Huawei AR Series Access Routers CLI Base

Huawei AR Series Access Routers
V200R009
CLI-based Configuration Guide -

Ethernet Switching Configuration
Issue 06
Date 2019-04-30
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2019. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://e.huawei.com
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. i

CLI-based Configuration Guide - Ethernet Switching
Configuration About This Document
About This Document
Intended Audience
This document provides the basic concepts, configuration procedures, and configuration
examples of the LAN services supported by the device.
This document is intended for:
l Data configuration engineers
l Commissioning engineers
l Network monitoring engineers
l System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Indicates an imminently hazardous situation

which, if not avoided, will result in death or
serious injury.
Indicates a potentially hazardous situation

which, if not avoided, could result in death
or serious injury.

which, if not avoided, may result in minor
or moderate injury.

which, if not avoided, could result in
equipment damage, data loss, performance
deterioration, or unanticipated results.
NOTICE is used to address practices not
related to personal injury.
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. ii

Symbol Description
NOTE Calls attention to important information,

best practices and tips.
NOTE is used to address information not
related to personal injury, equipment
damage, and environment deterioration.
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Boldface The keywords of a command line are in boldface.
Italic Command arguments are in italics.
[] Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... } Optional items are grouped in braces and separated by

vertical bars. One item is selected.
[ x | y | ... ] Optional items are grouped in brackets and separated by

vertical bars. One item is selected or no item is selected.
{ x | y | ... }* Optional items are grouped in braces and separated by

vertical bars. A minimum of one item or a maximum of all
items can be selected.
[ x | y | ... ]* Optional items are grouped in brackets and separated by

vertical bars. Several items or no item can be selected.
&<1-n> The parameter before the & sign can be repeated 1 to n

times.
# A line starting with the # sign is comments.
Interface Numbering Conventions

Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.
Security Conventions
l Password setting
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. iii

– When configuring a password, the cipher text is recommended. To ensure device

security, change the password periodically.
– When you configure a password in plain text that starts and ends with %@%@, @
%@%, %#%#, or %^%# (the password can be decrypted by the device), the
password is displayed in the same manner as the configured one in the
configuration file. Do not use this setting.
– When you configure a password in cipher text, different features cannot use the
same cipher-text password. For example, the cipher-text password set for the AAA
feature cannot be used for other features.
l Encryption algorithm
Currently, the device uses the following encryption algorithms: 3DES, AES, RSA,
SHA1, SHA2, and MD5. 3DES, RSA and AES are reversible, while SHA1, SHA2, and
MD5 are irreversible. The encryption algorithms DES/3DES/RSA (RSA-1024 or
lower)/MD5 (in digital signature scenarios and password encryption)/SHA1 (in digital
signature scenarios) have a low security, which may bring security risks. If protocols
allowed, using more secure encryption algorithms, such as AES/RSA (RSA-2048 or
higher)/SHA2/HMAC-SHA2, is recommended. The encryption algorithm depends on
actual networking. The irreversible encryption algorithm must be used for the
administrator password, SHA2 is recommended.
l Personal data
Some personal data may be obtained or used during operation or fault location of your
purchased products, services, features, so you have an obligation to make privacy
policies and take measures according to the applicable law of the country to protect
personal data.
l The terms mirrored port, port mirroring, traffic mirroring, and mirroring in this manual
are mentioned only to describe the product's function of communication error or failure
detection, and do not involve collection or processing of any personal information or
communication data of users.
Declaration
l This manual is only a reference for you to configure your devices. The contents in the
manual, such as web pages, command line syntax, and command outputs, are based on
the device conditions in the lab. The manual provides instructions for general scenarios,
but do not cover all usage scenarios of all product models. The contents in the manual
may be different from your actual device situations due to the differences in software
versions, models, and configuration files. The manual will not list every possible
difference. You should configure your devices according to actual situations.
l The specifications provided in this manual are tested in lab environment (for example,
the tested device has been installed with a certain type of boards or only one protocol is
run on the device). Results may differ from the listed specifications when you attempt to
obtain the maximum values with multiple functions enabled on the device.
l In this document, public IP addresses may be used in feature introduction and
configuration examples and are for reference only unless otherwise specified.
l In this document, AR series access routers include AR100-S&AR110-S&AR120-
S&AR150-S&AR160-S&AR200-S&AR1200-S&AR2200-S&AR3200-S Series.
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. iv

Mappings Between Product Software Versions and NMS

Versions
The mappings between product software versions and NMS versions are as follows.
AR Product eSight iManager U2000

Software Version
V200R009C00 V300R008C00 V200R017C60
Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Changes in Issue 06 (2019-04-30)

This version has the following updates:
The following information is deleted:
l References for MAC Address Tables
l References for Link Aggregation

The following information is modified:
l 1.11.1 Example for Configuring the MAC Address Table

l 12 MSTP Configuration

The following information is added:
l 1.6 Licensing Requirements and Limitations for MAC Address Tables
l 2.5 Licensing Requirements and Limitations for Link Aggregation
l 3.6 Licensing Requirements and Limitations for VLANs
l 4.5 Licensing Requirements and Limitations for VLAN Aggregation
l 5.2 Licensing Requirements and Limitations for MUX VLANs
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. v

l 6.5 Licensing Requirements and Limitations for VLAN Termination

l 7.5 Licensing Requirements and Limitations for Voice VLANs
l 8.5 Licensing Requirements and Limitations for QinQ
l 9.5 Licensing Requirements and Limitations for VLAN Mapping
l 10.5 Licensing Requirements and Limitations for GVRP
l 11.6 Licensing Requirements and Limitations for STP
l 12.6 Licensing Requirements and Limitations for MSTP
l 13.5 Licensing Requirements and Limitations for SEP
l 14.4 Licensing Requirements and Limitations for Layer 2 Protocol Transparent
Transmission
l 15.6 Licensing Requirements and Limitations for Transparent Bridging

l 8.6.1 Configuring Basic QinQ

Initial commercial release.
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. vi

Configuration Contents
Contents
About This Document.....................................................................................................................ii

1 MAC Address Table Configuration...........................................................................................1
1.1 Overview of MAC Addresses.........................................................................................................................................1
1.2 Understanding MAC Address Table...............................................................................................................................2
1.2.1 Definition and Classification of MAC Address Entries.............................................................................................. 2
1.2.2 Elements and Functions of a MAC Address Table......................................................................................................4
1.2.3 MAC Address Entry Learning and Aging................................................................................................................... 5
1.2.4 MAC Address Learning Control................................................................................................................................. 6
1.2.5 MAC Address Flapping...............................................................................................................................................7
1.3 Application Scenarios for MAC Address Tables............................................................................................................9
1.4 Summary of MAC Address Table Configuration Tasks.................................................................................................9
1.5 Default Settings for MAC Address Tables................................................................................................................... 11
1.6 Licensing Requirements and Limitations for MAC Address Tables............................................................................ 11
1.7 Manually Configuring a MAC Address Table..............................................................................................................12
1.7.1 Configuring a Static MAC Address Entry.................................................................................................................12
1.7.2 Configuring a Blackhole MAC Address Entry..........................................................................................................13
1.7.3 Setting the Aging Time of Dynamic MAC Address Entries..................................................................................... 13
1.7.4 Disabling MAC Address Learning............................................................................................................................ 14
1.7.5 Configuring the MAC Address Limiting Function................................................................................................... 15
1.8 Configuring MAC Address Flapping Detection...........................................................................................................17
1.9 Configuring the Router to Discard Packets with an All-0 MAC Address....................................................................18
1.10 Maintaining the MAC Address Table.........................................................................................................................19
1.10.1 Displaying MAC Address Entries........................................................................................................................... 19
1.10.2 Deleting MAC Address Entries............................................................................................................................... 20
1.11 Configuration Examples for MAC Address Tables.................................................................................................... 20
1.11.1 Example for Configuring the MAC Address Table................................................................................................. 20
1.11.2 Example for Configuring Blackhole MAC Address Entries................................................................................... 22
1.11.3 Example for Configuring MAC Address Limiting Rules on Interfaces..................................................................23
1.11.4 Example for Configuring a MAC Address Learning Rule in a VLAN................................................................... 25
1.12 Troubleshooting MAC Address Tables...................................................................................................................... 26
1.12.1 Correct MAC Address Entry Cannot Be Learned on the Device............................................................................26
1.13 FAQ About MAC Address Tables.............................................................................................................................. 29
1.13.1 What Are the Differences Between Static MAC Addresses and Sticky MAC Addresses?.................................... 29
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. vii

1.13.2 Why Are Source MAC Addresses Not Learned?.................................................................................................... 29

1.13.3 Can Multicast Packet Source MAC Addresses Be Learned?.................................................................................. 30
1.13.4 Why Do MAC Address Entries Need to Be Synchronized Between Boards and What Are the Functions of Real-
Time Synchronization and Periodic Synchronization?.......................................................................................................30
1.13.5 Which MAC Addresses Do Not Age?.....................................................................................................................30
2 Link Aggregation Configuration..............................................................................................31

2.1 Overview of Link Aggregation.....................................................................................................................................32
2.2 Understanding Link Aggregation................................................................................................................................. 32
2.2.1 Concepts.................................................................................................................................................................... 32
2.2.2 Link Aggregation in Manual Mode........................................................................................................................... 35
2.2.3 Link Aggregation in LACP Mode............................................................................................................................. 35
2.2.4 Load Balancing Modes of Link Aggregation............................................................................................................ 41
2.3 Application Scenarios for Link Aggregation................................................................................................................43
2.3.1 Application of Eth-Trunk...........................................................................................................................................43
2.4 Summary of Link Aggregation Configuration Tasks................................................................................................... 43
2.5 Licensing Requirements and Limitations for Link Aggregation..................................................................................44
2.6 Default Settings for Link Aggregation......................................................................................................................... 45
2.7 Configuring Link Aggregation in Manual Load Balancing Mode............................................................................... 45
2.7.1 Creating an Eth-Trunk............................................................................................................................................... 46
2.7.2 Setting the Manual Load Balancing Mode................................................................................................................ 47
2.7.3 Adding Member Interfaces to an Eth-Trunk..............................................................................................................47
2.7.4 (Optional) Setting the Lower Threshold for the Number of Active Interfaces......................................................... 49
2.7.5 (Optional) Configuring a Load Balancing Mode...................................................................................................... 49
2.7.6 Verifying the Link Aggregation Configuration......................................................................................................... 50
2.8 Configuring Link Aggregation in LACP Mode........................................................................................................... 51
2.8.1 Creating an Eth-Trunk............................................................................................................................................... 51
2.8.2 Setting the LACP Mode............................................................................................................................................ 52
2.8.3 Adding Member Interfaces to an Eth-Trunk..............................................................................................................53
2.8.4 (Optional) Setting the Upper and Lower Thresholds for the Number of Active Interfaces...................................... 54
2.8.5 (Optional) Configuring a Load Balancing Mode...................................................................................................... 55
2.8.6 (Optional) Setting the LACP System Priority........................................................................................................... 56
2.8.7 (Optional) Setting the LACP Interface Priority.........................................................................................................57
2.8.8 (Optional) Configuring LACP Preemption............................................................................................................... 57
2.8.9 (Optional) Setting the Timeout Interval for Receiving LACPDUs........................................................................... 58
2.8.10 Verifying the Link Aggregation Configuration....................................................................................................... 59
2.9 Creating an Eth-Trunk Sub-interface............................................................................................................................59
2.10 Maintaining Link Aggregation................................................................................................................................... 60
2.10.1 Monitoring the LAG Operating............................................................................................................................... 60
2.10.2 Clearing LACP Packet Statistics............................................................................................................................. 60
2.10.3 Using Ping to Monitor the Reachability of Layer 3 Eth-Trunk Member Interfaces................................................61
2.11 Configuration Examples for Link Aggregation.......................................................................................................... 62
2.11.1 Example for Configuring Link Aggregation in Manual Load Balancing Mode..................................................... 62
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. viii

2.11.2 Example for Configuring Link Aggregation in LACP Mode..................................................................................65

2.11.3 Example for Configuring Layer 3 Link Aggregation.............................................................................................. 68
2.12 Troubleshooting Link Aggregation............................................................................................................................ 70
2.12.1 Traffic Is Unevenly Load Balanced Among Eth-Trunk Member Interfaces Because the Load Balancing Mode Is
Incorrect..............................................................................................................................................................................70
2.13 FAQ About Link Aggregation.................................................................................................................................... 70
2.13.1 What Link Aggregation Modes Are Supported by the Device?..............................................................................71
2.13.2 Can an Eth-Trunk Be Configured with an IP Address?...........................................................................................71
2.13.3 How Do I Add Member Interfaces to an Eth-Trunk?..............................................................................................71
2.13.4 How Do I Delete Member Interfaces from an Eth-Trunk?......................................................................................71
2.13.5 What Is the Function of the LACP Preemption Delay?.......................................................................................... 72
3 VLAN Configuration.................................................................................................................. 73
3.1 Overview of VLANs.................................................................................................................................................... 73
3.2 Understanding VLANs................................................................................................................................................. 75
3.2.1 Intra-VLAN Communication.................................................................................................................................... 75
3.2.2 Inter-VLAN Communication.....................................................................................................................................77
3.2.3 Basic Concepts of VLAN.......................................................................................................................................... 82
3.2.3.1 VLAN Tags.............................................................................................................................................................82
3.2.3.2 Link and Interface Types........................................................................................................................................ 84
3.2.3.3 Default VLAN........................................................................................................................................................ 85
3.2.3.4 Adding and Removing VLAN Tags....................................................................................................................... 85
3.2.4 Intra-VLAN Layer 2 Isolation................................................................................................................................... 90
3.2.5 Inter-VLAN Layer 3 Isolation................................................................................................................................... 91
3.2.6 Management VLAN.................................................................................................................................................. 91
3.3 Application Scenarios for VLANs............................................................................................................................... 91
3.3.1 Using VLAN Assignment to Implement Layer 2 Isolation.......................................................................................92
3.3.2 Using VLANIF Interfaces to Implement Inter-VLAN Layer 3 Connectivity........................................................... 92
3.3.3 Using a Traffic Policy to Implement Inter-VLAN Access Control........................................................................... 94
3.4 Summary of VLAN Configuration Tasks.....................................................................................................................95
3.5 Default Settings for VLANs......................................................................................................................................... 96
3.6 Licensing Requirements and Limitations for VLANs..................................................................................................97
3.7 Configuring VLAN.......................................................................................................................................................97
3.7.1 Configuring VLAN Assignment............................................................................................................................... 97
3.7.2 Configuring Inter-VLAN Communication.............................................................................................................. 101
3.7.3 Configuring a Traffic Policy to Implement Intra-VLAN Layer 2 Isolation............................................................ 103
3.7.4 Configuring a Traffic Policy to Implement Inter-VLAN Layer 3 Isolation............................................................ 104
3.7.5 Configuring an mVLAN..........................................................................................................................................105
3.8 Configuration Examples for VLANs..........................................................................................................................106
3.8.1 Example for Configuring VLAN Assignment.........................................................................................................106
3.8.2 Example for Configuring VLANIF Interfaces to Implement Inter-VLAN Communication.................................. 108
3.8.3 Example for Configuring VLANIF Interfaces to Implement Intra-VLAN Communication.................................. 110
3.8.4 Example for Configuring VLANIF Interfaces to Implement Communication of Hosts on Different Network
Segments in the Same VLAN...........................................................................................................................................114
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. ix

3.8.5 Example for Configuring a Traffic Policy to Implement Inter-VLAN Layer 3 Isolation....................................... 117
3.8.6 Example for Configuring an mVLAN to Implement Remote Management........................................................... 123
3.9 Troubleshooting VLANs............................................................................................................................................ 126
3.9.1 A VLANIF Interface Fails to Be Created................................................................................................................126
3.9.2 A VLANIF Interface Goes Down........................................................................................................................... 127
3.9.3 Users in a VLAN Cannot Communicate................................................................................................................. 128
3.9.4 Directly Connected Devices Cannot Communicate................................................................................................ 130
3.10 FAQ About VLANs..................................................................................................................................................131
3.10.1 How to Create and Delete VLANs in a Batch.......................................................................................................131
3.10.2 How to Add Interfaces to a VLAN in a Batch.......................................................................................................131
3.10.3 How to Restore the Default VLAN Configuration of an Interface....................................................................... 132
3.10.4 How to Change the Link Type of an Interface...................................................................................................... 133
3.10.5 How to Verify That an Interface Is Added to a VLAN..........................................................................................133
3.10.6 How to Rapidly Query the Link Types, Default VLANs, and Allowed VLANs of All Interfaces.......................134
3.10.7 Can Multiple Network Segments Be Configured in a VLAN...............................................................................134
4 VLAN Aggregation Configuration........................................................................................ 136

4.1 Overview of VLAN Aggregation............................................................................................................................... 136
4.2 Understanding VLAN Aggregation............................................................................................................................137
4.3 Application Scenarios for VLAN Aggregation.......................................................................................................... 142
4.4 Default Settings for VLAN Aggregation....................................................................................................................143
4.5 Licensing Requirements and Limitations for VLAN Aggregation............................................................................ 144
4.6 Configuring VLAN Aggregation................................................................................................................................144
4.6.1 Creating a Sub-VLAN............................................................................................................................................. 144
4.6.2 Creating a Super-VLAN.......................................................................................................................................... 145
4.6.3 Configuring a VLANIF Interface Corresponding to a Super-VLAN......................................................................146
4.6.4 (Optional) Enabling Proxy ARP on the VLANIF Interface Corresponding to a Super-VLAN..............................146
4.6.5 Verifying the VLAN Aggregation Configuration....................................................................................................147
4.7 Configuration Examples for VLAN Aggregation...................................................................................................... 147
4.7.1 Example for Configuring VLAN Aggregation........................................................................................................147
4.8 FAQ About VLAN Aggregation................................................................................................................................ 151
4.8.1 Can a Traffic Policy Be Configured in a Super-VLAN or Sub-VLAN to Make the Traffic Policy Take Effect.... 151
5 MUX VLAN Configuration..................................................................................................... 152

5.1 Overview of MUX VLANs........................................................................................................................................ 152
5.2 Licensing Requirements and Limitations for MUX VLANs..................................................................................... 154
5.3 Default Settings for MUX VLANs.............................................................................................................................154
5.4 Configuring MUX VLANs.........................................................................................................................................155
5.4.1 Configuring a Principal VLAN for MUX VLAN................................................................................................... 155
5.4.2 Configuring a Group VLAN for a Subordinate VLAN...........................................................................................155
5.4.3 Configuring a Separate VLAN for a Subordinate VLAN....................................................................................... 156
5.4.4 Enabling the MUX VLAN Function on an Interface.............................................................................................. 157
5.4.5 Verifying the MUX VLAN Configuration.............................................................................................................. 157
5.5 Configuration Examples for MUX VLANs............................................................................................................... 157
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. x

5.5.1 Example for Configuring the MUX VLAN Function............................................................................................. 158

5.5.2 Example for Configuring Inter-Device MUX VLAN............................................................................................. 160
6 VLAN Termination Configuration........................................................................................ 165

6.1 Overview of VLAN Termination................................................................................................................................166
6.2 Application Scenarios for VLAN Termination...........................................................................................................167
6.2.1 Using a Dot1q Termination Sub-interface to Implement Inter-VLAN Communication.........................................167
6.2.2 Using a Dot1q Termination Sub-interface to Connect to a VPN.............................................................................168
6.2.3 Using a QinQ Termination Sub-interface to Connect to a VPN..............................................................................170
6.3 Summary of VLAN Termination Configuration Tasks.............................................................................................. 172
6.4 Default Settings for VLAN Termination.................................................................................................................... 173
6.5 Licensing Requirements and Limitations for VLAN Termination.............................................................................173
6.6 Configuring a Dot1q Termination Sub-interface to Implement Inter-VLAN Communication..................................174
6.7 Configuring a Dot1q Termination Sub-interface and Connecting It to an L2VPN....................................................175
6.7.1 Configuring a Dot1q Termination Sub-interface.....................................................................................................175
6.7.2 Configuring L2VPN................................................................................................................................................ 176
6.7.3 Verifying the Configuration of a Dot1q Termination Sub-interface and Its Connection to an L2VPN.................. 176
6.8 Configuring a Dot1q Termination Sub-interface and Connecting It to an L3VPN....................................................176
6.8.1 Configuring a Dot1q Termination Sub-interface.....................................................................................................177
6.8.3 Verifying the Configuration of a Dot1q Termination Sub-interface and Its Connection to an L3VPN.................. 177
6.9 Configuring a QinQ Termination Sub-interface and Connecting It to an L2VPN..................................................... 178
6.9.1 Configuring a QinQ Sub-interface.......................................................................................................................... 178
6.9.3 Verifying the Configuration of a QinQ Termination Sub-interface and Its Connection to an L2VPN................... 179
6.10 Configuring a QinQ Termination Sub-interface and Connecting It to an L3VPN................................................... 179
6.10.1 Configuring a QinQ Sub-interface........................................................................................................................ 179
6.10.2 Configuring L3VPN.............................................................................................................................................. 180
6.10.3 Verifying the Configuration of a QinQ Termination Sub-interface and Its Connection to an L3VPN................. 180
6.11 Configuration Examples for VLAN Termination..................................................................................................... 180
6.11.1 Example for Configuring Dot1q Termination Sub-interfaces to Implement Inter-VLAN Communication......... 180
6.11.2 Example for Configuring Dot1q Termination Sub-interfaces to Implement Inter-VLAN Communication Across
Different Networks........................................................................................................................................................... 183
6.11.3 Example for Connecting a Dot1q Sub-interface to a VLL Network..................................................................... 186
6.11.4 Example for Connecting QinQ Termination Sub-interfaces to a VLL Network................................................... 192
6.11.5 Example for Connecting a Dot1q VLAN Tag Termination Sub-interface to an L3VPN......................................198
6.11.6 Example for Connecting a QinQ VLAN Tag Termination Sub-interface to an L3VPN....................................... 210
7 Voice VLAN Configuration.....................................................................................................223

7.1 Overview of Voice VLANs........................................................................................................................................ 223
7.2 Understanding Voice VLANs..................................................................................................................................... 224
7.3 Application Scenarios for Voice VLANs................................................................................................................... 226
7.4 Default Settings for Voice VLANs............................................................................................................................. 227
7.5 Licensing Requirements and Limitations for Voice VLANs......................................................................................228
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. xi

7.6 Configuring an Automatic Voice VLAN....................................................................................................................228

7.6.1 Configuring an OUI for a Voice VLAN.................................................................................................................. 228
7.6.2 Enabling the Voice VLAN Function........................................................................................................................229
7.6.3 Configuring the Auto Mode of Adding a Port to the Voice VLAN.........................................................................229
7.6.4 (Optional) Configuring the Secure or Normal Mode of a Voice VLAN................................................................. 230
7.6.5 (Optional) Configuring an 802.1p Priority and a DSCP Value for the Voice VLAN..............................................230
7.6.6 (Optional) Configuring a Port to Communicate with a Voice Device of Another Vendor......................................231
7.6.7 Verifying the Voice VLAN Configuration...............................................................................................................232
7.7 Configuring a Manual Voice VLAN...........................................................................................................................232
7.7.1 Configuring an OUI for a Voice VLAN.................................................................................................................. 232
7.7.2 Enabling the Voice VLAN Function........................................................................................................................233
7.7.3 Configuring the Mode in Which Ports Are Added to a Voice VLAN.....................................................................233
7.7.4 (Optional) Configuring the Secure or Normal Mode of a Voice VLAN................................................................. 234
7.7.5 (Optional) Configuring an 802.1p Priority and a DSCP Value for the Voice VLAN..............................................235
7.7.6 (Optional) Configuring a Port to Communicate with a Voice Device of Another Vendor......................................235
7.7.7 Verifying the Voice VLAN Configuration...............................................................................................................236
7.8 Configuration Examples for Voice VLANs................................................................................................................236
7.8.1 Example for Configuring a Voice VLAN in Auto Mode........................................................................................ 236
7.8.2 Example for Configuring a Voice VLAN in Manual Mode.................................................................................... 238
7.9 FAQ About Voice VLANs..........................................................................................................................................241
7.9.1 How Can I Change the Voice Vlan Priority on the AR?......................................................................................... 241
8 QinQ Configuration..................................................................................................................242
8.1 Overview of QinQ...................................................................................................................................................... 242
8.2 Understanding QinQ...................................................................................................................................................243
8.2.1 QinQ Fundamentals................................................................................................................................................. 243
8.2.2 Basic QinQ.............................................................................................................................................................. 245
8.2.3 Selective QinQ.........................................................................................................................................................246
8.2.4 TPID........................................................................................................................................................................ 247
8.3 Application Scenarios for QinQ................................................................................................................................. 248
8.4 Summary of QinQ Configuration Tasks..................................................................................................................... 250
8.5 Licensing Requirements and Limitations for QinQ................................................................................................... 251
8.6 Configuring QinQ Tunneling......................................................................................................................................251
8.6.1 Configuring Basic QinQ.......................................................................................................................................... 252
8.6.2 Configuring Selective QinQ.................................................................................................................................... 253
8.7 Configuring a VLAN Tag Termination Sub-interface to Connect to an L2VPN....................................................... 256
8.7.1 Configuring a Dot1q VLAN Tag Termination Sub-interface..................................................................................256
8.7.2 Configuring a QinQ VLAN Tag Termination Sub-interface................................................................................... 257
8.7.3 Configuring the L2VPN.......................................................................................................................................... 258
8.7.4 Verifying the Configuration of the Access of a Sub-interface to an L2VPN Network........................................... 258
8.8 Configuring a VLAN Tag Termination Sub-interface to Connect to an L3VPN....................................................... 258
8.8.1 Configuring a Dot1q VLAN Tag Termination Sub-interface..................................................................................259
8.8.2 Configuring a QinQ VLAN Tag Termination Sub-interface................................................................................... 259
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. xii


8.8.4 Verifying the Configuration of Connecting a Sub-interface to an L3VPN............................................................. 260
8.9 Configuring the TPID Value in an Outer VLAN Tag.................................................................................................261
8.10 Configuration Examples for QinQ........................................................................................................................... 261
8.10.1 Example for Configuring Basic QinQ................................................................................................................... 261
8.10.2 Example for Configuring Selective QinQ............................................................................................................. 264
8.10.3 Example for Connecting a Dot1q Sub-interface to a VLL Network..................................................................... 268
8.10.4 Example for Connecting a QinQ Sub-interface to a VLL Network...................................................................... 274
8.10.5 Example for Connecting a Dot1q VLAN Tag Termination Sub-interface to an L3VPN......................................280
9 VLAN Mapping Configuration.............................................................................................. 293

9.1 Overview of VLAN Mapping.....................................................................................................................................293
9.2 Understanding VLAN Mapping................................................................................................................................. 294
9.3 Application Scenarios for VLAN Mapping................................................................................................................295
9.4 Summary of VLAN Mapping Configuration Tasks................................................................................................... 297
9.5 Licensing Requirements and Limitations for VLAN Mapping..................................................................................298
9.6 Configuring VLAN Mapping..................................................................................................................................... 298
9.6.1 Configuring VLAN ID-based VLAN Mapping...................................................................................................... 298
9.6.2 Configuring 802.1p Priority-based VLAN Mapping.............................................................................................. 300
9.7 Configuration Examples for VLAN Mapping............................................................................................................301
9.7.1 Example for Configuring VLAN ID-based VLAN Mapping................................................................................. 301
9.7.2 Example for Configuring 802.1p Priority-based VLAN Mapping..........................................................................305
10 GVRP Configuration.............................................................................................................. 310

10.1 Overview of GVRP.................................................................................................................................................. 310
10.2 Understanding GVRP............................................................................................................................................... 311
10.2.1 Basic Concepts.......................................................................................................................................................311
10.2.2 Packet Structure..................................................................................................................................................... 315
10.2.3 Working Procedure................................................................................................................................................ 316
10.3 Application Scenarios for GVRP............................................................................................................................. 319
10.4 Default Settings for GVRP....................................................................................................................................... 320
10.5 Licensing Requirements and Limitations for GVRP................................................................................................320
10.6 Configuring GVRP................................................................................................................................................... 321
10.6.1 Enabling GVRP..................................................................................................................................................... 321
10.6.2 (Optional) Setting the Registration Mode for a GVRP Interface.......................................................................... 321
10.6.3 (Optional) Setting the GARP Timers.....................................................................................................................322
10.6.4 Verifying the GVRP Configuration....................................................................................................................... 323
10.7 Clearing GVRP Statistics......................................................................................................................................... 324
10.8 Configuration Examples for GVRP..........................................................................................................................324
10.8.1 Example for Configuring GVRP........................................................................................................................... 324
11 STP/RSTP Configuration....................................................................................................... 328

11.1 Overview of STP/RSTP............................................................................................................................................329
11.2 Understanding STP/RSTP........................................................................................................................................ 330
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. xiii

11.2.1 Background............................................................................................................................................................330
11.2.2 Basic Concepts.......................................................................................................................................................331
11.2.3 BPDU Format........................................................................................................................................................ 338
11.2.4 STP Topology Calculation.....................................................................................................................................340
11.2.5 Improvements in RSTP..........................................................................................................................................347
11.2.6 RSTP Technology Details......................................................................................................................................353
11.3 Application Scenarios for STP/RSTP.......................................................................................................................355
11.4 Summary of STP/RSTP Configuration Tasks.......................................................................................................... 356
11.5 Default Settings for STP/RSTP................................................................................................................................ 357
11.6 Licensing Requirements and Limitations for STP....................................................................................................357
11.7 Configuring Basic STP/RSTP Functions..................................................................................................................358
11.7.1 Configuring the STP/RSTP Mode......................................................................................................................... 358
11.7.2 (Optional) Configuring the Root Bridge and Secondary Root Bridge.................................................................. 358
11.7.3 (Optional) Setting a Priority for a Switching Device............................................................................................ 359
11.7.4 (Optional) Setting a Path Cost for a Port............................................................................................................... 360
11.7.5 (Optional) Setting a Priority for a Port.................................................................................................................. 361
11.7.6 Enabling STP/RSTP.............................................................................................................................................. 361
11.7.7 Verifying the STP/RSTP Configuration................................................................................................................ 362
11.8 Setting STP Parameters that Affect STP Convergence............................................................................................ 362
11.8.1 Setting the STP Network Diameter....................................................................................................................... 363
11.8.2 Setting the STP Timeout Interval.......................................................................................................................... 363
11.8.3 Setting the STP Timers.......................................................................................................................................... 364
11.8.4 Setting the Maximum Number of Connections in an Eth-Trunk that Affects Spanning Tree Calculation........... 365
11.9 Setting RSTP Parameters that Affect RSTP Convergence....................................................................................... 367
11.9.1 Setting the RSTP Network Diameter.....................................................................................................................367
11.9.2 Setting the RSTP Timeout Interval........................................................................................................................367
11.9.3 Setting RSTP Timers............................................................................................................................................. 368
11.9.5 Setting the Link Type for a Port.............................................................................................................................370
11.9.6 Setting the Maximum Transmission Rate of an Interface..................................................................................... 371
11.9.7 Switching to the RSTP Mode................................................................................................................................ 371
11.9.8 Configuring Edge Ports and BPDU Filter Ports.................................................................................................... 372
11.10 Configuring RSTP Protection Functions................................................................................................................ 373
11.10.1 Configuring BPDU Protection on a Switching Device....................................................................................... 373
11.10.2 Configuring TC Protection on a Switching Device............................................................................................. 374
11.10.3 Configuring Root Protection on a Port................................................................................................................ 374
11.10.4 Configuring Loop Protection on a Port................................................................................................................375
11.10.5 Verifying the STP/RSTP Configuration.............................................................................................................. 375
11.11 Setting Parameters for Interoperation Between Huawei and Non-Huawei Devices.............................................. 376
11.12 Maintaining STP/RSTP.......................................................................................................................................... 377
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. xiv

11.12.1 Clearing STP/RSTP Statistics..............................................................................................................................377

11.12.2 Monitoring STP/RSTP Topology Change Statistics............................................................................................377
11.13 Configuration Examples for STP/RSTP................................................................................................................. 377
11.13.1 Example for Configuring Basic STP Functions.................................................................................................. 378
11.13.2 Example for Configuring Basic RSTP Functions................................................................................................382
11.14 FAQ About STP/RSTP........................................................................................................................................... 386
11.14.1 Is STP Required on the AR Router Used as the Access Device?........................................................................386
11.14.2 Which STP Protocols Do AR Series Routers Support?.......................................................................................386
11.14.3 How Does STP Process MAC and ARP Entries After the Network Topology Changes?.................................. 387
12 MSTP Configuration...............................................................................................................388
12.1 Overview of MSTP...................................................................................................................................................389
12.2 Understanding MSTP............................................................................................................................................... 390
12.2.1 MSTP Background................................................................................................................................................ 390
12.2.2 Basic MSTP Concepts........................................................................................................................................... 392
12.2.3 MST BPDUs..........................................................................................................................................................399
12.2.4 MSTP Topology Calculation................................................................................................................................. 403
12.2.5 MSTP Fast Convergence....................................................................................................................................... 405
12.3 Application Scenarios for MSTP..............................................................................................................................406
12.4 Summary of MSTP Configuration Tasks................................................................................................................. 407
12.5 Default Settings for MSTP....................................................................................................................................... 408
12.6 Licensing Requirements and Limitations for MSTP................................................................................................ 408
12.7 Configuring Basic MSTP Functions.........................................................................................................................408
12.7.1 Configuring the MSTP Mode................................................................................................................................ 409
12.7.2 Configuring and Activating an MST Region........................................................................................................ 409
12.7.3 (Optional) Configuring the Root Bridge and Secondary Root Bridge.................................................................. 411
12.7.4 (Optional) Configuring a Priority for a Switching Device in an MSTI.................................................................412
12.7.5 (Optional) Configuring a Path Cost of a Port in an MSTI.....................................................................................413
12.7.6 (Optional) Configuring a Port Priority in an MSTI............................................................................................... 414
12.7.7 Enabling MSTP..................................................................................................................................................... 414
12.7.8 Verifying the Basic MSTP Configuration............................................................................................................. 415
12.8 Configuring MSTP Parameters on an Interface....................................................................................................... 416
12.8.1 Setting the MSTP Network Diameter....................................................................................................................416
12.8.2 Setting the MSTP Timeout Interval.......................................................................................................................417
12.8.3 Setting the Values of MSTP Timers...................................................................................................................... 417
12.8.5 Setting the Link Type of a Port..............................................................................................................................419
12.8.6 Setting the Maximum Transmission Rate of an Interface..................................................................................... 420
12.8.7 Switching to the MSTP Mode............................................................................................................................... 420
12.8.8 Configuring a Port as an Edge Port and BPDU Filter Port................................................................................... 421
12.8.9 Setting the Maximum Number of Hops in an MST Region..................................................................................423
12.8.10 Verifying the Configuration of the MSTP Parameters on an Interface............................................................... 423
12.9 Configuring MSTP Protection Functions................................................................................................................. 423
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. xv

12.9.1 Configuring BPDU Protection on a Switching Device......................................................................................... 424

12.9.2 Configuring TC Protection on a Switching Device...............................................................................................424
12.9.3 Configuring Root Protection on an Interface........................................................................................................ 425
12.9.4 Configuring Loop Protection on an Interface........................................................................................................426
12.9.5 Checking the MSTP Protection Function Configuration...................................................................................... 426
12.10 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei Devices...................................427
12.10.1 Configuring a Proposal/Agreement Mechanism................................................................................................. 427
12.10.2 Configuring the MSTP Protocol Packet Format on an Interface.........................................................................428
12.10.3 Enabling the Digest Snooping Function.............................................................................................................. 428
12.10.4 Verifying the Configuration of the MSTP Interoperability Between Huawei Devices and Non-Huawei Devices
.......................................................................................................................................................................................... 429
12.11 Maintaining MSTP................................................................................................................................................. 429
12.11.1 Clearing MSTP Statistics.....................................................................................................................................429
12.11.2 Monitoring the Statistics on MSTP Topology Changes...................................................................................... 429
12.12 Configuration Examples for MSTP........................................................................................................................ 430
12.12.1 Example for Configuring Basic MSTP Functions...............................................................................................430
12.13 FAQ About MSTP.................................................................................................................................................. 437
12.13.1 How Do I Determine Whether Devices Belong to the Same MST Region?.......................................................437
12.13.2 Is the MSTP Status of Interfaces Affected When the MSTP Status of a Member Interface in the MST Region
Changes?...........................................................................................................................................................................437
12.13.3 Which Statuses Does an MSTP Interface Have, and How Does the Interface Process Packets?....................... 437
13 SEP Configuration...................................................................................................................439
13.1 Overview of SEP...................................................................................................................................................... 440
13.2 Understanding SEP...................................................................................................................................................440
13.2.1 Principles of SEP................................................................................................................................................... 440
13.2.2 Basic Concepts of SEP.......................................................................................................................................... 443
13.2.3 SEP Implementation Mechanisms.........................................................................................................................447
13.3 Applications Scenarios for SEP................................................................................................................................459
13.3.1 Open-Ring Networking......................................................................................................................................... 459
13.3.2 Closed-Ring Networking....................................................................................................................................... 460
13.3.3 Multi-Ring Networking......................................................................................................................................... 461
13.3.4 Hybrid SEP+MSTP Ring Networking.................................................................................................................. 462
13.3.5 SEP Multi-Instance................................................................................................................................................463
13.4 Summary of SEP Configuration Tasks..................................................................................................................... 464
13.5 Licensing Requirements and Limitations for SEP................................................................................................... 465
13.6 Configuring Basic SEP Functions............................................................................................................................ 466
13.6.1 Configuring a SEP Segment.................................................................................................................................. 466
13.6.2 Configuring a Control VLAN................................................................................................................................466
13.6.3 Creating a Protected Instance................................................................................................................................ 467
13.6.4 Adding a Layer 2 Interface to a SEP Segment and Configuring a Role for the Interface.....................................468
13.6.5 Verifying the Basic SEP Configuration................................................................................................................. 470
13.7 Specifying an Interface to Block.............................................................................................................................. 471
13.7.1 Setting an Interface Blocking Mode...................................................................................................................... 471
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. xvi

13.7.2 Configuring the Preemption Mode........................................................................................................................ 472

13.7.3 Verifying the Configuration of Specifying an Interface to Block..........................................................................474
13.8 Configuring SEP Multi-Instance.............................................................................................................................. 474
13.9 Configuring the Topology Change Notification Function........................................................................................476
13.9.1 Reporting Topology Changes in a Lower-Layer Network - SEP Topology Change Notification........................ 476
13.9.2 Verifying the Configuration of the Topology Change Notification Function........................................................477
13.10 Maintaining SEP.....................................................................................................................................................478
13.10.1 Clearing SEP Statistics........................................................................................................................................ 478
13.11 Configuration Examples for SEP............................................................................................................................478
13.11.1 Example for Configuring SEP on a Closed Ring Network................................................................................. 478
13.11.2 Example for Configuring SEP on a Multi-Ring Network................................................................................... 484
13.11.3 Example for Configuring a Hybrid SEP+MSTP Ring Network......................................................................... 495
13.11.4 Example for Configuring SEP Multi-Instance.....................................................................................................503
14 Layer 2 Protocol Transparent Transmission Configuration............................................510

14.1 Overview of Layer 2 Protocol Transparent Transmission........................................................................................510
14.2 Understanding Layer 2 Protocol Transparent Transmission.....................................................................................511
14.3 Application Scenarios for Layer 2 Protocol Transparent Transmission...................................................................512
14.4 Licensing Requirements and Limitations for Layer 2 Protocol Transparent Transmission..................................... 513
14.5 Configuring Layer 2 Protocol Transparent Transmission........................................................................................ 514
14.5.1 Replacing the Multicast Destination MAC Address of Layer 2 Protocol Packets with a Specified Multicast MAC
Address............................................................................................................................................................................. 514
14.5.2 Configuring a Transparent Bridge......................................................................................................................... 514
14.5.3 Enabling Layer 2 Protocol Transparent Transmission on an Interface..................................................................515
14.5.4 Verifying the Configuration of Interface-based Layer 2 Protocol Transparent Transmission...............................516
14.6 Configuration Examples for Layer 2 Protocol Transparent Transmission............................................................... 516
14.6.1 Example for Configuring Layer 2 Protocol Transparent Transmission.................................................................516
15 Transparent Bridging Configuration...................................................................................520

15.1 Overview of Transparent Bridge.............................................................................................................................. 521
15.2 Understanding Transparent Bridging........................................................................................................................521
15.2.1 Basic Principles of Transparent Bridging..............................................................................................................521
15.2.2 Local Bridging....................................................................................................................................................... 525
15.2.3 Remote Bridging....................................................................................................................................................525
15.2.4 Integrated Bridging and Routing........................................................................................................................... 526
15.2.5 VLAN ID Transparent Transmission.....................................................................................................................527
15.3 Application Scenarios for Transparent Bridging...................................................................................................... 528
15.4 Summary of Transparent Bridging Configuration Tasks..........................................................................................533
15.5 Default Settings for Transparent Bridging................................................................................................................533
15.6 Licensing Requirements and Limitations for Transparent Bridging........................................................................ 534
15.7 Configuring Local Bridging..................................................................................................................................... 534
15.7.1 Creating a Bridge Group........................................................................................................................................534
15.7.2 Adding Local Interfaces to a Bridge Group.......................................................................................................... 535
15.7.3 (Optional) Disabling a Bridge Group from Bridging Specified Protocol Packets................................................ 536
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. xvii

15.7.4 (Optional) Configuring a MAC Address Table for a Bridge Group......................................................................536

15.7.5 Verifying the Configuration of the Local Bridging............................................................................................... 537
15.8 Configuring Local Bridging Integrated with IP Routing..........................................................................................537
15.8.2 Adding Local Interfaces to a Bridge Group.......................................................................................................... 538
15.8.3 Enabling IP Routing for a Bridge Group...............................................................................................................539
15.8.6 Verifying the Configuration of the Local Bridging Integrated with IP Routing....................................................541
15.9 Configuring Remote Bridging.................................................................................................................................. 541
15.9.2 Adding a LAN-side Interface to a Bridge Group.................................................................................................. 542
15.9.3 Adding a WAN-side Interface to a Bridge Group................................................................................................. 543
15.9.5 (Optional) Configuring Transparent Transmission of BPDUs.............................................................................. 546
15.9.6 (Optional) Configuring VLAN ID Transparent Transmission.............................................................................. 546
15.9.8 Verifying the Configuration of the Remote Bridging............................................................................................ 548
15.10 Configuring Remote Bridging Integrated with IP Routing.................................................................................... 548
15.10.1 Creating a Bridge Group......................................................................................................................................548
15.10.2 Adding a LAN-side Interface to a Bridge Group................................................................................................ 549
15.10.3 Adding a WAN-side Interface to a Bridge Group............................................................................................... 550
15.10.4 Enabling IP Routing for a Bridge Group.............................................................................................................552
15.10.5 (Optional) Disabling a Bridge Group from Bridging Specified Protocol Packets.............................................. 553
15.10.6 (Optional) Configuring a MAC Address Table for a Bridge Group....................................................................553
15.10.7 Verifying the Configuration of the Remote Bridging Integrated with IP Routing.............................................. 554
15.11 Maintaining Transparent Bridging..........................................................................................................................554
15.11.1 Monitoring the Operation of Bridge Groups....................................................................................................... 554
15.11.2 Clearing the Traffic Statistics of a Bridge Group................................................................................................ 555
15.11.3 Clearing the Traffic Statistics on the Bridge-if Interface of a Bridge Group...................................................... 555
15.12 Configuration Examples for Transparent Bridging................................................................................................ 556
15.12.1 Example for Configuring Local Bridging........................................................................................................... 556
15.12.2 Example for Configuring Local Bridging with IP Routing................................................................................. 558
15.12.3 Example for Configuring Remote Bridging........................................................................................................ 560
15.12.4 Example for Configuring Remote Bridging with IP Routing..............................................................................563
15.12.5 Example for Configuring Remote Bridging with VLAN ID Transparent Transmission.................................... 566
15.13 FAQ About Transparent Bridging.......................................................................................................................... 570
15.13.1 Are Packets in a Bridge Group Forwarded at Layer 2 or Layer 3?..................................................................... 570
15.13.2 Do Network Bridges on AR Series Routers Transparently Transmit BPDUs?...................................................571
15.13.3 Can the MAC Address of the BVI Interface in a Network Bridge Be Changed?............................................... 571
15.13.4 Do Network Bridges Transparently Transmit Packets with VLAN Tags?..........................................................571
15.13.5 What Are the Differences Between Network Bridge MAC Addresses and Common MAC Addresses?...........571
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. xviii

15.13.6 Which Layer 2 Links Do Network Bridges Support?......................................................................................... 571

15.13.7 Can an Optical Interface on the AR Router Join a Bridge Group?..................................................................... 571
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. xix

Configuration 1 MAC Address Table Configuration
1 MAC Address Table Configuration
About This Chapter
This chapter describes how to configure the MAC address table.

1.1 Overview of MAC Addresses
This section describes the concept of the Media Access Control (MAC) address.
1.2 Understanding MAC Address Table
This section describes principles of MAC address table.
1.3 Application Scenarios for MAC Address Tables
This section describes the applicable environment of MAC address flapping.
1.4 Summary of MAC Address Table Configuration Tasks
1.5 Default Settings for MAC Address Tables
1.6 Licensing Requirements and Limitations for MAC Address Tables
1.7 Manually Configuring a MAC Address Table
1.8 Configuring MAC Address Flapping Detection
MAC address flapping detection detects all MAC addresses on the device. When MAC
address flapping occurs, the device sends an alarm to the NMS.
1.9 Configuring the Router to Discard Packets with an All-0 MAC Address
1.10 Maintaining the MAC Address Table
1.11 Configuration Examples for MAC Address Tables
1.12 Troubleshooting MAC Address Tables
1.13 FAQ About MAC Address Tables
1.1 Overview of MAC Addresses

This section describes the concept of the Media Access Control (MAC) address.
A MAC address defines the location of a network device. A MAC address consists of 48 bits
and is displayed as a 12-digit hexadecimal number. Bits 0 to 23 are assigned by the IETF and
Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. 1

other institutions to identify vendors, and bits 24 to 47 are the unique ID assigned by vendors
to identify their network adapters.
MAC addresses fall into the following types:
l Physical MAC address: uniquely identifies a terminal on an Ethernet network and is the
globally unique hardware address.
l Broadcast MAC address: indicates all terminals on a LAN. The broadcast address is all
1s (FF-FF-FF-FF-FF-FF).
l Multicast MAC address: indicates a group of terminals on a LAN. All the MAC
addresses with the 8 bit as 1 are multicast MAC addresses (for example,
01-00-00-00-00-00), excluding the broadcast MAC address.
1.2 Understanding MAC Address Table

This section describes principles of MAC address table.
1.2.1 Definition and Classification of MAC Address Entries

Definition of a MAC Address Table
A MAC address table records other devices' MAC addresses learned by the router, interfaces
on which MAC addresses are learned, and VLANs that the interfaces belong to. Before
forwarding a packet, the router looks up the destination MAC address of the packet the MAC
address table. If a MAC address entry matches the destination MAC address, the router
forwards the packet from the corresponding outbound interface in the MAC address entry. If
no MAC address entry matches the destination MAC address, the router broadcasts the packet
to all interfaces in the corresponding VLAN, except the inbound interface receiving the
packet.
Classification of MAC Address Entries

MAC address entries are classified into dynamic, static, and blackhole entries. In addition,
there are MAC address entries that are related to service types, for example, secure MAC and
MUX MAC. They are maintained by service modules and are converted from dynamic MAC
address entries.

Table 1-1 Characteristics and functions of different MAC address entries

MAC Address Entry Characteristics Function
Type
Dynamic MAC address l Dynamic MAC address l You can check whether
entry entries are obtained by data is forwarded
learning source MAC between two connected
addresses of packets on devices by checking
an interface, and can be dynamic MAC address
aged. entries.
l Dynamic MAC address l You can obtain the
entries are lost after a number of
system restart, LPU hot communicating users
swap, or LPU reset. connected to an
interface by checking
the number of specified
dynamic MAC address
entries.
Static MAC address entry l Static MAC address When static MAC address
entries are manually entries are configured,
configured and delivered authorized users can use
to each LPU. Static MAC network resources and
address entries never age. other users are prevented
l The static MAC address from using the bound MAC
entries saved in the addresses to initiate attacks.
system are not lost after a
system restart, LPU hot
swap, or LPU reset.
l After an interface is
statically bound to a
MAC address, other
interfaces discard packets
from this source MAC
address.
l Each static MAC address
entry can have only one
outbound interface.
l Statically binding an
interface to a MAC
address does not affect the
learning of dynamic MAC
address entries on the
interface.

MAC Address Entry Characteristics Function

Type
Blackhole MAC address l Blackhole MAC address Blackhole MAC address

entry entries are manually entries can filter out
configured and delivered unauthorized users.
to each LPU. Blackhole
MAC address entries
never age.
l The blackhole MAC
address entries saved in
the system are not lost
after a system restart,
LPU hot swap, or LPU
reset.
l After blackhole MAC
address entries are
configured, the device
discards packets from or
destined for the blackhole
MAC addresses.
1.2.2 Elements and Functions of a MAC Address Table

Elements
Each entry in a MAC address table is identified by a MAC address and a VLAN ID or VSI.
When a destination host joins multiple VLANs or VSIs, the host's MAC address corresponds
to multiple VLAN IDs or VSIs in the MAC address table. Table 1-2 lists four MAC address
entries, which specify the outbound interfaces for packets with specified destination MAC
addresses and VLAN IDs or VSI names. For example, the first MAC address entry is used to
forward the packets with destination MAC address 0011-0022-0034 and VLAN 10 through
outbound interface GE.
Table 1-2 MAC address entries

MAC Address VLAN ID/VSI Name Outbound Interface
0011-0022-0034 10 GE
0011-0022-0034 20 GE
0011-0022-0035 30 Eth-Trunk20
0011-0022-0035 huawei GE
Functions
A MAC address table is used for unicast forwarding of packets. In Figure 1-1, when packets
sent from PC1 to PC3 reach the router, the router searches its MAC address table for the

destination MAC address MAC3 and VLAN 10 in the packets to obtain outbound interface
Port3. The router then forwards packets to PC3 from Port3.
Figure 1-1 Forwarding based on the MAC address table

MAC Address VLANID Port
MAC1 10 Port1
MAC2 10 Port2 PC2
MAC3 10 Port3
Router
PC1 Port1 Port2
Port3
MAC3 MAC1 VLAN10 Type Data MAC PC3
3 M
AC1
VL AN
10
Type
Data
1.2.3 MAC Address Entry Learning and Aging
MAC Address Entry Learning

Generally, MAC address entries are learned from source MAC addresses of data frame.
Figure 1-2 MAC address entry learning
PortA
HostA Data frame RouterA
As shown in Figure 1-2, HostA sends a data frame to RouterA. When receiving the data
frame, RouterA obtains the source MAC address (HostA's MAC address) and VLAN ID of
the frame.
l If the MAC address entry does not exist in the MAC address table, SwitchA adds an
entry with the new MAC address, PortA, and VLAN ID to the MAC address table.
l If the MAC address entry exists in the MAC address table, SwitchA resets the aging
timer of the MAC address entry and updates the entry.
NOTE
l If PortA is a member interface of Eth-TrunkA, the outbound interface in the MAC address entry is
Eth-TrunkA.
l All interfaces of a router belong to VLAN 1 by default. If the default VLAN is not changed, the
VLAN ID of all MAC address entries is VLAN 1.
l The router does not learn the BPDU MAC address similar to 0180-c200-xxxx.
MAC address entry learning and update are triggered on a device only when the device
receives data frames.

MAC Address Entry Aging

A device needs to update its MAC address table continuously to adapt to changing network
topologies. Dynamic MAC address entries are not always valid. Each entry has a life cycle
(aging time) and will be deleted when the aging time expires. If an entry is updated within the
aging time, the aging timer of the entry is reset.
Figure 1-3 MAC address entry aging

t1: The entry with MAC
t2-t3: No packet matching
address 00e0-fc00-0001
this MAC address is
and VLAN ID 1 is learned,
received, so hit flag is 0.
and the hit flag is set to 1.
1 2 3 4
0 T T T T
t1 t2 t3 Time
t2: The hit flag of the entry t3: The entry with MAC
with MAC address 00e0-fc00- address 00e0-fc00-0001
0001 and VLAN ID 1 is set to and VLAN ID 1 is deleted
0, but the entry is not deleted. because its hit flag is 0.
As shown in Figure 1-3, the aging time of MAC address entries is set to T. At t1, packets with
source MAC address 00e0-fc00-0001 and VLAN ID 1 arrive at an interface, which has joined
VLAN 1. If no entry with MAC address 00e0-fc00-0001 and VLAN 1 exists in the MAC
address table, the MAC address is learned as a dynamic MAC address entry in the MAC
address table, and the hit flag of the entry is set to 1.
The device checks all dynamic MAC address entries at an interval of T.
1. At t2, if the device finds that the hit flag of the matching dynamic MAC address entry
with MAC address 00e0-fc00-0001 and VLAN 1 is 1, the device sets the hit flag to 0 but
does not delete the MAC address entry.
2. If no packet with source MAC address 00e0-fc00-0001 and VLAN 1 enters the device
between t2 and t3, the hit flag of the matching MAC address entry is always 0.
3. At t3, the device finds that the hit flag of the matching MAC address entry is 0. The
device considers that the aging time of the MAC address entry has expired and deletes
the MAC address entry.
The minimum holdtime of a dynamic MAC address entry ranges from T to 2T on the device.
You can set the aging time of MAC address entries to control the life cycle of dynamic MAC
address entries in a MAC address table.
1.2.4 MAC Address Learning Control

When hackers send a large number of packets with different source MAC addresses to a
device, useless MAC addresses will consume MAC address entry resources of the device. As
a result, the device cannot learn source MAC addresses of valid packets. The device
broadcasts the packets that do not match MAC address entries, wasting bandwidth resources.

The device provides the following MAC address learning control methods to address the
preceding issue:
l Disabling MAC address learning on a VLAN or an interface

l Limiting the number of learned MAC address entries on a VLAN or an interface
Table 1-3 MAC address learning control
MAC Address Principle Application Scenario

Learning
Control Method
Disabling MAC After MAC address learning is l In most cases, attack packets
address learning disabled on a VLAN or an sent by a hacker enter the
on a VLAN or an interface, the device does not device through the same
interface learn new dynamic MAC address interface. Therefore, you can
entries on the VLAN or interface. use either of the two methods
The dynamic MAC address to prevent attack packets from
entries learned before are aged using up MAC address entry
out when the aging time expires. resources on the device.
They can also be manually l The method of limiting the
deleted using commands. number of learned MAC
Limiting the The device can only learn a address entries on a VLAN or
number of learned specified number of MAC an interface can also be used
MAC address address entries on a VLAN or an to limit the number of access
entries on a VLAN interface. users.
or an interface When the number of learned
MAC address entries reaches the
limit, the device reports an alarm
to notify the network
administrator.
After that, the device cannot
learn new MAC address entries
on the VLAN or interface and
discards the packets with source
MAC addresses out of the MAC
address table.
1.2.5 MAC Address Flapping
What Is MAC Address Flapping

MAC address flapping occurs when a MAC address is learned by two interfaces in the same
VLAN and the MAC address entry learned later overrides the earlier one. Figure 1-4 shows
how MAC address flapping occurs. In the MAC address entry with MAC address
0011-0022-0034 and VLAN 2, the outbound interface is changed from GE0/0/1 to GE0/0/2.
MAC address flapping can cause an increase in the CPU usage on the device.

MAC address flapping does not occur frequently on a network unless a network loop occurs.
If MAC address flapping frequently occurs on your network, you can quickly locate the fault
and eliminate the loops according to alarms and MAC address flapping records.
Figure 1-4 MAC address flapping

0011-0022-0034 2 GE0/0/1

0011-0022-0034 2 GE0/0/2
MAC Address Flapping Detection

The device can detect MAC address flapping. When MAC address flapping occurs, the device
can provide diagnosis information, including the flapping MAC address, interfaces between
which the MAC address flaps, and VLAN that the interfaces belong to. A loop may exist on
the interfaces between which the MAC address flaps. You will know how the loop is
generated by checking interfaces where MAC addresses are flapping.
Figure 1-5 MAC address flapping detection
Network
Port1
MAC:11-22-33 RouterA
Port2 Access port

MAC:11-22-33
Users
Router
SwitchB SwitchC
Broadca
st strom
Incorrect
connection Data flow
As shown in Figure 1-5, Switch B should not be connected to Switch C. When the two
switches are connected, Router, Switch B, and Switch C form a loop. When Port1 of Router A
receives a broadcast packet, Router A forwards the packet to Switch B. The packet is then
sent to Port2 of Router A. Router A detects that the source MAC address of the packet flaps
from Port1 to Port2. If the MAC address flaps between the two ports frequently, Router A
considers that MAC address flapping occurs.

NOTE
l MAC address flapping detection allows a device to detect changes in traffic based on learned MAC
addresses, but the device cannot obtain the entire network topology. It is recommended that this function
be used on an interface when the interface connects to a user network where loops may occur.
1.3 Application Scenarios for MAC Address Tables

This section describes the applicable environment of MAC address flapping.
MAC Address Flapping Detection

As shown in Figure 1-6, a loop occurs on a user network because network cables between
two LSWs are incorrectly connected. The loop causes MAC address flapping and MAC
address table flapping.
You can enable MAC address flapping detection on the Router to detect MAC address
flapping and discover loops.
Figure 1-6 Networking diagram of MAC address flapping detection
Network
Router
LSW1 LSW2
Incorrect connection
1.4 Summary of MAC Address Table Configuration Tasks

Table 1-4 MAC address table configuration tasks
Scenario Description Task
MAC addresses and Configure static MAC address entries 1.7.1 Configuring a
interfaces need to be to bind MAC addresses and interfaces, Static MAC Address
bound statically. improving security of authorized users. Entry

Attack packets from Configure blackhole MAC address 1.7.2 Configuring a

unauthorized users entries to filter out packets from Blackhole MAC
need to be filtered unauthorized users, thereby protecting Address Entry
out. the system against attacks.
Aging of dynamic Set the aging time according to your 1.7.3 Setting the Aging
MAC address entries needs. Set the aging time to a large Time of Dynamic
needs to be flexibly value or 0 (not to age dynamic MAC MAC Address Entries
controlled. address entries) on a stable network;
set a short aging time in other
situations.
MAC address Attacks initiated by unauthorized users 1.7.4 Disabling MAC

learning needs to be may exhaust MAC address entries. To Address Learning
controlled. prevent this problem, disable MAC 1.7.5 Configuring the
address learning or limit the number of MAC Address
learned MAC address entries. Limiting Function
MAC address MAC address flapping occurs when a 1.8 Configuring MAC
flapping needs to be MAC address is learned by two Address Flapping
detected. interfaces in the same VLAN and the Detection
MAC address entry learned later
overrides the earlier one.
MAC address flapping detection
enables a switch to check whether any
MAC address flaps between interfaces
and determine whether a loop occurs.
When MAC address flapping occurs,
the switch sends an alarm to the NMS.
The network maintenance personnel
can locate the loop based on the alarm
information and historical records for
MAC address flapping. This greatly
improves network maintainability. If
the network connected to the switch
does not support loop prevention
protocols, configure the switch to shut
down the interfaces where MAC
address flapping occurs to reduce the
impact of MAC address flapping on
the network.
The switch needs to A faulty host or device may send 1.9 Configuring the
discard packets with packets with an all-0 source or Router to Discard
an all-0 source or destination MAC address to a router. Packets with an All-0
destination MAC Configure the switch to discard such MAC Address
address. packets and send an alarm to the NMS
so that the network administrator can
locate the faulty host or device based
on the alarm information.

1.5 Default Settings for MAC Address Tables

Table 1-5 Default setting for MAC address tables
Parameter Default Value
Aging time of a dynamic MAC address 300 seconds

entry
Whether MAC address learning is enabled Enable
Port security Disabled
Limit on the number of MAC addresses 1

learned by an interface
Action to be taken when the number of Restrict

learned MAC addresses reaches the limit
Discarding packets with all-0 invalid MAC Disabled

addresses
Alarms generated when receiving packets Disabled

with all-0 invalid MAC addresses
1.6 Licensing Requirements and Limitations for MAC

Address Tables
Involved Network Elements
None
Licensing Requirements
MAC is a basic feature of a router and is not under license control.
Feature Limitations
When deploying a MAC address on the router, pay attention to the following:
l Dynamic MAC address entries can be learned on an interface only after the interface is
added to an existing VLAN.
l Each static MAC address entry can have only one outbound interface.
l When the aging time of dynamic MAC address entries is set to 0, dynamic MAC address
entries do not age. To age MAC address entries, delete the aging time configuration.

1.7 Manually Configuring a MAC Address Table

Context
You can configure functions and parameters for a MAC address table to implement secure
communication between authorized users. The following configurations are optional and can
be performed in any sequence.
1.7.1 Configuring a Static MAC Address Entry
Context
MAC addresses and interfaces are bound statically in static MAC address entries.
A device cannot distinguish packets from authorized and unauthorized users when it learns
source MAC addresses of packets to maintain the MAC address table. This causes network
risks. If an unauthorized user uses the MAC address of an authorized user as the source MAC
address of attack packets and connects to another interface of the device, the device learns an
incorrect MAC address entry. As a result, packets destined for the authorized user are
forwarded to the unauthorized user. To improve security, you can create static MAC address
entries to bind MAC addresses of authorized users to specified interfaces. This prevents
unauthorized users from intercepting data of authorized users.
Static MAC address entries have the following characteristics:
l A static MAC address entry will not be aged out. After being saved, a static MAC
address entry will not be lost after a system restart, and can only be deleted manually.
l The VLAN bound to a static MAC address entry must have been created and assigned to
the interface bound to the entry.
l The MAC address in a static MAC address entry must be a unicast MAC address, and
cannot be a multicast or broadcast MAC address.
l A static MAC address entry takes precedence over a dynamic MAC address entry. The
system discards packets with flapping static MAC addresses.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run mac-address static mac-address interface-type interface-number vlan vlan-id
A static MAC address entry is created.
----End
Verifying the Configuration

Run the display mac-address static command to check configured static MAC address
entries.

1.7.2 Configuring a Blackhole MAC Address Entry

Blackhole MAC address entries can be used to filter out invalid MAC addresses.
Context
To protect a device or network against MAC address attacks from hackers, configure MAC
addresses of untrusted users as blackhole MAC addresses. The device then directly discards
the received packets of which the source or destination MAC addresses match the blackhole
MAC address entries.
Procedure
Step 2 Run mac-address blackhole mac-address vlan vlan-id
A blackhole MAC address entry is configured.
NOTE
The AR111-S, AR121-S and AR151-S2 forward packets with the source MAC address as the blackhole
MAC address.
The WAN-side Interface of the AR2204-27GE-S, when the source MAC addresses of packets are
blackhole MAC addresses, the device forwards packets and does not discard them.
The 4GE-2S, 4ES2G-S, 4ES2GP-S, and 9ES2 cards forward packets with the source MAC address as
the blackhole MAC address.
----End

Run the display mac-address blackhole command to check configured blackhole MAC
address entries.
1.7.3 Setting the Aging Time of Dynamic MAC Address Entries
Context
To prevent explosive increase of MAC address entries, set the aging time for dynamic MAC
address entries.
Because the network topology changes frequently, the router will learn more and more MAC
addresses. Therefore, the aging time needs to be set properly for dynamic MAC address
entries so that the router can delete unneeded MAC address entries to prevent a sharp increase
of MAC address entries. A shorter aging time makes the router more sensitive to network
changes and is applicable to networks where network topology changes frequently. A longer
aging time makes the router more insensitive to network changes and is only applicable to
stable networks.

Procedure
Step 2 Run mac-address aging-time aging-time
The aging time is set for dynamic MAC address entries.
----End

Run the display mac-address aging-time command to view the aging time of dynamic MAC
address entries.
1.7.4 Disabling MAC Address Learning

Background
The MAC address learning function is enabled by default on the router. When receiving a
data frame, the router records the source MAC address of the data frame and the interface that
receives the data frame in a MAC address entry. When receiving data frames destined for this
MAC address, the router forwards the data frames through the outbound interface according
to the MAC address entry. The MAC address learning function reduces broadcast packets on a
network. After MAC address learning is disabled on an interface, the router does not learn
source MAC addresses of data frames received by the interface, but the dynamic MAC
address entries learned on the interface are not immediately deleted. These dynamic MAC
address entries are deleted after the aging time expires or can be manually deleted using
commands.
Procedure
l Disable MAC address learning on an interface.
a. Run system-view
b. Run interface interface-type interface-number
The interface view is displayed.
c. (Optional) Run portswitch
The virtual Ethernet (VE) interface is switched from Layer 3 mode to Layer 2
mode.
By default, a VE interface works in Layer 3 mode.
You need to perform this operation after accessing the VE interface view.
d. Run mac-address learning disable [ action { discard | forward } ]
MAC address learning is disabled on the interface.
By default, MAC address learning is enabled on an interface.
By default, the router takes the forward action after MAC address learning is
disabled. That is, the router forwards packets according to the MAC address table.
When the action is set to discard, the router looks up the source MAC address of
the packet in the MAC address table. If the source MAC address is found in the

MAC address table, the router forwards the packet according to the matching MAC
address entry. If the source MAC address is not found, the router discards the
packet.
l Disable MAC address learning in a VLAN.
a. Run system-view
b. Run vlan vlan-id
The VLAN view is displayed.
c. Run mac-address learning disable
MAC address learning is disabled in the VLAN.
By default, MAC address learning is enabled in a VLAN.
NOTE
Only the AR2200-S&AR3200-S series support disable MAC address learning in a VLAN.
The 4GE-2S, 4ES2G-S, 4ES2GP-S, and 9ES2 cards do not support disable MAC address learning in a
VLAN.

l Run the display mac-address summary command to check statistics on all the MAC
address entries.
l Run the display mac-address total-number command to check the number of MAC
address entries.
1.7.5 Configuring the MAC Address Limiting Function
Context
The MAC address limiting function controls the number of access users to prevent MAC
addresses from hackers.
An insecure network is vulnerable to MAC address attacks. When hackers send a large
number of forged packets with different source MAC addresses to the router, the MAC
address table of the router will be filled with useless MAC address entries. As a result, the
router cannot learn source MAC addresses of valid packets.
You can limit the number of MAC address entries learned on the router. When the number of
learned MAC address entries reaches the limit, the router does not learn new MAC address
entries. You can also configure an action to take when the number of MAC address entries
reaches the limit. This prevents MAC address attacks and improves network security.
NOTE
Only AR2200-S&AR3200-S series support limiting the number of MAC addresses learned in a VLAN.
The AR100-S&AR110-S&AR120-S&AR160-S&AR160-S series, AR151-S2 do not support limiting the
number of MAC addresses learned.
The 4GE-2S, 4ES2G-S, 4ES2GP-S, and 9ES2 cards do not support limiting the number of MAC
addresses learned.

Procedure
l Limit the number of MAC address entries learned on an interface.
a. Run system-view


c. Run mac-limit maximum max-num
The maximum number of MAC address entries that can be learned on the interface
is set.
By default, the number of MAC address entries learned on an interface is not

limited.
d. Run mac-limit action { discard | forward }
The action to take when the number of learned MAC address entries reaches the
limit is configured.
By default, the router discards packets with new MAC addresses when the number
of learned MAC address entries reaches the limit.
e. Run mac-limit alarm { disable | enable }
The router is configured to or not to generate an alarm when the number of learned
MAC address entries reaches the limit.
By default, the router generates an alarm when the number of learned MAC address
entries reaches the limit.
l Limit the number of MAC address entries learned in a VLAN.
a. Run system-view

b. Run vlan vlan-id

c. Run mac-limit maximum max-num
The maximum number of MAC address entries learned in the VLAN is set.
By default, the number of MAC address entries learned in a VLAN is not limited.
d. Run mac-limit alarm { disable | enable }
The router is configured to or not to generate an alarm when the number of learned
MAC address entries reaches the limit.
By default, the router generates an alarm when the number of learned MAC address
entries reaches the limit.
----End

Run the display mac-limit command to check limiting on MAC address learning.

1.8 Configuring MAC Address Flapping Detection

MAC address flapping detection detects all MAC addresses on the device. When MAC
address flapping occurs, the device sends an alarm to the NMS.
Context
After MAC address flapping detection is configured in a VLAN, the device checks all MAC
addresses in the VLAN to detect MAC address flapping. When MAC address flapping occurs
on an interface, the device blocks the interface or MAC address, or reports an alarm according
to the configuration.
NOTE
The 4GE-2S, 4ES2G-S, 4ES2GP-S, and 9ES2 cards do not support MAC address flapping detection.
Only the AR151-S, AR151G-U-S, AR151W-P-S, AR201-S, AR207-S, AR1220–S, AR1220W-L, and
AR1220L-S support MAC address flapping detection.
Procedure
Step 2 Run vlan vlan-id
A VLAN is created and the VLAN view is displayed.
Step 3 Run loop-detect eth-loop { [ block-mac ] block-time block-time retry-times retry-times |
alarm-only }
MAC address flapping detection is configured in the VLAN.
When detecting MAC address flapping in a VLAN, the device can take either of the following
actions:
l Block the interface or MAC address. When block-mac is specified in the command, the
router does not block the interface but blocks the traffic from the flapping MAC address.
l Send an alarm to the NMS.
----End

Run the display loop-detect eth-loop [ vlan vlan-id ] command to check information about
MAC address flapping detection in a VLAN.
Follow-up Procedure
After MAC address flapping detection is configured in a VLAN, the device checks all MAC
addresses in the VLAN to detect MAC address flapping. If MAC address flapping occurs on
an interface, the system blocks the interface if it is configured to do so. After a specified
period of time, the system unblocks the interface. If no MAC address flapping is detected
within 20 seconds, the system unblocks the interface and starts a new round of detection. If

MAC address flapping is detected again within 20 seconds, the system blocks the interface.
This process repeats for a specified number of times. If MAC address flapping persists, the
interface is permanently blocked.
After an interface or a MAC address is permanently blocked because of MAC address
flapping, you must run the reset loop-detect eth-loop command in the corresponding VLAN
if you want to restore the interface or MAC address.
1. Run the system-view command to enter the system view.
2. Run the reset loop-detect eth-loop vlan vlan-id { all | interface interface-type interface-
number | mac-address mac-address } command to unblock the specified interface or
MAC address.
Before using the reset loop-detect eth-loop command, run the display loop-detect eth-loop
command to check the blocked interface or MAC address.
1.9 Configuring the Router to Discard Packets with an

All-0 MAC Address
Context
A faulty network device may send packets with an all-0 source or destination MAC address to
the router. You can configure the router to discard such packets and send an alarm to the
network management system (NMS). You can locate the faulty device according to the alarm.
You can configure the router to discard packets with an all-0 source or destination MAC
address.
Procedure
Step 2 Run drop illegal-mac enable
The router is configured to discard packets with an all-0 MAC address.
By default, the router does not discard packets with an all-0 MAC address.
NOTE
The AR100-S&AR110-S&AR120-S&AR150-S&AR160-S&AR200-S&AR1200-S series,

AR2204-27GE-S, AR2220E-S, and AR2240C-S do not support discarding packets with an all-0 MAC
address.
The 4GE-2S, 4ES2G-S, 4ES2GP-S, and 9ES2 cards do not support discarding packets with an all-0
MAC address.
Step 3 (Optional) Run drop illegal-mac alarm

The router is configured to send an alarm to the NMS when receiving packets with an all-0
MAC address.
By default, the router does not send an alarm to the NMS when receiving packets with an
all-0 MAC address.

NOTE
The router sends only one alarm after receiving packets with an all-0 MAC address. To enable the router
to send an alarm again after receiving packets with an all-0 MAC address, run the drop illegal-mac
alarm command.
----End

Run the display current-configuration command to check whether the router is configured
to discard packets with an all-0 MAC address.
1.10 Maintaining the MAC Address Table

1.10.1 Displaying MAC Address Entries
Table 1-6 Commands used to display MAC address entries
Action Command
Display all MAC address entries. display mac-address
Display static MAC address entries. display mac-address static
Display MAC address entries learned in a display mac-address dynamic vlan vlan-id
VLAN.
Display MAC address entries learned on an display mac-address dynamic interface-

interface. type interface-number
Display a specified MAC address. display mac-address mac-address
Display the aging time of dynamic MAC display mac-address aging-time

address entries.
Display statistics on MAC address entries. l Display the total statistics: display mac-
address total-number
l Display the statistics of various types of
MAC address entries: display mac-
address summary
Display the system MAC address. display bridge mac-address
Display the MAC address of an interface. display interface interface-type interface-

number
Hardware address indicates the MAC
address of the interface.
Display the MAC address of a VLANIF display interface vlanif vlan-id

interface. Hardware address indicates the MAC
address of the VLANIF interface.

1.10.2 Deleting MAC Address Entries

Table 1-7 Commands used to delete MAC address entries
Action Command
Delete all MAC address entries. undo mac-address
Delete MAC address entries in a VLAN. undo mac-address vlan vlan-id
Delete MAC address entries on an interface. undo mac-address vlan interface-type

interface-number
1.11 Configuration Examples for MAC Address Tables
1.11.1 Example for Configuring the MAC Address Table
Networking Requirements
As shown in Figure 1-7, the MAC address of PC1 is 0002-0002-0002, and the MAC address
of PC2 is 0003-0003-0003. The LSW connects the PCs to the Router. The LSW is connected
to Ethernet2/0/1 of the Router, which belongs to VLAN 2. The MAC address of the server is
0004-0004-0004. The server is connected to Ethernet2/0/2 of the Router, which belongs to
VLAN 2. The network requires the following configurations:
l To prevent hackers from using MAC addresses to attack the network, configure a static
MAC address entry for each user host on the Router.
l To prevent unauthorized users from using the server's MAC address to intercept data,
configure a static MAC address entry for the server on the Router.
l Set the aging time for the dynamic MAC address entries to 500 seconds.
Figure 1-7 Network diagram

MAC:
Server 0004-0004-0004
VLAN2
Eth2/0/2
Router
Eth2/0/1
LSW VLAN2
PC1 PC2
MAC: MAC:
0002-0002-0002 0003-0003-0003

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on the Router and add the interfaces to the VLANs.
2. Configure static MAC address entries.
3. Set the aging time for the dynamic MAC address entries.
Procedure
Step 1 Add static MAC address entries.
# Create VLAN 2 and add Ethernet2/0/1 and Ethernet2/0/2 to VLAN 2.

<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 2
[Router-vlan2] quit
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port hybrid tagged vlan 2
[Router-Ethernet2/0/1] quit
[Router-Ethernet2/0/2] port hybrid pvid vlan 2
[Router-Ethernet2/0/2] port hybrid untagged vlan 2
# Configure static MAC address entries.

[Router] mac-address static 0002-0002-0002 ethernet 2/0/1 vlan 2
Step 2 Set the aging time for the dynamic MAC address entries.
[Router] mac-address aging-time 500
Step 3 Verify the configuration.
# Run the display mac-address command in any view to check whether the static MAC
address entries are successfully added to the MAC address table.
[Router] display mac-address static vlan 2
-------------------------------------------------------------------------------
MAC Address VLAN/Bridge/VSI/BD Learned-From Type
-------------------------------------------------------------------------------
0002-0002-0002 2/- Eth2/0/1 static
0003-0003-0003 2/- Eth2/0/1 static
0004-0004-0004 2/- Eth2/0/2 static
-------------------------------------------------------------------------------
Total items displayed = 3
# Run the display mac-address aging-time command to check whether the aging time for
dynamic entries is set successfully.
[Router] display mac-address aging-time
Aging time: 500 seconds
----End

Configuration Files
Router configuration file
#
sysname Router
#
vlan batch 2
#
mac-address aging-time 500
#
interface Ethernet2/0/1
port hybrid tagged vlan 2
#
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
mac-address static 0002-0002-0002 Ethernet2/0/1 vlan 2
#
return
1.11.2 Example for Configuring Blackhole MAC Address Entries
As shown in Figure 1-8, the Router receives packets from an unauthorized PC that has the
MAC address of 0005-0005-0005 and belongs to VLAN 3. This MAC address entry can be
configured as a blackhole MAC address entry so that the Router filters out packets from the
unauthorized PC.
Figure 1-8 Networking for configuring a blackhole MAC address entry
MAC Address VLANID Unauthorized

0005-0005-0005 3 user
Router
Authorized Authorized Authorized

User 1 User 2 User 3
1. Create a VLAN to implement Layer 2 forwarding.

2. Configure a blackhole MAC address entry to filter out packets from the unauthorized
PC.
Procedure
Step 1 Configure a blackhole MAC address entry.
# Create VLAN 3.
[Router] vlan 3
[Router-vlan3] quit
# Configure a blackhole MAC address entry.

[Router] mac-address blackhole 0005-0005-0005 vlan 3
# Run the display mac-address blackhole command in any view to check whether the
blackhole MAC address entry is successfully added to the MAC address table.
[Router] display mac-address blackhole
-------------------------------------------------------------------------------
MAC Address VLAN/Bridge Learned-From Type
-------------------------------------------------------------------------------
0005-0005-0005 3/- - blackhole
-------------------------------------------------------------------------------
----End
Configuration Files
#
sysname Router
#
vlan batch 3
#
mac-address blackhole 0005-0005-0005 vlan 3
#
return
1.11.3 Example for Configuring MAC Address Limiting Rules on

Interfaces
As shown in Figure 1-9, Ethernet2/0/1 and Ethernet2/0/2 of the Router are connected to
LSWs. One LSW is connected to individual users, and the other is connected to enterprise
users. To prevent MAC address attacks and limit the number of access users on the Router,
configure MAC address limiting rules on Ethernet2/0/1 and Ethernet2/0/2.

Figure 1-9 Network diagram for MAC address limiting on interfaces
IP
network
Router
Eth2/0/1 Eth2/0/2
……
LSW LSW
Individual Enterprise
user user
1. Set the limit on the number of MAC addresses learned by the interfaces.
2. Set the action performed when the limit is reached.
Procedure
Step 1 Configure MAC address limiting rules on the interfaces.
[Huawei] interface ethernet 2/0/1
[Huawei-Ethernet2/0/1] mac-limit maximum 4 action discard alarm enable
[Huawei-Ethernet2/0/1] quit
[Huawei-Ethernet2/0/2] mac-limit maximum 100 action discard alarm enable

# Run the display mac-limit command in any view to check whether the MAC address
limiting rule is successfully configured.
<Huawei> display mac-limit
-----------------------------------------------------------------------
PORT VLAN Maximum Action Alarm
-----------------------------------------------------------------------
Eth2/0/1 - 4 discard enable
Eth2/0/2 - 100 discard enable
-----------------------------------------------------------------------
----End
Configuration Files
Configuration file of the Router
#

mac-limit maximum 4
#
mac-limit maximum 100
#
return
1.11.4 Example for Configuring a MAC Address Learning Rule in

a VLAN
As shown in Figure 1-10, Ethernet2/0/1 and Ethernet2/0/2 of the Router are connected to
LSWs. The LSWs are connected to users, including a few IP phone users and many computer
users. IP phone users are in VLAN 100, and computer users are in VLAN 200. To prevent
MAC address attacks and save MAC address table space, configure a rule to limit the number
of MAC addresses learned in VLAN 200.
Figure 1-10 Networking diagram for MAC address limiting in a VLAN
IP
network
Router
Eth2/0/1 Eth2/0/2
……
LSW LSW
VLAN100 VLAN200
1. Create VLANs on the Router and add the interfaces to the VLANs.
2. Set the limit on the number of MAC addresses learned in the VLAN 200.
Procedure
Step 1 Configure a MAC address limiting rule in the VLAN 200.
# Add Ethernet2/0/1 to VLAN 100 and VLAN 200; add Ethernet2/0/2 to VLAN 200.
[Huawei] vlan batch 100 200
[Huawei-Ethernet2/0/1] port link-type trunk
[Huawei-Ethernet2/0/1] port trunk allow-pass vlan 100 200


[Huawei-Ethernet2/0/2] port trunk allow-pass vlan 200
# Configure the following MAC address limiting rule in VLAN 200:

l A maximum of 500 MAC addresses can be learned.
l When the number of learned MAC address entries reaches the limit, the Router forwards
packets with new source MAC addresses and generates an alarm, but does not add the
new MAC addresses to the MAC address table.
[Huawei] vlan 200
[Huawei-vlan200] mac-limit maximum 500 alarm enable
[Huawei-vlan200] quit
# Run the display mac-limit command in any view to check whether the MAC address
limiting rule is successfully configured.
<Huawei> display mac-limit
-----------------------------------------------------------------------
PORT VLAN Maximum Action Alarm
-----------------------------------------------------------------------
- 200 500 forward enable
-----------------------------------------------------------------------
----End
Configuration Files
#
vlan batch 100 200
#
vlan 200
mac-limit maximum 500
#
port link-type trunk
port trunk allow-pass vlan 100 200
#
port trunk allow-pass vlan 200
#
return
1.12 Troubleshooting MAC Address Tables
1.12.1 Correct MAC Address Entry Cannot Be Learned on the

Device
Fault Description
MAC address entries cannot be learned on the device, so Layer 2 forwarding fails.

Procedure
Step 1 Check that the configurations on the interface are correct.
Run the display mac-address command in any view to check whether the binding
relationships between the MAC address, VLAN, and interface are correct.
<Huawei> display mac-address
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
0025-9e80-2494 1/- Eth2/0/0 dynamic
-------------------------------------------------------------------------------
If not, re-configure the binding relationships between the MAC address, VLAN, and
interface.
If yes, go to step 2.
Step 2 Check whether a loop on the network causes MAC address flapping.
Generally, MAC address flapping is caused by loops. You can run the loop-detect eth-loop
command in the VLAN view to enable the MAC flapping detection function. The router
checks whether a MAC address moves from one interface to another in the VLAN.
Use either of the following methods to prevent MAC address flapping:
l Remove the loop from the network.
If no loop exists, go to step 3.
Step 3 Check whether the interface is blocked by a loop prevention protocol.
Run the display stp brief command in any view to check whether the interface participates in
STP calculation and check the interface status.
Run the display sep topology command in any view to check whether the interface
participates in STP calculation and check the interface status.
If the interface status is incorrect, check the STP or SEP configuration.
If the interface status is correct, go to step 4.
Step 4 Check that MAC address learning is enabled.
Check whether MAC address learning is enabled in the interface view and the VLAN view.
[Huawei-Ethernet2/0/0] display this
#
mac-address learning disable
undo negotiation auto
speed 100
#
return
[Huawei-vlan10] display this
#
vlan 10
mac-address learning disable
#
return
If the command output contains mac-address learning disable, MAC address learning is
disabled on the interface or VLAN.

l If MAC address learning is disabled, run the undo mac-address learning disable
command in the interface view or VLAN view to enable MAC address learning.
l If MAC address learning is enabled on the interface, go to step 4.
Step 5 Check whether any blackhole MAC address entry or MAC address limiting is configured.
If a blackhole MAC address entry or MAC address limiting is configured, the interface
discards packets.
l Blackhole MAC address entry
Run the display mac-address blackhole command to check whether any blackhole
MAC address entry is configured.
[Huawei] display mac-address blackhole
------------------------------------------------------------------------------
-
------------------------------------------------------------------------------
-
0001-0001-0001 3333/- - blackhole
------------------------------------------------------------------------------
-
If a blackhole MAC address entry is displayed, run the undo mac-address blackhole
command to delete it.
l MAC address limiting on the interface or VLAN
– Run the display this command in the interface view or VLAN view. If the
command output contains mac-limit maximum, the number of learned MAC
addresses is limited. Run either of the following commands:
n Run the undo mac-limit command in the interface view or VLAN view to
cancel MAC address limiting.
n Run the mac-limit command in the interface view or VLAN view to increase
the maximum number of learned MAC address entries.
– Run the display this command in the interface view. If the command output
contains port-security max-mac-num or port-security enable, the number of
secure dynamic MAC addresses is limited on the interface. Run either of the
following commands:
NOTE
By default, the limit on the number of secure dynamic MAC addresses is 1 after port
security is enabled.
n Run the undo port-security enable command in the interface view to disable
port security.
n Run the port-security max-mac-num command in the interface view to
increase the maximum number of secure dynamic MAC address entries on the
interface.
If the fault persists, go to step 5.
Step 6 Check whether the number of learned MAC address entries has reached the maximum value
supported by the router.
Run the display mac-address summary command to check the number of MAC address
entries in the MAC address table.
l If the number of learned MAC address entries has reached the maximum value supported
by the router, no MAC address entry can be created. Run the display mac-address
command to view all MAC address entries.

– If the number of MAC address entries learned on an interface is much larger than
the number of devices on the network connected to the interface, a user on the
network may maliciously update the MAC address table. Check the device
connected to the interface:
n If the interface is connected to a device, run the display mac-address
command on the device to view its MAC address table. Locate the interface
connected to the malicious user host based on the displayed MAC address
entries. If the interface that you find is connected to another device, repeat this
step until you find the user of the malicious user.
n If the interface is connected to a computer, perform either of the following
operations after obtaining permission from the administrator:
○ Disconnect the computer. When the attack stops, connect the computer to
the network again.
○ Run the port-security enable command on the interface to enable port
security or run the mac-limit command to set the maximum number of
MAC addresses that the interface can learn to 1.
n If the interface is connected to a hub, perform either of the following
operations:
○ Configure port mirroring or other tools to observe packets received by the
interface. Analyze the packet types to locate the attacking computer.
Disconnect the computer after obtaining permission from the
administrator. When the attack stops, connect the computer to the hub
again.
○ Disconnect computers connected to the hub one by one after obtaining
permission from the administrator. If the fault is rectified after a computer
is disconnected, the computer is the attacker. After it stops the attack,
connect it to the hub again.
– If the number of MAC addresses on the interface is equal to or smaller than the
number of devices connected to the interface, the number of devices connected to
the router has exceeded the maximum supported by the router. Adjust network
deployment.
----End
1.13 FAQ About MAC Address Tables
1.13.1 What Are the Differences Between Static MAC Addresses

and Sticky MAC Addresses?
Both types of media access control (MAC) addresses are saved as static MAC addresses on
devices. However, static MAC addresses and sticky MAC addresses have difference origins.
Static MAC addresses are created manually, while sticky MAC addresses are converted from
valid dynamic MAC addresses after the sticky MAC address is enabled on an interface.
1.13.2 Why Are Source MAC Addresses Not Learned?

The causes are as follows:

l The device does not receive packets because the link is Down, the interface does not join
the VLAN, the interface participates in spanning tree calculation and is blocked, and so
on.
l Loops cause MAC address flapping.
l MAC address learning is disabled or corresponding Sticky MAC address entries already
exist.
l The number of learned MAC address entries has reached the maximum.
l The static or blackhole route is configured.
1.13.3 Can Multicast Packet Source MAC Addresses Be Learned?

Yes.
1.13.4 Why Do MAC Address Entries Need to Be Synchronized

Between Boards and What Are the Functions of Real-Time
Synchronization and Periodic Synchronization?
Synchronizing MAC address entries ensures that most Layer 2 packets are forwarded based
on MAC addresses, reducing broadcasts.
The functions of real-time synchronization and periodic synchronization are:
l Real-time synchronization responds to MAC address changes quickly, but packet loss
may occur during synchronization due to the limited processing capacity of the system.
l Periodic synchronization synchronizes MAC address entries at an interval of several
seconds. It works with real-time synchronization to ensure that all MAC addresses are
synchronized and prevents aging of MAC address entries synchronized from other
boards.
1.13.5 Which MAC Addresses Do Not Age?

Static media access control (MAC) addresses and blackhole MAC addresses.

