance
mapping, and the same configuration revision number after MSTP is enabled. One switching
network can have multiple MST regions. You can use MSTP commands to group multiple
switching devices into one MST region.
NOTE
Two switching devices belong to the same MST region when they have the same:
l Name of the MST region
l Mapping between VLANs and MSTIs
l Revision level of the MST region
Perform the following steps on a switching device that needs to join an MST region.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp region-configuration
The MST region view is displayed.
Step 3 Run region-name name
The name of an MST region is configured.
By default, the MST region name is the MAC address of the management network interface
on the MPU of the switching device.
Step 4 Perform either of the following steps to configure VLAN-to-instance mappings.
l Run the instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command to
configure VLAN-to-instance mappings.
l Run the vlan-mapping modulo modulo command to enable VLAN-to-instance mapping
assignment based on a default algorithm.
By default, all VLANs in an MST region are mapped to MSTI 0.
l The VLAN-to-instance mappings generated using the vlan-mapping modulo modulo
command cannot meet network requirements. It is recommended that you run the
instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command to configure
VLAN-to-instance mappings.
l The vlan-mapping modulo modulo command uses the formula (VLAN ID-1)%modulo+1. In the
formula, (VLAN ID-1)%modulo means the remainder of (VLAN ID-1) divided by the
value of modulo. This formula is used to map a VLAN to the corresponding MSTI. The
calculation result of the formula is the ID of the MSTI to which the VLAN is mapped.
Step 5 (Optional) Run revision-level level
The MSTP revision number is set.
By default, the MSTP revision number is 0.
If the revision number of the MST region is not 0, this step is necessary.
NOTE
Changing MST region configurations (especially change of the VLAN mapping table) triggers spanning
tree recalculation and causes route flapping. Therefore:
l After configuring an MST region name, VLAN-to-instance mappings, and an MSTP revision
number, run the check region-configuration command in the MST region view to verify the
configuration. After confirming the region configurations, run the active region-configuration
command to activate MST region configurations.
l You are advised not to modify MST region parameters after the MST region is activated.
----End
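The region membership rule above (same region name, same VLAN-to-instance mappings, same revision level) can be checked offline before the region configuration is activated. The following Python check is an added example, not code from this guide or from Huawei; the device names, the sample stanzas, and the function names are constructed for illustration, and it assumes region stanzas laid out as in the samples.

```python
import re

MAX_VLAN = 4094

# Constructed sample stanzas (not taken from real devices).
SAMPLE_CONFIGS = {
    "S1": """
stp region-configuration
 region-name RG1
 revision-level 1
 instance 1 vlan 10
 instance 2 vlan 20 to 30
 active region-configuration
""",
    "S2": """
stp region-configuration
 region-name RG1
 revision-level 1
 instance 1 vlan 10
 instance 2 vlan 20 to 29
 active region-configuration
""",
    "S3": """
stp region-configuration
 revision-level 1
 vlan-mapping modulo 2
 active region-configuration
""",
}


def expand_vlans(spec):
    """Expand 'vlan-id1 [ to vlan-id2 ]' groups, e.g. '20 to 30 40', into VLAN IDs."""
    tokens = spec.split()
    vlans, i = [], 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end, i = int(tokens[i + 2]), i + 3
        else:
            end, i = start, i + 1
        vlans.extend(range(start, end + 1))
    return vlans


def parse_region(text):
    """Return (region_name, revision_level, {vlan: msti}) for one device."""
    name = None      # None means the default name (the device's own MAC address)
    revision = 0     # default revision level
    mapping = dict.fromkeys(range(1, MAX_VLAN + 1), 0)   # default: all VLANs -> MSTI 0
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"region-name (\S+)", line):
            name = m.group(1)
        elif m := re.fullmatch(r"revision-level (\d+)", line):
            revision = int(m.group(1))
        elif m := re.fullmatch(r"instance (\d+) vlan (.+)", line):
            for vlan in expand_vlans(m.group(2)):
                mapping[vlan] = int(m.group(1))
        elif m := re.fullmatch(r"vlan-mapping modulo (\d+)", line):
            modulo = int(m.group(1))
            for vlan in mapping:
                mapping[vlan] = (vlan - 1) % modulo + 1   # formula given in this guide
    return name, revision, mapping


def region_mismatches(configs, reference):
    """Compare every device with the reference; return {device: [(kind, detail), ...]}."""
    ref_name, ref_rev, ref_map = parse_region(configs[reference])
    report = {}
    for device, text in configs.items():
        if device == reference:
            continue
        name, rev, vmap = parse_region(text)
        issues = []
        # A default name is the device MAC, so it never equals another device's name.
        if name is None or name != ref_name:
            issues.append(("region-name", name))
        if rev != ref_rev:
            issues.append(("revision-level", rev))
        differing = [v for v in sorted(ref_map) if ref_map[v] != vmap[v]]
        if differing:
            issues.append(("vlan-mapping", differing))
        report[device] = issues
    return report


if __name__ == "__main__":
    for device, issues in region_mismatches(SAMPLE_CONFIGS, "S1").items():
        if not issues:
            print(f"{device}: same MST region as S1")
        for kind, detail in issues:
            if kind == "vlan-mapping":
                detail = f"{len(detail)} VLAN(s) differ, first: {detail[:5]}"
            print(f"{device}: {kind} mismatch -> {detail}")
```

A single differing VLAN (VLAN 30 on S2 in the sample) is enough to place a device in a different MST region from its neighbours, which is why the mapping is compared VLAN by VLAN.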
NOTE
It is recommended that the root bridge and secondary root bridge be configured manually.
Procedure
l Perform the following operations on the device to be used as the root bridge.
a. Run system-view
The system view is displayed.
b. Run stp [ instance instance-id ] root primary
The device is configured as the root bridge.
By default, a switching device does not function as the root bridge. After the
configuration is complete, the BID of the device is 0 and cannot be changed.
If instance is not specified, the device in MSTI 0 is a root bridge.
l Perform the following operations on the device to be used as the secondary root bridge.
a. Run system-view
The system view is displayed.
b. Run stp [ instance instance-id ] root secondary
The device is configured as the secondary root bridge.
By default, a switching device does not function as the secondary root bridge. After
the configuration is complete, the BID of the device is 4096 and cannot be changed.
If instance is not specified, the device in MSTI 0 is a backup root bridge.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp [ instance instance-id ] priority priority
A priority is set for the switching device in an MSTI.
The default priority value of the switching device is 32768.
If the instance-id is not designated, a priority is set for the switching device in MSTI0.
NOTE
If the stp [ instance instance-id ] root primary or stp [ instance instance-id ] root secondary
command has been executed to configure the device as the root bridge or secondary root bridge, to
change the device priority, run the undo stp [ instance instance-id ] root command to disable the root
bridge or secondary root bridge function and run the stp [ instance instance-id ] priority priority
command to set a priority.
----End
Table 12-9 Mappings between link rates and path cost values
Link Rate | Recommended Path Cost | Recommended Path Cost Range | Path Cost Range
10 Gbit/s | 2 | 2 to 20 | 1 to 200000
If a network has loops, it is recommended that you set a relatively large path cost for ports
with low link rates.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is configured.
By default, the IEEE 802.1t standard (dot1t) is used to calculate the path cost.
All switching devices on a network must use the same path cost calculation method.
Step 3 Run interface interface-type interface-number
The Ethernet interface view is displayed.
Step 4 Run stp instance instance-id cost cost
A path cost is set for the port in the current MSTI.
l When the Huawei calculation method is used, cost ranges from 1 to 200000.
l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.
----End
Context
During spanning tree calculation, port priorities in MSTIs determine which ports are selected
as designated ports.
To block a port in an MSTI to eliminate loops, set the port priority value to larger than the
default value. This port will be blocked during designated port selection.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run stp instance instance-id port priority priority
A port priority is set in an MSTI.
By default, the port priority is 128.
The value range of the priority is from 0 to 240, in steps of 16.
----End
Context
After configuring basic MSTP functions on a switching device, enable the MSTP function.
After MSTP is enabled on a ring network, it immediately calculates spanning trees on the
network. Configurations on the switching device, such as the switching device priority and
port priority, will affect spanning tree calculation. Any change to the configurations may
cause network flapping. Therefore, to ensure rapid and stable spanning tree calculation,
perform basic configurations on the switching device and its ports before enabling MSTP.
Procedure
l Enable MSTP on a switching device.
a. Run system-view
The system view is displayed.
b. Run stp enable
MSTP is enabled on the switching device.
By default, MSTP is enabled on a router.
l Enable MSTP on an interface.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run stp enable
MSTP is enabled on the interface.
By default, MSTP is enabled on the interface.
----End
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths to associated VLANs are
changed. The ARP entries corresponding to those VLANs on the switching device need to be
updated. MSTP processes ARP entries in either fast or normal mode.
l In fast mode, ARP entries to be updated are directly deleted.
l In normal mode, ARP entries to be updated are rapidly aged.
The remaining lifetime of ARP entries to be updated is set to 0. The switching device
rapidly processes these aged entries. If the number of ARP aging probe attempts is not
set to 0, ARP implements aging probe for these ARP entries.
You can run the stp converge { fast | normal } command in the system view to configure the
STP/RSTP convergence mode.
By default, the normal MSTP convergence mode is used.
NOTE
The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted,
causing the CPU usage on device to reach 100%. As a result, network flapping will frequently occur.
l Run the display stp region-configuration digest command to view the digest
configurations of activated MST regions.
----End
Pre-configuration Tasks
Before configuring MSTP parameters that affect route convergence, complete the following
task:
l Configuring MSTP
Context
Any two terminals on a switching network are connected through a specific path along
multiple devices. The network diameter is the maximum number of devices between any two
terminals. A larger network diameter indicates a larger network scale.
An improper network diameter may cause slow network convergence and affect
communication. Run the stp bridge-diameter command to set an appropriate network
diameter based on the network scale, which helps speed up convergence.
It is recommended that all devices be configured with the same network diameter.
Procedure
Step 1 Run system-view
l RSTP uses a single spanning tree instance on the entire network. As a result,
performance deterioration cannot be prevented when the network scale grows. Therefore,
the network diameter cannot be larger than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the
network diameter. Then, the switching device calculates the optimal Forward Delay
period, Hello timer value, and Max Age timer value based on the set network diameter.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp timer-factor factor
The timeout period for waiting for BPDUs from the upstream device is set.
By default, the timeout period is 9 times the Hello timer value.
----End
so that the spanning tree protocol automatically adjusts these timers. When the default
network diameter is used, the three timers also retain their default values.
To prevent frequent network flapping, make sure that the Hello Time, Forward Delay, and
Max Age timer values conform to the following formulas:
l 2 x (Forward Delay - 1.0 second) >= Max Age
l Max Age >= 2 x (Hello Time + 1.0 second)
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Set Forward Delay, Hello Time, and Max Age.
1. Run stp timer forward-delay forward-delay
The value of Forward Delay of the switching device is set.
By default, the value of Forward Delay of the switching device is 1500 centiseconds.
2. Run stp timer hello hello-time
The value of Hello Time of the switching device is set.
By default, the value of Hello Time of the switching device is 200 centiseconds.
3. Run stp timer max-age max-age
The value of Max Age of the switching device is set.
By default, the value of Max Age of the switching device is 2000 centiseconds.
----End
two devices perform spanning tree recalculation. Then Eth-Trunk 1 on deviceB becomes
the alternate port and Eth-Trunk 2 becomes the root port.
[Figure: RouterA and RouterB connected by Eth-Trunk1 and Eth-Trunk2, after configuration;
labels: Root Bridge, alternate port, root port, designated port]
The maximum number of connections affects only the path cost of an Eth-Trunk interface
participating in spanning tree calculation, and does not affect the actual bandwidth of the Eth-
Trunk link. The actual bandwidth for an Eth-Trunk link depends on the number of active
member interfaces in the Eth-Trunk.
Procedure
Step 1 Run system-view
----End
Context
It is easy to implement rapid convergence on a P2P link. If the two ports connected to a P2P
link are root or designated ports, the ports can transition to the Forwarding state quickly by
sending Proposal and Agreement packets. This reduces the forwarding delay.
Procedure
Step 1 Run system-view
By default, an interface automatically determines whether to connect to a P2P link. The P2P
link supports rapid network convergence.
l If the Ethernet port works in full-duplex mode, the port is connected to a P2P link. In this
case, force-true can be configured to implement rapid network convergence.
l If the Ethernet port works in half-duplex mode, you can run stp point-to-point force-
true to forcibly set the link type to P2P.
----End
Context
A larger value of packet-number indicates more BPDUs sent in a hello interval and therefore
more system resources occupied. Setting the proper value of packet-number prevents excess
bandwidth usage when route flapping occurs.
Procedure
Step 1 Run system-view
By default, the maximum number of BPDUs that a port sends is 6 per second.
----End
Context
If an interface on an MSTP-enabled device is connected to an STP-enabled device, the
interface switches to the STP compatible mode.
If the STP-enabled device is powered off or removed, the interface cannot automatically
switch to the MSTP mode. When the interface goes Up again, the interface needs to be
manually switched to the MSTP mode.
If the STP-enabled switching device is switched to the MSTP mode, the interface can
automatically switch to the MSTP mode.
Procedure
l Switching to the MSTP mode in the interface view
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
c. Run stp mcheck
The device is switched to the MSTP mode.
l Switching to the MSTP mode in the system view
a. Run system-view
The system view is displayed.
b. Run stp mcheck
The device is switched to the MSTP mode.
----End
After all ports are configured as edge ports and BPDU filter ports in the system view, none of
the ports on the device send BPDUs or negotiate the STP status with directly connected ports on
the peer device. All ports are in the Forwarding state. This may cause loops on the network,
leading to broadcast storms. Exercise caution when you configure a port as an edge port and
BPDU filter port.
After a port is configured as an edge port and BPDU filter port in the interface view, the port
does not process or send BPDUs. The port cannot negotiate the STP status with the directly
connected port on the peer device. Exercise caution when you configure a port as an edge port
and BPDU filter port.
Procedure
l Configuring all ports as edge ports and BPDU filter ports in the system view
a. Run system-view
The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
c. (Optional) Run stp edged-port enable
----End
Context
Switching devices on a Layer 2 network running MSTP communicate with each other by
exchanging MST BPDUs. An MST BPDU has a field that indicates the number of remaining
hops.
l The number of remaining hops in a BPDU sent by the root switching device equals the
maximum number of hops.
l The number of remaining hops in a BPDU sent by a non-root switching device equals
the maximum number of hops minus the number of hops from the non-root switching
device to the root switching device.
l If a switching device receives a BPDU in which the number of remaining hops is 0, the
switching device will discard the BPDU.
Therefore, the maximum number of hops of a spanning tree in an MST region determines the
network scale. The stp max-hops command can be used to set the maximum number of hops
in an MST domain so that the network scale of a spanning tree can be controlled.
Procedure
Step 1 Run system-view
By default, the maximum number of hops of the spanning tree in an MST region is 20.
----End
Procedure
l Run the display stp [ instance instance-id ] [ interface interface-type interface-number ]
[ brief ] command to view spanning-tree status and statistics.
----End
Pre-configuration Tasks
Before configuring MSTP protection functions, complete the following task:
l Configuring MSTP
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run stp bpdu-protection
BPDU protection is enabled on the switching device.
By default, BPDU protection is not enabled on the switching device.
----End
Follow-up Procedure
If you want an edge port to automatically recover from the error-down state, run the error-
down auto-recovery cause bpdu-protection interval interval-value command in the system
view to configure the auto recovery function and set a recovery delay on the port. Then a port
in error-down state can automatically go Up after the delay expires. Note the following when
setting the recovery delay:
l By default, the auto recovery function is disabled; therefore, the recovery delay
parameter does not have a default value. When you enable the auto recovery function,
you must set a recovery delay.
l A smaller value of interval-value indicates a shorter time taken for an edge port to go
Up, and a higher frequency of Up/Down state transitions on the port.
l A larger value of interval-value indicates a longer time taken for the edge port to go Up,
and a longer service interruption time.
l The auto recovery function takes effect only for the interfaces that transition to the error-
down state after the error-down auto-recovery command is executed.
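BPDU protection only helps if it is enabled on every device that has edge ports, and error-down ports only come back on their own if auto recovery is configured. The following Python audit is an added example, not code from this guide or from Huawei; it assumes configuration text laid out as in the constructed samples (system-view commands at column 0, interface commands indented, stanzas separated by #), and the device names and finding codes are made up for illustration.

```python
import re

# Constructed sample configurations (not taken from real devices).
SAMPLE_CONFIGS = {
    "access-1": """
#
stp bpdu-protection
error-down auto-recovery cause bpdu-protection interval 30
#
interface Ethernet0/0/1
 stp edged-port enable
#
interface Ethernet0/0/2
#
""",
    "access-2": """
#
interface Ethernet0/0/1
 stp edged-port enable
#
interface Ethernet0/0/2
 stp edged-port enable
#
""",
    "access-3": """
#
stp bpdu-protection
#
interface Ethernet0/0/1
 stp edged-port enable
#
""",
}

RECOVERY_RE = re.compile(
    r"error-down auto-recovery cause bpdu-protection interval (\d+)")


def audit_bpdu_protection(text):
    """Audit one device configuration; return its edge ports and findings."""
    bpdu_protection = False
    recovery_interval = None      # None: auto recovery not configured (the default)
    edge_ports = []
    current_if = None             # interface stanza currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":                       # stanza separator
            current_if = None
        elif not raw.startswith(" "):         # column 0: system-view command
            m = re.fullmatch(r"interface (\S+)", line)
            current_if = m.group(1) if m else None
            if line == "stp bpdu-protection":
                bpdu_protection = True
            m = RECOVERY_RE.fullmatch(line)
            if m:
                recovery_interval = int(m.group(1))
        elif current_if and line == "stp edged-port enable":
            edge_ports.append(current_if)

    findings = []
    if edge_ports and not bpdu_protection:
        # Edge ports exist but nothing reacts when one of them receives a BPDU.
        findings.append("EDGE_NO_BPDU_PROTECTION")
    if bpdu_protection and recovery_interval is None:
        # Protection is on, but error-down ports will not recover automatically.
        findings.append("NO_AUTO_RECOVERY")
    return {
        "edge_ports": edge_ports,
        "bpdu_protection": bpdu_protection,
        "recovery_interval": recovery_interval,
        "findings": findings,
    }


def audit_all(configs):
    """Run the audit over {device: config_text}."""
    return {device: audit_bpdu_protection(text) for device, text in configs.items()}


if __name__ == "__main__":
    for device, result in audit_all(SAMPLE_CONFIGS).items():
        status = ", ".join(result["findings"]) or "ok"
        print(f"{device}: edge ports={result['edge_ports']} "
              f"recovery interval={result['recovery_interval']} -> {status}")
```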
TC protection is used to suppress TC BPDUs. The number of times that TC BPDUs are
processed by a switching device within a given time period is configurable. If the number of
TC BPDUs that the switching device receives within a given time exceeds the specified
threshold, the switching device handles TC BPDUs only for the specified number of times.
Excess TC BPDUs are processed by the switching device together, once, after the
specified time period expires. This protects the switching device from frequently deleting
MAC entries and ARP entries, thereby avoiding overload.
Procedure
Step 1 Run system-view
The number of times the MSTP process handles the received TC BPDUs and updates
forwarding entries within a given time is set.
NOTE
----End
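The TC protection behaviour described above can be modelled in a few lines to see how it bounds the number of MAC/ARP flushes during a TC BPDU flood. This is an added example, not Huawei code: `tc_flush_times` and `flush_savings` are hypothetical helper names, the arrival times are constructed (in milliseconds), and fixed protection windows aligned to t = 0 are an assumption.

```python
def tc_flush_times(arrivals, threshold, interval):
    """Return the times at which the device deletes MAC/ARP entries.

    arrivals  -- arrival times of TC BPDUs (same unit as interval)
    threshold -- number of TC BPDUs handled immediately per window
    interval  -- length of the protection window
    Assumption: windows are fixed and aligned to t = 0.
    """
    flushes = []
    window = None      # index of the window currently being counted
    handled = 0        # TC BPDUs handled immediately in this window
    deferred = False   # True when excess TC BPDUs wait for window expiry

    for t in sorted(arrivals):
        idx = int(t // interval)
        if idx != window:
            # The previous window expired: excess TC BPDUs are processed
            # together, once, at the end of that window.
            if deferred:
                flushes.append((window + 1) * interval)
            window, handled, deferred = idx, 0, False
        if handled < threshold:
            handled += 1
            flushes.append(t)      # handled immediately
        else:
            deferred = True        # suppressed until the window expires

    if deferred:                   # backlog of the last window
        flushes.append((window + 1) * interval)
    return flushes


def flush_savings(arrivals, threshold, interval):
    """Return (TC BPDUs received, flushes actually performed)."""
    return len(arrivals), len(tc_flush_times(arrivals, threshold, interval))


# Constructed flood: one TC BPDU every 100 ms for 5 s.
FLOOD = list(range(0, 5000, 100))

if __name__ == "__main__":
    received, flushed = flush_savings(FLOOD, threshold=3, interval=2000)
    print(f"received {received} TC BPDUs, flushed entries {flushed} times")
```

Without TC protection every one of the 50 TC BPDUs would trigger a flush; with a threshold of 3 per 2000 ms window the model performs at most threshold + 1 flushes per window.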
Context
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive
BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to
serve as the root bridge and the network topology is changed, triggering spanning tree
recalculation. This also may cause the traffic that should be transmitted over high-speed links
to be transmitted over low-speed links, leading to network congestion. The root protection
function on a switching device is used to protect the root bridge by preserving the role of the
designated port.
NOTE
Procedure
Step 1 Run system-view
----End
Context
On a network running MSTP, a switching device maintains the root port status and status of
blocked ports by receiving BPDUs from an upstream switching device. If the switching
device cannot receive BPDUs from the upstream device because of link congestion or
unidirectional-link failure, the switching device re-selects a root port. The original root port
becomes a designated port and the original blocked ports change to the Forwarding state. This
switching may cause network loops, which can be mitigated by configuring loop protection.
If the root port or alternate port does not receive BPDUs from the upstream device for a long
time, a switch with loop protection enabled sends a notification to the NMS. If the root port
is used, the root port enters the Discarding state and becomes the designated port. If the
alternate port is used, the alternate port remains blocked and becomes the designated port. In
this case, loops will not occur. After the link congestion clears or the unidirectional link
failure is rectified, the port receives BPDUs for negotiation and restores its original role and status.
NOTE
An alternate port is a backup port for a root port. If a switching device has an alternate port, you need to
configure loop protection on both the root port and the alternate port.
Perform the following steps on the root port and alternate port on a switching device in an
MST region.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run stp loop-protection
Loop protection for the root port is configured on the switching device.
By default, loop protection is disabled.
Root protection and loop protection cannot be configured simultaneously.
----End
Procedure
l Run the display stp [ instance instance-id ] [ interface interface-type interface-number ]
[ brief ] command to view spanning-tree status and statistics.
----End
Context
The rapid transition mechanism is also called the Proposal/Agreement mechanism. All
switching devices support the following modes:
l Enhanced mode: The current interface counts the root port when it computes the
synchronization flag bit.
– An upstream device sends a Proposal message to a downstream device, requesting
rapid status transition. After receiving the message, the downstream device sets the
port connected to the upstream device as a root port and blocks all non-edge ports.
– The upstream device then sends an Agreement message to the downstream device.
After the downstream device receives the message, the root port transitions to the
Forwarding state.
– The downstream device responds to the Proposal message with an Agreement
message. After receiving the message, the upstream device sets the port connected
to the downstream device as a designated port, and the designated port transitions to
the Forwarding state.
l Common mode: The current interface ignores the root port when it computes the
synchronization flag bit.
– An upstream device sends a Proposal message to a downstream device, requesting
rapid status transition. After receiving the message, the downstream device sets the
port connected to the upstream device as a root port and blocks all non-edge ports.
The root port then transitions to the Forwarding state.
– The downstream device responds to the Proposal message with an Agreement
message. After receiving the message, the upstream device sets the port connected
to the downstream device as a designated port. The designated port then transitions
to the Forwarding state.
When Huawei devices are connected to non-Huawei devices, select the same mode as that
used on non-Huawei devices.
Procedure
Step 1 Run system-view
----End
Context
MSTP protocol packets have two formats: dot1s (IEEE 802.1s standard packets) and legacy
(proprietary protocol packets).
You can specify the packet format and use the auto mode. In auto mode, the switching device
switches the MSTP protocol packet format based on the received MSTP protocol packet
format so that the switching device can communicate with the peer device.
Procedure
Step 1 Run system-view
NOTE
The negotiation will fail if the format of MSTP packets is set to dot1s at one end and legacy at the other
end.
----End
Context
Interconnected Huawei and non-Huawei devices cannot communicate with each other if they
have the same region name, revision number, and VLAN-to-instance mappings but different
BPDU keys. To address this problem, enable the digest snooping function on the Huawei
device.
Perform the following steps on a switching device in an MST region to enable the digest
snooping function.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run stp config-digest-snoop
The digest snooping function is enabled.
----End
Procedure
l Run the reset stp [ interface interface-type interface-number ] statistics command to
clear spanning-tree statistics.
l Run the reset stp error packet statistics command to clear the statistics of error STP packets.
----End
[Figure: MSTP networking diagram. RouterA (Eth2/0/0, Eth2/0/1) sits between the network and the MST region, which includes SwitchC and SwitchD (interfaces Eth0/0/1 to Eth0/0/4). VLAN2~10 map to MSTI1 and VLAN11~20 map to MSTI2. Legend: MSTI1 root switch RouterA and blocked port; MSTI2 root switch RouterA and blocked port.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic MSTP functions, including:
a. Configure the MSTP mode for the ring network.
b. Configure an MST region and create multiple MSTIs to implement load balancing.
c. In the MST region, configure a primary root bridge and a secondary root bridge for
each MSTI.
d. Set path costs for ports to be blocked in each MSTI.
e. Enable MSTP to eliminate loops, including:
– Enable MSTP globally.
– Disable MSTP on the interfaces that are connected to terminals, or configure those
interfaces as edge ports.
– Enable MSTP on all the interfaces except the interfaces connected to
terminals.
NOTE
MSTP is not required on the interfaces connected to terminals because these interfaces do
not need to participate in MSTP calculation.
2. Configure MSTP protection functions, for example, configure root protection on a
designated port of a root bridge in each MSTI.
3. Configure the Layer 2 forwarding function on devices.
Procedure
Step 1 Configure basic MSTP functions.
1. Configure the MSTP mode for the devices on the ring network.
# Configure the MSTP mode on RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] stp mode mstp
# Add SwitchA, SwitchB, SwitchC, and SwitchD to MST region RG1, and create
two MSTIs. MSTI1 maps to VLANs 2 to 10, and MSTI2 maps to VLANs 11 to 20.
3. In RG1, configure primary and secondary root bridges for MSTI1 and MSTI2.
# Configure primary root bridge on RouterA in MSTI1.
[RouterA] stp instance 1 root primary
– The values of path costs depend on the path cost calculation method. This example uses the
Huawei proprietary calculation method and sets the path costs of the ports to be blocked to 200000.
– If the switches are not Huawei 2300 Series, all switches on a network must use the same path
cost calculation method. Refer to STP List of path costs for the standards of other calculation
methods.
# On RouterA, configure the path cost calculation method as the Huawei proprietary
method.
[RouterA] stp pathcost-standard legacy
# On SwitchA, SwitchB, SwitchC and SwitchD, configure the path cost calculation
method as the Huawei proprietary method.
# As shown in Figure 12-13, set the path cost of Eth0/0/4 on SwitchC to 200000 in
MSTI1.
# As shown in Figure 12-13, set the path cost of Eth0/0/4 on SwitchD to 200000 in
MSTI2.
5. Enable MSTP to eliminate loops.
– Disable MSTP on interfaces connected to PCs, or set those interfaces as edge ports.
# As shown in Figure 12-13, disable MSTP on interfaces Eth0/0/2 and Eth0/0/3 of
SwitchC, or set them as edge ports.
# As shown in Figure 12-13, disable MSTP on interfaces Eth0/0/2 and Eth0/0/3 of
SwitchD, or set them as edge ports.
– Enable MSTP globally.
# Enable MSTP globally on RouterA.
[RouterA] stp enable
# As shown in Figure 12-13, enable MSTP on all interfaces of SwitchA, SwitchB, SwitchC,
and SwitchD except the interfaces connected to terminals.
Step 2 Configure MSTP protection function.
# Enable root protection on RouterA Eth2/0/0 and Eth2/0/1.
[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] stp root-protection
[RouterA-Ethernet2/0/0] quit
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] stp root-protection
[RouterA-Ethernet2/0/1] quit
# Add interfaces Eth0/0/1, Eth0/0/2 and Eth0/0/3 on SwitchA and SwitchB to VLAN 2
to 20.
# Add interfaces Eth0/0/1, Eth0/0/2, Eth0/0/3 and Eth0/0/4 on SwitchC to VLAN 2 to
10.
# Add interfaces Eth0/0/1, Eth0/0/2, Eth0/0/3 and Eth0/0/4 on SwitchD to VLAN 11 to
20.
# After completing the preceding configurations, run the following commands to verify the
configuration when the network is stable:
# Run display stp brief on RouterA to view the interface status and protection type. The
displayed information is as follows:
[RouterA] display stp brief
 MSTID  Port            Role  STP State   Protection
 0      Ethernet2/0/0   DESI  FORWARDING  ROOT
 0      Ethernet2/0/1   DESI  FORWARDING  ROOT
 1      Ethernet2/0/0   DESI  FORWARDING  ROOT
 1      Ethernet2/0/1   DESI  FORWARDING  ROOT
 2      Ethernet2/0/0   DESI  FORWARDING  ROOT
 2      Ethernet2/0/1   DESI  FORWARDING  ROOT
# In MSTI1, after RouterA is configured as a root bridge, RouterA Eth2/0/0 and Eth2/0/1 are
elected as designated ports during spanning tree calculation. In MSTI2, after RouterA is
configured as a root bridge, RouterA Eth2/0/0 and Eth2/0/1 are elected as designated ports
during spanning tree calculation.
# Verify the interface status and protection type on SwitchA. In MSTI1, interface Eth0/0/1 is
elected as root port, interfaces Eth0/0/2 and Eth0/0/3 are elected as designated ports. In
MSTI2, interface Eth0/0/1 is elected as root port, interfaces Eth0/0/2 and Eth0/0/3 are elected
as designated ports.
# Verify the interface status and protection type on SwitchB. In MSTI1, interface Eth0/0/1 is
elected as root port, interfaces Eth0/0/2 and Eth0/0/3 are elected as designated ports. In
MSTI2, interface Eth0/0/1 is elected as root port, interfaces Eth0/0/2 and Eth0/0/3 are elected
as designated ports.
# Verify the interface status and protection type on SwitchC. In MSTI1, interface Eth0/0/1 is
elected as root port, interface Eth0/0/4 is blocked. In MSTI2, interface Eth0/0/1 is elected as
root port, interface Eth0/0/4 is elected as designated port.
# Verify the interface status and protection type on SwitchD. In MSTI1, interface Eth0/0/1 is
elected as root port, interface Eth0/0/4 is elected as designated port. In MSTI2, interface
Eth0/0/1 is elected as root port, interface Eth0/0/4 is blocked.
----End
Configuration Files
l Configuration file of RouterA
#
sysname RouterA
#
vlan batch 2 to 20
#
stp instance 1 root primary
stp instance 2 root primary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
return
interface Ethernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
return
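One way to check saved configuration files for the STP protection settings this chapter describes, shown as an added example that is not part of the Huawei manual. Assumptions: `stp edged-port enable` (the VRP interface command that marks an edge port) does not appear on this page, and the `MISCONFIGURED` sample, the function names, and the finding names are constructed for illustration.

```python
import re

# RouterA configuration file as given on this page.
ROUTER_A = """\
#
sysname RouterA
#
vlan batch 2 to 20
#
stp instance 1 root primary
stp instance 2 root primary
stp pathcost-standard legacy
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2 to 10
 instance 2 vlan 11 to 20
 active region-configuration
#
interface Ethernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 2 to 20
 stp root-protection
#
interface Ethernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 20
 stp root-protection
#
return
"""

# Constructed sample with three deliberate mistakes (not from the manual).
MISCONFIGURED = """\
#
sysname SwitchX
#
stp instance 1 root primary
#
interface Ethernet0/0/1
 port link-type trunk
 stp root-protection
 stp loop-protection
#
interface Ethernet0/0/2
 port link-type trunk
#
interface Ethernet0/0/3
 stp edged-port enable
#
return
"""


def parse_config(text):
    """Split a configuration file into global commands and per-interface commands."""
    global_cmds, interfaces = [], {}
    current = None                       # interface block being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "return":
            continue
        if line == "#":                  # '#' separates configuration blocks
            current = None
            continue
        match = re.match(r"interface\s+(\S+)$", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_cmds.append(line)
    return global_cmds, interfaces


def audit(text):
    """Return (interface, finding) pairs for the protection rules in this chapter."""
    global_cmds, interfaces = parse_config(text)
    is_root = any(re.fullmatch(r"stp (instance \d+ )?root primary", c)
                  for c in global_cmds)
    bpdu_protection = "stp bpdu-protection" in global_cmds   # off by default
    findings = []
    for name, cmds in interfaces.items():
        root_p = "stp root-protection" in cmds
        loop_p = "stp loop-protection" in cmds
        # Root protection and loop protection cannot be configured simultaneously.
        if root_p and loop_p:
            findings.append((name, "root-and-loop-protection"))
        # Ports of a root bridge should preserve the designated role.
        if is_root and "port link-type trunk" in cmds and not root_p:
            findings.append((name, "root-bridge-port-without-root-protection"))
        # Edge ports are only shut down on BPDU receipt if BPDU protection is on.
        if "stp edged-port enable" in cmds and not bpdu_protection:
            findings.append((name, "edge-port-without-bpdu-protection"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(MISCONFIGURED):
        print(f"{name}: {finding}")
```

The RouterA file from this page passes all three checks; the constructed file yields one finding per interface.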
l Learning: This is a transitional status. In the learning state, switches set up media access
control (MAC) address tables based on the received user traffic. A switch in the learning
state, however, does not forward user traffic.
l Discarding: In the discarding state, interfaces block packets, and do not learn MAC
addresses.
13 SEP Configuration
This chapter describes how to configure Smart Ethernet Protection (SEP). SEP is a ring
network protocol specially used for the Ethernet link layer. It blocks redundant links to
prevent logical loops on a ring network.
13.1 Overview of SEP
13.2 Understanding SEP
13.3 Application Scenarios for SEP
13.4 Summary of SEP Configuration Tasks
13.5 Licensing Requirements and Limitations for SEP
13.6 Configuring Basic SEP Functions
When there is no faulty link on a ring network running SEP, SEP can eliminate loops on the
Ethernet. When a link fault occurs on the ring network, SEP can immediately restore the
communication between the nodes on the network.
13.7 Specifying an Interface to Block
By default, the blocked interface is one of the two interfaces that complete neighbor
negotiations last. The negotiated blocked interface, however, may not be the
expected one. You can configure a blocked interface to suit your needs.
13.8 Configuring SEP Multi-Instance
13.9 Configuring the Topology Change Notification Function
The topology change notification function is configured on the device that connects a lower-
layer network to an upper-layer network. This function enables the device to notify the peer
device of topology changes in the lower-layer and upper-layer networks. All the devices on
the network where the peer device resides then delete original MAC addresses and ARP
entries and learn new MAC addresses to ensure uninterrupted traffic forwarding.
13.10 Maintaining SEP
13.11 Configuration Examples for SEP
Definition
The Smart Ethernet Protection (SEP) protocol is a ring network protocol specially used for the
Ethernet link layer. A SEP segment consists of interconnected Layer 2 switching devices
configured with the same SEP segment ID and control VLAN ID. A SEP segment is the basic
unit for SEP.
Purpose
Generally, redundant links are used on an Ethernet switching network to provide link backup
and enhance network reliability. The use of redundant links, however, may produce loops,
causing broadcast storms and rendering the MAC address table unstable. As a result,
communication quality deteriorates, and services may even be interrupted. To solve the loop
problem, Huawei datacom devices support the following ring network protocols:
l STP/RSTP/MSTP
STP, RSTP, and MSTP are standard protocols for breaking loops on Ethernet networks.
They are mature and widely used. Huawei devices running STP, RSTP, or MSTP can
communicate with non-Huawei devices. Networks running these protocols converge
slowly (in seconds), failing to meet transmission requirements of some real-time
services. The convergence time is affected by the network topology.
Huawei developed SEP to overcome the disadvantages of the preceding ring network
protocols. SEP has the following advantages:
l Applies to diverse complex networks and supports all topologies and network topology
query. For example, a network running SEP can connect to a network running STP,
RSTP, or MSTP.
Network topology display helps locate blocked interfaces quickly. When a fault occurs,
SEP can quickly locate the fault, improving network maintainability.
l Allows selective interface blocking, which effectively implements traffic load
balancing.
l Prevents traffic from being switched back after link recovery, which improves network
stability.
Figure 13-1 shows a typical SEP application. CE1 is connected to Network Provider Edges
(NPEs) through a semi-ring formed by Routers. A VRRP group is deployed on the NPEs.
Initially, NPE1 serves as the master and NPE2 as backup to NPE1. When the link between
NPE1 and Router5 or a node on the link becomes faulty, NPE1 becomes the backup to NPE2,
which then becomes the master. The following situations occur depending on whether SEP is
deployed. The following assumes that the link between Router1 and Router5 becomes faulty.
l If SEP is not deployed on the semi-ring, CE1 traffic is still transmitted along the original
path, but NPE1 does not forward traffic, causing traffic interruption.
l If SEP is deployed on the semi-ring, the blocked interface on Router5 is unblocked,
enters the Forwarding state, and sends link state advertisements (LSAs) to instruct other
nodes on the SEP segment to update their LSA databases. Then CE1 traffic is
transmitted along backup link Router5->Router2->Router4->NPE2, ensuring
uninterrupted traffic transmission.
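[Figure 13-1: typical SEP application. CE1 connects through a semi-ring of Routers (Router1, Router3, Router5) to NPE1 and NPE2, which run VRRP with peer BFD (master and backup) toward the IP/MPLS core.]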
In common SEP networking, a physical ring can be configured with only one SEP segment in
which only one interface can be blocked. If an interface in a complete SEP segment is
blocked, all service data is transmitted only along the path where the primary edge interface is
located. The path where the secondary edge interface is located remains idle, wasting
bandwidth.
SEP multi-instance is used to improve bandwidth efficiency and implement traffic load
balancing. SEP multi-instance allows two SEP segments to be configured on a physical ring.
Each SEP segment independently detects the completeness of the physical ring, and blocks or
unblocks interfaces without affecting the other.
For details about SEP multi-instance, see 13.2.3 SEP Implementation Mechanisms.
Figure 13-2 shows the typical networking of an open ring running SEP. The following
describes the basic concepts of SEP.
[Figure 13-2: networking of an open ring running SEP. Two panels, each showing a SEP segment between the network and a CE. Legend: no-neighbor primary edge port, no-neighbor secondary edge port, primary edge port, secondary edge port, block port.]
l SEP segment
A SEP segment consists of interconnected Layer 2 switching devices configured with the
same SEP segment ID and control VLAN ID. A SEP segment is the basic unit for SEP.
A SEP segment is a ring or linear Ethernet topology. Each SEP segment has a control
VLAN, edge interfaces, and common interfaces.
l Control VLAN
In a SEP segment, the control VLAN is used to transmit only SEP packets.
Each SEP segment must have a control VLAN. After an interface is added to a SEP
segment that has a control VLAN, the interface is automatically added to the control
VLAN.
Different SEP segments can use the same control VLAN.
Different from a control VLAN, a data VLAN is used to transmit data packets.
l Node
Each Layer 2 switching device in a SEP segment is a node. Each node can have at most
two interfaces added to the same SEP segment.
l Interface role
As defined in SEP, there are two interface roles: common interfaces and edge interfaces.
As shown in Table 13-1, edge interfaces are further classified into primary edge
interfaces, secondary edge interfaces, no-neighbor primary edge interfaces, and no-
neighbor secondary edge interfaces.
NOTE
Normally, edge interfaces and no-neighbor edge interfaces belong to different SEP segments.
Edge interface, primary edge interface: A SEP segment has only one primary edge
interface, which is determined by the configuration and election. The primary edge
interface initiates blocked interface preemption, terminates packets, and sends topology
change notification messages to other networks.
l Blocked interface
In a SEP segment, some interfaces are blocked to prevent loops.
Any interface in a SEP segment may be blocked if no interface is specified for blocking.
A complete SEP segment has only one blocked interface.
l Status of a SEP interface
In a SEP segment, a SEP interface has two working states: Forwarding and Discarding,
as shown in Table 13-2.
Forwarding: The interface can forward user traffic, and receive and send SEP packets.
Discarding: The interface can receive and send SEP packets but cannot forward user
traffic.
SEP Packet
Table 13-3 shows the types of SEP packets.
LSA (LSA request packet, LSA ACK packet): After an interface has SEP enabled, the
interface periodically sends LSAs to its neighbor. After the state machine of the neighbor
goes Up, the two interfaces update their LSA databases, that is, all topology information.
Neighbor negotiations provide information required to obtain the SEP segment topology.
Interfaces establish neighbor relationships through neighbor negotiations, forming a complete
SEP segment. Therefore, the SEP segment topology can be obtained.
the other devices. After receiving LSA request packets from the device, neighboring
interfaces reply with LSA ACK packets that contain the latest link state information.
l SEP segment topology display
The topology display function allows you to view the topology with the highest network
connectivity on any device in a SEP segment. Link state synchronization ensures that all
devices in a SEP segment display the same topology.
Table 13-4 shows the types of SEP segment topologies.
Linear topology: All topologies except ring topologies are linear topologies.
For interfaces at both ends of a link:
l If one interface functions as the primary edge interface, the primary edge interface is
listed first in the topology information displayed on each interface.
l If the primary edge interface is not elected but the secondary edge interface is elected,
the secondary edge interface is listed first in the topology information displayed on each
interface.
NOTE
The constraints listed in Table 13-4 ensure that each node in a ring or linear topology displays the
same topology information.
NOTE
If only one interface on a node has SEP enabled, you must set the role of the interface to edge so that the
interface can function as an edge interface.
As shown in Figure 13-3, if there is no faulty link on the network and SEP is enabled on the
interfaces, the following situations occur:
l Common interfaces do not participate in primary edge interface election. Only P1 on
Router1 and P1 on Router5 participate in primary edge interface election.
l If P1 on Router1 and P1 on Router5 have the same role, P1 with a higher MAC address
is elected as the primary edge interface.
After the primary edge interface is selected, it periodically sends primary edge interface
election packets without waiting for the success of neighbor negotiations. A primary edge
interface election packet contains the interface role (primary edge interface, secondary edge
interface, or common interface), bridge MAC address of the interface, interface ID, and
integrity of the topology database.
[Figure 13-3: two panels, each showing a SEP segment attached to the network through P1 on Router1 and P1 on Router5.]
As shown in Figure 13-3, if a link fault occurs in the SEP segment, P1 on Router1 and P1 on
Router5 receive fault notification packets or P1 on LSW5 does not receive primary edge
interface election packets within a specified period. Then P1 on Router1 becomes the
secondary edge interface. Consequently, two secondary edge interfaces exist in the SEP
segment and periodically send primary edge interface election packets.
When all link faults in the SEP segment are rectified, the two secondary edge interfaces can
receive primary edge interface election packets and elect a new primary edge interface within
a configured interval (1s by default).
Specify a blocked interface based on the configured hop count: SEP sets the hop count of
the primary edge interface to 1 and the hop count of the neighboring interface of the
primary interface to 2. Hop counts of other interfaces increase by steps of 1 in the
downstream direction of the primary edge interface.
l Preemption
After the interface blocking mode is specified, whether a specified interface will be
blocked is determined by the preemption mode. Table 13-6 lists the preemption modes.
Non-preemption mode: When all link faults are rectified or the last two interfaces enabled
with SEP complete neighbor negotiations, interfaces send blocking status packets to each
other. The interface with the highest priority is then blocked, and the other interfaces
enter the Forwarding state.
An interface fault occurs: Figure 13-4 shows an interface fault in a SEP segment. An
interface fault can be a link fault or neighboring interface fault. If a device having an
interface in Forwarding state in the SEP segment receives a fault advertisement packet, the
device needs to send a Flush-Forwarding Database (Flush-FDB) packet through the interface
to notify other nodes in the SEP segment that there is a change in topology.
The fault is rectified and the preemption function takes effect: After faults occur in the
SEP segment and the last faulty interface recovers, the blocked interface is preempted and
the topology is considered changed. Preemption is triggered by the primary edge interface.
When an interface in a SEP segment receives a preemption packet from the primary edge
interface, the interface needs to send Flush-FDB packets to notify other nodes in the SEP
segment that there is a change in topology.
[Figure: networking diagram with SEP Segment1 and SEP Segment3 below the network, routers including Router1, Router3 to Router10, and Router13, and a failed link. Legend: block port, primary edge port, forwarding database, topology change.]
NOTE
The topology change notification function is configured on devices that connect an upper-layer network
and a lower-layer network. If the topology of one network changes, devices affected inform the other
network of the change.
Table 13-8 lists the scenarios in which topology changes are reported.
[Figure: networking diagram of Router1 to Router10 forming SEP Segment 1, SEP Segment 2, and SEP Segment 3.]
Sending a large number of TC notification packets reduces the CPU capability to quickly
process other types of packets. In addition, devices in SEP segments frequently update MAC
address entries, heavily consuming bandwidth resources. To solve such problems, the
following measures can be taken to suppress TC notification packets:
l Configure a device to process only one of the TC notification packets carrying the same
source address.
l Configure a device to process a specified number of TC notification packets within a
specified period. By default, three TC notification packets with different source
addresses are processed in 2s.
l Avoid the networking scenario having more than three SEP ring networks.
SEP Multi-Instance
In common SEP networking shown in Figure 13-6, a physical ring network can be configured
with only one SEP segment in which only one interface can be blocked.
If an interface in a complete SEP segment is blocked, all service data is transmitted only along
the path where the primary edge interface is located. The path where the secondary edge
interface is located remains idle, wasting bandwidth.
[Figure 13-6: common SEP networking. Router1 to Router4 form SEP Segment1; VLAN 100~200 (CE1) and VLAN 201~400 (CE2). Legend: primary edge port, secondary edge port, block port.]
SEP multi-instance allows two SEP segments to be configured on a physical ring. Each SEP
segment independently detects the completeness of the physical ring, and blocks or unblocks
interfaces without affecting the other.
A physical ring may contain one or two SEP segments. Each SEP segment needs to be
configured with a protected instance, each protected instance indicating a VLAN range. The
topology calculated by a SEP segment is only valid for that SEP segment.
After different protected instances are configured for SEP segments and the mapping between
protected instances and VLANs is set, a blocked interface is only valid for the VLANs
protected by the SEP segment where the blocked interface resides. Data traffic for different
VLANs can be transmitted along different paths. This implements traffic load balancing and
link backup.
[Figure 13-7: SEP multi-instance ring network. Router1 to Router4 form SEP Segment1 and SEP Segment2, with interfaces P1 and P2. Instance1: VLAN 100~200 (CE1); Instance2: VLAN 201~400 (CE2). Legend: primary edge port, secondary edge port, block port.]
As shown in Figure 13-7, the SEP multi-instance ring network that consists of Router1 to
Router4 has two SEP segments. P1 is the blocked interface in SEP segment 1, and P2 is the
blocked interface in SEP segment 2.
l Protected instance 1 is configured in SEP segment 1 to protect the data from VLAN 100
to VLAN 200. The data is transmitted along path Router1->Router2. As the blocked
interface in SEP segment 2, P2 blocks only the data from VLAN 201 to VLAN 400.
l Protected instance 2 is configured in SEP segment 2 to protect the data from VLAN 201
to VLAN 400. The data is transmitted along path Router3->Router4. As the blocked
interface in SEP segment 1, P1 blocks only the data from VLAN 100 to VLAN 200.
When a node fault or link fault occurs, each SEP segment calculates its own topology
independently, and the nodes in each SEP segment update their own LSA databases.
As shown in Figure 13-8, a fault occurs on the link between LSW3 and LSW4. The link fault
does not affect the transmission path for the data from VLAN 100 to VLAN 200 in SEP
segment 1, but blocks the transmission path for the data from VLAN 201 to VLAN 400 in
SEP segment 2.
Figure 13-8 Networking diagram for a link fault on a SEP multi-instance network
[Figure: LSW2, LSW4, Router1, and Router3 with SEP Segment1 and SEP Segment2 and interfaces P1 and P2. Instance1: VLAN 100~200 (CE1); Instance2: VLAN 201~400 (CE2). Legend: primary edge port, secondary edge port, block port.]
After the link between Router3 and Router4 becomes faulty, Router3 starts to send LSAs to
instruct the other devices in SEP segment 2 to update their LSA databases, and the blocked
interface enters the Forwarding state. After the topology of SEP segment 2 is recalculated, the
data from VLAN 201 to VLAN 400 is transmitted along path Router3->Router1->Router2.
After the link between Router3 and Router4 recovers, the devices in SEP segment 2 perform
delayed preemption. After the preemption delay expires, P1 becomes the blocked interface
again, and sends LSAs to instruct the other devices in SEP segment 2 to update their LSA
databases. After the topology of SEP segment 2 is recalculated, the data from VLAN 201 to
VLAN 400 is transmitted along path Router3->Router4.
[Figures: five SEP networking diagrams. Recoverable labels: (1) Router1 to Router5 forming a SEP segment between the network and a CE; (2) Router1 to Router5 forming a SEP segment; (3) Router1 to Router14 forming SEP Segment 1 to SEP Segment 5, with block ports; (4) Router1 to Router3 forming a SEP segment below PE1 to PE4 running MSTP, with no-neighbor primary and secondary edge ports and a block port; (5) Router1 to Router4 forming SEP Segment1 and SEP Segment2 with interfaces P1 and P2, Instance1: VLAN 100~200 (CE1) and Instance2: VLAN 201~400 (CE2).]
Configuring Basic SEP Functions (see 13.6 Configuring Basic SEP Functions): After basic
SEP functions are configured on devices, the devices start SEP negotiation. One of the two
interfaces that complete neighbor negotiations last is blocked to eliminate redundant links.
NOTE
When logging in to nodes on a SEP semi-ring through Telnet to configure the nodes, note
the following points:
l Basic SEP functions need to be configured from the node at one end of the semi-ring to
the node at the other end of the semi-ring.
Licensing Requirements
SEP is a basic feature of a router and is not under license control.
Feature Limitations
When deploying SEP on the router, pay attention to the following:
The AR100-S, AR110-S, AR120-S, AR160-S series, and AR151-S2 do not support SEP.
Pre-configuration Tasks
Before configuring basic SEP functions, complete the following tasks:
Context
A SEP segment is the basic unit for SEP. A SEP segment consists of interconnected Layer 2
switching devices configured with the same SEP segment ID and control VLAN ID.
Procedure
Step 1 Run system-view
A SEP segment is created and the view of the SEP segment is displayed.
----End
Context
In a SEP segment, a control VLAN is used to transmit SEP packets but not service packets,
enhancing SEP security. Each SEP segment must be configured with a control VLAN. After
being added to a SEP segment configured with a control VLAN, an interface is added to the
control VLAN automatically.
NOTE
On a SEP network that has no-neighbor edge interfaces, a device that is not in a SEP segment cannot be
added to the control VLAN of the SEP segment. Otherwise, a loop will occur on the network.
Procedure
Step 1 Run system-view
A SEP segment is created and the view of the SEP segment is displayed.
A control VLAN is configured for the SEP segment to transmit SEP packets.
The control VLAN must be a VLAN that has not been created and is not used by VLAN mapping
or VLAN stacking. Additionally, no interface may have been added to the control VLAN in
trunk, access, hybrid, or qinq mode.
----End
Context
Interfaces can be added to a SEP segment only after the SEP segment is configured with
protected instances.
Procedure
Step 1 Run system-view
A SEP segment is created and the view of the SEP segment is displayed.
----End
Context
To ensure that SEP packets are forwarded correctly in a SEP segment, add Layer 2 interfaces
to the SEP segment and configure different roles for the interfaces.
After an interface is added to a SEP segment, the interface sets its interface role to the primary
edge interface if the interface has the right to participate in primary edge interface election.
Then, the interface periodically sends a primary edge interface election packet without
waiting for the success of neighbor negotiations.
A primary edge interface election packet contains the interface role (primary edge interface,
secondary edge interface, or common interface), bridge MAC address of the interface,
interface ID, and integrity of the topology database.
Edge interface: Primary edge interface
A SEP segment has only one primary edge interface, which is determined by the configuration
and election.
Open-ring networking; Closed-ring networking; Multi-ring networking
NOTE
• Normally, edge interfaces and no-neighbor edge interfaces belong to different SEP segments.
• Before adding a Layer 2 interface to a SEP segment, ensure that STP has been disabled on the
interface (except that the interface is a no-neighbor edge interface).
Procedure
Step 1 Run system-view
The Ethernet interface is added to a specified SEP segment and a role is configured for the
interface.
----End
Procedure
• Run the display sep segment { segment-id | all } command to check the configurations
of SEP segments.
• Run the display sep interface [ interface-type interface-number | segment segment-id ]
[ verbose ] command to check information about interfaces that are added to a specified
SEP segment.
• Run the display sep topology [ segment segment-id ] [ verbose ] command to check the
topology status of a specified SEP segment.
----End
Specify the interface in the middle of a SEP segment as the blocked interface.
This mode applies to a network where traffic is symmetrically distributed. After fault
recovery, the interface in the middle of a SEP segment becomes the blocked interface.
Perform the following operations on the device where the primary edge interface or no-
neighbor primary edge interface is located:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run sep segment segment-id
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run block port { optimal | middle | hop hop-id | sysname sysname interface { interface-
type interface-number | interface-name } }
An interface blocking mode is set.
By default, one of the interfaces at two ends of the link that is set up last or recovers from a
fault last is blocked.
----End
Follow-up Procedure
If the interface with the highest priority is specified as the interface to block, run the
sep segment segment-id priority priority command in the view of the interface to be blocked
to increase its priority. When a fault is rectified, the specified interface is blocked.
The default priority of an interface added to a SEP segment is 64. The priority value of an
interface is an integer that ranges from 1 to 128. A larger priority value indicates a higher
priority.
Preemption mode: Delayed preemption
Each time a fault is rectified, the system automatically completes preemption and ensures
that the specified interface is blocked.
• The delayed preemption mode needs to be specified in advance. There is no default delay in
preemption, and the delay time needs to be configured using a command.
• After delayed preemption is configured successfully, a fault needs to be simulated to ensure
that the specified interface is blocked.
Perform the following operations on the Layer 2 switching device where the primary edge
interface or no-neighbor primary edge interface resides.
Procedure
Step 1 Run system-view
A SEP segment is created and the view of the SEP segment is displayed.
By default, no preemption mode is configured on the primary edge interface, that is, the non-
preemption mode is used.
----End
[Figure omitted: networking diagram. Labels recovered: IP/MPLS Core; Core layer with NPE1 and
NPE2 (VRRP+peer BFD; group 1 and group 2, Master and Backup); Aggregation layer with Router2
and Router4; SEP Segment1 and SEP Segment2; P1, P2; CE1, CE2. Legend: Primary Edge Port,
Secondary Edge Port, Block Port.]
SEP multi-instance is used to improve bandwidth efficiency and implement traffic load
balancing and link backup. As shown in Figure 13-14, multiple instances are deployed in the
SEP segment, and protected instances are mapped to different VLANs. Data traffic for
different VLANs can then be transmitted along different paths.
NOTE
Currently, SEP multi-instance allows two SEP segments to be configured on a physical ring. Different
blocked interfaces and priorities need to be configured for the two SEP segments.
Pre-configuration Tasks
Before configuring SEP multi-instance, complete the following tasks:
• Configuring basic SEP functions
• Specifying an interface to block
Procedure
Step 1 Run system-view
The value of instance-id specified in this command must be the same as that of instance-id
specified in the protected-instance command.
Before you switch a VLAN from one SEP segment to another segment, shut down the
blocked port. If you do not shut down the blocked port, a routing loop may occur after the
VLAN switchover.
After mappings between protected instances and VLANs take effect, topology changes of a
SEP segment affect only corresponding VLANs. This ensures reliable service data
transmission.
----End
Context
SEP runs on devices at the access layer. The topology change notification function enables
devices to detect topology changes on the upper and lower-layer networks.
If the upper-layer network fails to be notified of the topology change in a SEP segment, the
MAC address entries remain unchanged on the upper layer network and user traffic may be
interrupted. To ensure uninterrupted traffic forwarding, configure devices on the lower-layer
network to report topology changes to the upper-layer network and specify the devices on the
upper-layer network that will be notified of topology changes.
NOTE
Currently, topology changes in a SEP segment can be reported to other SEP segments and STP networks.
After receiving a topology change notification from a lower-layer network, a device on the
upper-layer network sends TC packets to instruct other devices on the upper-layer network to
clear original MAC addresses and learn new MAC addresses after the topology of the lower-
layer network changes. This ensures uninterrupted traffic forwarding.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run sep segment segment-id
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run tc-notify { segment { segment-id1 [ to segment-id2 ] } &<1-10> | stp }
The topology change of the specified SEP segment is reported to another SEP segment or a
network running other ring protocols such as STP or RRPP.
By default, the topology change of a SEP segment is not reported.
----End
Follow-up Procedure
In the networking scenario where three or more SEP ring networks exist, when a topology
change notification is sent through multiple links, the upper-layer network will receive it
multiple times. This reduces packet processing efficiency on the upper-layer network.
Therefore, topology change notifications need to be suppressed. Suppressing topology change
notifications frees the upper-layer network from processing multiple duplicate packets and
protects the devices in the SEP segment against topology change notification attacks.
Run the tc-protection interval interval-value command in the SEP segment view to set the
interval for suppressing topology change notifications.
By default, the interval for suppressing topology change notifications is 2s, and three
topology change notifications with different source addresses are processed within 2s.
NOTE
• In the networking scenario where three or more SEP ring networks exist, the tc-protection interval
interval-value command must be run. If this command is not run, the default interval for suppressing
topology change notifications is used.
• A longer interval ensures stable SEP operation but reduces convergence performance.
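The effect of the suppression interval described above, as an added model that is not part of the original manual and is not the device's implementation. It assumes fixed windows that open at the first notification, uses the default values stated above (2 s, three distinct source addresses), and the class and function names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class TcSuppressor:
    """Assumed model: fixed windows, at most max_sources distinct sources each."""
    interval_ms: int = 2000   # default stated in the text: 2 s
    max_sources: int = 3      # default stated in the text: three source addresses
    _start: int = field(default=None, init=False)
    _seen: set = field(default_factory=set, init=False)

    def offer(self, t_ms, src):
        """Return True if the notification is processed, False if suppressed."""
        if self._start is None or t_ms - self._start >= self.interval_ms:
            self._start, self._seen = t_ms, set()   # open a new window
        if src in self._seen or len(self._seen) >= self.max_sources:
            return False    # duplicate source, or quota for this window used up
        self._seen.add(src)
        return True


def replay(events, interval_ms=2000):
    """Feed time-ordered (time_ms, source) events through a fresh suppressor."""
    suppressor = TcSuppressor(interval_ms=interval_ms)
    return [(t, src) for t, src in events if suppressor.offer(t, src)]


# Constructed trace (not captured traffic): one topology change reported over
# three links, a burst from 40 distinct sources, then two later notifications
# from a second edge device.
EVENTS = (
    [(0, "edge-A"), (5, "edge-A"), (9, "edge-A")]
    + [(100 + 10 * i, f"src-{i:02d}") for i in range(40)]
    + [(1500, "edge-B"), (2100, "edge-B")]
)

if __name__ == "__main__":
    for interval in (2000, 5000):
        processed = replay(EVENTS, interval)
        print(f"interval={interval} ms: {len(processed)} of {len(EVENTS)} processed")
        for t, src in processed:
            print(f"  t={t:>4} ms  {src}")
```

In this model the burst costs the upper-layer network at most three MAC table flushes per window, and the notification from edge-B at 1500 ms is held back until the next window opens, which is the convergence cost the NOTE attributes to a longer interval.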
Context
SEP statistics cannot be restored after being cleared. Therefore, exercise caution when you
run reset commands.
Procedure
Step 1 Run the reset sep interface interface-type interface-number statistics command in the user
view to clear SEP packet statistics on a specified interface in a SEP segment.
----End
Networking Requirements
Generally, redundant links are used to connect an Ethernet switching network to an upper-
layer network to provide link backup and enhance network reliability. The use of redundant
links, however, may produce loops, causing broadcast storms and rendering the MAC address
table unstable. As a result, communication quality deteriorates, and services may even be
interrupted. SEP can be deployed on the ring network to eliminate loops and restore
communication if a link fault occurs.
In the closed ring networking, CE1 is dual-homed to a Layer 2 network through multiple
Layer 2 switching devices. The two edge devices connected to the upper-layer Layer 2
network are directly connected to each other. The closed ring network is deployed at the
aggregation layer to transparently transmit Layer 2 unicast and multicast packets. SEP runs at
the aggregation layer to implement link redundancy.
As shown in Figure 13-15, Layer 2 switching devices Router1 to Router5 form a ring
network.
SEP runs at the aggregation layer.
• When there is no faulty link on a ring network, SEP can eliminate loops on the network.
• When a link fails on the ring network, SEP can rapidly restore communication between
nodes on the network.
[Figure omitted: networking diagram. Labels recovered: SEP Segment1; Router2, Router3,
Router4; interfaces GE7/0/1, GE7/0/2, GE7/0/3; Access layer.]
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 on Router1 to Router5 and configure VLAN 10 as the control
VLAN of SEP segment 1.
# Configure Router1.
<Huawei> system-view
[Huawei] sysname Router1
[Router1] sep segment 1
[Router1-sep-segment1] control-vlan 10
[Router1-sep-segment1] protected-instance all
[Router1-sep-segment1] quit
# Configure Router2.
<Huawei> system-view
[Huawei] sysname Router2
[Router2] sep segment 1
[Router2-sep-segment1] control-vlan 10
[Router2-sep-segment1] protected-instance all
[Router2-sep-segment1] quit
# Configure Router3.
<Huawei> system-view
[Huawei] sysname Router3
[Router3] sep segment 1
[Router3-sep-segment1] control-vlan 10
[Router3-sep-segment1] protected-instance all
[Router3-sep-segment1] quit
# Configure Router4.
<Huawei> system-view
[Huawei] sysname Router4
[Router4] sep segment 1
[Router4-sep-segment1] control-vlan 10
[Router4-sep-segment1] protected-instance all
[Router4-sep-segment1] quit
# Configure Router5.
<Huawei> system-view
[Huawei] sysname Router5
[Router5] sep segment 1
[Router5-sep-segment1] control-vlan 10
[Router5-sep-segment1] protected-instance all
[Router5-sep-segment1] quit
NOTE
– The control VLAN must be a VLAN that has not been created or used, but the configuration
file automatically displays the command for creating the VLAN.
– Each SEP segment must be configured with a control VLAN. After an interface is added to the
SEP segment configured with a control VLAN, the interface is automatically added to the
control VLAN.
2. Add all devices on the ring to SEP segment 1 and configure interface roles on the
devices.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment,
disable STP on the interface.
# On Router1, configure GE7/0/1 as the primary edge interface and GE7/0/3 as the
secondary edge interface.
[Router1] interface gigabitethernet 7/0/1
[Router1-GigabitEthernet7/0/1] stp disable
[Router1-GigabitEthernet7/0/1] sep segment 1 edge primary
[Router1-GigabitEthernet7/0/1] quit
[Router1] interface gigabitethernet 7/0/3
[Router1-GigabitEthernet7/0/3] stp disable
[Router1-GigabitEthernet7/0/3] sep segment 1 edge secondary
[Router1-GigabitEthernet7/0/3] quit
# Configure Router2.
[Router2] interface gigabitethernet 7/0/1
[Router2-GigabitEthernet7/0/1] stp disable
# Configure Router3.
[Router3] interface gigabitethernet 7/0/1
[Router3-GigabitEthernet7/0/1] stp disable
[Router3-GigabitEthernet7/0/1] sep segment 1
[Router3-GigabitEthernet7/0/1] quit
[Router3] interface gigabitethernet 7/0/2
[Router3-GigabitEthernet7/0/2] stp disable
[Router3-GigabitEthernet7/0/2] sep segment 1
[Router3-GigabitEthernet7/0/2] quit
# Configure Router4.
[Router4] interface gigabitethernet 7/0/1
[Router4-GigabitEthernet7/0/1] stp disable
[Router4-GigabitEthernet7/0/1] sep segment 1
[Router4-GigabitEthernet7/0/1] quit
[Router4] interface gigabitethernet 7/0/2
[Router4-GigabitEthernet7/0/2] stp disable
[Router4-GigabitEthernet7/0/2] sep segment 1
[Router4-GigabitEthernet7/0/2] quit
# Configure Router5.
[Router5] interface gigabitethernet 7/0/1
[Router5-GigabitEthernet7/0/1] stp disable
[Router5-GigabitEthernet7/0/1] sep segment 1
[Router5-GigabitEthernet7/0/1] quit
[Router5] interface gigabitethernet 7/0/3
[Router5-GigabitEthernet7/0/3] stp disable
[Router5-GigabitEthernet7/0/3] sep segment 1
[Router5-GigabitEthernet7/0/3] quit
NOTE
– You must set the preemption delay when delayed preemption is used because there is no
default delay time.
– When the last faulty interface recovers, edge interfaces do not receive any fault notification
packet. If the primary edge interface does not receive any fault notification packet, it starts the
delay timer. When the delay timer expires, nodes in the SEP segment start blocked interface
preemption.
To implement delayed preemption in this example, simulate a port fault and then rectify the
fault. For example:
Run the shutdown command on GE7/0/1 of Router2 to simulate an interface fault, and then
run the undo shutdown command on GE7/0/2 to rectify the fault.
Step 2 Configure the Layer 2 forwarding function on CE1 and Router1 to Router5.
For details about the configuration, see the configuration files.
Step 3 Verify the configuration.
# Run the shutdown command on GE7/0/1 of Router3 to simulate an interface fault, and then
run the display sep interface command on Router3 to check whether GE7/0/2 of Router3 has
switched from the Discarding state to the Forwarding state.
<Router3> display sep interface gigabitethernet 7/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE7/0/2 common up forwarding
----End
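The rules this chapter states for SEP (a control VLAN and protected instances per segment, STP disabled on member interfaces other than no-neighbor edge interfaces, interface priority from 1 to 128, and topology change suppression) can be checked offline against saved configuration files. The following is an added example, not part of the original manual and not a Huawei tool; the rule names, the function names and the sample configuration are hypothetical, and the check for a control VLAN on a port outside any SEP segment is an assumption derived from the statement that the control VLAN carries SEP packets only.

```python
import re

# Constructed sample in the "#"-delimited layout of this chapter's configuration
# files, with defects introduced on purpose (not taken from a real device).
SAMPLE_CONFIG = """\
sep segment 1
 control-vlan 10
 protected-instance 0 to 4094
#
sep segment 2
 tc-notify segment 1
 protected-instance 0 to 4094
#
interface GigabitEthernet7/0/1
 sep segment 1
#
interface GigabitEthernet7/0/2
 port hybrid tagged vlan 10 100
 stp disable
 sep segment 1
 sep segment 1 priority 200
#
interface GigabitEthernet7/0/3
 port hybrid tagged vlan 10 100
#
interface GigabitEthernet7/0/4
 sep segment 1 edge no-neighbor primary
#
interface GigabitEthernet7/0/5
 stp disable
 sep segment 3
#
return
"""

SEG_HDR = re.compile(r"^sep segment (\d+)$")
IF_HDR = re.compile(r"^interface (\S+)$")
IF_PRIO = re.compile(r"^sep segment (\d+) priority (\d+)$")
IF_SEP = re.compile(r"^sep segment (\d+)(?: edge (no-neighbor )?(?:primary|secondary))?$")
VLAN_LINE = re.compile(r"^port .*\bvlan (.+)$")

def parse_sections(text):
    """Split a configuration into sections; '#' and 'return' lines delimit them."""
    sections = []
    for chunk in re.split(r"(?m)^[ \t]*(?:#|return)[ \t]*$", text):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            sections.append(lines)
    return sections

def vlan_ids(spec):
    """Expand '10 100' or '10 to 20 100' into a set of VLAN IDs."""
    ids = set()
    for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", spec):
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit(text):
    """Return sorted (rule, subject) findings for one device configuration."""
    segments, interfaces, findings = {}, {}, set()
    for head, *body in parse_sections(text):
        if m := SEG_HDR.match(head):
            segments[int(m.group(1))] = body
        elif m := IF_HDR.match(head):
            interfaces[m.group(1)] = body
    control_vlans = set()
    for seg, body in segments.items():
        has = lambda prefix: any(l.startswith(prefix) for l in body)
        cv = [l.split()[1] for l in body if l.startswith("control-vlan ")]
        control_vlans.update(int(v) for v in cv)
        if not cv:
            findings.add(("no-control-vlan", f"segment {seg}"))
        if not has("protected-instance "):
            findings.add(("no-protected-instance", f"segment {seg}"))
        # Advisory: notifications are sent, suppression interval left at default.
        if has("tc-notify ") and not has("tc-protection interval "):
            findings.add(("tc-protection-default", f"segment {seg}"))
    for name, body in interfaces.items():
        member_of, no_neighbor, vlans = set(), False, set()
        for line in body:
            if m := IF_PRIO.match(line):
                if not 1 <= int(m.group(2)) <= 128:
                    findings.add(("priority-out-of-range", name))
            elif m := IF_SEP.match(line):
                member_of.add(int(m.group(1)))
                no_neighbor = no_neighbor or bool(m.group(2))
            elif m := VLAN_LINE.match(line):
                vlans |= vlan_ids(m.group(1))
        if member_of - set(segments):
            findings.add(("undefined-segment", name))
        if member_of and not no_neighbor and "stp disable" not in body:
            findings.add(("stp-not-disabled", name))
        if not member_of and vlans & control_vlans:
            findings.add(("control-vlan-on-non-sep-port", name))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

The parser strips indentation, so it also accepts configuration text whose leading spaces were lost when it was copied out of a document.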
Configuration Files
• Configuration file of Router1
#
sysname Router1
#
vlan batch 10 100 200
#
sep segment 1
control-vlan 10
block port optimal
preempt delay 30
protected-instance 0 to 4094
#
interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100
stp disable
sep segment 1 edge primary
#
interface GigabitEthernet7/0/2
port hybrid pvid vlan 200
port hybrid tagged vlan 100
port hybrid untagged vlan 200
#
interface GigabitEthernet7/0/3
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1 edge secondary
#
return
stp disable
sep segment 1
#
return
• Configuration file of Router3
#
sysname Router3
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
protected-instance 0 to 4094
#
interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet7/0/2
port hybrid tagged vlan 10 100
stp disable
sep segment 1
sep segment 1 priority 128
#
interface GigabitEthernet7/0/3
port hybrid tagged vlan 100
#
return
• Configuration file of Router4
#
sysname Router4
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
protected-instance 0 to 4094
#
interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet7/0/2
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
return
• Configuration file of Router5
#
sysname Router5
#
vlan batch 10 100 200
#
sep segment 1
control-vlan 10
protected-instance 0 to 4094
#
interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet7/0/2
port hybrid pvid vlan 200
[Figure omitted: networking diagram. Labels recovered: Router3, Router6 to Router11, CE1, CE2;
SEP segments; interfaces GE7/0/1 to GE7/0/4; Access layer.]
Configuration Roadmap
The configuration roadmap is as follows:
▪ On Router1 to Router5, add the interfaces on the ring at the access layer to
SEP segment 1. Configure the roles of GE7/0/1 and GE7/0/3 of Router1 in
SEP segment 1.
▪ Add GE7/0/2 of Router2, GE7/0/1 and GE7/0/2 of Router6 to Router8, and
GE7/0/2 of Router3 to SEP segment 2. Configure the roles of GE7/0/2 of
Router2 and GE7/0/2 of Router3 in SEP segment 2.
▪ Add GE7/0/1 of Router3, GE7/0/1 and GE7/0/2 of Router9 to Router11, and
GE7/0/1 of Router4 to SEP segment 3. Configure the roles of GE7/0/1 of
Router3 and GE7/0/1 of Router4 in SEP segment 3.
c. Specify an interface to block on the device where the primary edge interface is
located.
▪ In SEP segment 1, specify the interface with the highest priority to block.
▪ In SEP segment 2, specify the device and interface names to block the
specified interface.
▪ In SEP segment 3, specify the blocked interface based on the configured hop
count.
d. Configure the preemption mode on the device where the primary edge interface is
located.
Configure delayed preemption in SEP segment 1 and manual preemption in SEP
segment 2 and SEP segment 3.
e. Configure the topology change notification function on the edge devices between
SEP segments, namely, Router2, Router3, and Router4.
2. Configure the Layer 2 forwarding function on CE1, CE2, and Router1 to Router11.
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30 as
their respective control VLANs, as shown in Figure 13-16.
# Configure Router1.
<Huawei> system-view
[Huawei] sysname Router1
[Router1] sep segment 1
[Router1-sep-segment1] control-vlan 10
[Router1-sep-segment1] protected-instance all
[Router1-sep-segment1] quit
# Configure Router2.
<Huawei> system-view
[Huawei] sysname Router2
[Router2] sep segment 1
[Router2-sep-segment1] control-vlan 10
[Router2-sep-segment1] protected-instance all
[Router2-sep-segment1] quit
[Router2] sep segment 2
[Router2-sep-segment2] control-vlan 20
[Router2-sep-segment2] protected-instance all
[Router2-sep-segment2] quit
# Configure Router3.
<Huawei> system-view
[Huawei] sysname Router3
[Router3] sep segment 1
[Router3-sep-segment1] control-vlan 10
[Router3-sep-segment1] protected-instance all
[Router3-sep-segment1] quit
[Router3] sep segment 2
[Router3-sep-segment2] control-vlan 20
[Router3-sep-segment2] protected-instance all
[Router3-sep-segment2] quit
[Router3] sep segment 3
[Router3-sep-segment3] control-vlan 30
[Router3-sep-segment3] protected-instance all
[Router3-sep-segment3] quit
# Configure Router4.
<Huawei> system-view
[Huawei] sysname Router4
[Router4] sep segment 1
[Router4-sep-segment1] control-vlan 10
[Router4-sep-segment1] protected-instance all
[Router4-sep-segment1] quit
[Router4] sep segment 3
[Router4-sep-segment3] control-vlan 30
[Router4-sep-segment3] protected-instance all
[Router4-sep-segment3] quit
# Configure Router5.
<Huawei> system-view
[Huawei] sysname Router5
[Router5] sep segment 1
[Router5-sep-segment1] control-vlan 10
[Router5-sep-segment1] protected-instance all
[Router5-sep-segment1] quit
– The control VLAN must be a VLAN that has not been created or used, but the configuration
file automatically displays the command for creating the VLAN.
– Each SEP segment must be configured with a control VLAN. After an interface is added to the
SEP segment configured with a control VLAN, the interface is automatically added to the
control VLAN.
2. Add devices on the rings to the SEP segments and configure interface roles according to
Figure 13-16.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment,
disable STP on the interface.
# On Router1, configure GE7/0/1 as the primary edge interface and GE7/0/3 as the
secondary edge interface.
[Router1] interface gigabitethernet 7/0/1
[Router1-GigabitEthernet7/0/1] stp disable
[Router1-GigabitEthernet7/0/1] sep segment 1 edge primary
[Router1-GigabitEthernet7/0/1] quit
[Router1] interface gigabitethernet 7/0/3
[Router1-GigabitEthernet7/0/3] stp disable
[Router1-GigabitEthernet7/0/3] sep segment 1 edge secondary
[Router1-GigabitEthernet7/0/3] quit
# Configure Router2.
[Router2] interface gigabitethernet 7/0/1
[Router2-GigabitEthernet7/0/1] stp disable
[Router2-GigabitEthernet7/0/1] sep segment 1
[Router2-GigabitEthernet7/0/1] quit
[Router2] interface gigabitethernet 7/0/3
# On Router4 where the primary edge interface of SEP segment 3 is located, specify the
blocked interface based on the configured hop count.
[Router4] sep segment 3
[Router4-sep-segment3] block port hop 5
[Router4-sep-segment3] quit
NOTE
SEP sets the hop count of the primary edge interface to 1 and the hop count of the secondary edge
interface to 2. Hop counts of other interfaces increase by steps of 1 in the downstream direction of
the primary interface.
4. Configure the preemption mode.
# Configure delayed preemption on Router1.
[Router1] sep segment 1
[Router1-sep-segment1] preempt delay 30
NOTE
– You must set the preemption delay when delayed preemption is used because there is no
default delay time.
– When the last faulty interface recovers, edge interfaces do not receive any fault notification
packet. If the primary edge interface does not receive any fault notification packet, it starts the
delay timer. When the delay timer expires, nodes in the SEP segment start blocked interface
preemption.
To implement delayed preemption in this example, simulate a port fault and then rectify the
fault. For example:
Run the shutdown command on GE7/0/1 of Router2 to simulate an interface fault, and then
run the undo shutdown command on GE7/0/2 to rectify the fault.
# Configure manual preemption on Router2.
[Router2] sep segment 2
[Router2-sep-segment2] preempt manual
# Configure Router3.
[Router3] sep segment 2
[Router3-sep-segment2] tc-notify segment 1
[Router3-sep-segment2] quit
# Configure Router3.
[Router3] sep segment 3
[Router3-sep-segment3] tc-notify segment 1
[Router3-sep-segment3] quit
# Configure Router4.
[Router4] sep segment 3
[Router4-sep-segment3] tc-notify segment 1
[Router4-sep-segment3] quit
NOTE
The topology change notification function is configured on edge devices between SEP segments
so that the upper-layer network can be notified of topology changes on the lower-layer network.
Step 2 Configure the Layer 2 forwarding function on the CEs and Router1 to Router11.
For details about the configuration, see the configuration files.
Step 3 Verify the configuration.
# After completing the preceding configurations, verify the configuration. Router1 is used as
an example.
• Run the shutdown command on GE7/0/1 of Router2 to simulate an interface fault, and
then run the display sep interface command on Router3 to check whether GE7/0/4 of
Router3 has switched from the Discarding state to the Forwarding state.
<Router3> display sep interface gigabitethernet 7/0/4
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE7/0/4 common up forwarding
----End
Configuration Files
• Configuration file of Router1
#
sysname Router1
#
vlan batch 10 100 200 300
#
sep segment 1
control-vlan 10
block port optimal
preempt delay 30
protected-instance 0 to 4094
#
interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1 edge primary
#
interface GigabitEthernet7/0/2
port hybrid pvid vlan 300
port hybrid tagged vlan 100 200
port hybrid untagged vlan 300
#
interface GigabitEthernet7/0/3
port hybrid tagged vlan 10 100 200 300
stp disable
sep segment 1 edge secondary
#
return
control-vlan 20
protected-instance 0 to 4094
#
interface GigabitEthernet7/0/1
port hybrid tagged vlan 20 200
stp disable
sep segment 2
#
interface GigabitEthernet7/0/2
port hybrid tagged vlan 20 200
stp disable
sep segment 2
#
return
• Configuration file of Router7
#
sysname Router7
#
vlan batch 20 200
#
sep segment 2
control-vlan 20
protected-instance 0 to 4094
#
interface GigabitEthernet7/0/1
port hybrid tagged vlan 20 200
stp disable
sep segment 2
#
interface GigabitEthernet7/0/2
port hybrid tagged vlan 20 200
stp disable
sep segment 2
#
interface GigabitEthernet7/0/3
port hybrid tagged vlan 200
#
return
• Configuration file of Router8
#
sysname Router8
#
vlan batch 20 200
#
sep segment 2
control-vlan 20
protected-instance 0 to 4094
#
interface GigabitEthernet7/0/1
port hybrid tagged vlan 20 200
stp disable
sep segment 2
#
interface GigabitEthernet7/0/2
port hybrid tagged vlan 20 200
stp disable
sep segment 2
#
return
• Configuration file of Router9
#
sysname Router9
#
vlan batch 30 100
#
sep segment 3
control-vlan 30
protected-instance 0 to 4094
#
interface GigabitEthernet7/0/1
port hybrid tagged vlan 30 100
stp disable
sep segment 3
#
interface GigabitEthernet7/0/2
port hybrid tagged vlan 30 100
stp disable
sep segment 3
#
return
#
return
NOTE
In this example, devices at the aggregation layer run the MSTP protocol.
As shown in Figure 13-17, multiple Layer 2 switching devices form a ring at the access layer,
and multiple Layer 3 devices form a ring at the aggregation layer. The two devices where the
access layer and the aggregation layer intersect do not support SEP. You can configure
SEP at the access layer to implement redundancy protection switching and configure the
topology change notification function on an edge device in a SEP segment. This function
enables an upper-layer network to detect topology changes in a lower-layer network in time.
• When there is no faulty link on the ring network, SEP can eliminate loops.
• When a link fails on the ring network, SEP can rapidly restore communication between
nodes.
• The topology change notification function must be configured on an edge device in a
SEP segment. This enables an upper-layer network to detect topology changes in a
lower-layer network in time.
After receiving a message indicating the topology change in a lower-layer network, a device
on an upper-layer network sends TC packets to instruct other devices to delete original MAC
addresses and learn new MAC addresses after the topology of the lower-layer network
changes. This ensures uninterrupted traffic forwarding.
[Figure omitted: networking diagram. Labels recovered: Aggregation layer with PE3 and PE4
running MSTP; devices marked "Do not Support SEP"; Access layer with Router1, Router2, and
Router3 in SEP Segment1; CE; VLAN100; interfaces GE7/0/1 to GE7/0/3. Legend: No-neighbor
Primary Edge Port, No-neighbor Secondary Edge Port, Block Port(SEP), Block Port(MSTP).]
Configuration Roadmap
The configuration roadmap is as follows:
PE1 and PE2 do not support the SEP protocol; therefore, the interfaces of Router1 and
Router2 connected to the PEs must be no-neighbor edge interfaces.
c. On the device where the no-neighbor primary edge interface is located, specify the
interface in the middle of the SEP segment as the interface to block.
d. Configure manual preemption.
e. Configure the topology change notification function so that the upper-layer network
running MSTP can be notified of topology changes in the SEP segment.
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 on Router1 to Router3 and configure VLAN 10 as the control
VLAN of SEP segment 1.
# Configure Router1.
<Huawei> system-view
[Huawei] sysname Router1
[Router1] sep segment 1
[Router1-sep-segment1] control-vlan 10
[Router1-sep-segment1] protected-instance all
[Router1-sep-segment1] quit
# Configure Router2.
<Huawei> system-view
[Huawei] sysname Router2
[Router2] sep segment 1
[Router2-sep-segment1] control-vlan 10
[Router2-sep-segment1] protected-instance all
[Router2-sep-segment1] quit
# Configure Router3.
<Huawei> system-view
[Huawei] sysname Router3
[Router3] sep segment 1
[Router3-sep-segment1] control-vlan 10
[Router3-sep-segment1] protected-instance all
[Router3-sep-segment1] quit
NOTE
– The control VLAN must be a VLAN that has not been created or used, but the configuration
file automatically displays the command for creating the VLAN.
– Each SEP segment must be configured with a control VLAN. After an interface is added to the
SEP segment configured with a control VLAN, the interface is automatically added to the
control VLAN.
2. Add Router1 to Router3 to SEP segment 1 and configure interface roles.
# Configure Router1.
[Router1] interface gigabitethernet 7/0/1
[Router1-GigabitEthernet7/0/1] sep segment 1 edge no-neighbor primary
[Router1-GigabitEthernet7/0/1] quit
[Router1] interface gigabitethernet 7/0/2
[Router1-GigabitEthernet7/0/2] stp disable
[Router1-GigabitEthernet7/0/2] sep segment 1
[Router1-GigabitEthernet7/0/2] quit
# Configure Router2.
[Router2] interface gigabitethernet 7/0/1
[Router2-GigabitEthernet7/0/1] sep segment 1 edge no-neighbor secondary
[Router2-GigabitEthernet7/0/1] quit
[Router2] interface gigabitethernet 7/0/2
[Router2-GigabitEthernet7/0/2] stp disable
[Router2-GigabitEthernet7/0/2] sep segment 1
[Router2-GigabitEthernet7/0/2] quit
# Configure Router3.
[Router3] interface gigabitethernet 7/0/1
[Router3-GigabitEthernet7/0/1] stp disable
[Router3-GigabitEthernet7/0/1] sep segment 1
[Router3-GigabitEthernet7/0/1] quit
[Router3] interface gigabitethernet 7/0/2
[Router3-GigabitEthernet7/0/2] stp disable
[Router3-GigabitEthernet7/0/2] sep segment 1
[Router3-GigabitEthernet7/0/2] quit
# Configure Router2.
[Router2] sep segment 1
[Router2-sep-segment1] tc-notify stp
[Router2-sep-segment1] quit
# Configure PE2.
<Huawei> system-view
[Huawei] sysname PE2
[PE2] stp region-configuration
[PE2-mst-region] region-name RG1
[PE2-mst-region] active region-configuration
[PE2-mst-region] quit
# Configure PE3.
<Huawei> system-view
[Huawei] sysname PE3
[PE3] stp region-configuration
[PE3-mst-region] region-name RG1
[PE3-mst-region] active region-configuration
[PE3-mst-region] quit
# Configure PE4.
<Huawei> system-view
[Huawei] sysname PE4
[PE4] stp region-configuration
[PE4-mst-region] region-name RG1
# Configure Router1.
[Router1] stp region-configuration
[Router1-mst-region] region-name RG1
[Router1-mst-region] active region-configuration
[Router1-mst-region] quit
# Configure Router2.
[Router2] stp region-configuration
[Router2-mst-region] region-name RG1
[Router2-mst-region] active region-configuration
[Router2-mst-region] quit
# On PE2, PE3, and PE4, create VLAN 100 and add GE7/0/1, GE7/0/2, and GE7/0/3 to
VLAN 100.
The configurations of PE2, PE3, and PE4 are similar to the configuration of PE1. For
details about the configuration, see the configuration files.
# On Router1 and Router2, create VLAN 100 and add GE7/0/1 to VLAN 100. The
configurations of Router1 and Router2 are similar to the configuration of PE1. For
details about the configuration, see the configuration files.
3. Enable MSTP.
# Configure PE1.
[PE1] stp enable
# Configure PE2.
[PE2] stp enable
# Configure PE3.
[PE3] stp enable
# Configure PE4.
[PE4] stp enable
# Configure Router1.
[Router1] stp enable
# Configure Router2.
[Router2] stp enable
4. Configure PE3 as the root bridge and PE4 as the backup root bridge.
# Set the priority of PE3 to 0 in MSTP to ensure that PE3 functions as the root bridge.
[PE3] stp root primary
# Set the priority of PE4 to 4096 in MSTP to ensure that PE4 functions as the backup
root bridge.
[PE4] stp root secondary
Step 3 Configure the Layer 2 forwarding function on the CE and Router1 to Router3.
For details about the configuration, see the configuration files.
Step 4 Verify the configuration.
# After the configurations are complete and the network becomes stable, run the following
commands to verify the configuration. Router1 is used as an example.
l Run the shutdown command on GE7/0/1 of Router2 to simulate an interface fault, and
then run the display sep interface command on Router3 to check whether GE7/0/2 of
Router3 has switched from the Discarding state to the Forwarding state.
<Router3> display sep interface gigabitethernet 7/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE7/0/2 common up forwarding
----End
Configuration Files
l Configuration file of Router1
#
sysname Router1
#
vlan batch 10 100
#
stp region-configuration
region-name RG1
active region-configuration
#
sep segment 1
control-vlan 10
block port middle
tc-notify stp
protected-instance 0 to 4094
#
interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100
sep segment 1 edge no-neighbor primary
#
interface GigabitEthernet7/0/2
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
return
l Configuration file of CE
#
sysname CE
#
vlan batch 100
#
interface GigabitEthernet7/0/1
port hybrid tagged vlan 100
#
return
Networking Requirements
In common SEP networking, a physical ring can be configured with only one SEP segment in
which only one interface can be blocked. If an interface in a complete SEP segment is
blocked, all service data is transmitted only along the path where the primary edge interface is
located. The path where the secondary edge interface is located remains idle, wasting
bandwidth.
To improve bandwidth efficiency and implement traffic load balancing, Huawei develops SEP
multi-instance.
[Figure 13-18: SEP multi-instance networking. Router1 to Router4 form the ring at the
aggregation layer; CE1 and CE2 are at the access layer. Instance1: VLAN 100~300. Instance2:
VLAN 301~500. Legend: SEP Segment1, SEP Segment2, Primary Edge Port, Secondary Edge Port,
Block Port.]
As shown in Figure 13-18, a ring network comprising Layer 2 switches (Router1 to Router4)
is connected to the network. SEP runs at the aggregation layer. SEP multi-instance is
configured on Router1 to Router4 to allow for two SEP segments to improve bandwidth
efficiency, implement load balancing, and provide link backup.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure basic SEP functions.
l Configure SEP segment 1 and control VLAN 10.
# Configure Router1.
<Huawei> system-view
[Huawei] sysname Router1
[Router1] sep segment 1
[Router1-sep-segment1] control-vlan 10
[Router1-sep-segment1] quit
# Configure Router2.
<Huawei> system-view
[Huawei] sysname Router2
[Router2] sep segment 1
[Router2-sep-segment1] control-vlan 10
[Router2-sep-segment1] quit
# Configure Router3.
<Huawei> system-view
[Huawei] sysname Router3
[Router3] sep segment 1
[Router3-sep-segment1] control-vlan 10
[Router3-sep-segment1] quit
# Configure Router4.
<Huawei> system-view
[Huawei] sysname Router4
[Router4] sep segment 1
[Router4-sep-segment1] control-vlan 10
[Router4-sep-segment1] quit
# Configure Router2.
[Router2] sep segment 2
[Router2-sep-segment2] control-vlan 10
[Router2-sep-segment2] quit
# Configure Router3.
[Router3] sep segment 2
[Router3-sep-segment2] control-vlan 10
[Router3-sep-segment2] quit
# Configure Router4.
[Router4] sep segment 2
[Router4-sep-segment2] control-vlan 10
[Router4-sep-segment2] quit
NOTE
Step 2 Configure SEP protected instances, and configure mappings between SEP protected instances
and user VLANs.
# Configure Router1.
[Router1] vlan batch 100 to 500
[Router1] sep segment 1
[Router1-sep-segment1] protected-instance 1
[Router1-sep-segment1] quit
[Router1] sep segment 2
[Router1-sep-segment2] protected-instance 2
[Router1-sep-segment2] quit
[Router1] stp region-configuration
[Router1-mst-region] instance 1 vlan 100 to 300
[Router1-mst-region] instance 2 vlan 301 to 500
[Router1-mst-region] active region-configuration
[Router1-mst-region] quit
The configurations of Router2 to Router4 are similar to that of Router1, and are not
mentioned here. For details, see the configuration files.
Step 3 Add all the devices on the ring network to the SEP segments and configure interface roles.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment, disable
STP on the interface.
# On Router1, configure GE7/0/1 as the primary edge interface and GE7/0/3 as the secondary
edge interface.
[Router1] interface gigabitethernet 7/0/1
[Router1-GigabitEthernet7/0/1] stp disable
[Router1-GigabitEthernet7/0/1] sep segment 1 edge primary
[Router1-GigabitEthernet7/0/1] sep segment 2 edge primary
[Router1-GigabitEthernet7/0/1] quit
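[Router1] interface gigabitethernet 7/0/3
[Router1-GigabitEthernet7/0/3] stp disable
[Router1-GigabitEthernet7/0/3] sep segment 1 edge secondary
[Router1-GigabitEthernet7/0/3] sep segment 2 edge secondary
[Router1-GigabitEthernet7/0/3] quit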
# Configure Router2.
[Router2] interface gigabitethernet 7/0/1
[Router2-GigabitEthernet7/0/1] stp disable
[Router2-GigabitEthernet7/0/1] sep segment 1
[Router2-GigabitEthernet7/0/1] sep segment 2
[Router2-GigabitEthernet7/0/1] quit
[Router2] interface gigabitethernet 7/0/2
[Router2-GigabitEthernet7/0/2] stp disable
[Router2-GigabitEthernet7/0/2] sep segment 1
[Router2-GigabitEthernet7/0/2] sep segment 2
[Router2-GigabitEthernet7/0/2] quit
# Configure Router3.
[Router3] interface gigabitethernet 7/0/1
[Router3-GigabitEthernet7/0/1] stp disable
[Router3-GigabitEthernet7/0/1] sep segment 1
[Router3-GigabitEthernet7/0/1] sep segment 2
[Router3-GigabitEthernet7/0/1] quit
[Router3] interface gigabitethernet 7/0/2
[Router3-GigabitEthernet7/0/2] stp disable
[Router3-GigabitEthernet7/0/2] sep segment 1
[Router3-GigabitEthernet7/0/2] sep segment 2
[Router3-GigabitEthernet7/0/2] quit
# Configure Router4.
[Router4] interface gigabitethernet 7/0/1
[Router4-GigabitEthernet7/0/1] stp disable
[Router4-GigabitEthernet7/0/1] sep segment 1
[Router4-GigabitEthernet7/0/1] sep segment 2
[Router4-GigabitEthernet7/0/1] quit
[Router4] interface gigabitethernet 7/0/3
[Router4-GigabitEthernet7/0/3] stp disable
[Router4-GigabitEthernet7/0/3] sep segment 1
[Router4-GigabitEthernet7/0/3] sep segment 2
[Router4-GigabitEthernet7/0/3] quit
# Configure delayed preemption and block an interface based on the device and interface
names on Router1 where the primary edge interface is located.
[Router1] sep segment 1
[Router1-sep-segment1] block port sysname Router3 interface gigabitethernet 7/0/1
[Router1-sep-segment1] preempt delay 15
[Router1-sep-segment1] quit
[Router1] sep segment 2
[Router1-sep-segment2] block port sysname Router2 interface gigabitethernet 7/0/1
[Router1-sep-segment2] preempt delay 15
[Router1-sep-segment2] quit
NOTE
l In this configuration example, an interface fault needs to be simulated and then rectified to
implement delayed preemption. To ensure that delayed preemption takes effect on the two SEP
segments, simulate an interface fault in the two SEP segments. For example:
– In SEP segment 1, run the shutdown command on GE7/0/1 of Router2 to simulate an
interface fault. Then, run the undo shutdown command on GE7/0/1 to simulate interface fault
recovery.
– In SEP segment 2, run the shutdown command on GE7/0/1 of Router3 to simulate an
interface fault. Then, run the undo shutdown command on GE7/0/1 to simulate interface fault
recovery.
Step 5 Configure the Layer 2 forwarding function on CE1, CE2, and Router1 to Router4.
The configuration details are not mentioned here. For details, see the configuration files.
Step 6 Verify the configuration.
# Simulate a fault, and then check whether the status of the blocked interface changes from
blocked to forwarding.
# Run the shutdown command on GE7/0/1 of Router2 to simulate an interface fault.
# Run the display sep interface command on Router3 to check whether the status of GE7/0/1
in SEP segment 1 changes from blocked to forwarding.
[Router3] display sep interface gigabitethernet 7/0/1
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE7/0/1 common up forwarding
SEP segment 2
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE7/0/1 common up forwarding
# The preceding command output shows that the status of GE7/0/1 changes from blocked to
forwarding and the forwarding path change in SEP segment 1 does not affect the forwarding
path in SEP segment 2.
----End
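The following Python check is an added example, not part of the original guide and not a Huawei tool. It reads a saved configuration and reports SEP member interfaces that still run STP or that do not carry the segment's control VLAN and protected-instance VLANs. The function names are hypothetical, the sample configuration is constructed, and the tagging checks and the exemption for no-neighbor edge interfaces are assumptions drawn from the configuration files on this page.

```python
# Added example (hypothetical helper names, not a Huawei tool): offline SEP config lint.
import re

# Constructed sample modeled on this example's Router1 configuration file;
# GigabitEthernet7/0/3 carries two deliberate mistakes.
SAMPLE = """\
stp region-configuration
 instance 1 vlan 100 to 300
 instance 2 vlan 301 to 500
 active region-configuration
#
sep segment 1
 control-vlan 10
 protected-instance 1
sep segment 2
 control-vlan 10
 protected-instance 2
#
interface GigabitEthernet7/0/1
 port hybrid tagged vlan 10 100 to 500
 stp disable
 sep segment 1 edge primary
 sep segment 2 edge primary
#
interface GigabitEthernet7/0/3
 port hybrid tagged vlan 10 100 to 300
 sep segment 1 edge secondary
 sep segment 2 edge secondary
"""

def expand(tokens):
    """['10', '100', 'to', '300'] -> {10, 100, 101, ..., 300}"""
    ids, i = set(), 0
    while i < len(tokens):
        if tokens[i + 1:i + 2] == ["to"]:
            ids.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            ids.add(int(tokens[i]))
            i += 1
    return ids

def sections(text):
    """Group the file into {header line: [indented body lines]}."""
    out, body = {}, None
    for raw in text.splitlines():
        if raw.strip() in ("", "#"):
            body = None
        elif not raw.startswith(" "):
            body = out.setdefault(raw.strip(), [])
        elif body is not None:
            body.append(raw.strip())
    return out

def listed(body, prefix):
    """IDs listed after `prefix` on any line of a section body."""
    ids = set()
    for line in body:
        if line.startswith(prefix):
            ids |= expand(line[len(prefix):].split())
    return ids

def lint_sep(text):
    """Return (interface, segment, problem) tuples; an empty list means clean."""
    sec = sections(text)
    region = sec.get("stp region-configuration", [])
    segs = {}
    for head, body in sec.items():
        m = re.fullmatch(r"sep segment (\d+)", head)
        if m:
            protected = set()
            for inst in listed(body, "protected-instance "):
                protected |= listed(region, f"instance {inst} vlan ")
            segs[int(m.group(1))] = (listed(body, "control-vlan "), protected)
    findings = []
    for head, body in sec.items():
        if not head.startswith("interface "):
            continue
        name, tagged = head.split()[1], listed(body, "port hybrid tagged vlan ")
        for line in body:
            m = re.fullmatch(r"sep segment (\d+)(.*)", line)
            if not m or int(m.group(1)) not in segs:
                continue
            seg = int(m.group(1))
            control, protected = segs[seg]
            # no-neighbor edge interfaces keep STP (hybrid SEP+MSTP example)
            if "stp disable" not in body and "no-neighbor" not in m.group(2):
                findings.append((name, seg, "STP not disabled"))
            if control - tagged:
                findings.append((name, seg, "control VLAN not tagged"))
            if protected - tagged:
                n = len(protected - tagged)
                findings.append((name, seg, f"{n} protected VLANs not tagged"))
    return findings

if __name__ == "__main__":
    for finding in lint_sep(SAMPLE):
        print(finding)
```

The check expects the indented layout of a saved configuration file, in which section bodies start with a space.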
Configuration Files
l Configuration file of Router1
#
sysname Router1
#
vlan batch 10 100 to 500
#
stp region-configuration
instance 1 vlan 100 to 300
instance 2 vlan 301 to 500
active region-configuration
#
sep segment 1
control-vlan 10
block port sysname Router3 interface GigabitEthernet7/0/1
preempt delay 15
protected-instance 1
sep segment 2
control-vlan 10
block port sysname Router2 interface GigabitEthernet7/0/1
preempt delay 15
protected-instance 2
#
interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100 to 500
stp disable
sep segment 1 edge primary
sep segment 2 edge primary
#
interface GigabitEthernet7/0/3
port hybrid tagged vlan 10 100 to 500
stp disable
sep segment 1 edge secondary
This chapter describes the concept, configuration procedure, and configuration examples of
Layer 2 protocol transparent transmission.
Definition
Layer 2 protocol transparent transmission is a Layer 2 tunneling technology that transparently
transmits BPDUs between private networks at different locations over a specified tunnel on a
public Internet Service Provider (ISP) network.
Purpose
Leased lines of ISPs are often used to establish Layer 2 networks. As a result, private
networks of a user can be located at two sides of the ISP network. As shown in Figure 14-1,
User A has two networks: network1 and network2. The two networks are connected through
the ISP network. When network1 and network2 run the same Layer 2 protocol (such as
MSTP), Layer 2 protocol packets from network1 and network2 must be transmitted through
the ISP network to perform Layer 2 protocol calculation (for example, calculating a spanning
tree). Generally, the destination MAC addresses in Layer 2 protocol packets of the same
Layer 2 protocol are the same. For example, the MSTP PDUs are BPDUs with the destination
MAC address 0180-C200-0000. Therefore, when a Layer 2 protocol packet reaches an edge
device on the ISP network, the edge device cannot identify whether the Layer 2 protocol
packet comes from a user network or the ISP network and sends the Layer 2 protocol packets
to the CPU to calculate a spanning tree.
In Figure 14-1, devices on user network1 build a spanning tree together with PE1 but not
with devices on user network2. As a result, the Layer 2 protocol packets on user network1
cannot traverse the ISP network to reach user network2.
Figure 14-1 Transparent transmission of Layer 2 protocol packets on the ISP network
[Figure: CE1 on User A network1 attaches to PE1, and CE2 on User A network2 attaches to PE2,
across the ISP network.]
You can use Layer 2 protocol transparent transmission to transparently transmit Layer 2
protocol packets from the user network across the ISP network. This addresses the network
identity issue. The procedure is as follows:
1. After receiving Layer 2 protocol packets sent from CE1, PE1 replaces the destination
MAC address with a specified multicast MAC address. Then PE1 forwards the packets
on the ISP network.
2. PE2 of the ISP network receives the packets, restores their original destination MAC
address, and sends them to CE2.
[Figure: BPDU tunnel between PE1 and PE2 across the ISP network; each LAN-A site runs MSTP.]
Layer 2 protocol packets need to be transparently transmitted on the backbone network. The
following requirements must be met:
l All branches of a user network can receive Layer 2 protocol packets from other
branches.
l Layer 2 protocol packets of a user network cannot be processed by the CPU of devices
on the ISP network.
l Layer 2 protocol packets of different user networks must be isolated from each other and
must not affect each other.
You can configure Layer 2 protocol transparent transmission to meet the preceding
requirements.
1. PE1 on the backbone network receives Layer 2 protocol packets from user networks.
PE1 replaces the standard multicast destination MAC address of Layer 2 protocol
packets with a specified multicast MAC address according to the mappings between
multicast destination MAC addresses and Layer 2 protocols.
2. Internal nodes on the backbone network forward the packets across the backbone
network as common Layer 2 packets.
3. The egress device PE2 of the backbone network restores the original destination MAC
address of the packets according to the mappings between multicast destination MAC
addresses and Layer 2 protocols, and then forwards the packets to user networks.
You can configure Layer 2 protocol transparent transmission on PEs, so that MSTP packets
are not sent to the CPUs of PEs for processing. This prevents PEs from participating in
spanning tree calculation.
[Figure: ISP network with PE1 and PE2; CE1 on User A network1 and CE2 on User A network2.]
Licensing Requirements
Layer 2 Protocol Transparent Transmission is a basic feature of a router and is not under
license control.
Feature Limitations
l When configuring Layer 2 protocol transparent transmission, do not use multicast MAC
addresses that have been used on the device.
l The user-side interface cannot be a VLANIF interface; otherwise, protocol packets
cannot be transmitted.
l Currently, the device supports transparent transmission of packets of the following Layer
2 protocols:
– Spanning Tree Protocol (STP)
– Link Aggregation Control Protocol (LACP)
– Link Layer Discovery Protocol (LLDP)
– Cisco Discovery Protocol (CDP)
– User-defined protocols
Context
Layer 2 protocol transparent transmission is implemented by replacing the original multicast
MAC address of Layer 2 protocol packets from user networks with a specified multicast
MAC address.
Procedure
Step 1 Run system-view
– A multicast MAC address that is already used on the device cannot be used as the
replacement destination MAC address of Layer 2 protocol packets.
l If the Layer 2 protocol packets from a user network are not STP BPDUs, LACPDUs,
LLDPDUs, or CDP packets, run the l2protocol-tunnel user-defined-protocol protocol-
name protocol-mac protocol-mac group-mac group-mac command to customize Layer
2 protocol packets and replace the destination MAC address of the Layer 2 protocol
packets with a specified multicast MAC address.
By default, Layer 2 protocol packets are not customized.
NOTE
– The destination MAC address of user-defined protocol packets must be different from that of STP
BPDUs, LACPDUs, LLDPDUs, and CDP packets, and the replacement multicast MAC address must
be different from the multicast MAC addresses already used on the device.
----End
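The destination MAC replacement on the ingress PE, its restoration on the egress PE, and the address restrictions in the notes above can be modeled as follows. This is an added Python example, not Huawei code or device output. The class and function names are hypothetical, the LACP, LLDP, and CDP destination MACs are the protocols' well-known values rather than values from this document, and treating an assigned group MAC as "in use" is an assumption of the model.

```python
# Added example: models how PEs rewrite the destination MAC of tunneled
# Layer 2 protocol packets. All class and function names are hypothetical.

# Well-known destination MACs. The STP value is the one this document gives;
# the LACP, LLDP and CDP values are the protocols' standard addresses.
STANDARD_MAC = {
    "stp": "0180-c200-0000",
    "lacp": "0180-c200-0002",
    "lldp": "0180-c200-000e",
    "cdp": "0100-0ccc-cccc",
}


def norm(mac):
    """Normalize any common MAC notation to xxxx-xxxx-xxxx (lower case)."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def is_multicast(mac):
    """Multicast MACs have the low-order bit of the first octet set."""
    return int(norm(mac)[:2], 16) & 1 == 1


class TunnelPE:
    """One PE's mapping between protocol MACs and replacement group MACs."""

    def __init__(self, name, macs_in_use=()):
        self.name = name
        self.protocol_mac = dict(STANDARD_MAC)
        self.group_mac = {}
        # Multicast MACs the device already uses; the protocol MACs count too.
        self.in_use = {norm(m) for m in macs_in_use} | set(STANDARD_MAC.values())

    def define_protocol(self, proto, protocol_mac):
        """Model of the protocol-mac part of a user-defined protocol."""
        mac = norm(protocol_mac)
        if mac in self.in_use:
            raise ValueError(f"{mac} is already used on {self.name}")
        self.protocol_mac[proto] = mac
        self.in_use.add(mac)

    def set_group_mac(self, proto, group_mac):
        """Model of 'l2protocol-tunnel stp group-mac 0100-0ccd-eeee'."""
        mac = norm(group_mac)
        if proto not in self.protocol_mac:
            raise KeyError(f"unknown protocol {proto!r}")
        if self.group_mac.get(proto) == mac:
            return  # same mapping configured again
        if not is_multicast(mac):
            raise ValueError(f"{mac} is not a multicast MAC address")
        if mac in self.in_use:
            raise ValueError(f"{mac} is already used on {self.name}")
        self.group_mac[proto] = mac
        self.in_use.add(mac)

    def ingress(self, frame):
        """User side to ISP side: replace the protocol MAC with the group MAC."""
        dst = norm(frame["dst"])
        for proto, gmac in self.group_mac.items():
            if self.protocol_mac[proto] == dst:
                return dict(frame, dst=gmac)
        return dict(frame, dst=dst)  # not a tunneled protocol: unchanged

    def egress(self, frame):
        """ISP side to user side: restore the original protocol MAC."""
        dst = norm(frame["dst"])
        for proto, gmac in self.group_mac.items():
            if gmac == dst:
                return dict(frame, dst=self.protocol_mac[proto])
        return dict(frame, dst=dst)


def tunnel(frame, ingress_pe, egress_pe):
    """Return (frame as seen inside the ISP network, frame delivered to the CE)."""
    in_core = ingress_pe.ingress(frame)
    return in_core, egress_pe.egress(in_core)


if __name__ == "__main__":
    pe1, pe2 = TunnelPE("PE1"), TunnelPE("PE2")
    for pe in (pe1, pe2):
        pe.set_group_mac("stp", "0100-0ccd-eeee")  # group MAC from this document
    # Constructed sample frame: an STP BPDU sent by CE1.
    bpdu = {"src": "00e0-fcaa-aaaa", "dst": "0180-c200-0000", "payload": "BPDU"}
    core, delivered = tunnel(bpdu, pe1, pe2)
    print("inside ISP network:", core["dst"])
    print("delivered to CE2:  ", delivered["dst"])
```

An egress PE without the same mapping leaves the group MAC in place, which is why the same group MAC is configured on both PE1 and PE2.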
Context
To configure Layer 2 protocol transparent transmission, you need to configure a bridge group
and add user-side and network-side interfaces of a PE to the bridge group.
Perform the following steps on the PE.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bridge bridge-id
A bridge group is created and the bridge group view is displayed.
By default, no bridge group is configured.
Step 3 Run quit
Return to the system view.
Step 4 Add a user-side interface to the bridge group.
1. Run interface interface-type interface-number
The interface view is displayed.
2. Run bridge bridge-id
The interface is added to the bridge group.
By default, no interface is added to the bridge group.
Step 5 Repeat step 4 to add a network-side interface to the bridge group.
----End
Context
Perform the following operations on PEs based on the required Layer 2 protocol transparent
transmission mode.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The network-side interface view is displayed.
Step 3 Run l2protocol-tunnel { protocol-type | user-defined-protocol protocol-name } enable
Layer 2 protocol transparent transmission is enabled on the interface.
----End
Networking Requirements
As shown in Figure 14-4, CEs are edge devices on an enterprise's networks in different
locations, and PE1 and PE2 are edge devices on the ISP network. The two networks are Layer
2 networks and connected through the ISP network. STP is used to prevent loops on Layer 2
networks. Enterprise users require that STP should run on their Layer 2 networks so that
spanning trees can be generated correctly.
[Figure 14-4: PE1 and PE2 (each with GE1/0/0 and GE2/0/0) on the ISP network; CE1 on User A
network1 and CE2 on User A network2 connect through Eth2/0/0.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure STP on CEs to prevent loops on Layer 2 networks.
2. Configure interface-based Layer 2 protocol transparent transmission on PEs so that STP
BPDUs are not sent to the CPUs of PEs for processing.
Procedure
Step 1 Enable STP on CEs.
# Configure CE1.
<Huawei> system-view
[Huawei] sysname CE1
NOTE
STP is enabled in the system and on an interface by default. You do not need to configure it.
Step 2 Configure PEs to replace the destination MAC address of STP BPDUs received from CEs.
# Configure PE1.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] l2protocol-tunnel stp group-mac 0100-0ccd-eeee
# Configure PE2.
<Huawei> system-view
[Huawei] sysname PE2
[PE2] l2protocol-tunnel stp group-mac 0100-0ccd-eeee
Step 4 Enable Layer 2 protocol transparent transmission on GE2/0/0 of PE1 and PE2.
# Configure PE1. The configuration of PE2 is similar to that of PE1, and is not mentioned
here.
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] l2protocol-tunnel stp enable
[PE1-GigabitEthernet2/0/0] quit
----End
Configuration Files
l Configuration file of CE1
#
sysname CE1
#
interface Ethernet2/0/0
#
return
#
return
Transparent bridges are widely used in Ethernet LANs because they are easy to configure and
operate.
15.1 Overview of Transparent Bridge
15.2 Understanding Transparent Bridging
15.3 Application Scenarios for Transparent Bridging
15.4 Summary of Transparent Bridging Configuration Tasks
Transparent bridges are widely used in Ethernet LANs because they are easy to configure and
operate.
15.5 Default Settings for Transparent Bridging
This section provides default parameter settings of transparent bridging.
15.6 Licensing Requirements and Limitations for Transparent Bridging
15.7 Configuring Local Bridging
Configuring local bridging allows users in the same geographical location and on the same
network segment to communicate with each other.
15.8 Configuring Local Bridging Integrated with IP Routing
Configuring local bridging integrated with IP routing allows users in the same geographical
location but on different network segments to communicate with each other.
15.9 Configuring Remote Bridging
Configuring remote bridging allows users in different geographical locations and on the same
network segment to communicate with each other.
15.10 Configuring Remote Bridging Integrated with IP Routing
Configuring remote bridging integrated with IP routing allows users in different geographical
locations and on different network segments to communicate with each other.
15.11 Maintaining Transparent Bridging
This section describes how to clear traffic statistics on a bridge group to help locate faults in
the bridge group.
15.12 Configuration Examples for Transparent Bridging
This section describes the typical application scenarios of transparent bridging and provides
configuration roadmaps.
15.13 FAQ About Transparent Bridging
This section lists FAQs related to the transparent bridging configuration.
Purpose
Ethernet LAN has become the mainstream technology because of its strong scalability and low
costs. On some small-scale networks, especially on dispersed networks where PPP, HDLC,
FR, or ATM links are interconnected, interworking between LANs remains a problem and
needs to be addressed urgently.
Traditional routers can connect LANs, but the costs are high and the configurations are
complex. Transparent bridging can be used on an Ethernet network to connect LANs.
Transparent bridging makes full use of links but not low-speed Ethernet links to connect
LANs without affecting the existing LAN network. Transparent bridging is easy to use and
cost-effective, so it is widely used.
[Figure: network bridge connecting PC 1 and PC 2 (LAN1) and PC 3 and PC 4 (LAN2); visible
port labels: Port3, Port4.]
After Port2 receives the frame, the network bridge learns that PC1 connects to Port1 because
the frame is received from Port1. Then the mapping between the MAC address of PC1 and
Port1 is added to the network bridge table, as shown in Figure 15-2.
[Figure 15-2: network bridge table]
MAC address      Port
00e0:fcaa:aaaa   port1
When PC2 responds to the frame from PC1, the network bridge also detects the frame from
PC2 and learns that PC2 connects to Port2 because the frame is received from Port2. The
mapping between the MAC address of PC2 and Port2 is added to the network bridge table, as
shown in Figure 15-3.
[Figure 15-3: network bridge table]
MAC address      Port
00e0:fcaa:aaaa   port1
00e0:fcaa:bbbb   port2
The network bridge learns the mappings between all MAC addresses and bridge interfaces, as
shown in Figure 15-4.
[Figure 15-4: network bridge table]
MAC address      Port
00e0:fcaa:aaaa   port1
00e0:fcaa:bbbb   port2
00e0:fcaa:cccc   port3
00e0:fcaa:dddd   port4
If a MAC address establishes a mapping relationship with more than one interface, the more
recent mapping relationship overrides the earlier one. This ensures that each MAC address is
associated with only one outbound interface.
The transparent bridge can perform dynamic MAC address learning. Learned MAC address
entries are deleted when their aging time expires.
Packet Processing
The transparent bridge processes received data frames in either of the following modes:
l Unicast frame
If the received data frame's destination MAC address can be found in the forwarding
table, and the inbound and outbound interfaces of the frame are different, the outbound
interface forwards the data frame.
l Broadcast
If the received data frame's destination MAC address is a unicast MAC address and
cannot be found in the forwarding table, or the destination MAC address of the data
frame is a multicast or broadcast MAC address, the data frame is forwarded to all
interfaces in the corresponding bridge group on the same VLAN, except the frame's
inbound interface.
NOTE
When packets enter the network bridge, the following BPDUs will be discarded:
l If the network bridge interface is configured with selective QinQ, the packets with the destination MAC
address of 0180-C200-0002 will be discarded.
l If the network bridge interface is not configured with selective QinQ, the packets with the destination
MAC addresses of 0180-C200-000x and 0180-C200-002x will be discarded. x represents a single
hexadecimal digit.
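The learning, overriding, aging, and forwarding rules above, together with the discard rule in the NOTE, are modeled below in an added Python example that is not part of the original guide. Class and function names are hypothetical. The 300-second aging time, a single VLAN, and dropping reserved frames before their source MAC is learned are assumptions.

```python
# Added example: transparent-bridge learning and forwarding as described
# above. Class, method and port names are hypothetical; one VLAN is assumed.

def norm(mac):
    """Reduce a MAC in any common notation to 12 lower-case hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def is_discarded(dst, selective_qinq):
    """Apply the NOTE: which reserved destination MACs are dropped on entry."""
    if selective_qinq:
        return dst == "0180c2000002"
    # 0180-C200-000x and 0180-C200-002x, x being any hexadecimal digit
    return dst[:11] in ("0180c200000", "0180c200002")


class LearningBridge:
    def __init__(self, ports, aging_time=300, selective_qinq=False):
        self.ports = list(ports)
        self.aging_time = aging_time      # seconds; 300 is an assumed value
        self.selective_qinq = selective_qinq
        self.table = {}                   # MAC -> (port, time last seen)

    def age_out(self, now):
        """Delete learned entries whose aging time has expired."""
        self.table = {mac: (port, seen)
                      for mac, (port, seen) in self.table.items()
                      if now - seen < self.aging_time}

    def receive(self, in_port, src, dst, now=0):
        """Process one frame and return the list of ports it is sent out of."""
        src, dst = norm(src), norm(dst)
        self.age_out(now)
        if is_discarded(dst, self.selective_qinq):
            return []                     # dropped on entry, nothing learned (assumption)
        # Learn or refresh; a newer mapping overrides an earlier one.
        self.table[src] = (in_port, now)
        is_group = int(dst[:2], 16) & 1   # multicast or broadcast destination
        entry = self.table.get(dst)
        if is_group or entry is None:
            return [p for p in self.ports if p != in_port]   # flood
        out_port = entry[0]
        return [out_port] if out_port != in_port else []     # forward or filter


def bridge_table(bridge):
    """Readable view of the table: {'00e0:fcaa:aaaa': 'port1', ...}."""
    return {":".join(m[i:i + 4] for i in range(0, 12, 4)): port
            for m, (port, _) in bridge.table.items()}


if __name__ == "__main__":
    br = LearningBridge(["port1", "port2", "port3", "port4"])
    # Constructed frames using the MAC addresses from Figures 15-2 to 15-4.
    print(br.receive("port1", "00e0:fcaa:aaaa", "00e0:fcaa:bbbb", now=0))
    print(br.receive("port2", "00e0:fcaa:bbbb", "00e0:fcaa:aaaa", now=1))
    print(br.receive("port3", "00e0:fcaa:cccc", "ffff:ffff:ffff", now=2))
    print(br.receive("port1", "00e0:fcaa:aaaa", "0180-c200-0000", now=3))
    print(bridge_table(br))
```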
[Figure: RouterA connects LAN1 through Eth2/0/1 and LAN2 through Eth2/0/2; PC 1, PC 2.]
A bridge group is created on Router A. Ethernet 2/0/1 in LAN 1 and Ethernet 2/0/2 in LAN 2
are added to the bridge group. In this manner, LAN 1 and LAN 2 are bridged and can
communicate with each other at the link layer.
After local bridging is configured, the bridge group configured for the transparent bridge is
able to:
l Learn the mapping relationship between the MAC address and the interface (MAC
forwarding entry).
l Be configured with static and blackhole MAC address entries.
l Have dynamic MAC address entry learning enabled or disabled.
l Be configured with the aging time of dynamic MAC entries.
l Bridge all protocol packets (including IP and non-IP packets) by default.
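[Figure: RouterA and RouterB connected across a network through Serial1/0/0 and Serial1/0/1.
On RouterA, Eth2/0/1 attaches LAN1 and Eth2/0/2 attaches LAN2; on RouterB, Eth2/0/1 attaches
LAN3 and Eth2/0/2 attaches LAN4. Hosts shown: HostA, HostB, HostC, HostD, PC 1, PC 2, PC 5,
PC 6.]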
As shown in Figure 15-6, Router A and Router B are connected with each other over a
network. PC2, PC4, PC5, and PC7 belong to four different LANs (LAN 2, LAN 1, LAN 4,
LAN 3) on different network segments. LAN 1 needs to communicate with LAN 3, and LAN
2 with LAN 4.
Bridges 1 and 2 are created on Router A and Router B, respectively. Ethernet2/0/1 and Serial
1/0/0 on both Router A and Router B are added to bridge 1; Ethernet2/0/2 and Serial 1/0/1 on
both Router A and Router B are added to bridge 2. In this manner, the preceding
communication requirement can be met.
Other types of links, such as Ethernet, Point-to-Point Protocol (PPP), Asynchronous Transfer
Mode (ATM), and High-level Data Link Control (HDLC), can also be used for remote
bridging.
l Allow Ethernet interfaces, Ethernet sub-interfaces, VLANIF, VT, Serial, Serial sub-
interfaces, Dialer, PON interfaces, ATM interfaces, ATM sub-interfaces, FR interfaces,
FR sub-interfaces, MP-Group interfaces, MFR interfaces, MFR sub-interfaces to be
added to bridge groups.
l Link encapsulation protocols such as Ethernet, PPP, HDLC, FR, PPPoA, PPPoE,
PPPoEoA, and ATM.
l 802.1Q VLAN ID transparent transmission.
l Bridging IP and non-IP packets.
Integrated bridging and routing uses Bridge-if interfaces for routing packets. Bridge-if
interfaces can be configured with network layer attributes, such as IP addresses. Each bridge
group can be configured with only one Bridge-if interface. A Bridge-if interface's number is
the number of the bridge group that the Bridge-if interface represents. After the integrated
bridging and routing function has been activated, the Bridge-if interface can route packets
between users in the bridge group and the outside network.
The integrated bridging and routing function needs to be enabled using the command line.
Otherwise, all the packets in a bridge group can only be bridged, but not routed. After
integrated bridging and routing has been enabled, protocol packets can either be bridged or
routed, which can be configured through the command line.
After integrated bridging and routing has been enabled, the interfaces added to a bridge group
cannot be configured with IP addresses.
[Figure: PC1 (1.1.1.11/24) and PC2 (1.1.1.12/24).]
As shown in Figure 15-7, a bridge group and a Bridge-if interface are configured on Router
A. Ethernet2/0/1 and Ethernet2/0/2, connecting two different LANs, are added to the bridge
group. An IP address is configured for the Bridge-if interface. After the integrated bridging
and routing function and the IP packet routing function have been enabled, the Bridge-if
interface can route IP packets between the four hosts (PC1, PC2, PC3, and PC4) and the
network outside the bridge group, and the return route is configured for Router B. That is, the
four hosts can access the network outside the bridge group by using the Bridge-if interface.
[Figure: RouterA and RouterB, each with Eth2/0/0; SwitchA and SwitchB; PC1 and PC2.]
If two trunk interfaces are connected over Ethernet, configuring VLAN ID transparent
transmission prevents the transmission devices on the Ethernet from removing VLAN IDs of
the packets. The two trunk interfaces can be considered as directly connected. For example, in
Figure 15-8 VLAN ID transparent transmission is enabled on the interfaces of Router A and
Router B, allowing PC1 and PC2 to communicate with each other.
and User 3 need to communicate with each other. After bridge groups are created on RouterA,
departments in the same bridge group can communicate with each other and those in different
bridge groups are isolated from each other.
Departments of Enterprise A belong to the LANs on the same network segment, and therefore
they can be bridged to communicate with each other. Enterprise B, however, belongs to a
LAN on a different network segment. Therefore, link-layer bridging cannot meet the
requirement of the communication between Enterprise A and Enterprise B.
In this case, you can configure local bridging integrated with IP routing to achieve the
communication between Enterprise A and Enterprise B.
Figure 15-12 Remote users in the same vlan on the same network segment
[Figure: RouterA and RouterB connected across a network; Eth1/0/3 on each router.]
Licensing Requirements
Transparent bridging is a basic feature of a router and is not under license control.
Feature Limitations
None
Context
A bridge group is a virtual group. It can forward packets only after interfaces have been added
to the group.
Procedure
Step 1 Run system-view
If the bridge group specified by bridge-id exists, the bridge group view is displayed.
----End
Context
A bridge group is a virtual group. It can forward packets only after interfaces have been added
to the group.
As shown in Figure 15-14, the following methods can be used to add users to a bridge group:
l Directly add users to the bridge group. User 3 uses this method.
l Use a VLAN to add users to the bridge group. Create a VLAN on a bridge and add users
to the VLAN. Users then connect to the bridge group through the VLANIF interface.
User 1 and User 2 use this method.
l Use Ethernet sub-interfaces to add users to the bridge group. This method is used when
flows on a physical interface need to be differentiated using sub-interfaces. User 4 uses
this method.
[Figure 15-14: User 1 and User 2 in VLAN 11 connect through VLANIF 11.]
Procedure
Step 1 Run system-view
A maximum of 20 interfaces can be added to a bridge group. Different types of interfaces can
be added to the same bridge group. Layer 2 interfaces cannot be added to a bridge group.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bridge bridge-id
The bridge group view is displayed.
Step 3 Run bridging { ip | others } disable
The bridge group is disabled from bridging specified protocol packets.
By default, a bridge group bridges all protocol packets.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bridge bridge-id
The bridge group view is displayed.
Multiple devices can use the same bridge number.
Step 3 Run mac-address learning disable
Dynamic MAC address learning is disabled.
----End
Prerequisites
The configurations for local bridging are complete.
Procedure
l Run the display bridge [ bridge-id ] information command to view information about
the bridge group.
l Run the display bridge traffic [ bridge bridge-id | interface interface-type interface-
number ] command to view the traffic statistics on a specified interface in the bridge
group.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bridge bridge-id
A bridge group is created and the bridge group view is displayed.
If the bridge group specified by bridge-id exists, the bridge group view is displayed.
Multiple devices can use the same bridge number.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The user-side interface view is displayed.
Step 3 Run bridge bridge-id
An interface is added to a bridge group.
A maximum of 20 interfaces can be added to a bridge group. Different types of interfaces can
be added to the same bridge group. Layer 2 interfaces cannot be added to a bridge group.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bridge bridge-id
The bridge group view is displayed.
Step 3 Run routing ip
IP routing is enabled for the bridge group.
The IP routing function cannot be configured if any of the member interfaces in the bridge
group has an IP address. Before configuring the IP routing function, delete the IP addresses
of these member interfaces.
Step 4 Run quit
Return to the system view.
Step 5 Run interface bridge-if bridge-id
A Bridge-if interface is created and the Bridge-if interface view is displayed.
Step 6 Run ip address ip-address { mask | mask-length }
An IP address is configured for the Bridge-if interface.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bridge bridge-id
The bridge group view is displayed.
Step 3 Run bridging { ip | others } disable
The bridge group is disabled from bridging specified protocol packets.
By default, a bridge group bridges all protocol packets.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bridge bridge-id
The bridge group view is displayed.
Multiple devices can use the same bridge number.
Step 3 Run mac-address learning disable
Dynamic MAC address learning is disabled.
----End
Prerequisites
The configurations for local bridging integrated with IP routing are complete.
Procedure
• Run the display interface bridge-if [ bridge-id ] command to check information about
the Bridge-if interface.
• Run the display bridge [ bridge-id ] information command to check information about
the remote bridge group.
• Run the display bridge traffic [ bridge bridge-id | interface interface-type
interface-number ] command to view the traffic statistics on a specified interface in the
bridge group.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bridge bridge-id
A bridge group is created and the bridge group view is displayed.
If the bridge group specified by bridge-id exists, the bridge group view is displayed.
Multiple devices can use the same bridge number.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The user-side interface view is displayed.
Step 3 Run bridge bridge-id
An interface is added to a bridge group.
A maximum of 20 interfaces can be added to a bridge group. Different types of interfaces can
be added to the same bridge group. Layer 2 interfaces cannot be added to a bridge group.
Ethernet sub-interfaces and GE sub-interfaces configured to terminate QinQ tags do not
support transparent bridging.
----End
To implement remote bridging between different LANs, add the user-side interface
connecting to a LAN and the network-side interface connecting to the intermediate link to the
same bridge group.
Perform the following steps on the devices at both ends of the intermediate link.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The view of the network-side interface is displayed.
Step 3 Perform the following operations depending on the type of interface:
• Add an Ethernet interface to a bridge group.
  a. Run bridge bridge-id
     The Ethernet interface is added to the bridge group.
• Add an HDLC interface to a bridge group.
  a. Run link-protocol hdlc
     HDLC is enabled on the interface.
  b. Run bridge bridge-id
     The HDLC interface is added to the bridge group.
• Add a PPP interface to a bridge group.
  a. Run link-protocol ppp
     PPP is enabled on the interface.
  b. Run bridge bridge-id
     The PPP interface is added to the bridge group.
• Add an MP group interface to a bridge group.
  a. Run bridge bridge-id
     The VT interface is added to the bridge group.
  b. Run quit
     Return to the system view.
  c. Run interface interface-type interface-number
     The MP group interface view is displayed.
  d. Run link-protocol ppp
     PPP is enabled on the interface.
  e. Run ppp mp virtual-template number
     The MP group interface is bound to a virtual template.
• Add an FR interface to a bridge group.
  a. Run link-protocol fr
     FR is enabled on the interface.
  b. Run fr dlci dlci
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bridge bridge-id
The bridge group view is displayed.
----End
Context
Some BPDUs sent out from an interface of a bridge group may be discarded during
transmission by default. After the outbound interface added to the bridge group is enabled to
transparently transmit BPDUs, BPDUs can be sent from this interface.
Procedure
Step 1 Run system-view
NOTE
----End
Context
By default, an outbound interface of a bridge group removes the VLAN IDs of the packets to
be sent out. After VLAN ID transparent transmission is configured on an outbound interface
of a bridge group, the outbound interface does not remove the VLAN IDs of the packets to be
sent out.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run bridge vlan-transmit enable
VLAN ID transparent transmission is enabled.
NOTE
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bridge bridge-id
The bridge group view is displayed.
Multiple devices can use the same bridge number.
Step 3 Run mac-address learning disable
Dynamic MAC address learning is disabled.
By default, dynamic MAC address learning is enabled for a bridge group.
Step 4 Run quit
Return to the system view.
Step 5 Configure a MAC address entry.
• Run mac-address static mac-address interface-type interface-number bridge bridge-id
A static MAC address entry is configured for a bridge group.
By default, no static MAC address entry is configured. In a bridge group, each MAC
address entry can be configured as only one static entry. If the MAC address entry is
configured as a static entry repeatedly, the last configuration overwrites the previous
configuration.
• Run mac-address blackhole mac-address bridge bridge-id
A blackhole MAC address entry is configured for a bridge group.
By default, no blackhole MAC address entry is configured.
• Run mac-address aging-time seconds bridge
The aging time is configured for a dynamic MAC entry.
The configured aging time takes effect on the dynamic MAC address entries of all bridge
groups.
----End
Prerequisites
The configurations for remote bridging are complete.
Procedure
• Run the display bridge [ bridge-id ] information command to view information about
the bridge group.
• Run the display bridge traffic [ bridge bridge-id | interface interface-type
interface-number ] command to view the traffic statistics on a specified interface in the
bridge group.
----End
Context
A bridge group is a virtual group. It can forward packets only after interfaces have been added
to the group.
Procedure
Step 1 Run system-view
If the bridge group specified by bridge-id exists, the bridge group view is displayed.
----End
Context
A bridge group is a virtual group. It can forward packets only after interfaces have been added
to the group.
As shown in Figure 15-17, the following methods can be used to add users to a bridge group:
• Directly add users to the bridge group. User 1 uses this method.
• Use a VLAN to add users to the bridge group. Create a VLAN on a bridge and add users
to the VLAN. Users then connect to the bridge group through the VLANIF interface.
User 2 and User 3 use this method.
• Use Ethernet sub-interfaces to add users to the bridge group. This method is used when
flows on a physical interface need to be differentiated using sub-interfaces. User 4 uses
this method.
Procedure
Step 1 Run system-view
A maximum of 20 interfaces can be added to a bridge group. Different types of interfaces can
be added to the same bridge group. Layer 2 interfaces cannot be added to a bridge group.
----End
Context
Two devices can be connected using different types of intermediate links, such as Ethernet,
PPP, HDLC, FR, MP, and ATM to bridge data between different LANs.
To implement remote bridging between different LANs, add the user-side interface
connecting to a LAN and the network-side interface connecting to the intermediate link to the
same bridge group.
Perform the following steps on the devices at both ends of the intermediate link.
Procedure
Step 1 Run system-view
The number of interfaces that can be added to a bridge group depends on device models:
• AR100-S&AR110-S&AR120-S&AR150-S&AR160-S&AR200-S&AR1200-S series: 20
Interfaces of different types can be added to the same bridge group, but Layer 2 interfaces
cannot be added to a bridge group.
----End
Context
IP routing enables a bridge group to bridge and route packets. If IP routing is not enabled, all
protocol packets can only be bridged. After IP routing is enabled, specified protocol packets
can be bridged or routed depending on the configuration.
Procedure
Step 1 Run system-view
The IP routing function cannot be configured if any of the member interfaces in the bridge
group has an IP address. Before configuring the IP routing function, delete the IP addresses
of these member interfaces.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bridge bridge-id
The bridge group view is displayed.
Step 3 Run bridging { ip | others } disable
The bridge group is disabled from bridging specified protocol packets.
By default, a bridge group bridges all protocol packets.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run bridge bridge-id
The bridge group view is displayed.
Multiple devices can use the same bridge number.
Step 3 Run mac-address learning disable
Dynamic MAC address learning is disabled.
By default, dynamic MAC address learning is enabled for a bridge group.
Step 4 Run quit
Return to the system view.
----End
Prerequisites
The configurations for remote bridging integrated with IP routing are complete.
Procedure
• Run the display interface bridge-if [ bridge-id ] command to check information about
the Bridge-if interface.
• Run the display bridge [ bridge-id ] information command to check information about
the remote bridge group.
• Run the display bridge traffic [ bridge bridge-id | interface interface-type
interface-number ] command to view the traffic statistics on the bridge group.
----End
Context
During routine maintenance, you can run the following commands in any view to monitor the
operation of bridge groups.
Procedure
• Run the display bridge traffic [ bridge bridge-id | interface interface-type
interface-number ] command in any view to check whether the traffic statistics on a bridge
group have been cleared.
• Run the display bridge [ bridge-id ] information command in any view to check
information about a bridge group.
• Run the display interface bridge-if [ bridge-id ] command in any view to check
information about the Bridge-if interface of a specified bridge group, including the
protocol status, interface description, and IP address.
• Run the display mac-address [ mac-address | blackhole | static | dynamic ] [ bridge
bridge-id ] [ verbose ] command in any view to check the static, dynamic, or blackhole
MAC address entry of a specified bridge group.
• Run the display mac-address [ mac-address | interface-type interface-number ] bridge
bridge-id [ verbose ] command or display mac-address { static | dynamic }
[ interface-type interface-number ] bridge bridge-id verbose command in any view to check
the static or dynamic MAC address entry of a specified bridge group and interface.
----End
Context
Before collecting traffic statistics on a bridge group, clear the previous statistics.
Procedure
• Run the reset bridge bridge-id statistics command in the user view to clear the traffic
statistics of a bridge group.
----End
Context
To locate faults in a bridge group, you can clear the traffic statistics on the Bridge-if interface.
Procedure
• Run the reset counters interface bridge-if [ bridge-id ] command in the user view to
clear the traffic statistics on the Bridge-if interface of the bridge group.
----End
Networking Requirements
An enterprise has multiple departments located in the same office building but on different
floors. As business expands for the enterprise, data communication is required between
terminals within the same department, and between some departments. To keep information
secure, information in some departments needs to be isolated from that in the other
departments. Users that require communication with each other need to be added to the same
bridge group so that they can communicate with each other and are isolated from other
departments.
As shown in Figure 15-18, User 1 and User 2 belong to the same department, and both of
them are added to VLAN 11. User 4 and User 3 belong to different departments. User 1,
User 2, and User 3 need to communicate with each other. After bridge groups are created on
RouterA, departments in the same bridge group can communicate with each other and those in
different bridge groups are isolated from each other.
[Figure 15-18: RouterA with interfaces Eth2/0/1, Eth2/0/2, Eth3/0/0, and Eth4/0/0; VLAN 11]
Configuration Roadmap
The configuration roadmap is as follows:
1. Add User 1 and User 2 to VLAN 11 and then add them to bridge group 1 on VLANIF
11. Add User 3 to bridge group 1. This allows communication between User 1, User 2,
and User 3.
2. Add User 4 to bridge group 2 to isolate User 4 from User 1, User 2, and User 3.
Procedure
Step 1 Create bridge group 1.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] bridge 1
[RouterA-bridge1] quit
# After the preceding configuration is complete, User 1, User 2, and User 3 can ping each
other, but User 3 cannot ping User 4.
----End
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
vlan batch 11
#
bridge 1
bridge 2
#
interface Vlanif11
bridge 1
#
interface Ethernet2/0/1
port link-type access
port default vlan 11
#
interface Ethernet2/0/2
port link-type access
port default vlan 11
#
interface Ethernet4/0/0
bridge 1
#
interface Ethernet3/0/0
bridge 2
#
return
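The isolation this example relies on can be checked from a saved configuration. The following Python audit is an added example, not part of the Huawei guide: it parses text in the format of the configuration file above and reports ports that must stay isolated but share a bridge group, or that sit in two groups which both have routing ip and an addressed Bridge-if interface. The port-to-user mapping is inferred from the configuration file, the routed variant is constructed, and treating two routed groups as mutually reachable assumes the router forwards between its Bridge-if interfaces like any other Layer 3 interfaces.

```python
import re
from collections import defaultdict

MAX_MEMBERS = 20  # per-group interface limit stated in this guide

# "#"-separated sections of the RouterA configuration file from the example above.
SECTIONS = ["sysname RouterA", "vlan batch 11", "bridge 1\nbridge 2",
            "interface Vlanif11\nbridge 1",
            "interface Ethernet2/0/1\nport link-type access\nport default vlan 11",
            "interface Ethernet2/0/2\nport link-type access\nport default vlan 11",
            "interface Ethernet4/0/0\nbridge 1", "interface Ethernet3/0/0\nbridge 2"]

def render(sections):
    return "#\n" + "\n#\n".join(sections) + "\n#\nreturn\n"

ROUTER_A = render(SECTIONS)
# Constructed variant: "routing ip" on both groups plus addressed Bridge-if interfaces.
ROUTED = render(["bridge 1\nrouting ip\nbridge 2\nrouting ip" if s.startswith("bridge") else s
                 for s in SECTIONS]
                + ["interface Bridge-if1\nip address 10.1.1.3 255.255.255.0",
                   "interface Bridge-if2\nip address 10.1.2.3 255.255.255.0"])

def parse(cfg):
    """Collect bridge groups, routed groups, memberships, IPs and access VLANs."""
    groups, routed, members, ips, vlan = set(), set(), defaultdict(set), {}, {}
    ctx = (None, None)  # ("if", name) or ("bridge", id); "#" closes a section
    for line in map(str.strip, cfg.splitlines()):
        if line in ("", "#", "return"):
            ctx = (None, None)
        elif m := re.fullmatch(r"interface (\S+)", line):
            ctx = ("if", m[1])
        elif m := re.fullmatch(r"bridge (\d+)", line):
            if ctx[0] == "if":           # inside an interface: membership
                members[int(m[1])].add(ctx[1])
            else:                        # top level: group creation
                ctx = ("bridge", int(m[1]))
                groups.add(ctx[1])
        elif line == "routing ip" and ctx[0] == "bridge":
            routed.add(ctx[1])
        elif ctx[0] == "if" and (m := re.fullmatch(r"ip address (\S+) \S+", line)):
            ips[ctx[1]] = m[1]
        elif ctx[0] == "if" and (m := re.fullmatch(r"port default vlan (\d+)", line)):
            vlan[ctx[1]] = int(m[1])
    return groups, routed, members, ips, vlan

def audit(cfg, must_isolate):
    """Return sorted findings; must_isolate is a list of (port, port) pairs."""
    groups, routed, members, ips, vlan = parse(cfg)
    group_of = {}  # user-facing port -> bridge group, expanding VlanifN to its access ports
    for gid, ifs in members.items():
        for name in ifs:
            m = re.fullmatch(r"Vlanif(\d+)", name)
            for port in ([p for p, v in vlan.items() if v == int(m[1])] if m else [name]):
                group_of[port] = gid
    findings = []
    for a, b in must_isolate:
        ga, gb = group_of.get(a), group_of.get(b)
        if ga is None or gb is None:
            findings.append(f"{a} / {b}: not both reachable through a bridge group")
        elif ga == gb:
            findings.append(f"{a} and {b} share bridge group {ga}")
        elif {ga, gb} <= routed and all(f"Bridge-if{g}" in ips for g in (ga, gb)):
            findings.append(f"{a} and {b}: bridge groups {ga} and {gb} both route IP")
    for gid, ifs in members.items():
        if gid not in groups:
            findings.append(f"bridge {gid} has members but is never created")
        if len(ifs) > MAX_MEMBERS:
            findings.append(f"bridge {gid} has {len(ifs)} members, limit is {MAX_MEMBERS}")
        if gid in routed:
            findings += [f"{i} is in routed bridge {gid} but has its own IP" for i in ifs if i in ips]
    return sorted(findings)

# Assumed mapping: User 4 is on Ethernet3/0/0 and must stay isolated from Users 1-3.
POLICY = [("Ethernet3/0/0", p) for p in ("Ethernet2/0/1", "Ethernet2/0/2", "Ethernet4/0/0")]

if __name__ == "__main__":
    for label, cfg in (("page config", ROUTER_A), ("routed variant", ROUTED)):
        print(label, audit(cfg, POLICY) or "isolation holds")
```

The configuration from this example passes the policy, while the constructed variant is flagged for every pair because both bridge groups gain a Layer 3 path.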
Networking Requirements
Departments of Enterprise A need to communicate with each other and with local Enterprise
B.
Departments of Enterprise A belong to the LANs on the same network segment and can be
bridged, but Enterprise B belongs to a LAN on a different network segment. As a result, link-
layer bridging cannot be used to communicate between Enterprise A and Enterprise B.
In this scenario, local bridging integrated with IP routing offers a viable solution.
As shown in Figure 15-19, bridge groups are configured for local bridging, and interfaces are
added to different bridge groups. After Bridge-if interfaces are created and assigned IP
addresses, and the IP routing function is enabled, the two hosts of Enterprise A can
communicate with the hosts of Enterprise B.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a bridge group on RouterA.
2. Add Eth2/0/1 and Eth2/0/2 on Router A to the created bridge group to allow the two
hosts of Enterprise A to communicate with each other.
3. Create a Bridge-if interface and enable IP routing for the bridge group on RouterA to
allow Enterprise A to communicate with Enterprise B.
Procedure
Step 1 Configure the IP routing function.
# Create bridge group 1 and enable local bridging and IP routing for the bridge group.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] bridge 1
[RouterA-bridge1] routing ip
[RouterA-bridge1] quit
# After the preceding configurations are complete, User 1 and User 3 can ping each other.
----End
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
vlan batch 11
#
bridge 1
routing ip
#
interface Vlanif11
bridge 1
#
interface Ethernet2/0/1
port link-type access
port default vlan 11
#
interface Ethernet2/0/2
port link-type access
port default vlan 11
#
interface Ethernet3/0/0
ip address 10.1.3.1 255.255.255.0
#
interface Bridge-if1
ip address 10.1.1.3 255.255.255.0
#
return
Networking Requirements
An enterprise has multiple departments in different locations. As business expands for the
enterprise, data communication is required between terminals within the same department and
between other departments located in different geographical areas.
As shown in Figure 15-20, intermediate links are used to connect RouterA and RouterB,
which are located in different locations. Users 1 to 4 are on the same network segment. User 3
and User 4 are in a different location than User 1 and User 2. Configuring remote bridging
allows User 1 and User 2 to communicate with User 3 and User 4.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure bridge groups on RouterA and RouterB.
2. Add User 1 and User 2 to VLAN 11 on RouterA, and add User 3 and User 4 to VLAN
11 on RouterB so that users can communicate with each other.
3. Add VLANIF 11 and Serial3/0/0 to bridge group 1 on RouterA and add VLANIF 11 and
Serial3/0/0 to bridge group 1 on RouterB. Enable remote bridging.
Procedure
Step 1 Configure RouterA.
# Create bridge group 1.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] bridge 1
[RouterA-bridge1] quit
# Add Eth2/0/2 and Eth2/0/1 to VLAN 11 to allow the communication between User 1 and
User 2.
[RouterA] vlan 11
[RouterA-vlan11] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] port link-type access
[RouterA-Ethernet2/0/2] port default vlan 11
[RouterA-Ethernet2/0/2] quit
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type access
[RouterA-Ethernet2/0/1] port default vlan 11
[RouterA-Ethernet2/0/1] quit
[RouterA] interface vlanif 11
[RouterA-Vlanif11] bridge 1
[RouterA-Vlanif11] quit
# Add Eth2/0/2 and Eth2/0/1 to VLAN 11 to allow the communication between User 3 and
User 4.
[RouterB] vlan 11
[RouterB-vlan11] quit
[RouterB] interface ethernet 2/0/2
[RouterB-Ethernet2/0/2] port link-type access
[RouterB-Ethernet2/0/2] port default vlan 11
[RouterB-Ethernet2/0/2] quit
[RouterB] interface ethernet 2/0/1
[RouterB-Ethernet2/0/1] port link-type access
[RouterB-Ethernet2/0/1] port default vlan 11
[RouterB-Ethernet2/0/1] quit
----End
Configuration Files
• Configuration file of RouterA
#
sysname RouterA
#
vlan batch 11
#
bridge 1
#
interface Vlanif11
bridge 1
#
interface Ethernet2/0/1
port link-type access
port default vlan 11
#
interface Ethernet2/0/2
port link-type access
port default vlan 11
#
interface Serial3/0/0
bridge 1
link-protocol ppp
#
return
• Configuration file of RouterB
#
sysname RouterB
#
vlan batch 11
#
bridge 1
#
interface Vlanif11
bridge 1
#
interface Ethernet2/0/1
port link-type access
port default vlan 11
#
interface Ethernet2/0/2
port link-type access
port default vlan 11
#
interface Serial3/0/0
bridge 1
link-protocol ppp
#
return
Networking Requirements
Departments of Enterprise A need to communicate with each other and with Enterprise C (in a
different geographical location).
Departments of Enterprise A belong to the LANs on the same network segment and can be
bridged, but Enterprise C belongs to a different network segment. As a result, link-layer
bridging cannot be used to communicate between Enterprise A and Enterprise C.
In this scenario, local bridging integrated with IP routing offers a viable solution.
As shown in Figure 15-21, bridge groups are configured for local bridging, and interfaces are
added to different bridge groups. After Bridge-if interfaces are created and assigned IP
addresses, and the IP routing function is enabled, the two hosts of Enterprise A can
communicate with the hosts of Enterprise C.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure bridge groups on RouterA and RouterB.
2. Add Ethernet 2/0/1 and Ethernet 2/0/2 on Router A to a bridge group so that the two
hosts of Enterprise A can communicate with each other.
3. Add Ethernet3/0/0 to another bridge group on Router A, and add Ethernet 3/0/0 to the
bridge group on Router B.
4. Create Bridge-if interfaces and enable the IP routing function for the bridge groups on
Router A and Router B. This allows Enterprise A and Enterprise C to communicate with
each other.
Procedure
Step 1 Configure RouterA.
# Create bridge group 1 and bridge group 2, then enable the IP routing function for the
bridge groups.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] bridge 1
[RouterA-bridge1] routing ip
[RouterA-bridge1] quit
[RouterA] bridge 2
[RouterA-bridge2] routing ip
[RouterA-bridge2] quit
# Add Eth2/0/1 and Eth2/0/2 to VLAN 11 to allow the communication between User 1 and
User 2.
[RouterA] vlan 11
[RouterA-vlan11] quit
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type access
[RouterA-Ethernet2/0/1] port default vlan 11
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/2
# Create Bridge-if interface 1 for bridge group 1 and Bridge-if interface 2 for bridge group 2,
and then configure IP addresses for the two Bridge-if interfaces.
[RouterA] interface bridge-if 1
[RouterA-Bridge-if1] ip address 10.1.1.3 255.255.255.0
[RouterA-Bridge-if1] quit
[RouterA] interface bridge-if 2
[RouterA-Bridge-if2] ip address 10.1.2.3 255.255.255.0
[RouterA-Bridge-if2] quit
----End
Configuration Files
• Configuration file of RouterA
#
sysname RouterA
#
vlan batch 11
#
bridge 1
routing ip
bridge 2
routing ip
#
interface Vlanif11
bridge 1
#
interface Ethernet2/0/1
port link-type access
port default vlan 11
#
interface Ethernet2/0/2
port link-type access
port default vlan 11
#
interface Bridge-if1
ip address 10.1.1.3 255.255.255.0
#
interface Bridge-if2
ip address 10.1.2.3 255.255.255.0
#
interface Ethernet3/0/0
bridge 2
#
return
• Configuration file of RouterB
#
sysname RouterB
#
vlan batch 11
#
bridge 2
routing ip
#
interface Vlanif11
bridge 2
#
interface Ethernet2/0/0
port link-type access
port default vlan 11
#
interface Ethernet3/0/0
bridge 2
#
return
Networking Requirements
An enterprise has multiple departments in different locations. To allow the communication
between departments in different locations, remote bridging can be used. To allow users in the
same department (the same VLAN) to communicate with each other, while isolating users in
As shown in Figure 15-22, User 1, User 2, User 3, and User 4 are on the same network
segment. User 1 and User 3 belong to one VLAN; User 2 and User 4 belong to the other VLAN.
To allow users in the same VLAN to communicate with each other and isolate users in
different VLANs, remote bridging and VLAN ID transparent transmission can be enabled. In
this manner, User 1 can only communicate with User 3, and User 2 can only communicate
with User 4.
[Figure 15-22: RouterA and RouterB connected through a network; interface labels Eth2/0/0, Eth1/0/0, and Eth1/0/3 appear on each side]
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure Router A.
# Create bridge group 1.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] bridge 1
[RouterA-bridge1] undo shutdown
[RouterA-bridge1] quit
# Add Ethernet1/0/0 and Ethernet2/0/0 to bridge group 1, and enable VLAN ID transparent
transmission on the two interfaces.
[RouterA] interface ethernet 1/0/0
[RouterA-Ethernet1/0/0] bridge 1
[RouterA-Ethernet1/0/0] bridge vlan-transmit enable
[RouterA-Ethernet1/0/0] quit
[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] bridge 1
[RouterA-Ethernet2/0/0] bridge vlan-transmit enable
[RouterA-Ethernet2/0/0] quit
# Configure Ethernet 1/0/3 to allow the packets from VLAN 11 and VLAN 12 to pass
through.
[Switch1] interface ethernet 1/0/3
[Switch1-Ethernet1/0/3] port link-type trunk
[Switch1-Ethernet1/0/3] port trunk allow-pass vlan 11 to 12
[Switch1-Ethernet1/0/3] quit
# Add Ethernet1/0/0 and Ethernet2/0/0 to bridge group 2, and enable VLAN ID transparent
transmission on the two interfaces.
[RouterB] interface ethernet 1/0/0
[RouterB-Ethernet1/0/0] bridge 2
# Configure Ethernet1/0/3 to allow the packets from VLAN 11 and VLAN 12 to pass through.
[Switch2] interface ethernet 1/0/3
[Switch2-Ethernet1/0/3] port link-type trunk
[Switch2-Ethernet1/0/3] port trunk allow-pass vlan 11 to 12
[Switch2-Ethernet1/0/3] quit
----End
Configuration Files
• Configuration file of Router A
#
sysname RouterA
#
vlan batch 11 to 12
#
bridge 1
#
interface Ethernet1/0/0
bridge 1
bridge vlan-transmit enable
#
interface Ethernet2/0/0
bridge 1
bridge vlan-transmit enable
#
return
• Configuration file of Router B
#
vlan batch 11 to 12
#
bridge 2
#
interface Ethernet1/0/0
bridge 2
bridge vlan-transmit enable
#
interface Ethernet2/0/0
bridge 2
bridge vlan-transmit enable
#
return
• Configuration file of Switch 1
#
sysname Switch1
#
vlan batch 11 to 12
#
interface Ethernet1/0/1
port link-type access
port default vlan 11
#
interface Ethernet1/0/2
port link-type access
port default vlan 12
#
interface Ethernet1/0/3
port link-type trunk
port trunk allow-pass vlan 11 to 12
#
return
• Configuration file of Switch 2
#
sysname Switch2
#
vlan batch 11 to 12
#
#
interface Ethernet1/0/1
port link-type access
port default vlan 11
#
interface Ethernet1/0/2
port link-type access
port default vlan 12
#
interface Ethernet1/0/3
port link-type trunk
port trunk allow-pass vlan 11 to 12
#
return