Configuration 2 Link Aggregation Configuration
2 Link Aggregation Configuration
About This Chapter
Link aggregation is a technology that bundles multiple Ethernet links into a logical link to
increase bandwidth, improve reliability, and load balance traffic.
2.1 Overview of Link Aggregation
This section describes definition and purpose of link aggregation.
2.2 Understanding Link Aggregation
This section describes principles of link aggregation.
2.3 Application Scenarios for Link Aggregation
This section describes application environments of Ethernet link aggregation.
2.4 Summary of Link Aggregation Configuration Tasks
The device supports the manual load balancing mode and Link Aggregation Control Protocol
(LACP) mode.
2.5 Licensing Requirements and Limitations for Link Aggregation
This section describes the notes about configuring an Eth-Trunk.
2.6 Default Settings for Link Aggregation
This section describes default parameter settings of link aggregation.
2.7 Configuring Link Aggregation in Manual Load Balancing Mode
Link aggregation implements load balancing, increases bandwidth, and improves transmission
reliability.
2.8 Configuring Link Aggregation in LACP Mode
reliability.
2.9 Creating an Eth-Trunk Sub-interface
Sub-interfaces can be configured on a Layer 3 Eth-Trunk. When Layer 3 devices connect to
Layer 2 devices in different VLANs through the Layer 3 Eth-Trunk, sub-interfaces must be
configured on the Eth-Trunk to identify packets from different VLANs and to enable users in
different VLANs to communicate with each other.
2.10 Maintaining Link Aggregation

This section describes how to maintain link aggregation, including monitoring the link
aggregation running status and clearing LACPDU statistics.
2.11 Configuration Examples for Link Aggregation
This section provides several configuration examples of link aggregation.
2.12 Troubleshooting Link Aggregation
This section describes common configuration errors.
2.13 FAQ About Link Aggregation
This section describes the FAQ of link aggregation.
2.1 Overview of Link Aggregation

This section describes definition and purpose of link aggregation.
Definition
Ethernet link aggregation, also called Eth-Trunk, bundles multiple physical links to form a
logical link to increase link bandwidth. The bundled links back up each other, increasing
reliability.
Purpose
As the network scale expands increasingly, users propose increasingly high requirements on
Ethernet backbone network bandwidth and reliability. Originally, to increase the bandwidth,
users use high-speed cards or devices supporting high-speed interface cards to replace old
interface cards or devices. This solution, however, is costly and inflexible.
Link aggregation helps increase bandwidth by bundling a group of physical interfaces into a
single logical interface, without having to upgrade hardware. In addition, link aggregation
provides link backup mechanisms, greatly improving link reliability.
Link aggregation has the following advantages:
l Increased bandwidth
The bandwidth of the link aggregation interface is the sum of bandwidth of member
interfaces.
l Higher reliability
When an active link fails, traffic on this active link is switched to another active link,
improving reliability of the link aggregation interface.
l Load balancing
In a link aggregation group (LAG), traffic is load balanced among active links of
member interfaces.
2.2 Understanding Link Aggregation

This section describes principles of link aggregation.
2.2.1 Concepts
As shown in Figure 2-1, DeviceA and DeviceB are connected through three Ethernet physical
links. The three Ethernet physical links are bundled into an Eth-Trunk link, and the bandwidth

of the Eth-Trunk link is the sum of bandwidth of the three Ethernet physical links. The three
Ethernet physical links back up each other, improving reliability.
Figure 2-1 Eth-Trunk networking
Eth-Trunk
DeviceA DeviceB
Link aggregation concepts are described as follows:
l LAG and LAG interface

A link aggregation group (LAG) is a logical link bundled by multiple Ethernet links.
Each LAG corresponds to a logical interface, that is, link aggregation interface or Eth-
Trunk. The Eth-Trunk can be used as a common Ethernet interface. The only difference
between the Eth-Trunk and common Ethernet interface is that the Eth-Trunk needs to
select one or more member interfaces to forward traffic.
l Member interface and member link
The interfaces that constitute an Eth-Trunk are member interfaces. The link
corresponding to a member interface is a member link.
l Active and inactive interfaces and links
There are two types of interfaces in an LAG: active interface that forwards data and
inactive interface that does not forward data.
The link connected to an active interface is the active link, whereas the link connected to
an inactive interface is the inactive link.
l Upper threshold for the number of active interfaces
When the number of active interfaces reaches this threshold, the bandwidth of an Eth-
Trunk will not increase even if more member links go Up. This guarantees higher
network reliability. When the number of active member interfaces reaches the upper
threshold, additional active member interfaces are set to Down.
For example, 8 trouble-free member links are bundled into an Eth-Trunk link and each
link provides a bandwidth of 1 Gbit/s. The Eth-Trunk link only needs to provide a
maximum bandwidth of 5 Gbit/s. You can set the maximum number of Up member links
to 5 or larger. Then any unselected Up links automatically enter the backup state,
improving reliability.
NOTE
The upper threshold for the number of active interfaces is inapplicable to the manual load
balancing mode.
l Lower threshold for the number of active interfaces
When the number of active interfaces falls below this threshold, an Eth-Trunk goes
Down. This guarantees the Eth-Trunk a minimum available bandwidth.
For example, if the Eth-Trunk is required to provide a minimum bandwidth of 2 Gbit/s
and each member link's bandwidth is 1 Gbit/s, the minimum number of Up member links
must be set to 2 or larger.
l Link aggregation mode

There are two link aggregation modes: manual and LACP. Table 2-1 compares the two
modes.
Table 2-1 Comparisons between link aggregation modes

Item Manual Mode LACP Mode
Definition You must manually create An Eth-Trunk is created

an Eth-Trunk and add based on LACP. LACP
member interfaces to the provides a standard
Eth-Trunk. In this mode, negotiation mechanism for
LACP is not required. a switching device so that
the switching device can
automatically form and
start the aggregated link
according to its
configuration. After the
aggregated link is formed,
LACP is responsible for
maintaining the link status.
When the link aggregation
condition is changed,
LACP adjusts or removes
the aggregated link.
Whether LACP is required No Yes
Data forwarding Generally, all links are Generally, some links are
active links. All active active links. All active
links participate in data links participate in data
forwarding. If one active forwarding. If an active
link fails, traffic is load link fails, the system
balanced among the selects a link among
remaining active links. inactive links as the active
link. That is, the number
of links participating in
data forwarding remains
unchanged.
Fault detection This mode can only detect This mode can detect
member link member link
disconnections, but cannot disconnections and other
detect other faults such as faults such as link layer
link layer faults and faults and incorrect link
incorrect link connections. connections.
NOTE
For more information, see 2.2.2 Link Aggregation in Manual Mode and 2.2.3 Link Aggregation in
LACP Mode.

2.2.2 Link Aggregation in Manual Mode

Link aggregation can work in manual or static LACP mode depending on whether LACP is
used.
In manual mode, you must manually create an Eth-Trunk and add member interfaces to the
Eth-Trunk. In this mode, LACP is not required. The manual mode applies to the scenario
where a high link bandwidth between two directly connected devices is required but the
remote device does not support the LACP protocol. This mode can increase bandwidth,
enhance reliability, and implement load balancing.
As shown in Figure 2-2, an Eth-Trunk is created between DeviceA and DeviceB. In manual
mode, three active links participate in data forwarding and load balance traffic. When one link
becomes faulty, the remaining two links load balance traffic.
Figure 2-2 Link aggregation in manual mode
DeviceA DeviceB
A%
B% Eth-Trunk
C%
A%+B%+C%=100%
One link is faulty
DeviceA DeviceB
D%
E% Eth-Trunk
D%+E%=100%
2.2.3 Link Aggregation in LACP Mode
Background
An Eth-Trunk in manual load balancing mode can increase the bandwidth. However, the
manual mode can only detect member link disconnections, but cannot detect other faults such
as link layer faults and incorrect link connections.
The Link Aggregation Control Protocol (LACP) can improve fault tolerance of the Eth-Trunk,
provide backup, and ensure high reliability of member links.
LACP uses a standard negotiation mechanism for a switching device so that the switching
device can create and start the aggregated link based on its configuration. After the aggregated
link is created, LACP maintains the link status. If an aggregated link's status changes, LACP
adjusts or removes the link.
For example, in Figure 2-3, four interfaces on DeviceA are bundled into an Eth-Trunk and the
Eth-Trunk is connected to the corresponding interfaces on DeviceB. Because an interface on
DeviceA is incorrectly connected to an interface on DeviceC, DeviceA may incorrectly send
data destined for DeviceB to DeviceC. However, the Eth-Trunk in manual load balancing
mode cannot detect this fault in a timely manner.
If LACP is enabled on DeviceA and DeviceB, the Eth-Trunk correctly selects active links to
forward data after negotiation. Data sent by DeviceA can reach DeviceB.

Figure 2-3 Incorrect Eth-Trunk connection
DeviceA DeviceB
Eth-Trunk
DeviceC
Concepts
l LACP system priority
LACP system priorities are set on devices at both ends of an Eth-Trunk. In LACP mode,
active member interfaces selected by both devices must be consistent; otherwise, an
LAG cannot be established. To keep active member interfaces consistent at both ends,
set a higher priority for one end so that the other end selects active member interfaces
based on the selection of the end with a higher priority. The smaller the LACP system
priority value, the higher the LACP system priority.
l LACP interface priority
Interface LACP priorities are set to prioritize interfaces of an Eth-Trunk. Interfaces with
higher priorities are selected as active interfaces. The smaller the LACP interface priority
value, the higher the LACP interface priority.
l M:N backup of member interfaces
In LACP mode, LACP is used to negotiate parameters to determine active links in an
LAG. This mode is also called the M:N mode, where M refers to the number of active
links and N refers to the number of backup links. This mode guarantees high reliability
and allows traffic to be load balanced among M active links.
As shown in Figure 2-4, M+N links with the same attributes (in the same LAG) are set
up between two devices. When data is transmitted over the aggregated link, traffic is
load balanced among M active links and no data is transmitted over N backup links.
Therefore, the actual bandwidth of the aggregated link is the sum of the M links'
bandwidth, and the maximum bandwidth of the aggregated link is the sum of the M+N
links' bandwidth.
If one of M links fails, LACP selects a link from N backup links to replace the faulty
link. The actual bandwidth of the aggregated link is still the sum of M links' bandwidth,
but the maximum bandwidth of the aggregated link is the sum of the (M+N-1) links'
bandwidth.

Figure 2-4 Networking of M:N backup
DeviceA DeviceB
Eth-Trunk
Eth-Trunk 1 Eth-Trunk 1
Active link
Backup link
M:N backup is mainly applied in situations where the bandwidth of M links must be
assured and a fault tolerance mechanism is in place. If an active link fails, the system
selects the backup link with the highest priority as the active link.
If no available backup link is found and the number of active links is smaller than the
lower threshold for the number of active interfaces, the system shuts down the LAG.
Implementation of Link Aggregation in LACP Mode

LACP, as specified in IEEE 802.3ad, implements dynamic link aggregation and de-
aggregation, allowing both ends to exchange Link Aggregation Control Protocol Data Units
(LACPDUs).
After member interfaces are added to an Eth-Trunk in LACP mode, each end sends
LACPDUs to inform its remote end of its system priority, MAC address, member interface
priorities, interface numbers, and keys. The remote end then compares this information with
that saved on itself, and selects which interfaces to be aggregated. The two ends perform
LACP negotiation to select active interfaces and links.
Figure 2-5 shows the format of an LACPDU.

Figure 2-5 Fields in an LACPDU

Destination Address
Source Address
Length/Type
Subtype=LACP
Version Number
TLV_type=Actor Information
Actor_Information_Length=20
Actor_System_Priority
Actor_System
Actor_Key
Actor_Port_Priority
Actor_Port
Actor_State
Reserved
TLV_type=Partner Information
Partner_Information_Length=20
Partner_System_Priority
Partner_System
Partner_Key
Partner_Port_Priority
Partner_Port
Partner_State
Reserved
TLV_type=Collector Information
Collector_Information_Length=16
CollectorMaxDelay
Reserved
TLV_type=Terminator
Terminator_Length=0
Reserved
FCS
The meaning of each field is explained as follows:

Item Description
Actor_Port/Partner_Port Interface of the Actor or Partner.
Actor_State/Partner_State Status of the Actor or Partner.
Actor_System_Priority/ System priority of the Actor or Partner.

Partner_System_Priority
Actor_System/Partner_System System ID of the Actor or Partner.
Actor_Key/Partner_Key Operational key of the Actor or Partner.
Actor_Port_Priority/Partner_Port_Priority Interface priority of the Actor or Partner.

l An Eth-Trunk in LACP mode is set up as follows:

a. Devices at both ends send LACPDUs to each other.
As shown in Figure 2-6, you need to create an Eth-Trunk in LACP mode on
DeviceA and DeviceB and add member interfaces to the Eth-Trunk. Then the
member interfaces are enabled with LACP, and devices at both ends can send
LACPDUs to each other.
Figure 2-6 LACPDUs sent in LACP mode
DeviceA LACPDU DeviceB
LACPDU
b. Devices at both ends determine the Actor and active links.

As shown in Figure 2-7, devices at both ends receive LACPDUs from each other.
For example, when DeviceB receives LACPDUs from DeviceA, DeviceB checks
and records information about DeviceA and compares system priorities. If the
system priority of DeviceA is higher than that of DeviceB, DeviceA acts as the
Actor. If DeviceA and DeviceB have the same system priority, the device with a
smaller MAC address functions as the Actor.
After devices at both ends select the Actor, they select active interfaces according to
the priorities of the Actor's interfaces. Then active interfaces are selected, active
links in the LAG are specified, and load balancing is implemented among these
active links.
Figure 2-7 Selecting the Actor in LACP mode

LACP port priority LACP port priority
DeviceA DeviceB
1 3
2 2
3 1
The device with higher The device with lower
system priority system priority
Compare system priority
and determine the Actor
LACP port priority LACP port priority
DeviceA DeviceB
1 3
2 2
3 1
Actor The Actor determines

active links
DeviceA LACP port priority LACP port priority DeviceB
1 3
2 2
3 1
Actor
l LACP preemption

When LACP preemption is enabled, interfaces with higher priorities in an LAG function
as active interfaces.
As shown in Figure 2-8, Port 1, Port 2, and Port 3 are member interfaces of an Eth-
Trunk; DeviceA acts as the Actor; the upper threshold for the number of active interfaces
is 2; LACP priorities of Port 1, Port 2, and Port 3 are 10, 20, and 30 respectively. When
LACP negotiation is complete, Port 1 and Port 2 are selected as active interfaces because
their LACP priorities are higher, and Port 3 is used as the backup interface.
Figure 2-8 LACP preemption
DeviceA LACP port priority DeviceB

Port 1 10 Port 1
Port 2 20 Eth-Trunk Port 2
Port 3 30 Port 3
Actor
Active link
Backup link
LACP preemption is used in the following situations:

– Port 1 becomes faulty, and then recovers. When Port 1 fails, Port 3 replaces Port 1
to transmit services. After Port 1 recovers, if LACP preemption is not enabled on
the Eth-Trunk, Port 1 still retains in backup state. If LACP preemption is enabled on
the Eth-Trunk, Port 1 and Port 3 become the active interface and backup interface
respectively.
– If LACP preemption is enabled and Port 3 needs to replace Port 1 or Port 2 to
become the active interface, set the highest LACP priority value for Port 3. When
LACP preemption is not enabled, the system does not re-select the active interface
even if the priority of a backup interface is higher than that of the active interface.
l LACP preemption delay
After LACP preemption occurs, a backup link waits for a given period of time and then
switches to the active status. This period is called LACP preemption delay. The LACP
preemption delay is used to prevent unstable data transmission over an Eth-Trunk link
caused by frequent status changes of member links.
As shown in Figure 2-8, Port 1 becomes inactive due to a link fault. Then the link of
Port 1 recovers. If LACP preemption is enabled and the LACP preemption delay is set,
Port 1 switches to be active after the LACP preemption delay.
l Switchover between active and inactive links
In LACP mode, a link switchover in an LAG is triggered if a device at one end detects
one of the following events:
– An active link goes Down.
– Ethernet OAM detects a link fault.
– LACP detects a link fault.
– An active interface becomes unavailable.
– When LACP preemption is enabled, a backup interface's priority is changed to be
higher than that of the current active interface.
When any of the preceding events occurs, perform the following operations:
a. Shut down the faulty link.

b. Select the backup link with the highest priority among N backup links to replace the
faulty active link.
c. The highest priority backup link becomes the active link and begins forwarding
data.
2.2.4 Load Balancing Modes of Link Aggregation

Background
A data flow is a group of data packets with one or more identical attributes. The attributes
include the source MAC address, destination MAC address, source IP address, destination IP
address, source TCP/UDP port number, and destination TCP/UDP port number.
Load balancing falls into packet- and flow-based load balancing.
l Packet-based load balancing
There are multiple physical links between both devices of the Eth-Trunk, so the first and
second data frames of the same data flow may be transmitted over two physical links. In
this case, the second data frame may arrive at the remote device earlier than the first data
frame. As a result, packet mis-sequencing occurs.
l Flow-based load balancing
The system uses the hash algorithm to calculate the address in a data frame and generates
a HASH-KEY value. Then the system searches for the outbound interface in the Eth-
Trunk forwarding table based on the generated HASH-KEY value. Each MAC or IP
address corresponds to a HASH-KEY value, so the system uses different outbound
interfaces to forward data. This mode ensures that frames of the same data flow are
forwarded on the same physical link and implements load balancing of flows. Flow-
based load balancing ensures the sequence of data transmission, but cannot ensure the
bandwidth utilization.
Forwarding Principle
As shown in Figure 2-9, the Eth-Trunk is located between the MAC address layer and the
LLC sub-layer, that is, data link layer.
Figure 2-9 Eth-Trunk in the Ethernet protocol stack
LLC
Data link Eth-Trunk
layer
MAC
Physical layer PHY
The Eth-Trunk module maintains a forwarding table that consists of the following entries:
l HASH-KEY value
The HASH-KEY value is calculated through the hash algorithm based on the MAC
address or IP address in a packet.
l Interface number

Eth-Trunk forwarding entries are relevant to the number of member interfaces in an Eth-
Trunk. Different HASH-KEY values map different outbound interfaces.
For example, an Eth-Trunk supports a maximum of eight member interfaces. If physical
interfaces 1, 2, 3, and 4 are bundled into an Eth-Trunk, the Eth-Trunk forwarding table
contains four entries, as shown in Figure 2-10. In the Eth-Trunk forwarding table, the
HASH-KEY values are 0, 1, 2, and 3, and the corresponding interface numbers are 1, 2,
3, and 4.
Figure 2-10 Example of an Eth-Trunk forwarding table
HASH-KEY 0 1 2 3
PORT 1 2 3 4
The Eth-Trunk module forwards a packet according to the Eth-Trunk forwarding table:
1. The Eth-Trunk module receives a packet from the MAC sub-layer, and then extracts its
source/destination MAC address or IP address.
2. The Eth-Trunk module calculates the HASH-KEY value using the hash algorithm.
3. Based on the HASH-KEY value, the Eth-Trunk module searches the Eth-Trunk
forwarding table for the interface number, and then sends the packet from the
corresponding interface.
Load Balancing Mode

To prevent data packet mis-sequencing, an Eth-Trunk uses flow-based load balancing. Data
forwarding varies depending on the load balancing mode.
You can use the following load balancing modes according to the actual networking:
l Based on source MAC addresses of packets

l Based on destination MAC addresses of packets
l Based on source IP addresses of packets
l Based on destination IP addresses of packets
l Based on the Exclusive-Or result of source and destination MAC addresses of packets
l Based on the Exclusive-Or result of source and destination IP addresses of packets
When configuring a load balancing mode, pay attention to the following points:
l The load balancing mode is only valid for the outbound interface of traffic. If traffic of
the inbound interface is uneven, change the load balancing mode of the uplink outbound
interface.
l Data flows should be load balanced among all active links as much as possible. If data
flows are transmitted over one link, traffic congestion may occur and service running is
affected.
For example, when data packets have only one destination MAC address and IP address,
use load balancing based on the source MAC address and IP address of packets. If load
balancing based on the destination MAC address and IP address is used, traffic is
transmitted over one link, causing congestion.

2.3 Application Scenarios for Link Aggregation

This section describes application environments of Ethernet link aggregation.
2.3.1 Application of Eth-Trunk

As shown in Figure 2-11, traffic of services with different priorities is sent to the core
network through the UPE and PE-AGG. To ensure the bandwidth and reliability of the link
between the UPE and PE-AGG, an LAG, Eth-Trunk 1, is established.
Figure 2-11 Link aggregation networking
Core
Network
PE-AGG
Eth-Trunk 1
UPE
VoIP DATA
IPTV
You can determine the working mode for the Eth-Trunk according to the following situations:
l If devices at both ends of the Eth-Trunk support LACP, the LACP mode is
recommended.
l If the device at either end of the Eth-Trunk does not support LACP, you must use the
manual load balancing mode.
QoS can be implemented on an Eth-Trunk as a common interface. At both ends (UPE and PE-
AGG) of Eth-Trunk 1, traffic shaping, congestion management, and congestion avoidance can
be performed for outgoing traffic, ensuring that packets of high priorities are sent in a timely
manner.
2.4 Summary of Link Aggregation Configuration Tasks

The device supports the manual load balancing mode and Link Aggregation Control Protocol
(LACP) mode.
Table 2-2 lists the link aggregation configuration tasks.

Table 2-2 Link aggregation configuration tasks

Item Description Task
Configure link aggregation In manual load balancing 2.7 Configuring Link

in manual load balancing mode, you must manually Aggregation in Manual
mode. create an Eth-Trunk and add Load Balancing Mode
member interfaces to the
Eth-Trunk. All active links
forward data and evenly
load balance traffic. The
manual load balancing mode
is often used when the
remote device does not
support LACP.
Configure link aggregation In LACP mode, you must 2.8 Configuring Link
in LACP mode. manually create an Eth- Aggregation in LACP
Trunk and add interfaces to Mode
the Eth-Trunk. LACP
determines active interfaces
by negotiating parameters in
LACPDUs. LACP provides
backup links and ensures
high reliability of member
links
2.5 Licensing Requirements and Limitations for Link

Aggregation
This section describes the notes about configuring an Eth-Trunk.

None
Ethernet link aggregation is a basic feature of a router and is not under license control.
Feature Limitations
When deploying Link Aggregation on the router, pay attention to the following:
l AR100-S, AR110-S, AR120-S, AR150-S2, and AR160-S series do not support link
aggregation.
Before an Eth-Trunk Is Configured:
l Member interfaces cannot be configured with some services. For example, the link type
of a member interface cannot be modified, and static MAC address entries cannot be
configured.

l An Eth-Trunk cannot be added to another Eth-Trunk.

l Member interfaces of an Eth-Trunk must use the same Ethernet type and rate.
Interfaces that use different Ethernet types and rates cannot join the same Eth-Trunk. For
example, GE and FE interfaces cannot join the same Eth-Trunk, and GE electrical and
optical interfaces cannot join the same Eth-Trunk.
l If an interface of the local device is added to an Eth-Trunk, an interface of the remote
device directly connected to the interface of the local device must also be added to an
Eth-Trunk so that the two ends can communicate.
l Both devices of an Eth-Trunk must use the same link aggregation mode.
After an Eth-Trunk Is Configured:

l An Ethernet interface can be added to only one Eth-Trunk. To add an Ethernet interface
to another Eth-Trunk, delete it from the original one first.
l After interfaces are added to an Eth-Trunk, the Eth-Trunk learns MAC addresses and
ARP entries but member interfaces do not.
l Before deleting an Eth-Trunk, delete member interfaces from the Eth-Trunk.
2.6 Default Settings for Link Aggregation

This section describes default parameter settings of link aggregation.
Table 2-3 Default setting for link aggregation

Parameter Value
Link aggregation mode Manual load balancing mode
Upper threshold for the number of active 8

member links
Lower threshold for the number of active 1

member links
LACP system priority 32768
LACP interface priority 32768
LACP preemption Disabled
LACP preemption delay 30s
Timeout interval at which LACPDUs are 90s

received
2.7 Configuring Link Aggregation in Manual Load

Balancing Mode
reliability.

NOTE
The 4GE-2S, 4ES2G-S, and 4ES2GP-S do not support link aggregation in manual load balancing mode.
2.7.1 Creating an Eth-Trunk
Context
Eth-Trunks increase bandwidth and improve transmission reliability. You can configure Layer
2 and Layer 3 Eth-Trunks based on network applications.
Procedure
l Create a Layer 2 Eth-Trunk.
a. Run system-view

b. Run interface eth-trunk trunk-id
A Layer 2 Eth-Trunk is created.
By default, no Eth-Trunk is created.

a. Run system-view


c. Run undo portswitch
The Eth-Trunk is configured to work in Layer 3 mode.
By default, the Eth-Trunk works in Layer 2 mode.

d. Run ip address ip-address { mask | mask-length } [ sub ]
An IP address is configured for the Layer 3 Eth-Trunk.
By default, no IP address is configured for the Layer 3 Eth-Trunk.

e. (Optional) Run mac-address mac-address
A MAC address is configured for the Layer 3 Eth-Trunk.
By default, an Eth-Trunk uses the system MAC address. When the MAC address of
the Eth-Trunk and the MAC address of another interface overlap and a MAC
address conflict occurs, run this command to configure a MAC address for the
Layer 3 Eth-Trunk.
f. (Optional) Run mtu mtu
The maximum transmission unit (MTU) of the Eth-Trunk is set.
The default MTU of an interface is 1500 bytes.

l The mtu command cannot be used on Layer 2 Eth-Trunks.

l Directly connected interfaces must use the same MTU. If you change the MTU
of a local interface, you must use the mtu command to change the MTU of the
remote interface to be the same value; otherwise, services may be interrupted.
----End
2.7.2 Setting the Manual Load Balancing Mode
Context
Link aggregation can work in manual load balancing mode and LACP mode.
In manual load balancing mode, you must manually create an Eth-Trunk and add member
interfaces to the Eth-Trunk. All active links forward data and evenly load balance traffic. The
manual load balancing mode is used when the peer device does not support LACP.
When an Eth-Trunk changes from manual load balancing mode to LACP mode, the Eth-
Trunk can contain member interfaces. When an Eth-Trunk changes from LACP mode to
manual load balancing mode, ensure that the Eth-Trunk has no member interface.
Procedure
Step 2 Run interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run mode manual load-balance
A working mode of the Eth-Trunk is configured.
By default, an Eth-Trunk works in manual load balancing mode.
Before configuring an Eth-Trunk, ensure that both ends use the same working mode. If the
local end works in manual load balancing mode, the remote end must use the manual load
balancing mode.
----End
2.7.3 Adding Member Interfaces to an Eth-Trunk

Context
You can add member interfaces to an Eth-Trunk in the Eth-Trunk interface view or member
interface view.
NOTE
The 4GE-2S, 4ES2G-S, 4ES2GP-S, and 9ES2 cards do not support the member interfaces of multiple
Eth-Trunks deployed on different cards.

Procedure
l Add member interfaces to an Eth-Trunk in the Eth-Trunk interface view.
a. Run system-view


c. Run trunkport interface-type { interface-number1 [ to interface-number2 ] }
&<1-8>
A member interface is added to the Eth-Trunk.
NOTE
When you add member interfaces to an Eth-Trunk in a batch, if one interface cannot be
added to the Eth-Trunk, interfaces with smaller IDs are added to the Eth-Trunk successfully
but those with larger IDs will fail to be added.
l Add member interfaces to an Eth-Trunk in the member interface view.
a. Run system-view

The member interface view is displayed.

c. Run eth-trunk trunk-id
The member interface is added to an Eth-Trunk.
When adding an interface to an Eth-Trunk, pay attention to the following points:
– An Eth-Trunk contains a maximum of 8 member interfaces.

– A member interface cannot be configured with some services or static MAC
addresses.
– When adding an interface to an Eth-Trunk, ensure that the interface uses the default
link type.
– An Eth-Trunk cannot be added to another Eth-Trunk.
– An Ethernet interface can be added to only one Eth-Trunk. To add the Ethernet
interface to another Eth-Trunk, delete it from the Eth-Trunk first.
– Member interfaces of an Eth-Trunk must use the same type.
– If an interface of the local device is added to an Eth-Trunk, an interface of the
remote device directly connected to the interface of the local device must also be
added to an Eth-Trunk so that the two ends can communicate.
– After interfaces are added to an Eth-Trunk, the Eth-Trunk learns MAC addresses
and ARP entries but member interfaces do not.
– Devices at both ends of an Eth-Trunk must use the same number of physical
interfaces, interface rate, duplex mode, flow control mode and jumbo.
----End

Follow-up Procedure
You can configure Eth-Trunk member interfaces to send trap messages after the Eth-Trunk
member interface status changes. After the device receives a trap message, check whether the
device fails or recovers.
If you need to know the status change of the member interface of a specified Eth-Trunk, run
the trunk-member trap in private-mib enable command to enable Eth-Trunk member
interfaces to use the proprietary MIB to send trap messages. The trap messages sent by using
the proprietary MIB carry Eth-Trunk IDs, whereas the trap messages sent by using the public
MIB do not carry Eth-Trunk IDs.
NOTE
After the trunk-member trap in private-mib enable command is configured, Eth-Trunk member
interfaces only use the proprietary MIB to send trap messages. To view these trap messages, use the
Huawei proprietary MIB.
2.7.4 (Optional) Setting the Lower Threshold for the Number of

Active Interfaces
Context
The lower threshold for the number of active interfaces affects the status and bandwidth of an
Eth-Trunk. To ensure that the Eth-Trunk functions properly and is less affected by member
link status changes, set the lower threshold for the number of active interfaces.
When the number of active interfaces falls below the lower threshold, the Eth-Trunk goes
Down. This ensures that the Eth-Trunk has a minimum available bandwidth.
The upper threshold for the number of active interfaces is inapplicable to the manual load
balancing mode.
Procedure
Step 3 Run least active-linknumber link-number
The lower threshold for the number of active interfaces is set.
By default, the lower threshold for the number of active interfaces is 1.
The lower threshold for the number of active interfaces on the local router can be different
from that on the remote router.
----End
2.7.5 (Optional) Configuring a Load Balancing Mode

Context
Perform the following steps on the device to configure a load balancing mode for an Eth-
Trunk.
NOTE
The AR100–S&AR110–S&AR120–S&AR150–S&AR160–S series, AR1220E-S, AR1220C-S,

AR2220E-S, AR2240C-S do not support configuring the load balancing mode.
The 4GE-2S, 4ES2G-S, 4ES2GP-S, and 9ES2 cards do not support the load balancing mode
configuration.
Procedure
l Configure a Layer 2 Eth-Trunk.
a. Run system-view

b. Run load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac }
A load balancing mode is configured for the Eth-Trunk.
By default, the load balancing mode of a Layer 2 Eth-Trunk is src-dst-mac.
Eth-Trunk member interfaces use flow-based load balancing. The local and remote
ends can use different load balancing modes, without affecting each other.
NOTE
All Layer 2 Eth-Trunks in the system must use the same load balancing mode. If the load
balancing mode of one Eth-Trunk is changed, all the other Eth-Trunks use the new load
balancing mode and do not support the dst-ip, src-ip and src-dst-ip parameters.
a. Run system-view


c. Run load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac }
By default, the load balancing mode of a Layer 3 Eth-Trunk is src-dst-ip.
----End
2.7.6 Verifying the Link Aggregation Configuration
Procedure
l Run the display eth-trunk [ trunk-id [ interface interface-type interface-number |
verbose ] ] command to check the Eth-Trunk configuration.

l Run the display trunkmembership eth-trunk trunk-id command to check information

about Eth-Trunk member interfaces.
l Run the display trunk resource command to check Eth-Trunk resources that have been
used on a device.
----End
2.8 Configuring Link Aggregation in LACP Mode

reliability.
2.8.1 Creating an Eth-Trunk
Context
Eth-Trunks increase bandwidth and improve transmission reliability. You can configure Layer
2 and Layer 3 Eth-Trunks based on network applications.
Procedure
a. Run system-view
A Layer 2 Eth-Trunk is created.
a. Run system-view
c. Run undo portswitch
The Eth-Trunk is configured to work in Layer 3 mode.
By default, the Eth-Trunk works in Layer 2 mode.
d. Run ip address ip-address { mask | mask-length } [ sub ]
An IP address is configured for the Layer 3 Eth-Trunk.
By default, no IP address is configured for the Layer 3 Eth-Trunk.
e. (Optional) Run mac-address mac-address
A MAC address is configured for the Layer 3 Eth-Trunk.
By default, an Eth-Trunk uses the system MAC address. When the MAC address of
the Eth-Trunk and the MAC address of another interface overlap and a MAC

address conflict occurs, run this command to configure a MAC address for the
Layer 3 Eth-Trunk.
f. (Optional) Run mtu mtu
The maximum transmission unit (MTU) of the Eth-Trunk is set.
The default MTU of an interface is 1500 bytes.
l The mtu command cannot be used on Layer 2 Eth-Trunks.

l Directly connected interfaces must use the same MTU. If you change the MTU
of a local interface, you must use the mtu command to change the MTU of the
remote interface to be the same value; otherwise, services may be interrupted.
----End
2.8.2 Setting the LACP Mode
Context
Link aggregation can work in manual load balancing mode or LACP mode depending on
whether LACP is used.
In LACP mode, you must manually create an Eth-Trunk and add interfaces to the Eth-Trunk.
However, LACP determines active interfaces through negotiation.
When an Eth-Trunk changes from manual load balancing mode to LACP mode, the Eth-
Trunk can contain member interfaces. When an Eth-Trunk changes from LACP mode to
manual load balancing mode, ensure that the Eth-Trunk has no member interface.
Procedure
Step 3 Run mode lacp-static
A working mode of the Eth-Trunk is configured.
By default, an Eth-Trunk works in manual load balancing mode.
Before configuring an Eth-Trunk, ensure that both ends use the same working mode. If the
local end works in LACP mode, the remote end must use the LACP mode.
----End

2.8.3 Adding Member Interfaces to an Eth-Trunk
Context
You can add member interfaces to an Eth-Trunk in the Eth-Trunk interface view or member
interface view.
NOTE
The 4GE-2S, 4ES2G-S, 4ES2GP-S, and 9ES2 cards do not support the member interfaces of multiple
Eth-Trunks deployed on different cards.
Procedure
l Add member interfaces to an Eth-Trunk in the Eth-Trunk interface view.
a. Run system-view


c. Run trunkport interface-type { interface-number1 [ to interface-number2 ] }
&<1-8>
A member interface is added to the Eth-Trunk.
NOTE
When you add member interfaces to an Eth-Trunk in a batch, if one interface cannot be
added to the Eth-Trunk, interfaces with smaller IDs are added to the Eth-Trunk successfully
but those with larger IDs will fail to be added.
l Add member interfaces to an Eth-Trunk in the member interface view.
a. Run system-view


c. Run eth-trunk trunk-id
The member interface is added to an Eth-Trunk.
When adding an interface to an Eth-Trunk, pay attention to the following points:
– An Eth-Trunk contains a maximum of 8 member interfaces.

– A member interface cannot be configured with some services or static MAC
addresses.
– When adding an interface to an Eth-Trunk, ensure that the interface uses the default
link type.
– An Eth-Trunk cannot be added to another Eth-Trunk.
– An Ethernet interface can be added to only one Eth-Trunk. To add the Ethernet
interface to another Eth-Trunk, delete it from the Eth-Trunk first.
– Member interfaces of an Eth-Trunk must use the same type.

– If an interface of the local device is added to an Eth-Trunk, an interface of the

remote device directly connected to the interface of the local device must also be
added to an Eth-Trunk so that the two ends can communicate.
– After interfaces are added to an Eth-Trunk, the Eth-Trunk learns MAC addresses
and ARP entries but member interfaces do not.
– Devices at both ends of an Eth-Trunk must use the same number of physical
interfaces, interface rate, duplex mode, flow control mode and jumbo.
----End
Follow-up Procedure
You can configure Eth-Trunk member interfaces to send trap messages after the Eth-Trunk
member interface status changes. After the device receives a trap message, check whether the
device fails or recovers.
If you need to know the status change of the member interface of a specified Eth-Trunk, run
the trunk-member trap in private-mib enable command to enable Eth-Trunk member
interfaces to use the proprietary MIB to send trap messages. The trap messages sent by using
the proprietary MIB carry Eth-Trunk IDs, whereas the trap messages sent by using the public
MIB do not carry Eth-Trunk IDs.
NOTE
After the trunk-member trap in private-mib enable command is configured, Eth-Trunk member
interfaces only use the proprietary MIB to send trap messages. To view these trap messages, use the
Huawei proprietary MIB.
2.8.4 (Optional) Setting the Upper and Lower Thresholds for the
Number of Active Interfaces
Context
The number of Up member links affects the status and bandwidth of an Eth-Trunk. To ensure
that the Eth-Trunk functions properly and is less affected by member link status changes, set
the following thresholds.
l Lower threshold for the number of active interfaces: When the number of active
interfaces falls below this threshold, the Eth-Trunk goes Down. This guarantees the Eth-
Trunk a minimum available bandwidth.
l Upper threshold for the number of active interfaces: It is used for improving network
reliability with assured bandwidth. When the number of active interfaces reaches this
threshold, you can add new member interfaces to the Eth-Trunk, but excess member
interfaces enter the Down state.
Procedure

Step 3 Run least active-linknumber link-number

The lower threshold for the number of active interfaces is set.
By default, the lower threshold for the number of active interfaces is 1.
The lower threshold for the number of active interfaces on the local device can be different
from that on the remote device. If the two values are different, the larger one is used.
Step 4 Run max active-linknumber link-number
The upper threshold for the number of active interfaces is set.
By default, the upper threshold for the number of active interfaces is 8.
The upper threshold for the number of active interfaces at the local end can be different from
that at the remote end. If the two values are different, the smaller one is used.
The upper threshold for the number of active interfaces must be greater than or equal to the
lower threshold for the number of active interfaces.
----End
2.8.5 (Optional) Configuring a Load Balancing Mode
Context
Perform the following steps on the device to configure a load balancing mode for an Eth-
Trunk.
NOTE
The AR100–S&AR110–S&AR120–S&AR150–S&AR160–S series, AR1220E-S, AR1220C-S,

AR2220E-S, AR2240C-S do not support configuring the load balancing mode.
The 4GE-2S, 4ES2G-S, 4ES2GP-S, and 9ES2 cards do not support the load balancing mode
configuration.
Procedure
a. Run system-view
b. Run load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac }
By default, the load balancing mode of a Layer 2 Eth-Trunk is src-dst-mac.
NOTE
All Layer 2 Eth-Trunks in the system must use the same load balancing mode. If the load
balancing mode of one Eth-Trunk is changed, all the other Eth-Trunks use the new load
balancing mode and do not support the dst-ip, src-ip and src-dst-ip parameters.

a. Run system-view


c. Run load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac }
By default, the load balancing mode of a Layer 3 Eth-Trunk is src-dst-ip.
----End
2.8.6 (Optional) Setting the LACP System Priority
Context
LACP system priority differentiates priorities of devices at both ends. In LACP mode, active
interfaces selected by devices at both ends must be consistent; otherwise, the LAG cannot be
set up. To keep active interfaces consistent at both ends, you can set the priority of one device
to be higher than that of the other device so that the other device can select active interfaces
according to those selected by the device with a higher priority.
Procedure
Step 2 Run lacp priority-command-mode { default | system-priority }
The configuration mode of the LACP system priority is set.
By default, the configuration mode of the LACP system priority is default.
If the lacp priority command used to set the LACP interface priority is executed in the
system view, the Eth-Trunk in LACP mode may alternate between Up and Down. To prevent
this situation, run the lacp priority-command-mode command in the system view to set the
configuration mode of the LACP system priority to system-priority. This mode can be used
to differentiate the LACP system priority and LACP interface priority.
Step 3 Use either of the following methods to set the LACP system priority based on the
configuration mode.
l default mode
Run the lacp priority priority command to set the LACP system priority.
l system-priority mode
Run the lacp system-priority priority command to set the LACP system priority.
A smaller LACP priority value indicates a higher priority. By default, the LACP system
priority is 32768.

The end with a smaller priority value functions as the Actor. If the two ends have the same
priority, the end with a smaller MAC address functions as the Actor.
----End
2.8.7 (Optional) Setting the LACP Interface Priority
Context
In LACP mode, LACP interface priorities are set to prioritize interfaces of the same device.
Interfaces with higher priorities are selected as active interfaces.
Procedure
Step 2 Run interface interface-type interface-number
Step 3 Run lacp priority priority
The LACP priority of the member interface is configured.
By default, the LACP interface priority is 32768. A smaller priority value indicates a higher
LACP priority.
By default, the system selects active interfaces based on interface priorities. However, low-
speed member interfaces with high priorities may be selected as active interfaces. To select
high-speed member interfaces as active interfaces, run the lacp selected { priority | speed }
command to configure the system to select active interfaces based on the interface rate.
----End
2.8.8 (Optional) Configuring LACP Preemption
Context
The LACP preemption function ensures that the interface with the highest LACP priority
always functions as an active interface. For example, the interface with the highest priority
becomes inactive due to a failure. If LACP preemption is enabled, the interface becomes
active again after it recovers; if LACP preemption is disabled, the interface cannot become
active interface after it recovers.
The LACP preemption delay is the period during which an inactive interface switches to
active. The LACP preemption delay prevents instable data transmission on an Eth-Trunk link
due to frequent status changes of some links.
Procedure


Step 3 Run lacp preempt enable
LACP preemption is enabled.
By default, LACP preemption is disabled. To ensure normal running of an Eth-Trunk, enable
or disable LACP preemption at both ends of the Eth-Trunk.
Step 4 Run lacp preempt delay delay-time
The LACP preemption delay is set.
By default, the LACP preemption delay is 30 seconds. If both devices of an Eth-Trunk use
different preemption delays, a longer preemption delay is used.
----End
2.8.9 (Optional) Setting the Timeout Interval for Receiving

LACPDUs
Context
If the Eth-Trunk on the local device cannot detect a self-loop or fault that occurred on a
member interface in the LAG on the remote device, data on the local device is still load
balanced among original active interfaces. As a result, data traffic on the faulty link is
discarded.
After the timeout interval at which LACPDUs are received is set, if a local member interface
does not receive any LACPDUs within the configured timeout interval, the local member
interface becomes Down immediately and no longer forwards data.
Procedure
Step 3 Run lacp timeout { fast [ user-defined user-defined ] | slow }
The timeout interval at which LACPDUs are received is set.
By default, the timeout interval at which an Eth-Trunk receives LACPDUs is 90 seconds.
l After you run the lacp timeout command, the local end notifies the remote end of the
timeout interval by sending LACPDUs. When fast is specified, the interval for sending
LACPDUs is 1 second. When slow is specified, the interval for sending LACPDUs is 30
seconds.
l The timeout interval for receiving LACPDUs is three times the interval for sending
LACPDUs. When fast is specified, the timeout interval for receiving LACPDUs is 3
seconds. When slow is specified, the timeout interval for receiving LACPDUs is 90
seconds.

l You can use different modes of the timeout interval at the two ends. However, to
facilitate maintenance, you are advised to use the same mode at both ends.
----End
2.8.10 Verifying the Link Aggregation Configuration
Procedure
about Eth-Trunk member interfaces.
l Run the display trunk resource command to check Eth-Trunk resources that have been
used on a device.
----End
2.9 Creating an Eth-Trunk Sub-interface

Sub-interfaces can be configured on a Layer 3 Eth-Trunk. When Layer 3 devices connect to
Layer 2 devices in different VLANs through the Layer 3 Eth-Trunk, sub-interfaces must be
configured on the Eth-Trunk to identify packets from different VLANs and to enable users in
different VLANs to communicate with each other.
Procedure
An Eth-Trunk is created and the Eth-Trunk interface view is displayed.
Step 3 Run undo portswitch
A Layer 3 Eth-Trunk is configured.
Step 4 Run quit
Step 5 Run interface eth-trunk trunk-id.subnumber
An Eth-Trunk sub-interface is created.
subnumber specifies the number of a sub-interface. The value ranges from 1 to 4096.
Step 6 Run ip address ip-address { mask | mask-length } [ sub ]
An IP address is configured for the sub-interface.
When configuring multiple IP addresses for an Eth-Trunk sub-interface, use the sub keyword
to indicate the IP addresses configured after the first one.
----End

2.10 Maintaining Link Aggregation

This section describes how to maintain link aggregation, including monitoring the link
aggregation running status and clearing LACPDU statistics.
2.10.1 Monitoring the LAG Operating
Context
During routine maintenance, run the following commands in any view to check the LAG
operating status.
Procedure
l Run the display lacp statistics eth-trunk [ trunk-id [ interface interface-type interface-
number ] ] command to check the statistics about LACPDUs sent and received in LACP
mode.
l Run the display interface eth-trunk [ trunk-id ] command to check the Eth-Trunk
status.
about member interfaces of an Eth-Trunk.
----End
2.10.2 Clearing LACP Packet Statistics
Context
The cleared LACPDU statistics cannot be restored. Exercise caution when you run the reset
command.
Procedure
l Run the reset lacp statistics eth-trunk [ trunk-id [ interface interface-type interface-
number ] ] command in the user view to clear statistics about LACPDUs received and
sent.
l Run the reset lacp error packet statistics command in the user view to clear statistics
on error LACPDUs.
----End

2.10.3 Using Ping to Monitor the Reachability of Layer 3 Eth-

Trunk Member Interfaces
Context
Multiple physical interfaces can be bundled into an Eth-Trunk, and these physical interfaces
are Eth-Trunk member interfaces. Each member interface uses a specified transmission path.
The path-specific service parameters, such as delay, jitter, and packet loss ratio, are also
different. Therefore, you cannot determine which member interface is faulty when the quality
of services on an Eth-Trunk deteriorates. To resolve this problem, perform a ping test to detect
each physical link to help locate the faulty link.
NOTE
The ping test applies to scenarios where two devices are directly connected through an Eth-Trunk.
Pre-configuration Tasks
Before using ping to monitor the reachability of Layer 3 Eth-Trunk member interfaces,
complete the following task:
l Running the undo portswitch command to configure the Eth-Trunk to work in Layer 3
mode and configuring an IP address for the Layer 3 Eth-Trunk
Procedure
Step 1 Enable the receive end to monitor Layer 3 Eth-Trunk member interfaces.
1. Run system-view
2. Run trunk member-port-inspect
The receive end is enabled to monitor Layer 3 Eth-Trunk member interfaces.
By default, the receive end is disabled from monitoring Layer 3 Eth-Trunk member
interfaces.
NOTE
The trunk member-port-inspect command takes effect for all Layer 3 Eth-Trunks on a device. To
test the connectivity of Eth-Trunks, disable this function after detection of Eth-Trunk member
interfaces is completed. If this function is not disabled, the device keeps monitoring Eth-Trunk
member interfaces, which consumes a lot of system resources.
Step 2 Enable the transmit end to monitor Layer 3 Eth-Trunk member interfaces.
1. Run ping [ ip ] [ -a source-ip-address | -c count | -d | -h ttl-value | -i interface-type
interface-number | -m time | -p pattern | -q | -r | -s packetsize | -system-time | -t timeout |
-v | -vpn-instance vpn-instance-name ] * host [ ip-forwarding ]<Huawei> ping -a
192.168.1.1 -i gigabitethernet 1/0/1 10.1.1.2 PING 10.1.1.2: 56 data bytes, press
CTRL_C to break Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=254 time=2 ms Reply
from 10.1.1.2: bytes=56 Sequence=2 ttl=254 time=1 ms Reply from 10.1.1.2: bytes=56
Sequence=3 ttl=254 time=2 ms Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=254
time=1 ms Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=254 time=2 ms --- 10.1.1.2
ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-
trip min/avg/max = 1/1/2 ms

The transmit end is enabled to monitor the reachability of Layer 3 Eth-Trunk member
interfaces.
NOTE
When testing the reachability of Layer 3 Eth-Trunk member interfaces, you must specify the -a and -i
parameters in the ping command. -a and -i indicate the source IP address and source interface of ICMP
Echo Request packets respectively.
The ping command output contains the following information:

– Response to each ping message: If an echo response message is not received by the
transmit end after the corresponding timer expires, a message reading "Request time
out" is displayed, indicating that an Eth-Trunk member interface fails. If an echo
response message is received, the data bytes, message sequence number, and
response time are displayed, indicating that no Eth-Trunk member interface fails.
– Final statistics: The statistics include the number of sent and received packets,
percentage of failure response packets, and minimum, maximum, and average
response times.
----End
2.11 Configuration Examples for Link Aggregation

This section provides several configuration examples of link aggregation.
2.11.1 Example for Configuring Link Aggregation in Manual Load

Balancing Mode
As shown in Figure 2-12, RouterA and RouterB connect to devices in VLAN 10 and VLAN
20 through Ethernet links, and heavy traffic is transmitted between RouterA and RouterB.
RouterA and RouterB can provide higher link bandwidth to implement inter-VLAN
communication. Reliability of data transmission needs to be ensured.
Figure 2-12 Configuring link aggregation in manual load balancing mode
VLAN10 VLAN20
Eth1/0/4 Eth1/0/1 Eth1/0/4

Eth1/0/1
RouterA Eth1/0/2 Eth-Trunk Eth1/0/2 RouterB
Eth1/0/3 Eth1/0/3
Eth1/0/5 Eth-Trunk 1 Eth-Trunk 1 Eth1/0/5
VLAN20 VLAN10

1. Create an Eth-Trunk and add member interfaces to the Eth-Trunk to increase link
bandwidth.
2. Create VLANs and add interfaces to the VLANs.
3. Configure a load balancing mode to ensure that traffic is load balanced among Eth-Trunk
member interfaces.
Procedure
Step 1 Create an Eth-Trunk on RouterA and add member interfaces to the Eth-Trunk. The
configuration of RouterB is similar to the configuration of RouterA, and is not mentioned
here.
[Huawei] sysname RouterA
[RouterA] interface Eth-Trunk1
[RouterA-Eth-Trunk1] trunkport ethernet 1/0/1 to 1/0/3
[RouterA-Eth-Trunk1] quit
Step 2 Create VLANs and add interfaces to the VLANs. The configuration of RouterB is similar to
the configuration of RouterA, and is not mentioned here.
# Create VLAN 10 and VLAN 20, and add interfaces to VLAN 10 and VLAN 20.
[RouterA] vlan batch 10 20
[RouterA] interface ethernet 1/0/4
[RouterA-Ethernet1/0/4] port link-type trunk
[RouterA-Ethernet1/0/4] port trunk allow-pass vlan 10
[RouterA-Ethernet1/0/4] quit
# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass through.
[RouterA] interface Eth-Trunk1
[RouterA-Eth-Trunk1] port link-type trunk
[RouterA-Eth-Trunk1] port trunk allow-pass vlan 10 20
Step 3 Configure a load balancing mode for Eth-Trunk 1. The configuration of RouterB is similar to
the configuration of RouterA, and is not mentioned here.
[RouterA] load-balance src-dst-mac
# Run the display eth-trunk 1 command in any view to check whether the Eth-Trunk is
created and whether member interfaces are added.
[RouterA] display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: According to SIP-XOR-
DIP
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Ports In Trunk: 3
--------------------------------------------------------------------------------
PortName Status Weight
Ethernet1/0/1 Up 1
Ethernet1/0/2 Up 1
Ethernet1/0/3 Up 1

# The preceding command output shows that Eth-Trunk 1 has three member interfaces:
Ethernet1/0/1, Ethernet1/0/2, and Ethernet1/0/3. The member interfaces are all in Up state.
----End
Configuration Files
l Configuration file of RouterA
#
sysname RouterA
#
vlan batch 10 20
#
interface Eth-Trunk1
load-balance src-dst-mac
#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
#
#
#
return
l Configuration file of RouterB

#
sysname RouterB
#
vlan batch 10 20
#
load-balance src-dst-mac
#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
#
#
#
return

2.11.2 Example for Configuring Link Aggregation in LACP Mode
To increase the bandwidth and improve the connection reliability, you can configure an LAG
on two directly connected routers, as shown in Figure 2-13. The requirements are as follows:
l The LAG contains three member links. Two links function as active links to implement
load balancing, and the other link functions as the backup link.
l When a fault occurs on an active link, the backup link replaces the faulty one to ensure
nonstop services.
Figure 2-13 Link aggregation in LACP mode

Eth-Trunk 1 Eth-Trunk 1
Eth 2/0/1 Eth 2/0/1
Eth 2/0/2 Eth 2/0/2 Active link
Eth-Trunk
Eth 2/0/3 Eth 2/0/3 Backup link
RouterA RouterB
1. Create an Eth-Trunk on each router and configure the Eth-Trunk to work in LACP mode.
2. Add member interfaces to the Eth-Trunk.
3. Set the LACP system priority and determine the Actor.
4. Set the maximum number of active interfaces in the Eth-Trunk.
5. Set LACP interface priorities and determine active links.
Procedure
Step 1 Create Eth-Trunk 1 and configure Eth-Trunk 1 to work in LACP mode.
# Configure RouterA.
[RouterA] interface eth-trunk 1
[RouterA-Eth-Trunk1] mode lacp-static
# Configure RouterB.
[Huawei] sysname RouterB
[RouterB] interface eth-trunk 1
[RouterB-Eth-Trunk1] mode lacp-static
[RouterB-Eth-Trunk1] quit
Step 2 Add member interfaces to Eth-Trunk 1.

# Configure RouterA.


[RouterA-Ethernet2/0/1] eth-trunk 1
# Configure RouterB.
[RouterB] interface ethernet 2/0/1
[RouterB-Ethernet2/0/1] eth-trunk 1
[RouterB-Ethernet2/0/1] quit
Step 3 Set the LACP system priority on RouterA to 100 so that RouterA becomes the Actor.
[RouterA] lacp priority 100
Step 4 Set maximum number of active interfaces in Eth-Trunk 1 on RouterA to 2.

[RouterA-Eth-Trunk1] max active-linknumber 2
Step 5 Set LACP interface priorities and determine active links on RouterA.
[RouterA-Ethernet2/0/1] lacp priority 100
[RouterA-Ethernet2/0/2] lacp priority 100

# Check information about the Eth-Trunk of the routers and check whether the negotiation is
successful.
[RouterA] display eth-trunk 1
Local:
LAG ID: 1 WorkingMode: STATIC
Preempt Delay: Disabled Hash arithmetic: According to SA-XOR-DA
System Priority: 100 System ID: 00e0-fca8-0417
Least Active-linknumber: 1 Max Active-linknumber: 2
Operate status: Up Number Of Up Port In Trunk: 2
------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState
Weight
Ethernet2/0/1 Selected 100M 100 6145 2865
11111100 1
11111100 1
Ethernet2/0/3 Unselect 100M 32768 6147 2865
11100000 1
Partner:
------------------------------------------------------------------------------
PartnerPortName SysPri SystemID PortPri PortNo PortKey PortState
Ethernet2/0/1 32768 00e0-fca6-7f85 32768 6145 2609 11111100
Ethernet2/0/2 32768 00e0-fca6-7f85 32768 6146 2609 11111100
Ethernet2/0/3 32768 00e0-fca6-7f85 32768 6147 2609 11110000

[RouterB] display eth-trunk 1

Local:
LAG ID: 1 WorkingMode: STATIC
Preempt Delay: Disabled Hash arithmetic: According to SA-XOR-DA
System Priority: 32768 System ID: 00e0-fca6-7f85
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: Up Number Of Up Port In Trunk: 2
------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState
Weight
11111100 1
11111100 1
Ethernet2/0/3 Unselect 100M 32768 6147 2609
11100000 1
Partner:
------------------------------------------------------------------------------
PartnerPortName SysPri SystemID PortPri PortNo PortKey
PortState
Ethernet2/0/1 100 00e0-fca8-0417 100 6145 2865
11111100
Ethernet2/0/2 100 00e0-fca8-0417 100 6146 2865
11111100
Ethernet2/0/3 100 00e0-fca8-0417 32768 6147 2865
11110000
According to the preceding information, the system priority of RouterA is 100, which is
higher than the system priority of RouterB; Ethernet2/0/1 and Ethernet2/0/2 are active
interfaces and are in Selected state; Ethernet2/0/3 is in Unselect state. That is, load balancing
and redundancy are implemented.
----End
Configuration Files
#
sysname RouterA
#
lacp priority 100
#
mode lacp-static
max active-linknumber 2
#
eth-trunk 1
lacp priority 100
#
eth-trunk 1
lacp priority 100
#
eth-trunk 1
#
return

#
sysname RouterB
#
mode lacp-static

#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
#
return
2.11.3 Example for Configuring Layer 3 Link Aggregation
RouterA and RouterB are connected by two Layer 3 Ethernet interfaces. To increase link
bandwidth and improve reliability, you can create an Eth-Trunk on each router and add the
Layer 3 Ethernet interfaces to the Eth-Trunk.
Figure 2-14 Networking of Layer 3 link aggregation

RouterA Eth-Trunk1 RouterB
Eth1/0/0 10.1.1.1/24 Eth1/0/0
Eth2/0/0 Eth-Trunk1 Eth2/0/0
10.1.1.2/24
1. Create a Layer 3 Eth-Trunk on each device and configure an IP address for each Eth-
Trunk.
2. Add Ethernet interfaces to the Eth-Trunk.
Procedure
Step 1 Configure RouterA.
# Create a Layer 3 Eth-Trunk (Eth-Trunk 1) and configure an IP address for Eth-Trunk 1.

[RouterA-Eth-Trunk1] undo portswitch
[RouterA-Eth-Trunk1] ip address 10.1.1.1 24
# Add Ethernet1/0/0 and Ethernet2/0/0 to Eth-Trunk 1.


Step 2 Configure RouterB.

# Create a Layer 3 Eth-Trunk (Eth-Trunk 1) and configure an IP address for Eth-Trunk 1.

[RouterB] interface eth-trunk 1
[RouterB-Eth-Trunk1] undo portswitch
[RouterB-Eth-Trunk1] ip address 10.1.1.2 24
[RouterB-Eth-Trunk1] quit
# Add Ethernet1/0/0 and Ethernet2/0/0 to Eth-Trunk 1.


Run the display interface eth-trunk command on RouterA or RouterB. You can see that the
Eth-Trunks are in Up state.
The display on RouterA is used as an example.
[RouterA] display interface eth-trunk 1
Eth-Trunk1 current state : UP
Line protocol current state : UP
Description:HUAWEI, AR Series, Eth-Trunk1 Interface
Route Port, Hash arithmetic : According to SIP-XOR-DIP,The Maximum Transmit Unit
is 1500
Internet Address is 10.1.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc09-9722
Current system time: 2011-4-14 14:51:01
Input bandwidth utilization : 0.00%
Output bandwidth utilization : 0.00%
-----------------------------------------------------
PortName Status Weight
-----------------------------------------------------
Ethernet1/0/0 UP 1
Ethernet2/0/0 UP 1
-----------------------------------------------------
The Number of Ports in Trunk : 2
The Number of UP Ports in Trunk : 2
The Eth-Trunks on RouterA and RouterB can ping each other.

[RouterA] ping -a 10.1.1.1 10.1.1.2
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=31 ms
--- 10.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/49/62 ms
----End
Configuration Files

#
sysname RouterA
#
undo portswitch
ip address 10.1.1.1 255.255.255.0
#
eth-trunk 1
#
eth-trunk 1
#
return

#
sysname RouterB
#
undo portswitch
ip address 10.1.1.2 255.255.255.0
#
eth-trunk 1
#
eth-trunk 1
#
return
2.12 Troubleshooting Link Aggregation

This section describes common configuration errors.
2.12.1 Traffic Is Unevenly Load Balanced Among Eth-Trunk

Member Interfaces Because the Load Balancing Mode Is Incorrect
Fault Description
Traffic is unevenly load balanced among Eth-Trunk member interfaces due to the incorrect
load balancing mode.
Procedure
1. Run the display eth-trunk command to check whether the load balancing mode of the
Eth-Trunk meets networking requirements. For example, source or destination IP
address-based load balancing is not recommended in Layer 2 networking.
2. Run the load-balance command to set an appropriate load balancing mode.
2.13 FAQ About Link Aggregation

This section describes the FAQ of link aggregation.

2.13.1 What Link Aggregation Modes Are Supported by the

Device?
The following link aggregation modes are supported:
l Manual load balancing mode: This mode allows you to manually add interfaces to an
Eth-Trunk. All the member interfaces are in forwarding state and perform load
balancing.
l LACP mode: This mode allows the AR to select active links by negotiating parameters
using LACP. In LACP mode, you need to manually set up an Eth-Trunk and add
interfaces to the Eth-Trunk.
2.13.2 Can an Eth-Trunk Be Configured with an IP Address?

By default, an Eth-Trunk is a Layer 2 interface and cannot be configured with an IP address.
You can configure an IP address for the Eth-Trunk that has been switched to a Layer 3
interface using the undo portswitch command.
2.13.3 How Do I Add Member Interfaces to an Eth-Trunk?

NOTE
Before adding a new member interface, ensure that the type of the new member interface is the same as that
of other member interfaces and there is no configuration on the new member interface.
1. Run the shutdown command in the interface view to configure the new member
interface in Down state.
NOTE
If the new member interface that joins the Eth-Trunk is not configured to be Down, a temporary loop
may occur. As a result, services are affected.
2. Run either of the following commands to add the new member interface to the Eth-
Trunk.
– Run the eth-trunk trunk-id command in the interface view.
– Run the trunkport interface-type { interface-number1 [ to interface-number2 ] }
&<1-8> command in the Eth-Trunk interface view.
3. After member interfaces at both ends join the Eth-Trunk, run the undo shutdown
command in the interface view to enable the new member interfaces.
2.13.4 How Do I Delete Member Interfaces from an Eth-Trunk?

1. Run the shutdown command in the interface view to configure the member interface to
be deleted in Down state.
2. Run either of the following commands to delete the member interface from the Eth-
Trunk.
– Run the undo eth-trunk trunk-id command in the interface view.
– Run the undo trunkport interface-type { interface-number1 [ to interface-
number2 ] } &<1-8> command in the Eth-Trunk interface view.
3. Run the undo shutdown command in the interface view to enable the member
interfaces.

2.13.5 What Is the Function of the LACP Preemption Delay?

When an Eth-Trunk in LACP mode goes Up and Down frequently due to unstable physical
links, LACP flaps. As a result, services transmitted on the Eth-Trunk link are affected. After
the LACP preemption delay is set, LACP negotiation is not performed during the delay. The
possibility of LACP flapping is reduced, and services will not be affected.
You can run the lacp preempt enable command in the interface view to enable LACP
preemption on the Eth-Trunk and run the lacp preempt delay delay-time command to set the
LACP preemption delay.

Configuration 3 VLAN Configuration
3 VLAN Configuration
About This Chapter
This chapter describes how to configure VLAN technology. VLAN technology provides
broadcast domain isolation, security hardening, flexible networking, and high extensibility.
3.1 Overview of VLANs
3.2 Understanding VLANs
3.3 Application Scenarios for VLANs
3.4 Summary of VLAN Configuration Tasks
3.5 Default Settings for VLANs
3.6 Licensing Requirements and Limitations for VLANs
3.7 Configuring VLAN
3.8 Configuration Examples for VLANs
3.9 Troubleshooting VLANs
3.10 FAQ About VLANs
3.1 Overview of VLANs

Definition
Virtual Local Area Network (VLAN) technology divides a physical LAN into multiple
broadcast domains, each of which is called a VLAN. Hosts within a VLAN can communicate
with each other but cannot communicate directly with hosts in other VLANs. Consequently,
broadcast packets are confined to within a single VLAN.
Purpose
Ethernet technology implements data communication over shared media based on Carrier
Sense Multiple Access/Collision Detection (CSMA/CD). When an Ethernet network has a

large number of hosts, collision becomes a serious problem and can lead to broadcast storms.
As a result, network performance deteriorates, or can even result in a complete breakdown.
Using switches to connect LANs can mitigate collisions, but cannot isolate broadcast packets
or improve network quality.
VLAN technology divides a physical LAN into multiple VLANs to isolate broadcast
domains. Hosts within a VLAN can communicate with each other but cannot communicate
directly with hosts in other VLANs. Consequently, broadcast packets are confined to within a
single VLAN.
Figure 3-1 VLAN networking

Router
Router1 Router2
VLAN 2 VLAN 3
Figure 3-1 shows a typical VLAN networking environment. Device Router1 and device
Router2 are deployed in different locations (for example, on different floors of a building).
Each device is connected to two PCs belonging to different VLANs, which likely belong to
different entities or companies.
Benefits
VLAN technology offers the following benefits:
l Limits broadcast domains. Broadcast domains are limited to conserve bandwidth and
improve network efficiency.
l Enhances LAN security. Packets from different VLANs are transmitted separately. Hosts
in a VLAN cannot communicate directly with hosts in another VLAN.
l Improves network robustness. A fault in a VLAN does not affect hosts in other VLANs.
l Allows flexible definition of virtual groups. With VLAN technology, hosts in different
geographical locations can be grouped together, thereby simplifying network
construction and maintenance.

3.2 Understanding VLANs

3.2.1 Intra-VLAN Communication
Packets transmitted between users in a VLAN go through three phases:
l Packet transmission from the source user host

Before sending a frame, the source host compares its IP address with the destination IP
address. If the two IP addresses are on the same network segment, the source host
obtains the MAC address of the destination host and fills the destination field MAC
address of the frame with the obtained MAC address. If the two IP addresses are on
different network segments, the frame needs to be forwarded by the gateway. The source
host obtains the gateway's MAC address, and uses it as the destination MAC address to
send the frame to the gateway.
l Ethernet switching in a device
The device determines whether to forward a received frame at Layer 2 or Layer 3 based
on the information in the destination MAC address, VLAN ID, and Layer 3 forwarding
bit.
– If the destination MAC address and VLAN ID of the frame match a MAC address
entry of the device and the Layer 3 forwarding bit is set, the device searches for a
Layer 3 forwarding entry based on the destination IP address. If no entry is found,
the device sends the frame to the CPU. The CPU then searches for a route to
forward the frame at Layer 3.
– If the destination MAC address and VLAN ID of the frame match a MAC address
entry but the Layer 3 forwarding bit is not set, the device directly forwards the
frame from the outbound interface specified in the matching MAC address entry.
– If the destination MAC address and VLAN ID of the frame do not match any MAC
address entry, the device broadcasts the frame to all the interfaces allowing the
VLAN specified in the VID to obtain the MAC address of the destination host.
l Adding and removing VLAN tags during the exchange between devices
Frames processed in a device all carry VLAN tags. The device needs to add or remove
VLAN tags according to the interface setting to communicate with other network
devices. For details on how VLAN tags are added and removed on different interfaces,
see 3.2.3.4 Adding and Removing VLAN Tags.
After VLANs are assigned, broadcast packets are forwarded at Layer 2 in the same VLAN.
That is, users in the same VLAN can directly communicate at Layer 2. There are two intra-
VLAN communication scenarios depending on whether hosts in the same VLAN connect to
the same or multiple devices.
Intra-VLAN Communication Through the Same Device

As shown in Figure 3-2, Host_1 and Host_2 connect to the same device, belong to VLAN 2,
and are located on the same network segment. The interfaces connected to Host_1 and Host_2
are access interfaces.

Figure 3-2 Intra-VLAN communication through the same device
Router
IF_1 IF_2
Access Access
Host_1 VLAN2 VLAN2 Host_2
MAC：1-1-1 MAC：2-2-2
IP：10.1.1.2 IP：10.1.1.3
Subnet Mask: 255.255.255.0 Subnet Mask: 255.255.255.0
When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on the router):
1. Host_1 determines that the destination IP address is on the same network segment as its
IP address, and therefore broadcasts an ARP Request packet to obtain the MAC address
of Host_2. The ARP Request packet carries the all-F destination MAC address and
destination IP address of 10.1.1.3 (Host_2's IP address).
2. When the packet reaches IF_1 on the Router, the Router detects that the ARP Request
packet is untagged and adds VLAN 2 (PVID of IF_1) to the packet. The Router then
adds the binding of the source MAC address, VLAN ID, and interface (1-1-1, 2, IF_1) to
its MAC address table.
3. The Router does not find a MAC address entry matching the destination MAC address
and VLAN ID of the ARP Request packet, so it broadcasts the ARP Request packet to
all interfaces that allow VLAN 2 (IF_2 in this example).
4. Before sending the ARP Request packet, IF_2 on the Router removes the tag with
VLAN 2 from the packet.
5. Host_2 receives the ARP Request packet and records the mapping between the MAC
address and IP address of Host_1 in the ARP table. Then Host_2 compares the
destination IP address with its own IP address. If they are the same, Host_2 sends an
ARP Reply packet. The ARP Reply packet carries Host_2's MAC address of 2-2-2 and
Host_1's IP address of 10.1.1.2 as the destination IP address.
6. After receiving the ARP Reply packet, IF_2 on the Router tags the packet with VLAN 2.
7. The Router adds the mapping between the source MAC address, VLAN ID, and
interface (2-2-2, 2, IF_2) to its MAC address table, and then searches for an entry in its
MAC address table based on the destination MAC address and VLAN ID (1-1-1, 2). The
entry is found because the mapping has been recorded before (see step 5). The Router
forwards the ARP Reply packet to IF_1.
8. Before forwarding the ARP Reply packet to IF_1, the Router removes the tag with
VLAN 2 from the packet.
9. Host_1 receives the ARP Reply packet and records the mapping between the MAC
address and IP address of Host_2 in the ARP table.
Host_1 and Host_2 have learned the MAC address of each other, so they directly fill the
destination MAC address fields of packets with the learned MAC addresses of the packets in
subsequent communication.
In the preceding networking, if hosts in the same VLAN are on different network segments,
they encapsulate the gateway's MAC address into packets, hosts can communicate through
VLANIF interfaces (with primary and secondary IP addresses configured). The principles are
similar to those in Inter-VLAN Communication Through the Same Device, and are not
mentioned here.

Intra-VLAN Communication Through Multiple Devices

As shown in Figure 3-3, Host_1 and Host_2 connect to different devices, belong to VLAN 2,
and are located on the same network segment. The devices are connected using a trunk link
over which frames can be identified and sent across devices.
Figure 3-3 Intra-VLAN communication through multiple devices

Router_1 Router_2
Trunk Trunk
VLAN2 VLAN2
IF_2 IF_2
IF_1 Access Access IF_1
VLAN2 VLAN2
Host_1 Host_2
MAC：1-1-1 MAC：2-2-2
IP：10.1.1.2 IP：10.1.1.3
Subnet Mask: 255.255.255.0 Subnet Mask: 255.255.255.0
forwarding entry exists on Router_1 and Router_2):
1. The first two steps are similar to steps 1 and 2 in Intra-VLAN Communication
Through the Same Device. After the two steps are complete, Host_1 broadcasts the
ARP Request packet to IF_2 on Router_1.
2. IF_2 on Router_1 transparently transmits the ARP Request packet to IF_2 on Router_2
without removing the tag of the packet, because the VLAN ID of the packet is different
from the PVID of IF_2 on Router_1.
3. After receiving the ARP Request packet, IF_2 on Router_2 determines that VLAN 2 is
an allowed VLAN and accepts the packet.
4. Following the four steps similar to steps 3 to 6 in Intra-VLAN Communication
Through the Same Device, Router_2 forwards the ARP Reply packet of Host_2 to
IF_2. IF_2 on Router_2 transparently transmits the ARP Reply packet to IF_2 on
Router_1, because IF_2 is a trunk interface and its PVID is different from the VLAN ID
of the packet.
5. After receiving the ARP Reply packet, IF_2 on Router_1 determines that VLAN 2 is an
allowed VLAN and accepts the packet. Subsequent steps are similar to steps 7 to 9 in
Intra-VLAN Communication Through the Same Device.
In addition to transmitting frames from multiple VLANs, a trunk link can transparently
transmit frames without adding or removing the tags of the packets.
In the preceding networking, if hosts in the same VLAN are on different network segments,
hosts can communicate through VLANIF interfaces. The principles are similar to those in
Inter-VLAN Communication Through the Same Device, and are not mentioned here.
3.2.2 Inter-VLAN Communication

After VLANs are assigned, broadcast packets are only forwarded in the same VLAN. That is,
hosts in different VLANs cannot communicate at Layer 2. Therefore, VLAN technology

isolates broadcast domains. In real-world applications, hosts in different VLANs often need to
communicate, so inter-VLAN communication needs to be implemented to resolve this.
Similar to intra-VLAN communication described in 3.2.1 Intra-VLAN Communication,
inter-VLAN communication goes through three phases: packet transmission from the source
host, Ethernet switching in a device, and adding and removing VLAN tags during the
exchange between devices. According to the Ethernet switching principle, broadcast packets
are only forwarded in the same VLAN and hosts in different VLANs cannot directly
communicate at Layer 2. Layer 3 routing or VLAN translation technology is required to
implement inter-VLAN communication.
Inter-VLAN Communication Technologies

Huawei provides a variety of technologies to implement inter-VLAN communication. The
following two technologies are commonly used.
l VLANIF interface
A VLANIF interface is a Layer 3 logical interface. After an IP address is configured for
a VLANIF interface, the device adds the MAC address and VLAN ID of the VLANIF
interface to the MAC address table and sets the Layer 3 forwarding bit for the MAC
address entry. When the destination MAC address of a packet matches the MAC address
entry, the device forwards the packet at Layer 3, thereby implementing inter-VLAN
Layer 3 connectivity.
It is simple to configure a VLANIF interface, so VLANIF interfaces are the most
commonly used for inter-VLAN communication. However, a VLANIF interface needs to
be configured for each VLAN and each VLANIF interface requires an IP address. As a
result, this technology wastes IP addresses.
l Dot1q termination sub-interface
A sub-interface is also a Layer 3 logical interface. A device implements inter-VLAN
Layer 3 connectivity through sub-interfaces in a similar way as through VLANIF
interfaces. After a sub-interface is configured with Dot1q termination and an IP address,
the device adds a MAC address entry of the sub-interface to the MAC address table and
sets the Layer 3 forwarding bit.
A Dot1q termination sub-interface applies to scenarios where a Layer 3 Ethernet
interface connects to multiple VLANs. In such a scenario, data flows from different
VLANs preempt bandwidth of the primary Ethernet interface; therefore, the primary
Ethernet interface may become a bottleneck when the network is busy.
For details about the Dot1q termination sub-interface, see 6 VLAN Termination
Configuration.
Huawei devices implement inter-VLAN communication using VLANIF interfaces. A
VLANIF interface is a Layer 3 logical interface. After an IP address is configured for a
VLANIF interface, the device adds the MAC address and VLAN ID of the VLANIF interface
to the MAC address table and sets the Layer 3 forwarding bit for the MAC address entry.
When the destination MAC address of a packet matches the MAC address entry, the device
forwards the packet at Layer 3, thereby implementing inter-VLAN Layer 3 connectivity. It is
simple to configure a VLANIF interface, so VLANIF interfaces are the most commonly used
for inter-VLAN communication. However, a VLANIF interface needs to be configured for
each VLAN and each VLANIF interface requires an IP address. As a result, this technology
wastes IP addresses.
VLANIF interfaces require that users in VLANs be located on different network segments.
(When hosts are located on the same network segment, a host encapsulates the destination

host' MAC address in packets. The device determines that packets should be forwarded at
Layer 2. Layer 2 switching is performed only in the same VLAN, and broadcast packets
cannot reach different VLANs. In this case, the device cannot obtain destination hosts' MAC
addresses and therefore cannot forward packets to the destination host.) On a network, VLAN
aggregation can allow hosts on the same network segment in different VLANs to
communicate.
VLAN aggregation, also known as super-VLAN, associates a super-VLAN with multiple sub-
VLANs. The sub-VLANs share the IP address of the super-VLAN as the gateway IP address
to implement Layer 3 connectivity with an external network. Proxy ARP can be enabled
between sub-VLANs to implement Layer 3 connectivity between sub-VLANs. VLAN
aggregation conserves IP addresses in inter-VLAN Layer 3 communication.
VLAN aggregation applies to scenarios where multiple VLANs share a gateway. For details
about VLAN aggregation, see 4 VLAN Aggregation Configuration.
Inter-VLAN Communication Through the Same Device

As shown in Figure 3-4, Host_1 (source host) and Host_2 (destination host) connect to the
same router, are located on different network segments, and belong to VLAN 2 and VLAN 3,
respectively. After VLANIF 2 and VLANIF 3 are created on the router and allocated IP
addresses, the default gateway addresses of the hosts are set to IP addresses of the VLANIF
interfaces.
Figure 3-4 Using VLANIF interfaces to implement inter-VLAN communication through the
same device
VLANIF2 VLANIF3
IP: 10.1.1.1/24 IP: 10.2.2.1/24
MAC: 3-3-3 Router MAC: 4-4-4
IF_1 IF_2
Access Access
VLAN2 VLAN3
Host_1 Host_2
MAC: 1-1-1 MAC: 2-2-2
IP: 10.1.1.2 IP: 10.2.2.2
Gateway address: 10.1.1.1 Gateway address: 10.2.2.1
forwarding entry exists on the router):
1. Host_1 determines that the destination IP address is on a different network segment from
its own IP address, and therefore sends an ARP Request packet to request the gateway
MAC address. The ARP Request packet carries the destination IP address of 10.1.1.1
(gateway's IP address) and all-F destination MAC address.
2. When the ARP Request packet reaches IF_1 on the Router, the Router tags the packet
with VLAN 2 (PVID of IF_1). The Router then adds the mapping between the source
MAC address, VLAN ID, and interface (1-1-1, 2, IF_1) in its MAC address table.
3. The Router detects that the packet is an ARP Request packet and the destination IP
address is the IP address of VLANIF 2. The Router then encapsulates VLANIF 2's MAC
address of 3-3-3 into the ARP Reply packet and removes the tag with VLAN 2 from the
packet before sending it from IF_1. In addition, the Router adds the binding of the IP
address and MAC address of Host_1 in its ARP table.
4. After receiving the ARP Reply packet from the Router, Host_1 adds the binding of the
IP address and MAC address of VLANIF 2 on the Router in its ARP table and sends a

packet to the Router. The packet carries the destination MAC address of 3-3-3 and
destination IP address of 10.2.2.2 (Host_2's IP address).
5. After the packet reaches IF_1 on the Router, the Router tags the packet with VLAN 2.
6. The Router updates its MAC address table based on the source MAC address, VLAN ID,
and inbound interface of the packet, and compares the destination MAC address of the
packet with the MAC address of VLANIF 2. If they are the same, the Router determines
that the packet should be forwarded at Layer 3 and searches for a Layer 3 forwarding
entry based on the destination IP address. If no entry is found, the Router sends the
packet to the CPU. The CPU then searches for a routing entry to forward the packet.
7. The CPU looks up the routing table based on the destination IP address of the packet and
detects that the destination IP address matches a directly connected network segment
(network segment of VLANIF 3). The CPU continues to look up its ARP table but finds
no matching ARP entry. Therefore, the Router broadcasts an ARP Request packet with
the destination address of 10.2.2.2 to all interfaces in VLAN 3. Before sending the ARP
Request packet from IF_2, the Router removes the tag with VLAN 2 from the packet.
8. After receiving the ARP Request packet, Host_2 detects that the IP address is its own IP
address and sends an ARP Reply packet with its own. Additionally, Host_2 adds the
mapping between the MAC address and IP address of VLANIF 3 to its ARP table.
9. After IF_2 on the Router receives the ARP Reply packet, IF_2 tags the packet with
VLAN 3 to the packet and adds the binding of the MAC address and IP address of
Host_2 in its ARP table. Before forwarding the packet from Host_1 to Host_2, the
Router removes the tag with VLAN 3 from the packet. The Router also adds the binding
of Host_2's IP address, MAC address, VLAN ID, and outbound interface in its Layer 3
forwarding table.
The packet sent from Host_1 then reaches Host_2. The packet transmission process from
Host_2 to Host_1 is similar. Subsequent packets between Host_1 and Host_2 are first sent to
the gateway (Router), and the Router forwards the packets at Layer 3 based on its Layer 3
forwarding table.
Inter-VLAN Communication Through Multiple Devices

When hosts in different VLANs connect to multiple routers, you need to configure static
routes or a dynamic routing protocol in addition to VLANIF interface addresses. This is
because IP addresses of VLANIF interfaces can only be used to generate direct routes.
As shown in Figure 3-5, Host_1 (source host) and Host_2 (destination host) are located on
different network segments, connect to Router_1 and Router_2, and belong to VLAN 2 and
VLAN 3, respectively. On Router_1, VLANIF 2 and VLANIF 4 are created and allocated IP
addresses of 10.1.1.1 and 10.1.4.1. On Router_2, VLANIF 3 and VLANIF 4 are created and
allocated IP addresses of 10.1.2.1 and 10.1.4.2. Static routes are configured on Router_1 and
Router_2. On Router_1, the destination network segment in the static route is 10.1.2.0/24 and
the next hop address is 10.1.4.2. On Router_2, the destination network segment in the static
route is 10.1.1.0/24 and the next hop address is 10.1.4.1.

Figure 3-5 Using VLANIF interfaces to implement inter-VLAN communication through

multiple devices
Router_1 Router_2
Trunk
VLAN4
IF_2 IF_2
IF_1 Access Access IF_1
VLAN2 VLAN3
Host_1 Host_2
MAC: 1-1-1 MAC: 2-2-2
IP: 10.1.1.2 IP: 10.1.2.2
Gateway address: 10.1.1.1 Gateway address: 10.1.2.1
forwarding entry exists on Router_1 and Router_2):
1. The first six steps are similar to steps 1 to 6 in inter-VLAN communication when hosts
connect to the same device. After the steps are complete, Router_1 sends the packet to
its CPU and the CPU looks up the routing table.
2. The CPU of Router_1 looks up the routing table based on the destination IP address of
10.1.2.2 and finds a matching entry with the network segment 10.1.2.0/24 corresponding
to VLANIF 3 and the next hop IP address 10.1.4.2. The CPU continues to look up its
ARP table but finds no matching ARP entry. Therefore, Router_1 broadcasts an ARP
Request packet with the destination address of 10.1.4.2 to all interfaces in VLAN 4. IF_2
on Router_1 transparently transmits the ARP Request packet to IF_2 on Router_2
without removing the tag from the packet.
3. After the ARP Request packet reaches Router_2, Router_2 finds that the destination IP
address of the ARP Request packet is the IP address of VLANIF 4. Router_2 then sends
an ARP Reply packet with the MAC address of VLANIF 4 to Router_1.
4. IF_2 on Router_2 transparently transmits the ARP Reply packet to Router_1. After
Router_1 receives the ARP Reply packet, it adds the binding of the MAC address and IP
address of VLANIF4 in its ARP table.
5. Before forwarding the packet of Host_1 to Router_2, Router_1 changes the destination
MAC address of the packet to the MAC address of VLANIF 4 on Router_2 and the
source MAC address to the MAC address of VLANIF 4 on itself. In addition, Router_1
records the forwarding entry (10.1.2.0/24, next hop IP address, VLAN, and outbound
interface) in its Layer 3 forwarding table. Similarly, the packet is transparently
transmitted to IF_2 on Router_2.
6. After Router_2 receives packets of Host_1 forwarded by Router_1, the steps similar to
steps 6 to 9 in inter-VLAN communication when hosts connect to the same device
are performed. In addition, Router_2 records the forwarding entry (Host_2's IP address,
MAC address, VLAN, and outbound interface) in its Layer 3 forwarding table.
VLAN Damping
In a specified VLAN where a VLANIF interface has been configured, when all interfaces in
the VLAN go Down, the VLAN becomes Down. The interface Down event is reported to the
VLANIF interface, causing the VLANIF interface status change.

To avoid network flapping due to the status change of the VLANIF interface, you can enable
VLAN damping on the VLANIF interface and set a delay after which the VLANIF interface
goes Down.
With VLAN damping enabled, when the last Up interface in the VLAN goes Down, the
Down event will be reported to the VLANIF interface after a delay (the delay can be set as
required). If an interface in the VLAN goes Up during the delay, the status of the VLANIF
interface keeps unchanged. That is, the VLAN damping function postpones the time at which
the VLAN reports a Down event to the VLANIF interface, avoiding unnecessary route
flapping.
3.2.3 Basic Concepts of VLAN
3.2.3.1 VLAN Tags
Definition and Function

A device identifies packets from different VLANs according to the information contained in
VLAN tags. IEEE 802.1Q adds a 4-byte VLAN tag between the Source address and Length/
Type fields of an Ethernet frame, as shown in Figure 3-6.
Figure 3-6 IEEE 802.1Q tagged frame format

Traditional Ethernet data frame
6Byte 6Byte 2Byte 46-1500Byte 4Byte
Destination Source Data FCS
Length/Type
address address
VLAN data frame

6Byte 6Byte 4Byte 2Byte 46-1500Byte 4Byte
Destination Source VLAN Length/ Data FCS
address address Tag Type
TPID PRI CFI VID
2Byte 3bit 1bit 12bit
A VLAN tag contains four fields. Table 3-1 describes the fields.

Table 3-1 Fields in a VLAN tag

Field Leng Description Value
th
TPID 2 Tag Protocol Identifier (TPID), The value 0x8100 indicates an 802.1Q-
bytes indicating the frame type. tagged frame. An 802.1Q-incapable
device discards the 802.1Q frames.
IEEE 802.1Q protocol defines the
value of the field as 0x8100. However,
manufacturers can define their own
TPID values and users can then modify
the value to realize interconnection of
devices from different manufacturers.
PRI 3 bits Priority (PRI), indicating the The value ranges from 0 to 7. A larger
frame priority. value indicates a higher priority. If
congestion occurs, the device sends
packets with higher priorities first.
CFI 1 bit Canonical Format Indicator The value 0 indicates that the MAC
(CFI), indicating whether a address is encapsulated in canonical
MAC address is encapsulated in format, and the value 1 indicates that
canonical format over different the MAC address is encapsulated in
transmission media. CFI is used non-canonical format. The CFI field
to ensure compatibility between has a fixed value of 0 on Ethernet
Ethernet and token ring networks.
networks.
VID 12 VLAN ID (VID), indicating the VLAN IDs range from 0 to 4095. The
bits VLAN to which a frame values 0 and 4095 are reserved, and
belongs. therefore valid VLAN IDs range from
1 to 4094.
The device identifies the VLAN that a frame belongs to according to the information
contained in the VID field. Broadcast frames are forwarded only in the local VLAN. That is, a
broadcast domain is confined to within a single VLAN.
VLAN Tags in Received and Sent Frames

In a VLAN, Ethernet frames are classified into the following types:
l Tagged frame: frame with a 4-byte VLAN tag
l Untagged frame: frame without a 4-byte VLAN tag
Common devices process tagged and untagged frames as follows:
l User hosts, servers and hubs can only receive and send untagged frames.
l Switches, routers, and ACs can receive and send both tagged and untagged frames.
l Voice terminals and APs can receive and send tagged and untagged frames
simultaneously.
All frames processed in a device carry VLAN tags so as to improve frame processing
efficiency.

3.2.3.2 Link and Interface Types
All frames processed in a router carry VLAN tags. On a live network, some devices
connected to a router can only receive and send untagged frames. To enable communication
between the Router and these devices, the Router interface must be able to identify the
untagged frames and add or remove VLAN tags from the frames. Hosts in the same VLAN
may be connected to different Routers, and more than one VLAN may span multiple Routers.
To enable communication between hosts, interfaces between Routers must be able to identify
and send VLAN frames.
To accommodate different connections and networking, the device defines three interface
types (access, trunk, and hybrid) and two link types (access and trunk), as shown in Figure
3-7.
Figure 3-7 Link and interface types

2
3
Router Router
4
2
4
Router Router
Hub Hub
VLAN2 VLAN3 VLAN4 VLAN2 VLAN3 VLAN4
Access link
Trunk link Untagged frame
Access interface 2 Tagged frame, VID=2
Trunk interface 3 Tagged frame, VID=3
4 Tagged frame, VID=4
Hrbrid interface
Link Types
As shown in Figure 3-7, Ethernet links fall into the following types, depending on the number
of allowed VLANs:
l Access link
An access link can transmit data frames of only one VLAN. It connects a device to a user
terminal, such as a host or server. Generally, user terminals do not need to know the
VLANs to which they belong and cannot identify tagged frames; therefore, only
untagged frames are transmitted along an access link.

l Trunk link
A trunk link can transmit data frames from multiple VLANs. It connects devices. Frames
on a trunk link must be tagged so that other network devices can correctly identify
VLAN information in the frames.
Interface Types
As shown in Figure 3-7, Ethernet interfaces are classified into the following types depending
on the objects connected to them and the way they process frames:
l Access interface
An access interface often connects to a user terminal such as a user host or server that
cannot identify VLAN tags, or is used when VLANs do not need to be differentiated.
Access interfaces can only receive and send untagged frames, and can add only a unique
VLAN tag to untagged frames.
l Trunk interface
A trunk interface often connects to a switch, router, AP, or voice terminal that can
receive and send tagged and untagged frames simultaneously. It allows tagged frames
from multiple VLANs and untagged frames from only one VLAN.
l Hybrid interface
A hybrid interface can connect to not only a user terminal (such as a user host or server)
or network device (such as a hub) that cannot identify tags, but also a switch, router,
voice terminal, or AP that can receive and send tagged and untagged frames. It allows
tagged frames from multiple VLANs. Frames sent out from a hybrid interface are tagged
or untagged according to the VLAN configuration.
Hybrid and trunk interfaces are interchangeable in some scenarios, yet hybrid interfaces
are required in certain specific scenarios. For example, if an interface connects to
different VLAN network segments (such as the router interface connected to a hub in
Figure 3-7 ), the interface must be a hybrid interface because it needs to add tags to
untagged frames of multiple VLANs.
3.2.3.3 Default VLAN
The default VLAN ID of an interface is called the port default VLAN ID (PVID). Frames
processed in a device all carry VLAN tags. When the device receives an untagged frame, it
adds a VLAN tag to the frame according to the default VLAN of the interface that receives
the frame.
For details on how to add or remove tags when the interface receives and sends frames, see
3.2.3.4 Adding and Removing VLAN Tags.
Each interface has a default VLAN. By default, the default VLAN ID of all interfaces is
VLAN 1. You can change the default VLAN ID as required.
l The default VLAN of an access interface is the VLAN allowed by the access interface.
You can change the default VLAN of an access interface to change the allowed VLAN.
l Trunk and hybrid interfaces allow multiple VLANs but have only one default VLAN.
Default VLAN and VLANs allowed by the trunk and hybrid interfaces should be
configured separately.
3.2.3.4 Adding and Removing VLAN Tags

Ethernet data frames are tagged or untagged based on the interface type and default VLAN.
The following describes how access, trunk, and hybrid interfaces process data frames.
Access Interface
Figure 3-8 and Figure 3-9 shows how an access interface adds and removes VLAN tags.
Figure 3-8 Access interface adding VLAN tags

Receive a
frame
No
Carry tag?
Yes
Same No
Discard
VID and PVID?
Yes
Accept it and add
Accept the frame
PVID
Further
processing
Figure 3-9 Access interface removing VLAN tags

Prepare for
sending a frame
Remove tag
Send the frame
Trunk Interface
Figure 3-10 and Figure 3-11 shows how a trunk interface adds and removes VLAN tags.

Figure 3-10 Trunk interface adding VLAN tags

Receive a
frame
No
Carry tag?
Yes
Accept it and add No

Is VID allowed? Discard
PVID
Yes
Accept the frame
Further
processing
Figure 3-11 Trunk interface removing VLAN tags

Prepare for
sending a frame
No
Same as PVID?
Yes
Retain tag Remove tag
Send the frame
Hybrid Interface
Figure 3-12 and Figure 3-13 shows how a hybrid interface adds and removes VLAN tags.

Figure 3-12 Hybrid interface adding VLAN tags

Receive a
frame
No
Carry tag?
Yes
No
Add the PVID Is VID allowed? Discard
Yes
Accept the frame
Further
processing
Figure 3-13 Hybrid interface removing VLAN tags

Prepare for
sending a frame
No Does device
add tag to it?
Yes
Remove tag Retain tag
Send the frame

Frame Processing on Different Interfaces
Table 3-2 Frame processing based on the port type

Port Untagged Frame Tagged Frame Frame
Type Processing Processing Transmission
Access Accepts an untagged l Accepts the tagged After the PVID tag is
port frame and adds a tag with frame if the frame's stripped, the frame is
the default VLAN ID to VLAN ID matches the transmitted.
the frame. default VLAN ID.
l Discards the tagged
frame if the frame's
VLAN ID differs from
the default VLAN ID.
Trunk l Adds a tag with the l Accepts a tagged l If the frame's

port default VLAN ID to frame if the VLAN ID VLAN ID
the untagged frame carried in the frame is matches the
and then transmits it if permitted by the port. default VLAN ID
the default VLAN ID l Discards a tagged and the VLAN ID
is permitted by the frame if the VLAN ID is permitted by the
port. carried in the frame is port, the device
l Adds a tag with the denied by the port. removes the tag
default VLAN ID to and transmits the
the untagged frame frame.
and then discards it if l If the frame's
the default VLAN ID VLAN ID differs
is denied by the port. from the default
VLAN ID, but the
VLAN ID is still
permitted by the
port, the device
will directly
transmit the
frame.
Hybrid l Adds a tag with the l Accepts a tagged If the frame's VLAN
port default VLAN ID to an frame if the VLAN ID ID is permitted by the
untagged frame and carried in the frame is port, the frame is
accepts the frame if the permitted by the port. transmitted. The port
port permits the default l Discards a tagged can be configured
VLAN ID. frame if the VLAN ID whether to transmit
l Adds a tag with the carried in the frame is frames with tags.
default VLAN ID to an denied by the port.
untagged frame and
discards the frame if
the port denies the
default VLAN ID.
Interfaces process received frames as follows:

l Access, trunk, and hybrid interfaces add VLAN tags to received untagged frames. Trunk
and hybrid interfaces determine whether to accept untagged frames depending on
whether VLANs specified by the VLAN IDs in the frames are allowed, whereas an
access interface accepts the untagged frames unconditionally.
l Access, trunk, and hybrid interfaces determine whether to accept tagged frames
depending on whether VLANs specified by the VLAN IDs in the frames are allowed (the
VLAN ID allowed by an access interface is the default VLAN ID).
l Interfaces send frames as follows:
– An access interface directly removes VLAN tags from frames before sending the
frames.
– A trunk interface removes VLAN tags from frames only when their VLAN IDs are
the same as the PVID on the interface.
– A hybrid interface determines whether to remove VLAN tags from frames based on
the interface configuration.
Frames sent by an access interface are all untagged. On a trunk interface, only frames of
one VLAN are sent with tags, and frames of other VLANs are sent without tags. On a
hybrid interface, you can specify the VLANs of which frames are sent with or without
tags.
3.2.4 Intra-VLAN Layer 2 Isolation

You can add different users to different VLANs to implement Layer 2 isolation between users.
If an enterprise has many users, VLANs have to be allocated to all users that are not allowed
to communicate with each other. This user isolation method uses a large number of VLANs
and makes configuration more complex, increasing the maintenance workload of the network
administrator.
Huawei provides intra-VLAN Layer 2 isolation technologies including port isolation, MUX
VLAN, and Modular QoS Command-Line Interface (MQC).
Port Isolation
Port isolation can isolate interfaces in a VLAN. You can add interfaces to a port isolation
group to disable Layer 2 packet transmission between the interfaces. Interfaces in different
port isolation groups or out of port isolation groups can exchange packets with other
interfaces. In addition, interfaces can be isolated unidirectionally, providing more secure and
flexible networking.
For details about port isolation, see Configuring Interface Isolation in Huawei AR Series
Access Routers Configuration Guide - Interface Management.
MUX VLAN
Multiplex VLAN (MUX VLAN) provides a mechanism to control network resources using
VLANs. It can implement inter-VLAN communication and intra-VLAN isolation.
For example, an enterprise has the following requirements:
l Employees can communicate with each other but customers are isolated.
l Both employees and customers can access enterprise servers.
You can deploy the MUX VLAN to meet the preceding requirements.

For details about the MUX VLAN feature, see 5 MUX VLAN Configuration.
Intra-VLAN Layer 2 Isolation Based on the Traffic Policy

A traffic policy is configured by binding traffic classifiers to traffic behaviors. You can define
traffic classifiers on a device to match packets with certain characteristics and associate the
traffic classifiers with the permit or deny behavior in a traffic policy. The device then permits
or denies packets matching the traffic classifiers. In this way, intra-VLAN unidirectional or
bidirectional isolation is implemented based on the traffic policy.
The device supports intra-VLAN Layer 2 isolation based on MQC and simplified ACL-based
traffic policies. For details about MQC and simplified ACL-based traffic policies, see MQC
Configuration and ACL-based Simplified Traffic Policy Configuration in Huawei AR Series
Access Routers Configuration Guide - QoS.
3.2.5 Inter-VLAN Layer 3 Isolation
After inter-VLAN Layer 3 connectivity is implemented between two VLANs, all users in the
VLANs can communicate. In some scenarios, communication between some users needs to
be prevented or only unidirectional communication is allowed. For example, user hosts and
servers often use unidirectional communication, and visitors to an enterprise are often allowed
to access only the Internet or some servers. In these scenarios, you need to configure inter-
VLAN isolation.
Inter-VLAN isolation is often implemented using a traffic policy. You can define traffic
classifiers on a device to match packets with certain characteristics and associate the traffic
classifiers with the permit or deny behavior in a traffic policy. The device then permits or
rejects the packets matching the traffic classifiers. This technology implements flexible inter-
VLAN isolation.
The device supports inter-VLAN Layer 3 isolation based on MQC and simplified ACL-based
traffic policies. For details about MQC and simplified ACL-based traffic policies, see MQC
Configuration and ACL-based Simplified Traffic Policy Configuration in Huawei AR Series
Access Routers Configuration Guide - QoS.
3.2.6 Management VLAN

To use a remote network management system (NMS) to manage devices in a centralized
manner, configure a management IP address on the device. You can then use the management
IP address to log in to the device using STelnet and manage the device. If a user-side interface
is added to the VLAN corresponding to the management IP address, users connected to the
interface can also log in to the device. This poses security risks to the device.
To enhance security, you can configure the VLAN as the management VLAN (mVLAN).
Access or Dot1q tunnel interfaces cannot be added to the mVLAN. (The VLANs not specified
as the mVLAN are service VLANs.) Access and Dot1q tunnel interfaces are often connected
to users. When these interfaces are prevented from joining the mVLAN, users connected to
the interfaces cannot log in to the device, improving device security.
3.3 Application Scenarios for VLANs

3.3.1 Using VLAN Assignment to Implement Layer 2 Isolation

As shown in Figure 3-14, there are multiple companies in a building. These companies share
network resources to reduce costs. Networks of the companies connect to different interfaces
of Router2 and access the Internet through an egress.
Figure 3-14 Networking of interface-based VLAN assignment
Router1
Router2
CompanyA CompanyB CompanyC

VLAN 2 VLAN 3 VLAN 4
To isolate services and ensure service security of different companies, add interfaces
connected to the companies to different VLANs. Each company has a virtual router and each
VLAN is a virtual work group.
3.3.2 Using VLANIF Interfaces to Implement Inter-VLAN Layer 3

Connectivity
VLANIF interfaces are used to implement inter-VLAN Layer 3 connectivity when devices are
connected to the same router or different routers.
Inter-VLAN Layer 3 Connectivity Between Devices Connected to the Same

Device
As shown in Figure 3-15, departments 1 and 2 of a small-scale company belong to VLAN 2
and VLAN 3, respectively, and connect to Router through Layer 2 switches. Packets
exchanged between the two departments need to pass Router.

Figure 3-15 Using VLANIF interfaces to implement inter-VLAN communication through the
same device
Router
VLANIF2 VLANIF3
Switch_1 Switch_2
Department 1 Department 2
PC_1 PC_2
VLAN2 VLAN3
Assign VLANs on Switch_1 and Switch_2, configure Switch_1 and Switch_2 to transparently
transmit VLAN packets to Router, and configure a VLANIF interface for each VLAN on
Router to allow communication between VLAN 2 and VLAN 3.
Inter-VLAN Layer 3 Connectivity Between Devices Connected to Different Layer

3 Routers
As shown in Figure 3-16, departments 1 and 2 of a medium- or large-scale company are
connected across two or more routers, and belong to VLAN 2 and VLAN 3 respectively.
Packets exchanged between the two departments need to pass the routers.
Figure 3-16 Using VLANIF interfaces to implement inter-VLAN communication through

multiple Layer 3 routers
Router_1 Router_2
Layer 3 network
VLANIF2 VLANIF3
Switch Switch
PC_1 PC_2
VLAN2 VLAN3
Assign VLANs on the switches, and configure the switches to transparently transmit VLAN
packets to Router_1 and Router_2. Configure a VLANIF interface for each user VLAN and

interconnected VLANs on switches, and configure VLANIF interfaces for interconnected

VLANs on other Layer 3 devices. In addition, configure static routes or a dynamic routing
protocol between Router_1 and Router_2 (a dynamic routing protocol is recommended when
devices are connected across more than two routers).
3.3.3 Using a Traffic Policy to Implement Inter-VLAN Access

Control
As shown in Figure 3-17, to ensure communication security, a company divides the network
into visitor area, employee area, and server area, and assigns VLAN 10, VLAN 20, and
VLAN 30 to the areas respectively. The company has the following requirements:
l Employees, visitors, and servers can access the Internet.
l Visitors cannot communicate with employees and can access only Server_1 in the server
area.
Figure 3-17 Using a traffic policy to implement inter-VLAN access control
Internet
Router_0
VLANIF100
Router
VLANIF10 VLANIF30
VLANIF20
Switch Switch Switch
Visitor Employee Server

area area area
Visitor_1 Employee_1 Server_1
10.1.1.2/24 10.1.2.2/24 10.1.3.2/24
VLAN10 VLAN20 VLAN30
After the central router (Router) is configured with VLANIF 10, VLANIF 20, VLANIF 30,
and VLANIF 100 and a route to the Router_0, employees, visitors, and servers can access the
Internet and communicate with each other. To control access rights of visitors, configure a
traffic policy on the central router and define the following rules:
l ACL rule 1: denies the packets sent from the IP network segment of visitors to the IP
segment of employees.
l ACL rule 2: permits the packets from the IP network segment of visitors to the IP
address of Server_1, and denies the packets from the IP network segment of visitors and
to the IP segment of servers.

l ACL rule 3: denies the packets from the IP network segment of employees to the IP
segment of visitors.
l ACL rule 4: denies the packets from the IP network segment of servers to the IP segment
of visitors.
Apply the traffic policy to the inbound and outbound direction of the central router interface
connected to the visitor area. Visitors can then only access Server_1 and cannot communicate
with employees.
3.4 Summary of VLAN Configuration Tasks

Table 3-3 describes the VLAN configuration tasks. Figure 3-18 illustrates the logical
relationship between configuration tasks.
Figure 3-18 Logical relationship between configuration tasks
Assign VLANs
Configure VLANIF
Configure MQC-based
interfaces to
intra-VLAN Layer 2 Configure VLAN
implement inter-VLAN
isolation
communication
Configure MQC to
implement inter-VLAN
isolation
Table 3-3 VLAN configuration tasks

Configuration Task Description
3.7.1 Configuring VLAN VLANs can isolate the hosts that do not need to
Assignment communicate with each other, which improves network
security, reduces broadcast traffic, and mitigates broadcast
storms.

Configuration Task Description
3.7.2 Configuring Inter- After VLANs are assigned, users in different VLANs
VLAN Communication cannot directly communicate with each other. If users in
different VLANs need to communicate, configure VLANIF
interfaces to implement inter-VLAN Layer 3 connectivity.
3.7.3 Configuring a Traffic After VLANs are assigned, users in the same VLAN can
Policy to Implement Intra- directly communicate with each other. If some users in the
VLAN Layer 2 Isolation same VLAN need to be isolated, configure MQC-based
intra-VLAN Layer 2 isolation.
NOTE
Intra-VLAN isolation can also be implemented using port
isolation. For details about port isolation, see Configuring
Interface Isolation in Huawei AR Series Access Routers
Configuration Guide - Interface Management.
3.7.4 Configuring a Traffic After VLANIF interfaces are configured to implement

Policy to Implement Inter- inter-VLAN connectivity, users in different VLANs can
VLAN Layer 3 Isolation communicate at Layer 3. If some users in different VLANs
require unidirectional communication or need to be
isolated, configure a traffic policy.
3.7.5 Configuring an To use the NMS to manage devices in a centralized

mVLAN manner, assign VLANs and configure a VLAN as the
management VLAN.
3.5 Default Settings for VLANs

Table 3-4 Default setting for VLANs
Parameter Default Setting
Default Interf Hybrid

configu ace
ration type
of an
interfac Defa VLAN 1
e ult
VLA
N
VLA VLAN 1 that interfaces join in untagged mode (port hybrid untagged
N vlan 1)
that
an
interf
ace
joins
Damping time 0s

Traffic statistics Disabled

collection in a
VLAN
3.6 Licensing Requirements and Limitations for VLANs

None
VLAN is a basic feature of a router and is not under license control.
Feature Limitations
When deploying VLAN on the router, pay attention to the following:
l You are advised to plan service and management VLANs so that any broadcast storms in
service VLANs do not affect device management.
l In practice, specify VLANs from which packets need to be transparently transmitted by a
trunk interface. Do not use the port trunk allow-pass vlan all command if possible.
l All interfaces join VLAN 1 by default. When unknown unicast, multicast, or broadcast
packets of VLAN 1 exist on the network, broadcast storms may occur. When VLAN 1 is
used, pay attention to the following points:
– Remove the interfaces that do not need to join VLAN 1 from VLAN 1 to prevent
loops.
– You are advised to remove interfaces from VLAN 1 in Eth-Trunk or ring
networking.
– When connecting to an access device, to prevent broadcast storms in VLAN 1, do
not configure the uplink interface of the access device to transparently transmit
packets from VLAN 1.
3.7 Configuring VLAN

3.7.1 Configuring VLAN Assignment
Context
VLANs can isolate the hosts that do not need to communicate with each other, which
improves network security, reduces broadcast traffic, and mitigates broadcast storms.
After an interface is added to a VLAN, the interface can forward packets from the VLAN.
Interface-based VLAN assignment allows hosts in the same VLAN to communicate and

prevents hosts in different VLANs from communicating, so broadcast packets are limited in a
VLAN.
Ethernet interfaces are classified into access, trunk, and hybrid interfaces according to the
objects connected to the Ethernet interfaces and number of VLANs from which untagged
frames are permitted (see Interface Types):
l Access interface
The router processes only tagged frames and an access interface connected to devices
only receive and send untagged frames, so the access interface needs to add a VLAN tag
to received frames. That is, you must configure the default VLAN for the access
interface. After the default VLAN is configured, the access interface joins the VLAN.
An access interface needs to process only untagged frames. If a user connects a
switching device to a user-side interface without permission, the user-side interface may
receive tagged frames. You can configure the user-side interface to discard tagged
frames, preventing unauthorized access.
l Trunk interface
When a trunk interface connects to a device such as an AP or a voice terminal that can
receive and send tagged and untagged frames simultaneously, you need to configure the
default VLAN for the trunk interface so that the trunk interface can add the VLAN tag to
untagged frames.
l Hybrid interface
When a hybrid interface connects to an AP, a voice terminal, a hub, a host, or a server
that sends untagged frames to the router, you need to configure the default VLAN for the
hybrid interface so that the hybrid interface can add the VLAN tag to untagged frames.
Frames sent by a router all carry VLAN tags. In some scenarios, VLAN tags need to be
removed from frames sent by a hybrid interface. A trunk interface allows untagged
packets from only one VLAN, so the interface must be configured as hybrid.
By default, the type of an interface is hybrid, the default VLAN is VLAN 1, and an interface
joins VLAN 1 in untagged mode.
Procedure
l Configuring the default VLAN for an access interface
a. Run system-view
b. Run vlan vlan-id
A VLAN is created and the VLAN view is displayed, or the view of an existing
VLAN is displayed.
c. Run quit
Return to the system view.
d. Run interface interface-type interface-number
The view of the Ethernet interface to be added to the VLAN is displayed.
e. (Optional) Run portswitch
mode.

f. Run port link-type access

The Ethernet interface is configured as the access interface.
g. Run port default vlan vlan-id
The default VLAN is configured for the interface and the interface is added to the
specified VLAN.
l Configuring the default VLAN for a trunk interface
a. Run system-view
b. Run vlan vlan-id
VLAN is displayed.
c. Run quit
mode.
f. Run port link-type trunk
The Ethernet interface is configured as the trunk interface.
g. Run port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The interface is added to the specified VLAN.
h. (Optional) Run port trunk pvid vlan vlan-id
The default VLAN is configured for the trunk interface.
This step is not supported in the VE interface view.
NOTE
When the VLAN allowed by an interface is the default VLAN of the interface, packets from the
VLAN are forwarded in untagged mode.
l Configuring the default VLAN for a hybrid interface
a. Run system-view
b. Run vlan vlan-id
VLAN is displayed.
c. Run quit

mode.
f. Run port link-type hybrid
The Ethernet interface is configured as the hybrid interface.
g. Run the following commands as required.
n Run port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The hybrid interface is added to the VLAN in untagged mode.
n Run port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
The hybrid interface is added to the VLAN in tagged mode.
h. (Optional) Run port hybrid pvid vlan vlan-id
The default VLAN is configured for the hybrid interface.
This step is not supported in the VE interface view.
----End
Configuration Tips
Creating VLANs in a batch
To create multiple VLANs in a batch, run the vlan batch command in the system view.
For example:
l Create 10 contiguous VLANs: VLANs 11 to 20.
[Huawei] vlan batch 11 to 20
l Create 10 incontiguous VLANs in a batch: VLAN 10, VLANs 15 to 19, VLAN 25,
VLANs 28 to 30.
[Huawei] vlan batch 10 15 to 19 25 28 to 30
NOTE
You can create a maximum of 10 incontiguous VLANs or VLAN range at one time. If there are
more than 10 VLANs, run this command multiple times. For example, the vlan batch 10 15 to 19
25 28 to 30 command creates four incontiguous VLAN ranges.
Configuring a name for a VLAN

When multiple VLANs are created on the device, you are advised to configure names for the
VLANs to facilitate management. After a name is configured for a VLAN, you can directly
enter the VLAN view using the name.
# Set the name of VLAN 10 to huawei.
[Huawei] vlan 10
[Huawei-vlan10] name huawei
# After a name is configured for a VLAN, you can directly enter the VLAN view using the
name.
[Huawei] vlan vlan-name huawei

Adding interfaces to a VLAN in a batch
To perform the same VLAN configuration for multiple Ethernet interfaces, use the port group,
which can reduce the workload. To add access interfaces to a VLAN in a batch, you can also
run the port interface-type { interface-number1 [ to interface-number2 ] }&<1-10> command
in the VLAN view. For details, see 3.10.2 How to Add Interfaces to a VLAN in a Batch.
Restoring the default VLAN configuration of an interface
If the VLAN planning of an interface is changed, you need to delete the original VLAN
configuration of the interface. If many incontiguous VLANs are configured on the interface,
you need to delete the original VLAN configuration multiple times. To reduce deletion
operations, restore the default VLAN configuration of the interface. For details, see 3.10.3
How to Restore the Default VLAN Configuration of an Interface.
Changing the interface type
When the interface planning changes or the current interface type is different from the
configured one, the interface type needs to be changed. For details, see 3.10.4 How to
Change the Link Type of an Interface.
Deleting a VLAN
If a VLAN is not in use, you are advised to delete it immediately by running the command
undo vlan vlan-id or undo vlan batch vlan-id1 to vlan-id2, in order to save VLAN resources
and reduce packets on a network.

l Run the display vlan [ { vlan-id | vlan-name vlan-name } [ verbose ] ] command to
check information about all VLANs or a specified VLAN.
3.7.2 Configuring Inter-VLAN Communication
Context
After VLANs are assigned, users in the same VLAN can communication with each other
while users in different VLANs cannot. If some users in different VLANs need to
communicate, configure inter-VLAN communication.
A VLANIF interface is a Layer 3 logical interface and can implement inter-VLAN Layer 3
connectivity. It is simple to configure a VLANIF interface, so the VLANIF interface is the
most commonly used technology. Each VLAN corresponds to a VLANIF interface. After an
IP address is configured for a VLANIF interface, the VLANIF interface is used as the
gateway of the VLAN and forwards packets across network segments at Layer 3 based on IP
addresses.
If a VLAN goes Down because all interfaces in the VLAN go Down, the system immediately
reports the VLAN Down event to the corresponding VLANIF interface, instructing the
VLANIF interface to go Down. To avoid network flapping caused by the change of the
VLANIF interface status, enable VLAN damping on the VLANIF interface. After the last
interface in Up state in a VLAN goes Down, the device enabled with VLAN damping starts a
delay timer and informs the corresponding VLANIF interface of the VLAN Down event after
the timer expires. If an interface in the VLAN goes Up during the delay, the VLANIF
interface remains Up.

The Maximum Transmission Unit (MTU) determines the maximum number of bytes each
time a sender can send. If the size of packets exceeds the MTU supported by a receiver or a
transit node, the receiver or transit node fragments the packets or even discards them,
aggravating the network transmission load. To avoid this problem, set the MTU of the
VLANIF interface.
After configuring bandwidth for a VLANIF interface, you can use the NMS to query the
bandwidth. This facilitates traffic monitoring.
NOTE
As shown in 3.2.2 Inter-VLAN Communication, in addition to using a VLANIF interface to inter-

VLAN communication, you can also use the VLAN aggregation and Dot1q termination sub-interface.
This section uses the VLANIF interface to implement inter-VLAN communication.
l For details about the Dot1q termination sub-interface, see 6.6 Configuring a Dot1q Termination
Sub-interface to Implement Inter-VLAN Communication.
l For details about VLAN aggregation, see 4 VLAN Aggregation Configuration.
After a VLANIF interface is configured, the corresponding VLAN cannot be configured as a sub-VLAN
or principal VLAN.
Before configuring inter-VLAN communication, complete the following tasks:
l 3.7.1 Configuring VLAN Assignment

l Configuring the default gateway address of hosts as the IP address of the VLANIF
interface
Procedure
Step 2 Run interface vlanif vlan-id
The VLANIF interface view is displayed.
The number of a VLANIF interface must correspond to a created VLAN.
A VLANIF interface goes Up only when at least one physical interface in the corresponding
VLAN is in Up state.
An IP address is configured for the VLANIF interface to implement Layer 3 connectivity.
If IP addresses assigned to VLANIF interfaces belong to different network segments, you

need to configure a routing protocol on the device to provide reachable routes.
Each VLANIF interface can be configured with one primary IP address and multiple
secondary IP addresses. A maximum of 31 secondary IP addresses can be configured.
NOTE
An IP address of a VLANIF interface can be statically configured or dynamically obtained using DHCP.
For details about DHCP, see DHCP Configuration in Huawei AR Series Access Routers Configuration
Guide - IP Services.

Step 4 (Optional) Run damping time delay-time

The delay of VLAN damping is set.
The value ranges from 0 to 20, in seconds. By default, the delay is 0 seconds, indicating that
VLAN damping is disabled.
Step 5 (Optional) Run mtu mtu
The MTU of the VLANIF interface is set.
By default, the value is 1500 bytes.
Step 6 (Optional) Run bandwidth bandwidth
The bandwidth of the VLANIF interface is set.
----End

l Run the display interface vlanif [ vlan-id ] command to check the status, configuration,
and traffic statistics of the VLANIF interface.
NOTE
Only the VLANIF interface in Up state can forward packets at Layer 3. When the VLANIF
interface goes Down, rectify the fault according to 3.9.2 A VLANIF Interface Goes Down.
3.7.3 Configuring a Traffic Policy to Implement Intra-VLAN

Layer 2 Isolation
Context
After VLANs are assigned, users in the same VLAN can communication with each other. If
users in a VLAN need to be isolated unidirectionally or bidirectionally, configure a traffic
policy.
A traffic policy is configured by binding traffic classifiers to traffic behaviors. The device
classifies packets according to packet information, and associates a traffic classifier with a
traffic behavior to reject the packets matching the traffic classifier, implementing intra-VLAN
isolation.
Router provides intra-VLAN Layer 2 isolation based on MQC and based on the simplified
ACL-based traffic policy.
Before configuring a traffic policy to implement intra-VLAN Layer 2 isolation, complete the
following task:
Procedure
l Configure MQC to implement intra-VLAN Layer 2 isolation.
Perform the following MQC configurations to implement intra-VLAN Layer 2 isolation:

– Specify permit or deny in the traffic behavior.

– Apply the traffic policy to a VLAN or an interface that allows the VLAN.
For details about how to configure MQC, see Configuring Packet Filtering in Huawei AR
Series Access Routers Configuration Guide - QoS.
l Configure a simplified ACL-based traffic policy to implement intra-VLAN Layer 2
isolation.
For details about how to configure a simplified ACL-based traffic policy, see
Configuring ACL-based Packet Filtering in Huawei AR Series Access Routers
Configuration Guide - QoS.
----End
3.7.4 Configuring a Traffic Policy to Implement Inter-VLAN

Layer 3 Isolation
Context
After inter-VLAN Layer 3 connectivity is configured, if some users in different VLANs
require unidirectional access or need to be isolated, configure inter-VLAN Layer 3 isolation.
Inter-VLAN Layer 3 isolation is implemented using a traffic policy. A traffic policy is

configured by binding traffic classifiers to traffic behaviors. The router classifies packets
according to IP addresses or other information in packets, and associates a traffic classifier
with a traffic behavior to reject the packets matching the traffic classifier, implementing inter-
VLAN Layer 3 isolation.
Router provides inter-VLAN Layer 3 isolation based on MQC and based on the simplified
ACL-based traffic policy. You can select one of them according to your needs.
Before configuring a traffic policy to implement inter-VLAN Layer 3 isolation, complete the
following task:
l 3.7.2 Configuring Inter-VLAN Communication
Procedure
l Configure MQC to implement inter-VLAN Layer 3 isolation.
Perform the following MQC configurations to implement inter-VLAN Layer 3 isolation:

– Specify permit or deny in the traffic behavior.
– Apply the traffic policy to a VLAN or an interface that allows the VLAN.
For details about how to configure MQC, see Configuring Packet Filtering in Huawei AR
Series Access Routers Configuration Guide - QoS.
l Configure a simplified ACL-based traffic policy to implement inter-VLAN Layer 3
isolation.

For details about how to configure a simplified ACL-based traffic policy, see
Configuring ACL-based Packet Filtering in Huawei AR Series Access Routers
Configuration Guide - QoS.
----End
3.7.5 Configuring an mVLAN
Context
Management VLAN (mVLAN) allows you to use the VLANIF interface of the mVLAN to
log in to the management router to manage devices in a centralized manner.
To use a remote network management system (NMS) to manage devices in a centralized
manner, configure a management IP address on the device. You can then log in to the device
in Telnet mode and manage the device by using the management IP address. The management
IP address can be configured on a management interface or VLANIF interface. If a user-side
interface is added to the VLAN, users connected to the interface can also log in to the device.
This brings security risks to the device.
After a VLAN is configured as an mVLAN, no access interface or Dot1q tunnel interface can
be added to the VLAN. Access and Dot1q tunnel interfaces are often connected to users.
When these interfaces are prevented from joining the mVLAN, users connected to the
interfaces cannot log in to the device, improving device security.
Generally, a VLANIF interface needs to be configured with only one management IP
addresses. In specified scenarios, for example, users in the same mVLAN belong to multiple
different network segments, you need to configure a primary management IP address and
multiple secondary management IP addresses.
You can only log in to the local device using the management interface, whereas you can log
in to both local and remote devices using a VLANIF interface of an mVLAN. When logging
in to the remote device using the VLANIF interface of an mVLAN, you need to configure
VLANIF interfaces on both local and remote devices and assign IP addresses on the same
network segment to them.
Before configuring an mVLAN, complete the following task:
NOTE
Only trunk and hybrid interfaces can join the mVLAN.
Procedure
Step 3 Run management-vlan

The VLAN is configured as the mVLAN.

VLAN 1 cannot be configured as the mVLAN.
Step 4 Run quit
Exit from the VLAN view.
A VLANIF interface is created and its view is displayed.
An IP address is assigned to the VLANIF interface.
----End
Follow-up Procedure
Log in to the router to implement centralized management through the NMS. Select either of
the following login modes according to your needs:
l To manage local devices, log in to the local router using Telnet, STelnet. For details, see
Configuring Telnet Login, Configuring STelnet Login in Huawei AR Series Access
Routers Configuration Guide – Basic Configurations.
l To manage remote devices, log in to the local device using Telnet or STelnet and log in
to remote devices using Telnet or STelnet from the local device. For details, see
(Optional) Using Telnet to Log In to Another Device From the Local Device, or
(Optional) Using STelnet to Log In to Another Device from the Local Device in Huawei
AR Series Access Routers Configuration Guide – Basic Configurations.
The login IP address is the IP address of the VLANIF interface of an mVLAN.

l Run the display vlan command to check the mVLAN configuration. In the command
output, the VLAN marked with a * is the mVLAN.
3.8 Configuration Examples for VLANs
3.8.1 Example for Configuring VLAN Assignment
As shown in Figure 3-19, multiple user terminals are connected to devices in an enterprise.
Users who use the same service access the enterprise network using different devices.
To ensure the communication security and avoid broadcast storms, the enterprise wants to
allow users who use the same service to communicate with each other and isolate users who
use different services.
Configure interface-based VLAN assignments on the device and add interfaces connected to
terminals of users who use the same service to the same VLAN. Users in different VLANs
communicate at Layer 2, and users in the same VLAN can communicate directly.

Figure 3-19 Networking of interface-based VLAN assignment

Eth2/0/3 Eth2/0/3
RouterA RouterB
Eth2/0/1 Eth2/0/2 Eth2/0/1 Eth2/0/2
User1 User3 User2 User4

VLAN2 VLAN3 VLAN2 VLAN3
1. Create VLANs and add interfaces connecting to user terminals to VLANs to isolate
Layer 2 traffic between users who use different services.
2. Configure the type of link between RouterA and RouterB and VLANs to allow users
who use the same service to communicate.
Procedure
Step 1 Create VLAN 2 and VLAN 3 on RouterA, and add interfaces connected to user terminals to
different VLANs. The configuration of RouterB is similar to that of RouterA, and is not
mentioned here.
[RouterA] vlan batch 2 3
[RouterA-Ethernet2/0/1] port link-type access
[RouterA-Ethernet2/0/1] port default vlan 2
Step 2 Configure the type of the interface connected to RouterB on RouterA and VLANs. The
configuration of RouterB is similar to that of RouterA, and is not mentioned here.

[RouterA-Ethernet2/0/3] port trunk allow-pass vlan 2 3
# Add User1 and User2 to the same IP address segment, for example, 192.168.100.0/24; add
User3 and User4 to the same IP address segment, for example, 192.168.200.0/24.
# Only User1's and User2's terminals can ping each other, and only User3's and User4's
terminals can ping each other.
----End

Configuration Files
#
sysname RouterA
#
vlan batch 2 to 3
#
port link-type access
port default vlan 2
#
port default vlan 3
#
port trunk allow-pass vlan 2 to 3
#
return

#
sysname RouterB
#
vlan batch 2 to 3
#
port default vlan 2
#
port default vlan 3
#
#
return
3.8.2 Example for Configuring VLANIF Interfaces to Implement

Inter-VLAN Communication
Different user hosts of a company transmit the same service, and are located on different
network segments. User hosts transmitting the same service belong to different VLANs and
need to communicate.
As shown in Figure 3-20, User1 and User2 use the same service but belong to different
VLANs and are located on different network segments. User1 and User2 need to
communicate.

Figure 3-20 Configuring VLANIF interfaces to implement inter-VLAN communication

Router
Eth2/0/0 Eth2/0/1
VLANIF10 VLANIF20
10.10.10.2/24 10.10.20.2/24
VLAN 10 VLAN 20
User1 User2
10.10.10.3/24 10.10.20.3/24
1. Create VLANs and determine VLANs that users belong to.

2. Add interfaces to VLANs and configure the interfaces to allow the VLANs.
3. Create VLANIF interfaces and configure IP addresses for the VLANIF interfaces to
implement Layer 3 connectivity.
NOTE
To implement inter-VLAN communication, hosts in each VLAN must use the IP address of the
corresponding VLANIF interface as the gateway address.
Procedure
Step 1 Configure the router.
# Create VLANs.
[Router] vlan batch 10 20
# Add interfaces to VLANs.

[Router-Ethernet2/0/0] port link-type access
[Router-Ethernet2/0/0] port default vlan 10
# Assign IP addresses to VLANIF interfaces.

[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.10.10.2 24
[Router-Vlanif10] quit

# Configure the IP address of 10.10.10.3/24 and default gateway address as 10.10.10.2/24

(VLANIF 10's IP address) for User1 in VLAN 10.
# Configure the IP address of 10.10.20.3/24 and default gateway address as 10.10.20.2/24
(VLANIF 20's IP address) for User2 in VLAN 20.
# After the configuration is complete, User1 in VLAN 10 and User2 in VLAN 20 can
communicate.
----End
Configuration Files
#
sysname Router
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface Vlanif20
ip address 10.10.20.2 255.255.255.0
#
port default vlan 10
#
#
return

Intra-VLAN Communication
As shown in Figure 3-21, Router_1 and Router_2 are connected to Layer 2 networks that
VLAN 10 belongs to. Router_1 communicates with Router_2 through a Layer 3 network
where OSPF is enabled.
PCs of the two Layer 2 networks need to be interwork at Layer 3.

Figure 3-21 Configuring VLANIF interfaces to implement intra-VLAN communication
Router_1 Router_2
Eth2/0/2 Eth2/0/2
OSPF
Eth2/0/1 Eth2/0/1
Eth2/0/2 Router_3 Router_4 Eth2/0/2
Eth2/0/1 Eth2/0/1
VLAN10 VLAN10
1. Add interfaces to VLANs and configure the interfaces to allow the VLANs.
2. Configure IP addresses for VLANIF interfaces to implement Layer 3 connectivity.
3. Configure basic OSPF functions to implement interworking.
Procedure
Step 1 Configure Router_1.
# Create VLAN 10 and VLAN 30.

[Huawei] sysname Router_1
[Router_1] vlan batch 10 30
# Add Eth2/0/1 to VLAN 10 and Eth2/0/2 to VLAN 30.

[Router_1] interface ethernet 2/0/1
[Router_1-Ethernet2/0/1] port link-type trunk
[Router_1-Ethernet2/0/1] port trunk allow-pass vlan 10
[Router_1-Ethernet2/0/1] quit
# Configure IP addresses of 10.10.10.1/24 and 10.10.30.1/24 for VLANIF 10 and VLANIF

30 respectively.
[Router_1] interface vlanif 10
[Router_1-Vlanif10] ip address 10.10.10.1 24
[Router_1-Vlanif10] quit


# Configure basic OSPF functions.

[Router_1] router id 1.1.1.1
[Router_1] ospf
[Router_1-ospf-1] area 0
[Router_1-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.255
[Router_1-ospf-1-area-0.0.0.0] quit

[Router_2] vlan batch 10 30
# Add Eth2/0/1 to VLAN 10 and Eth2/0/2 to VLAN 30.

# Configure IP addresses of 10.10.20.1/24 and 10.10.30.2/24 for VLANIF 10 and VLANIF

30 respectively.

[Router_2] router id 2.2.2.2
[Router_2] ospf
# Create VLAN 10, add Eth2/0/1 to VLAN 10 in untagged mode and Eth2/0/2 to VLAN 10 in
tagged mode. The configuration of Router_4 is similar to that of Router_3, and is not
mentioned here.
[Router_3] vlan batch 10
[Router_3-Ethernet2/0/1] port link-type access
[Router_3-Ethernet2/0/1] port default vlan 10


# On the PC of the Layer 2 network connected to Router_1, set the default gateway address to
the IP address of VLANIF10, that is, 10.10.10.1/24.
# On the PC of the Layer 2 network connected to Router_2, set the default gateway address to
the IP address of VLANIF10, that is, 10.10.20.1/24.
# After the configuration is complete, PCs on the two Layer 2 networks are interwork at Layer
3.
----End
Configuration Files
l Router_1 configuration file
#
sysname Router_1
#
router id 1.1.1.1
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface Vlanif30
ip address 10.10.30.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 10.10.10.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return

#
sysname Router_2
#
router id 2.2.2.2
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.10.20.1 255.255.255.0
#
interface Vlanif30
ip address 10.10.30.2 255.255.255.0
#
#
#
ospf 1

area 0.0.0.0
network 10.10.20.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return

#
sysname Router_3
#
vlan batch 10
#
#
#
return

#
sysname Router_4
#
vlan batch 10
#
#
#
return

Communication of Hosts on Different Network Segments in the
Same VLAN
On the enterprise network shown in Figure 3-22, hosts in the same VLAN belong to network
segments of 10.1.1.1/24 and 10.1.2.1/24. Hosts on the two network segments are required to
access the Internet through the Router and communicate.

Figure 3-22 Configuring VLANIF interfaces to implement communication of hosts on

different network segments in the same VLAN
Internet
Router_1 10.10.10.2/24
VLANIF10
Eth2/0/3 Primary IP: 10.1.1.1/24
Secondary IP: 10.1.2.1/24
Router VLANIF20
10.10.10.1/24
Eth2/0/1 Eth2/0/2
VLAN10
Host1 Host2
10.1.1.2/24 10.1.2.2/24
If only one IP address is configured for the VLANIF interface on the Router, only hosts on
one network segment can access the Internet through the Router. To enable all hosts on the
LAN can access the Internet through the Router, configure a secondary IP address for the
VLANIF interface. To enable hosts on the two network segments to communicate, the hosts
on the two network segments need to use the primary and secondary IP addresses of the
VLANIF interface as default gateway addresses.
1. Create VLANs and add interfaces to the VLANs.
2. Configure VLANIF interfaces and assign IP addresses to them so that hosts on the two
network segments can communicate.
3. Configure a routing protocol so that hosts can access the Internet through the Router.
Procedure
Step 1 Create VLANs and add interfaces to the VLANs on Router.
[Router] vlan batch 10 20
# Add Eth2/0/1 and Eth2/0/2 to VLAN 10 and Eth2/0/3 to VLAN 20.



[Router-Ethernet2/0/3] port link-type trunk
[Router-Ethernet2/0/3] port trunk allow-pass vlan 20
Step 2 Configure VLANIF interfaces on Router.

# Create VLANIF 10 and configure the primary IP address of 10.1.1.1/24 and secondary IP
address of 10.1.2.1/24 for VLANIF 10, and create VLANIF 20 and configure the IP address
of 10.10.10.1/24 for VLANIF 20.
[Router-Vlanif10] ip address 10.1.2.1 24 sub
Step 3 Configure a routing protocol.

# Configure basic OSPF functions and configure OSPF to advertise network segments of
hosts and the network segment between the Router and Router_1.
[Router] ospf
[Router-ospf-1] area 0
[Router-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[Router-ospf-1-area-0.0.0.0] quit
[Router-ospf-1] quit
NOTE
Perform the following configurations on the Router_1:

l Add the interface connected to the Router to VLAN 20 in tagged mode and specify an IP address
for VLANIF 20 on the same network segment as 10.10.10.1.
l Configure basic OSPF functions and configure OSPF to advertise the network segment between
the Router and Router_1.
For details, see the router documentation.

# Configure the IP address of 10.1.1.2 and default gateway address of 10.1.1.1/24 (primary IP
address of VLANIF 10) for Host1; configure the IP address of 10.1.2.2 and default gateway
address of 10.1.2.1/24 (secondary IP address of VLANIF 10) for Host2.
# After the configuration is complete, Host1 and Host2 can ping each other successfully, and
they can ping 10.10.10.2/24, IP address of the router interface connected to the Router. That
is, they can access the Internet.
----End
Configuration Files
#
sysname Router
#
vlan batch 10 20

#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
ip address 10.1.2.1 255.255.255.0 sub
#
interface Vlanif20
ip address 10.10.10.1 255.255.255.0
#
#
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.10.10.0 0.0.0.255
#
return
3.8.5 Example for Configuring a Traffic Policy to Implement

Inter-VLAN Layer 3 Isolation
As shown in Figure 3-23, to ensure communication security, a company assigns visitors,
employees, and servers to VLAN 10, VLAN 20, and VLAN 30 respectively. The
requirements are as follows:
l Employees, visitors, and servers can access the Internet.
l Visitors can access only the Internet, and cannot communicate with employees in any
other VLANs.
l Employee A can access all resources in the server area, and other employees can access
port 21 (FTP service) of server A.

Figure 3-23 Configuring a traffic policy to implement inter-VLAN Layer 3 isolation
Internet
Router
VLANIF100
Eth2/0/4 10.1.100.1/24
Eth2/0/1 Eth2/0/3
Router_4 Eth2/0/2
Eth2/0/2 Eth2/0/3 Eth2/0/2

Router_1 Router_2 Router_3
Eth2/0/1 Eth2/0/1 Eth2/0/2 Eth2/0/1
Visitor Employee Server
area area area
Visitor A Employee A Employee B Server A
10.1.1.2/24 10.1.2.2/24 10.1.2.3/24 10.1.3.2/24
VLAN10 VLAN20 VLAN30
1. Create VLANs and add interfaces to the VLANs to implement Layer 2 isolation of
visitors, employees, and servers.
2. Configure VLANIF interfaces and assign IP addresses to them to implement Layer 3
connectivity between employees, servers, and visitors.
3. Configure a routing protocol so that visitors, employees, and servers can access the
Internet through the Router.
4. Configure and apply a traffic policy so that employee A can access all resources in the
server area, other employees can access only port 21 (FTP service) of server A,
employees can access only servers, and visitors can access only the Internet.
Procedure
Step 1 Create VLANs and add interfaces to the VLANs to implement Layer 2 isolation of visitors,
employees, and servers.
# Create VLAN 10 on Router_1, add Eth2/0/1 to VLAN 10 in untagged mode and Eth2/0/2 to
VLAN 10 in tagged mode. The configurations of Router_2 and Router_3 are similar to the
configuration of Router_1, and are not mentioned here.
[Router_1] vlan batch 10


[Router_1-Ethernet2/0/1] port link-type access
[Router_1-Ethernet2/0/1] port default vlan 10
# Create VLAN 10, VLAN 20, VLAN 30, and VLAN 100 on Router_4, and add Eth2/0/1-
Eth2/0/4 to VLAN 10, VLAN 20, VLAN 30, and VLAN 100 in tagged mode.
[Router_4] vlan batch 10 20 30 100
Step 2 Configure VLANIF interfaces and assign IP addresses to them to implement Layer 3
connectivity between employees, servers, and visitors.
# On Router_4, Create VLAN 10, VLAN 20, VLAN 30, and VLAN 100 and assign IP
addresses of 10.1.1.1/24, 10.1.2.1/24, 10.1.3.1/24, and 10.1.100.1/24 to them respectively.
Step 3 Configure a routing protocol so that visitors, employees, and servers can access the Internet
through the Router.
# Configure basic OSPF functions on Router_4 and configure OSPF to advertise network
segments of hosts and the network segment between Router_4 and the router.
[Router_4] ospf
[Router_4-ospf-1] quit

NOTE
Perform the following configurations on the Router:

l Add the interface connected to the Router to VLAN 100 in tagged mode and specify an IP address
for VLANIF 100 on the same network segment as 10.1.100.1.
l Configure basic OSPF functions and configure OSPF to advertise the network segment between
the Router and router_4.
For details, see the router documentation.
Step 4 Configure and apply a traffic policy to control access of employees, visitors, and servers.
1. Configure ACLs to define flows.
# Configure ACL 3000 on Router_4 to prevent visitors from accessing employees' PCs
and servers.
[Router_4] acl 3000
[Router_4-acl-adv-3000] rule deny ip destination 10.1.2.1 0.0.0.255
[Router_4-acl-adv-3000] quit
# Configure ACL 3001 on Router_4 so that employee A can access all resources in the
server area and other employees can access only port 21 of server A.
[Router_4] acl 3001
[Router_4-acl-adv-3001] rule permit tcp destination 10.1.3.2 0 destination-
port eq 21
[Router_4-acl-adv-3001] rule permit ip source 10.1.2.2 0 destination 10.1.3.1
0.0.0.255
[Router_4-acl-adv-3001] quit
2. Configure traffic classifiers to differentiate different flows.

# Configure traffic classifiers c_custom, and c_staff on Router_4 and reference ACLs
3000, and 3001 in the traffic classifiers respectively.
[Router_4] traffic classifier c_custom
[Router_4-classifier-c_custom] if-match acl 3000
[Router_4-classifier-c_custom] quit
[Router_4] traffic classifier c_staff
[Router_4-classifier-c_staff] if-match acl 3001
[Router_4-classifier-c_staff] quit
3. Configure a traffic behavior and define an action.

# Configure a traffic behavior named b1 on Router_4 and define the permit action.
[Router_4] traffic behavior b1
[Router_4-behavior-b1] permit
[Router_4-behavior-b1] quit
4. Configure traffic policies and associate traffic classifiers with the traffic behavior in the
traffic policies.
# Create traffic policies p_custom, and p_staff on Router_4, and associate traffic
classifiers c_custom, and c_staff with traffic behavior b1.
[Router_4] traffic policy p_custom
[Router_4-trafficpolicy-p_custom] classifier c_custom behavior b1
[Router_4-trafficpolicy-p_custom] quit
[Router_4] traffic policy p_staff
[Router_4-trafficpolicy-p_staff] classifier c_staff behavior b1
[Router_4-trafficpolicy-p_staff] quit
5. Apply the traffic policies to control access of employees, visitors, and servers.
# On Router_4, apply traffic policies p_custom, and p_staff in the inbound direction of
VLANIF 10, and VLANIF 20 respectively.
[Router_4-Vlanif10] traffic-policy p_custom inbound

[Router_4-Vlanif20] traffic-policy p_staff inbound

# Configure the IP address of 10.1.1.2 and default gateway address of 10.1.1.1/24 (VLANIF
10's IP address) for visitor A; configure the IP address of 10.1.2.2 and default gateway
address of 10.1.2.1/24 (VLANIF 20's IP address) for employee A; configure the IP address of
10.1.2.3 and default gateway address of 10.1.2.1/24 (VLANIF 20's IP address) for employee
B; configure the IP address of 10.1.3.2 and default gateway address of 10.1.3.1/24 (VLANIF
30's IP address) for server A.
# After the configuration is complete, the following situations occur:
l Visitor A fails to ping employee A or server A, and employee A and server A fail to ping
visitor A.
l Employee A can successfully ping server A. That is, employee A can use server A and
the FTP service of server A.
l Employee B fails to ping server A, and can only use the FTP service of server A.
l Visitors, employees A and B, server A all can ping 10.1.100.2/24, IP address of the
router interface connected to Router_4. That is, they can access the Internet.
----End
Configuration Files
#
sysname Router_1
#
vlan batch 10
#
#
#
return

#
sysname Router_2
#
vlan batch 20
#
#
#
#
return


#
sysname Router_3
#
vlan batch 30
#
#
#
return

#
sysname Router_4
#
vlan batch 10 20 30 100
#
acl number 3000
rule 5 deny ip destination 10.1.2.0 0.0.0.255
acl number 3001
rule 5 permit tcp destination 10.1.3.2 0 destination-port eq ftp
rule 10 permit ip source 10.1.2.2 0 destination 10.1.3.0 0.0.0.255
#
traffic classifier c_custom operator and
if-match acl 3000
traffic classifier c_staff operator and
if-match acl 3001
#
traffic behavior b1
permit
#
traffic policy p_custom
classifier c_custom behavior b1
traffic policy p_staff
classifier c_staff behavior b1
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
traffic-policy p_custom inbound
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
traffic-policy p_staff inbound
#
interface Vlanif30
ip address 10.1.3.1 255.255.255.0
#
interface Vlanif100
ip address 10.1.100.1 255.255.255.0
#
#
#
#

#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.100.0 0.0.0.255
#
return
3.8.6 Example for Configuring an mVLAN to Implement Remote

Management
As shown in Figure 3-24, users need to securely log in to the Router for remote management.
There is no idle management interface on the Router.
Figure 3-24 Configuring an mVLAN to implement remote management

10.1.1.1/24 10.10.10.2/24
IP Eth2/0/0
Network
PC Router
A management interface or VLANIF interface of an mVLAN can be used to log in to the
device for remote management. The device has no idle management interface, so the mVLAN
is used. STelnet is used to ensure login security. The configuration roadmap is as follows:
1. Configure an mVLAN on the Router and add an interface to the mVLAN.
2. Configure a VLANIF interface and assign an IP address to it on the Router.
3. Enable STelnet on the Router and configure an SSH user.
4. Log in to the Router using STelnet from a user PC.
NOTE
l The user PC needs to be configured with the software for logging in to the SSH server, key pair
generation software, and public key conversion software.
l To ensure device security, change the password periodically.
Procedure
Step 1 Configure an mVLAN and add an interface to the mVLAN.
# Create VLAN 10 on the Router and specify VLAN 10 as the mVLAN, and add Eth2/0/0 to
VLAN 10 in tagged mode.

[Router] vlan 10
[Router-vlan10] management-vlan
[Router-vlan10] quit
[Router-Ethernet2/0/0] port link-type trunk
[Router-Ethernet2/0/0] port trunk allow-pass vlan 10
Step 2 Configure a VLANIF interface and assign an IP address to the VLANIF interface.
# Create VLANIF 10 on the Router and configure the IP address of 10.10.10.2/24 for it.
Step 3 Enable the STelnet service and configure an SSH user.

1. Configure the Router to generate a local key pair.
[Router] rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is less than 2048,
It will introduce potential security risks.
Input the bits in the modulus[default = 2048]:2048
Generating keys...
........++++++++
..++++++++
............+++++++++
......+++++++++
2. Configure an SSH user.

# Configure the VTY user interface on the Router.
[Router] user-interface vty 0 14
[Router-ui-vty0-14] authentication-mode aaa
[Router-ui-vty0-14] protocol inbound ssh
[Router-ui-vty0-14] quit
# Create an SSH user named client001 on the Router and configure password
authentication.
[Router] aaa
[Router-aaa] local-user client001 password irreversible-cipher Huawei@123
[Router-aaa] local-user client001 privilege level 3
[Router-aaa] local-user client001 service-type ssh
[Router-aaa] quit
[Router] ssh user client001 authentication-type password
3. Enable the STelnet service.

# Enable the STelnet service on the Router.
[Router] stelnet server enable
# Configure the STelnet service for SSH user client001.

[Router] ssh user client001 service-type stelnet
NOTE
The PC connects to Router through the intermediate device. The intermediate device needs to
transparently transmit packets from mVLAN 10 and has a route from 10.1.1.1/24 to 10.10.10.2/24.

# After the configuration is complete, the user can log in to the Router from the PC using
password authentication.

# Run the Putty software on the user PC. The dialog box shown in Figure 3-25 is displayed.
Enter 10.10.10.2 (IP address of the Router) and select SSH.
Figure 3-25 Configuring an mVLAN to implement remote management
# Click Open. On the page that is displayed on the Router, enter the user name and password,
and press Enter.
login as: client001
SSH server: User Authentication
Using keyboard-interactive authentication.
Password:
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
The current login time is 2014-02-25 05:45:41+00:00.
<Router>
# The user can successfully log in to the Router for remote management.
----End
Configuration Files
#
sysname Router
#
vlan batch 10

#
vlan 10
management-vlan
#
aaa
local-user client001 password irreversible-cipher %^%#EqZEVTq=/
@T2XM0q0W{Ec[Fs2@&4YII@-=(lbr[K>4Dq76]3#BgqMOAxu^%$%^%#
local-user client001 privilege level 3
local-user client001 service-type ssh
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
#
user-interface vty 0 14
authentication-mode aaa
#
return
3.9 Troubleshooting VLANs
3.9.1 A VLANIF Interface Fails to Be Created
Fault Symptom
When a user attempts to create a VLANIF interface, the system displays an error message. As
a result, the VLANIF interface fails to be created.
Procedure
Step 1 Check the error message during VLANIF interface creation.
Rectify the fault according to the error message. See Table 3-5.
Table 3-5 Fault rectification according to the error message
Message Cause Analysis and Solution

Check Method
Error: The VLAN does not exist. The VLAN is not created Run the vlan vlan-id
on the device. command to create a
Run the display vlan VLAN corresponding to
summary command to the VLANIF interface and
check whether the value then create a VLANIF
of the static vlan field is interface.
the VLAN corresponding
to the VLANIF interface.

Message Cause Analysis and Solution

Check Method
Error: The VLAN is used by The VLAN corresponding Create a VLANIF

XXX. to the VLANIF interfaces interface corresponding to
NOTE is a dynamic, control, or another VLAN.
XXX indicates a feature, such as reserved VLAN.
SEP, or GVRP.
Run the display vlan
summary command to
check whether the value
of the dynamic vlan or
reserved vlan field is the
VLAN corresponding to
the VLANIF interface.
Step 2 If the fault persists, collect alarms and logs and contact Huawei technical support personnel.
----End
3.9.2 A VLANIF Interface Goes Down

Fault Symptom
A VLANIF interface goes Down.
Common Causes and Solutions

Table 3-6 describes common causes and solutions.

Table 3-6 Common causes and solutions
Common Cause Solution
The interface is not added to the VLAN. Run the following commands as required.
NOTE l Run the port default vlan vlan-id
l The port trunk pvid vlan vlan-id command command in the interface view to add an
only configures the PVID on a trunk access interface to a VLAN.
interface, but does not add a trunk interface
to a VLAN. l Run the port trunk allow-pass vlan
{ { vlan-id1 [ to vlan-id2 ] }&<1-10> |
l The port hybrid pvid vlan vlan-id command
only configures the PVID on a hybrid all } command in the interface view to
interface, but does not add a hybrid interface add a trunk interface to a VLAN.
to a VLAN. l You can add a hybrid interface to a
VLAN in tagged or untagged mode.
– Run the port hybrid tagged vlan
{ { vlan-id1 [ to vlan-id2 ] }&<1-10>
| all } command to add a hybrid
interface to a VLAN in tagged mode.
– Run the port hybrid untagged vlan
{ { vlan-id1 [ to vlan-id2 ] }&<1-10>
| all } command to add a hybrid
interface to a VLAN in untagged
mode.
The physical status of all interfaces added to Rectify this fault. A VLANIF interface goes
the VLAN is Down. Up as long as one interface in the VLAN is
Up.
No IP address is assigned to the VLANIF Run the ip address command in the

interface. VLANIF interface view to assign an IP
address to the VLANIF interface.
The VLANIF interface is shut down. Run the undo shutdown command in the
VLANIF interface view to start the
VLANIF interface.
3.9.3 Users in a VLAN Cannot Communicate
Fault Symptom
Users in a VLAN cannot communicate.
Procedure
Step 1 Check that the interfaces connected to user terminals are in Up state.
Run the display interface interface-type interface-number command in any view to check the
status of the interfaces.
l If the interface is Down, rectify the interface fault.

l If the interface is Up, go to Step 2.

Step 2 Check whether the IP addresses of user terminals are on the same network segment. If they
are on different network segments, change the IP addresses of the user terminals to be on the
same network segment. If the fault persists, go to Step 3.
Step 3 Check that the MAC address entry is correct.
Run the display mac-address command on the Router to check whether MAC addresses,
interfaces, and VLANs in the learned MAC address entries are correct. If the learned MAC
address entries are incorrect, run the undo mac-address mac-address vlan vlan-id command
in the system view to delete MAC address entries so that the Router can learn MAC address
entries again.
After the MAC address table is updated, check the MAC address entries again.
l If the MAC address entries are incorrect, go to Step 4.
l If the MAC address entries are correct, go to Step 5.
Step 4 Check that the VLAN is properly configured.
Check the VLAN configuration according to the following table.
Check Item Method
Whether the Run the display vlan vlan-id command in any view to check whether
VLAN has been the VLAN has been created. If not, run the vlan command in the
created system view to create the VLAN.
Whether the Run the display vlan vlan-id command in any view to check whether
interfaces are the VLAN contains the interfaces. If not, add the interfaces to the
added to the VLAN.
VLAN NOTE
If the interfaces are located on different devices, add the interfaces connecting
the devices to the VLAN.
The default type of an interface is Hybrid. You can run the port link-type
command to change the link type of an interface.
l Add an access interface to the VLAN by using either of the
following methods:
– Run the port default vlan command in the interface view.
– Run the port command in the VLAN view.
l Add a trunk interface to the VLAN.
Run the port trunk allow-pass vlan command in the interface
view.
l Add a hybrid interface to the VLAN by using either of the
following methods:
– Run the port hybrid tagged vlan command in the interface
view.
– Run the port hybrid untagged vlan command in the interface
view.

Check Item Method
Whether Correctly connect user terminals to device interfaces.

connections
between interfaces
and user terminals
are correct
After the preceding operations, if the MAC address entries are correct, go to Step 5.
Step 5 Check whether port isolation is configured.
Run the interface interface-type interface-number command in the system view to enter the
interface view, and then run the display this command to check whether port isolation is
configured on the interface.
l If port isolation is not configured, go to Step 6.
l If port isolation is configured, run the undo port-isolate enable command on the
interface to disable port isolation. If the fault persists, go to Step 6.
Step 6 Check whether correct static Address Resolution Protocol (ARP) entries are configured on the
user terminals. If the static ARP entries are incorrect, modify them. Otherwise, go to Step 7.
Step 7 Collect logs and alarms and contact Huawei technical support personnel.
----End
3.9.4 Directly Connected Devices Cannot Communicate
Fault Symptom
As shown in Figure 3-26, the IP address of VLANIF 10 on Router_2 cannot be pinged from
Router_1. Similarly, the IP address of VLANIF 10 on Router_1 cannot be pinged from
Router_2.
Figure 3-26 Connected routers

Router_1 Router_2
VLANIF10
VLANIF10
Procedure
Step 1 Check whether the VLANIF interface is Up.
Run the display interface vlanif vlan-id command on Router_1 and Router_2 and check the
current state and Line protocol current state fields.
l If the value of any one of the two fields is DOWN, the VLANIF interface is Down.
Rectify this fault according to 3.9.2 A VLANIF Interface Goes Down.
l If the value of the two fields is UP, the VLANIF interface is Up. Go to Step 2.

Step 2 Check whether the connected Ethernet interfaces between devices join a VLAN.
Run the display vlan vlan-id command on Router_1 and Router_2 and check the Interface
field. Check whether the connected Ethernet interfaces exist in the VLAN.
l If the connected Ethernet interfaces do not exist in the VLAN, add the connected
Ethernet interfaces to the VLAN.
l If the connected Ethernet interfaces exist in the VLAN and at least one of them joins the
VLAN in untagged mode, change the untagged mode to tagged mode.
l If none of the preceding configurations exists, go to Step 3.
Step 3 Check whether the PVID values on the connected Ethernet interface between devices are the
same.
Run the display port vlan interface-type interface-number command on Router_1 and
Router_2 to check the PVID values.
l If the PVID values are different, change them to be the same.
l If the PVID values are the same, go to Step 4.
Step 4 Collect logs and alarms and contact Huawei technical support personnel.
----End
3.10 FAQ About VLANs
3.10.1 How to Create and Delete VLANs in a Batch

l Run the vlan batch command in the system view to create VLANs in a batch.
– Create 10 contiguous VLANs: VLANs 11 to 20.
[Huawei] vlan batch 11 to 20
– Create 10 incontiguous VLANs in a batch: VLAN 10, VLANs 15 to 19, VLAN 25,
VLANs 28 to 30.
[Huawei] vlan batch 10 15 to 19 25 28 to 30
NOTE
You can create a maximum of 10 incontiguous VLANs or VLAN range at one time. If there are
more than 10 VLANs, run this command multiple times. For example, the vlan batch 10 15 to 19
25 28 to 30 command creates four incontiguous VLAN ranges.
l Run the undo vlan batch command in the system view to delete VLANs in a batch.
– Delete VLANs 10 to 20.
[Huawei] undo vlan batch 10 to 20
3.10.2 How to Add Interfaces to a VLAN in a Batch

You can add interfaces to a VLAN in a batch using a port group, and can directly add access
interfaces to a VLAN in a batch in the system view.
l Access interface
# Add Eth2/0/1-Eth2/0/5 to VLAN 10 in a batch.
– Add interfaces to a VLAN in a batch using a port group.

[Huawei] port-group pg1
[Huawei-port-group-pg1] group-member Ethernet 2/0/1 to Ethernet 2/0/5
[Huawei-port-group-pg1] port link-type access
[Huawei-port-group-pg1] port default vlan 10
– Add interfaces to a VLAN in a batch in the VLAN view.

[Huawei] vlan 10
[Huawei-vlan10] port Ethernet 2/0/1 to 2/0/5
NOTE
Before performing this operation, configure interfaces to be added to a VLAN as access

interface.
l Trunk interface
# Add Eth2/0/1-Eth2/0/5 to VLAN 10 and VLAN 20 in a batch.
[Huawei-port-group-pg1] port link-type trunk
[Huawei-port-group-pg1] port trunk allow-pass vlan 10 20
l Hybrid interface
# Add Eth2/0/1-Eth2/0/5 to VLAN 10 and VLAN 20 in a batch.
[Huawei-port-group-pg1] port link-type hybrid
[Huawei-port-group-pg1] port hybrid tagged vlan 10
[Huawei-port-group-pg1] port hybrid untagged vlan 20
3.10.3 How to Restore the Default VLAN Configuration of an

Interface
The default VLAN configuration of an interface involves the default VLAN of the interface
and the VLAN that the interface joins. By default, the default VLAN of an interface is VLAN
1 and an interface joins VLAN 1 in untagged mode.
Run the display this command in the interface view to check the link type of the interface,
and perform the following operations to restore the default VLAN configuration of the
interface.
l Restore the default VLAN configuration of an access interface.

[Huawei-Ethernet2/0/0] undo port default vlan
l Restore the default VLAN configuration of a trunk interface.

[Huawei-Ethernet2/0/0] undo port trunk pvid vlan
[Huawei-Ethernet2/0/0] undo port trunk allow-pass vlan all
l Restore the default VLAN configuration of a hybrid interface.

[Huawei-Ethernet2/0/0] undo port hybrid pvid vlan
[Huawei-Ethernet2/0/0] undo port hybrid vlan all
[Huawei-Ethernet2/0/0] port hybrid untagged vlan 1

3.10.4 How to Change the Link Type of an Interface

The link type of an interface can be access, trunk, or hybrid. When an interface joins VLAN 1
by default and the PVID of the interface is VLAN 1, you can run the port link-type { access |
trunk | hybrid } command to change the link type of the interface.
l Change the link type of the interface to access.
[Huawei] interface Ethernet2/0/0
[Huawei-Ethernet2/0/0] port link-type access
l Change the link type of the interface to trunk.

l Change the link type of the interface to hybrid.

[Huawei-Ethernet2/0/0] port link-type hybrid
NOTE
The default VLAN configuration of an interface involves the default VLAN of the interface and the
VLAN that the interface joins. By default, the default VLAN of an interface is VLAN 1 and an interface
joins VLAN 1 in untagged mode.
Run the display this command in the interface view to check the link type of the interface, and perform
the following operations to restore the default VLAN configuration of the interface.
l Restore the default VLAN configuration of an access interface.
[Huawei] interface Ethernet 2/0/0
[Huawei-Ethernet2/0/0] undo port default vlan
l Restore the default VLAN configuration of a trunk interface.

[Huawei-Ethernet2/0/0] undo port trunk pvid vlan
[Huawei-Ethernet2/0/0] undo port trunk allow-pass vlan all
l Restore the default configuration of a hybrid interface.

[Huawei-Ethernet2/0/0] undo port hybrid pvid vlan
[Huawei-Ethernet2/0/0] undo port hybrid vlan all
3.10.5 How to Verify That an Interface Is Added to a VLAN

Run the display vlan vlan-id command and verify that the interface is listed in the command
output.
For example, interface Ethernet2/0/0 is added to VLAN 10.
<Huawei> display vlan 10
* : management-vlan
---------------------
VLAN ID Type Status MAC Learning Broadcast/Multicast/Unicast Property
--------------------------------------------------------------------------------
10 common enable enable forward forward forward default
-------------------
Untagged Port: Ethernet2/0/0
-------------------
Active Untag Port: Ethernet2/0/0
-------------------

Interface Physical
Ethernet2/0/0 UP
3.10.6 How to Rapidly Query the Link Types, Default VLANs,

and Allowed VLANs of All Interfaces
Run the display port vlan command to check the link types and default VLANs of all
interfaces.
<Huawei> display port vlan
Port Link Type PVID Trunk VLAN List
-------------------------------------------------------------------------------
Eth-Trunk1 hybrid 1 -
Eth-Trunk63 hybrid 1 -
Ethernet2/0/0 trunk 1 1-4094
Ethernet2/0/1 access 1 -
Ethernet2/0/2 hybrid 1 2-100
Ethernet2/0/3 trunk 1 1
Ethernet2/0/4 hybrid 1 -
The Link Type field indicates the link type of an interface, the PVID field indicates the
default VLAN, and the Trunk VLAN List field indicates the list of VLANs allowed by a
trunk interface or VLANs that hybrid interfaces join in tagged mode. The value is displayed
as - if the link type of the interface is access or the hybrid interface does not join the VLAN in
tagged mode.
3.10.7 Can Multiple Network Segments Be Configured in a VLAN

Hosts on multiple network segments in the same VLAN can communicate by configuring the
primary and secondary IP addresses for a VLANIF interface.
As shown in Figure 3-27, Host_1 and Host_2 in VLAN 10 belong to 10.1.1.1/24 and
10.1.2.1/24 respectively. The two hosts need to communicate.
Figure 3-27 Communication for hosts on multiple network segments in the same VLAN
Router
VLANIF10
Primagry IP: 10.1.1.1/24
Secondary IP: 10.1.2.1/24
Eth2/0/1 Eth2/0/2
VLAN10
Host_1 Host_2
10.1.1.2/24 10.1.2.2/24
Configure the Router.



[Router-Vlanif10] ip address 10.1.2.1 24 sub
After the preceding configurations are performed, Host_1 and Host_2 can communicate.

Configuration 4 VLAN Aggregation Configuration
4 VLAN Aggregation Configuration
About This Chapter
This chapter describes how to configure VLAN aggregation. VLAN aggregation implements
communication of hosts on the same network segment in different VLANs. A network can
significantly save IP addresses with VLAN aggregation technology.
4.1 Overview of VLAN Aggregation
4.2 Understanding VLAN Aggregation
4.3 Application Scenarios for VLAN Aggregation
4.4 Default Settings for VLAN Aggregation
4.5 Licensing Requirements and Limitations for VLAN Aggregation
4.6 Configuring VLAN Aggregation
4.7 Configuration Examples for VLAN Aggregation
4.8 FAQ About VLAN Aggregation
4.1 Overview of VLAN Aggregation

Definition
VLAN aggregation, also called super-VLAN, partitions a broadcast domain into multiple
VLANs (sub-VLANs) on a physical network and aggregates the sub-VLANs into a single
logical VLAN (super-VLAN). The sub-VLANs use the same IP subnet and default gateway
address.
Purpose
VLAN technology is widely applied to packet switching networks because it is capable of
flexibly controlling broadcast domains and is easy to deploy. Usually, a router uses a Layer 3
logical interface in each VLAN to allow hosts in different broadcast domains to communicate.
This wastes IP addresses. On a subnet corresponding to a VLAN, the subnet ID, directed
broadcast address, and subnet default gateway address cannot be used as IP addresses of hosts

in the VLAN. In addition, the number of hosts on a subnet may be less than the number of IP
addresses available in the subnet. These remaining IP addresses are essentially wasted
because they cannot be used by other VLANs.
As shown in Figure 4-1, VLAN 2 requires 10 host addresses. The subnet 10.1.1.0/28 with a
28-bit mask is assigned to VLAN 2, where 10.1.1.0 is the subnet ID, 10.1.1.15 is the directed
broadcast address, and 10.1.1.1 is the default gateway address. Hosts cannot use these three
addresses, but the other 13 addresses ranging from 10.1.1.2 to 10.1.1.14 are available to them.
VLAN 2 requires only 10 IP addresses, the remaining 3 IP addresses cannot be used by other
VLANs and are wasted. If more VLANs are added, more IP addresses will be wasted.
Figure 4-1 Networking of a common VLAN

Router
VLANIF2:10.1.1.1 VLANIF4:10.1.1.25
VLANIF3:10.1.1.17
VLAN2 VLAN3 VLAN4

10.1.1.0/28 10.1.1.16/29 10.1.1.24/30
VLAN aggregation is used to solve the preceding problem. VLAN aggregation maps each
sub-VLAN to a broadcast domain, associates a super-VLAN with multiple sub-VLANs, and
assigns only one IP subnet to the super-VLAN. This ensures that all sub-VLANs share the IP
address of the associated super-VLAN as the gateway IP address, effectively implementing
Layer 3 connectivity.
Sub-VLANs share one gateway address so that the number of subnet IDs, subnet default
gateway addresses, and directed broadcast IP addresses used is reduced. The switch assigns IP
addresses to hosts in sub-VLANs according to the actual number of hosts, ensuring that each
sub-VLAN is used as an independent broadcast domain to implement isolation. Therefore,
VLAN aggregation conserves IP addresses and implements flexible addressing.
4.2 Understanding VLAN Aggregation

Implementation
VLAN aggregation defines the super-VLAN and sub-VLAN. A sub-VLAN, as an
independent broadcast domain, contains only physical interfaces; a super-VLAN contains no
physical interface, and is used for creating a Layer 3 VLANIF interface. Through the mapping
between a super VLAN and sub-VLANs, VLAN aggregation associates the Layer 3 VLANIF
interface with physical interfaces so that all sub-VLANs share one gateway to communicate

with an external network. In addition, Proxy ARP is used to implement Layer 3 connectivity
between sub-VLANs. This technology isolates broadcast domains and saves IP addresses.
l Sub-VLAN: contains only physical interfaces, and is used to isolate broadcast domains.
A sub-VLAN cannot be used for creating a Layer 3 VLANIF interface. Hosts in each
sub-VLAN use the VLANIF interface of the associated super-VLAN to communicate
with external devices at Layer 3.
l Super-VLAN: is only used for creating a Layer 3 VLANIF interface and contains no
physical interface. It corresponds to the subnet gateway. Unlike a VLANIF interface that
is Up as long as a physical interface in a common VLAN is Up, a VLANIF interface in a
super-VLAN is Up as long as a physical interface in any associated sub-VLAN is Up.
A super-VLAN can contain one or more sub-VLANs. A sub-VLAN does not occupy an
independent subnet. IP addresses of hosts in any sub-VLAN of a super-VLAN belong to the
subnet corresponding to the sub-VLAN.
That is, sub-VLANs share the same gateway. VLAN aggregation reduces subnet IDs, subnet
default gateway addresses, and directed broadcast IP addresses, allows different broadcast
domains to use the same subnet address, implements flexible addressing, and conserves IP
addresses.
The network topology used in 4.1 Overview of VLAN Aggregation is used as an example.
Configure VLAN 10 as the super-VLAN, assign the subnet address 10.1.1.0/24 to VLAN 10,
and configure VLAN 2, VLAN 3, and VLAN 4 as sub-VLANs of super-VLAN 10, as shown
in Figure 4-2.
Figure 4-2 Networking of VLAN aggregation

Router Super-VLAN10
VLANIF10：10.1.1.1/24
Sub-VLAN2 Sub-VLAN3 Sub-VLAN4

10.1.1.2-10.1.1.11 10.1.1.12-10.1.1.16 10.1.1.17
Gateway: Gateway: Gateway:
10.1.1.1/24 10.1.1.1/24 10.1.1.1/24
Sub-VLAN 2, sub-VLAN 3, and sub-VLAN 4 share a subnet (10.1.1.1/24). The subnet ID

(10.1.1.0), default gateway address (10.1.1.1), and directed broadcast address of the subnet
(10.1.1.255) cannot be used as host IP addresses. VLAN aggregation allows the device to
assign IP addresses to hosts in sub-VLANs according to the actual number of hosts. For
example, when sub-VLAN 2 requires 10 addresses, 10.1.1.2-10.1.1.11 are assigned to sub-
VLAN 2.

Communications Between Sub-VLANs

VLAN aggregation allows different sub-VLANs to use IP addresses on the same network
segment, but cannot implement Layer 3 forwarding between sub-VLANs. Hosts in different
common VLANs can communicate with each other at Layer 3 through their respective
gateways. In a super-VLAN, hosts in all sub-VLANs use IP addresses on the same network
segment and share the gateway address, so the hosts in different sub-VLANs implement only
Layer 2 forwarding but not Layer 3 forwarding through a gateway. In practice, hosts in
different sub-VLANs are isolated at Layer 2. As a result, sub-VLANs are unable to
communicate with each other.
To address this issue, configure proxy ARP.
NOTE
For details about proxy ARP, see Proxy ARP in Huawei AR Series Access Routers Configuration Guide
- IP Services.
The networking in Figure 4-2 is used as an example. Assuming that Host_1 in sub-VLAN 2
needs to communicate with Host_2 in sub-VLAN 3, enable proxy ARP on the VLANIF
interface of super-VLAN 10, as shown in Figure 4-3.
Figure 4-3 Using proxy ARP to implement Layer 3 communication between sub-VLANs
Super-VLAN10
Router VLANIF10：10.1.1.1/24
Proxy ARP
Host_1 Host_2 Host_3

Sub-VLAN2 Sub-VLAN3 Sub-VLAN4
10.1.1.2/24 10.1.1.12/24 10.1.1.17/24
Host_1 in sub-VLAN 2 communicates with Host_2 in sub-VLAN 3 as follows (assume that

the ARP table of Host_1 in sub-VLAN 2 has no entry of Host_2 in sub-VLAN 3):
1. Host_1 in sub-VLAN 2 compares the IP address of Host_2 in sub-VLAN 3 with its IP
address, and finds that both IP addresses are on the same network segment 10.1.1.0/24.
However, the ARP table of Host_1 in sub-VLAN 2 has no entry of Host_2 in sub-VLAN
3.
2. Host_1 in sub-VLAN 2 broadcasts an ARP Request packet with the destination IP
address of 10.1.1.12 to request the MAC address of Host_2 in sub-VLAN 3.
3. The Router (gateway) is enabled with proxy ARP between sub-VLANs. After receiving
the ARP Request packet from Host_1 in sub-VLAN 2, the Router searches its routing
table for the destination IP address in the ARP Request packet. The Router finds a
matched route in which the next hop address is the directly connected network segment

(10.1.1.0/24 of VLANIF 10), and broadcasts an ARP Request packet to all sub-VLANs
in super-VLAN 10, requesting the MAC address of Host_2 in sub-VLAN 3.
4. After receiving the ARP Request packet, Host_2 in sub-VLAN 3 sends an ARP Reply
packet.
5. After receiving the ARP Reply packet, the Router encapsulates its MAC address into the
ARP Reply packet and sends it to Host_1 in sub-VLAN 2.
6. Subsequent packets sent by Host_1 in sub-VLAN 2 to Host_2 in sub-VLAN 3 are first
sent to the gateway. The gateway then performs Layer 3 forwarding.
The packets sent by Host_2 in sub-VLAN 3 to Host_1 in sub-VLAN 2 are processed in the
same way as the packets sent by Host_1 in sub-VLAN 2 to Host_2 in sub-VLAN 3.
Layer 3 Communication Between Hosts in Sub-VLANs and on an External

Network
The networking in Figure 4-4 is used as an example to describe the communication between
hosts in Sub-VLANs and on an external network.
As shown in Figure 4-4, user hosts and servers are on different network segments, sub-
VLANs 2 to 4 and VLAN 10 are configured on Router_1, and VLAN 10 and VLAN 20 are
configured on Router_2.
Figure 4-4 Layer 3 communication between hosts in sub-VLANs and on an external network
Router_2 VLANIF20
10.1.2.1/24
VLANIF10
10.1.10.2/24
Server
10.1.2.2/24
VLANIF10
10.1.10.1/24
Super-VLAN4
Router_1 VLANIF4
10.1.1.1/24
Host_1 Host_2
Sub-VLAN2 Sub-VLAN3
10.1.1.2/24 10.1.1.12/24
When Host_1 in sub-VLAN 2 wants to communicate with the server connected to Router_2,
the packet forwarding process is as follows (assume that a route to 10.1.2.0/24 has been
configured on Router_1, a route to 10.1.1.0/24 has been configured on Router_2, and no
Layer 3 forwarding entry exists on the two devices):
1. Host_1 compares the server's IP address (10.1.2.2) with its network segment 10.1.1.0/24
and finds that they are on different network segments. Host_1 then sends an ARP
Request packet to its gateway to request the gateway's MAC address. The ARP Request
packet carries an all-F destination MAC address and destination IP address 10.1.1.1.

2. After receiving the ARP Request packet, Router_1 searches the mapping between the
super-VLAN and sub-VLANs. Router_1 then sends an ARP Reply packet with the MAC
address of VLANIF 4 (corresponding to super-VLAN 4) from an interface of sub-VLAN
2 to Host_1.
3. After learning the gateway's MAC address, Host_1 sends a packet with the destination
MAC address as the MAC address of VLANIF 4 (corresponding to super-VLAN 4) and
destination IP address of 10.1.2.2.
4. After receiving the packet from Host_1, Router_1 determines that the packet should be
forwarded at Layer 3 according to the mapping between the super-VLAN and sub-
VLANs and destination MAC address. Router_1 searcher its Layer 3 forwarding table
for a matching entry, but no entry is found. Router_1 sends the packet to the CPU, and
the CPU searches its routing table and obtains the next hop address of 10.1.10.2 and the
outbound interface of VLANIF 10. Router_1 determines the outbound interface
according to the ARP entry and MAC address entry, and sends the packet to Router_2.
5. Router_2 sends the packet to server according to the Layer 3 forwarding process.
After receiving the packet from Host_1, the server sends a response packet with the
destination IP address of 10.1.1.2 and destination MAC address as the MAC address of
VLANIF 20 on the Router_2. The process is as follows:
1. The response packet reaches Router_1 according to the Layer 3 forwarding process.
When the response packet reaches Router_1, the destination MAC address is changed to
the MAC address of VLANIF 10 on Router_1.
2. After receiving the packet, Router_1 determines that the packet should be forwarded at
Layer 3 according to the destination MAC address. Router_1 searcher its Layer 3
forwarding table for a matching entry, but no entry is found. Router_1 sends the packet
to the CPU, and the CPU searches its routing table and obtains the next hop address of
10.1.1.2 and the outbound interface of VLANIF 4. Router_1 searches the mapping
between the super-VLAN and sub-VLANs and determines that the packet should be sent
to Host_1 from an interface in sub-VLAN 2 according to the ARP entry and MAC
address entry.
3. The response packet reaches Host_1.
Layer 2 Communication Between Hosts in Sub-VLANs and Other Devices

The networking in Figure 4-5 is used as example to describe Layer 2 communication between
hosts in sub-VLANs and other devices. Sub-VLAN 2, sub-VLAN 3, and super-VLAN 4 are
configured on Router_1; IF_1 and IF_2 on Router_1 are access interfaces; IF_3 is a trunk
interface that allows VLAN 2 and VLAN 3; the interface of Router_2 connected to Router_1
is a trunk interface and allows VLAN 2 and VLAN 3.

Figure 4-5 Layer 2 communication between hosts in sub-VLANs and on an external network
Internet
Router_2
Trunk IF_1
Allowed VLAN=2,3 IF_3
Super-VLAN4
Router_1 VLANIF4
10.1.1.1/24
IF_1 IF_2
Host_1 Host_2
Sub-VLAN2 Sub-VLAN3
10.1.1.2/24 10.1.1.12/24
The tag with VLAN 2 is added to packets sent from Host_1 to Router_1. Although sub-
VLAN 2 belongs to super-VLAN 4, Router_1 does not change the tag with VLAN 2 to the
tag with VLAN 4 in packets. That is, packets sent from IF_3 of Router_1 still carry VLAN 2.
Router_1 itself does not send packets from VLAN 4. When another device sends packets from
VLAN 4 to Router_1, Router_1 discards the packets because there is no physical interface
corresponding to super-VLAN 4 on Router_1. Actually, IF_3 on Router_1 does not allow
packets from super-VLAN 4. For other devices, only sub-VLAN 2 and sub-VLAN 3 are
valid, and all packets are exchanged in the VLANs.
The communication between Router_1 configured with VLAN aggregation and other devices
is similar to normal Layer 2 communication without using the super-VLAN, and is not
described here.
4.3 Application Scenarios for VLAN Aggregation

As shown in Figure 4-6, a company has many departments. To improve service security, the
company adds different departments to different VLANs. All departments want to access the
Internet; department 1 and department 2 need to communicate with each other; department 3
and department 4 need to communicate with each other; IP addresses of the company are
limited.

Internet
Router
Proxy ARP
L2 switch L2 switch L2 switch L2 switch
Super-VLAN2 Super-VLAN3
Sub-VLAN Sub-VLAN Sub-VLAN Sub-VLAN

21 22 31 32
Department1 Department2 Department3 Department4
VLAN aggregation can be deployed to meet the preceding requirements. Deploy super-
VLAN 2 and super-VLAN 3 on the router, and add sub-VLAN 21 and sub-VLAN 22 to
super-VLAN 2 and sub-VLAN 31 and sub-VLAN 32 to super-VLAN 3. After IP addresses
are assigned to super-VLAN 2 and super-VLAN 3 on the router, users in department 1 and
department 2 can access the Internet using the IP address of super-VLAN 2, and users in
department 3 and department 4 can access the Internet using the IP address of super-VLAN 3.
VLAN aggregation implements Internet access for each department and conserves IP
addresses.
Configure proxy ARP in super-VLAN 2 and super-VLAN 3 on the router to implement
communication between department 1 and department 2, and between department 3 and
department 4.
4.4 Default Settings for VLAN Aggregation

Table 4-1 Default setting for VLAN aggregation
Super-VLAN Not configured
Proxy ARP on a VLANIF interface Disabled

corresponding to a super-VLAN

4.5 Licensing Requirements and Limitations for VLAN

Aggregation
None
VLAN aggregation is a basic feature of a router and is not under license control.
Feature Limitations
When deploying VLAN aggregation on the router, pay attention to the following:
l VLAN 1 cannot be configured as a super-VLAN.
l A physical interface cannot be added to a VLAN configured as a super-VLAN.
l A traffic policy takes effect in a super-VLAN only after the traffic policy is configured in
all sub-VLANs of the super-VLAN.
l The VLAN terminated by a sub-interface cannot be configured as a super-VLAN or sub-
VLANs.
l An IP address must have been assigned to the VLANIF interface corresponding to the
super-VLAN. Otherwise, proxy ARP cannot take effect.
4.6 Configuring VLAN Aggregation
4.6.1 Creating a Sub-VLAN
Context
In VLAN aggregation, physical interfaces can be added to a sub-VLAN but no VLANIF
interface can be created for the sub-VLAN. All the interfaces in a sub-VLAN use the same IP
address of the VLANIF interface corresponding to a super-VLAN. VLAN aggregation
reduces subnet IDs, subnet default gateway addresses, and directed broadcast IP addresses,
allows the device to assign IP addresses to hosts in sub-VLANs according to the actual
number of hosts, ensures that each sub-VLAN is used as independent broadcast domain to
implement isolation, saves IP addresses, and implements flexible addressing.
Procedure

Step 3 Run port link-type access
The link type of the interface is set to access.
Step 4 Run quit
A sub-VLAN is created and its view is displayed.
Step 6 Run port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>
An interface is added to the sub-VLAN.
----End
4.6.2 Creating a Super-VLAN
Context
A super-VLAN consists of several sub-VLANs. No physical interface can be added to a
super-VLAN, but a VLANIF interface can be configured for the super-VLAN and an IP
address can be assigned to the VLANIF interface.
NOTE
Before configuring a super-VLAN, ensure that sub-VLANs have been configured.
Procedure
A VLAN is created and the VLAN view is displayed.
The VLAN ID of a super-VLAN must be different from each sub-VLAN ID.
Step 3 Run aggregate-vlan
A super-VLAN is created.
A super-VLAN cannot contain any physical interfaces.
VLAN 1 cannot be configured as a super-VLAN.
Step 4 Run access-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
A sub-VLAN is added to a super-VLAN.
Before adding sub-VLANs to a super-VLAN, ensure that these sub-VLANs are not
configured with VLANIF interfaces.
----End

4.6.3 Configuring a VLANIF Interface Corresponding to a Super-

VLAN
Context
The IP address of the VLANIF interface corresponding to a super-VLAN must contain the
subnets that users in sub-VLANs belong to. All the sub-VLANs use the IP address of the
VLANIF interface corresponding to the super-VLAN, thereby saving IP addresses.
Procedure
A VLANIF interface is created for a super-VLAN, and the view of the VLANIF interface is
displayed.
Step 3 Run ip address ip-address { mask | mask-length }
An IP address is assigned to the VLANIF interface.
----End
4.6.4 (Optional) Enabling Proxy ARP on the VLANIF Interface

Corresponding to a Super-VLAN
Context
VLAN aggregation allows sub-VLANs to use the same subnet address, but prevents PCs in
different sub-VLANs from communicating with each other at the network layer.
PCs in common VLANs can communicate with each other at the network layer using
different gateway addresses. VLAN aggregation enables PCs in a super-VLAN to use the
same subnet address and gateway address. Because PCs in different sub-VLANs belong to
one subnet, they communicate with each other only at Layer 2 but not Layer 3. These PCs are
isolated from each other at Layer 2. Consequently, PCs in different sub-VLANs cannot
Proxy ARP is required to enable PCs in a sub-VLAN to communicate with PCs in another
sub-VLAN or PCs on other networks. After a super-VLAN and its VLANIF interface are
created, proxy ARP must be enabled to allow the super-VLAN to forward or process ARP
Request and Reply packets. Proxy ARP allows PCs in sub-VLANs to communicate with each
other at the network layer.
NOTE
After proxy ARP is enabled on the VLANIF interface corresponding to a super-VLAN, hosts in all sub-
VLANs of the super-VLAN can communicate.
VLAN aggregation simplifies configurations for the network where many VLANs are
configured and PCs in different VLANs need to communicate with each other.

Procedure
The view of the VLANIF interface corresponding to the super-VLAN is displayed.
Step 3 Run arp-proxy inter-sub-vlan-proxy enable
Proxy ARP is enabled between sub-VLANs.
----End
4.6.5 Verifying the VLAN Aggregation Configuration

Procedure
l Run the display vlan [ { vlan-id | vlan-name vlan-name } [ verbose ] ] command to
check information about all VLANs or a specified VLAN.
l Run the display interface vlanif [ vlan-id ] command to check the VLANIF interface
configuration.
l Run the display sub-vlan [ vlan-id ] command to check the sub-VLAN configuration.
l Run the display super-vlan [ vlan-id ] command to check the super-VLAN
configuration.
----End
4.7 Configuration Examples for VLAN Aggregation
4.7.1 Example for Configuring VLAN Aggregation

As shown in Figure 4-7, a company has many departments on the same network segment. To
improve service security, the company adds different departments to different VLANs. VLAN
2 and VLAN 3 belong to different departments. Each department wants to access the Internet,
and PCs in different departments need to communicate to meet service requirements.

Internet
Router
Eth2/0/1
VLAN10
RouterB Super-VLAN 4
Eth2/0/5
Eth2/0/5
RouterA
Eth2/0/1 Eth2/0/4
Eth2/0/2 Eth2/0/3
VLAN2 VLAN3
Configure VLAN aggregation on RouterB to add VLANs of different departments to a super-
VLAN so that PCs in different departments can access the Internet using the super-VLAN.
Deploy proxy ARP in the super-VLAN so that PCs in different departments can
communicate. The configuration roadmap is as follows:
1. Configure VLANs and interfaces on RouterA and RouterB, add PCs of different
departments to different VLANs, and configure interfaces to transparently transmit
packets from VLANs to RouterB.
2. Configure a super-VLAN, a VLANIF interface, and a static route on RouterB so that
PCs in different departments can access the Internet.
3. Configure proxy ARP in the super-VLAN on RouterB so that PCs in different
departments can communicate at Layer 3.
Procedure
Step 1 Configure VLANs and interfaces on RouterA and RouterB, add PCs of different departments
to different VLANs, and configure interfaces to transparently transmit packets from VLANs
to RouterB.
1. Configure RouterA.
# Configure Eth2/0/1 as an access interface. The configurations of Eth2/0/2, Eth2/0/3,
and Eth2/0/4 are similar to the configuration of Eth2/0/1, and are not mentioned here.

# Create VLAN 2 and add Eth2/0/1 and Eth2/0/2 to VLAN 2.

[RouterA] vlan 2
[RouterA-vlan2] port ethernet 2/0/1 2/0/2
[RouterA-vlan2] quit
# Create VLAN 3 and add Eth2/0/3 and Eth2/0/4 to VLAN 3.

[RouterA] vlan 3
[RouterA-vlan3] port ethernet 2/0/3 2/0/4
# Configure the interface of RouterA connected to RouterB to transparently transmit

packets from VLAN 2 and VLAN 3 to RouterB.
[RouterA-Ethernet2/0/5] port trunk allow-pass vlan 2 3
2. Configure RouterB.
# Create VLAN 2, VLAN 3, VLAN 4, and VLAN 10 and configure the interface of
RouterB connected to RouterA to transparently transmit packets from VLAN 2 and
VLAN 3 to RouterB.
[RouterB] vlan batch 2 3 4 10
[RouterB-Ethernet2/0/5] port link-type trunk
[RouterB-Ethernet2/0/5] port trunk allow-pass vlan 2 3
Step 2 Configure a super-VLAN and a VLANIF interface corresponding to the super-VLAN.

# Configure super-VLAN 4 on RouterB and add VLAN 2 and VLAN 3 to super-VLAN 4 as
sub-VLANs.
[RouterB] vlan 4
[RouterB-vlan4] aggregate-vlan
[RouterB-vlan4] access-vlan 2 to 3
[RouterB-vlan4] quit
# Create and configure VLANIF 4 so that PCs in different departments can access the Internet
using super-VLAN 4.
[RouterB] interface vlanif 4
[RouterB-Vlanif4] ip address 10.1.1.1 255.255.255.0
[RouterB-Vlanif4] quit
Step 3 Configure a static route.

# Configure the uplink interface Eth2/0/1 on RouterB to transparently transmit packets from
the VLAN that RouterB and router belong to.
[RouterB-Ethernet2/0/1] port trunk allow-pass vlan 10
# Create and configure VLANIF 10 and specify the IP address of VLANIF 10 as the IP
address for connecting RouterB and the router (egress gateway).
[RouterB-Vlanif10] ip address 10.10.1.1 255.255.255.0
# Configure a static route to the router on RouterB so that PCs can access the Internet.
[RouterB] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2

Step 4 Assign IP addresses to PCs.

Configure an IP address for each PC and make the PCs reside on the same network segment
as VLAN 4.
After the configuration is complete, PCs in each department can access the Internet, and PCs
in VLAN 2 and VLAN 3 cannot ping each other.
Step 5 Configure proxy ARP.
# Configure proxy ARP in super-VLAN 4 on RouterB so that PCs in different departments
can communicate at Layer 3.
[RouterB-Vlanif4] arp-proxy inter-sub-vlan-proxy enable

# After the configuration is complete, PCs in VLAN 2 and VLAN 3 can ping each other and
access the Internet.
----End
Configuration Files
l RouterA configuration file
#
sysname RouterA
#
vlan batch 2 to 3
#
port default vlan 2
#
port default vlan 2
#
port default vlan 3
#
port default vlan 3
#
#
return
l RouterB configuration file

#
sysname RouterB
#
vlan batch 2 to 4 10
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 10.1.1.1 255.255.255.0

arp-proxy inter-sub-vlan-proxy enable

#
interface Vlanif10
ip address 10.10.1.1 255.255.255.0
#
#
#
ip route-static 0.0.0.0 0.0.0.0 10.10.1.2
#
return
4.8 FAQ About VLAN Aggregation
4.8.1 Can a Traffic Policy Be Configured in a Super-VLAN or Sub-

VLAN to Make the Traffic Policy Take Effect
The packets received and sent by the router configured with VLAN aggregation carry sub-
VLAN tags but not super-VLAN tags, so a traffic policy must be configured in all sub-
VLANs of a super-VLAN. A traffic policy in the super-VLAN does not take effect.

Configuration 5 MUX VLAN Configuration
5 MUX VLAN Configuration
About This Chapter
This chapter describes how to configure Multiplex VLAN (MUX VLAN). MUX VLAN
allows communication between some users, and prohibits communication between other
users.
5.1 Overview of MUX VLANs
5.2 Licensing Requirements and Limitations for MUX VLANs
5.3 Default Settings for MUX VLANs
5.4 Configuring MUX VLANs
5.5 Configuration Examples for MUX VLANs
5.1 Overview of MUX VLANs

Background
The MUX VLAN function is used to control network resources based on VLANs.
For example, both enterprise employees and customers can access the servers on an enterprise
network. The enterprise allows employees to communicate with each other but prevents
customers from communicating with each other.
To allow all users to access the enterprise servers, inter-VLAN communication must be
configured. If there are a large number of users in an enterprise, VLANs need to be assigned
to the users that the enterprise wishes to restrict communication. This wastes VLAN IDs and
adds significant workload to network configuration and maintenance.
MUX VLAN meets the isolation requirements.
Basic Concepts
A MUX VLAN consists of principal VLANs and subordinate VLANs; subordinate VLANs
are classified into separate VLANs and group VLANs. See Table 5-1 for a description of
these roles.

Table 5-1 Roles in MUX VLAN

MUX VLAN VLAN Type Associated Access Authority
Interface
Principal - Principal A principal interface can

VLAN interface communicate with all interfaces in a
MUX VLAN.
Subordinate Separate Separate A separate interface can

VLAN VLAN interface communicate only with a principal
interface and is isolated from other
types of interfaces.
Each separate VLAN must be
bound to a principal VLAN.
Group VLAN Group A group interface can communicate

interface with a principal interface and the
other interfaces in the same group,
but cannot communicate with
interfaces in other groups or a
separate interface.
Each group VLAN must be bound
to a principal VLAN.
Communication in the MUX VLAN

As shown in Figure 5-1, the principal port connects to the enterprise server; the separate port
connects to enterprise customers; the group port connects to enterprise employees.
Accordingly, both enterprise customers and employees can access the enterprise server,
enterprise employees can communicate with each other, enterprise customers cannot
communicate with each other, and enterprise customers and employees cannot communicate
with each other.
Figure 5-1 MUX VLAN

Router
Principal port
Group port Separate port Enterprise

server
Enterprise Enterprise
employee customer

5.2 Licensing Requirements and Limitations for MUX

VLANs
None
MUX VLAN is a basic feature of a router and is not under license control.
Feature Limitation
When deploying MUX VLAN on the router, pay attention to the following:
Only the AR2220-S, AR2240-S, AR2220E-S, AR2240C-S, and AR3200-S series support
MUX VLAN.
Only the 8FE1GE, 24ES2GP, and 24GE cards support MUX VLAN.
l The VLAN ID assigned to a principal, group or separate VLAN cannot be used to

configure VLANIF interface, VLAN mapping, VLAN stacking, super-VLAN, or sub-
VLAN.
l Disabling MAC address learning or limiting the number of learned MAC addresses on
an interface will compromise the performance of the MUX VLAN function.
l MUX VLAN and port security cannot be configured on the same interface.
l MUX VLAN and MAC address authentication cannot be configured on the same
interface.
l MUX VLAN and 802.1x authentication cannot be configured on the same interface.
l If a DHCP server is configured in the subordinate VLAN and DHCP clients are
configured in the principal VLAN, the DHCP clients may fail to obtain IP addresses.
Therefore, when the DHCP snooping function is configured, configure the DHCP server
in the principal VLAN.
l After the MUX VLAN function is enabled on an interface, VLAN mapping or VLAN
stacking cannot be configured on the interface.
5.3 Default Settings for MUX VLANs

Table 5-2 Default setting for MUX VLANs
MUX VLAN on an interface Disabled

5.4 Configuring MUX VLANs

The MUX VLAN can implement inter-VLAN communication and intra-VLAN isolation.
5.4.1 Configuring a Principal VLAN for MUX VLAN
Context
Interfaces in a principal VLAN can communicate with other interfaces in the same MUX
VLAN.
Procedure
A VLAN is created and the VLAN view is displayed. If the VLAN already exists, the VLAN
view is displayed.
The VLAN ID ranges from 1 to 4094. To create VLANs in a batch, run the vlan batch { vlan-
id1 [ to vlan-id2 ] } &<1-10> command. Then run the vlan vlan-id command to enter the
view of a specified VLAN.
NOTE
If a device is configured with multiple VLANs, configure names for the VLANs to facilitate VLAN
management.
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run
the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
Step 3 Run mux-vlan

The VLAN is configured as a principal VLAN.
The VLAN ID assigned to a principal VLAN cannot be used to configure VLANIF interface,
VLAN mapping, VLAN stacking, super-VLAN, or sub-VLAN.
----End
5.4.2 Configuring a Group VLAN for a Subordinate VLAN
Context
A VLAN associated with a group interface is called a group VLAN. Group interfaces in a
group VLAN can communicate with each other.
Procedure

Step 2 Run vlan batch vlan-id1 [ to vlan-id2 ] &<1-10>
A VLAN to be configured as a subordinate group VLAN is created.
The view of a created principal VLAN is displayed.
Step 4 Run subordinate group { vlan-id1 [ to vlan-id2 ] } &<1-10>
The VLAN is configured as a subordinate group VLAN.
Ensure that the VLAN has been created.
A principal VLAN can be configured with a maximum of 128 subordinate group VLANs.
The VLAN ID assigned to a subordinate group VLAN cannot be used to configure a VLANIF
interface, VLAN mapping, VLAN stacking, super-VLAN, or sub-VLAN.
----End
5.4.3 Configuring a Separate VLAN for a Subordinate VLAN
Context
A VLAN associated with separate interfaces is called a separate VLAN. Interfaces in a
separate VLAN cannot communicate with each other.
Procedure
Step 2 Run vlan batch vlan-id
A VLAN to be configured as a subordinate separate VLAN is created.
The view of a created principal VLAN is displayed.
Step 4 Run subordinate separate vlan-id
The VLAN is configured as a subordinate separate VLAN.
Ensure that the VLAN has been created.
A principal VLAN can be configured with only one subordinate separate VLAN.
The subordinate group VLAN and subordinate separate VLAN of the same MUX VLAN
must be unique.
The VLAN ID assigned to a subordinate separate VLAN cannot be used to configure a

VLANIF interface, VLAN mapping, VLAN stacking, super-VLAN, or sub-VLAN.
----End

5.4.4 Enabling the MUX VLAN Function on an Interface
Context
After the MUX VLAN function is enabled on an interface, the principal VLAN and
subordinate VLAN can communicate with each other; interfaces in a group VLAN can
communicate with each other; interfaces in a separate VLAN cannot communicate with each
other.
Before enable MUX VLAN function, complete the following task:
l The port has been added to only a VLAN. If the port has been added to multiple VLANs,
the MUX VLAN function cannot be enabled on this port.
l The port has been added to a principal or subordinate VLAN in untagged mode as an
access or hybrid interface.
Procedure
Step 3 Run port mux-vlan enable
The MUX VLAN function is enabled.
NOTE
l Disabling MAC address learning or limiting the number of learned MAC addresses on an interface
will compromise the performance of the MUX VLAN function.
l MUX VLAN and port security cannot be configured on the same interface.
l MUX VLAN and MAC address authentication cannot be configured on the same interface.
l MUX VLAN and 802.1x authentication cannot be configured on the same interface.
----End
5.4.5 Verifying the MUX VLAN Configuration
Procedure
l Run the display mux-vlan command to check information about the MUX VLAN.
----End
5.5 Configuration Examples for MUX VLANs

5.5.1 Example for Configuring the MUX VLAN Function
An enterprise forbids communication between some departments and allows communication
between other departments. All employees in the enterprise are allowed to access certain
servers.
The MUX VLAN function can be configured to meet the preceding requirements. The
enterprise needs to add the servers to the principal VLAN, add the hosts that need to
communicate to a group VLAN, and add the hosts that need to be isolated to a separate
VLAN. Employing this function reduces the needed VLAN IDs.
As shown in Figure 5-2, Ethernet 2/0/1 is connected to Server A; Ethernet 2/0/2 is connected
to Host B; Ethernet 2/0/3 is connected to Host C; Ethernet 2/0/4 is connected to Host D;
Ethernet 2/0/5 is connected to Host E. To meet the preceding requirements, the enterprise
needs to perform the following configurations: configure VLAN 2 as a principal VLAN and
add Ethernet 2/0/1 to VLAN 2; configure VLAN 3 as a subordinate group VLAN and add
Ethernet 2/0/2 and Ethernet 2/0/3 to VLAN 3; configure VLAN 4 as a subordinate separate
VLAN and add Ethernet 2/0/4 and Ethernet 2/0/5 to VLAN 4.
Figure 5-2 Network diagram of MUX VLAN

VLAN2
ServerA
Eth2/0/1
Router
Eth2/0/2 Eth2/0/5
Eth2/0/3 Eth2/0/4
HostB HostC HostD HostE

VLAN3 VLAN4
1. Configure the principal VLAN.

2. Configure the group VLAN.
3. Configure the separate VLAN.

4. Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.
Procedure
Step 1 Configure the MUX VLAN function.
# Create VLAN 2, VLAN 3, and VLAN 4.
[Router] vlan batch 2 3 4
# Configure the principal and subordinate VLANs.

[Router] vlan 2
[Router-vlan2] mux-vlan
[Router-vlan2] subordinate group 3
[Router-vlan2] subordinate separate 4
[Router-vlan2] quit
# Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.
[Router-Ethernet2/0/1] port mux-vlan enable

# Server A can ping Hosts B to E. Hosts B to E can also ping Server A.
# Host B and Host C can ping each other.
# Host D and Host E cannot ping each other.
# Host B and Host C cannot ping Host D or host E. Host D and Host E cannot ping Host B or
Host C.
----End
Configuration Files
Configuration file of the Router
#
sysname Router

#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
port default vlan 2
port mux-vlan enable
#
port default vlan 3
#
port default vlan 3
#
port default vlan 4
#
port default vlan 4
#
return
5.5.2 Example for Configuring Inter-Device MUX VLAN
An enterprise forbids communication between some departments and allows communication
between other departments. All employees in the enterprise are allowed to access certain
servers.
The MUX VLAN function can be configured to meet the preceding requirements. The
enterprise needs to add the servers to the principal VLAN, add the hosts that are allowed to
communicate to a group VLAN, and add the hosts that need to be isolated to a separate
VLAN. Employing this function reduces the needed VLAN IDs.
When employees connect to servers through multiple devices, inter-device MUX VLAN can
be configured.
As shown in Figure 5-3, Ethernet2/0/1 of each Router is connected a server, Ethernet2/0/2 to
Ethernet2/0/5 are connected to PCs. The Routers use Ethernet2/0/6 to communicate with each
other. To meet the preceding requirements, the enterprise needs to perform the following
configurations on the Routers: configure VLAN 2 as a principal VLAN and add Ethernet2/0/1
to VLAN 2; configure VLAN 3 as a subordinate group VLAN and add Ethernet2/0/2 and
Ethernet2/0/3 to VLAN 3; configure VLAN 4 as a subordinate separate VLAN and add
Ethernet2/0/4 and Ethernet2/0/5 to VLAN 4. Configure Ethernet2/0/6 to allow VLAN 2,
VLAN 3, and VLAN 4 to pass through.

Figure 5-3 Network diagram of inter-device MUX VLAN

VLAN2 VLAN2
ServerA ServerB
Eth2/0/1 Eth2/0/1
Eth2/0/6 Eth2/0/6
RouterA RouterB
/3 2
Eth h2/0/4
2/0 /2
Et h2/0/
/
Eth th2/0
Eth 2/0
Et
h2
/3
Et
2/0
h
/0/
2/0
Et
E
/5
5
4
HostA HostB HostC HostD HostE HostF HostG HostH
VLAN3 VLAN4 VLAN3 VLAN4
1. Configure the principal VLAN.
2. Configure the subordinate group VLAN.
3. Configure the subordinate separate VLAN.
4. Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.
5. Configure the interfaces between RouterA and RouterB to allow the principal VLAN and
subordinate VLANs to pass through.
Procedure
Step 1 Configure the MUX VLAN function on RouterA.
[RouterA] vlan batch 2 3 4
# Configure the principal VLAN and subordinate VLANs.

[RouterA] vlan 2
[RouterA-vlan2] mux-vlan
[RouterA-vlan2] subordinate group 3
[RouterA-vlan2] subordinate separate 4
# Add Ethernet2/0/1 to Ethernet2/0/5 to VLANs and enable the MUX VLAN function on the
interfaces.


[RouterA-Ethernet2/0/1] port mux-vlan enable
# Configure Ethernet2/0/6 to allow the principal VLAN and subordinate VLANs to pass
through.
[RouterA-Ethernet2/0/6] port trunk allow-pass vlan 2 to 4
Step 2 Configure the MUX VLAN function on RouterB.

[RouterB] vlan batch 2 3 4
# Configure the principal VLAN and subordinate VLANs.

[RouterB] vlan 2
[RouterB-vlan2] mux-vlan
[RouterB-vlan2] subordinate group 3
[RouterB-vlan2] subordinate separate 4
# Add Ethernet2/0/1 to Ethernet2/0/5 to VLANs and enable the MUX VLAN function on the
interfaces.
[RouterB-Ethernet2/0/1] port link-type access
[RouterB-Ethernet2/0/1] port default vlan 2
[RouterB-Ethernet2/0/1] port mux-vlan enable


# Configure Ethernet2/0/6 to allow the principal VLAN and subordinate VLANs to pass
through.
[RouterB-Ethernet2/0/6] port trunk allow-pass vlan 2 to 4

# All the hosts can access Server A and Server B in the principal VLAN.
# Host A, Host B, Host E, and Host F in the group VLAN can communicate with each other.
# Host C, Host D, Host G, and Host H in the separate VLAN cannot communicate with each
other.
# Hosts in the group VLAN cannot communicate with hosts in the separate VLAN.
----End
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate group 3
#
port default vlan 2
#
port default vlan 3
#
port default vlan 3
#
port default vlan 4
#
port default vlan 4


#
#
return
Configuration file of RouterB
#
sysname RouterB
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate group 3
#
port default vlan 2
#
port default vlan 3
#
port default vlan 3
#
port default vlan 4
#
port default vlan 4
#
#
return

Configuration 6 VLAN Termination Configuration
6 VLAN Termination Configuration
About This Chapter
This chapter describes how to configure VLAN termination. The VLAN termination function
includes two sub-functions: Dot1q termination and QinQ termination. It implements inter-
VLAN Layer 3 connectivity on a LAN and interworking of users across an ISP network.
6.1 Overview of VLAN Termination
This section describes the definition, classification, and purpose of VLAN termination.
6.2 Application Scenarios for VLAN Termination
6.3 Summary of VLAN Termination Configuration Tasks
6.4 Default Settings for VLAN Termination
6.5 Licensing Requirements and Limitations for VLAN Termination
This section describes the product models that support VLAN termination and notes about
configuring VLAN termination.
6.6 Configuring a Dot1q Termination Sub-interface to Implement Inter-VLAN
Communication
When a router connects to users located in different VLANs through a Layer 3 Ethernet
interface, configure Dot1q termination sub-interfaces on this Layer 3 Ethernet interface to
6.7 Configuring a Dot1q Termination Sub-interface and Connecting It to an L2VPN
When users are connected through an L2VPN and each packet that CEs send to PEs carries
one VLAN tag, configure a Dot1q termination sub-interface and connect it to the L2VPN.
6.8 Configuring a Dot1q Termination Sub-interface and Connecting It to an L3VPN
6.9 Configuring a QinQ Termination Sub-interface and Connecting It to an L2VPN
double VLAN tags, configure a QinQ termination sub-interface and connect it to the L2VPN.
6.10 Configuring a QinQ Termination Sub-interface and Connecting It to an L3VPN

6.11 Configuration Examples for VLAN Termination
6.1 Overview of VLAN Termination

This section describes the definition, classification, and purpose of VLAN termination.
Definition
VLAN termination is a VLAN tag processing mechanism. After VLAN termination is
enabled on a device, the device identifies VLAN tags in received packets, removes single or
double tags from the packets, and then forwards packets at Layer 3 or takes other actions.
These VLAN tags are only useful before termination, and are not used in Layer 3 forwarding
or other processing.
A device with VLAN termination enabled processes incoming and outgoing packets as
follows:
l Removes VLAN tags from the packets received on interfaces, and then forwards the
packets at Layer 3 or takes other actions.
l Adds VLAN tags to the packets that will be sent out through interfaces.
Classification
Depending on the modes in which VLAN tagged packets are processed, VLAN termination
has the following sub-functions:
l Dot1q termination: removes the outer VLAN tag from the received single-tagged or
double-tagged packets, and adds a VLAN tag to the packets to be sent by an interface.
l QinQ termination: removes double VLAN tags from the received double-tagged packets,
and adds double VLAN tags to the packets to be sent by an interface.
Generally, VLAN termination is configured on sub-interfaces. A sub-interface that terminates
single tags in packets is called a Dot1q termination sub-interface, and a sub-interface that
terminates double tags in packets is called a QinQ termination sub-interface.
NOTE
Dot1q and QinQ VLAN tag termination sub-interfaces do not support transparent transmission of
packets that do not contain a VLAN tag, and discard received packets that do not contain a VLAN tag.
Purpose
After VLANs are assigned on a network, hosts in the same VLAN can communicate with
each other at Layer 2, whereas hosts in different VLANs cannot. You can use VLANIF
interfaces on a router to implement inter-VLAN Layer 3 connectivity. As shown in Figure
6-1, when a router uses only one Layer 3 Ethernet interface to connect to users or a network,
this interface needs to transmit packets from multiple VLANs. A VLANIF interface cannot
provide this function. You can virtualize a Layer 3 Ethernet interface into multiple logical
sub-interfaces. The Layer 3 Ethernet interface is the main interface for the logical sub-
interfaces.

Figure 6-1 Networking of configuring sub-interfaces to implement interworking
Router
Port1.1 Port1.2
VLAN Trunk
Switch
Host1 Host2 Host3 Host4

VLAN2 VLAN3
By default, a Layer 3 Ethernet sub-interface treats received VLAN packets as invalid packets
and discards them; therefore, VLAN termination needs to be configured on the Layer 3
Ethernet sub-interface so that the sub-interface can remove VLAN tags from packets.
6.2 Application Scenarios for VLAN Termination
6.2.1 Using a Dot1q Termination Sub-interface to Implement

Inter-VLAN Communication
As shown in Figure 6-2, the router connects to the switch through a Layer 3 Ethernet
interface. User hosts are assigned to VLAN 2 and VLAN 3, and need to communicate with
each other.

Figure 6-2 Using a Dot1q termination sub-interface to implement inter-VLAN

communication
Router
Port1.1 Port1.2
VLAN Trunk
Switch
Host1 Host2 Host3 Host4

VLAN2 VLAN3
Perform the following operations to implement inter-VLAN communication:

l Create sub-interfaces Port1.1 and Port1.2 on the Ethernet interface connecting Router to
Switch.
l Configure Dot1q termination on Port1.1 and Port1.2 to remove VLAN tags in packets
sent by Switch.
l Assign IP addresses to Port1.1 and Port1.2.
l Configure the IP addresses of Port1.1 and Port1.2 as the default gateway addresses for
user hosts.
After the preceding operations are performed, user hosts in VLAN 2 and VLAN 3 can
communicate at Layer 3. When a host in VLAN 2 sends packets to a host in VLAN 3, the
process is as follows:
1. Port1.1 removes the VLAN tag of the packets sent from VLAN 2 through Switch, and
forwards the packets to Port1.2 at Layer 3.
2. Before sending the packets out, Port1.2 adds VLAN 3 to the packets so that the packets
can reach user hosts in VLAN 3.
The process is reversed when a host in VLAN 3 sends packets to a host in VLAN 2.
6.2.2 Using a Dot1q Termination Sub-interface to Connect to a

VPN
Using a Dot1q Termination Sub-interface to Connect to a PWE3/VLL Network

As shown in Figure 6-3, different branches of an enterprise are interconnected through a
carrier's PWE3/VLL network. PEs serve as edge devices of the carrier's PWE3/VLL network
and connect to branch networks through sub-interfaces, and packets sent by CEs to PEs carry
one or double VLAN tags. User hosts in different branches need to communicate with each
other.

Figure 6-3 Using a Dot1q termination sub-interface to connect to a PWE3/VLL network
ISP
PE1 PWE3/VLL PE2
Port1.1 Port1.1
CE1 CE2
Branch 1 Branch 2
Single-tagged packet
Dot1q termination and PWE3/VLL are deployed on sub-interfaces of PE1 and PE2. When the
outer VLAN tag of data packets sent by CE1 to PE1 matches the Dot1q termination
configuration on Port1.1, PE1 encapsulates double MPLS labels into the packets and forwards
the packets to the carrier's PWE3/VLL network. The VLAN tags are invisible on the carrier's
PWE3/VLL network. Before sending packets, PE2 removes double MPLS labels from the
packets. PE2 then forwards the packets to CE2 according to the Dot1q termination
configuration on Port1.1. CE2 then forwards packets to user hosts to implement interworking
of different branches, and so on.
Using a Dot1q Termination Sub-interface to Connect to an L3VPN

carrier's MPLS L3VPN. PEs serve as edge devices of the carrier's MPLS L3VPN and connect
to branch networks through sub-interfaces, and packets sent by CEs to PEs carry one or
double VLAN tags. Hosts of the same services in different branches need to communicate.

Figure 6-4 Using a Dot1q termination sub-interface to connect to an L3VPN
VPN1 VPN1
Branch 1 Branch 2
CE1 CE3
PE1 PE2
Port1.1 ISP Port1.1
MPLS L3VPN
Port1.2 Port1.2
CE2 CE4
Branch 1 Branch 2
VPN2 VPN2
Dot1q termination and L3VPN are deployed on sub-interfaces of PE1 and PE2. When
receiving data packets from CE1, PE1 removes the outer VLAN tag from the packets
according to the Dot1q termination on Port1.1, binds the outer VLAN tag to the VPN instance
VPN1, and then connects to the L3VPN. After the packets reach PE2, PE2 determines that the
packets are destined for CE3 according to the VPN instance. PE2 adds the outer VLAN tag to
the packets according to the configuration of Port1.1, and then forwards the packets. The
packets then reach user hosts through CE3 to implement interworking, and so on.
6.2.3 Using a QinQ Termination Sub-interface to Connect to a

VPN
Using a QinQ Termination Sub-interface to Connect to a PWE3/VLL Network

carrier's PWE3/VLL network. PEs serve as edge devices of the carrier's PWE3/VLL network
and connect to branch networks through sub-interfaces, and packets sent by CEs to PEs carry
double VLAN tags. User hosts in different branches need to communicate with each other.

Figure 6-5 Using a QinQ termination sub-interface to connect to a PWE3/VLL network
ISP
PE1 PWE3/VLL PE2
Port1.1 Port1.1
CE1 CE2
Branch 1 Branch 2
Double-tagged packet
QinQ termination and PWE3/VLL are deployed on sub-interfaces of PE1 and PE2. When
inner and outer VLAN tags of data packets sent by CE1 to PE1 match the QinQ termination
configuration on Port1.1, PE1 encapsulates double MPLS labels into the packets and forwards
the packets to the carrier's PWE3/VLL network. The VLAN tags are invisible on the carrier's
PWE3/VLL network. Before sending packets, PE2 removes double MPLS labels from the
packets. PE2 then forwards the packets to CE2 according to the QinQ termination
configuration on Port1.1. CE2 then forwards packets to user hosts to implement interworking
of different branches, and so on.
Using a QinQ Termination Sub-interface to Connect to an L3VPN

carrier's MPLS L3VPN. PEs serve as edge devices of the carrier's MPLS L3VPN and connect
to branch networks through sub-interfaces, and packets sent by CEs to PEs carry double
VLAN tags. Hosts of the same services in different branches need to communicate.

Figure 6-6 Using a QinQ termination sub-interface to connect to an L3VPN
VPN1 VPN1
Branch 1 Branch 2
CE1 CE3
PE1 PE2
Port1.1 ISP Port1.1
MPLS L3VPN
Port1.2 Port1.2
CE2 CE4
Branch 1 Branch 2
VPN2 VPN2
QinQ termination and L3VPN are deployed on sub-interfaces of PE1 and PE2. When
receiving data packets from CE1, PE1 removes the inner and outer VLAN tags from the
packets according to the QinQ termination on Port1.1, binds the inner and outer VLAN tags
to the VPN instance VPN1, and then connects to the L3VPN. After the packets reach PE2,
PE2 determines that the packets are destined for CE3 according to the VPN instance. PE2
adds inner and outer VLAN tags to the packets according to the configuration of Port1.1, and
then forwards the packets. The packets then reach user hosts through CE3 to implement
interworking, and so on.
6.3 Summary of VLAN Termination Configuration Tasks

Table 6-1 describes the VLAN termination configuration tasks. The configuration tasks can
be performed in any sequence.
Table 6-1 VLAN termination configuration tasks

Configuration Applicable Scenario
Task
6.6 Configuring A router connects to user hosts residing in different VLANs through a
a Dot1q Layer 3 Ethernet interface, and these user hosts need to communicate
Termination with each other.
Sub-interface to
Implement
Inter-VLAN
Communication

Configuration Applicable Scenario

Task
6.7 Configuring A carrier's network provides the L2VPN service for users. PEs
a Dot1q function as user access devices and connect to CEs through sub-
Termination interfaces to access user networks. The data packets that CEs send to
Sub-interface PEs carry one VLAN tag. Interworking is required between user
and Connecting networks.
It to an L2VPN
a Dot1q function as user access devices and connect to CEs through sub-
Sub-interface PEs carry one VLAN tag. Interworking is required between user
It to an L3VPN
a QinQ function as user access devices and connect to CEs through sub-
Sub-interface PEs carry double VLAN tags. Interworking is required between user
It to an L2VPN
a QinQ function as user access devices and connect to CEs through sub-
Sub-interface PEs carry double VLAN tags. Interworking is required between user
It to an L3VPN
6.4 Default Settings for VLAN Termination
Table 6-2 Default setting for VLAN termination

Dot1q termination and QinQ termination on Not configured

each sub-interface

Termination
This section describes the product models that support VLAN termination and notes about
configuring VLAN termination.


None
VLAN termination is a basic feature of a router and is not under license control.
Feature Limitations
l Termination sub-interfaces cannot be configured on an Eth-Trunk member interface.
l You are advised to add member interfaces to an Eth-Trunk and configure termination
sub-interfaces on the Eth-Trunk in sequence. Termination sub-interfaces can be
configured successfully on an Eth-Trunk only when all series of cards where member
interfaces reside support termination sub-interfaces.
l The VLAN IDs terminated by a sub-interface cannot be created in the system view or be
displayed using a display command.
l When VLAN IDs terminated by a sub-interface are used for Layer 3 forwarding, only
the first VLAN takes effect even if multiple inner VLAN IDs are specified.
l The VLAN terminated by a sub-interface cannot be configured as a super-VLAN or sub-
VLANs.
6.6 Configuring a Dot1q Termination Sub-interface to

Implement Inter-VLAN Communication
When a router connects to users located in different VLANs through a Layer 3 Ethernet
interface, configure Dot1q termination sub-interfaces on this Layer 3 Ethernet interface to
Context
When a router connects to users on different network segments across different VLANs,
configure Dot1q termination and IP addresses for the sub-interfaces to implement Layer 3
connectivity.
NOTE
To implement inter-VLAN communication, hosts in each VLAN must use the IP address of the
corresponding sub-interface as the default gateway address.
Procedure
Step 2 Run interface interface-type interface-number.subinterface-number
The sub-interface view is displayed.
An IP address is assigned to the sub-interface.

Step 4 Run dot1q termination vid low-pe-vid

Dot1q termination is configured on the sub-interface.
Each sub-interface can only terminate one VLAN.
Sub-interfaces of different main interfaces can be associated with the same VLAN, but sub-
interfaces of the same main interface cannot be associated with the same VLAN.
Step 5 Run arp broadcast enable
ARP broadcast is enabled on the sub-interface.
When you enable or disable ARP broadcast on a sub-interface, the routing status on the sub-
interface alternates between Down and Up. This may result in route flapping on the entire
network, and affects normal operation of services.
----End
6.7 Configuring a Dot1q Termination Sub-interface and

Connecting It to an L2VPN
Before configuring a Dot1q termination sub-interface and connecting it to an L2VPN,
complete the following tasks:
l Connecting devices correctly
l Configuring VLANs to which CEs belong and basic Layer 2 forwarding so that each
packet sent from CEs to PEs carries one VLAN tag
6.7.1 Configuring a Dot1q Termination Sub-interface

Context
When a VPN connects to an ISP network through a sub-interface, the sub-interface needs to
remove VLAN tags of the packets that the VPN has sent to the ISP network. When each
packet that CEs send to PEs carries one VLAN tag, the sub-interface terminates the single
VLAN tag. This sub-interface is called Dot1q termination sub-interface.
Procedure
Step 1 On the PE device, run:
system-view

The view of the sub-interface connecting the PE to the CE is displayed.
Step 3 Run dot1q termination vid low-pe-vid [ to high-pe-vid ]

NOTE
l high-pe-vid is supported by only the AR3200-S.

l You can specify high-pe-vid only after the termination-vid batch enable command is used to
enable a sub-interface to batch terminate VLAN tags.
l The value of high-pe-vid must be greater than or equal to the value of low-pe-vid.
l When this command is executed on an Eth-Trunk sub-interface, you cannot specify high-pe-vid.
----End
6.7.2 Configuring L2VPN

After a Dot1q termination sub-interface is configured, you need to configure the virtual
private network (VPN) service on the sub-interface so that users at both ends of the L2VPN
can communicate with each other.
For details about L2VPN, see "VLL Configuration" and "VPLS Configuration" in Huawei AR
Series Access Routers Configuration Guide - VPN.
6.7.3 Verifying the Configuration of a Dot1q Termination Sub-

interface and Its Connection to an L2VPN
Procedure
l Run the display dot1q information termination [ interface interface-type interface-
number [.subinterface-number ] ] command to check dot1q termination sub-interface
information.
l Run the display vll ccc [ ccc-name | type local ] command to check CCC connection
information.
l Run the display mpls static-l2vc command to check static VC information.
l Run the display mpls l2vc command to check local VC information.
l Run the display mpls l2vc remote-info command to check remote VC information.
----End
6.8 Configuring a Dot1q Termination Sub-interface and

Before configuring a Dot1q termination sub-interface and connecting it to an L3VPN,
l Configuring VLANs to which CEs belong and basic Layer 2 forwarding so that each
packet sent from CEs to PEs carries one VLAN tag

6.8.1 Configuring a Dot1q Termination Sub-interface
Context
When a VPN connects to an ISP network through a sub-interface, the sub-interface needs to
remove VLAN tags of the packets that the VPN has sent to the ISP network. When each
packet that CEs send to PEs carries one VLAN tag, the sub-interface terminates the single
VLAN tag. This sub-interface is called Dot1q termination sub-interface.
Procedure
Step 1 On the PE device, run:
system-view

NOTE

----End

After a Dot1q termination sub-interface is configured, you need to configure the VPN service
so that users at both ends of the L3VPN can communicate with each other.
Configure L3VPN on the CE, PE, and P. For details, see BGP/MPLS IP VPN Configuration
in Huawei AR Series Access Routers Configuration Guide - VPN.
6.8.3 Verifying the Configuration of a Dot1q Termination Sub-

Procedure
number [.subinterface-number ] ] command to check dot1q termination sub-interface
information.
l Run the display ip vpn-instance [ verbose ] [ vpn-instance-name ] command to check
VPN instance information.
----End

6.9 Configuring a QinQ Termination Sub-interface and

Before configuring a QinQ termination sub-interface and connecting it to an L2VPN,
l Configuring VLANs to which CEs belong and basic Layer 2 forwarding so that packets
sent from CEs to PEs carry double VLAN tags
Procedure
6.9.1 Configuring a QinQ Sub-interface
Context
When a VPN network connects to an ISP network through a sub-interface, the sub-interface
needs to terminate VLAN tags. When data packets sent by CEs to PEs carry double VLAN
tags, the sub-interface terminates double VLAN tags. This sub-interface is called QinQ
termination sub-interface.
Procedure
Step 3 Run qinq termination pe-vid pe-vid ce-vid ce-vid1 [ to ce-vid2 ]
QinQ termination is configured on the sub-interface.
----End

For details about L2VPN, see "VLL Configuration" and "VPLS Configuration" in Huawei AR
Series Access Routers Configuration Guide - VPN.

NOTE
A QinQ termination sub-interface can be bound to a VLL that provides homogeneous or heterogeneous
transport in the following modes:
l Local CCC connection
l Remote CCC connection
l Remote SVC connection
l Remote Martini connection
6.9.3 Verifying the Configuration of a QinQ Termination Sub-

Procedure
l Run the display qinq information termination [ interface interface-type interface-
number [.subinterface-number ] ] command to check QinQ termination sub-interface
information.
l Run the display vll ccc [ ccc-name | type local ] command to check CCC connection
information.
l Run the display mpls static-l2vc command to check static VCs information.
l Run the display mpls l2vc command on the PE to check VCs information on the local
PE.
l Run the display mpls l2vc remote-info command on the PE to check the VCs
information on the remote PE.
----End
6.10 Configuring a QinQ Termination Sub-interface and

Before configuring a QinQ termination sub-interface and connecting it to an L3VPN,
l Configuring VLANs to which CEs belong and basic Layer 2 forwarding so that packets
sent from CEs to PEs carry double VLAN tags
Procedure
6.10.1 Configuring a QinQ Sub-interface

Context
When a VPN network connects to an ISP network through a sub-interface, the sub-interface
needs to terminate VLAN tags. When data packets sent by CEs to PEs carry double VLAN

tags, the sub-interface terminates double VLAN tags. This sub-interface is called QinQ
termination sub-interface.
Procedure
QinQ termination is configured on the sub-interface.
----End

After a QinQ termination sub-interface is configured, you need to configure the VPN service
so that users at both ends of the L3VPN can communicate with each other.
Configure L3VPN on the CE, PE, and P. For details, see "BGP/MPLS IP VPN Configuration"
in Huawei AR Series Access Routers Configuration Guide - VPN.
6.10.3 Verifying the Configuration of a QinQ Termination Sub-

Procedure
number [.subinterface-number ] ] command to check QinQ termination sub-interface
information.
VPN instance information.
----End
6.11 Configuration Examples for VLAN Termination
6.11.1 Example for Configuring Dot1q Termination Sub-interfaces

to Implement Inter-VLAN Communication
An enterprise's departments are located on different network segments and use the same
services such as Internet access and VoIP. To allow the departments in different VLANs to use
the same service, inter-VLAN communication must be implemented.

In the networking example shown in Figure 6-7, both department 1 and department 2 located
in different VLANs and network segments need to use the Internet access service, and users
in department 1 and department 2 need to communicate with each other.
Figure 6-7 Networking for configuring Dot1q termination sub-interfaces to implement inter-
VLAN communication
Router
GE1/0/0.1 GE2/0/0.1
10.10.10.1/24 10.10.20.1/24
Eth2/0/2 Eth2/0/2
RouterA RouterB
Eth2/0/1 Eth2/0/1
PC1 PC2
10.10.10.2/24 10.10.20.2/24
VLAN 10 VLAN 20
The configuration roadmap is as follows.
1. Configure the ID of the VLAN to which each interface belongs.
2. Configure Dot1q termination sub-interfaces.
3. Assign IP addresses to the sub-interfaces.
Procedure
Step 1 Configure VLANs on interfaces of RouterA and RouterB.
# Add the uplink interface of RouterA to VLAN 10 in tagged mode and user-side interface to
VLAN 10 in untagged mode.
[RouterA] vlan batch 10
# Add the uplink interface of RouterB to VLAN 20 in tagged mode and user-side interface to
VLAN 20 in untagged mode.

[RouterB] vlan batch 20

[RouterB] interface ethernet2/0/2
Step 2 Configure the interface on the Router connected to RouterA.

# Create and configure Ethernet sub-interface GE1/0/0.1.
[Router] interface gigabitEthernet 1/0/0.1
[Router-GigabitEthernet1/0/0.1] dot1q termination vid 10
[Router-GigabitEthernet1/0/0.1] ip address 10.10.10.1 24
[Router-GigabitEthernet1/0/0.1] arp broadcast enable
[Router-GigabitEthernet1/0/0.1] quit
Step 3 Configure the interface on the Router connected to RouterB.

# Create and configure Ethernet sub-interface GE2/0/0.1.
[Router] interface gigabitEthernet 2/0/0.1
[Router-GigabitEthernet2/0/0.1] dot1q termination vid 20
[Router-GigabitEthernet2/0/0.1] ip address 10.10.20.1 24
[Router-GigabitEthernet2/0/0.1] arp broadcast enable
[Router-GigabitEthernet2/0/0.1] quit

# On PC1 in VLAN 10, set the IP address (10.10.10.1/24) of GE1/0/0.1 as the default
gateway address.
# On PC2 in VLAN 20, set the IP address (10.10.20.1/24) of GE2/0/0.1 as the default
gateway address.
After the configuration is complete, PC1 in VLAN 10 and PC2 in VLAN 20 can
----End
Configuration Files
l Configuration file of the Router
#
sysname Router
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
ip address 10.10.10.1 255.255.255.0
arp broadcast enable
#
ip address 10.10.20.1 255.255.255.0
#
return
l Configuration file of the RouterA

#
sysname RouterA
#

vlan batch 10
#
#
#
return
l Configuration file of the RouterB
#
sysname RouterB
#
vlan batch 20
#
#
#
return
6.11.2 Example for Configuring Dot1q Termination Sub-interfaces

to Implement Inter-VLAN Communication Across Different
Networks
In the networking example shown in Figure 6-8, RouterA and RouterB are connected to
Layer 2 networks to which VLAN 10 and VLAN 20 belong. RouterA communicates with
RouterB through a Layer 3 network where OSPF is run.
PCs of the two Layer 2 networks need to be isolated at Layer 2 and interwork at Layer 3.
Figure 6-8 Networking for configuring Dot1q termination sub-interfaces to implement inter-
VLAN communication across a network
RouterA RouterB
Eth2/0/2 Eth2/0/1
OSPF
GE1/0/0.1 GE2/0/0.1
VLAN 10 VLAN 20
PC A PC B
10.10.10.2/24 10.10.20.2/24

1. Configure VLANs that interfaces belong to.
2. Assign IP addresses to VLANIF interfaces.
3. Set the encapsulation mode of sub-interfaces.
4. Configure VLANs allowed by sub-interfaces.
5. Assign IP addresses to the sub-interfaces.
6. Configure basic OSPF functions.
NOTE
The VLANs allowed by a sub-interface cannot be created in the system view.
Procedure
# Create a VLAN.
[RouterA] vlan batch 30
# Add an interface to the VLAN.

# Assign an IP address to a VLANIF interface.

[RouterA] interface vlanif 30
[RouterA-Vlanif30] ip address 10.10.30.1 24
[RouterA-Vlanif30] quit
# Create and configure GE1/0/1.1.

[RouterA] interface gigabitethernet 1/0/0.1
[RouterA-GigabitEthernet1/0/0.1] dot1q termination vid 10
[RouterA-GigabitEthernet1/0/0.1] ip address 10.10.10.1 24
[RouterA-GigabitEthernet1/0/0.1] arp broadcast enable
[RouterA-GigabitEthernet1/0/0.1] quit

[RouterA] router id 1.1.1.1
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] network 10.10.30.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] return

# Create a VLAN.
[RouterB] vlan batch 30

# Add an interface to the VLAN.

# Assign an IP address to a VLANIF interface.

[RouterB-Vlanif30] ip address 10.10.30.2 24
# Create and configure GE1/0/2.1.

[RouterB] interface gigabitethernet 2/0/0.1
[RouterB-GigabitEthernet2/0/0.1] dot1q termination vid 20
[RouterB-GigabitEthernet2/0/0.1] ip address 10.10.20.1 24
[RouterB-GigabitEthernet2/0/0.1] arp broadcast enable
[RouterB-GigabitEthernet2/0/0.1] quit

[RouterB] router id 2.2.2.2
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.10.20.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 10.10.30.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] return

# On the PCs residing on the Layer 2 network connected to RouterA, set the default gateway
address to 10.10.10.1/24, which is the IP address of GE1/0/0.1. The switch connected to
RouterA allows VLAN 10.
# On the PCs residing on the Layer 2 network connected to RouterB, set the default gateway
address to 10.10.20.1/24, which is the IP address of GE2/0/0.1. The switch connected to
RouterB allows VLAN 20.
After the configuration is complete, PCs on the two Layer 2 networks are isolated at Layer 2
and interwork at Layer 3.
----End
Configuration Files
#
sysname RouterA
#
router id 1.1.1.1
#
vlan batch 30
#
interface Vlanif30
ip address 10.10.30.1 255.255.255.0
#
ip address 10.10.10.1 255.255.255.0
#
#

ospf 1
area 0.0.0.0
network 10.10.10.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return

#
sysname RouterB
#
router id 2.2.2.2
#
vlan batch 30
#
interface Vlanif30
ip address 10.10.30.2 255.255.255.0
#
#
ip address 10.10.20.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.10.20.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
return
6.11.3 Example for Connecting a Dot1q Sub-interface to a VLL

Network
As shown in Figure 6-9, CE1 and CE2 are connected to PE1 and PE2 respectively through
VLANs.
A Martini VLL is created between PE1 and PE2 so that user networks connected to CE1 and
CE2 can communicate.
Figure 6-9 Networking diagram for connecting a Dot1q VLAN tag termination sub-interface
to a VLL network
Loopback1 Loopback1 Loopback1
10.10.1.9/32 10.20.2.9/32 10.30.3.9/32
GE2/0/0 GE1/0/0
10.1.1.2/24 10.2.2.2/24
PE1 PE2
GE2/0/0 GE 1/0/0
GE1/0/0 10.1.1.1/24 P 10.2.2.1/24 GE2/0/0
Martini
GE1/0/0 GE1/0/0
CE1 CE2

1. Configure a routing protocol on devices (PE and P) of the backbone network to
implement interworking, and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP for data
transmission.
3. Enable MPLS L2VPN and create VC connections on PEs.
4. Configure Dot1q sub-interfaces on PE interfaces connected to CEs to implement VLL
access.
Procedure
Step 1 Configure IP addresses for interfaces on CEs, PEs, and the P devices according to Figure 6-9.
# Configure CE1. The configuration details of other devices are not mentioned here.
[Huawei] sysname CE1
[CE1] interface gigabitethernet 1/0/0.1
[CE1-GigabitEthernet1/0/0.1] ip address 10.100.1.1 255.255.255.0
[CE1-GigabitEthernet1/0/0.1] quit
Step 2 Configure CEs to add a VLAN tag to packets destined for PEs.
# VLAN 10 is used as an example. Configure CE1.
[CE1-GigabitEthernet1/0/0.1] dot1q termination vid 10
# Configure CE2.
Step 3 Configure an IGP on the MPLS backbone network. OSPF is used as an example.
# Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the LSR IDs.
# Configure PE1. The configuration details of other devices are not mentioned here.
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
Step 4 Configure basic MPLS functions and MPLS LDP on the MPLS network.
# Configure PE1.
[PE1] mpls lsr-id 10.10.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 2/0/0

[PE1-GigabitEthernet2/0/0] mpls
[PE1-GigabitEthernet2/0/0] mpls ldp
[PE1-GigabitEthernet2/0/0] quit
# Configure P.
[P] mpls lsr-id 10.20.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] mpls
[P-GigabitEthernet2/0/0] mpls ldp
[P-GigabitEthernet2/0/0] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
Step 5 Set up a remote LDP session between PEs.

# Configure PE1.
[PE1] mpls ldp remote-peer 10.30.3.9
[PE1-mpls-ldp-remote-10.30.3.9] remote-ip 10.30.3.9
[PE1-mpls-ldp-remote-10.30.3.9] quit
# Configure PE2.
# After the configuration is complete, run the display mpls ldp session command on PE1 to
view the LDP session setup. You can see that an LDP session is set up between PE1 and PE2.
[PE1] display mpls ldp session
LDP Session(s) in Public Network

Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
10.20.2.9:0 Operational DU Passive 0000:00:11 46/45
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.
Step 6 Enable MPLS L2VPN and create VCs on PEs.

# On PE1, create a VC on GE1/0/0.1 connected to CE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1] interface gigabitethernet 1/0/0.1

[PE1-GigabitEthernet1/0/0.1] dot1q termination vid 10

[PE1-GigabitEthernet1/0/0.1] mpls l2vc 10.30.3.9 101
[PE1-GigabitEthernet1/0/0.1] quit

[PE2] mpls l2vpn
[PE2-l2vpn] quit

# Check L2VPN connections on PEs. You can see that an L2VC connection has been set up
and is in Up state.
[PE1] display mpls l2vc interface gigabitethernet 1/0/0.1
*client interface : GigabitEthernet1/0/0.1 is up
Administrator PW : no
session state : up
AC status : up
Ignore AC state : disable
VC state : up
Label state : 0
Token state : 0
VC ID : 101
VC type : VLAN
destination : 10.30.3.9
local group ID : 0 remote group ID : 0
local VC label : 1024 remote VC label : 1024
local AC OAM State : up
local PSN OAM State : up
local forwarding state : forwarding
local status code : 0x0
remote AC OAM state : up
remote PSN OAM state : up
remote forwarding state: forwarding
remote status code : 0x0
ignore standby state : no
BFD for PW : unavailable
VCCV State : up
manual fault : not set
active state : active
forwarding entry : exist
link state : up
local VC MTU : 1500 remote VC MTU : 1500
local VCCV : alert ttl lsp-ping bfd
remote VCCV : alert ttl lsp-ping bfd
local control word : disable remote control word : disable
tunnel policy name : --
PW template name : --
primary or secondary : primary
load balance type : flow
Access-port : false
Switchover Flag : false
VC tunnel/token info : 1 tunnels/tokens
NO.0 TNL type : lsp , TNL ID : 0x5
Backup TNL type : lsp , TNL ID : 0x0
create time : 0 days, 0 hours, 27 minutes, 15 seconds
up time : 0 days, 0 hours, 2 minutes, 22 seconds
last change time : 0 days, 0 hours, 2 minutes, 22 seconds
VC last up time : 2011/09/26 15:29:03
VC total up time : 0 days, 0 hours, 2 minutes, 22 seconds
CKey : 5
NKey : 4
PW redundancy mode : frr
AdminPw interface : --
AdminPw link state : --

Diffserv Mode : uniform

Service Class : --
Color : --
DomainId : --
Domain Name : --
# CE1 and CE2 can ping each other.

[CE1] ping 10.100.1.2
0.00% packet loss
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
interface GigabitEthernet1/0/0
#
ip address 10.100.1.1 255.255.255.0
#
return
l PE1 configuration file

#
sysname PE1
#
mpls lsr-id 10.10.1.9
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 10.30.3.9
remote-ip 10.30.3.9
#
#
mpls l2vc 10.30.3.9 101
#
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.10.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0

network 10.10.1.9 0.0.0.0

network 10.1.1.0 0.0.0.255
#
return
l P configuration file
#
sysname P
#
mpls
#
mpls ldp
#
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.20.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.20.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return

#
sysname PE2
#
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 10.10.1.9
#
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
#
mpls l2vc 10.10.1.9 101
#
interface LoopBack1
ip address 10.30.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.30.3.9 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return


#
sysname CE2
#
#
ip address 10.100.1.2 255.255.255.0
#
return
6.11.4 Example for Connecting QinQ Termination Sub-interfaces

to a VLL Network
VLANs.
A Martini VLL connection is set up between PE1 and PE2 to implement interworking
between CE1 and CE2.
Figure 6-10 Networking for connecting Dot1q termination sub-interfaces to a VLL network
10.10.1.9/32 10.20.2.9/32 10.30.3.9/32
GE2/0/0 GE1/0/0
10.1.1.2/24 10.2.2.2/24
PE1 PE2
GE2/0/0 GE 1/0/0
GE1/0/0 10.1.1.1/24 P 10.2.2.1/24 GE2/0/0
Martini
GE1/0/0 GE1/0/0
CE1 CE2
1. Configure an IGP on PEs and the P on the backbone network to ensure reachability
between them, and enable MPLS.
2. Use the default tunnel policy to set up LSPs for transmitting user data.
3. Enable MPLS L2VPN and create VCs on PEs.
4. On PE interfaces connected to CEs, create QinQ sub-interfaces and connect the sub-
interfaces to the VLL network.

Procedure
Step 1 Create a bridge group and add a sub-interface to the bridge group.
# The display on CE1 is used as an example. The configuration of CE2 is similar to that of
CE1, and is not mentioned here.
[CE1] bridge 1
[CE1-bridge1] quit
[CE1-GigabitEthernet1/0/0.1] bridge 1
[CE1-GigabitEthernet1/0/0.1] bridge vlan-transmit enable
Step 2 Configure CEs to send double-tagged packets to PEs.
# Here, the inner VLAN ID is VLAN 10 and outer VLAN ID is VLAN 100. # The display on
CE1 is used as an example. The configuration of CE2 is similar to that of CE1, and is not
mentioned here.
[CE1-GigabitEthernet1/0/0.1] vlan stacking vid 10 pe-vid 100
Step 3 Configure PEs to terminate double-tagged packets.
# The display on PE1 is used as an example. The configuration of PE2 is similar to that of
PE1, and is not mentioned here.
[Huawei] sysname PE1
[PE1-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10
Step 4 Assign an IP address to each device.
# The display on PE1 is used as an example. The configuration of PE2 and P is similar to that
of PE1, and is not mentioned here.
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 10.10.1.9 255.255.255.255
[PE1-LoopBack1] quit
[PE1-GigabitEthernet2/0/0] ip address 10.1.1.1 255.255.255.0
Step 5 Configure an IGP on the MPLS backbone network. This example uses OSPF.
# Configure OSPF to advertise the loopback interface addresses of 32-bit mask length on
PE1, PE2, and P, which are used as the LSR IDs.
# The display on PE1 is used as an example. The configurations of other devices are similar to
the configuration of PE1, and are not mentioned here.
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit

Step 6 Configure basic MPLS functions and enable MPLS LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
# Configure the P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
Step 7 Create a remote LDP session between PE1 and PE2.

# Configure PE1.
# Configure PE2.
view the LDP session status. You can see that an LDP session is set up between PE1 and PE2.

------------------------------------------------------------------------------
------------------------------------------------------------------------------

------------------------------------------------------------------------------
Step 8 Enable MPLS L2VPN on PEs and establish VCs.

[PE1] mpls l2vpn
[PE1-l2vpn] quit

[PE2] mpls l2vpn
[PE2-l2vpn] quit
# On PEs, check the L2VPN connections. You can see that an L2VC connection is set up and
is in Up state.
*client interface : GigabitEthernet1/0/0.1 is
up
session state : up
AC status : up
VC state : up
Label state : 0
Token state : 0
VC ID : 101
VC type : VLAN
VCCV State : up
link state : up
Access-port : false


VC last up time : 2011/09/26 15:29:03
CKey : 5
NKey : 4
Service Class : --
Color : --
DomainId : --
Domain Name : --
----End
Configuration Files
l Configuration file of CE1
#
sysname CE1
#
bridge 1
#
#
bridge 1
bridge vlan-transmit enable
vlan stacking vid 10 pe-vid 100
#
return

#
sysname CE2
#
bridge 1
#
#
bridge 1
vlan stacking vid 10 pe-vid 100
#
return
l Configuration file of PE1

#
sysname PE1
#
mpls
#
mpls l2vpn
#
mpls ldp
#

remote-ip 10.30.3.9
#
#
qinq termination pe-vid 100 ce-vid 10
mpls l2vc 10.30.3.9 101
#
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.10.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.10.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
l Configuration file of the P
#
sysname P
#
mpls
#
mpls ldp
#
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.20.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.20.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
#
sysname PE2
#
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 10.10.1.9
#
ip address 10.2.2.1 255.255.255.0
mpls

mpls ldp
#
#
mpls l2vc 10.10.1.9 101
#
interface LoopBack1
ip address 10.30.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.30.3.9 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
6.11.5 Example for Connecting a Dot1q VLAN Tag Termination

Sub-interface to an L3VPN
As shown in Figure 6-11, CE1 and CE3 belong to VPN-A, and CE2 and CE4 belong to VPN-
B. The VPN targets of VPN-A and VPN-B are 111:1 and 222:2 respectively. Users in
different VPNs cannot communicate with each other.
to an L3VPN
AS: 65410 AS: 65430

VPN-A VPN-A
CE1 CE3
GE1/0/0 GE1/0/0
Loopback1
10.20.2.9/32
GE1/0/0 GE1/0/0
PE1 GE1/0/0 GE2/0/0 PE2
Loopback1 172.16.1.2/24 172.26.1.1/24 Loopback1
10.10.1.9/32 GE3/0/0 GE3/0/0 10.30.3.9/32
172.16.1.1/24 P 172.26.1.2/24
GE2/0/0 AS: 100 GE2/0/0
VPN Backbone
GE1/0/0 GE1/0/0
CE2 CE4
VPN-B VPN-B
AS: 65420 AS: 65440

1. Configure VPN instances on PEs connected to CEs on the backbone network, bind
interfaces connected to CEs to VPN instances, and assign IP addresses to interfaces
connected to CEs.
2. Configure OSPF on PEs to implement interworking.
3. Configure basic MPLS functions and MPLS LDP, and set up MPLS LSPs.
4. Configure the Multi-protocol Extensions for Interior Border Gateway Protocol (MP-
IBGP) on PEs to exchange VPN routing information.
5. Configure EBGP on CEs and PEs to exchange VPN routing information.
6. Configure Dot1q sub-interfaces on PE interfaces connected to CEs to connect the Dot1q
sub-interfaces to the L3VPN.
Procedure
Step 1 Configure OSPF on the MPLS backbone network so that the PEs and P can communicate
with each other.
# Configure PE1.
[PE1-LoopBack1] ip address 10.10.1.9 32
[PE1-GigabitEthernet3/0/0] ip address 172.16.1.1 24
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure P.
[Huawei] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 10.20.2.9 32
[P-LoopBack1] quit
[P-GigabitEthernet1/0/0] ip address 172.16.1.2 24
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.


[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
# After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command. The OSPF neighbor relationship status is
Full. Run the display ip routing-table command. PEs have learned the routes to each other's
Loopback1 interface.
# The display on PE1 is used as an example.

[PE1] display ip routing-table
Route Flags: R - relay,
D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 11 Routes : 11
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.10.1.9/32 Direct 0 0 D 10.0.0.1 LoopBack1

10.20.2.9/32 OSPF 10 1 D 172.16.1.2
GigabitEthernet3/0/0
10.30.3.9/32 OSPF 10 2 D 172.16.1.2
10.0.0.0/8 Direct 0 0 D 10.0.0.1 InLoopBack0
172.16.1.0/24 Direct 0 0 D 172.16.1.1
172.16.1.1/32 Direct 0 0 D 10.0.0.1
172.16.1.255/32 Direct 0 0 D 10.0.0.1
172.26.1.0/24 OSPF 10 2 D 172.16.1.2
[PE1] display ospf peer
OSPF Process 1 with Router ID 10.10.1.9

Neighbors
Area 0.0.0.0 interface 172.16.1.1(GigabitEthernet3/0/0)'s neighbors

Router ID: 10.20.2.9 Address: 172.16.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: 172.16.1.1 BDR: 172.16.1.2 MTU: 0
Dead timer due in 37 sec
Retrans timer interval: 5
Neighbor is up for 00:16:21
Authentication Sequence: [ 0 ]
Step 2 Configure basic MPLS functions and MPLS LDP on the MPLS backbone network to set up
LDP LSPs.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit

[PE1] mpls ldp

[PE1-mpls-ldp] quit
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
# After the configuration is complete, LDP sessions can be set up between PE1 and the P, and
between the P and PE2. Run the display mpls ldp session command. The command output
shows that the Status field is Operational. Run the display mpls ldp lsp command.
Information about the established LDP LSPs is displayed.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
10.20.2.9:0 Operational DU Active 0000:00:01 6/6
------------------------------------------------------------------------------
[PE1] display mpls ldp lsp
LDP LSP Information

-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
10.10.1.9/32 3/NULL 10.20.2.9 10.0.0.1 InLoop0
*10.10.1.9/32 Liberal/1024 DS/10.20.2.9
10.20.2.9/32 NULL/3 - 172.16.1.2 GE3/0/0
10.20.2.9/32 1024/3 10.20.2.9 172.16.1.2 GE3/0/0
10.30.3.9/32 NULL/1025 - 172.16.1.2 GE3/0/0
10.30.3.9/32 1025/1025 10.20.2.9 172.16.1.2 GE3/0/0
-------------------------------------------------------------------------------
TOTAL: 5 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.

A '*' before an LSP means the LSP is not established

A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is stale
A '*' before a DS means the session is stale
A '*' before a NextHop means the LSP is FRR LSP
# Here, the VLAN ID in packets sent by CE1 and CE3 is VLAN 10, and the VLAN ID in
packets sent by CE2 and CE4 is VLAN 20.
# Configure CE1.
# Configure CE2.
# Configure CE3.
# Configure CE4.
Step 4 Configure VPN instances on PEs and bind the instances to the interfaces connected to CEs.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE1-GigabitEthernet1/0/0.1] ip address 10.1.1.2 24

[PE1-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb

# Configure PE2.
# After the configuration is complete, run the display ip vpn-instance verbose command on
PEs to check the VPN instance configuration. Each PE can ping its connected CE.
NOTE
If multiple interfaces of a PE are bound to the same VPN instance, run the ping -vpn-instance vpn-
instance-name -a source-ip-address dest-ip-address command with -a source-ip-address specified to
ping the CE connected to the remote PE. Otherwise, the ping operation may fail.

[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 2
Total IPv4 VPN-Instances configured : 2
VPN-Instance Name and ID : vpna, 1

Interfaces : GigabitEthernet1/0/0.1
Address family ipv4
Create date : 2012/07/25 00:58:17
Up time : 0 days, 22 hours, 24 minutes and 53 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label Policy : label per route
Log Interval : 5
VPN-Instance Name and ID : vpnb, 2

Address family ipv4
Create date : 2012/07/25 00:58:17
Log Interval : 5
[PE1] ping -vpn-instance vpna 10.1.1.1



0.00% packet loss
Step 5 Set up an MP-IBGP peer relationship between PEs.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 10.30.3.9 as-number 100
[PE1-bgp] peer 10.30.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 10.30.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] quit
# After the configuration is complete, run the display bgp peer or display bgp vpnv4 all
peer command on PEs. The command output shows that a BGP peer relationship has been
established between PEs.
[PE1] display bgp peer
BGP local router ID : 10.10.1.9

Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down

State PrefRcv
10.30.3.9 4 100 12 6 0 00:02:21

Established 0
[PE1] display bgp vpnv4 all peer

Peer V AS MsgRcvd MsgSent OutQ Up/Down State

PrefRcv
10.30.3.9 4 100 12 18 0 00:09:38 Established 0
Step 6 Set up EBGP peer relationships between PEs and CEs and import VPN routes into BGP.
# Configure CE1. The configurations of other CEs are similar to the configuration on CE1,
and are not mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure PE1. The configuration of PE2 is similar to the configuration of PE1, and is not
mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit
# After the configuration is complete, run the display bgp vpnv4 vpn-instance peer
command on PEs. The command output shows that BGP peer relationships have been
established between PEs and CEs.
# The peer relationship between PE1 and CE1 is used as an example.
[PE1] display bgp vpnv4 vpn-instance vpna peer

VPN-Instance vpna, Router ID 10.10.1.9:


PrefRcv
10.1.1.1 4 65410 6 3 0 00:00:02

Established 4

# Run the display ip routing-table vpn-instance command on PEs to view the routes to the
remote CEs.
[PE1] display ip routing-table vpn-instance vpna
D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
10.1.1.0/24 Direct 0 0 D 10.1.1.2

10.1.1.2/32 Direct 0 0 D 10.0.0.1
10.1.1.255/32 Direct 0 0 D 10.0.0.1
10.3.1.0/24 IBGP 255 0 RD 10.30.3.9
[PE1] display ip routing-table vpn-instance vpnb
D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb

10.2.1.0/24 Direct 0 0 D 10.2.1.2

10.2.1.2/32 Direct 0 0 D 10.0.0.1
10.2.1.255/32 Direct 0 0 D 10.0.0.1
10.4.1.0/24 IBGP 255 0 RD 10.30.3.9
# CEs in the same VPN can ping each other, whereas CEs in different VPNs cannot.
# For example, CE1 can ping CE3 at 10.3.1.1 but cannot ping CE4 at 10.4.1.1.
[CE1] ping 10.3.1.1
0.00% packet loss
[CE1] ping 10.4.1.1
Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
----End
Configuration Files
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
#
mpls
#
mpls ldp
#
#
ip binding vpn-instance vpna

ip address 10.1.1.2 255.255.255.0

#
#
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
ip address 172.16.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.10.1.9 255.255.255.255
#
bgp 100
peer 10.30.3.9 as-number 100
peer 10.30.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 10.30.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
#
ipv4-family vpn-instance vpna
import-route direct
#
ipv4-family vpn-instance vpnb
import-route direct
#
ospf 1
area 0.0.0.0
network 10.10.1.9 0.0.0.0
network 172.16.1.0 0.0.0.255
#
return
#
sysname P
#
mpls
#
mpls ldp
#
ip address 172.16.1.2 255.255.255.0
mpls
mpls ldp
#
ip address 172.26.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.20.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.20.2.9 0.0.0.0
network 172.16.1.0 0.0.0.255

network 172.26.1.0 0.0.0.255

#
return
#
sysname PE2
#
ip vpn-instance
vpna
ipv4-family
#
ip vpn-instance
vpnb
ipv4-family
#
mpls
#
mpls ldp
#
#
ip address 10.3.1.2 255.255.255.0
#
#
ip address 10.4.1.2 255.255.255.0
#
ip address 172.26.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.30.3.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
#
ipv4-family vpnv4
policy vpn-target
#
import-route direct
#
import-route direct
#
ospf 1

area 0.0.0.0
network 10.30.3.9 0.0.0.0
network 172.26.1.0 0.0.0.255
#
return

#
sysname CE1
#
#
ip address 10.1.1.1 255.255.255.0
#
bgp 65410
#
ipv4-family unicast
import-route direct
#
return

#
sysname CE2
#
#
ip address 10.2.1.1 255.255.255.0
#
bgp 65420
#
ipv4-family unicast
import-route direct
#
return

#
sysname CE3
#
#
ip address 10.3.1.1 255.255.255.0
#
bgp 65430
#
ipv4-family unicast
import-route direct
#
return

#
sysname CE4

#
#
ip address 10.4.1.1 255.255.255.0
#
bgp 65440
#
ipv4-family unicast
import-route direct
#
return
6.11.6 Example for Connecting a QinQ VLAN Tag Termination

Figure 6-12 Networking diagram for connecting a QinQ VLAN tag termination sub-interface
to an L3VPN
AS: 65410 AS: 65430

VPN-A VPN-A
CE1 CE3
GE1/0/0 GE1/0/0
Loopback1
10.20.2.9/32
GE1/0/0 GE1/0/0
PE1 GE1/0/0 GE2/0/0 PE2
10.10.1.9/32 GE3/0/0 GE3/0/0 10.30.3.9/32
172.16.1.1/24 P 172.26.1.2/24
GE2/0/0 AS: 100 GE2/0/0
VPN Backbone
GE1/0/0 GE1/0/0
CE2 CE4
VPN-B VPN-B
AS: 65420 AS: 65440

connected to CEs.
6. Configure QinQ sub-interfaces on PE interfaces connected to CEs to connect the QinQ
sub-interfaces to the L3VPN network.
Procedure
with each other.
# Configure PE1.
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure P.
[Huawei] sysname P
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1] quit
# Configure PE2.


[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
relationships. Run the display ospf peer command. The command output shows that the
OSPF neighbor relationship status is Full. Run the display ip routing-table command. The
command output shows that PEs have learned the routes to the each other's Loopback1
interface.
D - download to fib
------------------------------------------------------------------------------

10.20.2.9/32 OSPF 10 1 D 172.16.1.2
10.30.3.9/32 OSPF 10 2 D 172.16.1.2
172.16.1.0/24 Direct 0 0 D 172.16.1.1
172.16.1.1/32 Direct 0 0 D 10.0.0.1
172.16.1.255/32 Direct 0 0 D 10.0.0.1
172.26.1.0/24 OSPF 10 2 D 172.16.1.2

Neighbors

DR: 172.16.1.1 BDR: 172.16.1.2 MTU: 0
LDP LSPs.
# Configure PE1.
[PE1] mpls

[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
LDP LSP Information

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
10.10.1.9/32 3/NULL 10.20.2.9 10.0.0.1 InLoop0
*10.10.1.9/32 Liberal/1024 DS/10.20.2.9
10.20.2.9/32 NULL/3 - 172.16.1.2 GE3/0/0
10.20.2.9/32 1024/3 10.20.2.9 172.16.1.2 GE3/0/0
10.30.3.9/32 NULL/1025 - 172.16.1.2 GE3/0/0
10.30.3.9/32 1025/1025 10.20.2.9 172.16.1.2 GE3/0/0
-------------------------------------------------------------------------------



# Here, the inner VLAN ID in packets sent by CE1 and CE3 is VLAN 10, and outer VLAN
ID is VLAN 100; the inner VLAN ID in packets sent by CE2 and CE4 is VLAN 20, and outer
VLAN ID is VLAN 200.
# Configure CE1.
[CE1-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10
# Configure CE2.
# Configure CE3.
# Configure CE4.
# Configure PE1.

# Configure PE2.
NOTE
The display on PE1 is used as an example.


Address family ipv4
Create date : 2012/07/25 00:58:17
Log Interval : 5

Address family ipv4
Create date : 2012/07/25 00:58:17
Log Interval : 5



0.00% packet loss

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] quit


State PrefRcv
10.30.3.9 4 100 12 6 0 00:02:21

Established 0


PrefRcv
10.30.3.9 4 100 12 18 0 00:09:38 Established 0
[CE1] bgp 65410


[CE1-bgp] quit
mentioned here.
[PE1] bgp 100
[PE1-bgp-vpna] quit
[PE1-bgp-vpnb] quit
[PE1-bgp] quit



PrefRcv
10.1.1.1 4 65410 6 3 0 00:00:02

Established 4

remote CEs.
D - download to fib
------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.2

10.1.1.2/32 Direct 0 0 D 10.0.0.1
10.1.1.255/32 Direct 0 0 D 10.0.0.1
10.3.1.0/24 IBGP 255 0 RD 10.30.3.9
D - download to fib
------------------------------------------------------------------------------

10.2.1.0/24 Direct 0 0 D 10.2.1.2

10.2.1.2/32 Direct 0 0 D 10.0.0.1
10.2.1.255/32 Direct 0 0 D 10.0.0.1
10.4.1.0/24 IBGP 255 0 RD 10.30.3.9
[CE1] ping 10.3.1.1
0.00% packet loss
[CE1] ping 10.4.1.1
Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
----End
Configuration Files
#
sysname PE1
#
ipv4-family
#
ipv4-family
#
mpls
#
mpls ldp
#
#

ip address 10.1.1.2 255.255.255.0
#
#
ip address 10.2.1.2 255.255.255.0
#
ip address 172.16.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.10.1.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
#
ipv4-family vpnv4
policy vpn-target
#
import-route direct
#
import-route direct
#
ospf 1
area 0.0.0.0
network 10.10.1.9 0.0.0.0
network 172.16.1.0 0.0.0.255
#
return
#
sysname P
#
mpls
#
mpls ldp
#
ip address 172.16.1.2 255.255.255.0
mpls
mpls ldp
#
ip address 172.26.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.20.2.9 255.255.255.255
#
ospf 1

area 0.0.0.0
network 10.20.2.9 0.0.0.0
network 172.16.1.0 0.0.0.255
network 172.26.1.0 0.0.0.255
#
return
#
sysname PE2
#
ip vpn-instance
vpna
ipv4-family
#
ip vpn-instance
vpnb
ipv4-family
#
mpls
#
mpls ldp
#
#
ip address 10.3.1.2 255.255.255.0
#
#
ip address 10.4.1.2 255.255.255.0
#
ip address 172.26.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.30.3.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
#
ipv4-family vpnv4
policy vpn-target
#
import-route direct
#
import-route direct


#
ospf 1
area 0.0.0.0
network 10.30.3.9 0.0.0.0
network 172.26.1.0 0.0.0.255
#
return

#
sysname CE1
#
#
ip address 10.1.1.1 255.255.255.0
#
bgp 65410
#
ipv4-family unicast
import-route direct
#
return

#
sysname CE2
#
#
ip address 10.2.1.1 255.255.255.0
#
bgp 65420
#
ipv4-family unicast
import-route direct
#
return

#
sysname CE3
#
#
ip address 10.3.1.1 255.255.255.0
#
bgp 65430
#
ipv4-family unicast
import-route direct
#
return


#
sysname CE4
#
#
ip address 10.4.1.1 255.255.255.0
#
bgp 65440
#
ipv4-family unicast
import-route direct
#
return

Configuration 7 Voice VLAN Configuration
7 Voice VLAN Configuration
About This Chapter
This chapter describes how to configure voice VLAN.

7.1 Overview of Voice VLANs
7.2 Understanding Voice VLANs
7.3 Application Scenarios for Voice VLANs
This section describes the applicable scenario of the voice VLAN.
7.4 Default Settings for Voice VLANs
7.5 Licensing Requirements and Limitations for Voice VLANs
7.6 Configuring an Automatic Voice VLAN
7.7 Configuring a Manual Voice VLAN
7.8 Configuration Examples for Voice VLANs
7.9 FAQ About Voice VLANs
7.1 Overview of Voice VLANs

Definition
Voice VLAN is a technology that transmits voice data.
Purpose
Data, voice, and video services are often transmitted simultaneously over a network. Packet
loss and delay seriously affect the voice communication quality. Voice services, in particular,
require a higher forwarding priority than data or video services. When bandwidth is limited,
voice data must have transmission preference over other types of data. This can be done by
configuring a voice VLAN on the switch to transmit voice data and setting QoS parameters in
the voice VLAN so that voice data is given preference when congestion occurs.

7.2 Understanding Voice VLANs

Introduction to Voice VLAN
Voice data and non-voice data are often transmitted on a same network. Voice data requires a
higher priority than non-voice data during transmission. This helps shorten the packet delay
and reduce packet loss during the transmission.
A commonly used method to ensure preferred transmission of voice data is to configure an

access control list (ACL) to identify voice data flow, and use quality of service (QoS)
mechanisms to ensure high quality of voice services, but the configuration is complex. To
simplify user configuration and manage the voice data transmission more conveniently, voice
VLAN is introduced.
The interface enabled with voice VLAN determines whether the incoming data is voice data
based on source MAC addresses of the data packets. If a source MAC address matches the
Organizationally Unique Identifier (OUI), the data with the source MAC address is
considered as voice data. Then the interface that receives voice data is automatically added to
the voice VLAN. In this manner, voice data can be managed more conveniently.
As shown in Figure 7-1, PC and IP Phone are all transmitted to the Router. To differentiate
voice data from other data, the IP Phone traffic is isolated through different VLANs and is
assigned a higher priority to ensure voice quality. In this case, you can configure voice VLAN
on the router. The router assigns a higher priority to voice packets tagged with the voice
VLAN ID from IP phones so that the voice packets can be preferentially forwarded and voice
quality is ensured.
Figure 7-1 Networking of the voice VLAN

Router_1 Router_2
Internet
IP Phone_1
IP Phone_3
IP Phone_2
PC_1 PC_3
On different interfaces of the router, you can specify different VLANs as voice VLANs. On
an interface, however, you can specify only one VLAN as a voice VLAN.

Basic Concepts
l OUI
An OUI indicates a MAC address segment.
You can perform the AND operation on a 48-bit MAC address and a mask to obtain the
OUI. The length of all 1s in the mask determines the number of matched bits between
the MAC address of a device and the OUI. For example, if the specified MAC address is
0001-0001-0001 and the mask is FFFF-FF00-0000, the OUI is 0001-0000-0000. In this
example, if the first 24 bits of the MAC address of the device match the first 24 bits of
the OUI, the interface enabled with voice VLAN considers the data from the access
device as voice data, and the device as a voice device.
l Mode in which an interface is added to a voice VLAN
Table 7-1 describes the mode in which an interface is added to a voice VLAN.
Table 7-1 Mode in which an interface is added to a voice VLAN

Mode Description
Automatic mode The interface enabled with voice VLAN

determines whether the incoming data is voice
data according to the source MAC addresses of
the data packets. If a source MAC address
matches the OUI of a voice device, the data with
the source MAC address is considered as voice
data. The interface that receives the voice data is
automatically added to a voice VLAN.
Manual mode When an interface is enabled with voice VLAN,

you must manually add the interface that
connects to the voice device to the voice VLAN
or remove the interface from the voice VLAN.
In this manner, voice VLAN enabled on the
interface can take effect.
You can add different interfaces to voice VLANs in different modes, which are
independent of each other.
l Working mode of a voice VLAN
Table 7-2 shows the working mode of a voice VLAN.

Table 7-2 Working mode of a voice VLAN

Wor Scenario Packet Processing Configuration Note
kin
g
Mo
de
Secu The inbound interface If the source MAC Transmitting voice and
re enabled with the voice address does not match service data at the same
VLAN function allows the OUI, the interface time in a voice VLAN is
only the voice packets does not change the not recommended. If a
in which the source priority of voice packets voice VLAN must
MAC address matches and prevents the voice transmit both voice and
the OUI address of the packets from being service data, ensure that
voice VLAN, and forwarded in the voice the voice VLAN works
discards non-voice VLAN. in normal mode.
packets from the voice If the source MAC
VLAN and forwards address matches the
packets from other OUI, the interface
VLANs. changes the priority of
voice packets and
allows the voice packets
to be forwarded in the
voice VLAN.
Nor The inbound interface If the source MAC

mal enabled with the voice address does not match
VLAN function the OUI, the interface
transmits both voice does not change the
packets and non-voice priority of voice packets
packets. In normal and allows the voice
mode, the interface is packets to be forwarded
vulnerable to attacks in the voice VLAN.
from malicious data If the source MAC
traffic. address matches the
OUI, the interface
changes the priority of
voice packets and
allows the voice packets
to be forwarded in the
voice VLAN.
7.3 Application Scenarios for Voice VLANs

This section describes the applicable scenario of the voice VLAN.
In Figure 7-2, PCs and IP phones connect to the Internet through switching device. Because
the voice service is sensitive to the delay and jitter, the priority of voice data flows needs to be
increased so that they can be preferentially forwarded when congestion occurs. The router

adds the voice VLAN tag and assigns a higher priority to the VoIP traffic, so the VoIP traffic
can be transmitted preferentially and voice quality is ensured.
NOTE
The device cannot process untagged packets.
Figure 7-2 Applicable scenario of the voice VLAN

Router_1 Router_2
Internet
IP Phone_1
IP Phone_3
IP Phone_2
PC_1 PC_3
7.4 Default Settings for Voice VLANs

Voice VLAN function Disabled
Mode in which an interface is Auto mode

added to the voice VLAN NOTE
l Currently, the AR120-S&AR150-S&AR160-S&AR200-S
and AR1200E-S support only the manual mode.
l The 4GE-2S, 4ES2G-S, 4ES2GP-S, 9ES2, 8ES2G and
8ES2GS cards do not support automatic voice VLAN.
802.1p priority of the voice 6

VLAN
DSCP priority of the voice 46

VLAN
Working mode of the voice Security mode

VLAN
Compatibility with non-Huawei Disabled

voice devices

7.5 Licensing Requirements and Limitations for Voice

VLANs
None
Voice VLAN is a basic feature of a router and is not under license control.
Feature Limitations
None
7.6 Configuring an Automatic Voice VLAN

Before configuring an automatic voice VLAN, complete the following tasks:
l Create VLANs.
l Set the type of interfaces to be added to the voice VLAN to trunk or hybrid.
7.6.1 Configuring an OUI for a Voice VLAN

Context
An Organizationally Unique Identifier (OUI) is the first 24 bits of a MAC address, and is a
unique identifier assigned to a device vendor.
An OUI represents a MAC address segment that is obtained by performing the AND
operation between a 48-bit MAC address and a mask. If the first 24 bits of the MAC address
of a device are the same as an OUI, a voice VLAN-enabled port considers the device as a
voice device and data from the device as voice data.
Procedure
Step 2 Run voice-vlan mac-address mac-address mask oui-mask [ description text ]
An OUI is configured.
When configuring an OUI for a voice VLAN, note the following:
l The mac-address value cannot be all 0s or a multicast or broadcast address.
l A device can be configured with a maximum of 16 OUIs. When the device is configured
with 16 OUIs, subsequent configurations will not take effect.

l When using the undo voice-vlan mac-address mac-address command to delete an OUI,
specify the mac-address value in this command as the result of the AND operation by
using the configured MAC address and mask.
----End
7.6.2 Enabling the Voice VLAN Function
Context
When source MAC addresses of packets match the OUI of a voice VLAN, the device enabled
with voice VLAN identifies voice data packets based on the source MAC addresses and
changes the priority of voice data packets to improve the voice data transmission quality.
Procedure
Step 3 Run voice-vlan vlan-id enable
A voice VLAN is configured and the voice VLAN function is enabled on the port.
By default, the voice VLAN function is disabled on a port.
NOTE
l VLAN 1 cannot be configured as a voice VLAN.

l The voice VLAN and default VLAN on a port must be assigned different VLAN IDs to ensure that
every function works properly.
l Only one VLAN on a port can be configured as a voice VLAN at a time.
l Before deleting a voice VLAN, run the undo voice-vlan enable command to disable the voice
VLAN function.
l The port enabled with the voice VLAN function cannot be configured with VLAN mapping, VLAN
stacking, or traffic policies.
----End
7.6.3 Configuring the Auto Mode of Adding a Port to the Voice

VLAN
Procedure

Step 3 Run voice-vlan mode auto

The mode in which ports are added to a voice VLAN is set to auto.
By default, ports are automatically added to a voice VLAN.
NOTE
Access ports cannot be automatically added to a voice VLAN. To add an access port to a voice VLAN,
run the port link-type command to change the link type to trunk or hybrid.
----End
7.6.4 (Optional) Configuring the Secure or Normal Mode of a

Voice VLAN
Context
Based on the data filtering mechanism, a voice VLAN works in either secure or normal mode.
Table 7-2 shows how to process frames in different voice VLAN working modes.
Procedure
l Security mode
a. Run the system-view command to enter the system view.
b. Run the interface interface-type interface-number command to enter the view of
interface.
c. Run the voice-vlan security enable command to configure the voice VLAN work
in security mode.
By default, a voice VLAN works in security mode.
l Normal mode
interface.
c. Run the undo voice-vlan security enable command to configure the voice VLAN
work in normal mode.
----End
7.6.5 (Optional) Configuring an 802.1p Priority and a DSCP Value

for the Voice VLAN
Context
By default, the 802.1p priority and DSCP value for a voice VLAN are 6 and 46 respectively.
Manual configuration of the 802.1p priority and DSCP value will allow you to plan priorities
for different voice services at will.
The 802.1p priority is indicated by the value in the 3-bit PRI field in each 802.1Q VLAN
frame. This field determines the transmission priority for data packets when a switching
device is congested.

The DSCP value is indicated by the 6 bits in the Type of Service (ToS) field in the IPv4
packet header. DSCP, as the signaling for DiffServ, is used for QoS guarantee on IP networks.
The traffic controller on the network gateway takes actions merely based on the information
carried by the 6 bits.
Procedure
Step 2 Run voice-vlan remark { 8021p 8021p-value | dscp dscp-value } *
An 802.1p priority and a DSCP value are configured for a voice VLAN.
NOTE
The AR120-S&AR150-S&AR160-S&AR200-S and AR1200-S do not support this function.
----End
7.6.6 (Optional) Configuring a Port to Communicate with a Voice

Device of Another Vendor
Context
The switch can encapsulate voice VLAN information into LLDPDUs and send them to
connected IP phones. However, IP phones of some vendors send Cisco Discovery Protocol
(CDP) packets. You can run the voice-vlan legacy enable command to enable CDP-
compatible function so that the switch encapsulates voice VLAN information in CDP packets
and sends them to connected IP phones.
Procedure
Step 3 Run voice-vlan legacy enable
The port is configured to communicate with a voice device of another vendor.
By default, ports on Huawei devices cannot communicate with voice devices of other
vendors.
----End

7.6.7 Verifying the Voice VLAN Configuration
Procedure
l Run the display voice-vlan [ vlan-id ] status command to check information about the
voice VLAN, including the working mode, security mode, and the 802.1p priority and
DSCP value as well as the configuration of the port enabled with the voice VLAN
function.
l Run the display voice-vlan oui command to check information about the OUI of the
voice VLAN, including the mask and description of the OUI.
----End
7.7 Configuring a Manual Voice VLAN

Before configuring a manual voice VLAN, complete the following task:
l Create VLANs.
7.7.1 Configuring an OUI for a Voice VLAN
Context
An Organizationally Unique Identifier (OUI) is the first 24 bits of a MAC address, and is a
unique identifier assigned to a device vendor.
An OUI represents a MAC address segment that is obtained by performing the AND
operation between a 48-bit MAC address and a mask. If the first 24 bits of the MAC address
of a device are the same as an OUI, a voice VLAN-enabled port considers the device as a
voice device and data from the device as voice data.
Procedure
Step 2 Run voice-vlan mac-address mac-address mask oui-mask [ description text ]
An OUI is configured.
When configuring an OUI for a voice VLAN, note the following:

l The mac-address value cannot be all 0s or a multicast or broadcast address.
l A device can be configured with a maximum of 16 OUIs. When the device is configured
with 16 OUIs, subsequent configurations will not take effect.
l When using the undo voice-vlan mac-address mac-address command to delete an OUI,
specify the mac-address value in this command as the result of the AND operation by
using the configured MAC address and mask.
----End

7.7.2 Enabling the Voice VLAN Function

Context
When source MAC addresses of packets match the OUI of a voice VLAN, the device enabled
with voice VLAN identifies voice data packets based on the source MAC addresses and
changes the priority of voice data packets to improve the voice data transmission quality.
Procedure
The view of the interface is displayed.
Step 3 Run voice-vlan vlan-id enable
A voice VLAN is configured and the voice VLAN function is enabled on the port.
By default, the voice VLAN function is disabled on a port.
NOTE
l VLAN 1 cannot be configured as a voice VLAN.

l The voice VLAN and default VLAN on a port must be assigned different VLAN IDs to ensure that
every function works properly.
l Only one VLAN on a port can be configured as a voice VLAN at a time.
l Before deleting a voice VLAN, run the undo voice-vlan enable command to disable the voice
VLAN function.
l The port enabled with the voice VLAN function cannot be configured with VLAN mapping, VLAN
stacking, or traffic policies.
----End
7.7.3 Configuring the Mode in Which Ports Are Added to a Voice

VLAN
Procedure
Step 3 Run voice-vlan mode manual
The mode in which ports are added to a voice VLAN is set to manual.
By default, ports are automatically added to a voice VLAN.
Step 4 Add ports to a voice VLAN.

l If access ports are connected to voice devices, run the port default vlan vlan-id
command to manually add these ports to a voice VLAN.
l If trunk ports are connected to voice devices, run the port trunk allow-pass vlan vlan-id
command to manually add these ports to a voice VLAN.
l If hybrid ports are connected to voice devices, do as follows as required:
– Run the port hybrid untagged vlan vlan-id command to manually add these ports
to a voice VLAN in untagged mode.
NOTE
Only the 8FE1GE and 24GE cards support untagged packets.
– Run the port hybrid tagged vlan vlan-id command to manually add these ports to
a voice VLAN in tagged mode.
----End
7.7.4 (Optional) Configuring the Secure or Normal Mode of a

Voice VLAN
Context
Based on the data filtering mechanism, a voice VLAN works in either secure or normal mode.
Table 7-2 shows how to process frames in different voice VLAN working modes.
Procedure
l Security mode
interface.
c. Run the voice-vlan security enable command to configure the voice VLAN work
in security mode.
l Normal mode
interface.
c. Run the undo voice-vlan security enable command to configure the voice VLAN
work in normal mode.
----End

7.7.5 (Optional) Configuring an 802.1p Priority and a DSCP Value

for the Voice VLAN
Context
Manual configuration of the 802.1p priority and DSCP value will allow you to plan priorities
for different voice services at will.
The 802.1p priority is indicated by the value in the 3-bit PRI field in each 802.1Q VLAN
frame. This field determines the transmission priority for data packets when a switching
device is congested.
The DSCP value is indicated by the 6 bits in the Type of Service (ToS) field in the IPv4
packet header. DSCP, as the signaling for DiffServ, is used for QoS guarantee on IP networks.
The traffic controller on the network gateway takes actions merely based on the information
carried by the 6 bits.
Procedure
Step 2 Run voice-vlan remark { 8021p 8021p-value | dscp dscp-value } *

An 802.1p priority and a DSCP value are configured for a voice VLAN.
NOTE
The AR120-S&AR150-S&AR160-S&AR200-S and AR1200-S do not support this function.
----End
7.7.6 (Optional) Configuring a Port to Communicate with a Voice

Device of Another Vendor
Context
The switch can encapsulate voice VLAN information into LLDPDUs and send them to
connected IP phones. However, IP phones of some vendors send Cisco Discovery Protocol
(CDP) packets. You can run the voice-vlan legacy enable command to enable CDP-
compatible function so that the switch encapsulates voice VLAN information in CDP packets
and sends them to connected IP phones.
Procedure

Step 3 Run voice-vlan legacy enable

The port is configured to communicate with a voice device of another vendor.
By default, ports on Huawei devices cannot communicate with voice devices of other
vendors.
----End
7.7.7 Verifying the Voice VLAN Configuration

Procedure
l Run the display voice-vlan [ vlan-id ] status command to check information about the
voice VLAN, including the working mode, security mode, and the 802.1p priority and
DSCP value as well as the configuration of the port enabled with the voice VLAN
function.
l Run the display voice-vlan oui command to check information about the OUI of the
voice VLAN, including the mask and description of the OUI.
----End
7.8 Configuration Examples for Voice VLANs

7.8.1 Example for Configuring a Voice VLAN in Auto Mode
As shown in Figure 7-3, Router_1 connects to IP phones and a PC. Router_1 uses VLAN 2 to
transmit voice packets and VLAN 3 to transmit data packets. PC_1 connects to IP Phone_1
and they connect to Router_1, and IP Phone_2 separately connects to Router_1. Users require
high quality of the VoIP service; therefore, voice data flows must be transmitted with a high
priority to ensure the call quality.
Figure 7-3 Networking diagram of a voice VLAN in auto mode

Router_1 Router_2
Internet
Eth2/0/0 Eth2/0/1 Eth2/0/0
IP Phone_1
MAC:0003-6B00-0001
Mask:ffff-ff00-0000
IP Phone_3
IP Phone_2
MAC:0003-6B00-0002
Mask:ffff-ff00-0000
PC_1 PC_3
286E-D400-0001

1. Create VLANs and VLANIF interfaces on Router and configure interfaces so that users
can access the WAN.
2. Configure an OUI so that the switch adds a VLAN tag to voice packets in which the
source MAC address matches the OUI.
3. Configure a voice VLAN and set the mode in which interfaces are added to the voice
VLAN to auto so that voice data packets are transmitted in the voice VLAN with a high
priority.
Procedure
Step 1 Create VLANs and configure interfaces on the Router.
# Configure VLANs allowed by Eth2/0/0. The configuration of Eth2/0/1 is similar to the

configuration of Eth2/0/0, and is not mentioned here.
[Huawei-Ethernet2/0/0] port hybrid pvid vlan 3
Step 2 Configure an OUI.

[Huawei] voice-vlan mac-address 0003-6B00-0000 mask ffff-ff00-0000
NOTE
The configured OUI must match the MAC address of the downlink voice device.
Step 3 Configure the voice VLAN on the Router.

# Enable the voice VLAN on Ethernet2/0/0.
[Huawei-Ethernet2/0/0] voice-vlan 2 enable
# Configure the mode in which Ethernet2/0/0 is added to the voice VLAN.

[Huawei-Ethernet2/0/0] voice-vlan mode auto
# Configure the working mode of the voice VLAN.

[Huawei-Ethernet2/0/0] voice-vlan security enable
The configuration of Eth2/0/1 is similar to the configuration of Eth2/0/0, and is not mentioned
here.
# Run the display voice-vlan oui command to check the OUI of the voice VLAN.
<Huawei> display voice-vlan oui
---------------------------------------------------

OuiAddress Mask Description

---------------------------------------------------
0003-6b00-0000 ffff-ff00-0000
# Run the display voice-vlan 2 status command to check the voice VLAN configuration,
including the status and mode in which the interface is added to the voice VLAN.
<Huawei> display voice-vlan 2 status
Voice VLAN Configurations:
-----------------------------------------------------------
Voice VLAN ID : 2
Voice VLAN status : Enable
Voice VLAN 8021p remark : 6

Voice VLAN dscp remark : 46
-----------------------------------------------------------
Port Information:
-----------------------------------------------------------
Port Add-Mode Security-Mode Legacy
-----------------------------------------------------------
Ethernet2/0/1 Auto Security Disable
Ethernet2/0/0 Auto Security Disable
----End
Configuration Files
#
voice-vlan mac-address 0003-6b00-0000 mask ffff-ff00-0000
#
vlan batch 2 to 3
#
voice-vlan 2 enable
#
voice-vlan 2 enable
#
return
7.8.2 Example for Configuring a Voice VLAN in Manual Mode

As shown in Figure 7-3, Router_1 connects to IP phones and a PC. Router_1 uses VLAN 2 to
transmit voice packets and VLAN 3 to transmit data packets. PC_1 connects to IP Phone_1
and they connect to Router_1, and IP Phone_2 separately connects to Router 1. Users require
high quality of the VoIP service; therefore, voice data flows must be transmitted with a high
priority to ensure the call quality.

Figure 7-4 Networking diagram of a voice VLAN in manual mode

Router_1 Router_2
Internet
Eth2/0/0 Eth2/0/1 Eth2/0/0
IP Phone_1
MAC:0003-6B00-0001
Mask:ffff-ff00-0000
IP Phone_3
IP Phone_2
MAC:0003-6B00-0002
Mask:ffff-ff00-0000
PC_1 PC_3
286E-D400-0001
1. Create VLANs and VLANIF interfaces on Router and configure interfaces so that users
can access the WAN.
2. Configure an OUI so that the switch adds a VLAN tag to voice packets in which the
source MAC address matches the OUI.
3. Configure a voice VLAN and set the mode in which interfaces are added to the voice
VLAN to auto so that voice data packets are transmitted in the voice VLAN with a high
priority.
Procedure
Step 1 Create VLANs and configure interfaces on the Router.
# Configure VLANs allowed by Eth2/0/0. The configuration of Eth2/0/1 is similar to the

configuration of Eth2/0/0, and is not mentioned here.
[Huawei-Ethernet2/0/0] port hybrid pvid vlan 3
Step 2 Configure an OUI.

[Huawei] voice-vlan mac-address 0003-6B00-0000 mask ffff-ff00-0000
NOTE
The configured OUI must match the MAC address of the downlink voice device.

Step 3 Configure the voice VLAN on the Router.

# Enable the voice VLAN on Ethernet2/0/0.
[Huawei-Ethernet2/0/0] voice-vlan 2 enable
# Configure the mode in which Ethernet2/0/0 is added to the voice VLAN.

[Huawei-Ethernet2/0/0] voice-vlan mode manual
# Configure the working mode of the voice VLAN.

[Huawei-Ethernet2/0/0] voice-vlan security enable
The configuration of Eth2/0/1 is similar to the configuration of Eth2/0/0, and is not mentioned
here.
# Run the display voice-vlan oui command to check the OUI of the voice VLAN.
<Huawei> display voice-vlan oui
---------------------------------------------------
OuiAddress Mask Description
---------------------------------------------------
0003-6b00-0000 ffff-ff00-0000
# Run the display voice-vlan 2 status command to check the voice VLAN configuration,
including the status and mode in which the interface is added to the voice VLAN.
<Huawei> display voice-vlan 2 status
Voice VLAN Configurations:
-----------------------------------------------------------
Voice VLAN ID : 2
Voice VLAN status : Enable
Voice VLAN 8021p remark : 6
Voice VLAN dscp remark : 46
-----------------------------------------------------------
Port Information:
-----------------------------------------------------------
Port Add-Mode Security-Mode Legacy
-----------------------------------------------------------
Ethernet2/0/1 Manual Security Disable
Ethernet2/0/0 Manual Security Disable
----End
Configuration Files
#
voice-vlan mac-address 0003-6b00-0000 mask ffff-ff00-0000
#
vlan batch 2 to 3
#
voice-vlan 2 enable
voice-vlan mode manual
port hybrid untagged vlan 2 to 3
#
voice-vlan 2 enable

voice-vlan mode manual

port hybrid untagged vlan 2 to 3
#
return
7.9 FAQ About Voice VLANs
7.9.1 How Can I Change the Voice Vlan Priority on the AR?
The voice VLAN priorities of low-end and high-end ARs are configured in the following
methods:
l High-end AR(such as the AR2200-S and AR3200-S) whose chips support ACL: After an
interface is added to the voice VLAN, the ACL sets the priority of a packet to 6 by
default, or you can run the voice-vlan remark { 8021p 8021p-value| dscp dscp-value }*
command to change the priority.
l Low-end ARs (such as the AR160-S, AR200-S and AR1200-S) whose chips do not
support ACL: You can change the VLAN priority only by running the vlan vlan-id
priority new-priority-value command.

Configuration 8 QinQ Configuration
8 QinQ Configuration
About This Chapter
This chapter describes the concepts and configuration procedure of 802.1Q-in-802.1Q

(QinQ), and provides configuration examples.
8.1 Overview of QinQ
8.2 Understanding QinQ
8.3 Application Scenarios for QinQ
This section describes the applicable environment of QinQ.
8.4 Summary of QinQ Configuration Tasks
8.5 Licensing Requirements and Limitations for QinQ
This section describes the points of attention when configuring QinQ.
8.6 Configuring QinQ Tunneling
This section describes how to configure QinQ tunneling, including basic QinQ and selective
QinQ.
8.7 Configuring a VLAN Tag Termination Sub-interface to Connect to an L2VPN
CEs connect to an ISP network through PEs, and service data packets sent by a CE to a PE
contain one or two tags. You need to connect sub-interfaces on PEs to a L2VPN so that CEs
8.8 Configuring a VLAN Tag Termination Sub-interface to Connect to an L3VPN
contain one or two tags. You need to connect sub-interfaces on PEs to an L3VPN so that CEs
8.9 Configuring the TPID Value in an Outer VLAN Tag
To enable interoperation between devices from different vendors, set the same TPID value in
outer VLAN tags on the devices.
8.10 Configuration Examples for QinQ
8.1 Overview of QinQ

Definition
QinQ expands VLAN space by adding an additional 802.1Q tag to 802.1Q tagged packets. It
allows services in a private VLAN to be transparently transmitted over a public network. A
packet transmitted on the backbone network carries two 802.1Q tags: a public VLAN tag and
a private VLAN tag.
Purpose
Ethernet is widely used on ISP networks, but 802.1Q VLANs are unable to identify and
isolate large numbers of users on metro Ethernet networks because the 12-bit VLAN tag field
defined in IEEE 802.1Q only identifies a maximum of 4096 VLANs. QinQ was developed to
expand VLAN space beyond 4096 VLANs so that a larger number of users can be identified
on a metro Ethernet network.
QinQ technology encapsulates an 802.1Q tag to an 802.1Q packet. With this extra tag, the
number of VLANs increases to 4094 x 4094.
In addition to expanding VLAN space, QinQ is applied in other scenarios with the
development of metro Ethernet networks and carriers' requirements on refined service
operation. The outer and inner VLAN tags can be used to differentiate packets based on users
and services. For example, the inner tag represents a user, while the outer tag represents a
service. Moreover, QinQ functions as a simple and practical VPN technology by transparently
transmitting private VLAN services over a public network. It extends core MPLS VPN
services to metro Ethernet networks and implements an end-to-end VPN.
Benefits
QinQ offers the following benefits:
l Extends the VLAN space to isolate and identify more users.
l Facilitates service deployment by allowing the inner and outer tags to represent different
information. For example, the inner tag identifies a user and the outer tag identifies a
service.
l Allows ISPs to implement refined service operation by providing diversified
encapsulation and termination modes.
8.2 Understanding QinQ
8.2.1 QinQ Fundamentals

QinQ expands VLAN space by adding an additional 802.1Q VLAN tag to an 802.1Q-tagged
packet. Devices forward packets over the public network according to outer VLAN tags of the
packets, and learn MAC addresses from the outer VLAN tags. The private VLAN tags in the
packets are forwarded as payload of the packets.
QinQ Packet Encapsulation Format

A QinQ packet has a fixed format, in which an 802.1Q tag is added outside the existing
802.1Q tag of the packet. A QinQ packet has 4 more bytes than an 802.1Q packet.

Figure 8-1 802.1Q encapsulation

802.1Q Encapsulation
DA SA 802.1Q TAG LEN/ETYPE DATA FCS
6 Bytes 6 Bytes 4 Bytes 2 Bytes 46 Bytes~1500 Bytes 4 Bytes
QinQ
Encapsulation
DA SA 802.1Q TAG 802.1Q TAG LEN/ETYPE DATA FCS
6 Bytes 6 Bytes 4 Bytes 4 Bytes 2 Bytes 46 Bytes~1500 Bytes 4 Bytes
TPID Priority CFI VLAN ID
QinQ Encapsulation
QinQ encapsulation changes a single-tagged packet into a double-tagged packet.
QinQ encapsulation falls into basic QinQ and selective QinQ depending on the data
encapsulated. Basic QinQ refers to interface-based QinQ, and selective QinQ includes VLAN
ID-based QinQ and 802.1p priority-based QinQ.
l Interface-based QinQ encapsulation
This encapsulation mode is also called QinQ tunneling. It encapsulates packets arriving
at the same interface with the same outer VLAN tag, and therefore cannot distinguish
users and services at the same time.
l VLAN ID-based QinQ encapsulation
This encapsulation mode determines whether to add outer VLAN tags and which outer
VLAN tags to add based on data flows.
Traffic can be classified based on VLAN ID ranges if a customer uses different VLAN
IDs for different services. For example, PC users access the Internet through VLANs 101
to 200, IPTV users through VLANs 201 to 300, and VoIP users through VLANs 301 to
400. When receiving service data, the underlayer provider edge (UPE) adds outer tag
100 to packets from PCs, outer tag 300 to packets from IPTV users, and outer tag 500 to
packets from VoIP users.
l 802.1p priority-based QinQ encapsulation
This encapsulation mode determines whether to add outer VLAN tag and which outer
VLAN tags to add based on priorities of data flows.
For example, when different services of a user have different priorities, these services
can be transmitted over different data channels based on priorities.
QinQ Implementation
QinQ can be implemented in either of the following ways:
1. Basic QinQ
Basic QinQ is implemented based on interfaces. After basic QinQ is configured on an
interface, the device adds the default VLAN tag of this interface to all packets regardless
of whether the packets carry VLAN tags.

– If a single-tagged packet is received, the packet becomes a double-tagged packet.

– If an untagged packet is received, the packet is tagged with the default VLAN ID of
the local interface.
2. Selective QinQ
Selective QinQ is implemented based on interfaces and VLAN IDs. That is, an interface
can forward packets based on a single VLAN tag or double VLAN tags. In addition, the
device processes packets received on an interface as follows based on their VLAN IDs:
– Adds different outer VLAN tags to packets carrying different inner VLAN IDs.
– Marks outer 802.1p fields and adds different outer VLAN tags to packets according
to the 802.1p fields in inner VLAN tags.
In addition to separating carrier and customer networks, selective QinQ provides
extensive service features and allows flexible networking.
QinQ/Dot1q VLAN Tag Termination Sub-interface

Termination removes the single or double tags from packets before the packets are sent.
Different termination modes are used in different situations when QinQ technology is applied
to an MPLS/IP core network.
Termination is performed on a sub-interface; therefore, a sub-interface used for terminating
VLAN tags is called a termination sub-interface. A termination sub-interface can be either of
the following:
l Dot1q VLAN tag termination sub-interface: removes a single VLAN tag from packets.
l QinQ VLAN tag termination sub-interface: removes double VLAN tags from packets.
NOTE
The Dot1q and QinQ termination sub-interfaces cannot transparently transmit untagged packets. They
directly discard untagged packets.
QinQ VLAN tag termination sub-interfaces provide different functions in different scenarios.
8.2.2 Basic QinQ

Basic QinQ is implemented based on interfaces. Basic QinQ allows the device to add the
outer tag to a packet received on an interface. If the received packet carries a VLAN tag, the
device adds the outer VLAN tag to the packet. If the received packet does not carry any
VLAN tag, the device adds the inner VLAN tag and then the outer VLAN tag.
As shown in Figure 8-2, enterprise A has two branches that connect to the carrier network
through PE1 and PE2 respectively.

Figure 8-2 Networking diagram of basic QinQ
50
20
to
10
10
to
20
PE1 PE2
50
Network
50 20
to 10
10 to
50
20 CE2
CE1
Enterprise A Enterprise A
Branch 1 Branch 2
VLAN 10 to 50 VLAN 10 to 50
Enterprise A has different services, so different VLANs are assigned. Basic QinQ is
configured on the CE interface connected to the carrier network. The outer VLAN 20 is added
to the packet passing through the CE interface and removed after the packet reaches another
branch. Traffic between two branches is transparently transmitted on the public network so
that users using the same service in different branches of enterprise A can communicate and
users using different services are isolated.
8.2.3 Selective QinQ

Selective QinQ, also known as VLAN Stacking or QinQ Stacking, is performed based on
ports and VLAN IDs. Besides basic QinQ functions, selective QinQ has the following
functions:
l VLAN ID-based selective QinQ: adds outer VLAN tags based on VLAN IDs.
l 802.1p priority-based selective QinQ: adds outer VLAN tags based on 802.1p priorities
in inner VLAN tags.
Selective QinQ is an extension of basic QinQ and is more flexible. The difference is as
follows:
l Basic QinQ: adds the same outer VLAN tag to all the frames entering a Layer 2 port.
l Selective QinQ: adds different outer VLAN tags to the frames entering a Layer 2 port
based on the inner VLAN tags.
through PE1 and PE2 respectively.

Figure 8-3 Networking diagram of selective QinQ
30
20
to
50
10
10
21
to
to
31
31
20
30
PE1
to
PE2
21
50
Network
30 20
to
10 50 10
to
20 to 21 30
CE1 31 31 CE2
21 to
50
Branch 1 Branch 2
VLAN 10 to 50 Data: VLAN 10 to 30 VLAN 10 to 50
Voice: VLAN 31 to 50
Enterprise A has different services, so different VLANs are assigned. Data services are
transmitted in VLAN 10 to VLAN 30, and voice services are transmitted in VLAN 31 to
VLAN 50.
Selective QinQ is configured on the user-side interface of the CE to add outer VLAN 20 to
packets with VLAN IDs 10 to 30, and outer VLAN 21 to packets with VLAN IDs 31 to 50,
and the device is configured to increase the priority of voice packets. Traffic between two
branches can be transparently transmitted through the public network so that users using the
same service in different branches of enterprise A can communicate, users using different
services are isolated, and voice services are transmitted preferentially.
8.2.4 TPID
The Tag Protocol Identifier (TPID) specifies the protocol type of a VLAN tag. The TPID
value defined in IEEE 802.1Q is 0x8100.
Figure 8-4 shows the Ethernet packet format defined in IEEE 802.1Q. An IEEE 802.1Q tag,
containing the TPID, lies between the Source Address field and the Length/Type field. A
device checks the TPID value in a received packet to determine whether the VLAN tag is an
S-VLAN tag or C-VLAN tag. The device compares the configured TPID value with the TPID
value in the packet. For example, if a frame carries the VLAN tag with TPID 0x8100 but the
TPID configured for a customer network on a device is 0x8200, the device considers the
frame untagged.

Figure 8-4 802.1Q encapsulation

802.1Q Encapsulation
DA SA 802.1Q TAG Length/Type Data FCS
6 Bytes 6 Bytes 4 Bytes 2 Bytes 46 Bytes~1500 Bytes 4 Bytes
TPID 2 Bytes TCI 2 Bytes

0X8100 Priority CFI VLAN ID
3bits 1bit 12bits
Carrier's systems may use different TPID values in outer VLAN tags. When a Huawei device
needs to interoperate with such a carrier system, set the TPID value to the value used by the
carrier so that QinQ packets sent from the Huawei device can be transmitted across the carrier
network. To prevent errors in packet forwarding and processing, do not set the TPID to any of
values listed in Table 8-1.
Table 8-1 Protocol types and values

Protocol Type Value
ARP 0x0806
RARP 0x8035
IP 0x0800
IPv6 0x86DD
PPPoE 0x8863/0x8864
MPLS 0x8847/0x8848
IPX/SPX 0x8137
LACP 0x8809
802.1x 0x888E
HGMP 0x88A7
Reserved 0xFFFD/0xFFFE/0xFFFF
8.3 Application Scenarios for QinQ

This section describes the applicable environment of QinQ.
Basic QinQ
through PE1 and PE2 respectively. Enterprise A has different services, so different VLANs

are assigned. To save public VLAN IDs, it is required that traffic between two branches of
enterprise A be transparently transmitted through the public network, users using the same
service in different branches of enterprise A be allowed to communicate, and users using
different services be isolated. You can configure QinQ on the network-side interface of the CE
to meet the preceding requirements.
Figure 8-5 Typical networking of basic QinQ
50
20
to
10
10
to
PE1 20 PE2
50
Network
50 20
to 10
10 to
50
20 CE2
CE1
Branch 1 Branch 2
Selective QinQ
are assigned. Data services are transmitted in VLAN 10 to VLAN 30, and voice services are
transmitted in VLAN 31 to VLAN 50. To save public VLAN IDs, it is required that traffic
between two branches of enterprise A be transparently transmitted through the public
network, users using the same service in different branches of enterprise A be allowed to
communicate, users using different services be isolated, and voice services be transmitted
preferentially. You can configure selective QinQ on the user-side interface of the CE to meet
the preceding requirements.

Figure 8-6 Typical networking of selective QinQ
30
20
to
50
10
10
21
to
to
31
31
20
30
PE1
to
PE2
21
50
Network
30 20
to
10 50 10
to
20 to 21 30
CE1 31 31 CE2
21 to
50
Branch 1 Branch 2
8.4 Summary of QinQ Configuration Tasks

Table 8-2 describes the QinQ configuration tasks.
Table 8-2 QinQ configuration tasks

Configure QinQ tunneling This section describes how 8.6 Configuring QinQ
to configure QinQ Tunneling
tunneling, including basic
QinQ and selective QinQ.
Configure a sub-interface to CEs connect to an ISP 8.7 Configuring a VLAN

connect to an L2VPN network through PEs, and Tag Termination Sub-
service data packets sent by interface to Connect to an
a CE to a PE contain one or L2VPN
two tags. You need to
connect sub-interfaces on
PEs to a L2VPN so that CEs
can communicate with each
other.

Configure a sub-interface to CEs connect to an ISP 8.8 Configuring a VLAN

connect to an L3VPN network through PEs, and Tag Termination Sub-
service data packets sent by interface to Connect to an
a CE to a PE contain one or L3VPN
two tags. You need to
connect sub-interfaces on
PEs to an L3VPN so that
CEs can communicate with
each other.
Set the TPID value in an To enable interoperation 8.9 Configuring the TPID
outer VLAN tag between devices from Value in an Outer VLAN
different vendors, set the Tag
same TPID value in outer
VLAN tags on the devices.
8.5 Licensing Requirements and Limitations for QinQ

This section describes the points of attention when configuring QinQ.

None
QinQ is a basic feature of a router and is not under license control.
Feature Limitations
When deploying QinQ on the router, pay attention to the following:
l Before configuring QinQ on an interface, add the interface to a network bridge. If the
interface is deleted from the network bridge, the QinQ configuration is also deleted from
the interface.
l You can configure only QinQ, selective QinQ, or VLAN mapping on a sub-interface.
NOTE
Only the AR100-S, AR110-S, AR120-S, AR150-S, AR160-S, AR200-S series routers support QinQ
tunneling.
Only the AR1200-S, AR2200-S, AR3200-S series routers support termination sub-interface access to the
VPN.
8.6 Configuring QinQ Tunneling

This section describes how to configure QinQ tunneling, including basic QinQ and selective
QinQ.

8.6.1 Configuring Basic QinQ
Context
Dot1q tunnel isolates a carrier network from a user network and is widely used when users
connect to a carrier network. When private networks connect to a carrier network through CEs
and PEs, run the vlan dot1q-tunnel command on CE interfaces connected to PEs so that the
CE interfaces add the outer VLAN tag allocated by the carrier to user packets. This
implementation saves VLAN IDs and allows user packets to be transparently transmitted on
the carrier network.
Procedure
l Configure basic QinQ on a sub-interface.
a. Run system-view

b. Run bridge bridge-id
A bridge group is created and the bridge group view is displayed.

c. Run quit
Exit from the bridge group view.

d. Run interface { ethernet | gigabitethernet } interface-number.subinterface-
number
The Ethernet sub-interface view is displayed.
NOTE
Sub-interfaces can only be created on Layer 3 Ethernet interfaces. If an interface works in

Layer 2 mode and supports switching between Layer 2 and Layer 3 modes, run the undo
portswitch command to switch the interface in Layer 3 mode before creating a sub-interface
on the interface.
e. Run bridge bridge-id
The Ethernet sub-interface is added to the bridge group.

f. Run bridge vlan-transmit enable
The Ethernet sub-interface is enabled to transparently transmit VLAN IDs.

g. Run vlan allow-pass { vid vlan-id1 [ to vlan-id2 ] | default }
The VLANs allowed by the Ethernet sub-interface are configured.
NOTE
VLANs allowed by all sub-interfaces of a main interface cannot overlap.

The vlan allow-pass default command can be executed only on a sub-interface among all sub-
interfaces of each main interface. Packets are forwarded through the default sub-interface when
the packets do not match other QinQ or VLAN mapping entries on a sub-interface.
h. Run vlan dot1q-tunnel tunnel-vlan-id [ native vid native-vlan-id ]
The vlan dot1q-tunnel command can be only executed at one time on a sub-
interface and the VLAN specified by tunnel-vlan-id must be allowed by the sub-
interface.

Basic QinQ is configured on the sub-interface.

l Configure basic QinQ on a Layer 2 VE interface.
a. Run system-view
b. Run interface virtual-ethernet ve-number
A VE interface is created and the VE interface view is displayed.
c. Run portswitch
The VE interface is switched from Layer 3 to Layer 2.
d. Run port link-type access
The link type of the interface is set to access.
By default, the link type of an interface is hybrid.
e. Run vlan dot1q-tunnel enable
Basic QinQ is enabled on the Layer 2 VE interface.
f. Run port default vlan vlan-id
The default VLAN is configured for the interface and the interface is added to the
specified VLAN.
By default, VLAN 1 is the default VLAN of all interfaces.
----End
8.6.2 Configuring Selective QinQ

Context
You can configure either of the following selective QinQ modes:
l VLAN ID-based selective QinQ
When private networks connect to a carrier network through CEs and PEs, run the vlan
stacking command on CE interfaces connected to PEs so that the CE interfaces add the
outer VLAN tag allocated by the carrier to user packets. This implementation saves
VLAN IDs and allows user packets to be transparently transmitted on the carrier
network.
l 802.1p priority-based selective QinQ
An 802.1p priority indicates a packet priority. Generally, different services of a user use
different priorities. A carrier can establish different data transmission networks for
different services based on 802.1p priorities so that services on the carrier network can
be differentiated.
Procedure
l Configure VLAN ID-based VLAN stacking.
– Configure VLAN ID-based VLAN stacking on a Layer 3 sub-interface.
i. Run system-view


ii. Run bridge bridge-id
iii. Run quit
iv. Run interface { ethernet | gigabitethernet } interface-number.subinterface-
number
NOTE
Sub-interfaces can only be created on Layer 3 Ethernet interfaces. If an interface works

in Layer 2 mode and supports switching between Layer 2 and Layer 3 modes, run the
undo portswitch command to switch the interface in Layer 3 mode before creating a
sub-interface on the interface.
v. Run bridge bridge-id
vi. Run bridge vlan-transmit enable
vii. Run vlan stacking { default | vid low-ce-vid [ to high-ce-vid ] } pe-vid pe-vid
[ remark-8021p 8021p-value2 ]
VLAN ID-based VLAN stacking is configured.
NOTE
The VLANs allowed by all sub-interfaces of the same main interface cannot overlap.
The vlan stacking default command can be executed on only one sub-interface of each
main interface. Packets are forwarded through the default sub-interface when the packets do
not match VLAN stacking entries on other sub-interfaces.
– Configure VLAN ID-based VLAN stacking on a Layer 2 VE interface.
i. Run system-view
ii. Run interface virtual-ethernet ve-number
iii. Run portswitch
iv. Run port link-type hybrid
The link type of the interface is set to hybrid.
v. Run vlan stacking vid low-ce-vid [ to high-ce-vid ] pe-vid pe-vid-
value[ remark-8021p 8021p-val ]
VLAN ID-based VLAN stacking is configured on the Layer 2 VE interface.

NOTE
l VLAN stacking and VLAN mapping can take effect, but VLAN IDs of multiple
CEs must be unique, VLAN IDs in the original and mapped tags must be different,
and VLAN IDs of multiple PEs must be unique.
l Layer 2 Ethernet interfaces support only VLAN ID-based VLAN stacking, and do
not support VLAN stacking based on 802.1p priorities or VLAN IDs and 802.1p
priorities.
l When VLAN stacking is canceled on a Layer 2 Ethernet interface, the VLAN ID
range allowed must be the same as the configured VLAN ID range.
l This command can be configured on an interface multiple times, and a maximum
of 128 VLAN stacking entries can be configured on all interfaces.
l Configure 802.1p priority-based selective QinQ.
a. Run system-view


c. Run quit

number
NOTE

on the interface.


NOTE

h. Run vlan stacking 8021p 8021p-value1 pe-vid pe-vid [ remark-8021p 8021p-
value2 ]
802.1p priority-based selective QinQ is configured.
----End

8.7 Configuring a VLAN Tag Termination Sub-interface to

Connect to an L2VPN
contain one or two tags. You need to connect sub-interfaces on PEs to a L2VPN so that CEs
8.7.1 Configuring a Dot1q VLAN Tag Termination Sub-interface

Context
A Dot1q VLAN tag termination sub-interface can terminate single-tagged user packets.
Perform the following operations on a user-side interface of a PE.
Procedure
Step 2 Run interface { ethernet | gigabitethernet } interface-number.subinterface-number
The sub-interface is configured to terminate single-tagged packets.
NOTE

l After a VLAN tag termination sub-interface is configured, ensure that ARP broadcast is enabled on
the sub-interface. For details, see the arp broadcast enable command.
Step 4 (Optional) Run ce-vlan ignore

The Dot1q termination sub-interface is enabled to ignore the inner tag in QinQ packets and
terminate the outer tag. The Dot1q termination sub-interface then can process both Dot1q and
QinQ packets.
When VLANs are assigned on a VPN, run this command to implement transparent
transmission of user packets over the ISP network.
NOTE
You can run this command on a sub-interface only after the L2VPN function is enabled on the sub-
interface.
For details on how to configure VLL, see "VLL Configuration" and "VPLS Configuration" in the AR
Configuration Guide - VPN.
----End

8.7.2 Configuring a QinQ VLAN Tag Termination Sub-interface

Context
A QinQ VLAN tag termination sub-interface can terminate double-tagged user packets.
A QinQ VLAN tag termination sub-interface connects to an L2VPN in symmetrical or
asymmetrical mode. User packets are transmitted over an L2VPN in different modes. PEs
process these packets in the ways described in the following tables.
Table 8-3 Packet processing on the inbound interface

Mode VLL/PWE3
Ethernet Encapsulation VLAN Encapsulation
Symmetrical Strips the outer tag. Reserves the double tags,

and takes no action.
Asymmetrical Strips the double tags. Strips two tags and adds one
tag.
Table 8-4 Packet processing on the outbound interface

Mode VLL/PWE3
Ethernet Encapsulation VLAN Encapsulation
Symmetrical Adds the outer tag. Replaces the outer tag.
Asymmetrical Adds double tags. Strips one tag and adds

double tags.
Procedure
Step 3 Run qinq termination l2 { symmetry | asymmetry }
A mode of the QinQ VLAN tag termination sub-interface is configured.
By default, a QinQ termination sub-interface uses the asymmetrical mode.
The sub-interface is configured to terminate double-tagged packets.

NOTE

----End
8.7.3 Configuring the L2VPN

Termination sub-interfaces support VLL and VPLS access. You can configure L2VPN on the
CE, PE, and P. For details, see "VLL Configuration" and "VPLS Configuration" in the
Huawei AR Series Access Routers Configuration Guide - VPN.
8.7.4 Verifying the Configuration of the Access of a Sub-interface

to an L2VPN Network
Procedure
number [.subinterface-number ] ] command to check the Dot1q sub-interface
configuration.
number [.subinterface-number ] ] command to check the QinQ sub-interface
configuration.
l Run the display vll ccc [ ccc-name | type local ] command to check information about a
CCC connection.
l Run the display mpls static-l2vc command to check information about an SVC L2VPN
VC.
l Run the display mpls l2vc command on a PE to check information about the Martini
VLL on the PE.
l Run the display mpls l2vc remote-info command on a PE to check information about
the Martini VLL on the remote PE.
----End
8.8 Configuring a VLAN Tag Termination Sub-interface to

Connect to an L3VPN
contain one or two tags. You need to connect sub-interfaces on PEs to an L3VPN so that CEs

8.8.1 Configuring a Dot1q VLAN Tag Termination Sub-interface

Context
A Dot1q VLAN tag termination sub-interface can terminate single-tagged user packets.
Procedure
Step 3 Run ip binding vpn-instance vpn-instance-name
A VPN instance is bound to the sub-interface.
An IP address is configured for the Ethernet sub-interface.
NOTE
When two or more IP addresses are configured for an Ethernet interface, use sub to specify the second
IP address and subsequent IP addresses.

The sub-interface is configured to terminate single-tagged packets.
NOTE

----End
8.8.2 Configuring a QinQ VLAN Tag Termination Sub-interface

Context
A QinQ VLAN tag termination sub-interface can terminate double-tagged user packets.
Procedure

Step 3 Run ip binding vpn-instance vpn-instance-name
A VPN instance is bound to the sub-interface.
An IP address is configured for the Ethernet sub-interface.
NOTE
When two or more IP addresses are configured for an Ethernet interface, use sub to specify the second
IP address and subsequent IP addresses.
The sub-interface is configured to terminate double-tagged packets.
NOTE

----End

Connecting a VLAN tag termination sub-interface to an L3VPN means that the sub-interface
supports L3VPN functions.
Configure L3VPN functions on the CE, PE, and P. For details, see "BGP/MPLS IP VPN
Configuration" in the Huawei AR Series Access Routers Configuration Guide - VPN.
8.8.4 Verifying the Configuration of Connecting a Sub-interface

to an L3VPN
Procedure
number [.subinterface-number ] ] command to check the Dot1q sub-interface
configuration.
number [.subinterface-number ] ] command to check the QinQ sub-interface
configuration.
information about a VPN instance.
----End

8.9 Configuring the TPID Value in an Outer VLAN Tag

To enable interoperation between devices from different vendors, set the same TPID value in
outer VLAN tags on the devices.
Context
Devices from different vendors or in different network plans may use different TPID values in
VLAN tags of VLAN packets. To adapt to an existing network plan, the device supports TPID
value configuration. You can set the TPID value on the device to be the same as the TPID
value in the network plan to ensure compatibility with the current network.
NOTE
l To implement interoperability with a non-Huawei device, ensure that the protocol type in the outer
VLAN tag added by the router can be identified by the non-Huawei device.
l The qinq protocol command identifies incoming packets, and adds or changes the TPID value of
outgoing packets.
l The protocol ID configured on an interface by the qinq protocol command must be different from
other commonly used protocol IDs; otherwise, the interface cannot distinguish packets of these
protocols. For example, protocol-id cannot be set to 0x0806, which is the ARP protocol ID.
Procedure
Step 3 Run qinq protocol protocol-id
The protocol type in the outer VLAN tag is set.
By default, the TPID value in the outer VLAN tag is 0x8100.
----End
8.10 Configuration Examples for QinQ
8.10.1 Example for Configuring Basic QinQ
are assigned.
The requirements are as follows:

l VLANs are assigned independently in enterprise A, and are independent of carrier

VLANs or VLANs of other enterprises.
l Traffic between two branches of enterprise A is transparently transmitted through the
public network, devices transmitting the same service in different branches of enterprise
A are allowed to communicate, and devices transmitting different services are isolated.
Figure 8-7 Networking diagram for configuring basic QinQ
GE0/0/1 GE0/0/0
VL
20
AN
AN
20
PE1
VL Network PE2
GE0/0/0 GE0/0/0
0 VL
2 AN
AN GE0/0/1 20
VL GE0/0/1
CE2
CE1
GE0/0/0 GE0/0/0
Branch 1 Branch 2
You can configure the basic QinQ function on a CE connected to a PE and implement
communication between two branches of enterprise A through VLAN 20 provided by the
carrier.
1. Create a bridge group and add a sub-interface to the bridge group.
2. Configure VLANs allowed by the sub-interface.
3. Configure basic QinQ on the CE interface connected to the PE so that the CE can add the
S-VLAN tag to user packets.
4. Add interfaces of the PE and P to VLAN 20 so that packets from VLAN 20 are allowed
to pass through.
Procedure
# Create a bridge group and add a sub-interface to the bridge group on CE1. The
configuration of CE2 is similar to that of CE1.
[CE1] bridge 1

[CE1-bridge1] quit
Step 2 Configure VLANs allowed by the sub-interface.

# Configure VLANs allowed by the sub-interface on CE1. The configuration of CE2 is
similar to that of CE1.
[CE1-GigabitEthernet0/0/0.1] vlan allow-pass vid 10 to 50
Step 3 Configure an interface on CE connected to a PE to add a VLAN tag to user packets.

# Configure an interface on CE1 connected to a PE to add a VLAN tag to user packets. The
configuration of CE2 is similar to that of CE1.
[CE1-GigabitEthernet0/0/0.1] vlan dot1q-tunnel 20
Step 4 Add interfaces on PE1, PE2, and P to VLAN 20 in trunk mode. The configurations of PE2
and P are similar to the configuration of PE1.
# Add GE0/0/0 and GE0/0/1 on PE1 to VLAN 20 in trunk mode.
[PE1] vlan batch 20
[PE1-GigabitEthernet0/0/0] port link-type trunk
[PE1-GigabitEthernet0/0/0] port trunk allow-pass vlan 20

# On a PC in a VLAN of a branch in enterprise A, ping a PC in the same VLAN of the other
branch in enterprise A. The ping operation succeeds, indicating that devices transmitting the
same service can communicate with each other.
----End
Configuration Files
#
sysname CE1
#
bridge 1
#
bridge 1
vlan allow-pass vid 10 to 50
vlan dot1q-tunnel 20
#
return

#
sysname CE2
#
bridge 1
#

bridge 1
#
return

#
sysname PE1
#
vlan batch 20
#
#
#
return

#
sysname PE2
#
vlan batch 20
#
#
#
return
#
sysname P
#
vlan batch 20
#
#
#
return
8.10.2 Example for Configuring Selective QinQ
are assigned. Data services are transmitted in VLAN 10 to VLAN 30, and voice services are
transmitted in VLAN 31 to VLAN 50.


public network, devices transmitting the same service in different branches of enterprise
A are allowed to communicate, and devices transmitting different services are isolated.
l High-priority voice services are transmitted first.
Figure 8-8 Networking diagram for configuring selective QinQ
GE0/0/1 GE0/0/0
PE1 Network PE2

GE0/0/0 GE0/0/0
GE0/0/1 GE0/0/1
CE1 CE2
GE0/0/0 GE0/0/0
GE0/0/1 GE0/0/1
Branch 1 Branch 2
You can configure selective QinQ on the CE user-side interface and implement
communication between two branches of enterprise A through VLAN 60 and VLAN 61
provided by the carrier.
1. Create a bridge group and add sub-interfaces to the bridge group.
2. Configure VLANs allowed by the user-side sub-interfaces of the CE, configure the CE
user-side interface to add different outer VLAN tags to packets with different user
VLAN IDs, and re-mark voice services with high priority.
3. Add the CE interface connected to the PE, PE interface, and P interface to VLAN 20 and
VLAN 21 so that packets from VLAN 20 and VLAN 21 are allowed to pass through.
Procedure
Step 1 Create a bridge group and add sub-interfaces to the bridge group.

[CE1] bridge 1
[CE1-bridge1] quit
# The configuration of CE2 is similar to that of CE1, and is not mentioned here.
Step 2 Configure CE1 user-side interface to add VLAN tags to user packets and re-mark voice
services with high priority.
[CE1-GigabitEthernet0/0/1.1] vlan stacking vid 10 to 30 pe-vid 60
[CE1-GigabitEthernet0/0/1.2] vlan stacking vid 31 to 50 pe-vid 61 remark-8021p 7
# The configuration of CE2 is similar to that of CE1, and is not mentioned here.
Step 3 Add sub-interfaces of GE0/0/0 on CE1 to bridge 1, VLAN 60, and VLAN 61. Add GE0/0/0
and GE0/0/1 on PE1 to VLAN 60 and VLAN 61 in trunk mode.
# Add sub-interfaces of GE0/0/0 on CE1 to bridge 1, VLAN 60 and VLAN 61 in trunk mode.
The configuration of CE2 is similar to that of CE1. For details, see the configuration files.
[CE1] vlan batch 60 to 61
[CE1] interface gigabitethernet 0/0/0
[CE1-GigabitEthernet0/0/0.33] vlan allow-pass vlan 60 61
# Add GE0/0/0 and GE0/0/1 on PE1 to VLAN 60 and VLAN 61 in trunk mode. The
configurations of PE2 and P are similar to the configuration of PE1, and are not mentioned
here.
[PE1] vlan batch 60 to 61
[PE1-GigabitEthernet0/0/0] port trunk allow-pass vlan 60 61
[PE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 60 61
# On a PC in a VLAN of a branch in enterprise A, ping a PC in the same VLAN of the other

branch in enterprise A. The ping operation succeeds, indicating that devices transmitting the
same service can communicate with each other.
----End

Configuration Files
#
sysname CE1
#
vlan batch 60 to 61
#
bridge 1
#
#
bridge 1
vlan allow-pass vlan 60 61
#
#
bridge 1
vlan stacking vid 10 to 30 pe-vid 60
#
bridge 1
vlan stacking vid 31 to 50 pe-vid 61 remark 8021p 7
#
return

#
sysname CE2
#
vlan batch 60 to 61
#
bridge 1
#
#
bridge 1
vlan allow-pass vlan 60 61
#
#
bridge 1
vlan stacking vid 10 to 30 pe-vid 60
#
bridge 1
vlan stacking vid 31 to 50 pe-vid 61 remark 8021p 7
#
return

#
sysname PE1
#
vlan batch 60 to 61
#


#
#
return

#
sysname PE2
#
vlan batch 60 to 61
#
#
#
return
#
sysname P
#
vlan batch 60 to 61
#
#
#
return
8.10.3 Example for Connecting a Dot1q Sub-interface to a VLL

Network
VLANs.
A Martini VLL is created between PE1 and PE2 so that user networks connected to CE1 and

to a VLL network
10.10.1.9/32 10.20.2.9/32 10.30.3.9/32
GE2/0/0 GE1/0/0
10.1.1.2/24 10.2.2.2/24
PE1 PE2
GE2/0/0 GE 1/0/0
GE1/0/0 10.1.1.1/24 P 10.2.2.1/24 GE2/0/0
Martini
GE1/0/0 GE1/0/0
CE1 CE2
transmission.
4. Configure Dot1q sub-interfaces on PE interfaces connected to CEs to implement VLL
access.
Procedure
Step 1 Configure IP addresses for interfaces on CEs, PEs, and the P devices according to Figure 8-9.
# Configure CE1. The configuration details of other devices are not mentioned here.
# VLAN 10 is used as an example. Configure CE1.
# Configure CE2.

# Configure PE1. The configuration details of other devices are not mentioned here.
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit

# Configure PE1.
# Configure PE2.


------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------

[PE1] mpls l2vpn
[PE1-l2vpn] quit

[PE2] mpls l2vpn
[PE2-l2vpn] quit
and is in Up state.
*client interface : GigabitEthernet1/0/0.1 is up
session state : up
AC status : up
VC state : up
Label state : 0
Token state : 0
VC ID : 101
VC type : VLAN
VCCV State : up
link state : up


Access-port : false
VC last up time : 2011/09/26 15:29:03
CKey : 5
NKey : 4
Service Class : --
Color : --
DomainId : --
Domain Name : --

[CE1] ping 10.100.1.2
0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
#
ip address 10.100.1.1 255.255.255.0
#
return

#
sysname PE1
#
mpls
#
mpls l2vpn

#
mpls ldp
#
remote-ip 10.30.3.9
#
#
mpls l2vc 10.30.3.9 101
#
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.10.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.10.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
#
sysname P
#
mpls
#
mpls ldp
#
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.20.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.20.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
#
sysname PE2
#
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 10.10.1.9

#
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
#
mpls l2vc 10.10.1.9 101
#
interface LoopBack1
ip address 10.30.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.30.3.9 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return

#
sysname CE2
#
#
ip address 10.100.1.2 255.255.255.0
#
return
8.10.4 Example for Connecting a QinQ Sub-interface to a VLL

Network
VLANs.
A Martini VLL is created between CE1 and CE2 so that user networks connected to CE1 and
Figure 8-10 Networking diagram for configuring a sub-interface for dot1q VLAN tag
termination to access a VLL network
10.10.1.9/32 10.20.2.9/32 10.30.3.9/32
GE2/0/0 GE1/0/0
10.1.1.2/24 10.2.2.2/24
PE1 PE2
GE2/0/0 GE 1/0/0
GE1/0/0 10.1.1.1/24 P 10.2.2.1/24 GE2/0/0
Martini
GE1/0/0 GE1/0/0
CE1 CE2

transmission.
4. Configure QinQ sub-interfaces on PE interfaces connected to CEs to implement VLL
access.
Procedure
Step 1 Configure IP addresses for interfaces on CEs, PEs, and P according to Figure 8-10.
# CE1 is used as an example. The configuration details of other devices are not mentioned
here.

# Here, the inner VLAN ID is VLAN 10 and outer VLAN ID is VLAN 100.
# Configure CE1.
# Configure CE2.
# PE1 is used as an example. The configuration details of other devices are not mentioned
here.
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure PE1.
[PE1] mpls

[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
# Configure PE1.
# Configure PE2.
After the configuration is complete, run the display mpls ldp session command on PE1 to
Take the display on PE1 for example.


------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------


[PE1] mpls l2vpn
[PE1-l2vpn] quit

[PE2] mpls l2vpn
[PE2-l2vpn] quit

and is in Up state.
*client interface : GigabitEthernet1/0/0.1 is
up
session state : up
AC status : up
VC state : up
Label state : 0
Token state : 0
VC ID : 101
VC type : VLAN
VCCV State : up
link state : up
Access-port : false


VC last up time : 2011/09/26 15:29:03
CKey : 5
NKey : 4
Service Class : --
Color : --
DomainId : --
Domain Name : --

[CE1] ping 10.100.1.2
0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
#
ip address 10.100.1.1 255.255.255.0
#
return

#
sysname PE1
#
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 10.30.3.9
#
#
mpls l2vc 10.30.3.9 101
#

ip address 10.1.1.1 255.255.255.0

mpls
mpls ldp
#
interface LoopBack1
ip address 10.10.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.10.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
#
sysname P
#
mpls
#
mpls ldp
#
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.20.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.20.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
#
sysname PE2
#
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 10.10.1.9
#
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
#
mpls l2vc 10.10.1.9 101
#
interface LoopBack1

ip address 10.30.3.9 255.255.255.255

#
ospf 1
area 0.0.0.0
network 10.30.3.9 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return

#
sysname CE2
#
#
ip address 10.100.1.2 255.255.255.0
#
return
8.10.5 Example for Connecting a Dot1q VLAN Tag Termination

to an L3VPN
AS: 65410 AS: 65430

VPN-A VPN-A
CE1 CE3
GE1/0/0 GE1/0/0
Loopback1
10.20.2.9/32
GE1/0/0 GE1/0/0
PE1 GE1/0/0 GE2/0/0 PE2
10.10.1.9/32 GE3/0/0 GE3/0/0 10.30.3.9/32
172.16.1.1/24 P 172.26.1.2/24
GE2/0/0 AS: 100 GE2/0/0
VPN Backbone
GE1/0/0 GE1/0/0
CE2 CE4
VPN-B VPN-B
AS: 65420 AS: 65440

connected to CEs.
6. Configure Dot1q sub-interfaces on PE interfaces connected to CEs to connect the Dot1q
sub-interfaces to the L3VPN.
Procedure
with each other.
# Configure PE1.
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure P.
[Huawei] sysname P
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1] quit
# Configure PE2.

[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
relationships. Run the display ospf peer command. The OSPF neighbor relationship status is
Full. Run the display ip routing-table command. PEs have learned the routes to each other's
Loopback1 interface.
D - download to fib
------------------------------------------------------------------------------

10.20.2.9/32 OSPF 10 1 D 172.16.1.2
10.30.3.9/32 OSPF 10 2 D 172.16.1.2
172.16.1.0/24 Direct 0 0 D 172.16.1.1
172.16.1.1/32 Direct 0 0 D 10.0.0.1
172.16.1.255/32 Direct 0 0 D 10.0.0.1
172.26.1.0/24 OSPF 10 2 D 172.16.1.2

Neighbors

DR: 172.16.1.1 BDR: 172.16.1.2 MTU: 0
LDP LSPs.
# Configure PE1.
[PE1] mpls

[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
LDP LSP Information

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
10.10.1.9/32 3/NULL 10.20.2.9 10.0.0.1 InLoop0
*10.10.1.9/32 Liberal/1024 DS/10.20.2.9
10.20.2.9/32 NULL/3 - 172.16.1.2 GE3/0/0
10.20.2.9/32 1024/3 10.20.2.9 172.16.1.2 GE3/0/0
10.30.3.9/32 NULL/1025 - 172.16.1.2 GE3/0/0
10.30.3.9/32 1025/1025 10.20.2.9 172.16.1.2 GE3/0/0
-------------------------------------------------------------------------------


# Here, the VLAN ID in packets sent by CE1 and CE3 is VLAN 10, and the VLAN ID in
packets sent by CE2 and CE4 is VLAN 20.
# Configure CE1.
# Configure CE2.
# Configure CE3.
# Configure CE4.
# Configure PE1.


# Configure PE2.
NOTE


Address family ipv4
Create date : 2012/07/25 00:58:17
Log Interval : 5

Address family ipv4
Create date : 2012/07/25 00:58:17
Log Interval : 5



0.00% packet loss

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] quit


State PrefRcv
10.30.3.9 4 100 12 6 0 00:02:21

Established 0


PrefRcv
10.30.3.9 4 100 12 18 0 00:09:38 Established 0
[CE1] bgp 65410
[CE1-bgp] quit

mentioned here.
[PE1] bgp 100
[PE1-bgp-vpna] quit
[PE1-bgp-vpnb] quit
[PE1-bgp] quit



PrefRcv
10.1.1.1 4 65410 6 3 0 00:00:02

Established 4

remote CEs.
D - download to fib
------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.2

10.1.1.2/32 Direct 0 0 D 10.0.0.1
10.1.1.255/32 Direct 0 0 D 10.0.0.1
10.3.1.0/24 IBGP 255 0 RD 10.30.3.9
D - download to fib
------------------------------------------------------------------------------

10.2.1.0/24 Direct 0 0 D 10.2.1.2

10.2.1.2/32 Direct 0 0 D 10.0.0.1
10.2.1.255/32 Direct 0 0 D 10.0.0.1
10.4.1.0/24 IBGP 255 0 RD 10.30.3.9
[CE1] ping 10.3.1.1
0.00% packet loss
[CE1] ping 10.4.1.1
Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
----End
Configuration Files
#
sysname PE1
#
ipv4-family
#
ipv4-family
#
mpls
#
mpls ldp
#
#

ip address 10.1.1.2 255.255.255.0

#
#
ip address 10.2.1.2 255.255.255.0
#
ip address 172.16.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.10.1.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
#
ipv4-family vpnv4
policy vpn-target
#
import-route direct
#
import-route direct
#
ospf 1
area 0.0.0.0
network 10.10.1.9 0.0.0.0
network 172.16.1.0 0.0.0.255
#
return
#
sysname P
#
mpls
#
mpls ldp
#
ip address 172.16.1.2 255.255.255.0
mpls
mpls ldp
#
ip address 172.26.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.20.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.20.2.9 0.0.0.0
network 172.16.1.0 0.0.0.255

network 172.26.1.0 0.0.0.255

#
return
#
sysname PE2
#
ip vpn-instance
vpna
ipv4-family
#
ip vpn-instance
vpnb
ipv4-family
#
mpls
#
mpls ldp
#
#
ip address 10.3.1.2 255.255.255.0
#
#
ip address 10.4.1.2 255.255.255.0
#
ip address 172.26.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.30.3.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
#
ipv4-family vpnv4
policy vpn-target
#
import-route direct
#
import-route direct
#
ospf 1

area 0.0.0.0
network 10.30.3.9 0.0.0.0
network 172.26.1.0 0.0.0.255
#
return

#
sysname CE1
#
#
ip address 10.1.1.1 255.255.255.0
#
bgp 65410
#
ipv4-family unicast
import-route direct
#
return

#
sysname CE2
#
#
ip address 10.2.1.1 255.255.255.0
#
bgp 65420
#
ipv4-family unicast
import-route direct
#
return

#
sysname CE3
#
#
ip address 10.3.1.1 255.255.255.0
#
bgp 65430
#
ipv4-family unicast
import-route direct
#
return

#
sysname CE4

#
#
ip address 10.4.1.1 255.255.255.0
#
bgp 65440
#
ipv4-family unicast
import-route direct
#
return

Configuration 9 VLAN Mapping Configuration
9 VLAN Mapping Configuration
About This Chapter
This chapter describes how to configure VLAN mapping. VLAN mapping technology
changes VLAN tags in packets to implement the mapping between different VLANs.
9.1 Overview of VLAN Mapping
9.2 Understanding VLAN Mapping
9.3 Application Scenarios for VLAN Mapping
This section describes the applicable environment of VLAN mapping.
9.4 Summary of VLAN Mapping Configuration Tasks
9.5 Licensing Requirements and Limitations for VLAN Mapping
This section describes VLAN Mapping configuration notes.
9.6 Configuring VLAN Mapping
9.7 Configuration Examples for VLAN Mapping
9.1 Overview of VLAN Mapping
Definition
VLAN mapping technology changes VLAN tags in packets to implement the mapping
between different VLANs.
Purpose
In some scenarios, two Layer 2 user networks in the same VLAN are connected through the
backbone network. To implement Layer 2 connectivity between users and deploy Layer 2
protocols such as MSTP uniformly, the two user networks need to seamlessly interwork with
each other. In this case, the backbone network needs to transmit VLAN packets from the user
networks. Generally, VLAN plan on the backbone network and user network is different, so
the backbone network cannot directly transmit VLAN packets from a user network.

One method is to configure a Layer 2 tunneling technology such as QinQ or VPLS to

encapsulate VLAN packets into packets on the backbone network so that VLAN packets are
transparently transmitted. However, this method increases extra cost because packets are
encapsulated. In addition, Layer 2 tunneling technology may not support transparent
transmission of packets of some protocol packets. The other method is to configure VLAN
mapping. When VLAN packets from a user network enter the backbone network, an edge
device on the backbone network changes the C-VLAN ID to the S-VLAN ID. After the
packets are transmitted to the other side, the edge device changes the S-VLAN ID to the C-
VLAN ID. This method implements seamless interworking between two user networks.
VLAN IDs in two directly connected Layer 2 networks are different because of different
plans. The user needs to manage the two networks as a single Layer 2 network. For example,
Layer 2 connectivity and Layer 2 protocols need to be deployed uniformly. VLAN mapping
can be configured on the switch connecting the two user networks to map VLAN IDs on the
two user networks. This implements Layer 2 connectivity and uniform management.
9.2 Understanding VLAN Mapping
Basic Principles
After receiving a tagged packet, the router determines to replace the outer tag based on the
VLAN mapping mode. Then the router learns the MAC addresses contained in the packet.
Based on the source MAC address and mapped VLAN ID, the switch updates the MAC
address entries in the VLAN mapping table. Based on the destination MAC address and the
mapped VLAN ID, the switch searches for the MAC address entries. If the destination MAC
address matches no entry, the switch broadcasts the packet in the specified VLAN; if the
destination MAC address matches an entry, the switch forwards the packet through the
corresponding outbound interface.
As shown in Figure 9-1, VLAN mapping between VLAN 2 and VLAN 3 is configured on
Interface1. Before sending packets from VLAN 2 to VLAN 3, Interface1 replaces the VLAN
tags with VLAN 3 tags. When receiving packets from VLAN 3, Interface1 replaces the
VLAN tags with VLAN 2 tags. Then packets are forwarded according to the Layer 2
forwarding process. This implements communication between devices in VLAN 2 and VLAN
3.

Figure 9-1 VLAN mapping

VLAN2 VLAN3
2 3
Interface1
3
RouterA RouterB
2 3
2 3
172.16.0.1/16 172.16.0.7/16
Implementation Modes
The device supports VLAN ID-based and 802.1p priority-based VLAN mapping.
l VLAN ID-based VLAN mapping
When an interface configured with VLAN mapping receives a single-tagged packet, the
interface maps the VLAN tag in the packet to a new VLAN tag.
When an interface configured with VLAN mapping receives a double-tagged packet, the
interface maps the outer tag of the packet to a specified tag and transparently transmits
the inner tag as the data.
l 802.1p priority-based VLAN mapping
When an interface configured with VLAN mapping receives a single-tagged packet, the
interface replaces the 802.1p priority in the packet with a new 802.1p priority.
When an interface configured with VLAN mapping receives a double-tagged packet, the
interface replaces the 802.1p priority in the outer tag of the packet with a new 802.1p
priority.
9.3 Application Scenarios for VLAN Mapping

This section describes the applicable environment of VLAN mapping.
VLAN ID-based VLAN Mapping

are assigned. Different VLANs in the two branches are assigned to department 1. To
implement interworking of department 1, configure VLAN ID-based VLAN mapping and
dot1q tunnel.

Figure 9-2 Typical networking of VLAN ID-based VLAN mapping
PE1 Network PE2
CE1 CE2
VLAN Mapping
Branch 1 Department 1:VLAN 10 Branch 2
Department 1:VLAN 100 VLAN 100
802.1p Priority-based VLAN Mapping

As shown in Figure 9-3, enterprise A has two branches. Voice services reaching an enterprise
branch need to be preferentially forwarded. You can configure 802.1p priority-based VLAN
mapping and dot1q tunnel.

Figure 9-3 Typical networking of 802.1p Priority-based VLAN mapping
PE1 Network PE2
CE1 CE2
VLAN Mapping
VolP PC VolP PC
9.4 Summary of VLAN Mapping Configuration Tasks

Table 9-1 describes the VLAN mapping configuration tasks.
Table 9-1 VLAN Mapping configuration tasks

Configuring VLAN ID- When packets are sent from 9.6.1 Configuring VLAN
based VLAN Mapping one LAN to another, if ID-based VLAN Mapping
VLAN ID plans are
different, their VLAN IDs
need to be changed. You can
configure VLAN ID-based
VLAN mapping on the LAN
edge device to map VLAN
IDs in received packets.
Then the LAN edge device
forwards packets based on
mapped VLAN IDs.

Configuring 802.1p Priority- When packets are sent from 9.6.2 Configuring 802.1p
based VLAN Mapping one LAN to another, if Priority-based VLAN
different networks use Mapping
different priority policies,
their 802.1p priorities need
to be changed. You can
configure 802.1p priority-
based VLAN mapping on
the LAN edge device to map
802.1p priorities in received
packets. Then the LAN edge
device forwards packets
based on mapped 802.1p
priorities.

Mapping
This section describes VLAN Mapping configuration notes.

None
VLAN Mapping is a basic feature of a router and is not under license control.
Feature Limitations
When deploying VLAN Mapping on the router, pay attention to the following:
l Before configuring VLAN mapping on an interface, add the interface to a network
bridge. If the interface is deleted from the network bridge, the VLAN mapping
configuration is also deleted from the interface.
l You can configure only one of QinQ, selective QinQ, and VLAN mapping on a sub-
interface.
NOTE
Only the AR100-S&AR120-S&AR150-S&AR160-S&AR200-S, AR1220F-S, and AR1220E-S support

VLAN mapping.
9.6 Configuring VLAN Mapping

9.6.1 Configuring VLAN ID-based VLAN Mapping
When packets are sent from one LAN to another, if VLAN ID plans are different, their VLAN
IDs need to be changed. You can configure VLAN ID-based VLAN mapping on the LAN

edge device to map VLAN IDs in received packets. Then the LAN edge device forwards
packets based on mapped VLAN IDs.
Procedure
l Configure VLAN ID-based VLAN mapping on a sub-interface.
a. Run system-view


c. Run quit

number
NOTE

on the interface.


NOTE

h. Run vlan mapping vid vlan-id1 map-vlan vlan-id2
VLAN ID-based VLAN mapping is configured.
NOTE
The sub-interface has been added to a bridge group and the VLANs allowed by the sub-
interface has been configured using the vlan allow-pass command.
The VLANs allowed by the sub-interface include VLANs specified by vlan-id1 in vlan
mapping vid vlan-id1 map-vlan vlan-id2.
When the vlan mapping vid command is executed multiple times, vlan-id2 in the vlan
mapping vid command on a sub-interface must be different from vlan-id1 and vlan-id2 in
the vlan mapping vid command on other sub-interfaces of the same main interface.
l Configure VLAN ID-based VLAN mapping on a Layer 2 VE interface.

a. Run system-view

b. Run interface virtual-ethernet ve-number

c. Run portswitch

d. Run port link-type { access | hybrid | trunk }
The link type of the interface is configured as hybrid or trunk.

e. Run vlan mapping vid vid-value1 map-vlan vid-value2 [ remark-8021p 8021p-
val ]
VLAN ID-based VLAN mapping is configured on the Layer 2 VE interface.
NOTE
l The VLAN ID in the tag of the received frame on an interface must be different from the
mapped VLAN ID.
l The mapped outer VLAN must exist and the interface must join the original and mapped
VLANs in tagged mode.
l VLAN stacking and VLAN mapping can take effect, but VLAN IDs of multiple CEs
must be unique, VLAN IDs in the original and mapped tags must be different, and
VLAN IDs of multiple PEs must be unique.
l Layer 2 Ethernet interfaces support only VLAN ID-based VLAN mapping, and do not
support VLAN mapping based on 802.1p priorities or VLAN IDs and 802.1p priorities.
l This command can be configured on an interface multiple times, and a maximum of 128
VLAN mapping entries can be configured on all interfaces.
----End
9.6.2 Configuring 802.1p Priority-based VLAN Mapping

When packets are sent from one LAN to another, if different networks use different priority
policies, their 802.1p priorities need to be changed. You can configure 802.1p priority-based
VLAN mapping on the LAN edge device to map 802.1p priorities in received packets. Then
the LAN edge device forwards packets based on mapped 802.1p priorities.
Procedure
Step 2 Run bridge bridge-id
Step 3 Run quit

NOTE
Sub-interfaces can only be created on Layer 3 Ethernet interfaces. If an interface works in Layer 2 mode
and supports switching between Layer 2 and Layer 3 modes, run the undo portswitch command to
switch the interface in Layer 3 mode before creating a sub-interface on the interface.
Step 6 Run bridge vlan-transmit enable
Step 7 Run vlan allow-pass { vid vlan-id1 [ to vlan-id2 ] | default }
NOTE

The vlan allow-pass default command can be executed only on a sub-interface among all sub-interfaces of
each main interface. Packets are forwarded through the default sub-interface when the packets do not match
other QinQ or VLAN mapping entries on a sub-interface.
Step 8 Run vlan mapping 8021p 8021p-value1 map-8021p 8021p-value2
802.1p priority-based VLAN mapping is configured.
----End
9.7 Configuration Examples for VLAN Mapping
9.7.1 Example for Configuring VLAN ID-based VLAN Mapping
are assigned.
Because of plan or operation causes, department 1 in branch 1 uses VLAN 10, and branch 2
assigns VLAN 100 to department 1.

public network, users using the same service in different branches of enterprise A are
allowed to communicate, and users using different services must be isolated.
l Department 1 in two branches can communicate.

Figure 9-4 Networking diagram for configuring VLAN ID-based VLAN Mapping functions
GE0/0/1 GE0/0/0
Network
PE1 PE2
GE0/0/0 GE0/0/0
GE0/0/1 GE0/0/1
CE1 CE2
GE0/0/0 GE0/0/0
GE0/0/1 GE0/0/1
VLAN Mapping
Branch 1 Department 1:VLAN 10 Branch 2
VLAN 100
Department 1:VLAN 100
You can configure VLAN Mapping and Dot1q Tunnel on the CE connected to the PE and
implement communication between two branches of enterprise A through VLAN 20 provided
by the carrier. VLAN mapping is configured on a user-side interface of CE2 so that
department 1 in two branches can communicate.
2. Configure VLANs allowed by a sub-interface.
3. Configure QinQ mapping on a user-side interface of CE2 to map VLAN 100 to VLAN
10 so that department 1 in two branches can communicate.
4. Configure dot1q tunnel on the CE interface connected to the PE so that the CE can add
the S-VLAN tag to user packets.
to pass through.
Procedure
[CE1] bridge 1
[CE1-bridge1] quit


The configuration of CE2 is similar to that of CE1, and is not mentioned here.
Step 2 Configure VLANs allowed by a sub-interface.
# Configure VLANs allowed by a sub-interface on the CE1.


[CE2-GigabitEthernet0/0/1.1] vlan allow-pass vid 100
Step 3 Configure VLAN mapping on a user-side interface of CE2 to map VLAN 100 to VLAN 10.
[CE2-GigabitEthernet0/0/1.1] vlan mapping vid 100 map-vlan 10
Step 4 Configure CE1 interface connected to the PE to add a VLAN tag to user packets.
Step 5 Add GE0/0/0 and GE0/0/1 on PE1 to VLAN 20 in trunk mode.

[PE1] vlan batch 20
The configurations of PE2 and P are similar to the configuration of PE1, and are not
mentioned here.
# Ping a PC in VLAN 100 of branch 2 from a PC in VLAN 10 of branch 1. The ping

operation succeeds, indicating that department 1 in different branches can communicate.
----End

Configuration Files
#
sysname CE1
#
bridge 1
#
#
bridge 1
#
#
bridge 1
#
return

#
sysname CE2
#
bridge 1
#
#
bridge 1
#
#
bridge 1
vlan allow-pass vid 100
vlan mapping vid 100 map-vlan 10
#
return

#
sysname PE1
#
vlan batch 20
#
#
#
return

#
sysname PE2

#
vlan batch 20
#
#
#
return
l Configuration file of P
#
sysname P
#
vlan batch 20
#
#
#
return
9.7.2 Example for Configuring 802.1p Priority-based VLAN

Mapping
As shown in Figure 9-5, common Internet access users (using PCs) and VoIP users (using
VoIP terminals) connect to the carrier network through PE1 and PE2 and communicate with
each other through the carrier network.
In enterprise A, VLAN 50 is allocated to VoIP terminals and VLAN 51 is allocated to PCs.
The default priority is 0.
public network, users using the same service in different branches of enterprise A are
allowed to communicate, and users using different services must be isolated.
l On an enterprise branch, voice services are transmitted preferentially, and the priority of
data services remains unchanged.

Figure 9-5 Networking diagram for configuring 802.1p Priority-based VLAN Mapping
functions
GE0/0/1 GE0/0/0
Network
PE1 PE2
GE0/0/0 GE0/0/0
GE0/0/1 GE0/0/1
CE1 CE2
GE0/0/0 GE0/0/0
GE0/0/1 GE0/0/2 GE0/0/1 GE0/0/2
VLAN Mapping
VolP PC VolP PC
VLAN mapping or dot1q tunnel can meet the preceding requirements. You can configure the
dot1q tunnel function on the CE connected to the PE and implement communication between
two branches of enterprise A through VLAN 20 provided by the carrier, and configure VLAN
mapping on the user-side interface of CE2 to map a higher priority for voice services and a
lower priority for data services.
2. Configure VLANs allowed by a sub-interface.
3. Configure the user-side interface on CE2 to map the 802.1p priority of voice services
from 0 to 7 so that voice services are transmitted preferentially.
4. Configure dot1q tunnel on the CE interface connected to the PE so that the CE can add
the S-VLAN tag to user packets.
to pass through.
Procedure
[CE1] bridge 1
[CE1-bridge1] quit


Step 2 Configure VLANs allowed by a sub-interface.
Step 3 Configure GE0/0/1 on CE2 to map the 802.1p priority of voice services from 0 to 7.
[CE2-GigabitEthernet0/0/1.1] vlan mapping 8021p 0 map-8021p 7
Step 4 Configure CE1 interface connected to the PE to add a VLAN tag to user packets.
Step 5 Add GE0/0/0 and GE0/0/1 on PE1 to VLAN 20 in trunk mode.
[PE1] vlan batch 20
The configurations of PE2 and P are similar to the configuration of PE1, and are not
mentioned here.
----End
Configuration Files
#
sysname CE1
#

bridge 1
#
#
bridge 1
#
#
bridge 1
#
#
bridge 1
#
return

#
sysname CE2
#
bridge 1
#
#
bridge 1
#
#
bridge 1
vlan mapping 8021p 0 map-8021p 7
#
#
bridge 1
#
return

#
sysname PE1
#
vlan batch 20
#
#

#
return

#
sysname PE2
#
vlan batch 20
#
#
#
return
l Configuration file of P
#
sysname P
#
vlan batch 20
#
#
#
return

Configuration 10 GVRP Configuration
10 GVRP Configuration
About This Chapter
This chapter describes basic GVRP concepts, GVRP configuration procedures, and concludes
with a GVRP configuration example.
10.1 Overview of GVRP
10.2 Understanding GVRP
10.3 Application Scenarios for GVRP
10.4 Default Settings for GVRP
10.5 Licensing Requirements and Limitations for GVRP
10.6 Configuring GVRP
10.7 Clearing GVRP Statistics
10.8 Configuration Examples for GVRP
10.1 Overview of GVRP
Definition
The Generic Attribute Registration Protocol (GARP) provides a mechanism to propagate
attributes so that a protocol entity can register and deregister attributes. By filling different
attributes into GARP packets, GARP supports different upper-layer applications.
The Generic Attribute Registration Protocol (GVRP) is used to register and deregister VLAN
attributes.
GARP identifies applications through destination MAC addresses. IEEE Std 802.1Q assigns
01-80-C2-00-00-21 to the VLAN application (GVRP).
Purpose
To deploy certain VLANs on all devices on a network, the network administrator needs to
manually create these VLANs on each device. As shown in Figure 10-1, three routers are

connected through trunk links. VLAN 2 is configured on Router A, and VLAN 1 is

configured on Router B and Router C. To forward packets of VLAN 2 from Router A to
Router C, the network administrator must manually create VLAN 2 on Router B and Router
C.
Figure 10-1 Networking of GVRP application
RouterA RouterC
RouterB
When a network is complicated and the network administrator is unfamiliar with the network
topology or when many VLANs are configured on the network, huge workload is required for
manual configuration. In addition, configuration errors may occur. In this case, you can
configure GVRP on the network to implement automatic registration of VLANs.
Benefits
GVRP is based on GARP and is used to maintain VLAN attributes dynamically on devices.
Through GVRP, VLAN attributes of one device can be propagated throughout the entire
switching network. GVRP enables network devices to dynamically deliver, register, and
propagate VLAN attributes, reducing workload of the network administrator and ensuring
correct configuration.
10.2 Understanding GVRP
10.2.1 Basic Concepts
Participant
On a device, each port running a protocol is considered as a participant. On a device running
GVRP, each GVRP-enabled port is considered as a GVRP participant, as shown in Figure
10-2.

Figure 10-2 GVRP participant

GVRP participants
RouterA RouterC
RouterB
VLAN Registration and Deregistration

GVRP implements automatic registration and deregistration of VLAN attributes. The
functions of VLAN registration and deregistration are:
l VLAN registration: adds a port to a VLAN.
l VLAN deregistration: removes a port from a VLAN.
GVRP registers and deregisters VLAN attributes through attribute declarations and reclaim
declarations as follows:
l When a port receives a VLAN attribute declaration, it registers the VLAN specified in
the declaration. That is, the port is added to the VLAN.
l When a port receives a VLAN attribute reclaim declaration, it deregisters the VLAN
specified in the declaration. That is, the port is removed from the VLAN.
A port registers or deregisters VLANs only when it receives GVRP messages.
Figure 10-3 VLAN registration and deregistration
Declaration
Register
Reclaim
Deregister
RouterA declaration RouterB
GARP Messages
GARP participants exchange VLAN information through GARP messages. Major GARP
messages are Join messages, Leave messages, and LeaveAll messages.

l Join message
When a GARP participant expects other devices to register its attributes, it sends Join
messages to other devices. When the GARP participant receives a Join message from
another participant or is configured with attributes statically, it also sends Join messages
to other devices for the devices to register the new attributes.
Join messages are classified into JoinEmpty messages and JoinIn messages. The
difference between the two types of messages is:
– JoinEmpty: declares an unregistered attribute.
– JoinIn: declares a registered attribute.
l Leave message
When a GARP participant expects other devices to deregister its attributes, it sends
Leave messages to other devices. When the GARP participant receives a Leave message
from another participant or some of its attributes are deregistered statically, it also sends
Leave messages to other devices.
Leave messages are classified into LeaveEmpty messages and LeaveIn messages. The
difference between the two types of messages is:
– LeaveEmpty: deregisters an unregistered attribute.
– LeaveIn: deregisters a registered attribute.
l LeaveAll message
When a participant starts, it starts the LeaveAll timer. When the LeaveAll timer expires,
the participant sends LeaveAll messages to other devices.
A participant sends LeaveAll messages to deregister all attributes so that other
participants can re-register attributes of the local participant. LeaveAll messages are used
to periodically delete useless attributes on the network. For example, an attribute of a
participant is deleted but the participant does not send Leave messages to request other
participants to deregister the attribute because of a sudden power failure. Then this
attribute becomes useless.
GARP Timers
The GARP protocol defines four timers:
l Join timer
The Join timer controls sending of Join messages including JoinIn messages and
JoinEmpty messages.
After sending the first Join message, a participant starts the Join timer. If the participant
receives a JoinIn message before the Join timer expires, it does not send the second Join
message. If the participant does not receive any JoinIn message, it sends the second Join
message when the Join timer expires. This ensures that the Join message can be sent to
other participants. Each port maintains an independent Join timer.
l Hold timer
The Hold timer controls sending of Join messages (JoinIn messages and JoinEmpty
messages) and Leave messages (LeaveIn messages and LeaveEmpty messages).
After a participant is configured with an attribute or receives a message, it does not send
the message to other participants before the Hold timer expires. The participant
encapsulates messages received within the hold time into a minimum number of packets,
reducing the packets sent to other participants. If the participant does not use the Hold
timer but forwards a message immediately after receiving one, a large number of packets

are transmitted on the network. This makes the network unstable and wastes data fields
of packets.
Each port maintains an independent Hold timer. The Hold timer value must be equal to
or smaller than half of the Join timer value.
l Leave timer
The Leave timer controls attribute deregistration.
A participant starts the Leave timer after receiving a Leave or LeaveAll message. If the
participant does not receive any Join message of the corresponding attribute before the
Leave timer expires, the participant deregisters the attribute.
A participant sends a Leave message if one of its attributes is deleted, but this attribute
may still exist on other participants. Therefore, the participant receiving the Leave
message cannot deregister the attribute immediately and needs to wait for messages from
other participants.
For example, an attribute has two sources on the network: participant A and participant
B. Other participants register the attribute through GARP. If the attribute is deleted from
participant A, participant A sends a Leave message to other participants. After receiving
the Leave message, participant B sends a Join message to other participants because the
attribute still exists on participant B. After receiving the Join message from participant
B, other participants retain the attribute. Other participants deregister the attribute only if
they do not receive any Join message of the attribute within a period longer than two
times the Join timer value. Therefore, the Leave timer value must be greater than two
times the Join timer value.
Each port maintains an independent Leave timer.
l LeaveAll timer
When a GARP participant starts, it starts the LeaveAll timer. When the LeaveAll timer
expires, the participant sends a LeaveAll message and restarts the LeaveAll timer.
After receiving a LeaveAll message, a participant restarts all GARP timers. The
participant sends another LeaveAll message when its LeaveAll timer expires. This
reduces LeaveAll messages sent in a period of time.
If LeaveAll timers of multiple devices expire at the same time, they send LeaveAll
messages at the same time, which causes unnecessary LeaveAll messages. To solve this
problem, each device uses a random value between the LeaveAll timer value and 1.5
times the LeaveAll timer value as its LeaveAll timer value. When a LeaveAll event
occurs, all attributes on the entire network are deregistered. The LeaveAll event affects
the entire network; therefore, you need to set the LeaveAll timer to a proper value, at
least greater than the Leave timer value.
Each device maintains a global LeaveAll timer.
Registration Modes
A manually configured VLAN is a static VLAN, and a VLAN created through GVRP is a
dynamic VLAN. GVRP provides three registration modes. Static VLANs and dynamic
VLANs are processed differently in each registration mode as follows:
l Normal mode: Dynamic VLANs can be registered on a port, and the port can send
declarations of static VLANs and dynamic VLANs.
l Fixed mode: Dynamic VLANs cannot be registered on a port, and the port can send only
declarations of static VLANs.

l Forbidden mode: Dynamic VLANs cannot be registered on a port. All VLANs except
VLAN 1 are deleted from the port, and the port can send only the declaration of VLAN
1.
10.2.2 Packet Structure

GARP packets are encapsulated in the IEEE 802.3 Ethernet format, as shown in Figure 10-4.
Figure 10-4 GARP packet structure
DA SA length DSAP SSAP Ctrl PDU Ethernet Frame

1 3 N
Protocol ID Message 1 … Message N End Mark GARP PDU structure
1 2 N
Attribute Type Attribute List Message structure
1 N
Attribute 1 … Attribute N End Mark Attribute List structure

1 2 3 N
Attribute Length Attribute Event Attribute Value Attribute structure
The following table describes the fields in a GARP packet.
Field Description Value
Protocol ID Indicates the protocol ID. The value is 1.
Message Indicates the messages in -

the packet. Each message
consists of the Attribute
Type and Attribute list
fields.
Attribute Type Indicates the type of an The value is 0x01 for

attribute, which is defined GVRP, indicating that the
by the GARP application. attribute value is a VLAN
ID
Attribute List Indicates the attribute list of -

a message, which consists of
multiple attributes.
Attribute Indicates an attribute, which -

consists of the Attribute
Length, Attribute Event, and
Attribute Value fields.

Field Description Value
Attribute Length Indicates the length of an The value ranges from 2 to

attribute. 255, in bytes.
Attribute Event Indicates the event that an The value can be:
attribute describes. l 0: LeaveAll Event
l 1: JoinEmpty Event
l 2: JoinIn Event
l 3: LeaveEmpty Event
l 4: LeaveIn Event
l 5: Empty Event
Attribute Value Indicates the value of an The value is a VLAN ID for

attribute. GVRP. This field is invalid
in a LeaveAll attribute.
End Mark Indicates the end of a GARP The value is 0x00.

PDU.
10.2.3 Working Procedure
This section describes the working procedure of GVRP by using an example. This example
illustrates how a VLAN attribute is registered and deregistered on a network in four phases.
One-Way Registration
Figure 10-5 One-way registration of a VLAN attribute
RouterA RouterC
Static vlan 2
Port 4
Port 1 JoinEmpty
JoinEmpty
Port 2 Port 3
RouterB
Static VLAN 2 is created on RouterA. Ports on RouterB and RouterC can join VLAN 2
automatically through one-way registration. The process is as follows:
1. After VLAN 2 is created on RouterA, Port 1 of RouterA starts the Join timer and Hold
timer. When the Hold timer expires, Port 1 sends the first JoinEmpty message to

RouterB. When the Join timer expires, Port 1 restarts the Hold timer. When the Hold
timer expires again, Port 1 sends the second JoinEmpty message.
2. After Port 2 of RouterB receives the first JoinEmpty message, RouterB creates dynamic
VLAN 2 and adds Port 2 to VLAN 2. In addition, RouterB requests Port 3 to start the
Join timer and Hold timer. When the Hold timer expires, Port 3 sends the first JoinEmpty
message to RouterC. When the Join timer expires, Port 3 restarts the Hold timer. When
the Hold timer expires again, Port 3 sends the second JoinEmpty message. After Port 2
receives the second JoinEmpty message, RouterB does not take any action because Port
2 has been added to VLAN 2.
3. After Port 4 of RouterC receives the first JoinEmpty message, RouterC creates dynamic
VLAN 2 and adds Port 4 to VLAN 2. After Port 4 receives the second JoinEmpty
message, RouterC does not take any action because Port 4 has been added to VLAN 2.
4. Every time the LeaveAll timer expires or a LeaveAll message is received, each router
restarts the LeaveAll timer, Join timer, Hold timer, and Leave timer. Then Port 1 repeats
step 1 to send JoinEmpty messages. Port 3 of RouterB sends JoinEmpty messages to
RouterC in the same way.
Two-Way Registration
Figure 10-6 Two-way registration of a VLAN attribute
RouterA RouterC
Static vlan 2 Static vlan 2
Port 4
JoinEmpty
Port 1 JoinIn
JoinIn
JoinEmpty
JoinIn JoinIn
Port 2 Port 3
RouterB
After one-way registration is complete, Port 1, Port 2, and Port 4 are added to VLAN 2 but
Port 3 is not added to VLAN 2 because only ports receiving a JoinEmpty or JoinIn message
can be added to dynamic VLANs. To transmit traffic of VLAN 2 in both directions, VLAN
registration from RouterC to RouterA is required. The process is as follows:
1. After one-way registration is complete, static VLAN 2 is created on RouterC (the
dynamic VLAN is replaced by the static VLAN). Port 4 of RouterC starts the Join timer
and Hold timer. When the Hold timer expires, Port 4 sends the first JoinIn message
(because it has registered VLAN 2) to RouterB. When the Join timer expires, Port 4
restarts the Hold timer. When the Hold timer expires, Port 4 sends the second JoinIn
message.
2. After Port 3 of RouterB receives the first JoinIn message, RouterB adds Port 3 to VLAN
2 and requests Port 2 to start the Join timer and Hold timer. When the Hold timer expires,
Port 2 sends the first JoinIn message to RouterA. When the Join timer expires, Port 2
restarts the Hold timer. When the Hold timer expires again, Port 2 sends the second

JoinIn message. After Port 3 receives the second JoinIn message, RouterB does not take
any action because Port 3 has been added to VLAN 2.
3. When RouterA receives the JoinIn message, it stops sending JoinEmpty messages to
RouterB. Every time the LeaveAll timer expires or a LeaveAll message is received, each
router restarts the LeaveAll timer, Join timer, Hold timer, and Leave timer. Port 1 of
RouterA sends a JoinIn message to RouterB when the Hold timer expires.
4. RouterB sends a JoinIn message to RouterC.
5. After receiving the JoinIn message, RouterC does not create dynamic VLAN 2 because
static VLAN 2 has been created.
One-Way Deregistration
Figure 10-7 One-way deregistration of a VLAN attribute
RouterA RouterC
Static vlan 2
LeaveEmpty Port 4
Port 1
LeaveIn
Port 2 Port 3
RouterB
When VLAN 2 is not required on the routers, the routers can deregister VLAN 2. The process
is as follows:
1. After static VLAN 2 is manually deleted from RouterA, Port 1 of RouterA starts the
Hold timer. When the Hold timer expires, Port 1 sends a LeaveEmpty message to
RouterB. Port 1 needs to send only one LeaveEmpty message.
2. After Port 2 of RouterB receives the LeaveEmpty message, it starts the Leave timer.
When the Leave timer expires, Port 2 deregisters VLAN 2. Then Port 2 is deleted from
VLAN 2, but VLAN 2 is not deleted from RouterB because Port 3 is still in VLAN 2. At
this time, RouterB requests Port 3 to start the Hold timer and Leave timer. When the
Hold timer expires, Port 3 sends a LeaveIn message to RouterC. Static VLAN 2 is not
deleted from RouterC; therefore, Port 3 can receive the JoinIn message sent from Port 4
after the Leave timer expires. In this case, RouterA and RouterB can still learn dynamic
VLAN 2.
3. After RouterC receives the LeaveIn message, Port 4 is not deleted from VLAN 2
because VLAN 2 is a static VLAN on RouterC.

Two-Way Deregistration
Figure 10-8 Two-way deregistration of a VLAN attribute
RouterA RouterC
LeaveEmpty Port 4
Port 1 LeaveEmpty
LeaveEmpty
LeaveIn
Port 2 Port 3
RouterB
To delete VLAN 2 from all the routers, two-way deregistration is required. The process is as
follows:
1. After static VLAN 2 is manually deleted from RouterC, Port 4 of RouterC starts the
Hold timer. When the Hold timer expires, Port 4 sends a LeaveEmpty message to
RouterB.
2. After Port 3 of RouterB receives the LeaveEmpty message, it starts the Leave timer.
dynamic VLAN 2, and dynamic VLAN 2 is deleted from RouterB. At this time, RouterB
requests Port 2 to start the Hold timer. When the Hold timer expires, Port 2 sends a
LeaveEmpty message to RouterA.
3. After Port 1 of RouterA receives the LeaveEmpty message, it starts the Leave timer.
dynamic VLAN 2, and dynamic VLAN 2 is deleted from RouterA.
10.3 Application Scenarios for GVRP

GVRP enables routers on a network to dynamically maintain and update VLAN information.
With GVRP, you can adjust the VLAN deployment on the entire network by configuring only
a few devices. You do not need to analyze the topology and manage configurations. As shown
in Figure 10-9, GVRP is enabled on all devices. Devices are interconnected through trunk
ports and each trunk port allows packets of all VLANs to pass. You simply need to configure
static VLANs 100 to 1000 on RouterA and RouterC. Then the other devices can learn VLANs
100 to 1000 through GVRP.

Figure 10-9 Typical application of GVRP
RouterB
RouterA RouterC
VLAN 100~1000 VLAN 100~1000
10.4 Default Settings for GVRP

GVRP function The GVRP function is disabled globally and on

interfaces.
Registration mode of the GVRP normal

interface
LeaveAll timer 1000 centiseconds
Hold timer 40 centiseconds
Join timer 80 centiseconds
Leave timer 240 centiseconds
10.5 Licensing Requirements and Limitations for GVRP

None
GVRP is a basic feature of a router and is not under license control.
Feature Limitations
When deploying GVRP on the router, pay attention to the following:
l The 4GE-2S, 4ES2G-S, and 4ES2GP-S cards do not support GVRP.
l AR100-S&AR110-S&AR120-S&AR160-S series routers do not support GVRP.

l Among the AR150-S series routers, only AR151-S2 do not support GVRP.
l Among the AR1200-S series routers, only AR1220E-S do not support GVRP.
10.6 Configuring GVRP
10.6.1 Enabling GVRP
Context
Before enabling GVRP on an interface, you must enable GVRP globally. GVRP can be
enabled only on trunk interfaces. You must perform related configurations to ensure that all
dynamically registered VLANs can pass the trunk interfaces.
Procedure
Step 2 Run gvrp
GVRP is enabled globally.
Step 4 Run port link-type trunk
The link type of the interface is set to trunk.
Step 5 Run port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }
The interface is added to the specified VLANs.
Step 6 Run gvrp
GVRP is enabled on the interface.
By default, GVRP is disabled globally and on each interface.
NOTE
The device supports a maximum of 256 dynamic VLANs when using default GARP timers. When the
recommended GARP timer settings are used, the device supports a maximum of 4094 dynamic VLANs.
----End
10.6.2 (Optional) Setting the Registration Mode for a GVRP

Interface
Context
A GVRP interface supports three registration modes:

l Normal: In this mode, the GVRP interface can dynamically register and deregister
VLANs, and transmit dynamic VLAN registration information and static VLAN
registration information.
l Fixed: In this mode, the GVRP interface is disabled from dynamically registering and
deregistering VLANs and can transmit only the static VLAN registration information. If
the registration mode is set to fixed for a trunk interface, the interface allows only the
manually configured VLANs to pass even if it is configured to allow all the VLANs to
pass.
l Forbidden: In this mode, the GVRP interface is disabled from dynamically registering
and deregistering VLANs and can transmit only information about VLAN 1. If the
registration mode is set to forbidden for a trunk interface, the interface allows only
VLAN 1 to pass even if it is configured to allow all the VLANs to pass.
Procedure
Step 3 Run gvrp registration { fixed | forbidden | normal }
The registration mode is set for the interface.
By default, the registration mode of a GVRP interface is normal.
NOTE
Before setting the registration mode for an interface, enable GVRP on the interface.
----End
10.6.3 (Optional) Setting the GARP Timers
Context
When a GARP participant is enabled, the LeaveAll timer is started. When the LeaveAll timer
expires, the GARP participant sends LeaveAll messages to request other GARP participants
to re-register all its attributes. Then the LeaveAll timer restarts.
Devices on a network may have different settings for the LeaveAll timer. In this case, all the
devices use the smallest LeaveAll timer value on the network. When the LeaveAll timer of a
device expires, the device sends LeaveAll messages to other devices. After other devices
receive the LeaveAll messages, they reset their LeaveAll timers. Therefore, only the LeaveAll
timer with the smallest value takes effect even if devices have different settings for the
LeaveAll timer.
When using the garp timer command to set the GARP timers, pay attention to the following
points:
l The undo garp timer command restores the default values of GARP timers. If the
default value of a timer is out of the valid range, the undo garp timer command does
not take effect.

l The value range of each timer changes with the values of the other timers. If a value you
set for a timer is not in the allowed range, you can change the value of the timer that
determines the value range of this timer.
l To restore the default values of all the GARP timers, restore the Hold timer to the default
value, and then sequentially restore the Join timer, Leave timer, and LeaveAll timer to
the default values.
It is recommended that you use the following values for the GARP timers:
l GARP Hold timer: 100 centiseconds (1 second)
l GARP Join timer: 600 centiseconds (6 seconds)
l GARP Leave timer: 3000 centiseconds (30 seconds)
l GARP LeaveAll timer: 12000 centiseconds (2 minutes)
When more than 80 dynamic VLANs are created or more than three devices are running
GARP on the network, set the GARP timer to be larger than or equal to the recommended
value. Otherwise, the device CPU is affected. When the number of dynamic VLANs or GARP
devices increases, increase lengths of the GARP timers. Otherwise, traffic may fail to be
forwarded.
Procedure
Step 2 Run garp timer leaveall timer-value
The value of the LeaveAll timer is set.
The default value of the LeaveAll timer is 1000 centiseconds (10 seconds).
The Leave timer length on an interface is restricted by the global LeaveAll timer length.
When configuring the global LeaveAll timer, ensure that all the interfaces configured with a
GARP Leave timer are working properly.
Step 4 Run garp timer { hold | join | leave } timer-value
The value of the Hold timer, Join timer, or Leave timer is set.
By default, the value of the Hold timer is 40 centiseconds, the value of the Join timer is 80
centiseconds, and the value of the Leave timer is 240 centiseconds.
----End
10.6.4 Verifying the GVRP Configuration
Procedure
l Run the display gvrp status command to view the status of global GVRP.
l Run the display gvrp statistics [ interface { interface-type interface-number [ to
interface-type interface-number ] }&<1-5> ] command to view the GVRP statistics on
an interface.

l Run the display garp timer [ interface { interface-type interface-number [ to interface-

type interface-number ] }&<1-5> ] command to view the values of the GARP timers.
----End
10.7 Clearing GVRP Statistics
Context
GVRP statistics cannot be restored after being cleared. Confirm your action before using this
command.
Procedure
Step 1 Run the reset garp statistics [ interface { interface-type interface-number [ to interface-type
interface-number ] }&<1-10> ] command in the user view to clear GARP statistics on the
specified interfaces.
----End
10.8 Configuration Examples for GVRP
10.8.1 Example for Configuring GVRP
As shown in Figure 10-10, company A, a branch of company A, and company B are
connected using switches. To implement dynamic VLAN registration, enable GVRP. The
branch of company A can communicate with the headquarters using RouterA and RouterB.
Company B can communicate with company A using RouterB and RouterC. Interfaces
connected to company A allow only the VLAN to which company B belongs to pass.

Figure 10-10 Networking diagram of GVRP configuration

RouterB
Eth2/0/1 Eth2/0/2
Eth2/0/1 RouterC
RouterA Eth2/0/1
Company A
Eth2/0/2 Eth2/0/2
Branch of
Company B
company A
1. Enable GVRP to implement dynamic VLAN registration.
2. Configure GVRP on all switch devices of company A and set the registration mode to
normal for the interfaces to simplify configurations.
3. Configure GVRP on all switch devices of company B and set the registration mode to
fixed for the interfaces connecting to company A to allow only the VLAN to which
company B belongs to pass.
Procedure
Step 1 Create VLAN 101 to VLAN 200 on RouterA.
<RouterA> system-view
[RouterA] vlan batch 101 to 200
Step 2 Configure GVRP on Router A.

# Enable GVRP globally.
[RouterA] gvrp
# Set the link type of Eth 2/0/1 and Eth 2/0/2 to trunk, and configure the interfaces to allow all
VLANs to pass through.
[RouterA-Ethernet2/0/1] port trunk allow-pass vlan all
[RouterA-Ethernet2/0/2] port trunk allow-pass vlan all
# Enable GVRP on the interfaces and set the registration modes for the interfaces.
[RouterA-Ethernet2/0/1] gvrp
[RouterA-Ethernet2/0/1] gvrp registration normal

[RouterA-Ethernet2/0/2] gvrp
[RouterA-Ethernet2/0/2] gvrp registration normal
The configuration of RouterB is similar to that of RouterA.

Step 3 Configure RouterC.
# Create VLAN 101 to VLAN 200.
<RouterC> system-view
[RouterC] vlan batch 101 to 200
# Enable GVRP globally.

[RouterC] gvrp
# Set the link type of Eth 2/0/1 and Eth 2/0/2 to trunk, and configure the interfaces to allow all
VLANs to pass through.
[RouterC] interface ethernet 2/0/1
[RouterC-Ethernet2/0/1] port link-type trunk
[RouterC-Ethernet2/0/1] port trunk allow-pass vlan all
[RouterC-Ethernet2/0/1] quit
[RouterC-Ethernet2/0/2] port link-type trunk
[RouterC-Ethernet2/0/2] port trunk allow-pass vlan all
# Enable GVRP on the interfaces and set the registration modes for the interfaces.
[RouterC-Ethernet2/0/1] gvrp
[RouterC-Ethernet2/0/1] gvrp registration fixed
[RouterC-Ethernet2/0/2] gvrp
[RouterC-Ethernet2/0/2] gvrp registration normal

# After the configuration is complete, the branch of Company A can communicate with the
headquarters, and users of Company A in VLAN 101 to VLAN 200 can communicate with
users in Company B.
# Run the display gvrp status command on RouterA to check whether GVRP is enabled
globally. The following information is displayed:
<RouterA> display gvrp status
Info: GVRP is enabled.
# Run the display gvrp statistics command on RouterA to view GVRP statistics, including
the GVRP state of each interface, number of GVRP registration failures, source MAC address
of the last GVRP PDU, and registration mode of each interface.
<RouterA> display gvrp statistics interface ethernet 2/0/1
GVRP statistics on port Ethernet2/0/1
GVRP status : Enabled
GVRP registrations failed : 0
GVRP last PDU origin : 0001-0001-0001
GVRP registration type : Normal
# Verify the configurations of RouterB and RouterC in the same way.
----End

Configuration Files
#
sysname RouterA
#
vlan batch 101 to 200
#
gvrp
#
interface ethernet2/0/1
gvrp
#
gvrp
#
return

#
sysname RouterB
#
gvrp
#
gvrp
#
gvrp
#
return
l Configuration file of RouterC

#
sysname RouterC
#
#
gvrp
#
gvrp
gvrp registration fixed
#
gvrp
#
return

Configuration 11 STP/RSTP Configuration
11 STP/RSTP Configuration
About This Chapter
This chapter describes the concepts and configuration procedures for the Spanning Tree
Protocol (STP) and Rapid Spanning Tree Protocol (RSTP), and provides configuration
examples.
11.1 Overview of STP/RSTP
11.2 Understanding STP/RSTP
11.3 Application Scenarios for STP/RSTP
11.4 Summary of STP/RSTP Configuration Tasks
11.5 Default Settings for STP/RSTP
11.6 Licensing Requirements and Limitations for STP
11.7 Configuring Basic STP/RSTP Functions
You can configure STP/RSTP on an Ethernet network to trim the network into a loop-free tree
topology.
11.8 Setting STP Parameters that Affect STP Convergence
STP cannot implement rapid convergence. However, STP parameters including the network
diameter, timeout interval, Hello timer value, Max Age timer value, and Forward Delay timer
value can affect the STP convergence speed.
11.9 Setting RSTP Parameters that Affect RSTP Convergence
RSTP supports link type and fast transition configuration on ports to implement rapid
convergence.
11.10 Configuring RSTP Protection Functions
Huawei network devices provide the following RSTP protection functions. You can configure
one or more functions.
11.11 Setting Parameters for Interoperation Between Huawei and Non-Huawei Devices
To implement interoperation between Huawei and non-Huawei devices, select the fast
transition mode based on the Proposal/Agreement mechanism of the non-Huawei device.
11.12 Maintaining STP/RSTP

11.13 Configuration Examples for STP/RSTP

This section provides several STP/RSTP configuration examples.
11.14 FAQ About STP/RSTP
11.1 Overview of STP/RSTP
Definition
Generally, redundant links are used on an Ethernet switching network to provide link backup
and enhance network reliability. The use of redundant links, however, may produce loops,
causing broadcast storms and making the MAC address table unstable. As a result, network
communication may encounter quality deterioration or even be interrupted. STP solves this
problem.
STP refers to the spanning tree protocol defined in IEEE 802.1D, RSTP defined in IEEE
802.1W, and the Multiple Spanning Tree Protocol (MSTP) defined in IEEE 802.1S.
MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table 11-1
compares the STP, RSTP, and MSTP protocols.
Table 11-1 Comparison of STP, RSTP, and MSTP

Spanning Characteristics Usage Scenario
Tree
Protocol
STP l A loop-free tree topology is All VLANs share one spanning tree,
formed in an STP region to and users or services do not need to
prevent broadcast storms while be differentiated.
implementing link redundancy.
l Route convergence is slow.
RSTP l A loop-free tree topology is

formed in an STP region to
prevent broadcast storms while
implementing link redundancy.
l RSTP achieves fast network
convergence.
MSTP l In an MSTP region, multiple Traffic in different VLANs is

loop-free trees are generated. forwarded through different spanning
Therefore, broadcast storms are trees for load balancing. The
prevented and redundancy is spanning trees are independent of
achieved. each other. In this situation, users or
l MSTP achieves fast network services are distinguished by
convergence. VLANs.
l MSTP implements load
balancing among VLANs.
Traffic in different VLANs is
transmitted along different paths.

Purpose
After a spanning tree protocol is configured on an Ethernet switching network, the protocol
calculates the network topology to implement the following functions:
l Loop prevention: The spanning tree protocol blocks redundant links to prevent potential
loops on the network.
l Link redundancy: If an active link fails and a redundant link exists, the spanning tree
protocol activates the redundant link to ensure network connectivity.
11.2 Understanding STP/RSTP
11.2.1 Background
STP prevents loops on a local area network (LAN). The switching devices running STP
exchange information with one another to discover loops on the network, and block certain
ports to eliminate loops. With the growth in scale of LANs, STP has become an important
protocol for a LAN.
Figure 11-1 Typical LAN networking
Host A
port1 1 port1 5
2
S1 S2
port2 3 port2 4
Host B
Data flow
On the network shown in Figure 11-1, the following situations may occur:
l Broadcast storms cause a breakdown of the network.
If a loop exists on the network, broadcast storms may occur, leading to a breakdown of
the network. In Figure 11-1, STP is not enabled on the switching devices. If Host A
sends a broadcast request, both S1 and S2 receive the request on port 1 and forward the
request through their port 2. Then, S1 and S2 receive the request forwarded by each
other on port 2 and forward the request through port 1. As this process repeats, resources
on the entire network are exhausted, and the network finally breaks down.

l Assume that no broadcast storm has occurred on the network shown in Figure 11-1.
HostA sends a unicast packet to HostB. If HostB is temporarily removed from the
network at this time, the MAC address entry for HostB will be deleted on S1 and S2. The
unicast packet sent by HostA to HostB is received by port 1 on S1. S1 has no matching
MAC address entry, so the unicast packet is forwarded to port 2. Then port 2 on S2
receives the unicast packet from port 2 on S1 and sends it out through port 1. In addition,
port 1 on S2 also receives the unicast packet sent by HostA to HostB, and sends it out
through port 2. As such transmissions repeat, port 1 and port 2 on S1 and S2
continuously receive unicast packets from HostA. S1 and S2 modify the MAC address
entries continuously, causing the MAC address table to flap. As a result, MAC address
entries are damaged.
11.2.2 Basic Concepts
Root Bridge
A tree topology must have a root. As defined in STP, the device that functions as the root of a
tree network is called the root bridge.
There is only one root bridge on the entire STP network. The root bridge is the logical center
of but is not necessarily at the physical center of the network. The root bridge changes
dynamically with the network topology.
After network convergence, the root bridge generates and sends configuration BPDUs at a
specific interval. Upon receipt of the configuration BPDUs, non-root bridges compare
whether the priority of the received BPDUs is higher than that of their local configuration
BPDUs. If the priority is higher, the non-root bridges update their configuration BPDU
information stored on their STP interfaces based on the information in the received BPDUs. If
the priority is lower, the non-root bridges discard the received configuration BPDUs.
Metrics for Spanning Tree Calculation

A spanning tree is calculated based on the following metrics: bridge ID (BID), port ID (PID),
and path cost.
l BID and PID

According to IEEE 802.1D, a BID is composed of a bridge priority (leftmost 16 bits) and
a bridge MAC address (rightmost 48 bits).
On an STP network, the device with the smallest BID is elected as the root bridge.
IDs are classified into bridge ID (BID) and port ID (PID).
A PID is composed of a port priority (leftmost 4 bits) and a port number (rightmost 12
bits).
The PID is used to select the designated port.
NOTE
The port priority affects the role of a port in a specified spanning tree instance. For details, see
11.2.4 STP Topology Calculation.
l Path cost
The path cost is a port variable used for link selection. STP calculates path costs to select
robust links and blocks redundant links, and finally trims the network into a loop-free
tree topology.

On an STP network, a port's path cost to the root bridge is the sum of the path costs of all
ports between the port and the root bridge. This path cost is the root path cost.
Root Bridge, Root Port, and Designated Port

Three elements are involved in pruning a ring network into a tree network: root bridge, root
port, and designated port. Figure 11-2 shows the three elements in the STP network
architecture.
Figure 11-2 STP network architecture

root
bridge A B S2
PC=100;RPC=0 PC=100;RPC=100
S1
B A
PC=100;RPC=0 PC=99;RPC=100
A B
PC=100;RPC=100 PC=99;RPC=199
S3
B A
PC=200;RPC=100 PC=200;RPC=300 S4
PC: path cost

RPC: root path cost
root port
designated port
blocked port
l Root bridge
The root bridge is the bridge with the smallest BID. The smallest BID is discovered by
exchanging configuration BPDUs.
l Root port
The root port on an STP device is the port with the smallest path cost to the root bridge
and is responsible for forwarding data to the root bridge. An STP device has only one
root port, and there is no root port on the root bridge.
l Designated port
Table 11-2 explains the designated bridge and designated port.

Table 11-2 Designated bridge and designated port

Reference Designated Bridge Designated Port
Object
Device A directly connected device The designated bridge's port that

that forwards configuration forwards configuration BPDUs
BPDUs to the device to the device
LAN A device that forwards The designated bridge's port that

configuration BPDUs to the forwards configuration BPDUs
LAN to the LAN
As shown in Figure 11-3, AP1 and AP2 are ports of S1; BP1 and BP2 are ports of S2;
CP1 and CP2 are ports of S3.
– S1 sends configuration BPDUs to S2 through AP1, so S1 is the designated bridge
for S2, and AP1 is the designated port on S1.
– S2 and S3 are connected to the LAN. If S2 forwards configuration BPDUs to the
LAN, S2 is the designated bridge for the LAN, and BP2 is the designated port on
S2.
Figure 11-3 Designated bridge and designated port

S1
AP1 AP2
BP1 CP1
S2 S3
BP2 CP2
LAN
After the root bridge, root ports, and designated ports are selected successfully, a tree
topology is set up on the entire network. When the topology is stable, only the root port and
designated ports forward traffic. The other ports are in the Blocking state; they only receive
STP BPDUs and do not forward user traffic.
Comparison Principles
During role election, STP devices compare four fields, which form a BPDU priority vector
{root ID, root path cost, sender BID, PID}.
Table 11-3 describes the four fields carried in a configuration BPDU.

Table 11-3 Four fields

Field Description
Root ID ID of the root bridge. Each STP network has only one
root bridge.
Root path cost Path cost to the root bridge. It is determined by the
distance between the port sending the configuration
BPDU and the root bridge.
Sender BID BID of the device that sends the configuration BPDU.
PID PID of the port that sends the configuration BPDU.
After a device on the STP network receives a configuration BPDU, it compares the fields
listed in Table 11-3 with its own values. The four comparison principles are as follows:
l Smallest BID: used to select the root bridge. Devices on an STP network select the
device with the smallest BID based on the root ID field in Table 11-3.
l Smallest root path cost: used to select the root port on a non-root bridge. On the root
bridge, the path cost of each port is 0.
l Smallest sender BID: used to select the root port among ports with the same root path
cost. The port with the smallest BID is selected as the root port in STP calculation. For
example, S2 has a smaller BID than S3 in Figure 11-2. If the BPDUs received on port A
and port B of S4 contain the same root path cost, port B becomes the root port on S4
because the BPDU received on port B has a smaller sender BID.
l Smallest PID: used to determine which port should be blocked when multiple ports have
the same root path cost. The port with the greatest PID is blocked. The PIDs are
compared in the scenario shown in Figure 11-4. The BPDUs received on port A and port
B of S1 contain the same root path cost and sender BID. Port A has a smaller PID than
port B. Therefore, port B is blocked to prevent loops.
Figure 11-4 Scenario where PIDs need to be compared

S1
A B
S2
designated port
blocked port

Port States
Table 11-4 describes the possible states of ports on an STP device.
Table 11-4 STP port states

Port Purpose Description
State
Forwardi A port in Forwarding state can Only the root port and designated port
ng forward user traffic and process can enter the Forwarding state.
BPDUs.
Learning When a port is in Learning state, the This is a transitional state, which is
device creates MAC address entries designed to prevent temporary loops.
based on user traffic received on the
port but does not forward user traffic
through the port.
Listening All ports are in Listening state before This is a transitional state.
the root bridge, root port, and
designated port are selected.
Blocking A port in Blocking state receives and This is the final state of a blocked
forwards only BPDUs, and does not port.
forward user traffic.
Disabled A port in Disabled state does not The port is Down.

process BPDUs or forward user
traffic.
Figure 11-5 shows the state transitions of a port.

Figure 11-5 STP state transitions of a port
Disabled or
Down
①
⑤
Blocking
②
④ ⑤
Listening
③
④ ⑤
Learning
④ ⑤
Forwarding
1 The port is initialized or enabled, and enters the Blocking state.
2 The port is selected as the root or designated port, and enters

the Listening state.
3 When the time for keeping the port in a temporary state is
reached, the port enters the Learning or Forwarding state. The
port is selected as the root or designated port.
4 The port is not the root or designated port, and enters the
blocking state.
5 The port is disabled or the link fails.
NOTE
By default, a Huawei network device uses the MSTP mode. After a device transitions from the MSTP
mode to the STP mode, its STP ports support only those states defined in MSTP, which are Forwarding,
Learning, and Discarding. Table 11-5 describes the three port states.
Table 11-5 MSTP port states

Port Description
State
Forwardi A port in Forwarding state can forward user traffic and process BPDUs.
ng
Learning This is a transitional state. When a port is in Learning state, it can send and
receive BPDUs, but does not forward user traffic. The device creates MAC
address entries based on user traffic received on the port but does not forward
user traffic through the port.

Port Description
State
Discardin A port in the Discarding state can only receive BPDUs.

g
The following parameters affect the STP port states and convergence.
l Hello Time
The Hello Time specifies the interval at which an STP device sends configuration
BPDUs to detect link failures.
When the Hello Time is changed, the new value takes effect only after a new root bridge
is elected. The new root bridge adds the new Hello Time value in BPDUs it sends to
non-root bridges. When the network topology changes, TCN BPDUs are transmitted
immediately, independent of the Hello Time.
l Forward Delay
The Forward Delay timer specifies the length of delay before a port state transition.
When a link fails, STP calculation is triggered and the spanning tree structure changes.
However, new configuration BPDUs cannot be immediately spread over the entire
network. If the new root port and designated port forward data immediately, transient
loops may occur. Therefore, STP defines a port state transition delay mechanism. The
newly selected root port and designated port must wait for two Forward Delay intervals
before transitioning to the Forwarding state. Within this period, the new configuration
BPDUs can be transmitted over the network, preventing transient loops.
The default Forward Delay timer value is 15 seconds. This means that the port stays in
the Listening state for 15 seconds and then stays in the Learning state for another 15
seconds before transitioning to the Forwarding state. The port does not forward user
traffic when it is in the Listening or Learning state, which is key to preventing transient
loops.
l Max Age
The Max Age specifies the aging time of BPDUs. This parameter is configurable on the
root bridge.
The Max Age is spread to the entire network with configuration BPDUs. After a non-
root bridge receives a configuration BPDU, it compares the Message Age value with the
Max Age value in the received configuration BPDU.
– If the Message Age value is smaller than or equal to the Max Age value, the non-
root bridge forwards the configuration BPDU.
– If the Message Age value is larger than the Max Age value, the non-root bridge
discards the configuration BPDU. When this happens, the network size is
considered too large and the non-root bridge disconnects from the root bridge.
If the configuration BPDU is sent from the root bridge, the value of Message Age is 0.
Otherwise, the value of Message Age is the total time spent to transmit the BPDU from
the root bridge to the local bridge, including the transmission delay. In real world
situations, the Message Age value of a configuration BPDU increases by 1 each time the
configuration BPDU passes through a bridge.
Table 11-6 provides the timer values defined in IEEE 802.1D.

Table 11-6 Values of STP timer parameters

Parameter Default Value Value Range
Hello Time 200 centiseconds (2 100-1000

seconds)
Max Age 2000 centiseconds (20 600-4000

seconds)
Forward Delay 1500 centiseconds (15 400-3000

seconds)
11.2.3 BPDU Format

A BPDU carries the BID, root path cost, and PID. There are two types of STP BPDUs:
l Configuration BPDUs are heartbeat packets. STP-enabled designated ports send
configuration BPDUs at Hello intervals.
l Topology Change Notification (TCN) BPDUs are sent only after a device detects a
network topology change.
A BPDU is encapsulated in an Ethernet frame. Its destination MAC address is a multicast
MAC address 01-80-C2-00-00-00. The Length field specifies the MAC data length, and is
followed by the LLC header. Figure 11-6 shows the Ethernet frame format.
Figure 11-6 Format of an Ethernet frame

6 bytes 6 bytes 2 bytes 3 bytes 38-1492 bytes 4 bytes
DMAC SMAC Length LLC BPDU Data CRC
Configuration BPDU
Configuration BPDUs are used most commonly and are sent to exchange topology
information among STP devices.
During initialization, each bridge actively sends configuration BPDUs. After the network
topology becomes stable, the designated port of each device periodically sends configuration
BPDUs. A configuration BPDU is at least 35 bytes long, including the parameters such as the
BID, path cost, and PID. A BPDU is discarded if both the sender BID and Port ID field values
are the same as those of the local port. Otherwise, the BPDU is processed. In this manner,
BPDUs containing the same information as that of the local port are not processed.
A configuration BPDU is sent in one of the following scenarios:
l After STP is enabled on ports of a device, the designated port on the device sends
configuration BPDUs at Hello intervals.
l When a root port receives a configuration BPDU with a priority higher than that of its
own configuration BPDU, the device where the root port resides updates the
configuration BPDU information stored on its STP ports based on the information in the
received configuration BPDU and sends the information to a downstream device through

a designated port. In contrast, if the root port receives a configuration BPDU with a
priority lower than that of its own configuration BPDU, the root port discards the
received configuration BPDU.
l When a designated port receives an inferior configuration BPDU, the designated port
immediately sends its own configuration BPDU to the downstream device.
Table 11-7 describes fields in a BPDU.
Table 11-7 Fields in a BPDU

Field Byte Description
s
Protocol Identifier 2 The value is fixed at 0, representing a spanning tree

protocol.
Protocol Version 1 The value is fixed at 0, representing the STP protocol

Identifier
BPDU Type 1 Indicates the type of a BPDU. The value is one of the
following:
l 0x00: configuration BPDU
l 0x80: TCN BPDU
Flags 1 Indicates whether the network topology has changed.

l The rightmost bit is the Topology Change (TC) flag.
l The leftmost bit is the Topology Change
Acknowledgment (TCA) flag.
Root Identifier 8 Indicates the BID of the current root bridge.
Root Path Cost 4 Indicates the accumulated path cost from a port to the root
bridge.
Bridge Identifier 8 Indicates the BID of the bridge that sends the BPDU.
Port Identifier 2 Indicates the ID of the port that sends the BPDU.
Message Age 2 Records the time that has elapsed since the original BPDU
was generated on the root bridge.
If the configuration BPDU is sent from the root bridge, the
value of Message Age is 0. Otherwise, the value of Message
Age is the total time spent to transmit the BPDU from the
root bridge to the local bridge, including the transmission
delay. In real world situations, the Message Age value of a
configuration BPDU increases by 1 each time the
configuration BPDU passes through a bridge.
Max Age 2 Indicates the aging time of a BPDU.
Hello Time 2 Indicates the interval at which BPDUs are sent.
Forward Delay 2 Indicates the period during which a port stays in the
Listening and Learning states.

Figure 11-7 shows the Flags field. Only the leftmost and rightmost bits are used in STP.
Figure 11-7 Format of the Flags field
Reserved
Bit7 Bit0
TCA (Topology Change TC (Topology

Acknowledgment flag) Change flag)
TCN BPDU
A TCN BPDU contains only three fields: Protocol Identifier, Version, and Type, as shown in
Table 11-7. The Type field is four bytes long and is fixed at 0x80.
When the network topology changes, TCN BPDUs are transmitted upstream until they reach
the root bridge. A TCN BPDU is sent in either of the following scenarios:
l A port transitions to the Forwarding state.
l A designated port receives a TCN BPDU and sends a copy to the root bridge.
11.2.4 STP Topology Calculation

After STP is enabled on all devices on a network, all devices consider themselves the root
bridge. They only transmit and receive BPDUs and do not forward user traffic. All ports on
the devices are in Listening state. Then the devices select the root bridge, root ports, and
designated ports based on configuration BPDUs.
BPDU Exchange
Figure 11-8 shows the initial information exchange process. The four parameters in a pair of
brackets represent the root ID (S1_MAC and S2_MAC are BIDs of the two devices), root
path cost, sender BID, and PID carried in configuration BPDUs. Configuration BPDUs are
sent at Hello intervals.
Figure 11-8 Initial BPDU exchange
{S1_MAC,0,S1_MAC,A_PID}
A B
S1 {S2_MAC,0,S2_MAC,B_PID} S2
STP Algorithm Implementation

1. Initialization

Because each bridge considers itself the root bridge, the BPDU sent from a port is set as
follows:
The root ID is the BID of the local bridge, the root path cost is 0, the sender BID is the
BID of the local bridge, and the PID is the ID of the port that sends the BPDU.
2. Root bridge election
During network initialization, every device considers itself the root bridge and sets the
root ID to its own BID. Then devices exchange configuration BPDUs and compare their
root IDs to find the device with the smallest BID, which finally becomes the root bridge.
3. Root port and designated port selection
Table 11-8 describes the process of selecting the root port and designated port.
Table 11-8 Selecting the root port and designated port

Ste Process
p
1 A non-bridge device selects the port that receives the optimal configuration
BPDU as the root port. Table 11-9 describes the process of selecting the optimal
configuration BPDU.
2 The device generates a configuration BPDU for each port and calculates the
fields in the configuration BPDU based on the configuration BPDU on the root
port and path cost of the root port:
l Replaces the root ID with the root ID in the configuration BPDU on the root
port.
l Replaces the root path cost with the sum of the root path cost in
configuration BPDU on the root port and the path cost of the root port.
l Replaces the sender BID with the local BID.
l Replaces the PID with the local port ID.
3 The device compares the calculated configuration BPDU with the configuration
BPDU received on the port:
l If the calculated configuration BPDU is superior, the port is selected as the
designated port and periodically sends the calculated configuration BPDU.
l If the port's own configuration BPDU is superior, the configuration BPDU
on the port is not updated and the port is blocked. After that, the port only
receives BPDUs, and does not forward data or send BPDUs.

Table 11-9 Selecting the optimal configuration BPDU

Ste Process
p
1 Each port compares the received configuration BPDU with its own
configuration BPDU:
l If the received configuration BPDU is inferior, the port discards the received
configuration BPDU and does not retain its own configuration BPDU.
l If the received configuration BPDU is superior, the port replaces its own
configuration BPDU with the received one.
2 The device compares configuration BPDUs on all the ports and selects the
optimal one.
Example of STP Topology Calculation

After the root bridge, root ports, and designated ports are selected successfully, a tree
topology is set up on the entire network. The following example illustrates how STP
calculation is implemented.
Figure 11-9 STP networking and calculated topology
DeviceA
DeviceA
Priority=0 Root
Bridge
Port A1 Port A2
STP Topology
5
Pa
st=
Calculation
th
co
co
th
s
Pa
t=1
Port B1 Port C1
0
Path cost=4
Port B2 Port C2
DeviceB DeviceC DeviceB DeviceC
Priority=1 Priority=2
root port
designated port
blocked port
As shown in Figure 11-9, DeviceA, DeviceB, and DeviceC are deployed on the network, with
priorities 0, 1, and 2, respectively. The path costs between DeviceA and DeviceB, DeviceA
and DeviceC, and DeviceB and DeviceC are 5, 10, and 4, respectively.
1. Initial state of each device

Table 11-10 lists the initial state of each device.

Table 11-10 Initial state of each device

Device Port Configuration BPDU
DeviceA Port A1 {0, 0, 0, Port A1}
Port A2 {0, 0, 0, Port A2}
DeviceB Port B1 {1, 0, 1, Port B1}
Port B2 {1, 0, 1, Port B2}
DeviceC Port C1 {2, 0, 2, Port C1}
Port C2 {2, 0, 2, Port C2}
2. Configuration BPDU comparison and result

Table 11-11 describes configuration BPDU comparison process and result.
NOTE
The fields in a configuration BPDU are {root ID, root path cost, sender BID, PID}.
Table 11-11 Topology calculation process and result

Dev Comparison Configuration BPDU
ice After Comparison
Devi l Port A1 receives the configuration BPDU {1, l Port A1: {0, 0, 0, Port
ceA 0, 1, Port B1} from Port B1 and finds it A1}
inferior to its own configuration BPDU {0, 0, l Port A2: {0, 0, 0, Port
0, Port A1}, so Port A1 discards the received A2}
configuration BPDU.
l Port A2 receives the configuration BPDU {2,
0, 2, Port C1} from Port C1 and finds it
inferior to its own configuration BPDU {0, 0,
0, Port A2} superior, so Port A2 discards the
received configuration BPDU.
l DeviceA finds that the root bridge and
designated bridge specified in the
configuration BPDUs on its ports are both
itself. Therefore, DeviceA considers itself as
the root bridge and periodically sends
configuration BPDUs from each port without
modifying the BPDUs.


Devi l Port B1 receives the configuration BPDU {0, l Port B1: {0, 0, 0, Port
ceB 0, 0, Port A1} from Port A1 and finds it A1}
superior to its own configuration BPDU {0, l Port B2: {1, 0, 1, Port
0, 0, Port B1}, so Port B1 updates its B2}
configuration BPDU.
l Port B2 receives the configuration BPDU {2,
0, 2, Port C2} from Port C2 and finds it
inferior to its own configuration BPDU {1, 0,
1, Port B2}, so Port B2 discards the received
configuration BPDU.
l DeviceB compares the configuration BPDU l Root port (Port B1):

on each port and finds that Port B1 has {0, 0, 0, Port A1}
optimal configuration BPDU. DeviceB l Designated port (Port
selects Port B1 as the root port and retains the B2): {0, 5, 1, Port B2}
configuration BPDU on Port B1.
l DeviceB calculates the configuration BPDU
{0, 5, 1, Port B2} for Port B2 based on the
configuration BPDU and path cost of the root
port, and compares the calculated
configuration BPDU with the original
configuration BPDU {1, 0, 1, Port B2} on
Port B2. The calculated configuration BPDU
is superior to the original one, so DeviceB
selects Port B2 as the designated port,
replaces Port B2's configuration BPDU with
the calculated one, and periodically sends the
configuration BPDU from Port B2.
Devi l Port C1 receives the configuration BPDU {0, l Port C1: {0, 0, 0, Port
ceC 0, 0, Port A2} from Port A2 and finds it A2}
superior to its own configuration BPDU {0, l Port C2: {1, 0, 1, Port
0, 0, Port C1}, so Port C1 updates its B2}
configuration BPDU.
l Port C2 receives the configuration BPDU {1,
0, 1, Port B2} from Port B2 and finds it
superior to its own configuration BPDU {1,
0, 1, Port C2}, so Port C2 updates its
configuration BPDU.


l DeviceC compares the configuration BPDU l Root port (Port C1):

on each port and finds that the configuration {0, 0, 0, Port A2}
BPDU on Port C1 is optimal. DeviceC selects l Designated port (Port
Port C1 as the root port and retains the C2): {0, 10, 2, Port
configuration BPDU on Port C1. C2}
l DeviceC calculates the configuration BPDU
{0, 10, 2, Port C2} for Port C2 based on the
port, and compares the calculated
configuration BPDU with the original
configuration BPDU {1, 0, 1, Port B2} on
Port C2. The calculated configuration BPDU
is superior to the original one, so DeviceC
selects Port C2 as the designated port and
replaces its configuration BPDU with the
calculated one.
l Port C2 receives the configuration BPDU {0, l Port C1: {0, 0, 0, Port
5, 1, Port B2} from Port B2 and finds it A2}
superior to its own configuration BPDU {0, l Port C2: {0, 5, 1, Port
10, 2, Port C2}, so Port C2 updates its B2}
configuration BPDU.
l Port C1 receives the configuration BPDU {0,
0, 0, Port A2} from Port A2 and finds it the
same as its own configuration BPDU, so Port
C1 discards the received configuration
BPDU.


l The root path cost of Port C1 is 10 (root path l Blocked port (Port C1):
cost 0 in the received configuration BPDU {0, 0, 0, Port A2}
plus the link patch cost 10), and the root path l Root port (Port C2):
cost of Port C2 is 9 (root path cost 5 in the {0, 5, 1, Port B2}
received configuration BPDU plus the link
patch cost 4). DeviceC finds that Port C2 has
a smaller root path cost and therefore
considers the configuration BPDU of Port C2
superior to that of Port C1. DeviceC then
selects Port C2 as the root port and retains its
configuration BPDU.
l DeviceC calculates the configuration BPDU
{0, 9, 2, Port C1} for Port C1 based on the
port, and finds the calculated configuration
BPDU inferior to the original configuration
BPDU {0, 0, 0, Port A2} on Port C2.
DeviceC blocks Port C1 and does not update
its configuration BPDU. Port C1 no longer
forwards data until STP recalculation is
triggered, for example, when the link between
DeviceB and DeviceC is Down.
After the topology becomes stable, the root bridge still sends configuration BPDUs at a
specific interval set by the Hello timer. Upon receipt of the configuration BPDUs, non-root
bridges compare whether the priority of the received BPDUs is higher than that of their local
configuration BPDUs. If the priority is higher, the non-root bridges update their configuration
BPDU information stored on their STP interfaces based on the information in the received
BPDUs. If the priority is lower, the non-root bridges discard the received configuration
BPDUs.
STP Topology Changes

Figure 11-10 shows the packet transmission process after an STP topology change.

Figure 11-10 Packet transmission after a topology change

Root Bridge Root Bridge
T
A topology change is generated on 2nd Step:The root advertises the TC
Point T. 1st Step: A TCN is going for max_age+ forward delay
up to the root.
1. When the status of the interface at point T changes, a downstream device continuously
sends TCN BPDUs to the upstream device.
2. The upstream device processes only the TCN BPDUs received on the designated port
and drops TCN BPDUs on other ports.
3. The upstream device sets the TCA bit of the Flags field in the configuration BPDUs to 1
and returns the configuration BPDUs to instruct the downstream device to stop sending
TCN BPDUs.
4. The upstream device sends a copy of the TCN BPDUs toward the root bridge.
5. Steps 1, 2, 3 and 4 are repeated until the root bridge receives the TCN BPDUs.
6. The root bridge sets the TC bit of the Flags field in the configuration BPDUs to 1 to
instruct the downstream devices to delete MAC address entries.
NOTE
l TCN BPDUs are used to inform the upstream device and root bridge of topology changes.
l Configuration BPDUs with the TCA bit set to 1 are used by the upstream device to inform the
downstream device that the topology changes are known and instruct the downstream device to stop
sending TCN BPDUs.
l Configuration BPDUs with the TC bit set to 1 are used by the upstream device to inform the
downstream device of topology changes and instruct the downstream device to delete MAC address
entries. In this manner, fast network convergence is achieved.
11.2.5 Improvements in RSTP

In 2001, IEEE 802.1w was published to introduce the Rapid Spanning Tree Protocol (RSTP),
an extension of the Spanning Tree Protocol (STP). RSTP was developed based on STP and
makes supplements and modifications to STP.
Disadvantages of STP
STP ensures a loop-free network but has a slow network topology convergence speed, leading
to service quality deterioration. If the network topology changes frequently, connections on
the STP network are frequently torn down, causing frequent service interruption. This is
unacceptable to users.

STP has the following disadvantages:

l STP does not distinguish port states and port roles clearly, making it difficult for less
experienced administrators to learn and deploy this protocol.
A network protocol that clearly defines and distinguishes different situations outperforms
the others that fail to do so.
– Ports in the Listening, Learning, and Blocking states are the same to users because
they are all prevented from forwarding service traffic.
– From the perspective of port use and configuration, the essential differences
between ports lie in the port roles rather than port states.
Both root and designated ports can be in Listening state or Forwarding state, so the
ports cannot be distinguished by their states.
l The STP algorithm determines topology changes after the timer expires, which slows
down network convergence.
l The STP algorithm requires that the root bridge should send configuration BPDUs after
the network topology becomes stable, and other devices process and spread the
configuration BPDUs to the entire network. This also slows down topology convergence.
Improvements Made in RSTP

RSTP deletes three port states, defines two new port roles, and distinguishes port attributes
based on port states and roles. In addition, RSTP provides enhanced features and protection
measures to ensure network stability and fast convergence.
l More port roles are defined to simplify the learning and deployment of the protocol.

Figure 11-11 Diagram of port roles

S1
root bridge
B A
S2 S3
A A a
S1
root bridge
B A
S2 S3
A a
B A
b
root port
designated port
Alternate port
Backup port
As shown in Figure 11-11, RSTP defines four port roles: root port, designated port,
alternate port, and backup port.
The functions of the root port and designated port are the same as those defined in STP.
The alternate port and backup port are described as follows:
– From the perspective of configuration BPDU transmission:
n An alternate port is blocked after learning a configuration BPDU sent by
another bridge.
n A backup port is blocked after learning a configuration BPDU sent by itself.
– From the perspective of user traffic:
n An alternate port acts as a backup of the root port and provides an alternate
path from the designated bridge to the root bridge.
n A backup port acts as a backup of the designated port and provides a backup
path from the root bridge to the related network segment.
After roles of all RSTP ports are determined, the topology convergence is
completed.

l RSTP redefines port states.

RSTP deletes two port states defined in STP and reduces the number of port states to 3.
Depending on whether a port can forward user traffic and learn MAC addresses, the port
may be in any of the following states:
– If the port does not forward user traffic or learn MAC addresses, it is in the
Discarding state.
– If the port does not forward user traffic but learns MAC addresses, it is in the
Learning state.
– If the port forwards user traffic and learns MAC addresses, it is in the Forwarding
state.
Table 11-12 compares the port states defined in STP and RSTP. Port states are not
necessarily related to port roles. Table 11-12 lists possible states for different port roles.
Table 11-12 Comparison between port states defined in STP and RSTP
STP Port State RSTP Port State Port Role
Forwarding Forwarding Root port or designated port
Learning Learning Root port or designated port
Listening Discarding Root port or designated port
Blocking Discarding Alternate port or backup port
Disabled Discarding -
l RSTP changes the configuration BPDU format and uses the Flags field to describe port
roles.
RSTP retains the basic configuration BPDU format defined in STP and makes minor
changes:
– The value of the Type field is changed from 0 to 2. Devices running STP will drop
the configuration BPDUs sent from devices running RSTP.
– The Flags field uses the six bits reserved in STP. This configuration BPDU is called
an RST BPDU. Figure 11-12 shows the Flags field in an RST BPDU.
Figure 11-12 Format of the Flags field in an RST BPDU
Bit7 Bit6 Bit5 Bit4 Bit3 Bit2 Bit1 Bit0

TCA Agreement Forwarding Learning Port role Proposal TC
Topology Change Topology

Acknowledgment flag Change flag
Port role = 00 Unknown
01 Alternate/Backup port
10 Root port
11 Designated port
l Configuration BPDUs are processed in a different way.

– Configuration BPDU transmission

In STP, the root bridge sends configuration BPDUs at Hello intervals after the
topology becomes stable. Non-root bridges send configuration BPDUs only after
they receive configuration BPDUs from upstream devices. This complicates the
STP calculation and slows down network convergence. RSTP allows non-root
bridges to send configuration BPDUs at Hello time intervals after the topology
becomes stable, regardless of whether they have received configuration BPDUs
from the root bridge.
– BPDU timeout period
In STP, a device has to wait a Max Age period before determining a negotiation
failure. In RSTP, a device determines that the negotiation between its port the
upstream device has failed if the port does not receive any configuration BPDUs
sent from the upstream device for three consecutive Hello intervals.
– Processing of inferior BPDUs
When an RSTP port receives an RST BPDU from the upstream designated bridge,
the port compares the received RST BPDU with its own RST BPDU.
If its own RST BPDU is superior to the received one, the port discards the received
RST BPDU and immediately responds to the upstream device with its own RST
BPDU. After receiving the RST BPDU, the upstream device replaces its own RST
BPDU with the received RST BPDU.
In this manner, RSTP processes inferior BPDUs more rapidly, independent of any
timer.
l Rapid convergence
– Proposal/agreement mechanism
In STP, a port that is selected as a designated port needs to wait at least one Forward
Delay interval (Learning state) before it enters the Forwarding state. In RSTP, such
a port enters the Discarding state, and then the proposal/agreement mechanism
allows the port to immediately enter the Forwarding state. The proposal/agreement
mechanism must be applied on P2P links in full-duplex mode.
For details, see 11.2.6 RSTP Technology Details.
– Fast switchover of the root port
If a root port fails, the best alternate port becomes the root port and enters
Forwarding state. This is because the network segment connected to this alternate
port has a designated port connected to the root bridge.
When the port role changes, the network topology changes accordingly. For details,
see 11.2.6 RSTP Technology Details.
– Edge ports
In RSTP, a designated port on the network edge is called an edge port. An edge port
directly connects to a terminal and does not connect to any other switching devices.
An edge port cannot receive or process configuration BPDUs and does not
participate in RSTP calculation. This port can transition from Disable to
Forwarding state immediately without a delay. An edge port becomes a common
STP port once it is connected to a switching device and receives a configuration
BPDU. The spanning tree needs to be recalculated, causing network flapping.
l Protection functions
Table 11-13 describes protection functions provided by RSTP.

Table 11-13 Protection functions

Protectio Scenario Principle
n
Function
BPDU On a switching device, ports BPDU protection enables a switching

protection directly connected to a user device to set the state of an edge port to
terminal such as a PC or file error-down if the edge port receives an
server are edge ports. RST BPDU. In this case, the port
Usually, no RST BPDUs are remains the edge port, and the switching
sent to edge ports. If a device sends a notification to the NMS.
switching device receives
bogus RST BPDUs on an
edge port, the switching
device automatically sets the
edge port to a non-edge port
and performs STP
calculation. This causes
network flapping.
Root The root bridge on a network If root protection is enabled on a

protection may receive superior RST designated port, the port role cannot be
BPDUs due to incorrect changed. When the designated port
configurations or malicious receives a superior RST BPDU, the port
attacks. When this occurs, the enters the Discarding state and does not
root bridge can no longer forward packets. If the port does not
serve as the root bridge, receive any superior RST BPDUs within
causing an incorrect change a period (generally two Forward Delay
of the network topology. As a periods), the port automatically enters
result, traffic may be the Forwarding state.
switched from high-speed NOTE
links to low-speed links, Root protection takes effect only on
leading to network designated ports.
congestion.

Protectio Scenario Principle

n
Function
Loop On an RSTP network, a Loop protection can be enabled on the

protection switching device maintains root and alternate port of a switching
the states of the root port and device. If the root port or alternate port
blocked ports based on RST does not receive any RST BPDUs from
BPDUs received from the the upstream switching device for a
upstream switching device. specific period of time, the switching
If the ports cannot receive device can send a notification to the
RST BPDUs from the NMS. (The root port enters the
upstream switching device Discarding state in this case.) The
because of link congestion or blocked port remains in the Blocking
unidirectional link failures, state and does not forward packets,
the switching device re- preventing loops on the network. The
selects a root port. Then, the root port or alternate port restores the
previous root port becomes a Forwarding state after receiving new
designated port and the RST BPDUs.
blocked ports change to the NOTE
Forwarding state. As a result, Loop protection takes effect only on the root
port and alternate ports.
loops may occur on the
network.
TC A switching device deletes its After enabling TC BPDU attack defense

BPDU MAC address entries and on a switching device, you can set the
attack ARP entries after receiving number of times the device processes TC
defense TC BPDUs. If an attacker BPDUs within a given time. If the
sends a large number of number of TC BPDUs that the switching
bogus TC BPDUs to the device receives within the given time
switching device in a short exceeds the specified threshold, the
time, the device frequently switching device processes only the
deletes MAC address entries specified number of TC BPDUs. Excess
and ARP entries. This TC BPDUs are processed by the
increases the load of the switching device as a whole after the
switching device and specified period expires. This function
threatens network stability. prevents the switching device from
frequently deleting its MAC address
entries and ARP entries.
11.2.6 RSTP Technology Details

The Proposal/Agreement mechanism enables a designated port to enter the Forwarding state
quickly. As shown in Figure 11-13, root bridge S1 establishes a link with S2. On S2, p2 is an
alternate port; p3 is a designated port and is in the Forwarding state; p4 is an edge port.

Figure 11-13 Proposal/Agreement negotiation process
S1
p0 1 Proposal
3 Agreement
p1
S2
p2 E p4
p3
2 sync 2 sync 2 sync

(leaves the port (blocks the (leaves the port
status unchanged) port) status unchanged)
designated port
alternate port
E edge port
The Proposal/Agreement mechanism works as follows:

1. p0 and p1 become designated ports and send RST BPDUs to each other.
2. The RST BPDU sent from p0 is superior to that of p1, so p1 becomes a root port and
stops sending RST BPDUs.
3. p0 enters the Discarding state and sets the Proposal field in its RST BPDU to 1.
4. After S2 receives an RST BPDU with the Proposal field set to 1, it sets the sync variable
to 1 for all its ports.
5. As p2 has been blocked, its state remains unchanged. p4 is an edge port and does not
participate in calculation. Therefore, only the non-edge designated port p3 needs to be
blocked.
6. After the synced variable of each port is set to 1, p2 and p3 enter the Discarding state,
and p1 enters the Forwarding state and returns an RST BPDU with the Agreement field
being set to 1 to S1.
7. After S1 receives this RST BPDU, it identifies that the RST BPDU is a response to the
proposal that it has sent. Then p0 immediately enters the Forwarding state.
The proposal/agreement process can proceed to downstream devices.
STP can select designated ports quickly; however, to prevent loops, all ports must wait at least
one Forward Delay interval before starting data forwarding. RSTP blocks non-root ports to
prevent loops and uses the proposal/agreement mechanism to shorten the time that an
upstream port waits before transitioning to the Forwarding state.

NOTE
The proposal/agreement mechanism applies only to P2P full-duplex links between two switching
devices. When proposal/agreement fails, a designated port is elected after two Forward Delay intervals,
same as designated port election in STP mode.
RSTP Topology Changes

RSTP considers that the network topology has changed when a non-edge port transitions to
the Forwarding state.
When detecting a topology change, RSTP devices react as follows:
l The local device starts a TC While timer on each non-edge designated port. The TC
While timer value is two times the Hello timer value.
Within the TC While time, the local device clears MAC address entries learned on ports
whose states have changed.
At the same time, these ports send out RST BPDUs with the TC bit set to 1. When the
TC While timer expires, the ports stop sending RST BPDUs.
l When other switching devices receive RST BPDUs, they clear MAC address entries
learned on all their ports except the ports that receive the RST BPDUs. These switching
devices also start a TC While timer on each non-edge designated port and repeat the
preceding process.
RST BPDUs are then flooded on the entire network.
Interoperability with STP

RSTP can interoperate with STP, but its advantages such as fast convergence are lost when it
interoperates with STP.
On a network with both STP-capable and RSTP-capable devices, STP-capable devices drop
RST BPDUs. If a port on an RSTP-capable device receives a configuration BPDU from an
STP-capable device, the port switches to the STP mode and starts to send configuration
BPDUs after two Hello intervals.
After STP-capable devices are removed, Huawei RSTP-capable devices can switch back to
the RSTP mode.
11.3 Application Scenarios for STP/RSTP
STP Application
Loops often occur on a complex network, because multiple physical links are often deployed
between two devices to implement link redundancy. Loops may cause broadcast storms and
damage MAC address entries on network devices.

Figure 11-14 Typical STP application
Network
PE1 Root PE2

Bridge
STP
CE1 CE2
PC1 PC2
Blocked port
As shown in Figure 11-14, STP is deployed on the devices. The devices exchange
information to discover loops on the network and block a port to trim the ring topology into a
loop-free tree topology. The tree topology prevents infinite looping of packets on the network
and ensures packet processing capabilities of the devices.
11.4 Summary of STP/RSTP Configuration Tasks

Table 11-14 summarizes STP/RSTP configuration tasks.
Table 11-14 STP/RSTP configuration tasks

Task Description
11.7 Configuring Basic STP/RSTP Configure STP/RSTP on switching devices

Functions on a network to trim the network into a tree
topology free from loops.

Task Description
11.8 Setting STP Parameters that Affect STP cannot implement rapid convergence.
STP Convergence However, you can set STP parameters,
including the network diameter, timeout
interval, Hello timer value, Max Age timer
value, and Forward Delay timer value to
speed up convergence.
11.9 Setting RSTP Parameters that Affect RSTP supports link type and fast transition
RSTP Convergence configuration on ports to implement rapid
convergence.
11.10 Configuring RSTP Protection You can configure one or more functions
Functions RSTP protection functions on a Huawei
device.
11.11 Setting Parameters for To implement interoperation between a

Interoperation Between Huawei and Non- Huawei device and a non-Huawei device,
Huawei Devices select the fast transition mode based on the
Proposal/Agreement mechanism of the non-
Huawei device.
11.5 Default Settings for STP/RSTP
Working mode MSTP
STP/RSTP status Enabled globally and on an interface
Switching device priority 32768
Port priority 128
Algorithm used to calculate the dot1t, IEEE 802.1t

path cost
Forward Delay 1500 centiseconds (15 seconds)
Hello Time 200 centiseconds (2 seconds)
Max Age 2000 centiseconds (20 seconds)
11.6 Licensing Requirements and Limitations for STP

None

STP is a basic feature of a router and is not under license control.
Feature Limitations
None.
11.7 Configuring Basic STP/RSTP Functions

You can configure STP/RSTP on an Ethernet network to trim the network into a loop-free tree
topology.
11.7.1 Configuring the STP/RSTP Mode
Context
A switching device supports three working modes: STP, RSTP, and MSTP. Use the STP mode
on a ring network running only STP, and use the RSTP mode on a ring network running only
RSTP.
Procedure
Step 2 Run stp mode { stp | rstp }
The working mode of the switching device is set to STP or RSTP.
By default, the working mode of a switching device is MSTP. MSTP is compatible with STP
and RSTP.
----End
11.7.2 (Optional) Configuring the Root Bridge and Secondary

Root Bridge
Context
The root bridge of a spanning tree is automatically calculated. You can also manually specify
a root bridge or secondary root bridge.
l A spanning tree can have only one effective root bridge. When two or more devices are
specified as root bridges for a spanning tree, the device with the smallest MAC address is
elected as the root bridge.
l You can specify multiple secondary root bridges for each spanning tree. When the root
bridge fails or is powered off, a secondary root bridge becomes the new root bridge. If a
new root bridge is specified, the secondary root bridge will not become the root bridge.
If there are multiple secondary root bridges, the one with smallest MAC address
becomes the root bridge of the spanning tree.

NOTE
It is recommended that you specify the root bridge and secondary root bridge when configuring STP/
RSTP.
Procedure
l Perform the following operations on the device you want to use as the root bridge.
a. Run system-view
b. Run stp root primary
The device is configured as the root bridge.
By default, a switching device does not function as the root bridge. After you run
this command, the priority value of the device is set to 0 and cannot be changed.
l Perform the following operations on the device you want to use as the secondary root
bridge.
a. Run system-view
b. Run stp root secondary
The device is configured as the secondary root bridge.
By default, a switching device does not function as the secondary root bridge. After
you run this command, the priority value of the device is set to 4096 and cannot be
changed.
----End
11.7.3 (Optional) Setting a Priority for a Switching Device

Context
An STP/RSTP network can have only one root bridge, which is the logical center of the
spanning tree. The root bridge should be a high-performance switching device deployed at a
high network layer; however, such a device may not have the highest priority on the network.
Therefore; you need to set a high priority for such a device to ensure that it can be selected as
the root bridge.
Because low-performance devices at lower network layers are not suitable as the root bridge,
set low priorities for these devices.
A smaller priority value indicates a higher priority of the switching device. The switching
device with a higher priority is more likely to be elected as the root bridge.
Procedure
Step 2 Run stp priority priority
A priority is set for the switching device.

The default priority value of a switching device is 32768.

If the stp root primary or stp root secondary command has been executed to configure the
device as the root bridge or secondary root bridge, run the undo stp root command to disable
the root bridge or secondary root bridge function and then run the stp priority priority
command to set a priority.
----End
11.7.4 (Optional) Setting a Path Cost for a Port

Context
The path cost value range is determined by the calculation method. After the calculation
method is determined, it is recommended that you set smaller path cost values for the ports
with higher link rates.
In the Huawei calculation method, the link rate determines the recommended value for the
path cost. Table 11-15 lists the recommended path costs for ports with different link rates.
Table 11-15 Mappings between link rates and path cost values
Link Rate Recommended Recommended Allowable Path
Path Cost Path Cost Range Cost Range
10 Mbit/s 2000 200 to 20000 1 to 200000
100 Mbit/s 200 20 to 2000 1 to 200000
1 Gbit/s 20 2 to 200 1 to 200000
10 Gbit/s 2 2 to 20 1 to 200000
Over 10 Gbit/s 1 1 to 2 1 to 200000
If a network has loops, it is recommended that you set a large path cost for ports with low link
rates. STP/RSTP then blocks these ports.
Procedure
Step 2 (Optional) Run stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is specified.
By default, the IEEE 802.1t standard (dot1t) is used to calculate the path costs.
All Layer 2 switches enabled with STP or RSTP on the same network must use the same path
cost calculation algorithm.
The view of an interface participating in STP calculation is displayed.

Step 4 Run stp cost cost

A path cost is set for the interface.
l When the Huawei calculation method is used, cost ranges from 1 to 200000.
l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.
----End
11.7.5 (Optional) Setting a Priority for a Port

Context
In spanning tree calculation, priorities of the ports in a ring affect designated port election.
To block a port on a switching device, set a greater priority value than the default priority
value for the port.
Procedure
Step 3 Run stp port priority priority
A priority is set for the interface.
The default priority value of a port on a switching device is 128.
----End
11.7.6 Enabling STP/RSTP

Context
After STP/RSTP is enabled on a ring network, spanning tree calculation starts immediately on
the network. Configurations on a switching device, such as the device priority and port
priority, affect spanning tree calculation. Any change to the configurations may cause network
flapping. To ensure rapid, stable spanning tree calculation, perform basic configuration on the
switching device and its ports before enabling STP/RSTP.
Procedure
l Enable STP/RSTP on a switching device.
a. Run system-view
b. Run stp enable
STP/RSTP is enabled on the switching device.

By default, STP/RSTP is enabled on a router.

l Enable STP/RSTP on an interface device.
a. Run system-view
c. Run stp enable
STP/RSTP is enabled on the interface.
By default, STP/RSTP is enabled on the interface.
----End
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths for associated VLANs
are changed. Switching devices need to update the ARP entries corresponding to those
VLANs. Depending on how switching devices process ARP entries, STP/RSTP convergence
mode can be fast or normal.
l In fast mode, ARP entries to be updated are directly deleted.
l In normal mode, ARP entries to be updated are rapidly aged.
The remaining lifetime of ARP entries to be updated is set to 0 to immediately age the
ARP entries out. If the number of ARP aging probes is greater than 0, the switching
device performs aging probe for these ARP entries.
Run the stp converge { fast | normal } command in the system view to configure the STP/
RSTP convergence mode.
By default, the normal STP/RSTP convergence mode is used. The normal mode is
recommended. If the fast mode is used, ARP entries will be frequently deleted, causing a high
CPU usage (even 100%). As a result, network flapping will frequently occur.
11.7.7 Verifying the STP/RSTP Configuration

Procedure
l Run the display stp [ interface interface-type interface-number ] [ brief ] command to
view the spanning tree status and statistics.
----End
11.8 Setting STP Parameters that Affect STP Convergence

STP cannot implement rapid convergence. However, STP parameters including the network
diameter, timeout interval, Hello timer value, Max Age timer value, and Forward Delay timer
value can affect the STP convergence speed.
Before setting STP parameters that affect STP convergence, configure basic STP functions.

11.8.1 Setting the STP Network Diameter
Context
Any two terminals on a switching network are connected through a specific path along
multiple devices. The network diameter is the maximum number of devices between any two
terminals. A larger network diameter indicates a larger network scale.
An improper network diameter may cause slow network convergence and affect
communication. Run the stp bridge-diameter command to set an appropriate network
diameter based on the network scale, which helps speed up convergence.
It is recommended that all devices be configured with the same network diameter.
Procedure
Step 2 Run stp bridge-diameter diameter
The network diameter is configured.
By default, the network diameter is 7.
NOTE
l RSTP uses a single spanning tree instance on the entire network. As a result, performance
deterioration cannot be prevented when the network scale grows. Therefore, the network diameter
cannot be larger than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the network
diameter. Then, the switching device calculates the optimal Forward Delay timer value, Hello timer
value, and Max Age timer value based on the configured network diameter.
----End
11.8.2 Setting the STP Timeout Interval
Context
If a device does not receive any BPDUs from the upstream device within the timeout interval,
the device considers the upstream device to have failed and recalculates the spanning tree.
Sometimes, a device cannot receive the BPDU from the upstream device within the timeout
interval because the upstream device is busy. In this case, recalculating the spanning tree will
cause a waste of network resources. To avoid wasting network resources, set a long timeout
interval on a stable network.
If a switching device does not receive any BPDUs from the upstream device within the
timeout interval, spanning tree recalculation is performed. The timeout interval is calculated
as follows:
Timeout interval = Hello time x 3 x Timer Factor

Procedure
Step 2 Run stp timer-factor factor
The Timer Factor value is set. This parameter determines the timeout interval during which
the device waits for BPDUs from the upstream device.
By default, the timeout period is 9 times the Hello timer value.
----End
11.8.3 Setting the STP Timers

Context
The following timers are used in spanning tree calculation:
l Forward Delay: specifies the delay before a state transition. After the topology of a ring
network changes, it takes some time to spread the new configuration BPDU throughout
the entire network. As a result, the original blocked port may be unblocked before a new
port is blocked. When this occurs, a loop exists on the network. You can set the Forward
Delay timer to prevent loops. When the topology changes, all ports will be temporarily
blocked during the Forward Delay.
l Hello Time: specifies the interval at which hello packets are sent. A switching device
sends configuration BPDUs at the specified interval to detect link failures. If the
switching device does not receive any BPDUs within an interval of Hello Time, the
switching device recalculates the spanning tree.
l Max Age: determines whether BPDUs expire. A switching device determines that a
received configuration BPDU times out when the Max Age expires.
Devices on a ring network must use the same values of Forward Delay, Hello Time, and Max
Age.
You are not advised to directly change the preceding three timers. The three parameters are
relevant to the network scale; therefore, it is recommended that you set the network diameter
so that the spanning tree protocol automatically adjusts these timers. When the default
network diameter is used, the three timers also retain their default values.
To prevent frequent network flapping, make sure that the Hello Time, Forward Delay, and
Max Age timer values conform to the following formulas:
l 2 x (Forward Delay - 1.0 second) >= Max Age
l Max Age >= 2 x (Hello Time + 1.0 second)
Procedure

Step 2 Set the Forward Delay, Hello Time, and Max Age timers.
1. Run stp timer forward-delay forward-delay
The Forward Delay timer is set for the switching device.
By default, the Forward Delay timer is 1500 centiseconds (15 seconds).
2. Run stp timer hello hello-time
The Hello Time is set for the switching device.
By default, the Hello Time is 200 centiseconds (2 seconds).
3. Run stp timer max-age max-age
The Max Age timer is set for the switching device.
By default, the Max Age timer is 2000 centiseconds (20 seconds).
----End
11.8.4 Setting the Maximum Number of Connections in an Eth-

Trunk that Affects Spanning Tree Calculation
Context
The path costs affect spanning tree calculation. Changes of path costs trigger spanning tree
recalculation. The path cost of an interface is affected by its bandwidth, so you can change the
interface bandwidth to affect spanning tree calculation.
As shown in Figure 11-15, deviceA and deviceB are connected through two Eth-Trunk links.
Eth-Trunk 1 has three member interfaces in Up state and Eth-Trunk 2 has two member
interfaces in Up state. Each member link has the same bandwidth, and deviceA is selected as
the root bridge.
l Eth-Trunk 1 has higher bandwidth than Eth-Trunk 2. After STP calculation, Eth-Trunk 1
on deviceB is selected as the root port and Eth-Trunk 2 is selected as the alternate port.
l If the maximum number of connections affecting bandwidth of Eth-Trunk 1 is set to 1,
the path cost of Eth-Trunk 1 is larger than the path cost of Eth-Trunk 2. Therefore, the
two devices perform spanning tree recalculation. Then Eth-Trunk 1 on deviceB becomes
the alternate port and Eth-Trunk 2 becomes the root port.

Figure 11-15 Setting the maximum number of connections in an Eth-Trunk

RouterA RouterB
Before Eth-Trunk1
configuration Eth-Trunk2
Root Bridge
RouterA RouterB
After Eth-Trunk1
Root Bridge
Alternate port
Root port
Designated port
The maximum number of connections affects only the path cost of an Eth-Trunk interface
participating in spanning tree calculation, and does not affect the actual bandwidth of the Eth-
Trunk link. The actual bandwidth for an Eth-Trunk link depends on the number of active
member interfaces in the Eth-Trunk.
Procedure
Step 3 Run max bandwidth-affected-linknumber link-number
The maximum number of connections affecting the Eth-Trunk bandwidth is set.
By default, the maximum number of connections affecting the bandwidth of an Eth-Trunk is

8.
----End
Procedure
----End

11.9 Setting RSTP Parameters that Affect RSTP

Convergence
RSTP supports link type and fast transition configuration on ports to implement rapid
convergence.
Before configuring RSTP parameters that affect RSTP convergence, configure basic RSTP
functions.
11.9.1 Setting the RSTP Network Diameter

Context
Procedure
NOTE
l RSTP uses a single spanning tree instance on the entire network. As a result, performance
deterioration cannot be prevented when the network scale grows. Therefore, the network diameter
cannot be larger than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the network
diameter. Then, the switching device calculates the optimal Forward Delay timer value, Hello timer
value, and Max Age timer value based on the configured network diameter.
----End
11.9.2 Setting the RSTP Timeout Interval

Context

as follows:
Procedure
The Timer Factor value is set. This parameter determines the timeout interval during which
the device waits for BPDUs from the upstream device.
----End
11.9.3 Setting RSTP Timers
Context
Age.

Procedure
Step 2 Set the Forward Delay, Hello Time, and Max Age timers.
The Forward Delay timer is set for the switching device.
By default, the Forward Delay timer is 1500 centiseconds (15 seconds).

The Hello Time is set for the switching device.
By default, the Hello Time is 200 centiseconds (2 seconds).

The Max Age timer is set for the switching device.
By default, the Max Age timer is 2000 centiseconds (20 seconds).
----End

Context
the root bridge.


RouterA RouterB
Before Eth-Trunk1
Root Bridge
RouterA RouterB
After Eth-Trunk1
Root Bridge
Alternate port
Root port
Designated port
Procedure
8.
----End
11.9.5 Setting the Link Type for a Port

Context
P2P links can implement rapid convergence. If the two ports connected by a P2P link are root
or designated ports, they can transit to the Forwarding state quickly by sending Proposal and
Agreement packets. This reduces the forwarding delay.
Procedure

The view of an Ethernet interface participating in STP calculation is displayed.
Step 3 Run stp point-to-point { auto | force-false | force-true }
The link type is set for the interface.
By default, an interface automatically identifies whether it is connected to a P2P link. P2P

links implement rapid network convergence.
l If the Ethernet interface works in full-duplex mode, the interface is connected to a P2P
link. In this case, force-true can be specified in the command to implement rapid
network convergence.
l If the Ethernet interface works in half-duplex mode, you can run the stp point-to-point
force-true command to forcibly set the link type to P2P.
----End
11.9.6 Setting the Maximum Transmission Rate of an Interface
Context
The more BPDUs sent from an interface within a Hello Time interval, the more system
resources consumed. Setting a proper transmission rate (packet-number) on an interface
prevents excess bandwidth usage when network flapping occurs.
Procedure
The view of an Ethernet interface participating in STP calculation is displayed.
Step 3 Run stp transmit-limit packet-number
The maximum transmission rate of BPDUs (BPDUs per second) is set for the interface.
By default, an interface sends a maximum of six BPDUs per second.
NOTE
If the same maximum transmission rate of BPDUs needs to be sent for each interface on a device, run
the stp transmit-limit (system view) command.
----End
11.9.7 Switching to the RSTP Mode
Context
If an interface on an RSTP-enabled device is connected to an STP-enabled device, the
interface switches to the STP compatible mode.

If the STP-enabled device is powered off or removed, the interface cannot automatically
switch to the RSTP mode. When the interface goes Up again, the interface needs to be
manually switched to the RSTP mode.
If the STP-enabled switching device is switched to the RSTP mode, the interface can
automatically switch to the RSTP mode.
Procedure
l Switching to the RSTP mode in the interface view
a. Run system-view
The view of an interface participating in spanning tree calculation is displayed.
c. Run stp mcheck
The interface is switched to the RSTP mode.
l Switching to the RSTP mode in the system view
a. Run system-view
b. Run stp mcheck
The device is switched to the RSTP mode.
----End
11.9.8 Configuring Edge Ports and BPDU Filter Ports

Context
As defined in RSTP, a port that is located at the edge of a network and directly connected to a
terminal device is an edge port.
An edge port does not process configuration BPDUs or participate in RSTP calculation. It can
transit from the Disable to Forwarding state without any delay.
Edge ports can still send BPDUs. If the BPDUs are sent to another network, this network may
encounter network flapping. To prevent this problem, configure the BPDU filter function on
edge ports so that the edge ports do not process or send BPDUs.
NOTE
After all ports are configured as edge ports and BPDU filter ports in the system view, none of ports on
the local device send BPDUs or negotiate the STP states with directly connected ports on the peer
device. All ports are in Forwarding state. This may cause loops on the network, leading to broadcast
storms. Exercise caution when deciding to perform this configuration.
After a specified port is configured as an edge port and BPDU filter port in the interface view, the port
does not process or send BPDUs and cannot negotiate the STP state with the directly connected port on
the peer device. Exercise caution when deciding to perform this configuration.
Procedure
l Configuring all ports as edge ports and BPDU filter ports

a. Run system-view
b. Run stp edged-port default
All ports are configured as edge ports.
By default, all ports are non-edge ports.
c. Run stp bpdu-filter default
All ports are configured as BPDU filter ports.
By default, all ports are non-BPDU filter ports.
l Configuring a specified port as an edge port and BPDU filter port
a. Run system-view
The view of an Ethernet interface that participates in spanning tree calculation is
displayed.
c. Run stp edged-port enable
The port is configured as an edge port.
d. Run stp bpdu-filter enable
The port is configured as a BPDU filter port.
By default, a port is a non-BPDU filter port.
----End
Procedure
----End
11.10 Configuring RSTP Protection Functions

Huawei network devices provide the following RSTP protection functions. You can configure
one or more functions.
11.10.1 Configuring BPDU Protection on a Switching Device
Procedure


Step 2 Run stp bpdu-protection
BPDU protection is enabled on the switching device.
By default, BPDU protection is disabled on a switching device.
----End
Follow-up Procedure
If you want an edge port to automatically recover from the error-down state, run the error-
down auto-recovery cause bpdu-protection interval interval-value command in the system
view to configure the auto recovery function and set a recovery delay on the port. Then a port
in error-down state can automatically go Up after the delay expires. Note the following when
setting the recovery delay:
l By default, the auto recovery function is disabled; therefore, the recovery delay
parameter does not have a default value. When you enable the auto recovery function,
you must set a recovery delay.
l A smaller value of interval-value indicates a shorter time taken for an edge port to go
Up, and a higher frequency of Up/Down state transitions on the port.
l A larger value of interval-value indicates a longer time taken for the edge port to go Up,
and a longer service interruption time.
l The auto recovery function takes effect only for the interfaces that transition to the error-
down state after the error-down auto-recovery command is executed.
11.10.2 Configuring TC Protection on a Switching Device
Procedure
Step 2 Run stp tc-protection threshold threshold
The maximum number of times the switching device processes TC BPDUs and updates
forwarding entries within the specified time period is set.
NOTE
The time period is set by the stp tc-protection interval command.
----End
11.10.3 Configuring Root Protection on a Port
Procedure

Step 3 Run stp root-protection
Root protection is enabled on the interface.
By default, root protection is disabled on the interface. Root protection takes effect only on
designated ports. Root protection and loop protection cannot be configured on the same
interface.
----End
11.10.4 Configuring Loop Protection on a Port
Context
If the root port or alternate port does not receive BPDUs from the upstream device for a long
time, the switch enabled with loop protection sends a notification to the NMS. If the root port
is used, the root port enters the Discarding state and becomes the designated port. If the
alternate port is used, the alternate port keeps blocked and becomes the designated port. In
this case, loops will not occur. After the link is not congested or unidirectional link failures
are rectified, the port receives BPDUs for negotiation and restores its original role and status.
Procedure
The view of the root port or alternate port is displayed.
Step 3 Run stp loop-protection
Loop protection is enabled on the root port ore alternate port.
By default, loop protection is disabled on a port.
NOTE
An alternate port is a backup for a root port. If a switching device has an alternate port, configure loop
protection on both the root port and the alternate port.
Root protection and loop protection cannot be configured on the same port.
----End
Procedure
----End

11.11 Setting Parameters for Interoperation Between

Huawei and Non-Huawei Devices
To implement interoperation between Huawei and non-Huawei devices, select the fast
transition mode based on the Proposal/Agreement mechanism of the non-Huawei device.
Context
A switching device supports the following Proposal/Agreement modes:
l Enhanced mode: The device determines the root port when it calculates the
synchronization flag bit.
a. An upstream device sends a Proposal message to a downstream device to request
fast state transition. After receiving the message, the downstream device sets the
port connected to the upstream device as the root port and blocks all non-edge ports.
b. The upstream device sends an Agreement message to the downstream device. After
the downstream device receives the message, the root port transitions to the
Forwarding state.
c. The downstream device responds with an Agreement message. After receiving the
message, the upstream device sets the port connected to the downstream device as
the designated port, and then the designated port transitions to the Forwarding state.
l Common mode: The device ignores the root port when it calculates the synchronization
flag bit.
a. An upstream device sends a Proposal message to a downstream device to request
fast state transition. After receiving the message, the downstream device sets the
port connected to the upstream device as the root port and blocks all non-edge ports.
Then, the root port transitions to the Forwarding state.
b. The downstream device responds with an Agreement message. After receiving the
message, the upstream device sets the port connected to the downstream device as
the designated port, and then the designated port transitions to the Forwarding state.
On an STP network, if a Huawei switching device is connected to a non-Huawei device that
uses a different Proposal/Agreement mechanism, the two devices may fail to interoperate with
each other. Select the enhanced mode or common mode based on the Proposal/Agreement
mechanism of the non-Huawei device.
Before setting parameters for interoperation between Huawei and non-Huawei devices,
configure basic STP/RSTP functions.
Procedure
The view of an interface participating in spanning tree calculation is displayed.

Step 3 Run stp no-agreement-check

The common fast transition mode is specified.
By default, the enhanced fast transition mode is used on a port.
----End
11.12 Maintaining STP/RSTP
11.12.1 Clearing STP/RSTP Statistics

Context
STP/RSTP statistics cannot be restored after being cleared. Exercise caution when deciding to
clear STP/RSTP statistics.
Procedure
l Run the reset stp [ interface interface-type interface-number ] statistics command to
clear spanning-tree statistics.
l Run the reset stp error packet statistics command to clear statistics about error STP
packets.
----End
11.12.2 Monitoring STP/RSTP Topology Change Statistics
Context
The statistics about STP/RSTP topology changes can be viewed. If the statistics increase,
network flapping occurs.
Procedure
l Run the display stp topology-change command to view statistics about STP/RSTP
topology changes.
----End
11.13 Configuration Examples for STP/RSTP

This section provides several STP/RSTP configuration examples.

11.13.1 Example for Configuring Basic STP Functions

On a complex network, multiple physical links are often deployed between two devices for
link redundancy. Redundant links may cause loops on the network, and loops will result in
broadcast storms and damage MAC address entries.
STP can be deployed on a network to eliminate loops by blocking redundant ports. As shown
in Figure 11-17, loops exist on the network, and RouterA, SwitchA, SwitchB, SwitchC and
SwitchD are all running STP. These devices exchange BPDUs to discover the loops and block
appropriate ports to trim the ring topology into a loop-free tree topology. The tree topology
prevents infinite looping of packets, which in turn helps improve packet processing
performance.
Figure 11-17 Networking diagram of basic STP configurations
Network
Root
Bridge
RouterA
Eth2/0/0 Eth2/0/1
Eth0/0/1 STP Eth0/0/1

Et
SwitchA h0 /3 SwitchB
/0 0 /0
Eth0/0/2 /3 th
E Eth0/0/2
Eth0/0/1 Et Eth0/0/1
0 /4 h0
h 0/ /0
/4
SwitchC Et SwitchD
Eth0/0/2 Eth0/0/3 Eth0/0/2 Eth0/0/3
PC1 PC2 PC3 PC4
Blocked port

1. Configure basic STP functions, including:

a. Configure the STP mode for the switching devices on the ring network.
b. Configure primary and secondary root bridges.
c. Set a path cost for the port to be blocked.
d. Enable STP to eliminate loops.
n Enable STP globally.
n Enable STP on all the ports except those connected to terminals.
NOTE
STP is not required on the ports connected to terminals because these ports do not need to
participate in STP calculation. Disable STP on the ports or configure the ports as edge ports.
Procedure
Step 1 Configure basic STP functions.
1. Configure the STP mode for the switching devices on the ring network.
# Configure the STP mode on RouterA. The configurations of SwitchA, SwitchB,
SwitchC and SwitchD are similar to that of RouterA.
[RouterA] stp mode stp
2. Configure primary and secondary root bridges.

# Configure RouterA as the primary root bridge.
[RouterA] stp root primary
# Configure SwitchA as the secondary root bridge.

[SwitchA] stp root secondary
3. Set a path cost for the port to be blocked.

NOTE
– The path cost value range depends on path cost calculation methods. This example uses the
Huawei proprietary calculation method and sets the path cost to 200000.
– All switching devices on a network must use the same path cost calculation method. To use
other path cost calculation methods, see the list of recommended value ranges for the specific
path cost calculation method.
# On RouterA, set the path cost calculation method to the Huawei proprietary method.
The configurations of SwitchA, SwitchB, SwitchC and SwitchD are similar to that of
RouterA.
[RouterA] stp pathcost-standard legacy
# Set the path cost of ethernet0/0/4 on SwitchC and SwitchD to 200000.

[SwitchC] interface ethernet 0/0/4
[SwitchC-Ethernet0/0/4] stp cost 200000
[SwitchC-Ethernet0/0/4] quit
[SwitchD] interface ethernet 0/0/4
[SwitchD-Ethernet0/0/4] stp cost 200000
[SwitchD-Ethernet0/0/4] quit
4. Enable STP to eliminate loops.

– Disable STP on the ports directly connected to PCs.
# Disable STP on Ethernet0/0/2 and Ethernet0/0/3 of SwitchC. The configuration of
SwitchD is similar to that of SwitchC.


[SwitchC-Ethernet0/0/2] stp disable
[SwitchC-Ethernet0/0/3] stp disable
– Enable STP globally.

# Enable STP globally on RouterA. The configurations of SwitchA, SwitchB,
SwitchC and SwitchD are similar to that of RouterA.
[RouterA] stp enable
– Enable STP on all the ports except those connected to PCs.

# Enable STP on RouterA Eth2/0/0 and Eth2/0/1. The configurations of SwitchA,
SwitchB, SwitchC and SwitchD are similar to that of RouterA.
[RouterA-Ethernet2/0/0] stp enable

# Wait for 35s, and then run the display stp brief command on RouterA to view port roles
and states. Eth2/0/0 and Eth2/0/1 are selected as designated ports through spanning tree
calculation and are both in the Forwarding state.
[RouterA] display stp brief
MSTID Port Role STP State Protection
0 Ethernet2/0/0 DESI FORWARDING NONE
# Run the display stp brief command on SwitchA to view port roles and states. Eth0/0/1 is
selected as the root port, whereas Eth0/0/2 and Eth0/0/3 are selected as designated ports. The
ports are all in the Forwarding state.
[SwitchA] display stp brief
0 Ethernet0/0/1 ROOT FORWARDING NONE
# Run the display stp brief command on SwitchB to view port roles and states. Eth0/0/1 is
selected as the root port, whereas Eth0/0/2 and Eth0/0/3 are selected as designated ports. The
ports are all in the Forwarding state.
[SwitchB] display stp brief
# Run the display stp brief command on SwitchC to view port roles and states. Eth0/0/1 is
selected as root port and is in the Forwarding state. Eth0/0/4 is selected as designated port and
is in the Discarding state.
[SwitchC] display stp brief
0 Ethernet0/0/4 DESI DISCARDING NONE
# Run the display stp brief command on SwitchD to view port roles and states. Eth0/0/1 is
selected as root port and is in the Forwarding state. Eth0/0/4 is selected as designated port and
is in the Discarding state.

[SwitchD] display stp brief

0 Ethernet0/0/4 DESI DISCARDING NONE
----End
Configuration Files
#
sysname RouterA
#
stp mode stp
stp instance 0 root primary
stp pathcost-standard legacy
#
#
#
return
l SwitchA configuration file

#
sysname SwitchA
#
stp mode stp
stp instance 0 root secondary
#
#
#
#
return
l SwitchB configuration file

#
sysname SwitchB
#
stp mode stp
#
#
#
#
return
l SwitchC configuration file

#
sysname SwitchC
#
stp mode stp
#
#
stp disable
#
stp disable

#
stp instance 0 cost 200000
#
return
l SwitchD configuration file

#
sysname SwitchD
#
stp mode stp
#
#
stp disable
#
stp disable
#
#
return
11.13.2 Example for Configuring Basic RSTP Functions

On a complex network, multiple physical links are often deployed between two devices for
link redundancy (one as the active link and the others as standby links). Redundant links may
cause loops on the network, and loops will result in broadcast storms and damage MAC
address entries.
RSTP can be deployed on a network to eliminate loops by blocking some ports. As shown in
Figure 11-18, loops exist on the network, and RouterA, SwitchA, SwitchB, SwitchC and
SwitchD are all running RSTP. These devices exchange BPDUs to discover the loops and
block appropriate ports to trim the ring topology into a loop-free tree topology. The tree
topology prevents infinite looping of packets on the network, which in turn helps improve
packet processing performance.

Figure 11-18 Networking diagram of basic RSTP configurations
Network
Root
Bridge
RouterA
Eth2/0/0 Eth2/0/1
Eth0/0/1 RSTP Eth0/0/1

Et 3
SwitchA h0 0/ SwitchB
/0 /
/3 h0
0 /4 h0
h 0/ /0
/4
SwitchC Et SwitchD
Eth0/0/2 Eth0/0/3 Eth0/0/2 Eth0/0/3
PC1 PC2 PC3 PC4
Blocked port
1. Configure basic RSTP functions, including:
a. Configure the RSTP mode for the switching devices on the ring network.
b. Configure primary and secondary root bridges.
c. Set a path cost for the ports to block certain ports.
d. Enable RSTP to eliminate loops.
n Enable RSTP globally.
n Enable RSTP on all the ports except those connected to terminals.
NOTE
RSTP is not required on the ports connected to terminals because these ports do not need to
participate in RSTP calculation.
2. Configure RSTP protection functions. For example, configure root protection on
designated ports of the root bridge.

Procedure
Step 1 Configure basic RSTP functions.
1. Configure the RSTP mode for the devices on the ring network.
# Configure the RSTP mode on RouterA.
[RouterA] stp mode rstp
# Configure the RSTP mode on SwitchA, SwitchB, SwitchC and SwitchD.

2. Configure primary and secondary root bridges.
# Configure RouterA as the primary root bridge.
[RouterA] stp root primary
# Configure SwitchA as a second root bridge according to the configuration guide of

SwitchA.
3. Set a path cost for the port to be blocked.
NOTE
– The path cost value range depends on path cost calculation methods. This example uses the
Huawei proprietary calculation method and sets the path cost to 200000.
– All switching devices on a network must use the same path cost calculation method. To use
other path cost calculation methods, see the list of recommended value ranges for the specific
path cost calculation method.
# On RouterA, set the path cost calculation method to the Huawei proprietary method.
# On SwitchA, SwitchB, SwitchC and SwitchD, set the path cost calculation method to
the Huawei proprietary method according to the configuration guide of the switches.
# Set the path cost of Eth0/0/4 on SwitchC and SwitchD to 200000. (The detailed
configuration is not provided here.)
4. Enable RSTP to eliminate loops.
– Disable RSTP on the ports directly connected to PCs.
# Disable RSTP on the ports of SwitchC and SwitchD connected to PCs.
– Enable RSTP globally.
# Enable RSTP globally on RouterA.
# Enable RSTP globally on other switching devices.

– Enable RSTP on all the ports except those connected to PCs.
# Enable RSTP on RouterA Ethernet2/0/0 and Ethernet2/0/1.
# Enable RSTP on all the ports except those connected to PCs on SwitchA,
SwitchB, SwitchC and SwitchD.
Step 2 Configure RSTP protection.
# Enable root protection on Eth2/0/0 and Eth2/0/1 of RouterA.

[RouterA-Ethernet2/0/0] stp root-protection


# After the preceding configuration is complete and the network becomes stable, perform the
following operation to verify the configuration:
# Run the display stp brief command on RouterA to view the states and protection type on
RSTP ports. The following information is displayed:
0 Ethernet2/0/0 DESI FORWARDING ROOT
# After RouterA is configured as the root bridge, Ethernet2/0/0 connected to SwitchA and
Ethernet2/0/1 connected to SwitchB are elected as designated ports through spanning tree
calculation.
----End
Configuration Files
#
sysname RouterA
#
stp mode rstp
#
stp root-protection
#
stp root-protection
#
return
l SwitchA configuration file

#
sysname SwitchA
#
stp mode rstp
#
#
#
#
return
l SwitchB configuration file

#
sysname SwitchB
#
stp mode rstp
#

#
#
#
return
l SwitchC configuration file

#
sysname SwitchC
#
stp mode rstp
#
#
stp disable
#
stp disable
#
#
return
l SwitchD configuration file

#
sysname SwitchD
#
stp mode rstp
#
#
stp disable
#
stp disable
#
#
return
11.14 FAQ About STP/RSTP
11.14.1 Is STP Required on the AR Router Used as the Access

Device?
It is recommended that STP be disabled on the AR router used as the access device (its WAN-
side interface connects to the Internet and the LAN-side interface connects to the internal
network). This prevents route flapping caused by STP convergence.
11.14.2 Which STP Protocols Do AR Series Routers Support?

AR series routers support Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol
(RSTP), and Multiple Spanning Tree Protocol (MSTP).

NOTE
AR502E series do not support MSTP.
11.14.3 How Does STP Process MAC and ARP Entries After the
Network Topology Changes?
If the network topology changes, the Spanning Tree Protocol (STP) clears media access
control (MAC) addresses, and ages Address Resolution Protocol (ARP) entries by default.

Configuration 12 MSTP Configuration
12 MSTP Configuration
About This Chapter
This chapter describes the concepts and configuration procedure of the Multiple Spanning
Tree Protocol (MSTP), and provides configuration examples.
12.1 Overview of MSTP
This section describes definition and purpose of MSTP.
12.2 Understanding MSTP
This section describes the principles of MSTP.
12.3 Application Scenarios for MSTP
This section describes the applicable environment of MSTP.
12.4 Summary of MSTP Configuration Tasks
12.5 Default Settings for MSTP
12.6 Licensing Requirements and Limitations for MSTP
12.7 Configuring Basic MSTP Functions
MSTP based on the basic STP/RSTP function divides a switching network into multiple
regions, each of which has multiple spanning trees that are independent of each other. MSTP
isolates different VLANs' traffic, and load-balances VLAN traffic.
12.8 Configuring MSTP Parameters on an Interface
Proper MSTP parameter settings achieve rapid convergence.
12.9 Configuring MSTP Protection Functions
Huawei datacom devices provide the following MSTP protection functions. You can
configure one or more functions.
12.10 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei
Devices
To communicate with a non-Huawei device, set proper parameters on the MSTP-enabled
Huawei device.
12.11 Maintaining MSTP
12.12 Configuration Examples for MSTP

12.13 FAQ About MSTP
12.1 Overview of MSTP

This section describes definition and purpose of MSTP.
Definition
causing broadcast storms and rendering the MAC address table unstable. As a result, the
communication quality deteriorates, and the communication service may even be interrupted.
The Spanning Tree Protocol (STP) is introduced to solve this problem.
STP refers to STP defined in IEEE 802.1D, the Rapid Spanning Tree Protocol (RSTP) defined
in IEEE 802.1w, and the Multiple Spanning Tree Protocol (MSTP) defined in IEEE 802.1s.
MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table 12-1
shows the comparison between STP, RSTP, and MSTP.
Table 12-1 Comparison between STP, RSTP, and MSTP
Spanning Characteristics Usage Scenario

Tree
Protocol
STP l In an STP region, a loop-free tree STP or RSTP is used in a scenario

is generated. Broadcast storms where all VLANs share one spanning
are prevented and redundancy is tree. In this situation, users or
achieved. services do not need to be
l Route convergence is slow. differentiated.
RSTP l In an RSTP region, a loop-free

tree is generated. Broadcast
storms are prevented and
redundancy is achieved.
l RSTP allows fast convergence of
the network topology.
MSTP l In an MSTP region, multiple MSTP is used in a scenario where

loop-free trees are generated. traffic in different VLANs is
Therefore, broadcast storms are forwarded through different spanning
prevented and redundancy is trees that are independent of each
achieved. other to implement load balancing. In
l MSTP achieves fast convergence this situation, users or services are
of the network topology. distinguished by using VLANs.
l MSTP implements load
balancing among VLANs.
Traffic in different VLANs is
transmitted along different paths.

NOTE
The AR111-S, AR121-S and AR151-S2 only support one loop-free tree.
Purpose
After a spanning tree protocol is configured on an Ethernet switching network, it calculates
the network topology and implements the following functions to remove network loops:
l Loop cut-off: The potential loops on the network are cut off by blocking redundant links.
l Link redundancy: When an active path becomes faulty, a redundant link can be activated
to ensure network connectivity.
12.2 Understanding MSTP

This section describes the principles of MSTP.
12.2.1 MSTP Background

RSTP, an enhancement to STP, implements fast convergence of the network topology. There
is a defect for both RSTP and STP: All VLANs on a LAN use one spanning tree, and VLAN-
based load balancing cannot be performed. Once a link is blocked, it will no longer transmit
traffic, wasting bandwidth and causing the failure in forwarding certain VLAN packets.
Figure 12-1 STP/RSTP defect
S1 S4
VLAN3 VLAN2 VLAN2
HostC HostA
(VLAN3) VLAN3 VLAN2 (VLAN2)
VLAN3
VLAN2
S2 S5
HostB VLAN2 VLAN2 HostD

(VLAN2) VLAN3 VLAN3 (VLAN3)
VLAN3
VLAN2 VLAN3
S3 S6
spanning tree(root bridge:S6)
On the network shown in Figure 12-1, STP or RSTP is enabled. The broken line shows the
spanning tree. S6 is the root switching device. The links between S1 and S4 and between S2
and S5 are blocked. VLAN packets are transmitted by using the corresponding links marked
with "VLAN2" or "VLAN3."

Host A and Host B belong to VLAN 2 but they cannot communicate with each other because
the link between S2 and S5 is blocked and the link between S3 and S6 denies packets from
VLAN 2.
To fix the defect of STP and RSTP, the IEEE released 802.1s in 2002, defining the Multiple
Spanning Tree Protocol (MSTP). MSTP implements fast convergence and provides multiple
paths to load balance VLAN traffic.
MSTP divides a switching network into multiple regions, each of which has multiple
spanning trees that are independent of each other. Each spanning tree is called a Multiple
Spanning Tree Instance (MSTI) and each region is called a Multiple Spanning Tree (MST)
region.
NOTE
An instance is a collection of VLANs. Binding multiple VLANs to an instance saves communication

costs and reduces resource usage. The topology of each MSTI is calculated independent of one another,
and traffic can be balanced among MSTIs. Multiple VLANs that have the same topology can be mapped
to one instance. The forwarding status of the VLANs for a port is determined by the port status in the
MSTI.
Figure 12-2 Multiple spanning trees in an MST region
S1 S4
VLAN3 VLAN2 VLAN2
HostC HostA
VLAN3 VLAN2 （VLAN2）
（VLAN3）
VLAN3
VLAN2
S2 S5
HostB VLAN2 VLAN2 HostD

（VLAN2） VLAN3 VLAN3 （VLAN3）
VLAN3
VLAN2 VLAN3
S3 S6

As shown in Figure 12-2, MSTP maps VLANs to MSTIs in the VLAN mapping table. Each
VLAN can be mapped to only one MSTI. This means that traffic of a VLAN can be
transmitted in only one MSTI. An MSTI, however, can correspond to multiple VLANs.
Two spanning trees are calculated:

l MSTI 1 uses S4 as the root switching device to forward packets of VLAN 2.
l MSTI 2 uses S6 as the root switching device to forward packets of VLAN 3.
In this manner, devices within the same VLAN can communicate with each other; packets of
different VLANs are load balanced along different paths.

12.2.2 Basic MSTP Concepts

MSTP Network Hierarchy
As shown in Figure 12-3, the MSTP network consists of one or more MST regions. Each
MST region contains one or more MSTIs. An MSTI is a tree network consisting of switching
devices running STP, RSTP, or MSTP.
Figure 12-3 MSTP network hierarchy
MSTP Network
MSTI1 MSTI1
MSTI2 MSTI0 MSTI2 MSTI0

MST Region MST Region
MSTI1
MSTI2 MSTI0
MST Region
MST Region
An MST region contains multiple switching devices and network segments between them.
The switching devices of one MST region have the following characteristics:
l MSTP-enabled
l Same region name
l Same VLAN-MSTI mappings
l Same MSTP revision level
A LAN can comprise several MST regions that are directly or indirectly connected. Multiple
switching devices can be grouped into an MST region by using MSTP configuration
commands.
As shown in Figure 12-4, the MST region D0 contains the switching devices S1, S2, S3, and
S4, and has three MSTIs.

Figure 12-4 MST region
AP1
D0 S1
MSTI1
Master Bridge
root switch:S3
MSTI2
root switch:S2
MSTI0 (IST)
S2 root switch:S1
S3
VLAN1 MSTI1
VLAN2,VLAN3 MSTI2
other VLANs MSTI0
S4
VLAN Mapping Table

The VLAN mapping table is an attribute of the MST region. It describes mappings between
VLANs and MSTIs.
As shown in Figure 12-4, the mappings in the VLAN mapping table of the MST region D0
are as follows:
l VLAN 1 is mapped to MSTI 1.
l VLAN 2 and VLAN 3 are mapped to MSTI 2.
l Other VLANs are mapped to MSTI 0.
Regional Root
Regional roots are classified into Internal Spanning Tree (IST) and MSTI regional roots.
In the region B0, C0, and D0 on the network shown in Figure 12-6, the switching devices
closest to the Common and Internal Spanning Tree (CIST) root are IST regional roots.
An MST region can contain multiple spanning trees, each called an MSTI. An MSTI regional
root is the root of the MSTI. On the network shown in Figure 12-5, each MSTI has its own
regional root.

Figure 12-5 MSTI
MST Region
VLAN VLA
N 10&
10&20&30 20
VLAN 20&30
VLAN VLAN VLAN

30 VLAN
10&30 20 10&30
VLAN 10
Root
Root
MSTI MSTI MSTI Root

corresponding to corresponding to corresponding to
VLAN 10 VLAN 20 VLAN 30
MSTI links
MSTI links blocked by the protocol
MSTIs are independent of each other. An MSTI can correspond to one or more VLANs, but a
VLAN can be mapped to only one MSTI.
Master Bridge
The master bridge is the IST master, which is the switching device closest to the CIST root in
a region, for example, S1 shown in Figure 12-4.
If the CIST root is in an MST region, the CIST root is the master bridge of the region.

CIST Root
Figure 12-6 MSTP network
A0
CIST Root
D0 Region Root B0
Region Root
C0
Region Root
IST
CST
On the network shown in Figure 12-6, the CIST root is the root bridge of the CIST. The CIST
root is a device in A0.
CST
A Common Spanning Tree (CST) connects all the MST regions on a switching network.
If each MST region is considered a node, the CST is calculated by using STP or RSTP based
on all the nodes.
As shown in Figure 12-6, the MST regions are connected to form a CST.
IST
An IST resides within an MST region.
An IST is a special MSTI with the MSTI ID being 0, called MSTI 0.
An IST is a segment of the CIST in an MST region.
As shown in Figure 12-6, the switching devices in an MST region are connected to form an
IST.

CIST
A CIST, calculated by using STP or RSTP, connects all the switching devices on a switching
network.
As shown in Figure 12-6, the ISTs and the CST form a complete spanning tree, the CIST.
SST
A Single Spanning Tree (SST) is formed in either of the following situations:
l A switching device running STP or RSTP belongs to only one spanning tree.
l An MST region has only one switching device.
As shown in Figure 12-6, the switching device in B0 forms an SST.
Port Role
Based on RSTP, MSTP has two additional port types. MSTP ports can be root ports,
designated ports, alternate ports, backup ports, edge ports, master ports, and regional edge
port.
The functions of root ports, designated ports, alternate ports, and backup ports have been
defined in RSTP. Table 12-2 lists all port roles in MSTP.
NOTE
Except edge ports, all ports participate in MSTP calculation.

A port can play different roles in different spanning tree instances.
Table 12-2 Port roles
Port Description
Role
Root port A root port is the non-root bridge port closest to the root bridge. Root bridges
do not have root ports.
Root ports are responsible for sending data to root bridges.
As shown in Figure 12-7, S1 is the root; CP1 is the root port on S3; BP1 is the
root port on S2.
Designate The designated port on a switching device forwards BPDUs to the downstream
d port switching device.
As shown in Figure 12-7, AP2 and AP3 are designated ports on S1; CP2 is a
designated port on S3.
Alternate l From the perspective of sending BPDUs, an alternate port is blocked after a
port BPDU sent by another bridge is received.
l From the perspective of user traffic, an alternate port provides an alternate
path to the root bridge. This path is different than using the root port.
As shown in Figure 12-7, BP2 is an alternate port.

Port Description
Role
Backup l From the perspective of sending BPDUs, a backup port is blocked after a
port BPDU sent by itself is received.
l From the perspective of user traffic, a backup port provides a backup/
redundant path to a segment where a designated port already connects.
As shown in Figure 12-7, CP3 is a backup port.
Master A master port is on the shortest path connecting MST regions to the CIST root.
port BPDUs of an MST region are sent to the CIST root through the master port.
Master ports are special regional edge ports, functioning as root ports on ISTs
or CISTs and master ports in instances.
As shown in Figure 12-8, S1, S2, S3, and S4 form an MST region. AP1 on S1,
being the nearest port in the region to the CIST root, is the master port.
Regional A regional edge port is located at the edge of an MST region and connects to
edge port another MST region or an SST.
During MSTP calculation, the roles of a regional edge port in the MSTI and
the CIST instance are the same. If the regional edge port is the master port in
the CIST instance, it is the master port in all the MSTIs in the region.
As shown in Figure 12-8, AP1, DP1, and DP2 in an MST region are directly
connected to other regions, and therefore they are all regional edge ports of the
MST region.
AP1 is a master port in the CIST. Therefore, AP1 is the master port in every
MSTI in the MST region.
Edge port An edge port is located at the edge of an MST region and does not connect to
any switching device.
Generally, edge ports are directly connected to terminals.

Figure 12-7 Root port, designated port, alternate port, and backup port
S1
Root
AP2 AP3
CP1 BP1
S3 S2
CP2 CP3 BP2
root port
designated port
Alternate port
Backup port
Figure 12-8 Master port and regional edge port

Connect to the
CIST root
AP1
Master
S1
S3
S2
S4
DP1 DP2 MST Region
The port is blocked
MSTP Port Status

Table 12-3 lists the MSTP port status, which is the same as the RSTP port status.

Table 12-3 Port status
Port Description
Status
Forwardi A port in the Forwarding state can send and receive BPDUs as well as forward
ng user traffic.
Learning A port in the Learning state learns MAC addresses from user traffic to
construct a MAC address table.
In the Learning state, the port can send and receive BPDUs, but not forward
user traffic.
Discardin A port in the Discarding state can only receive BPDUs.

g
There is no necessary link between the port status and the port role. Table 12-4 lists the
relationships between port roles and port status.
Table 12-4 Relationships between port roles and port status
Port Root Port/ Designated Regional Alternate Backup Port

Status Master Port Port Edge Port Port
Forwardi Yes Yes Yes No No

ng
Learning Yes Yes Yes No No
Discardi Yes Yes Yes Yes Yes

ng
Yes: The port supports this status. No: The port does not support this status.
12.2.3 MST BPDUs

MSTP calculates spanning trees on the basis of Multiple Spanning Tree Bridge Protocol Data
Units (MST BPDUs). By transmitting MST BPDUs, spanning tree topologies are computed,
network topologies are maintained, and topology changes are conveyed.
Table 12-5 shows differences between TCN BPDUs, configuration BPDUs defined by STP,
RST BPDUs defined by RSTP, and MST BPDUs defined by MSTP.
Table 12-5 Differences between BPDUs
Version Type Name
0 0x00 Configuration BPDU
0 0x80 TCN BPDU

Version Type Name
2 0x02 RST BPDU
3 0x02 MST BPDU
MST BPDU Format

Figure 12-9 shows the MST BPDU format.
Figure 12-9 MST BPDU format

Octet
Protocol Identifier 1-2
Protocol Version Identifier 3
BPDU Type 4
CIST Flags 5
CIST Root Identifier 6-13
CIST External Path Cost 14-17
CIST Regional Root Identifier 18-25
CIST Port Identifier 26-27
Message Age 28-29
Max Age 30-31
Hello Time 32-33
Forward Delay 34-35
Version 1 Length=0 36
Version 3 Length 37-38
MST Configuration Identifier 39-89
MST 90-93
CIST Internal Root Path Cost
special
CIST Bridge Identifier 94-101
fields
CIST Remaining Hops 102
MSTI Configuration Messages 103-39+Version
(may be absent) 3 Length
The first 36 bytes of an intra-region or inter-region MST BPDU are the same as those of an
RST BPDU.
Fields from the 37th byte of an MST BPDU are MSTP-specific. The field MSTI
Configuration Messages consists of configuration messages of multiple MSTIs.
Table 12-6 lists the major information carried in an MST BPDU.

Table 12-6 Major information carried in an MST BPDU

Protocol 2 Indicates the protocol identifier.

Identifier
Protocol 1 Indicates the protocol version identifier. 0 indicates

Version STP; 2 indicates RSTP; 3 indicates MSTP.
Identifier
BPDU Type 1 Indicates the BPDU type:

l 0x00: Configuration BPDU for STP
l 0x80: TCN BPDU for STP
l 0x02: RST BPDU or MST BPDU
CIST Flags 1 Indicates the CIST flags.
CIST Root 8 Indicates the CIST root switching device ID.

Identifier
CIST External 4 Indicates the total path costs from the MST region
Path Cost where the switching device resides to the MST region
where the CIST root switching device resides. This
value is calculated based on link bandwidth.
CIST Regional 8 Indicates the ID of the regional root switching device

Root Identifier on the CIST, that is, the IST master ID. If the root is in
this region, the CIST Regional Root Identifier is the
same as the CIST Root Identifier.
CIST Port 2 Indicates the ID of the designated port in the IST.

Identifier
Message Age 2 Indicates the lifecycle of the BPDU.
Max Age 2 Indicates the maximum lifecycle of the BPDU. If the

Max Age timer expires, it is considered that the link to
the root fails.
Hello Time 2 Indicates the Hello timer value. The default value is 2
seconds.
Forward Delay 2 Indicates the forwarding delay timer. The default value
is 15 seconds.
Version 1 1 Indicates the BPDUv1 length, which has a fixed value

Length of 0.
Version 3 2 Indicates the BPDUv3 length.

Length
MST 51 Indicates the MST configuration identifier, which has

Configuration four fields.
Identifier

CIST Internal 4 Indicates the total path costs from the local port to the
Root Path Cost IST master. This value is calculated based on link
bandwidth.
CIST Bridge 8 Indicates the ID of the designated switching device on

Identifier the CIST.
CIST 1 Indicates the remaining hops of the BPDU in the CIST.

Remaining
Hops
MSTI 16 Indicates an MSTI configuration message. Each MSTI

Configuration configuration message occupies 16 bytes. If there are n
Messages MSTIs, MSTI configuration messages are of nx16
(may be bytes.
absent)
Configurable MST BPDU Format

Currently, there are two MST BPDU formats:
l dot1s: BPDU format defined in IEEE 802.1s.

l legacy: private BPDU format.
If a port transmits either dot1s or legacy BPDUs by default, the user needs to identify the
format of BPDUs sent by the peer, and then runs a command to configure the port to support
the peer BPDU format. Once the configuration is incorrect, a loop probably occurs due to
incorrect MSTP calculation.
By using the stp compliance command, you can configure a port on a Huawei datacom
device to automatically adjust the MST BPDU format. With this function, the port
automatically adopts the peer BPDU format. The following MST BPDU formats are
supported by Huawei datacom devices:
l auto
l dot1s
l legacy
In addition to dot1s and legacy formats, the auto mode allows a port to automatically switch
to the BPDU format used by the peer based on BPDUs received from the peer. In this manner,
the two ports use the same BPDU format. In auto mode, a port uses the dot1s BPDU format
by default, and keeps pace with the peer after receiving BPDUs from the peer.
Configurable Maximum Number of BPDUs Sent by a Port at a Hello Interval

BPDUs are sent at Hello intervals to maintain the spanning tree. If a switching device does
not receive any BPDU during a certain period of time, the spanning tree will be re-calculated.
After a switching device becomes the root, it sends BPDUs at Hello intervals. Non-root
switching devices adopt the Hello Time value set for the root.

Huawei datacom devices allow the maximum number of BPDUs sent by a port at a Hello
interval to be configured as needed.
The greater the Hello Time value, the more BPDUs sent at a Hello interval. Setting the Hello
Time to a proper value limits the number of BPDUs sent by a port at a Hello interval. This
helps prevent network topology flapping and avoid excessive use of bandwidth resources by
BPDUs.
12.2.4 MSTP Topology Calculation
MSTP Principle
MSTP can divide the entire Layer 2 network into multiple MST regions, and the CST is
generated through calculation. In an MST region, multiple spanning trees are calculated, each
of which is called an MSTI. Among these MSTIs, MSTI 0 is also known as the internal
spanning tree (IST). Like STP, MSTP uses configuration messages to calculate spanning
trees, but the configuration messages are MSTP-specific.
Vectors
Both MSTIs and the CIST are calculated based on vectors, which are carried in MST BPDUs.
Therefore, switching devices exchange MST BPDUs to calculate MSTIs and the CIST.
l Vectors are described as follows:

– The following vectors participate in the CIST calculation:
{ root ID, external root path cost, region root ID, internal root path cost, designated
switching device ID, designated port ID, receiving port ID }
– The following vectors participate in the MSTI calculation:
{ regional root ID, internal root path cost, designated switching device ID,
designated port ID, receiving port ID }
The priorities of vectors in braces are in descending order from left to right.
Table 12-7 describes the vectors.
Table 12-7 Vector description
Vector Name Description
Root ID Identifies the root switching device for the CIST. The root
identifier consists of the priority value (16 bits) and MAC address
(48 bits).
The priority value is the priority of MSTI 0.
External root path Indicates the path cost from a CIST regional root to the root.
cost (ERPC) ERPCs saved on all switching devices in an MST region are the
same. If the CIST root is in an MST region, ERPCs saved on all
switching devices in the MST region are 0s.
Regional root ID Identifies the MSTI regional root. The regional root ID consists
of the priority value (16 bits) and MAC address (48 bits).
The priority value is the priority of MSTI 0.

Vector Name Description
Internal root path Indicates the path cost from the local bridge to the regional root.
cost (IRPC) The IRPC saved on a regional edge port is greater than the IRPC
saved on a non-regional edge port.
Designated Identifies the nearest upstream bridge on the path from the local
switching device bridge to the regional root. If the local bridge is the root or the
ID regional root, this ID is the local bridge ID.
Designated port Identifies the port on the designated switching device connected
ID to the root port on the local bridge. The port ID consists of the
priority value (4 bits) and port number (12 bits). The priority
value must be a multiple of 16.
Receiving port ID Identifies the port receiving the BPDU. The port ID consists of
the priority value (4 bits) and port number (12 bits). The priority
value must be a multiple of 16.
l The vector comparison principle is as follows:

For a vector, the smaller the priority value, the higher the priority.
Vectors are compared based on the following rules:
a. Compare the IDs of the roots.
b. If the IDs of the roots are the same, compare ERPCs.
c. If ERPCs are the same, compare the IDs of regional roots.
d. If the IDs of regional roots are the same, compare IRPCs.
e. If IRPCs are the same, compare the IDs of designated switching devices.
f. If the IDs of designated switching devices are the same, compare the IDs of
designated ports.
g. If the IDs of designated ports are the same, compare the IDs of receiving ports.
If the priority of a vector carried in the configuration message of a BPDU received by a
port is higher than the priority of the vector in the configuration message saved on the
port, the port replaces the saved configuration message with the received one. In
addition, the port updates the global configuration message saved on the device. If the
priority of a vector carried in the configuration message of a BPDU received on a port is
equal to or lower than the priority of the vector in the configuration message saved on
the port, the port discards the BPDU.
CIST Calculation
After completing the configuration message comparison, the switching device with the
highest priority on the entire network is selected as the CIST root. MSTP calculates an IST
for each MST region, and computes a CST to interconnect MST regions. On the CST, each
MST region is considered a switching device. The CST and ISTs constitute a CIST for the
entire network.
MSTI Calculation
In an MST region, MSTP calculates an MSTI for each VLAN based on mappings between
VLANs and MSTIs. Each MSTI is calculated independently. The calculation process is

similar to the process for STP to calculate a spanning tree. For details, see 11.2.4 STP
Topology Calculation.
MSTIs have the following characteristics:
l The spanning tree is calculated independently for each MSTI, and spanning trees of
MSTIs are independent of each other.
l MSTP calculates the spanning tree for an MSTI in the manner similar to STP.
l Spanning trees of MSTIs can have different roots and topologies.
l Each MSTI sends BPDUs in its spanning tree.
l The topology of each MSTI is configured by using commands.
l A port can be configured with different parameters for different MSTIs.
l A port can play different roles or have different status in different MSTIs.
On an MSTP-aware network, a VLAN packet is forwarded along the following paths:
l MSTI in an MST region
l CST among MST regions
MSTP Responding to Topology Changes

MSTP topology changes are processed in the manner similar to that in RSTP. For details
about how RSTP processes topology changes, see 11.2.6 RSTP Technology Details.
12.2.5 MSTP Fast Convergence

MSTP supports both ordinary and enhanced Proposal/Agreement (P/A) mechanisms:
l Ordinary P/A
The ordinary P/A mechanism supported by MSTP is implemented in the same manner as
that supported by RSTP. For details about the P/A mechanism supported by RSTP, see
11.2.6 RSTP Technology Details.
l Enhanced P/A
Figure 12-10 Enhanced P/A mechanism

Upstream Downstream
device device
Sends a proposal
so that the port can
rapidly enter the
Forwarding state The root port blocks
all the other non-
Sends an agreement edge ports
The root port
The designated Sends an agreement enters the
port enters the Forwarding state
Forwarding state
root port
designated port

As shown in Figure 12-10, in MSTP, the P/A mechanism works as follows:

a. The upstream device sends a proposal to the downstream device, indicating that the
port connecting to the downstream device wants to enter the Forwarding state as
soon as possible. After receiving this BPDU, the downstream device sets its port
connecting to the upstream device to the root port, and blocks all non-edge ports.
b. The upstream device continues to send an agreement. After receiving this BPDU,
the root port enters the Forwarding state.
c. The downstream device replies with an agreement. After receiving this BPDU, the
upstream device sets its port connecting to the downstream device to the designated
port, and the port enters the Forwarding state.
By default, Huawei datacom devices use the fast transition mechanism in enhanced mode. To
enable a Huawei datacom device to communicate with a third-party device that uses the fast
transition mechanism in common mode, configure the Proposal/Agreement mechanism on the
Huawei datacom device so that the Huawei datacom device works in common mode.
12.3 Application Scenarios for MSTP

This section describes the applicable environment of MSTP.
Application of MSTP
Figure 12-11 Networking diagram for a typical MSTP application
MST Region
S1 S2
all VLAN
VLAN
VLAN VLAN
10&20 VLAN
20&30 20&30
10&20
VLAN
S3 20&40 S4
MSTP allows packets in different VLANs to be forwarded by using different spanning tree
instances, as shown in Figure 12-11. The configurations are as follows:
l All devices on the network belong to the same MST region.
l VLAN 10 packets are forwarded within MSTI 1; VLAN 30 packets are forwarded within
MSTI 3; VLAN 40 packets are forwarded within MSTI 4; VLAN 20 packets are
forwarded within MSTI 0.
In Figure 12-11, S1 and S2 are devices at the aggregation layer; S3 and S4 are devices at the
access layer. Traffic from VLAN 10 and VLAN 30 is terminated by aggregation devices, and

traffic from VLAN 40 is terminated by the access device. Therefore, S1 and S2 can be
configured as the roots of MSTI 1 and MSTI 3, and S3 can be configured as the root of MSTI
4.
12.4 Summary of MSTP Configuration Tasks

Table 12-8 lists the configuration task summary of MSTP.
Table 12-8 MSTP configuration tasks
Configuring Basic MSTP MSTP is commonly 12.7 Configuring Basic

Functions configured on switching MSTP Functions
devices to trim a ring
network to a loop-free
network. Devices start
spanning tree calculation
after the working mode is
set and MSTP is enabled.
Use any of the following
methods if you need to
intervene in the spanning
tree calculation:
l Manually configure the
root bridge and
secondary root bridge
l Set a priority for a
switching device in an
MSTI
l Set a path cost for a port
in an MSTI
l Set a priority for a port in
an MSTI
Configuring MSTP Proper MSTP parameter 12.8 Configuring MSTP

Parameters on an Interface settings achieve rapid Parameters on an
convergence. Interface
Configuring MSTP This section describes how 12.9 Configuring MSTP

Protection Functions to configure MSTP Protection Functions
protection functions. You
can configure one or more
functions.
Configuring MSTP To communicate with a non- 12.10 Configuring MSTP

Interoperability Between Huawei device, set proper Interoperability Between
Huawei Devices and Non- parameters on the MSTP- Huawei Devices and Non-
Huawei Devices enabled Huawei device. Huawei Devices

12.5 Default Settings for MSTP

Working mode MSTP
MSTP status MSTP is enabled globally and on an interface.
Switching device priority 32768
Port priority 128
Algorithm used to calculate the dot1t, IEEE 802.1t

path cost
Forward Delay Time 1500 centiseconds
Hello Time 200 centiseconds
Max Age Time 2000 centiseconds
12.6 Licensing Requirements and Limitations for MSTP

None
MSTP is a basic feature of a router and is not under license control.
Feature Limitations
When deploying MSTP on the router, pay attention to the following:
The AR160-S series do not support MSTP.
12.7 Configuring Basic MSTP Functions

MSTP based on the basic STP/RSTP function divides a switching network into multiple
regions, each of which has multiple spanning trees that are independent of each other. MSTP
isolates different VLANs' traffic, and load-balances VLAN traffic.
Context
MSTP is commonly configured on switching devices to trim a ring network to a loop-free
network. Devices start spanning tree calculation after the working mode is set and MSTP is
enabled. Use any of the following methods if you need to intervene in the spanning tree
calculation:

l Manually configure the root bridge and secondary root bridge.

l Set a priority for a switching device in an MSTI: The lower the numerical value, the
higher the priority of the switching device and the more likely the switching device
becomes a root bridge; the higher the numerical value, the lower the priority of the
switching device and the less likely that the switching device becomes a root bridge.
l Set a path cost for a port in an MSTI: With the same calculation method, the lower the
numerical value, the smaller the cost of the path from the port to the root bridge and the
more likely the port becomes a root port; the higher the numerical value, the larger the
cost of the path from the port to the root bridge and the less likely that the port becomes
a root port.
l Set a priority for a port in an MSTI: The lower the numerical value, the more likely the
port becomes a designated port; the higher the numerical value, the less likely that the
port becomes a designated port.
12.7.1 Configuring the MSTP Mode
Context
Before configuring basic MSTP functions, set the working mode of a switching device to
MSTP. MSTP is compatible with STP and RSTP.
Procedure
Step 2 Run stp mode mstp
The working mode of the switching device is set to MSTP. By default, the working mode is
MSTP.
STP and MSTP cannot recognize packets of each other, but MSTP and RSTP can. If an
MSTP-enabled switching device is connected to switching devices running STP, interfaces of
the MSTP-enabled switching device connected to devices running STP automatically
transition to STP mode, and other interfaces still work in MSTP mode. This enables devices
running different spanning tree protocols to interwork with each other.
----End
12.7.2 Configuring and Activating an MST Region
Context
An MST region contains multiple switching devices and network segments. These switching
devices are directly connected and have the same region name, same VLAN-to-instance
mapping, and the same configuration revision number after MSTP is enabled. One switching
network can have multiple MST regions. You can use MSTP commands to group multiple
switching devices into one MST region.

NOTE
Two switching devices belong to the same MST region when they have the same:
l Name of the MST region
l Mapping between VLANs and MSTIs
l Revision level of the MST region
Perform the following steps on a switching device that needs to join an MST region.
Procedure
Step 2 Run stp region-configuration
The MST region view is displayed.
Step 3 Run region-name name
The name of an MST region is configured.
By default, the MST region name is the MAC address of the management network interface
on the MPU of the switching device.
Step 4 Perform either of the following steps to configure VLAN-to-instance mappings.
l Run the instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command to
configure VLAN-to-instance mappings.
l Run the vlan-mapping modulo modulo command to enable VLAN-to-instance mapping
assignment based on a default algorithm.
By default, all VLANs in an MST region are mapped to MSTI 0.
l The VLAN-to-instance mappings generated using the vlan-mapping modulo modulo
commands cannot meet network requirements. It is recommended that you run the
instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command to configure
VLAN-to-instance mappings.
l The vlan-mapping modulo specifies the formula (VLAN ID-1)%modulo+1. In the
formula, (VLAN ID-1)%modulo means the remainder of (VLAN ID-1) divided by the
value of modulo. This formula is used to map a VLAN to the corresponding MSTI. The
calculation result of the formula is the ID of the mapping MSTI.
Step 5 (Optional) Run revision-level level
The MSTP revision number is set.
By default, the MSTP revision number is 0.
If the revision number of the MST region is not 0, this step is necessary.

NOTE
Changing MST region configurations (especially change of the VLAN mapping table) triggers spanning
tree recalculation and causes route flapping. Therefore:
l After configuring an MST region name, VLAN-to-instance mappings, and an MSTP revision
number, run the check region-configuration command in the MST region view to verify the
configuration. After confirming the region configurations, run the active region-configuration
command to activate MST region configurations.
l You are advised not to modify MST region parameters after the MST region is activated.
Step 6 Run active region-configuration

MST region configurations are activated so that the configured region name, VLAN-to-
instance mappings, and revision number can take effect.
If this step is not done, the preceding configurations cannot take effect.
If you have changed MST region configurations on the switching device after MSTP starts,
run the active region-configuration command to activate the MST region so that the changed
configurations can take effect.
----End
12.7.3 (Optional) Configuring the Root Bridge and Secondary

Root Bridge
Context
The root bridge can be calculated through calculation. You can also manually configure the
root bridge or secondary root bridge.
l A switching device plays different roles in different spanning trees. The switching device
can function as the root switch or secondary root switch of a spanning tree and the root
switch or secondary root switch of another spanning tree. The switching device can
function as only the root switch or secondary root switch of the same spanning tree.
l In a spanning tree, only one root bridge takes effect. When two or more than two devices
are specified as root bridges of a spanning tree, the device with the smallest MAC
address is used as the root bridge.
l You can specify multiple secondary root bridges for each spanning tree. When the root
bridge fails or is powered off, the secondary root bridge becomes the new root bridge. If
a new root bridge is specified, the secondary root bridge will not become the root bridge.
If multiple secondary root bridges are configured, the secondary root bridge with
smallest MAC address will become the root bridge of the spanning tree.
NOTE
It is recommended that the root bridge and secondary root bridge be configured manually.
Procedure
l Perform the following operations on the device to be used as the root bridge.
a. Run system-view
b. Run stp [ instance instance-id ] root primary
The device is configured as the root bridge.

By default, a switching device does not function as the root bridge. After the
configuration is complete, the BID of the device is 0 and cannot be changed.
If instance is not specified, the device in MSTI 0 is a root bridge.
l Perform the following operations on the device to be used as the secondary root bridge.
a. Run system-view
b. Run stp [ instance instance-id ] root secondary
The device is configured as the secondary root bridge.
By default, a switching device does not function as the secondary root bridge. After
the configuration is complete, the BID of the device is 4096 and cannot be changed.
If instance is not specified, the device in MSTI 0 is a backup root bridge.
----End
12.7.4 (Optional) Configuring a Priority for a Switching Device in

an MSTI
Context
In an MSTI, there is only one root bridge, which is the logic center of the MSTI. During root
bridge selection, a high-performance switching device at a high network layer should be
selected as the root bridge; however, the priority of such a device may not be the highest on
the network. It is therefore necessary to set a high priority for the switching device to ensure
that the device functions as a root bridge.
Low-performance devices at lower network layers are not fit to serve as a root bridge.
Therefore, set low priorities for these devices.
A switching device with a high priority is more likely to be selected as the root bridge in an
MSTI. A smaller priority value indicates a higher priority.
Procedure
Step 2 Run stp [ instance instance-id ] priority priority
A priority is set for the switching device in an MSTI.
The default priority value of the switching device is 32768.
If the instance-id is not designated, a priority is set for the switching device in MSTI0.

NOTE
If the stp [ instance instance-id ] root primary or stp [ instance instance-id ] root secondary
command has been executed to configure the device as the root bridge or secondary root bridge, to
change the device priority, run the undo stp [ instance instance-id ] root command to disable the root
bridge or secondary root bridge function and run the stp [ instance instance-id ] priority priority
command to set a priority.
----End
12.7.5 (Optional) Configuring a Path Cost of a Port in an MSTI

Context
A path cost is port-specific and is used by MSTP to select a link.
Path costs of ports are an important basis for calculating spanning trees. If you set different
path costs for a port in different MSTIs, VLAN traffic can be transmitted along different
physical links for load balancing.
The MSTP path cost determines root port selection in an MSTI. The port with the lowest path
cost to the root bridge is selected as the root port.
In the Huawei calculation method for example, the link rate determines the recommended
value for the path cost. The following table lists the recommended path costs for ports with
different link rates.
Table 12-9 Mappings between link rates and path cost values
Link Rate Recommended Recommended Path Cost Range
Path Cost Path Cost Range
10 Mbit/s 2000 200 to 20000 1 to 200000
100 Mbit/s 200 20 to 2000 1 to 200000
1 Gbit/s 20 2 to 200 1 to 200000
10 Gbit/s 2 2 to 20 1 to 200000
Higher than 10 1 1 to 2 1 to 200000

Gbit/s
If a network has loops, it is recommended that you set a relatively large path cost for ports
with low link rates.
Procedure
Step 2 Run stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is configured.
By default, the IEEE 802.1t standard (dot1t) is used to calculate the path cost.

All switching devices on a network must use the same path cost calculation method.
The Ethernet interface view is displayed.
Step 4 Run stp instance instance-id cost cost
A path cost is set for the port in the current MSTI.
l When the Huawei calculation method is used, cost ranges from 1 to 200000.
l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.
----End
12.7.6 (Optional) Configuring a Port Priority in an MSTI
Context
During spanning tree calculation, port priorities in MSTIs determine which ports are selected
as designated ports.
To block a port in an MSTI to eliminate loops, set the port priority value to larger than the
default value. This port will be blocked during designated port selection.
Procedure
Step 3 Run stp instance instance-id port priority priority
A port priority is set in an MSTI.
By default, the port priority is 128.
The value range of the priority is from 0 to 240, in steps of 16.
----End
12.7.7 Enabling MSTP
Context
After configuring basic MSTP functions on a switching device, enable MSTP function.
After MSTP is enabled on a ring network, it immediately calculates spanning trees on the
network. Configurations on the switching device, such as, the switching device priority and
port priority, will affect spanning tree calculation. Any change to the configurations may
cause network flapping. Therefore, to ensure rapid and stable spanning tree calculation,
perform basic configurations on the switching device and its ports and enable MSTP.

Procedure
l Enable MSTP on a switching device.
a. Run system-view
b. Run stp enable
MSTP is enabled on the switching device.
By default, MSTP is enabled on a router.
l Enable MSTP on an interface device.
a. Run system-view
c. Run stp enable
MSTP is enabled on the interface.
By default, MSTP is enabled on the interface.
----End
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths to associated VLANs are
changed. The ARP entries corresponding to those VLANs on the switching device need to be
updated. MSTP processes ARP entries in either fast or normal mode.
l In fast mode, ARP entries to be updated are directly deleted.
l In normal mode, ARP entries to be updated are rapidly aged.
The remaining lifetime of ARP entries to be updated is set to 0. The switching device
rapidly processes these aged entries. If the number of ARP aging probe attempts is not
set to 0, ARP implements aging probe for these ARP entries.
You can run the stp converge { fast | normal } command in the system view to configure the
STP/RSTP convergence mode.
By default, the normal MSTP convergence mode is used.
NOTE
The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted,
causing the CPU usage on device to reach 100%. As a result, network flapping will frequently occur.
12.7.8 Verifying the Basic MSTP Configuration

Procedure
l Run the display stp [ instance instance-id ] [ interface interface-type interface-number ]
[ brief ] command to view spanning-tree status and statistics.
l Run the display stp region-configuration command to view configurations of activated
MST regions.

l Run the display stp region-configuration digest command to view the digest
configurations of activated MST regions.
----End
12.8 Configuring MSTP Parameters on an Interface

Proper MSTP parameter settings achieve rapid convergence.
Before configuring MSTP parameters that affect route convergence, complete the following
task:
l Configuring MSTP
12.8.1 Setting the MSTP Network Diameter
Context
Procedure
l RSTP uses a single spanning tree instance on the entire network. As a result,
performance deterioration cannot be prevented when the network scale grows. Therefore,
the network diameter cannot be larger than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the
network diameter. Then, the switching device calculates the optimal Forward Delay
period, Hello timer value, and Max Age timer value based on the set network diameter.
----End

12.8.2 Setting the MSTP Timeout Interval

Context
as follows:
Procedure
The timeout period for waiting for BPDUs from the upstream device is set.
----End
12.8.3 Setting the Values of MSTP Timers

Context
Age.

Procedure
Step 2 Set Forward Delay, Hello Time, and Max Age.
The value of Forward Delay of the switching device is set.
By default, the value of Forward Delay of the switching device is 1500 centiseconds.
The value of Hello Time of the switching device is set.
By default, the value of Hello Time of the switching device is 200 centiseconds.
The value of Max Age of the switching device is set.
By default, the value of Max Age of the switching device is 2000 centiseconds.
----End

Context
the root bridge.


RouterA RouterB
Before Eth-Trunk1
Root Bridge
RouterA RouterB
After Eth-Trunk1
Root Bridge
Alternate port
Root port
Designated port
Procedure

8.
----End
12.8.5 Setting the Link Type of a Port
Context
It is easy to implement rapid convergence on a P2P link. If the two ports connected to a P2P
link are root or designated ports, the ports can transit to the forwarding state quickly by
sending Proposal and Agreement packets. This reduces the forwarding delay.

Procedure
The view of the Ethernet interface participating in STP calculation is displayed.
Step 3 Run stp point-to-point { auto | force-false | force-true }
The link type is configured for the interface.
By default, an interface automatically determines whether to connect to a P2P link. The P2P
link supports rapid network convergence.
l If the Ethernet port works in full-duplex mode, the port is connected to a P2P link. In this
case, force-true can be configured to implement rapid network convergence.
l If the Ethernet port works in half-duplex mode, you can run stp point-to-point force-
true to forcibly set the link type to P2P.
----End
12.8.6 Setting the Maximum Transmission Rate of an Interface
Context
A larger value of packet-number indicates more BPDUs sent in a hello interval and therefore
more system resources occupied. Setting the proper value of packet-number prevents excess
bandwidth usage when route flapping occurs.
Procedure
Step 3 Run stp transmit-limit packet-number
The maximum number of BPDUs sent by a port in a specified period is set.
By default, the maximum number of BPDUs that a port sends is 6 per second.
----End
12.8.7 Switching to the MSTP Mode
Context
If an interface on an MSTP-enabled device is connected to an STP-enabled device, the
interface switches to the STP compatible mode.

If the STP-enabled device is powered off or removed, the interface cannot automatically
switch to the MSTP mode. When the interface goes Up again, the interface needs to be
manually switched to the MSTP mode.
If the STP-enabled switching device is switched to the MSTP mode, the interface can
automatically switch to the MSTP mode.
Procedure
l Switching to the MSTP mode in the interface view
a. Run system-view
The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
c. Run stp mcheck
The device is switched to the MSTP mode.
l Switching to the MSTP mode in the system view
a. Run system-view
b. Run stp mcheck
The device is switched to the MSTP mode.
----End
12.8.8 Configuring a Port as an Edge Port and BPDU Filter Port

Context
If a designated port is located at the edge of a network and is directly connected to terminal
devices, this port is called edge port.
An edge port does not receive or process configuration BPDUs, or MSTP calculation. It can
transit from Disable to Forwarding without any delay.
After a designated port is configured as an edge port, the port can still send BPDUs. Then
BPDUs are sent to other networks, causing flapping of other networks. You can configure a
port as an edge port and BPDU filter port so that the port does not process or send BPDUs.

After all ports are configured as edge ports and BPDU filter ports in the system view, none of
ports on the device send BPDUs or negotiate the STP status with directly connected ports on
the peer device. All ports are in forwarding state. This may cause loops on the network,
leading to broadcast storms. Exercise caution when you configure a port as an edge port and
BPDU filter port.
After a port is configured as an edge port and BPDU filter port in the interface view, the port
does not process or send BPDUs. The port cannot negotiate the STP status with the directly
connected port on the peer device. Exercise caution when you configure a port as an edge port
and BPDU filter port.
Procedure
l Configuring all ports as edge ports and BPDU filter ports in the system view
a. Run system-view

b. Run stp edged-port default
All ports are configured as edge ports.

c. Run stp bpdu-filter default
All ports are configured as BPDU filter ports.

l Configuring a port as an edge port and BPDU filter port in the interface view
a. Run system-view

The view of the Ethernet interface that participates in spanning tree calculation is
displayed.
c. (Optional) Run stp edged-port enable
The port is configured as an edge port.

d. Run stp bpdu-filter enable
The port is configured as a BPDU filter port.
----End

12.8.9 Setting the Maximum Number of Hops in an MST Region
Context
Switching devices on a Layer 2 network running MSTP communicate with each other by
exchanging MST BPDUs. An MST BPDU has a field that indicates the number of remaining
hops.
l The number of remaining hops in a BPDU sent by the root switching device equals the
maximum number of hops.
l The number of remaining hops in a BPDU sent by a non-root switching device equals
the maximum number of hops minus the number of hops from the non-root switching
device to the root switching device.
l If a switching device receives a BPDU in which the number of remaining hops is 0, the
switching device will discard the BPDU.
Therefore, the maximum number of hops of a spanning tree in an MST region determines the
network scale. The stp max-hops command can be used to set the maximum number of hops
in an MST domain so that the network scale of a spanning tree can be controlled.
Procedure
Step 2 Run stp max-hops hop
The maximum number of hops in an MST region is set.
By default, the maximum number of hops of the spanning tree in an MST region is 20.
----End
12.8.10 Verifying the Configuration of the MSTP Parameters on

an Interface
Procedure
----End
12.9 Configuring MSTP Protection Functions

Huawei datacom devices provide the following MSTP protection functions. You can
configure one or more functions.
Before configuring MSTP protection functions, complete the following task:

l Configuring MSTP
12.9.1 Configuring BPDU Protection on a Switching Device

Context
Edge ports are directly connected to user terminal and will not receive BPDUs. Attackers may
send pseudo BPDUs to attack the switching device. If the edge ports receive the BPDUs, the
switching device configures the edge ports as non-edge ports and triggers a new spanning tree
calculation. Network flapping then occurs. BPDU protection can be used to protect switching
devices against malicious attacks.
Perform the following procedure on all switching devices that have edge ports.
Procedure
Step 2 Run stp bpdu-protection
BPDU protection is enabled on the switching device.
By default, BPDU protection is not enabled on the switching device.
----End
Follow-up Procedure
If you want an edge port to automatically recover from the error-down state, run the error-
down auto-recovery cause bpdu-protection interval interval-value command in the system
view to configure the auto recovery function and set a recovery delay on the port. Then a port
in error-down state can automatically go Up after the delay expires. Note the following when
setting the recovery delay:
l By default, the auto recovery function is disabled; therefore, the recovery delay
parameter does not have a default value. When you enable the auto recovery function,
you must set a recovery delay.
l A smaller value of interval-value indicates a shorter time taken for an edge port to go
Up, and a higher frequency of Up/Down state transitions on the port.
l A larger value of interval-value indicates a longer time taken for the edge port to go Up,
and a longer service interruption time.
l The auto recovery function takes effect only for the interfaces that transition to the error-
down state after the error-down auto-recovery command is executed.
12.9.2 Configuring TC Protection on a Switching Device

Context
If attackers forge TC-BPDUs to attack the switching device, the switching device receives a
large number of TC BPDUs within a short time. If MAC address entries and ARP entries are
deleted frequently, the switching device is heavily burdened, causing potential risks to the
network.

TC protection is used to suppress TC BPDUs. The number of times that TC BPDUs are
processed by a switching device within a given time period is configurable. If the number of
TC BPDUs that the switching device receives within a given time exceeds the specified
threshold, the switching device handles TC BPDUs only for the specified number of times.
Excess TC BPDUs are processed by the switching device as a whole for once after the
specified time period expires. This protects the switching device from frequently deleting
MAC entries and ARP entries, therefore avoiding overburden.
Procedure
Step 2 Run stp tc-protection threshold threshold
The number of times the MSTP process handles the received TC BPDUs and updates
forwarding entries within a given time is set.
NOTE
The time is set using the stp tc-protection interval command.
----End
12.9.3 Configuring Root Protection on an Interface
Context
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive
BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to
serve as the root bridge and the network topology is changed, triggering spanning tree
recalculation. This also may cause the traffic that should be transmitted over high-speed links
to be transmitted over low-speed links, leading to network congestion. The root protection
function on a switching device is used to protect the root bridge by preserving the role of the
designated port.
NOTE
Root protection takes effect only on designated ports.
Perform the following steps on the root bridge in an MST region.
Procedure
Step 3 Run stp root-protection
Root protection is configured on the switching device.

By default, root protection is disabled.
----End
12.9.4 Configuring Loop Protection on an Interface
Context
On a network running MSTP, a switching device maintains the root port status and status of
blocked ports by receiving BPDUs from an upstream switching device. If the switching
device cannot receive BPDUs from the upstream device because of link congestion or
unidirectional-link failure, the switching device re-selects a root port. The original root port
becomes a designated port and the original blocked ports change to the Forwarding state. This
switching may cause network loops, which can be mitigated by configuring loop protection.
If the root port or alternate port does not receive BPDUs from the upstream device for a long
time, the switch enabled with loop protection sends a notification to the NMS. If the root port
is used, the root port enters the Discarding state and becomes the designated port. If the
alternate port is used, the alternate port keeps blocked and becomes the designated port. In
this case, loops will not occur. After the link is not congested or unidirectional link failures
are rectified, the port receives BPDUs for negotiation and restores its original role and status.
NOTE
An alternate port is a backup port for a root port. If a switching device has an alternate port, you need to
configure loop protection on both the root port and the alternate port.
Perform the following steps on the root port and alternate port on a switching device in an
MST region.
Procedure
Step 3 Run stp loop-protection
Loop protection for the root port is configured on the switching device.
By default, loop protection is disabled.
Root protection and loop protection cannot be configured simultaneously.
----End
12.9.5 Checking the MSTP Protection Function Configuration
Procedure
----End

12.10 Configuring MSTP Interoperability Between

Huawei Devices and Non-Huawei Devices
To communicate with a non-Huawei device, set proper parameters on the MSTP-enabled
Huawei device.
12.10.1 Configuring a Proposal/Agreement Mechanism
Context
The rapid transition mechanism is also called the Proposal/Agreement mechanism. All
switching devices support the following modes:
l Enhanced mode: The current interface counts the root port calculation when it computes
the synchronization flag bit.
– An upstream device sends a Proposal message to a downstream device, requesting
rapid status transition. After receiving the message, the downstream device sets the
port connected to the upstream device as a root port and blocks all non-edge ports.
– The upstream device then sends an Agreement message to the downstream device.
After the downstream device receives the message, the root port transitions to the
Forwarding state.
– The downstream device responds to the Proposal message with an Agreement
message. After receiving the message, the upstream device sets the port connected
to the downstream device as a designated port, and the designated port transitions to
the Forwarding state.
l Common mode: The current interface ignores the root port when it computes the
synchronization flag bit.
– An upstream device sends a Proposal message to a downstream device, requesting
rapid status transition. After receiving the message, the downstream device sets the
port connected to the upstream device as a root port and blocks all non-edge ports.
The root port then transitions to the Forwarding state.
– The downstream device responds to the Proposal message with an Agreement
message. After receiving the message, the upstream device sets the port connected
to the downstream device as a designated port. The designated port then transitions
to the Forwarding state.
When Huawei devices are connected to non-Huawei devices, select the same mode as that
used on non-Huawei devices.
Procedure

Step 3 Run stp no-agreement-check
The common rapid transition mechanism is configured.
By default, the interface uses the enhanced rapid transition mechanism.
----End
12.10.2 Configuring the MSTP Protocol Packet Format on an

Interface
Context
MSTP protocol packets have two formats: dot1s (IEEE 802.1s standard packets) and legacy
(proprietary protocol packets).
You can specify the packet format and use the auto mode. In auto mode, the switching device
switches the MSTP protocol packet format based on the received MSTP protocol packet
format so that the switching device can communicate with the peer device.
Procedure
Step 3 Run stp compliance { auto | dot1s | legacy }
The MSTP protocol packet format is configured on the interface.
The auto mode is used by default.
NOTE
The negotiation will fail if the format of MSTP packets is set to dot1s at one end and legacy at the other
end.
----End
12.10.3 Enabling the Digest Snooping Function
Context
Interconnected Huawei and non-Huawei devices cannot communicate with each other if they
have the same region name, revision number, and VLAN-to-instance mappings but different
BPDU keys. To address this problem, enable the digest snooping function on the Huawei
device.
Perform the following steps on a switching device in an MST region to enable the digest
snooping function.

Procedure
Step 3 Run stp config-digest-snoop
The digest snooping function is enabled.
----End
12.10.4 Verifying the Configuration of the MSTP Interoperability

Between Huawei Devices and Non-Huawei Devices
Procedure
----End
12.11 Maintaining MSTP
12.11.1 Clearing MSTP Statistics

Context
MSTP statistics cannot be restored after being cleared.
Procedure
l Run the reset stp [ interface interface-type interface-number ] statistics command to
clear spanning-tree statistics.
l Run the reset stp error packet statistics to clear the statistics of error STP packets.
----End
12.11.2 Monitoring the Statistics on MSTP Topology Changes

Procedure
l Run the display stp [ instance instance-id ] topology-change command to view the
statistics about MSTP topology changes.


tc-bpdu statistics command to view the statistics about TC/TCN packets.
----End
12.12 Configuration Examples for MSTP
12.12.1 Example for Configuring Basic MSTP Functions

On a complex network, loops are inevitable. With the requirement for network redundancy
backup, network designers tend to deploy multiple physical links between two devices, one of
which is the master and the others are the backup. Loops are likely or bound to occur in such
a situation.
Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the
network. Loops also cause flapping of MAC address tables and damages MAC address
entries.
MSTP can be deployed to eliminate loops. MSTP blocks redundant links on a Layer 2
network and trims the network into a loop-free tree.
As shown in Figure 12-13, to load balance traffic of VLANs 2 to 10 and traffic of VLANs 11
to 20, multiple MSTIs are created. MSTP defines a VLAN mapping table in which VLANs
are associated with spanning tree instances. Run MSTP on RouterA, SwitchA, SwitchB,
SwitchC and SwitchD.

Figure 12-13 Networking diagram of configuring basic MSTP functions
Network
MST RouterA
Region
Eth2/0/0 Eth2/0/1
Eth0/0/1 RG1 Eth0/0/1

SwitchA SwitchB
3
Et
0/
h0
Eth0/0/2 0/
Eth0/0/2
/0
h
Et
/3
Et
/4
h0
/0
/0
h0
Eth0/0/1 Eth0/0/1
/4
Et
SwitchC SwitchD
Eth0/0/2 Eth0/0/3 Eth0/0/2 Eth0/0/3
PC1 PC2 PC3 PC4
VLAN2~10 MSTI1
VLAN11~20 MSTI2
MSTI1:
Root Switch:RouterA
Blocked port
MSTI2:
Root Switch:RouterA
Blocked port

1. Configure basic MSTP functions, including:
a. Configure the MSTP mode for the ring network.
b. Configure an MST region and create multiple MSTIs to implement load balancing.
c. In the MST region, configure a primary root bridge and a secondary root bridge for
each MSTI.
d. Set path costs for ports to be blocked in each MSTI.
e. Enable MSTP to eliminate loops, including:
n Enable MSTP globally.
n Disable MSTP on the interfaces that connected to terminals, or configure those
interfaces as edge ports.
n Enable MSTP on all the interfaces except the interfaces connected to
terminals.
NOTE
MSTP is not required on the interfaces connected to terminals because these interfaces do
not need to participate in MSTP calculation.
2. Configure MSTP protection functions, for example, configure root protection on a
designated port of a root bridge in each MSTI.
3. Configure the Layer 2 forwarding function on devices.
Procedure
Step 1 Configure basic MSTP functions.
1. Configure the MSTP mode for the devices on the ring network.
# Configure the MSTP mode on RouterA.
[RouterA] stp mode mstp
# Configure the MSTP mode on SwitchA, SwitchB, SwitchC and SwitchD.

2. Add all devices to MST region RG1, and create two MSTIs. MSTI1 maps to VLAN (2
to 10), and MSTI2 maps to VLAN (11 to 20).
# Configure RouterA to MST region.
[RouterA] stp region-configuration
[RouterA-mst-region] region-name RG1
[RouterA-mst-region] instance 1 vlan 2 to 10
[RouterA-mst-region] instance 2 vlan 11 to 20
[RouterA-mst-region] active region-configuration
[RouterA] quit
# Configure SwitchA, SwitchB, SwitchC and SwitchD to MST region RG1, and create
two MSTIs. MSTI1 maps to VLAN (2 to 10), and MSTI2 maps to VLAN (11 to 20).
3. In RG1, configure primary and secondary root bridges for MSTI1 and MSTI2.
# Configure primary root bridge on RouterA in MSTI1.
[RouterA] stp instance 1 root primary

# Configure secondary root bridge on SwitchA in MSTI1.

# Configure primary root bridge on RouterA in MSTI2.
[RouterA] stp instance 2 root primary
# Configure secondary root bridge on SwitchB in MSTI2.

4. Set the path costs of the ports to be blocked in MSTI1 and MSTI2 to be larger than the
default value.
NOTE
– The values of path costs depend on path cost calculation methods. Use the Huawei proprietary
calculation method as an example to set the path costs of the ports to be blocked to 200000.
– If the switches are not Huawei 2300 Series, all switches on a network must use the same path
cost calculation method. Refer to STP List of path costs to get standard of other calculation
methods.
# On RouterA, configure the path cost calculation method as the Huawei proprietary
method.
# On SwitchA, SwitchB, SwitchC and SwitchD, configure the path cost calculation
method as the Huawei proprietary method.
# As shown in Figure 12-13, set the path cost of Eth0/0/4 on SwitchC to 200000 in
MSTI1.
# As shown in Figure 12-13, set the path cost of Eth0/0/4 on SwitchD to 200000 in
MSTI2.
5. Enable MSTP to eliminate loops.
– Disable MSTP on interfaces connected to PCs, or set those interfaces as edge ports.
# As shown in Figure 12-13, disable MSTP on interface Eth0/0/2 and Eth0/0/3 of
SwitchC, or set them as edge ports.
# As shown in Figure 12-13, disable MSTP on interface Eth0/0/2 and Eth0/0/3 of
SwitchD, or set them as edge ports.
– Enable MSTP globally.
# Enable MSTP globally on RouterA.
# Enable MSTP globally on SwitchA, SwitchB, SwitchC and SwitchD.

– Enable MSTP on all the interfaces except the interfaces connected to terminals.
# Enable MSTP on RouterA Eth2/0/0 and Eth2/0/1.
# As shown in Figure 12-13, Enable MSTP on all interfaces except the interfaces
connected to terminals, for SwitchA, SwitchB, SwitchC and SwitchD.
Step 2 Configure MSTP protection function.
# Enable root protection on RouterA Eth2/0/0 and Eth2/0/1.


Step 3 Configure the Layer 2 forwarding function on devices in the ring.

l Create VLANs on RouterA, SwitchA, SwitchB, SwitchC and SwitchD.
# Create VLANs 2 to 20 on RouterA.
[RouterA] vlan batch 2 to 20
# Create VLANs 2 to 20 on SwitchA and SwitchB.

# Create VLANs 2 to 10 on SwitchC.
# Create VLANs 11 to 20 on SwitchD.
l Add interfaces on the switching devices in the ring to VLANs.
# Add RouterA Eth2/0/0 and Eth2/0/1 to VLAN 2 to 20.
# Add interfaces Eth0/0/1, Eth0/0/2 and Eth0/0/3 on SwitchA and SwitchB to VLAN 2
to 20.
# Add interfaces Eth0/0/1, Eth0/0/2, Eth0/0/3 and Eth0/0/4 on SwitchC to VLAN 2 to
10.
# Add interfaces Eth0/0/1, Eth0/0/2, Eth0/0/3 and Eth0/0/4 on SwitchD to VLAN 11 to
20.
# After the previous configurations, run the following commands to verify the configuration
when the network is stable:
# run display stp brief on RouterA to view the interface status and protection type. The
displayed information is as follows:
# In MSTI1, after RouterA is configured as a root bridge, RouterA Eth2/0/0 and Eth2/0/1 are
elected as designated ports during spanning tree calculation. In MSTI2, after RouterA is
configured as a root bridge, RouterA Eth2/0/0 and Eth2/0/1 are elected as designated ports
during spanning tree calculation.
# Verify the interface status and protection type on SwitchA. In MSTI1, interface Eth0/0/1 is
elected as root port, interfaces Eth0/0/2 and Eth0/0/3 are elected as designated ports. In
MSTI2, interface Eth0/0/1 is elected as root port, interfaces Eth0/0/2 and Eth0/0/3 are elected
# Verify the interface status and protection type on SwitchB. In MSTI1, interface Eth0/0/1 is
elected as root port, interfaces Eth0/0/2 and Eth0/0/3 are elected as designated ports. In

MSTI2, interface Eth0/0/1 is elected as root port, interfaces Eth0/0/2 and Eth0/0/3 are elected
# Verify the interface status and protection type on SwitchC. In MSTI1, interface Eth0/0/1 is
elected as root port, interface Eth0/0/4 is blocked. In MSTI2, interface Eth0/0/1 is elected as
root port, interface Eth0/0/4 is elected as designated port.
# Verify the interface status and protection type on SwitchD. In MSTI1, interface Eth0/0/1 is
elected as root port, interface Eth0/0/4 is elected as designated port. In MSTI2, interface
Eth0/0/1 is elected as root port, interface Eth0/0/4 is blocked.
----End
Configuration Files
#
sysname RouterA
#
vlan batch 2 to 20
#
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
active region-configuration
#
stp root-protection
#
stp root-protection
#
return
l Configuration file of SwitchA

#
sysname SwitchA
#
vlan batch 2 to 20
#
#
region-name RG1
#
#
#

#
return
l Configuration file of SwitchB

#
sysname SwitchB
#
vlan batch 2 to 20
#
#
region-name RG1
#
#
#
#
return
l Configuration file of SwitchC

#
sysname SwitchC
#
vlan batch 2 to 10
#
#
region-name RG1
#
#
stp disable
#
stp disable
#
#
return

l Configuration file of SwitchD

#
sysname SwitchD
#
vlan batch 11 to 20
#
#
region-name RG1
#
#
stp disable
#
stp disable
#
#
return
12.13 FAQ About MSTP
12.13.1 How Do I Determine Whether Devices Belong to the Same

MST Region?
Check whether the region configurations on devices are the same. If so, the devices belong to
the same Multiple Spanning Tree (MST) region. If not, the devices belong to different MSTP
regions. For example, devices with the same region name, VLAN-instance mapping, and
revision level belong to the same region.
12.13.2 Is the MSTP Status of Interfaces Affected When the MSTP

Status of a Member Interface in the MST Region Changes?
Yes. When the MSTP status of a member interface in the MST region changes, the device
recalculates the MSTP status of all member interfaces in the MST region.
12.13.3 Which Statuses Does an MSTP Interface Have, and How

Does the Interface Process Packets?
l Forwarding: In the forwarding state, interfaces forward user traffic. Only the root
interface and designated interface can be in the forwarding state.

l Learning: This is a transitional status. In the learning state, switches set up media access
control (MAC) address tables based on the received user traffic. A switch in the learning
state, however, does not forward user traffic.
l Discarding: In the discarding state, interfaces block packets, and do not learn MAC
addresses.

Configuration 13 SEP Configuration
13 SEP Configuration
About This Chapter
This chapter describes how to configure Smart Ethernet Protection (SEP). SEP is a ring
network protocol specially used for the Ethernet link layer. It blocks redundant links to
prevent logical loops on a ring network.
13.1 Overview of SEP
13.2 Understanding SEP
13.3 Applications Scenarios for SEP
13.4 Summary of SEP Configuration Tasks
13.5 Licensing Requirements and Limitations for SEP
13.6 Configuring Basic SEP Functions
When there is no faulty link on a ring network running SEP, SEP can eliminate loops on the
Ethernet. When a link fault occurs on the ring network, SEP can immediately restore the
communication between the nodes on the network.
13.7 Specifying an Interface to Block
By default, the blocked interface is one of the two interfaces that complete neighbor
negotiations last. Sometimes, the negotiated blocked interface, however, may not be the
expected one. You can configure a blocked interface to suit your needs.
13.8 Configuring SEP Multi-Instance
13.9 Configuring the Topology Change Notification Function
The topology change notification function is configured on the device that connects a lower-
layer network to an upper-layer network. This function enables the device to notify the peer
device of topology changes in the lower-layer and upper-layer networks. All the devices on
the network where the peer device resides then delete original MAC addresses and ARP
entries and learn new MAC addresses to ensure uninterrupted traffic forwarding.
13.10 Maintaining SEP
13.11 Configuration Examples for SEP

13.1 Overview of SEP
Definition
The Smart Ethernet Protection (SEP) protocol is a ring network protocol specially used for the
Ethernet link layer. A SEP segment consists of interconnected Layer 2 switching devices
configured with the same SEP segment ID and control VLAN ID. A SEP segment is the basic
unit for SEP.
Purpose
causing broadcast storms and rendering the MAC address table unstable. As a result,
communication quality deteriorates, and services may even be interrupted. To solve the loop
problem, Huawei datacom devices support the following ring network protocols:
l STP/RSTP/MSTP
STP, RSTP, and MSTP are standard protocols for breaking loops on Ethernet networks.
They are mature and widely used. Huawei devices running STP, RSTP, or MSTP can
communicate with non-Huawei devices. Networks running these protocols converge
slowly (in seconds), failing to meet transmission requirements of some real-time
services. The convergence time is affected by the network topology.
Huawei developed SEP to overcome the disadvantages of the preceding ring network
protocols. SEP has the following advantages:
l Applies to diverse complex networks and supports all topologies and network topology
query. For example, a network running SEP can connect to a network running STP,
RSTP, or MSTP.
Network topology display helps locate blocked interfaces quickly. When a fault occurs,
SEP can quickly locate the fault, improving network maintainability.
l Allows selectively interface blocking, which effectively implements traffic load
balancing.
l Prevents traffic from being switched back after link recovery, which improves network
stability.
13.2 Understanding SEP
13.2.1 Principles of SEP

SEP is a ring network protocol dedicated to the Ethernet link layer. A SEP segment is the
basic unit for SEP. Only two interfaces on a switching device can be added to the same SEP
segment.
To prevent loops in a SEP segment, a ring protection mechanism is used to selectively block
interfaces to eliminate Ethernet redundant links. When a link on a ring network fails, the
device running SEP immediately unblocks the interface and performs link switching to restore
communication between nodes.

Figure 13-1 shows a typical SEP application. CE1 is connected to Network Provider Edges
(NPEs) through a semi-ring formed by Routers. A VRRP group is deployed on the NPEs.
Initially, NPE1 serves as the master and NPE2 as backup to NPE1. When the link between
NPE1 and Router5 or a node on the link becomes faulty, NPE1 becomes the backup to NPE2,
which then becomes the master. The following situations occur depending on whether SEP is
deployed. The following assumes that the link between Router1 and Router5 becomes faulty.
l If SEP is not deployed on the semi-ring, CE1 traffic is still transmitted along the original
path, but NPE1 does not forward traffic, causing traffic interruption.
l If SEP is deployed on the semi-ring, the blocked interface on Router5 is unblocked,
enters the Forwarding state, and sends link state advertisements (LSAs) to instruct other
nodes on the SEP segment to update their LSA databases. Then CE1 traffic is
transmitted along backup link Router5->Router2->Router4->NPE2, ensuring
uninterrupted traffic transmission.

Figure 13-1 Schematic diagram for SEP

Access Aggregation Core
Router1 Router3 Master Backup
NPE1 IP/MPLS
VRRP+peer BFD Core
NPE2
CE1
Router5
Router2 Router4 Backup Master
a,SEP is not deployed on the semi-ring

Router1 Router3 Master Backup
SEP NPE1 IP/MPLS

Segment VRRP+peer BFD Core
NPE2
CE1
Router5
Router1 Router3
Master Backup
SEP NPE1 IP/MPLS

Segment VRRP+peer BFD Core
NPE2
CE1
Router5
b,SEP is deployed on the semi-ring

Primary Edge Port
Secondary Edge Port
Block Port
In common SEP networking, a physical ring can be configured with only one SEP segment in
which only one interface can be blocked. If an interface in a complete SEP segment is
blocked, all service data is transmitted only along the path where the primary edge interface is
located. The path where the secondary edge interface is located remains idle, wasting
bandwidth.

SEP multi-instance is used to improve bandwidth efficiency and implement traffic load
balancing. SEP multi-instance allows two SEP segments to be configured on a physical ring.
Each SEP segment independently detects the completeness of the physical ring, blocks or
unblocks interfaces without affecting the other.
For details about SEP multi-instance, see 13.2.3 SEP Implementation Mechanisms.
13.2.2 Basic Concepts of SEP
Network Architecture of SEP

As shown in Figure 13-2, Router1 through Router5 constitute a ring and are dual-homed to
an upper-layer a Layer 2 network. Two edge devices Router1 and Router5 are indirectly
connected. This networking is called open-ring networking. This access mode will cause a
loop on the entire network. To eliminate redundant links and ensure link connectivity, a
mechanism used to prevent loops is required.
Figure 13-2 shows the typical networking of an open ring running SEP. The following
describes the basic concepts of SEP.
Figure 13-2 Networking diagram of an open ring running SEP
Network Network
Router5
Router1 Router1 Router5
SEP SEP
Segment Segment
Router4 Router2 Router4

Router2
Router3 Router3
CE CE
No-Neighbor Primary Edge Port
No-Neighbor Secondary Edge Port
Primary Edge Port
Secondary Edge Port
Block Port
l SEP segment
A SEP segment consists of interconnected Layer 2 switching devices configured with the
same SEP segment ID and control VLAN ID. A SEP segment is the basic unit for SEP.

A SEP segment is a ring or linear Ethernet topology. Each SEP segment has a control
VLAN, edge interfaces, and common interfaces.
l Control VLAN
In a SEP segment, the control VLAN is used to transmit only SEP packets.
Each SEP segment must have a control VLAN. After an interface is added to a SEP
segment that has a control VLAN, the interface is automatically added to the control
VLAN.
Different SEP segments can use the same control VLAN.
Different from a control VLAN, a data VLAN is used to transmit data packets.
l Node
Each Layer 2 switching device in a SEP segment is a node. Each node can have at most
two interfaces added to the same SEP segment.
l Interface role
As defined in SEP, there are two interface roles: common interfaces and edge interfaces.
As shown in Table 13-1, edge interfaces are further classified into primary edge
interfaces, secondary edge interfaces, no-neighbor primary edge interfaces, and no-
neighbor secondary edge interfaces.
NOTE
Normally, edge interfaces and no-neighbor edge interfaces belong to different SEP segments.
Table 13-1 Interface roles

Interface Role Sub-role Description
Edge interface Primary edge A SEP segment has only one primary
interface edge interface, which is determined by
the configuration and election.
The primary edge interface initiates
blocked interface preemption, terminates
packets, and sends topology change
notification messages to other networks.
Secondary edge A SEP segment has only one secondary

interface edge interface, which is determined by
the configuration and election.
The secondary edge interface terminates
packets and sends topology change
notification messages to other networks.

Interface Role Sub-role Description
No-neighbor An interface at the edge of a SEP segment

primary edge is a no-neighbor edge interface, which is
interface determined by the configuration and
election.
The no-neighbor primary edge interface
terminates packets and sends topology
change notification messages to other
networks.
No-neighbor primary edge interfaces are
used to interconnect Huawei devices and
non-Huawei devices or interconnect
Huawei devices and devices that do not
support SEP.
No-neighbor A SEP segment has only one no-neighbor

secondary edge secondary edge interface, which is
interface determined by the configuration and
election.
The no-neighbor secondary edge interface
terminates packets and sends topology
change notification messages to other
networks.
No-neighbor secondary edge interfaces
are used to interconnect Huawei devices
and non-Huawei devices or interconnect
Huawei devices and devices that do not
support SEP.
Common - In a SEP segment, all interfaces except

interface edge interfaces are common interfaces.
A common interface monitors the status
of the directly-connected SEP link. When
the link status changes, the interface
sends a topology change notification
message to notify its neighbors. Then the
topology change notification message is
flooded on the link until it finally reaches
the primary edge interface. The primary
edge interface determines how to process
the link change.
l Blocked interface
In a SEP segment, some interfaces are blocked to prevent loops.
Any interface in a SEP segment may be blocked if no interface is specified for blocking.
A complete SEP segment has only one blocked interface.
l Status of a SEP interface
In a SEP segment, a SEP interface has two working states: Forwarding and Discarding,
as shown in Table 13-2.

Table 13-2 Interface status

Interface Description
Status
Forwarding The interface can forward user traffic, receive and send SEP packets.
Discarding The interface can receive and send SEP packets but cannot forward user
traffic.
An interface may be in Forwarding or Discarding state regardless of its role.
SEP Packet
Table 13-3 shows the types of SEP packets.
Table 13-3 Types of SEP packets

Packet Type Packet Subtype Description
Hello packet - After an interface is added to a SEP segment,

neighbor negotiations start. The interface and its
neighbor exchange Hello packets to establish a
neighbor relationship. After neighbor negotiations
succeed, the two interfaces continue to exchange
Hello packets to detect their neighbor status.
LSA LSA request After an interface has SEP enabled, the interface
packet periodically sends LSAs to its neighbor. After the
state machine of the neighbor goes Up, the two
LSA ACK packet interfaces update their LSA databases, that is, all
topology information.
TC packet - When the topology of a SEP segment changes, the

device where the SEP segment and the upper-layer
network are intersected sends a Topology Change
(TC) packet to notify the upper-layer network. Then
all nodes on the upper-layer network need to update
their MAC address tables and ARP tables.
GR packet - When a device is performing an active/standby

switchover, it sends a SEP Graceful Restart (GR)
packet to instruct other nodes to prolong the aging
time of the LSAs received from the device. After the
active/standby switchover is complete, the device
needs to send another GR packet to instruct other
nodes to restore the aging time of the LSAs received
from the device to the previous value.

Packet Type Packet Subtype Description
Primary edge - After an interface has SEP enabled, it considers itself

interface the primary edge interface if it is qualified for
election primary edge interface selection. The interface then
packet periodically sends primary edge interface election
packets without waiting for the success of neighbor
negotiations. A primary edge interface election
packet contains the interface role (primary edge
interface, secondary edge interface, or common
interface), bridge MAC address of the interface,
interface ID, and integrity of the topology database.
Preemption Preemption A preemption packet is used to block a specified

packet request packet interface.
Preemption ACK Preemption packets are sent by the elected primary

packet edge interface or brother interface of a no-neighbor
primary edge interface.
13.2.3 SEP Implementation Mechanisms
Neighbor Negotiation Mechanism

After an interface is added to a SEP segment, neighbor negotiations start. The interface and its
neighbor exchange Hello packets to establish a neighbor relationship. After neighbor
negotiations succeed, the two interfaces continue to exchange Hello packets to detect their
neighbor status.
Neighbor negotiations prevent unidirectional links because neighbor negotiations are

bidirectional. Interfaces at both ends of a link, must send Hello packets to each other, as a
means of status confirmation. If an interface does not receive a Hello packet from an interface
at the other end of a link within a specified period, the interface considers the other to be
Down.
Neighbor negotiations provide information required to obtain the SEP segment topology.
Interfaces establish neighbor relationships through neighbor negotiations, forming a complete
SEP segment. Therefore, the SEP segment topology can be obtained.
Synchronization of SEP LSA Databases and Topology Display

l Synchronization of SEP link state advertisement (LSA) databases
After neighbor negotiations are complete, devices in a SEP segment enter the LSA
database synchronization phase and periodically send LSAs. After a device receives
LSAs from other devices, the device updates its LSA database. This ensures that the
LSA databases of all devices in the SEP segment are consistent.
If a device does not receive LSAs from its peer device or other devices in the SEP
segment within three LSA transmission intervals, the device will age the database that
saves the LSAs of the other devices in the SEP segment.
When a faulty device in a SEP segment recovers, the device needs to obtain topology
information from the other devices in the SEP segment and sends LSA request packets to

the other devices. After receiving LSA request packets from the device, neighboring
interfaces reply with LSA ACK packets that contain the latest link state information.
l SEP segment topology display
The topology display function allows you to view the topology with the highest network
connectivity on any device in a SEP segment. Link state synchronization ensures that all
devices in a SEP segment display the same topology.
Table 13-4 shows the types of SEP segment topologies.
Table 13-4 Types of SEP segment topologies
Topology Type Description Constraint
Ring topology Each interface in a SEP l If the primary edge

segment has a neighboring interface is elected on a
interface in Up state and a ring, the primary edge
brother interface, and each interface is listed first
node has two interfaces in in the topology
the SEP segment. information displayed
on each interface.
l If the primary edge
interface is not elected
but the secondary edge
interface is elected, the
secondary edge
interface is listed first
in the topology
information displayed
on each interface.
Linear topology All topologies except ring For interfaces at both ends
topologies are linear of a link:
topologies. l If one interface
functions as the
primary edge interface,
the primary edge
in the topology
on each interface.
l If the primary edge
interface is not elected
but the secondary edge
interface is elected, the
secondary edge
in the topology
on each interface.

NOTE
The constraints listed in Table 13-4 ensure that each node in a ring or linear topology displays the
same topology information.
Primary Edge Interface Election

Only interfaces that are configured as no-neighbor edge interfaces, primary edge interfaces,
and secondary edge interfaces can participate in primary edge interface election.
NOTE
If only one interface on a node has SEP enabled, you must set the role of the interface to edge so that the
interface can function as an edge interface.
As shown in Figure 13-3, if there is no faulty link on the network and SEP is enabled on the
interfaces, the following situations occur:
l Common interfaces do not participate in primary edge interface election. Only P1 on
Router1 and P1 on Router5 participate in primary edge interface election.
l If P1 on Router1 and P1 on Router5 have the same role, P1 with a higher MAC address
is elected as the primary edge interface.
After the primary edge interface is selected, it periodically sends primary edge interface
election packets without waiting for the success of neighbor negotiations. A primary edge
interface election packet contains the interface role (primary edge interface, secondary edge
interface, or common interface), bridge MAC address of the interface, interface ID, and
integrity of the topology database.
Figure 13-3 Networking diagram of electing the primary edge interface
Network Network
Router1 Router5 Router1 Router5
P1 P1 P1 P1
SEP SEP
Segment Segment
Router2 Router4 Router2 Router4

Failed
Failed
Router3 Router3
Primary Edge Port

Secondary Edge Port
Election packet of
Primary Edge Port

As shown in Figure 13-3, if a link fault occurs in the SEP segment, P1 on Router1 and P1 on
Router5 receive fault notification packets or P1 on LSW5 does not receive primary edge
interface election packets within a specified period. Then P1 on Router1 becomes the
secondary edge interface. Consequently, two secondary edge interfaces exist in the SEP
segment and periodically send primary edge interface election packets.
When all link faults in the SEP segment are rectified, the two secondary edge interfaces can
receive primary edge interface election packets and elect a new primary edge interface within
a configured interval (1s by default).
Specifying an Interface to Block

Normally, a blocked interface is one of the two interfaces that complete neighbor negotiations
last. In some cases, however, the negotiated blocked interface may not be the required one.
You can specify an interface to block according to network requirements. The specified
interface preempts to be the blocked interface only after the preemption mechanism takes
effect.
l Interface blocking mode
You can configure the interface blocking mode to specify a blocked interface. Table 13-5
lists interface blocking modes.
Table 13-5 Interface blocking mode

Interface Blocking Mode Description
Specify the interface with SEP compares interface priorities as follows:

the highest priority as the 1. Compares configured interface priority values. A
blocked interface. larger value indicates a higher priority.
2. Compares bridge MAC addresses of interfaces
with same priority values. A smaller bridge MAC
address indicates a higher priority.
3. Compares interface numbers of interfaces with
identical bridge MAC addresses. A smaller
interface number indicates a higher priority.
Specify the interface in the -

middle of a SEP segment as
the blocked interface.
Specify a blocked interface SEP sets the hop count of the primary edge interface
based on the configured hop to 1 and the hop count of the neighboring interface of
count. the primary interface to 2. Hop counts of other
interfaces increase by steps of 1 in the downstream
direction of the primary edge interface.

Interface Blocking Mode Description
Specify a blocked interface After SEP is configured, the interface to be blocked is

based on the device and determined by the device and interface names. Before
interface names. specifying an interface to block, run the display
command to view the current ring topology and all
interfaces, and then specify the device and interface
names.
If multiple interfaces on the ring have the same device
and interface names, SEP blocks the interface nearest
to the primary edge interface in the topology.
NOTE
If you change the device name or interface name after
specifying the interface to block, the interface cannot
preempt to be the blocked interface.
l Preemption
After the interface blocking mode is specified, whether a specified interface will be
blocked is determined by the preemption mode. Table 13-6 lists the preemption modes.
Table 13-6 Preemption mode

Preemption Mode Description
Non-preemption mode When all link faults are rectified or the last two
interfaces enabled with SEP complete neighbor
negotiations, interfaces send blocking status packets to
each other. The interface with the highest priority is
then blocked, and the other interfaces enter the
Forwarding state.

Preemption Mode Description
Preemption Mode Preemption is classified into delayed preemption and

NOTE manual preemption.
Preemption can only be l Delayed preemption
implemented on the device
where the primary edge After all the faulty interfaces recover, the edge
interface or no-neighbor interfaces no longer receive fault notification
primary edge interface resides. packets. If the primary edge interface does not
receive fault advertisement packets within 3
seconds, it starts the delay timer. After the delay
timer expires, nodes in the SEP segment start
blocked interface preemption.
l Manual preemption
When the link status databases of the primary edge
interface and secondary edge interface are
complete, the primary edge interface or brother
interface of the no-neighbor primary edge interface
sends preemption packets to block a specified
interface. The specified interface then sends
blocking status packets to request the previously
blocked interface to transition to the Forwarding
state.
NOTE
Only two interfaces on a device can be added to the same
SEP segment. If one interface is the no-neighbor primary
edge interface, the other interface is the brother interface
of the no-neighbor primary edge interface.
Whether the brother interface of the no-neighbor primary
edge interface needs to send preemption packets depends
on whether the brother interface is blocked.
l If the brother interface is blocked, it does not need to
send preemption packets.
l If the brother interface is unblocked, it needs to send
preemption packets.
SEP Topology Change Notification

SEP considers that the topology of a SEP-enabled network changes in either of the following
situations described in Table 13-7.

Table 13-7 SEP topology change notification

SEP Topology Change Description
Notification
An interface fault occurs. Figure 13-4 shows an interface fault in a SEP segment.
An interface fault can be a link fault or neighboring
interface fault.
If a device having an interface in Forwarding state in the
SEP segment receives a fault advertisement packet, the
device needs to send a Flush-Forwarding Database
(Flush-FDB) packet through the interface to notify other
nodes in the SEP segment that there is a change in
topology.
The fault is rectified and the After faults occur in the SEP segment and the last faulty
preemption function takes interface recovers, the blocked interface is preempted
effect. and the topology is considered changed.
Preemption is triggered by the primary edge interface.
When an interface in a SEP segment receives a
preemption packet from the primary edge interface, the
interface needs to send Flush-FDB packets to notify
other nodes in the SEP segment that there is a change in
topology.

Figure 13-4 Networking diagram for SEP topology change notification
Network
Router
8
SEP SEP
Router1 Segment1 Segment3 Router13
Router9 Router10
Router2 SEP Router11 SEP Router12

Segment2 Segment4
Failed
Router3 Router4 Router5 Router6 Router7
Block Port
Primary Edge Port
Forwarding Database
Topology Change
NOTE
The topology change notification function is configured on devices that connect an upper-layer network
and a lower-layer network. If the topology of one network changes, devices affected inform the other
network of the change.
Table 13-8 lists the scenarios in which topology changes are reported.

Table 13-8 SEP topology change notification

SEP Scenario Description Solution
Topology
Change
Notification
Topology A SEP network is l If the blocked interface Configure the SEP

change connected to an on a lower-layer SEP topology change
notification upper-layer network network is manually notification
from a lower- running other changed, the topology of function.
layer network features such as the SEP segment
to an upper- SEP and STP. changes. Because the
layer network upper-layer network is
unable to detect the
change in topology,
traffic is interrupted.
l If an interface on a
lower-layer SEP network
becomes faulty, the
topology of the SEP
segment changes but the
upper-layer network is
unable to detect the
change. As a result,
traffic is interrupted.
Suppression of SEP TC Notification Packets

Topology changes of a SEP segment are advertised to other SEP segments or upper-layer
networks. A large number of topology change (TC) notification packets are generated in the
following cases:
l A link becomes disconnected transiently.
l A SEP segment is attacked by invalid TC notification packets.
l There are multiple SEP ring networks.
Figure 13-5 shows a networking scenario with three SEP ring networks. If the topology
of SEP segment 3 changes, the number of TC notification packets doubles and SEP
segment 2 is flooded with these packets. Each time TC notification packets pass through
a SEP segment, the number of TC notification packets doubles.

Figure 13-5 Networking diagram for multiple SEP ring networks
Router9 Router10
SEP
Segment 1
Router7 Router8
SEP
Segment2
Router4 Router6
Router5
SEP
Segment3
Router1 Router3
Router2
Primary Edge Port

Secondary Edge Port
Block Port
Sending a large number of TC notification packets reduces the CPU capability to quickly
process other types of packets. In addition, devices in SEP segments frequently update MAC
address entries, heavily consuming bandwidth resources. To solve such problems, the
following measures can be taken to suppress TC notification packets:
l Configure a device to process only one of the TC notification packets carrying the same
source address.
l Configure a device to process a specified number of TC notification packets within a
specified period. By default, three TC notification packets with different source
addresses are processed in 2s.
l Avoid the networking scenario having more than three SEP ring networks.
SEP Multi-Instance
In common SEP networking shown in Figure 13-6, a physical ring network can be configured
with only one SEP segment in which only one interface can be blocked.
If an interface in a complete SEP segment is blocked, all service data is transmitted only along
the path where the primary edge interface is located. The path where the secondary edge
interface is located remains idle, wasting bandwidth.

Figure 13-6 Networking diagram for SEP
Router2 Router4
SEP
Segment1
Router1 Router3
VLAN 100~200 VLAN 201~400
CE1 CE2
Primary Edge Port
Secondary Edge Port
Block Port
SEP multi-instance allows two SEP segments to be configured on a physical ring. Each SEP
segment independently detects the completeness of the physical ring, blocks or unblocks
interfaces without affecting the other.
A physical ring may contain one or two SEP segments. Each SEP segment needs to be
configured with a protected instance, each protected instance indicating a VLAN range. The
topology calculated by a SEP segment is only valid for that SEP segment.
After different protected instances are configured for SEP segments and the mapping between
protected instances and VLANs is set, a blocked interface is only valid for the VLANs
protected by the SEP segment where the blocked interface resides. Data traffic for different
VLANs can be transmitted along different paths. This implements traffic load balancing and
link backup.

Figure 13-7 Networking diagram for SEP multi-instance
Router2 Router4
SEP
Segment2
P2 SEP Segment1 P1
Router1 Router3
Instance1: Instance2:
VLAN 100~200 VLAN 201~400
CE1 CE2
Primary Edge Port
Secondary Edge Port
Block Port
As shown in Figure 13-7, the SEP multi-instance ring network that consists of Router1 to
Router4 has two SEP segments. P1 is the blocked interface in SEP segment 1, and P2 is the
blocked interface in SEP segment 2.
l Protected instance 1 is configured in SEP segment 1 to protect the data from VLAN 100
to VLAN 200. The data is transmitted along path Router1->Router2. As the blocked
interface in SEP segment 2, P2 blocks only the data from VLAN 201 to VLAN 400.
l Protected instance 2 is configured in SEP segment 2 to protect the data from VLAN 201
to VLAN 400. The data is transmitted along path Router3->Router4. As the blocked
interface in SEP segment 1, P1 blocks only the data from VLAN 100 to VLAN 200.
When a node fault or link fault occurs, each SEP segment calculates its own topology
independently, and the nodes in each SEP segment update their own LSA databases.
As shown in Figure 13-8, a fault occurs on the link between LSW3 and LSW4. The link fault
does not affect the transmission path for the data from VLAN 100 to VLAN 200 in SEP
segment 1, but blocks the transmission path for the data from VLAN 201 to VLAN 400 in
SEP segment 2.

Figure 13-8 Networking diagram for a link fault on a SEP multi-instance network
LSW2 LSW4
SEP
Segment2
P2 SEP Segment1 P1
Router1 Router3
VLAN 100~200 VLAN 201~400
CE1 CE2
Primary Edge Port
Secondary Edge Port
Block Port
After the link between Router3 and Router4 becomes faulty, Router3 starts to send LSAs to
instruct the other devices in SEP segment 2 to update their LSA databases, and the blocked
interface enters the Forwarding state. After the topology of SEP segment 2 is recalculated, the
data from VLAN 201 to VLAN 400 is transmitted along path Router3->Router1->Router2.
After the link between Router3 and Router4 recovers, the devices in SEP segment 2 perform
delayed preemption. After the preemption delay expires, P1 becomes the blocked interface
again, and sends LSAs to instruct the other devices in SEP segment 2 to update their LSA
databases. After the topology of SEP segment 2 is recalculated, the data from VLAN 201 to
VLAN 400 is transmitted along path Router3->Router4.
13.3 Applications Scenarios for SEP
13.3.1 Open-Ring Networking

As shown in Figure 13-9, Router1 to Router5 form an open ring to access a Layer 2 network.
The two edge devices on the Layer 2 network, that is, Router1 and Router5, are not directly
connected. This networking is called open-ring networking. The open-ring networking is at
the access layer and is used to transparently transmit Layer 2 unicast and multicast services.
When SEP runs at the access layer, redundancy protection switching can be implemented at
the access layer and topology of the SEP segment can be displayed.
On an open-ring network, edge interfaces are located on the two edge devices in the SEP
segment.

Figure 13-9 Networking diagram of an open ring running SEP
Network
Router1 Router5
SEP
Segment
Router2 Router4
Router3
CE
Primary Edge Port

Secondary Edge Port
Block Port
13.3.2 Closed-Ring Networking

As shown in Figure 13-10, Router1 to Router5 form a dual-homed link to access a Layer 2
network. Router1 and Router5at the edge of the Layer 2 network are directly connected. This
networking is called closed-ring networking. The networking is at the aggregation layer and is
used to aggregate Layer 2 unicast and multicast services. When SEP runs at the aggregation
layer, redundancy protection switching can be implemented at the aggregation layer and the
topology of the SEP segment can be displayed.
On a closed-ring network, two edge interfaces are located on the same edge device.

Figure 13-10 Networking diagram of a closed ring running SEP
Router1 Router5
SEP
Segment
Router2 Router4
Router3
CE1 CE2 CE3
Primary Edge Port

Secondary Edge Port
Block Port
13.3.3 Multi-Ring Networking

As shown in Figure 13-11, the networking composed of Router1 to Router14 is called multi-
ring networking. Router1 to Router5 are at the aggregation layer, and Router6 to Router14 are
at the access layer. Layer 2 services are transparently transmitted at the access layer and the
aggregation layer. When SEP runs at the access layer and the aggregation layer, redundancy
protection switching can be implemented at the access layer and the aggregation layer and the
topology of the SEP segment can be displayed.
If the topology of the access layer changes, a node in the SEP segment sends a Flush-FDB
packet to instruct other nodes in the SEP segment to update their MAC address forwarding
tables and ARP tables. Edge devices in the SEP segment send TC packets to notify the upper-
layer network that the topology of the SEP segment changes.
In multi-ring networking, the topology change notification function needs to be configured
among ring networks.

Figure 13-11 Networking diagram of multiple rings running SEP
Router1 Router5
SEP
Segment 1
Router2 Router4
Router3
Se
SE en
gm
P t3
t2
gm EP
SEP
en
Se S
Router9
Router6 Segment 4
Router12
SEP
Segment 5
Router8 Router14
Router13
Router7
Router10 Router11
Block Port
13.3.4 Hybrid SEP+MSTP Ring Networking

As shown in Figure 13-12, Router1 to Router3 form a SEP segment to access the MSTP ring.
The networking is called hybrid SEP+MSTP ring networking. Router1 to Router3 are at the
access layer and transparently transmit Layer 2 unicast and multicast services. When SEP
runs at the access layer, redundancy protection switching can be implemented at the access
layer.
If the topology of the access layer changes, a node in the SEP segment sends a Flush-FDB
packet to instruct other nodes in the SEP segment to update their MAC address forwarding
tables and ARP tables. Router1 and Router2 at the edge of the SEP segment send a TC packet
to notify the aggregation layer of the topology change in the SEP segment.
In hybrid-ring networking, no-neighbor edge interfaces need to be deployed on the edge
devices of SEP networks, and the SEP networks need to report topology changes to MSTP
networks.

Figure 13-12 Networking diagram of hybrid rings running SEP+MSTP
PE3 PE4
MSTP
PE1 PE2
Do not Support SEP
SEP
Segment
Router1 Router2
Router3
No-neighbor Primary Edge Port
No-neighbor Secondary Edge Port
Block Port
13.3.5 SEP Multi-Instance

As shown in Figure 13-13, SEP multi-instance allows two SEP segments to be configured on
a physical ring. Each SEP segment independently detects the completeness of the physical
ring, blocks or unblocks interfaces without affecting the other.
A physical ring may contain one or two SEP segments. Each SEP segment needs to be
configured with a protected instance, each protected instance indicating a VLAN range. The
topology calculated by a SEP segment is only valid for that SEP segment.
After different protected instances are configured for SEP segments and the mapping between
protected instances and VLANs is set, a blocked interface is only valid for the VLANs
protected by the SEP segment where the blocked interface resides. Data traffic for different
VLANs can be transmitted along different paths. This implements traffic load balancing and
link backup.

Router2 Router4
SEP
Segment2
P2 SEP Segment1 P1
Router1 Router3
VLAN 100~200 VLAN 201~400
CE1 CE2
Primary Edge Port
Secondary Edge Port
Block Port
13.4 Summary of SEP Configuration Tasks

Table 13-9 lists the configuration task summary of SEP.
Table 13-9 SEP configuration tasks

Configuring Basic SEP After basic SEP functions 13.6 Configuring Basic
Functions are configured on devices, SEP Functions
the devices start SEP
negotiation. One of the two
interfaces that complete
neighbor negotiations last is
blocked to eliminate
redundant links.
NOTE
When logging in to nodes on a
SEP semi-ring through Telnet
to configure the nodes, note
the following points:
l Basic SEP functions need
to be configured from the
node at one end of the
semi-ring to the node at
the other end of the semi-
ring.

Specifying an Interface to In some cases, however, the 13.7 Specifying an

Block negotiated blocked interface Interface to Block
may not be the required one.
You can specify an interface
to block according to
network requirements.
Configuring SEP Multi- To implement load 13.8 Configuring SEP

Instance balancing and make efficient Multi-Instance
use of bandwidth, protected
instances need to be
deployed on a SEP network
and mapped to VLANs.
Configuring the Topology A SEP network usually 13.9 Configuring the

Change Notification needs to work together with Topology Change
Function another network running Notification Function
other features. To ensure
network reliability, if the
topology of one network
changes, the other network
must be able to detect the
topology change and take
measures to ensure reliable
data transmission.
Therefore, the topology
change notification function
needs to be enabled on the
SEP network.
13.5 Licensing Requirements and Limitations for SEP

None
SEP is a basic feature of a router and is not under license control.
Feature Limitations
When deploying SEP on the router, pay attention to the following:
The AR100-S, AR110-S, AR120-S, AR160-S series, and AR151-S2 do not support SEP.

13.6 Configuring Basic SEP Functions

When there is no faulty link on a ring network running SEP, SEP can eliminate loops on the
Ethernet. When a link fault occurs on the ring network, SEP can immediately restore the
communication between the nodes on the network.
Before configuring basic SEP functions, complete the following tasks:
l Establishing the ring networking

l Ensuring that the devices are powered on correctly and operate properly
13.6.1 Configuring a SEP Segment
Context
A SEP segment is the basic unit for SEP. A SEP segment consists of interconnected Layer 2
switching devices configured with the same SEP segment ID and control VLAN ID.
Procedure
Step 2 Run sep segment segment-id
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 (Optional) Run description text
A description is configured for the SEP segment.
By default, no description is configured for an SEP segment.
----End
13.6.2 Configuring a Control VLAN
Context
In a SEP segment, a control VLAN is used to transmit SEP packets but not service packets,
enhancing SEP security. Each SEP segment must be configured with a control VLAN. After
being added to a SEP segment configured with a control VLAN, an interface is added to the
control VLAN automatically.
NOTE
On a SEP network that has no-neighbor edge interfaces, a device that is not in a SEP segment cannot be
added to the control VLAN of the SEP segment. Otherwise, a loop will occur on the network.

Procedure
Step 3 Run control-vlan vlan-id
A control VLAN is configured for the SEP segment to transmit SEP packets.
The control VLAN must be not created, and is not used by VLAN mapping and VLAN
stacking. Additionally, no interface is added to the control VLAN in trunk, access, hybrid, or
qinq mode.
l Different SEP segments can use the same control VLAN.

l If an interface has been added to the SEP segment, the control VLAN of the SEP
segment cannot be deleted directly. To delete the control VLAN, run the undo sep
segment segment-id command in the interface view to delete the interface from the SEP
segment, and then run the undo control-vlan command in the SEP segment view to
delete the control VLAN.
l If no interface is added to the SEP segment, you can run the control-vlan vlan-id
command multiple times. Only the latest configuration takes effect.
l After the control VLAN is created successfully, the command used to create a common
VLAN will be displayed in the configuration file.
Each SEP segment must be configured with a control VLAN. After an interface is added
to a SEP segment configured with a control VLAN, the interface is automatically added
to the control VLAN.
– If the interface type is trunk, in the configuration file, the port trunk allow-pass
vlan command is displayed in the view of the interface added to the SEP segment.
– If the interface type is hybrid, in the configuration file, the port hybrid tagged vlan
command is displayed in the view of the interface added to the SEP segment.
----End
13.6.3 Creating a Protected Instance
Context
Interfaces can be added to a SEP segment only after the SEP segment is configured with
protected instances.
Procedure

Step 3 Run protected-instance { all | { instance-id1 [ to instance-id2 ] } &<1-10> }
A protected instance is created in a SEP segment.
By default, no protected instance is configured in a SEP segment.
----End
13.6.4 Adding a Layer 2 Interface to a SEP Segment and

Configuring a Role for the Interface
Context
To ensure that SEP packets are forwarded correctly in a SEP segment, add Layer 2 interfaces
to the SEP segment and configure different roles for the interfaces.
After an interface is added to a SEP segment, the interface sets its interface role to the primary
edge interface if the interface has the right to participate in primary edge interface election.
Then, the interface periodically sends a primary edge interface election packet without
waiting for the success of neighbor negotiations.
A primary edge interface election packet contains the interface role (primary edge interface,
secondary edge interface, or common interface), bridge MAC address of the interface,
interface ID, and integrity of the topology database.
Table 13-10 lists interface roles.
Table 13-10 Interface roles
Interface Sub-role Description Deployment Scenario

Role
Common - In a SEP segment, all -

interface interfaces except edge
interfaces and blocked
interfaces are common
interfaces.
A common interface
monitors the status of the
directly-connected SEP link.
When the link status
changes, the interface sends
a topology change
notification message to
notify its neighbors. Then
the topology change
notification message is
flooded on the link until it
finally reaches the primary
edge interface. The primary
edge interface determines
how to process the link
change.


Role
Edge interface Primary A SEP segment has only one Open-ring networking
edge primary edge interface, Closed-ring networking
interface which is determined by the
configuration and election. Multi-ring networking
The primary edge interface

initiates blocked interface
preemption, terminates
packets, and sends topology
change notification
messages to other networks.
Secondary A SEP segment has only one

edge secondary edge interface,
interface which is determined by the
configuration and election.
The secondary edge
interface terminates packets
and sends topology change
notification messages to
other networks.
No- An interface at the edge of a Hybrid SEP+MSTP ring

neighbor SEP segment is a no- networking
primary neighbor edge interface,
edge which is determined by the
interface configuration and election.
The no-neighbor primary
edge interface terminates
packets and sends topology
change notification
messages to other networks.
No-neighbor primary edge
interfaces are used to
interconnect Huawei devices
and non-Huawei devices or
and devices that do not
support SEP.


Role
No- The no-neighbor secondary

neighbor edge interface terminates
secondary packets and sends topology
edge change notification
interface messages to other networks.
No-neighbor secondary edge
interfaces are used to
and non-Huawei devices or
and devices that do not
support SEP.
NOTE
l Normally, edge interfaces and no-neighbor edge interfaces belong to different SEP segments.
l Before adding a Layer 2 interface to a SEP segment, ensure that STP has been disabled on the
interface (except that the interface is a no-neighbor edge interface).
Procedure
The view of an Ethernet interface added to the SEP segment is displayed.
Step 3 (Optional) Run stp disable
STP is disabled on the interface.
Step 4 Run sep segment segment-id [ edge [ no-neighbor ] { primary | secondary } ]
The Ethernet interface is added to a specified SEP segment and a role is configured for the
interface.
----End
13.6.5 Verifying the Basic SEP Configuration
Procedure
l Run the display sep segment { segment-id | all } command to check the configurations
of SEP segments.
l Run the display sep interface [ interface-type interface-number | segment segment-id ]
[ verbose ] command to check information about interfaces that are added to a specified
SEP segment.

l Run the display sep topology [ segment segment-id ] [ verbose ] command to check the
topology status of a specified SEP segment.
----End
13.7 Specifying an Interface to Block

By default, the blocked interface is one of the two interfaces that complete neighbor
negotiations last. Sometimes, the negotiated blocked interface, however, may not be the
expected one. You can configure a blocked interface to suit your needs.
13.7.1 Setting an Interface Blocking Mode

Context
In a SEP segment, some interfaces are blocked to prevent loops.
You can configure the interface blocking mode to specify a blocked interface. Table 13-11
lists interface blocking modes.
Table 13-11 Interface blocking mode

Interface Blocking Description
Mode
Specify the interface This mode applies to a large-scale network.

with the highest priority After fault recovery, the interface with the highest priority in a
as the blocked interface. SEP segment becomes the blocked interface. In this mode, the
priorities of the interfaces in the SEP segment need to be set in
advanced.
Specify the interface in This mode applies to a network where traffic is symmetrically
the middle of a SEP distributed.
segment as the blocked After fault recovery, the interface in the middle of a SEP
interface. segment becomes the blocked interface.
Specify a blocked This mode applies to a small-scale network.

interface based on the After fault recovery, a specified interface is blocked based on
configured hop count. the hop count. A network planner needs to be familiar with the
topology of the entire SEP segment and the number of hops
from the blocked interface to the primary edge interface.
Specify a blocked This mode applies to a small-scale network.

interface based on the After fault recovery, a specified interface is blocked based on
device and interface the device and interface names. A network planner needs to be
names. familiar with the names of devices and interfaces in the entire
SEP segment and ensures that each device name is unique.
Perform the following operations on the device where the primary edge interface or no-
neighbor primary edge interface is located:

Procedure
Step 3 Run block port { optimal | middle | hop hop-id | sysname sysname interface { interface-
type interface-number | interface-name } }
An interface blocking mode is set.
By default, one of the interfaces at two ends of the link that is set up last or recovers from a
fault last is blocked.
----End
Follow-up Procedure
If the interface with the highest priority is specified to block, run the sep segment segment-id
priority priority command in the view of the interface to be blocked to increase its priority.
When a fault is rectified, the specified interface is blocked.
The default priority of an interface added to a SEP segment is 64. The priority value of an
interface is an integer that ranges from 1 to 128. A larger priority value indicates a higher
priority.
13.7.2 Configuring the Preemption Mode

Context
After the interface blocking mode is specified, whether a specified interface will be blocked is
determined by the preemption mode. Table 13-12 lists the preemption modes.
Table 13-12 Preemption mode

Preemption Advantage Disadvantage
Mode
Non-preemption SEP is in non- The blocked interface is one of the two

mode preemption mode by interfaces that complete neighbor
default. negotiations last.
In this mode, blocking
an interface does not
disconnect any link in a
SEP segment.

Preemption Advantage Disadvantage

Mode
Preempt Delayed Each time a fault is l The delayed preemption mode needs
ion preempt rectified, the system to be specified in advance. There is no
mode ion automatically completes default delay in preemption, and the
preemption and ensures delay time needs to be configured
that the specified using a command.
interface is blocked. l After delayed preemption is
configured successfully, a fault needs
to be simulated to ensure that the
specified interface is blocked.
Manual Whether the specified l The manual preemption mode needs to

preempt interface will be blocked be specified in advance.
ion can be controlled l After a network fault is rectified and
manually. the preemption action is taken, manual
preemption no longer takes effect.
Manual preemption needs to be
configured again to ensure that the
blocked point can be moved to the
specified point after the next fault is
rectified. This increases the
maintenance workload.
The following conditions must be met to trigger preemption:
l The SEP segment topology is complete.

l The primary edge interface or no-neighbor primary edge interface has been elected in the
SEP segment.
l The function of flexibly specifying a blocked interface is enabled on the device where
the primary edge interface or no-neighbor primary edge interface resides.
Perform the following operations on the Layer 2 switching device where the primary edge
interface or no-neighbor primary edge interface resides.
Procedure
Step 3 Run preempt { manual | delay seconds }
The preemption mode is configured on the primary edge interface.

By default, no preemption mode is configured on the primary edge interface, that is, the non-
preemption mode is used.
----End
13.7.3 Verifying the Configuration of Specifying an Interface to

Block
Procedure
l Run the display sep topology [ segment segment-id ] [ verbose ] command to check the
topology status of a specified SEP segment.
----End
13.8 Configuring SEP Multi-Instance

Application Scenarios
bandwidth.

IP/MPLS Core
Core
group 1:Master group 2:Master
group 2:Backup group 1:Backup
NPE1 NPE2
VRRP+peer BFD
Aggregation
Router2 Router4
SEP
Segment2
P2 SEP Segment1 P1
Router1 Router3 Instance2:

Instance1:
Access
VLAN 100~200 VLAN 201~400
CE1 CE2
Primary Edge Port
Secondary Edge Port
Block Port
SEP multi-instance is used to improve bandwidth efficiency and implement traffic load
balancing and link backup. As shown in Figure 13-14, multiple instances are deployed in the
SEP segment, and protected instances are mapped to different VLANs. Data traffic for
different VLANs can then be transmitted along different paths.
NOTE
Currently, SEP multi-instance allows two SEP segments to be configured on a physical ring. Different
blocked interfaces and priorities need to be configured for the two SEP segments.
Before configuring SEP multi-instance, complete the following tasks:
l Configuring basic SEP functions
l Specifying an interface to block

Procedure
Step 2 Run stp region-configuration
The MST region view is displayed.
Step 3 Run instance instance-id vlan { vlan-id [ to vlan-id ] } &<1-10>
Mappings between protected instances and VLANs are configured.
The value of instance-id specified in this command must be the same as that of instance-id
specified in the protected-instance command.
Before you switch a VLAN from one SEP segment to another segment, shut down the
blocked port. If you do not shut down the blocked port, a routing loop may occur after the
VLAN switchover.
Step 4 Run active region-configuration
Mappings between protected instances and VLANs are activated.
After mappings between protected instances and VLANs take effect, topology changes of a
SEP segment affect only corresponding VLANs. This ensures reliable service data
transmission.
----End
13.9 Configuring the Topology Change Notification

Function
The topology change notification function is configured on the device that connects a lower-
layer network to an upper-layer network. This function enables the device to notify the peer
device of topology changes in the lower-layer and upper-layer networks. All the devices on
the network where the peer device resides then delete original MAC addresses and ARP
entries and learn new MAC addresses to ensure uninterrupted traffic forwarding.
13.9.1 Reporting Topology Changes in a Lower-Layer Network -

SEP Topology Change Notification
Context
SEP runs on devices at the access layer. The topology change notification function enables
devices to detect topology changes on the upper and lower-layer networks.
If the upper-layer network fails to be notified of the topology change in a SEP segment, the
MAC address entries remain unchanged on the upper layer network and user traffic may be
interrupted. To ensure uninterrupted traffic forwarding, configure devices on the lower-layer
network to report topology changes to the upper-layer network and specify the devices on the
upper-layer network that will be notified of topology changes.

NOTE
Currently, topology changes in a SEP segment can be reported to other SEP segments, STP networks.
After receiving a topology change notification from a lower-layer network, a device on the
upper-layer network sends TC packets to instruct other devices on the upper-layer network to
clear original MAC addresses and learn new MAC addresses after the topology of the lower-
layer network changes. This ensures uninterrupted traffic forwarding.
Procedure
Step 3 Run tc-notify { segment { segment-id1 [ to segment-id2 ] } &<1-10> | stp }
The topology change of the specified SEP segment is reported to another SEP segment or a
network running other ring protocols such as STP or RRPP.
By default, the topology change of a SEP segment is not reported.
----End
Follow-up Procedure
In the networking scenario where three or more SEP ring networks exist, when a topology
change notification is sent through multiple links, the upper-layer network will receive it
multiple times. This reduces packet processing efficiency on the upper-layer network.
Therefore, topology change notifications need to be suppressed. Suppressing topology change
notifications frees the upper-layer network from processing multiple duplicate packets and
protects the devices in the SEP segment against topology change notification attacks.
Run the tc-protection interval interval-value command in the SEP segment view to set the
interval for suppressing topology change notifications.
By default, the interval for suppressing topology change notifications is 2s, and three
topology change notifications with different source addresses are processed within 2s.
NOTE
l In the networking scenario where three or more SEP ring networks exist, the tc-protection interval
interval-value command must be run. If this command is not run, the default interval for suppressing
topology change notifications is used.
l A longer interval ensures stable SEP operation but reduces convergence performance.
13.9.2 Verifying the Configuration of the Topology Change

Notification Function
Procedure
l Run the display sep interface verbose command to check information about the
interfaces added to a SEP segment.
----End

13.10 Maintaining SEP
13.10.1 Clearing SEP Statistics

You can run the reset command to clear existing SEP statistics before re-collecting SEP
statistics.
Context
SEP statistics cannot be restored after being cleared. Therefore, exercise caution when you
run reset commands.
Procedure
Step 1 Run the reset sep interface interface-type interface-number statistics command in the user
view to clear SEP packet statistics on a specified interface in a SEP segment.
----End
13.11 Configuration Examples for SEP
13.11.1 Example for Configuring SEP on a Closed Ring Network
Generally, redundant links are used to connect an Ethernet switching network to an upper-
layer network to provide link backup and enhance network reliability. The use of redundant
links, however, may produce loops, causing broadcast storms and rendering the MAC address
table unstable. As a result, communication quality deteriorates, and services may even be
interrupted. SEP can be deployed on the ring network to eliminate loops and restore
communication if a link fault occurs.
In the closed ring networking, CE1 is dual-homed to a Layer 2 network through multiple
Layer 2 switching devices. The two edge devices connected to the upper-layer Layer 2
network are directly connected to each other. The closed ring network is deployed at the
aggregation layer to transparently transmit Layer 2 unicast and multicast packets. SEP runs at
the aggregation layer to implement link redundancy.
As shown in Figure 13-15, Layer 2 switching devices Router1 to Router5 form a ring
network.
SEP runs at the aggregation layer.
l When there is no faulty link on a ring network, SEP can eliminate loops on the network.

l When a link fails on the ring network, SEP can rapidly restore communication between
nodes on the network.
Figure 13-15 Networking diagram of a closed ring SEP network
GE7/0/2 GE7/0/3 GE7/0/2

Router1 GE7/0/3 Router5
GE7/0/1 GE7/0/1
Aggregation
SEP
Segment1
GE7/0/1 GE7/0/1
Router2 Router4
Router3
GE7/0/2 GE7/0/2
GE7/0/1 GE7/0/2
GE7/0/3
GE7/0/1
Access
Primary Edge Port

CE1
Secondary Edge Port
VLAN 100 Block Port
1. Configure basic SEP functions.

a. Configure SEP segment 1 on Router1 to Router5 and configure VLAN 10 as the
control VLAN of SEP segment 1.
b. Add all devices on the ring to SEP segment 1, and configure the roles of GE7/0/1
and GE7/0/3 of Router1 in SEP segment 1.
c. On the device where the primary edge interface is located, specify the interface with
the highest priority to block.
d. Set priorities of the interfaces in the SEP segment.
Set the highest priority for GE7/0/2 of Router3 and retain the default priority of the
other interfaces so that GE7/0/2 of Router3 will be blocked.
e. Configure delayed preemption on the device where the primary edge interface is
located.
2. Configure the Layer 2 forwarding function on CE1 and Router1 to Router5.
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 on Router1 to Router5 and configure VLAN 10 as the control
VLAN of SEP segment 1.

# Configure Router1.
[Huawei] sysname Router1
[Router1] sep segment 1
[Router1-sep-segment1] control-vlan 10
[Router1-sep-segment1] protected-instance all
[Router1-sep-segment1] quit
NOTE
– The control VLAN must be a VLAN that has not been created or used, but the configuration
file automatically displays the command for creating the VLAN.
– Each SEP segment must be configured with a control VLAN. After an interface is added to the
SEP segment configured with a control VLAN, the interface is automatically added to the
control VLAN.
2. Add all devices on the ring to SEP segment 1 and configure interface roles on the
devices.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment,
disable STP on the interface.
# On Router1, configure GE7/0/1 as the primary edge interface and GE7/0/3 as the
secondary edge interface.
[Router1] interface gigabitethernet 7/0/1
[Router1-GigabitEthernet7/0/1] stp disable
[Router1-GigabitEthernet7/0/1] sep segment 1 edge primary
[Router1-GigabitEthernet7/0/1] quit
[Router1-GigabitEthernet7/0/3] sep segment 1 edge secondary

[Router2-GigabitEthernet7/0/1] sep segment 1

3. Specify an interface to block.

# On Router1 where the primary edge interface is located, specify the interface with the
highest priority to block.
[Router1-sep-segment1] block port optimal
4. Set the priority of GE7/0/2 on Router3.

[Router3-GigabitEthernet7/0/2] sep segment 1 priority 128
5. Configure the preemption mode.

# Configure delayed preemption on Router1.
[Router1-sep-segment1] preempt delay 30
NOTE
– You must set the preemption delay when delayed preemption is used because there is no
default delay time.
– When the last faulty interface recovers, edge interfaces do not receive any fault notification
packet. If the primary edge interface does not receive any fault notification packet, it starts the
delay timer. When the delay timer expires, nodes in the SEP segment start blocked interface
preemption.
To implement delayed preemption in this example, simulate a port fault and then rectify the
fault. For example:
Run the shutdown command on GE7/0/1 of Router2 to simulate an interface fault, and then
run the undo shutdown command on GE7/0/2 to rectify the fault.

Step 2 Configure the Layer 2 forwarding function on CE1 and Router1 to Router5.
For details about the configuration, see the configuration files.
# Run the shutdown command on GE7/0/1 of Router3 to simulate an interface fault, and then
run the display sep interface command on Router3 to check whether GE7/0/2 of Router3 has
switched from the Discarding state to the Forwarding state.
<Router3> display sep interface gigabitethernet 7/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE7/0/2 common up forwarding
----End
Configuration Files
l Configuration file of Router1
#
sysname Router1
#
vlan batch 10 100 200
#
sep segment 1
control-vlan 10
block port optimal
preempt delay 30
protected-instance 0 to 4094
#
port hybrid tagged vlan 10 100
stp disable
sep segment 1 edge primary
#
#
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1 edge secondary
#
return

#
sysname Router2
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#

stp disable
sep segment 1
#
return
#
sysname Router3
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
sep segment 1 priority 128
#
#
return
#
sysname Router4
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
return
#
sysname Router5
#
vlan batch 10 100 200
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#


#
stp disable
sep segment 1
#
return

#
sysname CE1
#
vlan batch 100
#
#
return
13.11.2 Example for Configuring SEP on a Multi-Ring Network

In multi-ring networking, multiple rings consisting of Layer 2 switching devices are deployed
at the access layer and aggregation layer. SEP runs at the access layer and aggregation layer to
implement link redundancy.
As shown in Figure 13-16, multiple Layer 2 switching devices form ring networks at the
access layer and aggregation layer.
SEP runs at the access layer and aggregation layer. When there is no faulty link on a ring
network, SEP can eliminate loops on the network. When a link fails on the ring network, SEP
can rapidly restore communication between nodes on the network.

Figure 13-16 Networking diagram of a multi-ring SEP network
Router1 GE7/0/3 GE7/0/3 Router5

GE7/0/1 GE7/0/1
Aggregation SEP
GE7/0/1 Segment 1 GE7/0/3
Router4
Router2 GE7/0/1
GE7/0/2
G
GE7/0/2 Router3
E7
/0
/3
GE7/0/4
GE7/0/1 GE7/0/2 GE7/0/1 GE7/0/2
t2
gm EP
Router11
Se
en
SE en
Router6
S
GE7/0/2
gm
P t
Router8
Se
GE7/0/2 GE7/0/1
3
GE7/0/1 GE7/0/1 GE7/0/2
GE7/0/1 GE7/0/2 Router9 GE7/0/1
Router7 GE7/0/3 Router10 GE7/0/3
Access
GE7/0/1 GE7/0/1
CE2
CE1
VLAN 200 VLAN 100
Primary Edge Port Control VLAN 10

Secondary Edge Port Control VLAN 20
Block Port Control VLAN 30

a. Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30
as their respective control VLANs.
n Configure SEP segment 1 on Router1 to Router5 and configure VLAN 10 as
the control VLAN of SEP segment 1.
n Configure SEP segment 2 on Router2, Router3, and Router6 to Router8, and
configure VLAN 20 as the control VLAN of SEP segment 2.
n Configure SEP segment 3 on Router3, Router4, and Router9 to Router11, and
configure VLAN 30 as the control VLAN of SEP segment 3.
b. Add devices on the rings to the SEP segments and configure interface roles on the
edge devices of the SEP segments.

n On Router1 to Router5, add the interfaces on the ring at the access layer to
SEP segment 1. Configure the roles of GE7/0/1 and GE7/0/3 of Router1 in
SEP segment 1.
n Add GE7/0/2 of Router2, GE7/0/1 and GE7/0/2 of Router6 to Router8, and
GE7/0/2 of Router3 to SEP segment 2. Configure the roles of GE7/0/2 of
Router2 and GE7/0/2 of Router3 in SEP segment 2.
n Add GE7/0/1 of Router3, GE7/0/1 and GE7/0/2 of Router9 to Router11, and
GE7/0/1 of Router4 to SEP segment 3. Configure the roles of GE7/0/1 of
Router3 and GE7/0/1 of Router4 in SEP segment 3.
c. Specify an interface to block on the device where the primary edge interface is
located.
n In SEP segment 1, specify the interface with the highest priority to block.
n In SEP segment 2, specify the device and interface names to block the
specified interface.
n In SEP segment 3, specify the blocked interface based on the configured hop
count.
d. Configure the preemption mode on the device where the primary edge interface is
located.
Configure delayed preemption in SEP segment 1 and manual preemption in SEP
segment 2 and SEP segment 3.
e. Configure the topology change notification function on the edge devices between
SEP segments, namely, Router2, Router3, and Router4.
2. Configure the Layer 2 forwarding function on CE1, CE2, and Router1 to Router11.
Procedure
1. Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30 as
their respective control VLANs, as shown in Figure 13-16.

# Configure Router6 to Router11.

The configurations of Router6 to Router11 are similar to the configurations of Router1 to
Router5 except for the control VLANs of different SEP segments.
NOTE
control VLAN.
2. Add devices on the rings to the SEP segments and configure interface roles according to
Figure 13-16.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment,
disable STP on the interface.
# On Router1, configure GE7/0/1 as the primary edge interface and GE7/0/3 as the
secondary edge interface.


# Configure Router6 to Router11.
The configurations of Router6 to Router11 are similar to the configurations of Router1 to
Router5 except for the interface roles.
# On Router1 where the primary edge interface of SEP segment 1 is located, specify the
interface with the highest priority to block.
[Router1-sep-segment1] block port optimal
# On Router3, set the priority of GE7/0/4 to 128, which is the highest priority among the
interfaces so that GE7/0/4 will be blocked.
[Router3-GigabitEthernet7/0/4] sep segment 1 priority 128

Retain the default priority of the other interfaces in SEP segment 1.

# On Router2 where the primary edge interface of SPE segment 2 is located, specify the
device and interface names so that the specified interface will be blocked.
Before specifying the interface to block, use the display sep topology command to view
the current topology information and obtain information about all the interfaces in the
topology. Then specify the device and interface names.
[Router2-sep-segment2] block port sysname Router7 interface gigabitethernet
7/0/1
# On Router4 where the primary edge interface of SEP segment 3 is located, specify the
blocked interface based on the configured hop count.
[Router4-sep-segment3] block port hop 5
NOTE
SEP sets the hop count of the primary edge interface to 1 and the hop count of the secondary edge
interface to 2. Hop counts of other interfaces increase by steps of 1 in the downstream direction of
the primary interface.
# Configure delayed preemption on Router1.
NOTE
– You must set the preemption delay when delayed preemption is used because there is no
default delay time.
– When the last faulty interface recovers, edge interfaces do not receive any fault notification
packet. If the primary edge interface does not receive any fault notification packet, it starts the
delay timer. When the delay timer expires, nodes in the SEP segment start blocked interface
preemption.
To implement delayed preemption in this example, simulate a port fault and then rectify the
fault. For example:
Run the shutdown command on GE7/0/1 of Router2 to simulate an interface fault, and then
run the undo shutdown command on GE7/0/2 to rectify the fault.
# Configure manual preemption on Router2.
[Router2-sep-segment2] preempt manual
# Configure the manual preemption mode on Router4.

5. Configure the topology change notification function.

# Configure devices in SEP segment 2 to notify SEP segment 1 of topology changes.
[Router2-sep-segment2] tc-notify segment 1
# Configure SEP segment 3 to notify SEP segment 1 of topology changes.

NOTE
The topology change notification function is configured on edge devices between SEP segments
so that the upper-layer network can be notified of topology changes on the lower-layer network.
Step 2 Configure the Layer 2 forwarding function on the CEs and Router1 to Router11.
# After completing the preceding configurations, verify the configuration. Router1 is used as
an example.
l Run the shutdown command on GE7/0/1 of Router2 to simulate an interface fault, and
then run the display sep interface command on Router3 to check whether GE7/0/4 of
Router3 has switched from the Discarding state to the Forwarding state.
SEP segment 1
----------------------------------------------------------------
----------------------------------------------------------------
----End
Configuration Files
#
sysname Router1
#
vlan batch 10 100 200 300
#
sep segment 1
control-vlan 10
block port optimal
preempt delay 30
#
stp disable
#
#
port hybrid tagged vlan 10 100 200 300
stp disable
#
return


#
sysname Router2
#
vlan batch 10 20 100 200
#
sep segment 1
control-vlan 10
sep segment 2
control-vlan 20
block port sysname Router7 interface GigabitEthernet7/0/1
tc-notify segment 1
#
stp disable
sep segment 1
#
stp disable
#
stp disable
sep segment 1
#
return

#
sysname Router3
#
vlan batch 10 20 30 100 200
#
sep segment 1
control-vlan 10
sep segment 2
control-vlan 20
tc-notify segment 1
sep segment 3
control-vlan 30
tc-notify segment 1
#
stp disable
#
stp disable
#
stp disable
sep segment 1
#
stp disable
sep segment 1

sep segment 1 priority 128

#
return
#
sysname Router4
#
vlan batch 10 30 100 200
#
sep segment 1
control-vlan 10
sep segment 3
control-vlan 30
block port hop 5
tc-notify segment 1
#
stp disable
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
return
#
sysname Router5
#
vlan batch 10 100 200 300
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
#
port hybrid tagged vlan 10 100 200 300
stp disable
sep segment 1
#
return
#
sysname Router6
#
vlan batch 20 200
#
sep segment 2

control-vlan 20
#
stp disable
sep segment 2
#
stp disable
sep segment 2
#
return
#
sysname Router7
#
vlan batch 20 200
#
sep segment 2
control-vlan 20
#
stp disable
sep segment 2
#
stp disable
sep segment 2
#
#
return
#
sysname Router8
#
vlan batch 20 200
#
sep segment 2
control-vlan 20
#
stp disable
sep segment 2
#
stp disable
sep segment 2
#
return
#
sysname Router9
#
vlan batch 30 100
#
sep segment 3
control-vlan 30

#
stp disable
sep segment 3
#
stp disable
sep segment 3
#
return

#
sysname Router10
#
vlan batch 30 100
#
sep segment 3
control-vlan 30
#
stp disable
sep segment 3
#
stp disable
sep segment 3
#
#
return

#
sysname Router11
#
vlan batch 30 100
#
sep segment 3
control-vlan 30
#
stp disable
sep segment 3
#
stp disable
sep segment 3
#
return

#
sysname CE1
#
vlan batch 100
#

#
return

#
sysname CE2
#
vlan batch 200
#
#
return
13.11.3 Example for Configuring a Hybrid SEP+MSTP Ring

Network
NOTE
In this example, devices at the aggregation layer run the MSTP protocol.
As shown in Figure 13-17, multiple Layer 2 switching devices form a ring at the access layer,
and multiple Layer 3 devices form a ring at the aggregation layer. The two devices where the
access layer and the aggregation layer are intersected do not support SEP. You can configure
SEP at the access layer to implement redundancy protection switching and configure the
topology change notification function on an edge device in a SEP segment. This function
enables an upper-layer network to detect topology changes in a lower-layer network in time.
l When there is no faulty link on the ring network, SEP can eliminate loops.
l When a link fails on the ring network, SEP can rapidly restore communication between
nodes.
l The topology change notification function must be configured on an edge device in a
SEP segment. This enables an upper-layer network to detect topology changes in a
lower-layer network in time.
After receiving a message indicating the topology change in a lower-layer network, a device
on an upper-layer network sends TC packets to instruct other devices to delete original MAC
addresses and learn new MAC addresses after the topology of the lower-layer network
changes. This ensures uninterrupted traffic forwarding.

Figure 13-17 Networking diagram of a hybrid-ring SEP network
GE7/0/2
GE7/0/3 GE7/0/3
GE7/0/2
Aggregation
PE3 PE4
GE7/0/1
GE7/0/1
MSTP
GE7/0/2 PE1 PE2 GE7/0/2
GE7/0/3
GE7/0/1 Do not Support SEP GE7/0/1
GE7/0/1 GE7/0/1
SEP
Router1 Segment1 Router2
GE7/0/2 GE7/0/2
GE7/0/2 GE7/0/1
Access
GE7/0/3Router3
GE7/0/1
CE
No-neighbor Primary Edge Port
No-neighbor Secondary Edge Port
VLAN100 Block Port(SEP)
Block Port(MSTP)

a. Configure SEP segment 1 on Router1 to Router3 and configure VLAN 10 as the
control VLAN of SEP segment 1.
b. Add Router1 to Router3 to SEP segment 1 and configure interface roles on the edge
devices (Router1 and Router2) of the SEP segment.
NOTE
PE1 and PE2 do not support the SEP protocol; therefore, the interfaces of Router1 and
Router2 connected to the PEs must be no-neighbor edge interfaces.
c. On the device where the no-neighbor primary edge interface is located, specify the
interface in the middle of the SEP segment as the interface to block.
d. Configure manual preemption.
e. Configure the topology change notification function so that the upper-layer network
running MSTP can be notified of topology changes in the SEP segment.

2. Configure basic MSTP functions.

a. Add Router1, Router2, PE1 to PE4 to an MST region RG1.
b. Create VLANs on Router1, Router2, PE1 to PE4 and add interfaces on the STP ring
to the VLANs.
c. Configure PE3 as the root bridge and PE4 as the backup root bridge.
3. Configure the Layer 2 forwarding function on CE and Router1 to Router3.
Procedure
1. Configure SEP segment 1 on Router1 to Router3 and configure VLAN 10 as the control
VLAN of SEP segment 1.
NOTE
control VLAN.
2. Add Router1 to Router3 to SEP segment 1 and configure interface roles.
[Router1-GigabitEthernet7/0/1] sep segment 1 edge no-neighbor primary
[Router2-GigabitEthernet7/0/1] sep segment 1 edge no-neighbor secondary


# On Router1 where the no-neighbor primary edge interface of SEP segment 1 is located,
specify the interface in the middle of the SEP segment as the interface to block.
[Router1-sep-segment1] block port middle

# Configure the manual preemption mode on Router1.
5. Configure the topology change notification function.

# Configure devices in SEP segment 1 to notify the MSTP network of topology changes.
[Router1-sep-segment1] tc-notify stp
[Router2-sep-segment1] tc-notify stp
Step 2 Configure basic MSTP functions.

1. Configure an MST region.
# Configure PE1.
[PE1] stp region-configuration
[PE1-mst-region] region-name RG1
[PE1-mst-region] active region-configuration
[PE1-mst-region] quit
# Configure PE2.
# Configure PE3.
# Configure PE4.


[Router1] stp region-configuration
[Router1-mst-region] region-name RG1
[Router1-mst-region] active region-configuration
[Router1-mst-region] quit
[Router2-mst-region] region-name RG1
2. Create VLANs and add interfaces to VLANs.

# On PE1, create VLAN 100 and add GE7/0/1, GE7/0/2, and GE7/0/3 to VLAN 100.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1-GigabitEthernet7/0/1] port hybrid tagged vlan 100
# On PE2, PE3, and PE4, create VLAN 100 and add GE7/0/1, GE7/0/2, and GE7/0/3 to
VLAN 100.
The configurations of PE2, PE3, and PE4 are similar to the configuration of PE1. For
details about the configuration, see the configuration files.
# On Router1 and Router2, create VLAN 100 and add GE7/0/1 to VLAN 100. The
configurations of Router1 and Router2 are similar to the configuration of PE1. For
details about the configuration, see the configuration files.
3. Enable MSTP.
# Configure PE1.
[PE1] stp enable
# Configure PE2.
[PE2] stp enable
# Configure PE3.
[PE3] stp enable
# Configure PE4.
[PE4] stp enable
[Router1] stp enable
[Router2] stp enable
4. Configure PE3 as the root bridge and PE4 as the backup root bridge.
# Set the priority of PE3 to 0 in MSTP to ensure that PE3 functions as the root bridge.
[PE3] stp root primary
# Set the priority of PE4 to 4096 in MSTP to ensure that PE4 functions as the backup
root bridge.
[PE4] stp root secondary

Step 3 Configure the Layer 2 forwarding function on the CE and Router1 to Router3.
# After the configurations are complete and network becomes stable, run the following
commands to verify the configuration. Router1 is used as an example.
l Run the shutdown command on GE7/0/1 of Router2 to simulate an interface fault, and
then run the display sep interface command on Router3 to check whether GE7/0/2 of
Router3 has switched from the Discarding state to the Forwarding state.
SEP segment 1
----------------------------------------------------------------
----------------------------------------------------------------
----End
Configuration Files
#
sysname Router1
#
vlan batch 10 100
#
region-name RG1
#
sep segment 1
control-vlan 10
block port middle
tc-notify stp
#
sep segment 1 edge no-neighbor primary
#
stp disable
sep segment 1
#
return

#
sysname Router2
#
vlan batch 10 100
#
region-name RG1
#
sep segment 1
control-vlan 10
tc-notify stp
#


sep segment 1 edge no-neighbor secondary
#
stp disable
sep segment 1
#
return
#
sysname Router3
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
port hybrid tagged vlan vlan 100
#
return
#
sysname PE1
#
vlan batch 100
#
region-name RG1
#
#
#
#
return
#
sysname PE2
#
vlan batch 100
#
region-name RG1
#
#


#
#
return

#
sysname PE3
#
vlan batch 100 200
#
#
region-name RG1
#
#
#
#
return

#
sysname PE4
#
vlan batch 100 200
#
#
region-name RG1
#
#
#
#
return
l Configuration file of CE
#
sysname CE
#
vlan batch 100
#
#
return

13.11.4 Example for Configuring SEP Multi-Instance

On a closed ring network, two SEP segments are configured to process different VLAN
services, implement load balancing, and provide link backup.
bandwidth.
To improve bandwidth efficiency and implement traffic load balancing, Huawei develops SEP
multi-instance.
Figure 13-18 SEP multi-instance on a closed ring network
Network
/0/3 GE7
GE7/0/2 GE7 /0/3 GE7/0/2
Router1
Router4
GE7/0/1
GE7/0/1
Aggregation
P2 P1 GE7/0/1
GE7/0/1
Router2 GE Router3
7/0/ /0/2
GE7/0/3 2 GE7 GE7/0/3
GE7/0/1 GE7/0/1
Access
CE1 CE2
VLAN VLAN
100~300 301~500
SEP Segment1
SEP Segment2
Primary Edge Port
Secondary Edge Port
Block Port

As shown in Figure 13-18, a ring network comprising Layer 2 switches (Router1 to Router4)
is connected to the network. SEP runs at the aggregation layer. SEP multi-instance is
configured on Router1 to Router4 to allow for two SEP segments to improve bandwidth
efficiency, implement load balancing, and provide link backup.

a. Create two SEP segments and a control VLAN on Router1 to Router4.
Different SEP segments can use the same control VLAN.
b. Configure SEP protected instances, and set mappings between SEP protected
instances and user VLANs to ensure that topology changes affect only
corresponding VLANs.
c. Add all the devices on the ring network to the SEP segments, and configure
GE7/0/1 as the primary edge interface and GE7/0/3 as the secondary edge interface
on Router1.
d. Configure an interface blocking mode on the device where the primary edge
interface resides.
e. Configure the preemption mode to ensure that the specified interface is blocked
when a fault is rectified.
2. Configure the Layer 2 forwarding function on CE1, CE2, and Router1 to Router4.
Procedure
l Configure SEP segment 1 and control VLAN 10.
[Router2] sep segment1

l Configure SEP segment 2 and control VLAN 10.

[Router2] sep segment2
NOTE
l The control VLAN must be a new one.

l The command used to create a common VLAN is automatically displayed in a configuration file.
l Each SEP segment must be configured with a control VLAN. After being added to a SEP segment
configured with a control VLAN, an interface is added to the control VLAN automatically. You do
not need to run the port trunk allow-pass vlan command. In the configuration file, the port trunk
allow-pass vlan command, however, is displayed in the view of the interface added to the SEP
segment.
Step 2 Configure SEP protected instances, and configure mappings between SEP protected instances
and user VLANs.
[Router1] vlan batch 100 to 500
[Router1-sep-segment1] protected-instance 1
[Router1-sep-segment2] protected-instance 2
[Router1-mst-region] instance 1 vlan 100 to 300
[Router1-mst-region] instance 2 vlan 301 to 500
The configurations of Router2 to Router4 are similar to that of Router1, and are not
mentioned here. For details, see the configuration files.
Step 3 Add all the devices on the ring network to the SEP segments and configure interface roles.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment, disable
STP on the interface.
# On Router1, configure GE7/0/1 as the primary edge interface and GE7/0/3 as the secondary
edge interface.


Step 4 Specify an interface to block.
# Configure delayed preemption and block an interface based on the device and interface
names on Router1 where the primary edge interface is located.
[Router1-sep-segment1] block port sysname Router3 interface gigabitethernet 7/0/1
[Router1-sep-segment2] block port sysname Router2 interface gigabitethernet 7/0/1
NOTE
l In this configuration example, an interface fault needs to be simulated and then rectified to
implement delayed preemption. To ensure that delayed preemption takes effect on the two SEP
segments, simulate an interface fault in the two SEP segments. For example:
– In SEP segment 1, run the shutdown command on GE 7/0/1 of Router2 to simulate an
interface fault. Then, run the undo shutdown command on GE7/0/1 to simulate interface fault
recovery.
– In SEP segment 2, run the shutdown command on GE 7/0/1 of Router3 to simulate an
interface fault. Then, run the undo shutdown command on GE7/0/1 to simulate interface fault
recovery.

Step 5 Configure the Layer 2 forwarding function on CE1, CE2, and Router1 to Router4.
The configuration details are not mentioned here. For details, see the configuration files.
# Simulate a fault, and then check whether the status of the blocked interface changes from
blocked to forwarding.
# Run the shutdown command on GE7/0/1 of Router2 to simulate an interface fault.
# Run the display sep interface command on Router3 to check whether the status of GE7/0/1
in SEP segment 1 changes from blocked to forwarding.
[Router3] display sep interface gigabitethernet 7/0/1
SEP segment 1
----------------------------------------------------------------
----------------------------------------------------------------
SEP segment 2
----------------------------------------------------------------
----------------------------------------------------------------
# The preceding command output shows that the status of GE7/0/1 changes from blocked to
forwarding and the forwarding path change in SEP segment 1 does not affect the forwarding
path in SEP segment 2.
----End
Configuration Files
#
sysname Router1
#
vlan batch 10 100 to 500
#
#
sep segment 1
control-vlan 10
preempt delay 15
protected-instance 1
sep segment 2
control-vlan 10
preempt delay 15
#
port hybrid tagged vlan 10 100 to 500
stp disable
#
stp disable


#
return
#
sysname Router2
#
#
#
sep segment 1
control-vlan 10
sep segment 2
control-vlan 10
#
stp disable
sep segment 1
sep segment 2
#
stp disable
sep segment 1
sep segment 2
#
port hybrid tagged vlan 100 to 300
#
return
#
sysname Router3
#
#
#
sep segment 1
control-vlan 10
sep segment 2
control-vlan 10
#
stp disable
sep segment 1
sep segment 2
#
stp disable
sep segment 1
sep segment 2
#


#
return

#
sysname Router4
#
#
#
sep segment 1
control-vlan 10
sep segment 2
control-vlan 10
#
stp disable
sep segment 1
sep segment 2
#
stp disable
sep segment 1
sep segment 2
#
return

#
sysname CE1
#
#
#
return

#
sysname CE2
#
#
#
return

CLI-based Configuration Guide - Ethernet Switching 14 Layer 2 Protocol Transparent Transmission
Configuration Configuration
14 Layer 2 Protocol Transparent

Transmission Configuration
About This Chapter
This chapter describes the concept, configuration procedure, and configuration examples of
Layer 2 protocol transparent transmission.
14.1 Overview of Layer 2 Protocol Transparent Transmission

14.2 Understanding Layer 2 Protocol Transparent Transmission
This section describes the principles of Layer 2 protocol transparent transmission.
14.3 Application Scenarios for Layer 2 Protocol Transparent Transmission
14.4 Licensing Requirements and Limitations for Layer 2 Protocol Transparent Transmission
This section describes the notes about configuring Layer 2 protocol transparent transmission.
14.5 Configuring Layer 2 Protocol Transparent Transmission
14.6 Configuration Examples for Layer 2 Protocol Transparent Transmission
14.1 Overview of Layer 2 Protocol Transparent

Transmission
Definition
Layer 2 protocol transparent transmission is a Layer 2 tunneling technology that transparently
transmits BPDUs between private networks at different locations over a specified tunnel on a
public Internet Service Provider (ISP) network.
Purpose
Leased lines of ISPs are often used to establish Layer 2 networks. As a result, private
networks of a user can be located at two sides of the ISP network. As shown in Figure 14-1,
User A has two networks: network1 and network2. The two networks are connected through

the ISP network. When network1 and network2 run the same Layer 2 protocol (such as
MSTP), Layer 2 protocol packets from network1 and network2 must be transmitted through
the ISP network to perform Layer 2 protocol calculation (for example, calculating a spanning
tree). Generally, the destination MAC addresses in Layer 2 protocol packets of the same
Layer 2 protocol are the same. For example, the MSTP PDUs are BPDUs with the destination
MAC address 0180-C200-0000. Therefore, when a Layer 2 protocol packet reaches an edge
device on the ISP network, the edge device cannot identify whether the Layer 2 protocol
packet comes from a user network or the ISP network and sends the Layer 2 protocol packets
to the CPU to calculate a spanning tree.
In Figure 14-1, devices on user network1 build a spanning tree together with PE1 but not
with devices on user network2. As a result, the Layer 2 protocol packets on user network1
cannot traverse the ISP network to reach user network2.
Figure 14-1 Transparent transmission of Layer 2 protocol packets on the ISP network
ISP
network
PE1 PE2
CE1 CE2
User A User A
network1 network2
You can use Layer 2 protocol transparent transmission to transparently transmit Layer 2
protocol packets from the user network for the ISP network. This addresses the network
identity issue. The procedure is as follows:
1. After receiving Layer 2 protocol packets sent from CE1, PE1 replaces the destination
MAC address with a specified multicast MAC address. Then PE1 forwards the packets
on the ISP network.
2. PE2 of the ISP network receives the packet, restores the original destination MAC
address of packets, and sends it to CE2.
14.2 Understanding Layer 2 Protocol Transparent

Transmission
This section describes the principles of Layer 2 protocol transparent transmission.
As shown in Figure 14-2, each PE interface connects to a user network, and all user networks
do not belong to the same LAN. PEs need to distinguish from which user network Layer 2
protocol packets come from. Layer 2 protocol packets of a user network of LAN-A must be
sent to the other user networks of LAN-A. In addition, Layer 2 protocol packets cannot be
processed by PEs on the ISP network.

Figure 14-2 Networking Layer 2 protocol transparent transmission
ISP
Network
PE1 BPDU Tunnel PE2
LAN-A LAN-A
MSTP MSTP
Layer 2 protocol packets need to be transparently transmitted on the backbone network. The
following requirements must be met:
l All branches of a user network can receive Layer 2 protocol packets from other
branches.
l Layer 2 protocol packets of a user network cannot be processed by the CPU of devices
on the ISP network.
l Layer 2 protocol packets of different user networks must be isolated and do not affect
each other.
You can configure Layer 2 protocol transparent transmission to meet the preceding
requirements.
1. PE1 on the backbone network receives Layer 2 protocol packets from user networks.
PE1 replaces the standard multicast destination MAC address of Layer 2 protocol
packets with a specified multicast MAC address according to the mappings between
multicast destination MAC addresses and Layer 2 protocols.
2. Internal nodes on the backbone network forward the packets across the backbone
network as common Layer 2 packets.
3. The egress device PE2 of the backbone network restores the original destination MAC
address of the packets according to the mappings between multicast destination MAC
addresses and Layer 2 protocols, and then forwards the packets to user networks.
14.3 Application Scenarios for Layer 2 Protocol

Transparent Transmission
As shown in Figure 14-3, CE1 and CE2 are edge devices on private networks of User A in
different locations. The two private networks connect to the ISP network through PE1 and
PE2. Networks of User A have redundant links, so MSTP is used to remove loops on the
Layer 2 network. When MSTP packets sent by CEs reach PEs, PEs send the packets to the
CPUs for processing because they cannot identify the network that MSTP packets come from.
Layer 2 protocol calculations on the user network and ISP network affect each other and
cannot be implemented independently.

You can configure Layer 2 protocol transparent transmission on PEs, so that MSTP packets
are not sent to the CPUs of PEs for processing. This prevents PEs from participating in
spanning tree calculation.
Figure 14-3 Networking of Layer 2 protocol transparent transmission
ISP
network
PE1 PE2
CE1 CE2
User A User A
network1 network2
14.4 Licensing Requirements and Limitations for Layer 2

Protocol Transparent Transmission
This section describes the notes about configuring Layer 2 protocol transparent transmission.

None
Layer 2 Protocol Transparent Transmission is a basic feature of a router and is not under
license control.
Feature Limitations
l When configuring Layer 2 protocol transparent transmission, do not use multicast MAC
addresses that have been used on the device.
l The user-side interface cannot be a VLANIF interface; otherwise, protocol packets
cannot be transmitted.
l Currently, the device supports transparent transmission of packets of the following Layer
2 protocols:
– Spanning Tree Protocol (STP)
– Link Aggregation Control Protocol (LACP)
– Link Layer Discovery Protocol (LLDP)
– Cisco Discovery Protocol (CDP)

– User-defined protocols
14.5 Configuring Layer 2 Protocol Transparent

Transmission
14.5.1 Replacing the Multicast Destination MAC Address of Layer

2 Protocol Packets with a Specified Multicast MAC Address
Context
Layer 2 protocol transparent transmission is implemented by replacing the original multicast
MAC address of Layer 2 protocol packets from user networks with a specified multicast
MAC address.
Perform the following steps on the PE.
Procedure
Step 2 Run the following commands as required.

l If the Layer 2 protocol packets from a user network are STP BPDUs, LACPDUs,
LLDPDUs, or CDP packets, run the l2protocol-tunnel protocol-type group-mac group-
mac command to replace the destination MAC address of the Layer 2 protocol packets
with a specified multicast MAC address.
By default, the device is not enabled to replace the multicast destination MAC address of
Layer 2 protocol packets with a specified multicast MAC address.
NOTE
– The used multicast MAC address on the device cannot be replaced destination MAC address of
Layer 2 protocol packets.
l If the Layer 2 protocol packets from a user network are not STP BPDUs, LACPDUs,
LLDPDUs, or CDP packets, run the l2protocol-tunnel user-defined-protocol protocol-
name protocol-mac protocol-mac group-mac group-mac command to customize Layer
2 protocol packets and replace the destination MAC address of the Layer 2 protocol
packets with a specified multicast MAC address.
By default, Layer 2 protocol packets are not customized.
NOTE
– The destination MAC address of user-defined protocol packets must be different from that of STP
BPDUs, LACPDUs, LLDPDUs, and CDP packets, and the replaced multicast MAC address must
be different from the used multicast MAC address.
----End
14.5.2 Configuring a Transparent Bridge

Context
To configure Layer 2 protocol transparent transmission, you need to configure a bridge group
and add user-side and network-side interfaces of a PE to the bridge group.
Perform the following steps on the PE.
Procedure
By default, no bridge group is configured.
Step 3 Run quit
Step 4 Add a user-side interface to the bridge group.
1. Run interface interface-type interface-number
2. Run bridge bridge-id
The interface is added to the bridge group.
By default, no interface is added to the bridge group.
Step 5 Repeat step 4 to add a network-side interface to the bridge group.
----End
14.5.3 Enabling Layer 2 Protocol Transparent Transmission on an

Interface
Context
Perform the following operations on PEs based on the required Layer 2 protocol transparent
transmission mode.
Procedure
The network-side interface view is displayed.
Step 3 Run l2protocol-tunnel { protocol-type | user-defined-protocol protocol-name } enable
Layer 2 protocol transparent transmission is enabled on the interface.

By default, Layer 2 protocol transparent transmission is disabled on the interface.
----End
14.5.4 Verifying the Configuration of Interface-based Layer 2

Protocol Transparent Transmission
Procedure
l Run the display current-configuration | include l2protocol-tunnel command to check
the global configuration of Layer 2 protocol transparent transmission.
l Run the display current-configuration interface interface-type interface-number
command to check the global configuration of Layer 2 protocol transparent transmission.
----End
14.6 Configuration Examples for Layer 2 Protocol

14.6.1 Example for Configuring Layer 2 Protocol Transparent

Transmission
As shown in Figure 14-4, CEs are edge devices on an enterprise's networks in different
locations, and PE1 and PE2 are edge devices on the ISP network. The two networks are Layer
2 networks and connected through the ISP network. STP is used to prevent loops on Layer 2
networks. Enterprise users require that STP should run on their Layer 2 networks so that
spanning trees can be generated correctly.
Figure 14-4 Networking of interface-based Layer 2 protocol transparent transmission
PE1 PE2
GE2/0/0 ISP GE2/0/0
GE1/0/0 network
GE1/0/0
Eth2/0/0 Eth2/0/0
CE1 CE2
User A User A
network1 network2

1. Configure STP on CEs to prevent loops on Layer 2 networks.
2. Configure interface-based Layer 2 protocol transparent transmission on PEs so that STP
BPDUs are not sent to the CPUs of PEs for processing.
Procedure
Step 1 Enable STP on CEs.
# Configure CE1.
# Set the priority of CE2 to 4096.

[CE2] stp priority 4096
NOTE
STP is enabled in the system and on an interface by default. You do not need to configure it.
Step 2 Configure PEs to replace the destination MAC address of STP BPDUs received from CEs.
# Configure PE1.
[PE1] l2protocol-tunnel stp group-mac 0100-0ccd-eeee
# Configure PE2.
[PE2] l2protocol-tunnel stp group-mac 0100-0ccd-eeee
Step 3 Configure the transparent bridge on PEs.

# Configure PE1. The configuration of PE2 is similar to that of PE1, and is not mentioned
here.
[PE1] bridge 1
[PE1-bridge1] quit
[PE1-GigabitEthernet1/0/0] bridge 1
[PE1-GigabitEthernet2/0/0] bridge 1
Step 4 Enable Layer 2 protocol transparent transmission on GE2/0/0 of PE1 and PE2.
# Configure PE1. The configuration of PE2 is similar to that of PE1, and is not mentioned
here.
[PE1-GigabitEthernet2/0/0] l2protocol-tunnel stp enable


# After the configuration is complete, wait for 30s and run the display stp brief command on
CE1 and CE2 to view the root in the MST region. You can see that a spanning tree is
calculated between CE1 and CE2. Eth2/0/0 on CE1 is a root port, and Eth2/0/0 on CE2 is a
designated port.
[CE1] display stp brief
[CE2] display stp brief
----End
Configuration Files
#
sysname CE1
#
#
return

#
sysname CE2
#
stp instance 0 priority 4096
#
#
return

#
sysname PE1
#
l2protocol-tunnel stp group-mac 0100-0ccd-eeee
#
bridge 1
#
bridge 1
#
bridge 1
l2protocol-tunnel stp enable
#
return

#
sysname PE2
#
l2protocol-tunnel stp group-mac 0100-0ccd-eeee
#
bridge 1
#
bridge 1
#
bridge 1
l2protocol-tunnel stp enable

#
return

Configuration 15 Transparent Bridging Configuration
15 Transparent Bridging Configuration
About This Chapter
Transparent bridges are widely used in Ethernet LANs because they are easy to configure and
operate.
15.1 Overview of Transparent Bridge
15.2 Understanding Transparent Bridging
15.3 Application Scenarios for Transparent Bridging
15.4 Summary of Transparent Bridging Configuration Tasks
operate.
15.5 Default Settings for Transparent Bridging
This section provides default parameter settings of transparent bridging.
15.6 Licensing Requirements and Limitations for Transparent Bridging
15.7 Configuring Local Bridging
Configuring local bridging allows users in the same geographical location and on the same
network segment to communicate with each other.
15.8 Configuring Local Bridging Integrated with IP Routing
Configuring local bridging integrated with IP routing allows users in the same geographical
location but on different network segments to communicate with each other.
15.9 Configuring Remote Bridging
Configuring remote bridging allows users in different geographical locations and on the same
15.10 Configuring Remote Bridging Integrated with IP Routing
Configuring remote bridging integrated with IP routing allows users in different geographical
locations and on different network segments to communicate with each other.
15.11 Maintaining Transparent Bridging
This section describes how to clear traffic statistics on a bridge group to help locate faults in
the bridge group.
15.12 Configuration Examples for Transparent Bridging

This section describes the typical application scenarios of transparent bridging and provides
configuration roadmaps.
15.13 FAQ About Transparent Bridging
This section lists FAQs related to the transparent bridging configuration.
15.1 Overview of Transparent Bridge

Definition
Transparent bridges are applied in Ethernet environments to connect LANs, to facilitate
seamless interaction between LANs. A transparent bridge learns the network topology needed
to forward packets by reading the received packet's source MAC address and creating a
mapping table between the source MAC address and the interface.
Purpose
Ethernet LAN has become the mainstream technology due to its robust expansibility and low
costs. On some small-scale networks especially on dispersed networks where PPP, HDLC,
FR, or ATM links are interconnected, interworking between LANs remains a problem and
needs to be addressed urgently.
Traditional routers can connect LANs, but the costs are high and the configurations are
complex. Transparent bridging can be used on an Ethernet network to connect LANs.
Transparent bridging makes full use of links but not low-speed Ethernet links to connect
LANs without affecting the existing LAN network. Transparent bridging is easy to use and
cost-effective, so it is widely used.
15.2 Understanding Transparent Bridging
15.2.1 Basic Principles of Transparent Bridging

Forwarding Entry Learning
Transparent bridging uses a forwarding table to forward packets. A network bridge's
forwarding table records the mapping between the MAC address and the packet's outbound
interface. If an Ethernet frame arrives, the network bridge takes the following actions to
forward it:
l Obtain the source MAC address of the valid Ethernet frame.
l Add the mapping relationship between the source MAC address and the interface to the
forwarding table to generate a forwarding entry.
As shown in Figure 15-1, PC1, PC2, PC3, and PC4 are located on two LANs. PC1 connects
to bridge port Port1 and PC2 connects to bridge port Port2. When PC1 sends an Ethernet
frame to PC2, both Port1 and PC2 receive the frame.

Figure 15-1 PC1 transmitting information to PC2 on LAN1
LAN1 LAN1
PC 1 PC 2
Port1 RouterA Port2
Port3 Port4
PC 3 PC 4
LAN2 LAN2
After Port2 receives the frame, the network bridge learns that PC1 connects to Port1 because
the frame is received from Port1. Then the mapping between the MAC address of PC1 and
Port1 is added to the network bridge table, as shown in Figure 15-2.
Figure 15-2 Network bridge learning that PC1 connects to Port1
LAN1 LAN1
PC 1 PC 2
Source MAC Destination MAC

00e0:fcaa:aaaa 00e0:fcaa:bbbb
Port1 RouterA Port2
Port3 Port4
MAC address Port
00e0:fcaa:aaaa port1
PC 3 PC 4
LAN2 LAN2

When PC2 responds to the frame from PC1, the network bridge also detects the frame from
PC2 and learns that PC2 connects to Port2 because the frame is received from Port2. The
mapping between the MAC address of PC2 and Port2 is added to the network bridge table, as
shown in Figure 15-3.
Figure 15-3 Network bridge learning that PC2 connects to Port2
LAN1 LAN1
PC 1 PC 2
Destination MAC Source MAC

00e0:fcaa:aaaa 00e0:fcaa:bbbb
Port1 RouterA Port2
Port3 Port4
MAC address Port
00e0:fcaa:bbbb port2
PC 3 PC 4
LAN2 LAN2
The network bridge learns the mappings between all MAC addresses and bridge interfaces, as
shown in Figure 15-4.

Figure 15-4 Last network bridge address table
LAN1 LAN1
PC 1 PC 2
Port1 RouterA Port2
Port3 Port4
MAC address Port
00e0:fcaa:bbbb port2
PC 3 00e0:fcaa:cccc port3 PC 4
00e0:fcaa:dddd port4
LAN2 LAN2
If a MAC address establishes a mapping relationship with more than one interface, the more
recent mapping relationship overrides the earlier one. This ensures each MAC address is
related with only one outbound interface.
The transparent bridge can perform dynamic MAC address learning. Learned MAC address
entries are deleted when their aging time expires.
Packet Processing
The transparent bridge processes received data frames in either of the following modes:
l Unicast frame
If the received data frame's destination MAC address can be found in the forwarding
table, and the inbound and outbound interfaces of the frame are different, the outbound
interface forwards the data frame.
l Broadcast
If the received data frame's destination MAC address is a unicast MAC address and
cannot be found in the forwarding table, or the destination MAC address of the data
frame is a multicast or broadcast MAC address, the data frame is forwarded to all
interfaces in the corresponding bridge group on the same VLAN, except the frame's
inbound interface.
NOTE
When packets enter the network bridge, the following BPDUs will be discarded:
l If the network bridge interface is configured with selective QinQ, the packets with the destination MAC
address of 0180-C200-0002 will be discarded.
l If the network bridge interface is not configured with selective QinQ, the packets with the destination
MAC addresses of 0180-C200-000x and 0180-C200-002x will be discarded. x represents 1-bit
hexadecimal integer.

15.2.2 Local Bridging

Local bridging is the basic function of transparent bridging. As shown in Figure 15-5, LAN 1
and LAN 2 are in the same geographic location and need to communicate with each other at
the link layer. Transparent bridging can be used to bridge these LANs locally.
Figure 15-5 Local bridging network diagram

PC 3 PC 4
LAN1
Eth2/0/1
RouterA
Eth2/0/2
LAN2
PC 1 PC 2
A bridge group is created on Router A. Ethernet 2/0/1 in LAN 1 and Ethernet 2/0/2 in LAN 2
are added to the bridge group. In this manner, LAN 1 and LAN 2 are bridged and can
communicate with each other at the link layer.
After local bridging is configured, the bridge group configured for the transparent bridge is
able to:
l Learn the mapping relationship between the MAC address and the interface (MAC
forwarding entry).
l Be configured with static and blackhole MAC address entries.
l Be enabled with or disabled from dynamic MAC address entry learning.
l Be configured with the aging time of dynamic MAC entries.
l Bridge all protocol packets (including IP and non-IP packets) by default.
15.2.3 Remote Bridging

If LANs in different geographical locations need to communicate with each other at the link
layer, remote bridging can be used to bridge the LANs.

Figure 15-6 Networking diagram for remote bridging

PC 3 PC 4 PC 7 PC 8
HostA HostB
LAN1 LAN3
Eth2/0/1 Eth2/0/1
Serial1/0/0 Serial1/0/0
RouterA Network RouterB
Serial1/0/1 Serial1/0/1
Eth2/0/2 Eth2/0/2
LAN2 LAN4
HostC HostD
PC 1 PC 2 PC 5 PC 6
As shown in Figure 15-6, Router A and Router B are connected with each other over a
network. PC2, PC4, PC5, and PC7 belong to four different LANs (LAN 2, LAN 1, LAN 4,
LAN 3) on different network segments. LAN 1 needs to communicate with LAN 3, and LAN
2 with LAN 4.
Bridges 1 and 2 are created on Router A and Router B, respectively. Ethernet2/0/1 and Serial
1/0/0 on both Router A and Router B are added to bridge 1; Ethernet2/0/2 and Serial 1/0/1 on
both Router A and Router B are added to bridge 2. In this manner, the preceding
communication requirement can be met.
Other types of links, such as Ethernet, Point-to-Point Protocol (PPP), Asynchronous Transfer
Mode (ATM), and High-level Data Link Control (HDLC), can also be used for remote
bridging.
To support remote bridging, transparent bridging provides the following functions:
l Allow Ethernet interfaces, Ethernet sub-interfaces, VLANIF, VT, Serial, Serial sub-
interfaces, Dialer, PON interfaces, ATM interfaces, ATM sub-interfaces, FR interfaces,
FR sub-interfaces, MP-Group interfaces, MFR interfaces, MFR sub-interfaces to be
added to bridge groups.
l Link encapsulation protocols such as Ethernet, PPP, HDLC, FR, PPP0A, PPPOE,
PPPOEOA, and ATM.
l 802.1Q VLAN ID transparent transmission.
l Bridging IP and non-IP packets.
15.2.4 Integrated Bridging and Routing

Bridge groups connect different LANs at the link layer. Generally, LAN users that need to be
interconnected belong to the same network segment or aggregated network segment. When
users in a bridge group need to access another network, link-layer bridging is unsatisfactory.
Integrated bridging and routing can meet these needs.

Integrated bridging and routing uses Bridge-if interfaces for routing packets. Bridge-if
interfaces can be configured with network layer attributes, such as IP addresses. Each bridge
group can be configured with only one Bridge-if interface. A Bridge-if interface's number is
the number of the bridge group that the Bridge-if interface represents. After the integrated
bridging and routing function has been activated, the Bridge-if interface can route packets
between users in the bridge group and the outside network.
The integrated bridging and routing function needs to be enabled using the command line.
Otherwise, all the packets in a bridge group can only be bridged, but not routed. After
integrated bridging and routing has been enabled, protocol packets can either be bridged or
routed, which can be configured through the command line.
After integrated bridging and routing has been enabled, the interfaces added to a bridge group
cannot be configured with IP addresses.
Figure 15-7 Integrated bridging and routing network diagram
PC1 PC2
1.1.1.11/24 1.1.1.12/24
Eth2/0/1 Eth1/0/0 Eth1/0/0 RouterB

Bridge-if 2.2.2.1/24 2.2.2.2/24
1.1.1.1/24
RouterA
Eth2/0/2 Eth2/0/2
1.1.1.13/24 1.1.1.14/24 3.2.2.3/24 3.2.2.4/24
PC3 PC4 PC5 PC6
As shown in Figure 15-7, a bridge group and a Bridge-if interface are configured on Router
A. Ethernet2/0/1 and Ethernet2/0/2, connecting two different LANs, are added to the bridge
group. An IP address is configured for the Bridge-if interface. After the integrated bridging
and routing function and the IP packet routing function have been enabled, the Bridge-if
interface can route IP packets between the four hosts (PC1, PC2, PC3, and PC4) and the
network outside the bridge group, and the return route is configured for Router B. That is, the
four hosts can access the network outside the bridge group by using the Bridge-if interface.
15.2.5 VLAN ID Transparent Transmission

Packet VLAN IDs need to be transmitted between multiple bridged LANs so that devices in
different VLANs can be isolated and those in the same VLAN can communicate with each
other. VLAN ID transparent transmission can prevent VLAN IDs from being dropped during
transmission.

Figure 15-8 Networking diagram for VLAN ID transparent transmission
RouterA RouterB
Eth2/0/0 Eth2/0/0
VLAN2 Eth1/0/0 Eth1/0/0 VLAN2
SwitchA SwitchB
PC1 PC2
If two trunk interfaces are connected over Ethernet, configuring VLAN ID transparent
transmission prevents the transmission devices on the Ethernet from removing VLAN IDs of
the packets. The two trunk interfaces can be considered as directly connected. For example, in
Figure 15-8 VLAN ID transparent transmission is enabled on the interfaces of Router A and
Router B, allowing PC1 and PC2 to communicate with each other.
15.3 Application Scenarios for Transparent Bridging

Transparent bridging allows communication between different LANs. Transparent bridging
can be configured in four usage scenarios depending on the geographical locations and
network segments of LANs. Table 15-1 lists the four usage scenarios and selection rules.

Table 15-1 Transparent bridging usage scenarios

Scenar Users in the Users in the Users in Users in
io Same Same Different Different
Geographical Geographical Geographical Geographical
Location and Location but Locations but Locations and
Network Different Same Network Network
Segment Network Segment Segments
Segments
Functio Local bridging as Local bridging Remote bridging Remote bridging

n shown in Figure integrated with IP and VLAN ID integrated with IP
Requir 15-9 routing as shown transparent routing as shown
ed in Figure 15-10 transmission (if in Figure 15-13
communication
within VLANs
and isolation
between VLANs
are required)
Users in different
locations but on
the same network
segment
communicate
with each other
using remote
bridging, as
shown in Figure
15-11. To
implement
interworking in a
VLAN and
isolation between
different VLANs,
enable VLAN ID
transparent
transmission, as
shown in Figure
15-12.
Interworking on the Same Network Segment

An enterprise has multiple departments located in the same office building but on different
floors. As businesses develop, data communication is required between the terminals within
the same department, and between some departments. Due to information security,
information in some departments needs to be isolated with that in the other departments. In
this case, local bridging can be used. Users that require communication with each other need
to be added to the same bridge group so that some departments can communicate or be
isolated with other departments.
As shown in Figure 15-9, User 1 and User 2 belong to the same department, and both of them
are added to VLAN 11. User 4 and User 3 belong to the different departments. User 1, User 2,

and User 3 need to communicate with each other. After bridge groups are created on RouterA,
departments in the same bridge group can communicate with each other and those in different
bridge groups are isolated from each other.
Figure 15-9 Interworking on the same network segment

RouterA
User 1 User 2 User 3 User 4

1.1.1.1/24 1.1.1.2/24 1.1.1.3/24 1.1.1.4/24
VLAN 11
Interworking on Different Network Segment

As shown in Figure 15-10, as businesses of Enterprise A develop, data communication is
required between departments of Enterprise A, and between Enterprise A and local
Enterprises B.
Departments of Enterprise A belong to the LANs on the same network segment, and therefore
they can be bridged to communicate with each other. Enterprise B, however, belongs to a
LAN on a different network segment. Therefore, link-layer bridging cannot meet the
requirement of the communication between Enterprise A and Enterprise B.
In this case, you can configure local bridging integrated with IP routing to achieve the
communication between Enterprise A and Enterprise B.
Figure 15-10 Interworking on different network segments

Bridge-if
RouterA

1.1.1.1/24 1.1.1.2/24 3.1.1.3/24
Enterprise A Enterprise B

Remote Users on the Same Network Segment

An enterprise has multiple departments in different locations. As businesses develop, data
communication is required between the terminals within the same department, and between
some departments. To enable the communication between departments in different locations,
remote bridging can be used.
As shown in Figure 15-11, intermediate links are used to connect RouterA and RouterB,
which are located in different locations. Users 1 to 4 are on the same network segment. User 3
and User 4 are in a different location than User 1 and User 2. Configuring remote bridging
allows User 1 and User 2 to communicate with User 3 and User 4.
Figure 15-11 Remote users on the same network segment

RouterA RouterB
Network

1.1.1.1/24 1.1.1.2/24 1.1.1.3/24 1.1.1.4/24
Remote Users in the Same VLAN on the Same Network Segment

To allow users in the same department (the same VLAN) to communicate with each other,
and to isolate users in different departments (different VLANs), VLAN ID transparent
transmission must be enabled.
As shown in Figure 15-12, User 1, User 2, User 3, and User 4 are on the same network
segment. User 1 and User 3 belong to a VLAN; User 2 and User 4 belong to the other VLAN.
To allow users in the same VLAN to communicate with each other and isolate users in
different VLANs, remote bridging and VLAN ID transparent transmission can be enabled. In
this manner, User 1 can only communicate with User 3, and User 2 can only communicate
with User 4.

Figure 15-12 Remote users in the same vlan on the same network segment
RouterA RouterB
Network
Eth1/0/3 Eth1/0/3
Eth1/0/1 Eth1/0/2 Eth1/0/1 Eth1/0/2

Switch 1 Switch 2

1.1.1.1/24 1.1.1.2/24 1.1.1.3/24 1.1.1.4/24
VLAN 11 VLAN 12 VLAN 11 VLAN 12
Remote Users on Different Network Segments

As shown in Figure 15-13, As businesses of Enterprise A develop, data communication is
required between departments of Enterprise A, and between Enterprise A and remote
Enterprises C (in a different geographical location).
Departments of Enterprise A belong to the LANs on the same network segment, and therefore
they can be bridged to communicate with each other. Enterprise C, however, belongs to a
LAN on a different network segment. Therefore, link-layer bridging cannot meet the
requirement of the communication between Enterprise A and Enterprise C.
In this case, you can configure remote bridging integrated with IP routing to achieve the
communication between Enterprise A and Enterprise C.
Figure 15-13 Remote users on different network segments

Bridge-if RouterB
RouterA
Network

1.1.1.1/24 1.1.1.2/24 2.1.1.4/24
Enterprise A Enterprise C

15.4 Summary of Transparent Bridging Configuration

Tasks
operate.
Table 15-2 lists the configuration task summary of Transparent Bridging.
Table 15-2 Transparent Bridging configuration tasks

Configuring Local Bridging Configuring local bridging 15.7 Configuring Local

allows users in the same Bridging
geographical location and
on the same network
segment to communicate
with each other.
Configuring Local Bridging Configuring local bridging 15.8 Configuring Local

Integrated with IP Routing integrated with IP routing Bridging Integrated with
allows users in the same IP Routing
geographical location but on
different network segments
to communicate with each
other.
Configuring Remote Configuring remote bridging 15.9 Configuring Remote

Bridging allows users in different Bridging
geographical locations and
on the same network
segment to communicate
with each other.
Configuring Remote Configuring remote bridging 15.10 Configuring Remote

Bridging Integrated with IP integrated with IP routing Bridging Integrated with
Routing allows users in different IP Routing
geographical locations and
on different network
segments to communicate
with each other.
15.5 Default Settings for Transparent Bridging

This section provides default parameter settings of transparent bridging.

Table 15-3 Default setting for transparent bridging

Bridging function for a specified network Enabled for all protocols

protocol
Routing function Disabled for IP protocol packets
Transparent transmission of VLAN IDs Disabled
15.6 Licensing Requirements and Limitations for

Transparent Bridging
None
Transparent bridging is a basic feature of a router and is not under license control.
Feature Limitations
None
15.7 Configuring Local Bridging

Configuring local bridging allows users in the same geographical location and on the same
15.7.1 Creating a Bridge Group
Context
A bridge group is a virtual group. It can forward packets only after interfaces have been added
to the group.
Procedure
If the bridge group specified by bridge-id exists, the bridge group view is displayed.

Multiple devices can use the same bridge number.
----End
15.7.2 Adding Local Interfaces to a Bridge Group
Context
to the group.
As shown in Figure 15-14, the following methods can be used to add users to a bridge group:
l Directly add users to the bridge group. User 3 uses this method.
l Use a VLAN to add users to the bridge group. Create a VLAN on a bridge and add users
to the VLAN. Users then connect to the bridge group through the VLANIF interface.
User 1 and User 2 use this method.
l Use Ethernet sub-interfaces to add users to the bridge group. This method is used when
flows on a physical interface need to be differentiated using sub-interfaces. User 4 uses
this method.
Figure 15-14 Networking diagram for adding users to bridge groups
User 3 RouterA User 4

Sub interface
VLANIF 11
User 1 User 2
VLAN 11
Perform the following steps on the user-side interface of the device.
Procedure
The user-side interface view is displayed.
An interface is added to a bridge group.

A maximum of 20 interfaces can be added to a bridge group. Different types of interfaces can
be added to the same bridge group. Layer 2 interfaces cannot be added to a bridge group.
----End
15.7.3 (Optional) Disabling a Bridge Group from Bridging

Specified Protocol Packets
Context
To allow a bridge group to forward specified protocol packets, enable the function that
bridges the protocol packets on the bridge group. If a bridge group is disabled from bridging
specified protocol packets, the bridge group will discard the protocol packets.
Procedure
The bridge group view is displayed.
Step 3 Run bridging { ip | others } disable
The bridge group is disabled from bridging specified protocol packets.
By default, a bridge group bridges all protocol packets.
----End
15.7.4 (Optional) Configuring a MAC Address Table for a Bridge

Group
Context
By default, dynamic MAC address learning is enabled for a bridge group. When a network is
insecure and vulnerable to attacks, you can disable dynamic MAC address learning and use
static MAC address entries for traffic forwarding.
Procedure
Step 3 Run mac-address learning disable
Dynamic MAC address learning is disabled.

By default, dynamic MAC address learning is enabled for a bridge group.
Step 4 Run quit
Step 5 Configure a MAC address entry.

l Run mac-address static mac-address interface-type interface-number bridge bridge-id
A static MAC address entry is configured for a bridge group.
By default, no static MAC address entry is configured. In a bridge group, each MAC
address entry can be configured as only one static entry. If the MAC address entry is
configured as a static entry repeatedly, the last configuration overwrites the previous
configuration.
l Run mac-address blackhole mac-address bridge bridge-id
A blackhole MAC address entry is configured for a bridge group.
By default, no blackhole MAC address entry is configured.
l Run mac-address aging-time seconds bridge
The aging time is configured for a dynamic MAC entry.
The configured aging time takes effect on the dynamic MAC address entries of all bridge
groups.
----End
15.7.5 Verifying the Configuration of the Local Bridging
Prerequisites
The configurations for local bridging are complete.
Procedure
l Run the display bridge [ bridge-id ] information command to view information about
the bridge group.
l Run the display bridge traffic [ bridge bridge-id | interface interface-type interface-
number ] command to view the traffic statistics on a specified interface in the bridge
group.
----End
15.8 Configuring Local Bridging Integrated with IP

Routing
Configuring local bridging integrated with IP routing allows users in the same geographical
location but on different network segments to communicate with each other.


Context
to the group.
Procedure
----End
15.8.2 Adding Local Interfaces to a Bridge Group

Context
to the group.
this method.
User 3 RouterA User 4

Sub interface
VLANIF 11
User 1 User 2
VLAN 11

Procedure
----End
15.8.3 Enabling IP Routing for a Bridge Group

Context
IP routing enables a bridge group to bridge and route packets. If IP routing is not enabled, all
protocol packets can only be bridged. After IP routing is enabled, specified protocol packets
can be bridged or routed depending on the configuration.
Procedure
Step 3 Run routing ip
IP routing is enabled for the bridge group.
The IP routing function cannot be configured if any of member interfaces in the bridge group
has an IP address. Before configuring the IP routing function, delete the IP addresses of these
member interfaces.
Step 4 Run quit
Step 5 Run interface bridge-if bridge-id
A Bridge-if interface is created and the Bridge-if interface view is displayed.
An IP address is configured for the Bridge-if interface.

Step 7 (Optional) Run mac-address mac-address

A MAC address is configured for the Bridge-if interface.
----End

Context
Procedure
----End

Group
Context
Procedure

Step 4 Run quit

configuration.
groups.
----End
15.8.6 Verifying the Configuration of the Local Bridging

Integrated with IP Routing
Prerequisites
The configurations for local bridging integrated with IP routing are complete.
Procedure
l Run the display interface bridge-if [ bridge-id ] command to check information about
the Bridge-if interface.
l Run the display bridge [ bridge-id ] information command to check information about
the remote bridge group.
group.
----End
15.9 Configuring Remote Bridging

Configuring remote bridging allows users in different geographical locations and on the same


Context
to the group.
Procedure
----End
15.9.2 Adding a LAN-side Interface to a Bridge Group

Context
to the group.
this method.

User 1
User 4 RouterA RouterB

Network
User 5
User 2 User 3
VLAN 11
Procedure
Ethernet sub-interfaces and GE sub-interfaces configured to terminate QinQ tags do not
support transparent bridging.
----End
15.9.3 Adding a WAN-side Interface to a Bridge Group

Context
Two devices can be connected using different types of intermediate links, such as Ethernet,
PPP, HDLC, FRMP, and ATM to bridge data between different LANs.

To implement remote bridging between different LANs, add the user-side interface
connecting to a LAN and the network-side interface connecting to the intermediate link to the
same bridge group.
Perform the following steps on the devices at both ends of the intermediate link.
Procedure
The view of the network-side interface is displayed.
Step 3 Perform the following operations depending on the type of interface:
l Add an Ethernet interface to a bridge group.
a. Run bridge bridge-id
The Ethernet interface is added to the bridge group.
l Add an HDLC interface to a bridge group.
a. Run link-protocol hdlc
HDLC is enabled on the interface.
The HDLC interface is added to the bridge group.
l Add a PPP interface to a bridge group.
a. Run link-protocol ppp
PPP is enabled on the interface.
The PPP interface is added to the bridge group.
l Add an MP group interface to a bridge group.
The VT interface is added to the bridge group.
b. Run quit
c. Run interface interface-type interface-number
The MP group interface view is displayed.
d. Run link-protocol ppp
e. Run ppp mp virtual-template number
The MP group interface is bound to a virtual template.
l Add an FR interface to a bridge group.
a. Run link-protocol fr
FR is enabled on the interface.
b. Run fr dlci dlci

A frame relay DLCI is created.

c. Run quit
Return to the interface view.
d. Run bridge bridge-id
The FR interface to the bridge group.
e. Run fr map bridge dlci-number broadcast
A mapping between the frame relay DLCI and the bridge group is configured.
l Add an ATM interface to a bridge group.
The ATM interface is added to the bridge group.
b. Run pvc { { pvc-name [ vpi/vci ] | vpi/vci } | { start-vpi/start-vci end-vpi/end-vci } }
The PVC view is displayed.
c. Run map bridge broadcast
The PVC is configured to receive and send bridging packets.
l Add an IMA-Group interface to a bridge group.
The IMA-Group interface is added to the bridge group.
The number of interfaces that can be added to a bridge group depends on device models:
l AR100-S&AR110-S&AR120-S&AR150-S&AR160-S&AR200-S&AR1200-S series: 20
Interfaces of different types can be added to the same bridge group, but Layer 2 interfaces
cannot be added to a bridge group.
----End

Context
Procedure

----End
15.9.5 (Optional) Configuring Transparent Transmission of

BPDUs
Context
Some BPDUs sent out from an interface of a bridge group may be discarded during
transmission by default. After the outbound interface added to the bridge group is enabled to
transparently transmit BPDUs, BPDUs can be sent from this interface.
Procedure
Step 3 Run bpdu transmit enable
The interface is enabled to transparently transmit BPDUs.
By default, a network bridge interface or an interface connected to a VLL is disabled from

transparently transmitting BPDUs.
NOTE
The command can only be used on Layer 3 interfaces.
Step 4 Run quit
----End
15.9.6 (Optional) Configuring VLAN ID Transparent

Transmission
Context
By default, an outbound interface of a bridge group removes the VLAN IDs of the packets to
be sent out. After VLAN ID transparent transmission is configured on an outbound interface
of a bridge group, the outbound interface does not remove the VLAN IDs of the packets to be
sent out.

Procedure
Step 3 Run bridge vlan-transmit enable
VLAN ID transparent transmission is enabled.
NOTE
l VLANIF interfaces do not support VLAN ID transparent transmission.

l It is not recommended to use the VLAN ID transparent transmission for sub-interfaces.
Step 4 Run quit

----End

Group
Context
Procedure
Step 4 Run quit

configuration.
groups.
----End
15.9.8 Verifying the Configuration of the Remote Bridging
Prerequisites
The configurations for remote bridging are complete.
Procedure
l Run the display bridge [ bridge-id ] information command to view information about
the bridge group.
group.
----End
15.10 Configuring Remote Bridging Integrated with IP

Routing
Configuring remote bridging integrated with IP routing allows users in different geographical
locations and on different network segments to communicate with each other.
Context
to the group.
Procedure

----End
15.10.2 Adding a LAN-side Interface to a Bridge Group
Context
to the group.
this method.
User 1
User 4 RouterA RouterB

Network
User 5
User 2 User 3
VLAN 11

Procedure
Ethernet sub-interfaces and GE sub-interfaces configured to terminate QinQ tags do not

support transparent bridging.
----End
15.10.3 Adding a WAN-side Interface to a Bridge Group
Context
Two devices can be connected using different types of intermediate links, such as Ethernet,
PPP, HDLC, FRMP, and ATM to bridge data between different LANs.
To implement remote bridging between different LANs, add the user-side interface
connecting to a LAN and the network-side interface connecting to the intermediate link to the
same bridge group.
Perform the following steps on the devices at both ends of the intermediate link.
Procedure
The view of the network-side interface is displayed.
Step 3 Perform the following operations depending on the type of interface:

l Add an Ethernet interface to a bridge group.
The Ethernet interface is added to the bridge group.
l Add an HDLC interface to a bridge group.
a. Run link-protocol hdlc
HDLC is enabled on the interface.
The HDLC interface is added to the bridge group.

l Add a PPP interface to a bridge group.

a. Run link-protocol ppp
The PPP interface is added to the bridge group.
l Add an MP group interface to a bridge group.
The VT interface is added to the bridge group.
b. Run quit
c. Run interface interface-type interface-number
The MP group interface view is displayed.
d. Run link-protocol ppp
e. Run ppp mp virtual-template number
The MP group interface is bound to a virtual template.
l Add an FR interface to a bridge group.
a. Run link-protocol fr
FR is enabled on the interface.
b. Run fr dlci dlci
A frame relay DLCI is created.
c. Run quit
Return to the interface view.
d. Run bridge bridge-id
The FR interface to the bridge group.
e. Run fr map bridge dlci-number broadcast
A mapping between the frame relay DLCI and the bridge group is configured.
l Add an ATM interface to a bridge group.
The ATM interface is added to the bridge group.
l Add an IMA-Group interface to a bridge group.
The IMA-Group interface is added to the bridge group.

The number of interfaces that can be added to a bridge group depends on device models:
l AR100-S&AR110-S&AR120-S&AR150-S&AR160-S&AR200-S&AR1200-S series: 20
Interfaces of different types can be added to the same bridge group, but Layer 2 interfaces
cannot be added to a bridge group.
----End
15.10.4 Enabling IP Routing for a Bridge Group
Context
IP routing enables a bridge group to bridge and route packets. If IP routing is not enabled, all
protocol packets can only be bridged. After IP routing is enabled, specified protocol packets
can be bridged or routed depending on the configuration.
Procedure
Step 3 Run routing ip
IP routing is enabled for the bridge group.
The IP routing function cannot be configured if any of member interfaces in the bridge group
has an IP address. Before configuring the IP routing function, delete the IP addresses of these
member interfaces.
Step 4 Run quit
Step 5 Run interface bridge-if bridge-id
A Bridge-if interface is created and the Bridge-if interface view is displayed.
An IP address is configured for the Bridge-if interface.
Step 7 (Optional) Run mac-address mac-address
A MAC address is configured for the Bridge-if interface.
----End


Context
Procedure
----End

Group
Context
Procedure
Step 4 Run quit


configuration.
groups.
----End
15.10.7 Verifying the Configuration of the Remote Bridging

Integrated with IP Routing
Prerequisites
The configurations for remote bridging integrated with IP routing are complete.
Procedure
l Run the display interface bridge-if [ bridge-id ] command to check information about
the Bridge-if interface.
l Run the display bridge [ bridge-id ] information command to check information about
the remote bridge group.
number ] command to view the traffic statistics on the bridge group.
----End
15.11 Maintaining Transparent Bridging

This section describes how to clear traffic statistics on a bridge group to help locate faults in
the bridge group.
15.11.1 Monitoring the Operation of Bridge Groups
Context
During routine maintenance, you can run the following commands in any view to monitor the
operation of bridge groups.

Procedure
number ] command in any view to check whether the traffic statistics on a bridge group
have been cleared.
l Run the display bridge [ bridge-id ] information command in any view to check
information about a bridge group.
l Run the display interface bridge-if [ bridge-id ] command in any view to check
information about the Bridge-if interface of a specified bridge group, including the
protocol status, interface description, and IP address.
l Run the display mac-address [ mac-address | blackhole | static | dynamic ] [ bridge
bridge-id ] [ verbose ] command in any view to check the static, dynamic, or blackhole
MAC address entry of a specified bridge group.
l Run the display mac-address [ mac-address | interface-type interface-number ] bridge
bridge-id [ verbose ] command or display mac-address { static | dynamic } [ interface-
type interface-number ] bridge bridge-id verbose command in any view to check the
static or dynamic MAC address entry of a specified bridge group and interface.
----End
15.11.2 Clearing the Traffic Statistics of a Bridge Group
Context
Before collecting traffic statistics on a bridge group, clear the previous statistics.
The traffic statistics cannot be restored after being cleared.
Procedure
l Run the reset bridge bridge-id statistics command in the user view to clear the traffic
statistics of a bridge group.
----End
15.11.3 Clearing the Traffic Statistics on the Bridge-if Interface of

a Bridge Group
Context
To locate faults in a bridge group, you can clear the traffic statistics on the Bridge-if interface.
The traffic statistics cannot be restored after being cleared.

Procedure
l Run the reset counters interface bridge-if [ bridge-id ] command in the user view to
clear the traffic statistics on the Bridge-if interface of the bridge group.
----End
15.12 Configuration Examples for Transparent Bridging

This section describes the typical application scenarios of transparent bridging and provides
configuration roadmaps.
15.12.1 Example for Configuring Local Bridging

Configuring local bridging allows the communication between the LANs on the same
network segment and in the same geographical location.
An enterprise has multiple departments located in the same office building but on different
floors. As business expands for the enterprise, data communication is required between
terminals within the same department, and between some departments. To keep information
secure, information in some departments needs to be isolated from that in the other
departments. Users that require communication with each other need to be added to the same
bridge group so that they can communicate with each other and are isolated from other
departments.
As shown in Figure 15-18, User 1 and User 2 belong to the same department, and both of
them are added to VLAN 11. User 4 and User 3 belong to the different departments. User 1,
User 2, and User 3 need to communicate with each other. After bridge groups are created on
RouterA, departments in the same bridge group can communicate with each other and those in
different bridge groups are isolated from each other.
Figure 15-18 Networking diagram of local bridging configuration
RouterA
Eth2/0/2
Eth3/0/0
Eth2/0/1
Eth4/0/0

10.1.1.1/24 10.1.1.2/24 10.1.1.3/24 10.1.1.4/24
VLAN 11

1. Add User 1 and User 2 to VLAN 11 and then add them to bridge group 1 on VLANIF
11. Add User 3 to bridge group 1. This allows communication between User 1, User 2,
and User 3.
2. Add User 4 to bridge group 2 to isolate User 4 from User 1, User 2, and User 3.
Procedure
Step 1 Create bridge group 1.
[RouterA] bridge 1
[RouterA-bridge1] quit
Step 2 Add Eth2/0/1 and Eth2/0/2 to VLAN 11.

[RouterA] vlan 11
Step 3 Add VLANIF 11 and Eth4/0/0 to bridge group 1.

[RouterA-Ethernet4/0/0] bridge 1
[RouterA-Vlanif11] bridge 1
Step 4 Create bridge group 2.

[RouterA] bridge 2
Step 5 Add Eth3/0/0 to bridge group 2.


# Run the display bridge information command to view the configuration of the bridge
groups.
[RouterA] display bridge information
Bridge 1 :
Status : Undo Shutdown
Bridging : IP, Others
Routing : -
MAC learning : Enable
interface :total 2 interface(s) in the bridge
Ethernet4/0/0 : Up
Vlanif11 : Up
Bridge 2 :
Status : Undo Shutdown
Bridging : IP, Others
Routing : -

MAC learning : Enable

interface :total 1 interface(s) in the bridge
Ethernet3/0/0 : Up
# After the preceding configuration is complete, User 1, User 2, and User 3 can ping each
other, User 3 cannot ping User 4.
----End
Configuration Files
#
sysname RouterA
#
vlan batch 11
#
bridge 1
bridge 2
#
interface Vlanif11
bridge 1
#
#
#
bridge 1
#
bridge 2
#
return
15.12.2 Example for Configuring Local Bridging with IP Routing

Configuring local bridging and IP routing allows LANs on different network segments to
Departments of Enterprise A need to communicate with each other and with local Enterprise
B.
Departments of Enterprise A belong to the LANs on the same network segment and can be
bridged, but Enterprise B belongs to a LAN on a different network segment. As a result, link-
layer bridging cannot be used to communicate between Enterprise A and Enterprise B.
In this scenario, local bridging integrated with IP routing offers a viable solution.
As shown in Figure 15-19, bridge groups are configured on local bridging, and interfaces are
added to different bridge groups. After Bridge-if interfaces are created and assigned IP
addresses, and the IP routing function is enabled, the two hosts of Enterprise A can
communicate with the hosts of Enterprises B.

Figure 15-19 Networking diagram of local bridging integrated with IP routing

Bridge-if
RouterA
Eth2/0/1
Eth3/0/0
Eth2/0/2

10.1.1.1/24 10.1.1.2/24 10.1.3.3/24
Enterprise A Enterprise B
1. Create a bridge group on RouterA.
2. Add Eth2/0/1 and Eth2/0/2 on Router A to the created bridge group to allow the two
hosts of Enterprise A to communicate with each other.
3. Create a Bridge-if interface and enable IP routing for the bridge group on RouterA to
allow Enterprise A to communicate with Enterprise B.
Procedure
Step 1 Configure the IP routing function.
# Create bridge group 1 and enable local bridging and IP routing for the bridge group.
[RouterA] bridge 1
[RouterA-bridge1] routing ip
# Add Eth2/0/1 and Eth2/0/2 to VLAN 11.

[RouterA] vlan 11
#Add VLANIF 11 to bridge group 1.


# Configure an IP address for Ethernet3/0/0 on RouterA.

[RouterA-Ethernet3/0/0] ip address 10.1.3.1 255.255.255.0
# Create Bridge-if interface 1 and configure an IP address for it.

[RouterA] interface bridge-if 1
[RouterA-Bridge-if1] ip address 10.1.1.3 255.255.255.0
[RouterA-Bridge-if1] quit
# After the preceding configurations are complete, User 1 and User 3 can ping each other.
----End
Configuration Files
#
sysname RouterA
#
vlan batch 11
#
bridge 1
routing ip
#
interface Vlanif11
bridge 1
#
#
#
ip address 10.1.3.1 255.255.255.0
#
interface Bridge-if1
ip address 10.1.1.3 255.255.255.0
#
return
15.12.3 Example for Configuring Remote Bridging

Configuring remote bridging allows LANs on the same network segment but in different
geographical locations to communicate with each other.
An enterprise has multiple departments in different locations. As business expands for the
enterprise, data communication is required between terminals within the same department and
between other departments located in different geological areas.
As shown in Figure 15-20, intermediate links are used to connect RouterA and RouterB,
which are located in different locations. Users 1 to 4 are on the same network segment. User 3

and User 4 are in a different location than User 1 and User 2. Configuring remote bridging
allows User 1 and User 2 to communicate with User 3 and User 4.
Figure 15-20 Networking diagram of remote bridging

RouterA RouterB
Eth2/0/1 Serial3/0/0 Serial3/0/0 Eth2/0/1

Network
Eth2/0/2 Eth2/0/2

10.1.1.1/24 10.1.1.2/24 10.1.1.3/24 10.1.1.4/24
1. Configure bridge groups on RouterA and RouterB.
2. Add User 1 and User 2 to VLAN 11 on RouterA, and add User 3 and User 4 to VLAN
11 on RouterB so that users can communicate with each other.
3. Add VLANIF 11 and Serial3/0/0 to bridge group 1 on RouterA and add VLANIF 11 and
Serial3/0/0 to bridge group 1 on RouterB. Enable remote bridging.
Procedure
# Create bridge group 1.
[RouterA] bridge 1
# Add Eth2/0/2 and Eth2/0/1 to VLAN 11 to allow the communication between User 1 and
User 2.
[RouterA] vlan 11


# Add Serial3/0/0 to bridge group 1.

[RouterA] interface serial 3/0/0
[RouterA-Serial3/0/0] link-protocol ppp
[RouterA-Serial3/0/0] bridge 1
[RouterA-Serial3/0/0] quit

[RouterB] bridge 1
[RouterB-bridge1] quit
User 4.
[RouterB] vlan 11

[RouterB-Vlanif11] bridge 1
# Add Serial3/0/0 to bridge group 1.

[RouterB] interface serial 3/0/0
[RouterB-Serial3/0/0] link-protocol ppp
[RouterB-Serial3/0/0] bridge 1
[RouterB-Serial3/0/0] quit

# After the preceding configurations are complete, User 1, User 2, User 3, and User 4 can
ping each other.
----End
Configuration Files
#
sysname RouterA
#
vlan batch 11
#
bridge 1
#
interface Vlanif11
bridge 1
#

#
#
interface Serial3/0/0
bridge 1
link-protocol ppp
#
return
#
sysname RouterB
#
vlan batch 11
#
bridge 1
#
interface Vlanif11
bridge 1
#
#
#
interface Serial3/0/0
bridge 1
link-protocol ppp
#
return
15.12.4 Example for Configuring Remote Bridging with IP

Routing
Configuring remote bridging with IP routing allows LANs in different geographical locations
and on different network segments to communicate.
Departments of Enterprise A need to communicate with other and with Enterprises C (in a
different geographical location).
Departments of Enterprise A belong to the LANs on the same network segment and can be
bridged, but Enterprise C belongs to a different network segment. As a result, link-layer
bridging cannot be used to communicate between Enterprise A and Enterprise C.
In this scenario, local bridging integrated with IP routing offers a viable solution.
As shown in Figure 15-21, bridge groups are configured on local bridging, and interfaces are
added to different bridge groups. After Bridge-if interfaces are created and assigned IP
addresses, and the IP routing function is enabled, the two hosts of Enterprise A can
communicate with the hosts of Enterprises C.

Figure 15-21 Networking diagram of remote bridging integrated with IP routing

Bridge-if RouterB
Eth2/0/1 RouterA
Eth2/0/2 Network
Eth3/0/0 Eth3/0/0
Eth2/0/0

10.1.1.1/24 10.1.1.2/24 10.1.2.4/24
Enterprise A Enterprise C
1. Configure bridge groups on RouterA and RouterB.
2. Add Ethernet 2/0/1 and Ethernet 2/0/2 on Router A to a bridge group so that the two
hosts of Enterprise A can communicate with each other.
3. Add Ethernet3/0/0 to another bridge group on Router A, and add Ethernet 3/0/0 to the
bridge group on Router B.
4. Create Bridge-if interfaces and enable the IP routing function for the bridge groups on
Router A and Router B. This allows Enterprise A and Enterprise C to communicate with
each other.
Procedure
# Create bridge group 1 and bridge group, then enable the IP routing function for the bridge
groups.
[RouterA] bridge 1
[RouterA] bridge 2
User 2.
[RouterA] vlan 11



# Add Ethernet3/0/0 on Router A to bridge group 2.

# Create Bridge-if interface 1 for bridge group 1 and Bridge-if interface 2 for bridge group 2,
and then configure IP addresses for the two Bridge-if interfaces.

# Create bridge group 2 and enable the IP routing function for the bridge groups.
[RouterB] bridge 2
[RouterB-bridge2] routing ip
# Add Ethernet2/0/0 to VLAN11.

[RouterB] vlan 11

[RouterB-Vlanif11] bridge 2
# Add Ethernet3/0/0 on Router B to bridge group 2.

[RouterB-Ethernet3/0/0] bridge 2

# After the preceding configuration is complete, User 1 and User 4 can successfully ping each
other.
----End
Configuration Files

#
sysname RouterA
#
vlan batch 11
#
bridge 1
routing ip
bridge 2
routing ip
#
interface Vlanif11
bridge 1
#
#
#
ip address 10.1.1.3 255.255.255.0
#
ip address 10.1.2.3 255.255.255.0
#
bridge 2
#
return
#
sysname RouterB
#
vlan batch 11
#
bridge 2
routing ip
#
interface Vlanif11
bridge 2
#
#
bridge 2
#
return
15.12.5 Example for Configuring Remote Bridging with VLAN ID

Remote bridging with VLAN ID transparent transmission allows the devices in the same
VLAN but different in locations to communicate with each other.
An enterprise has multiple departments in different locations. To allow the communication
between departments in different locations, remote bridging can be used. To allow users in the
same department (the same VLAN) to communicate with each other, while isolating users in

different departments (different VLANs), VLAN ID transparent transmission must be

enabled.
As shown in Figure 15-22, User 1, User 2, User 3, and User 4 are on the same network
segment. User 1 and User 3 belong to a VLAN; User 2 and User 4 belong to the other VLAN.
To allow users in the same VLAN to communicate with each other and isolate users in
different VLANs, remote bridging and VLAN ID transparent transmission can be enabled. In
this manner, User 1 can only communicate with User 3, and User 2 can only communicate
with User 4.
Figure 15-22 Networking diagram for remote bridging
RouterA RouterB
Network
Eth2/0/0 Eth2/0/0
Eth1/0/0 Eth1/0/0
Eth1/0/3 Eth1/0/3
Eth1/0/1 Eth1/0/2 Eth1/0/1 Eth1/0/2

Switch 1 Switch 2

10.1.1.1/24 10.1.1.2/24 10.1.1.3/24 10.1.1.4/24
VLAN 11 VLAN 12 VLAN 11 VLAN 12
l On Switch 1 and Switch 2:

a. Create VLANs.
b. Add interfaces to the VLANs.
c. Configure interfaces to allow the packets from VLAN 11 and VLAN 12 to pass
through.
l On Router A and Router B:
a. Configure bridge groups.
b. Add WAN interfaces Ethernet1/0/0 and Ethernet2/0/0 to the same bridge group.
c. Enable VLAN ID transparent transmission on user-side interfaces and network-side
interfaces to allow users in the same VLAN to communicate with each other and
isolate users in different VLANs.

Procedure
Step 1 Configure Router A.
[RouterA] bridge 1
[RouterA-bridge1] undo shutdown
# Add Ethernet1/0/0 and Ethernet2/0/0 to bridge group 1, and enable VLAN ID transparent
transmission on the two interfaces.
[RouterA-Ethernet1/0/0] bridge vlan-transmit enable
[RouterA-Ethernet2/0/0] bridge vlan-transmit enable
Step 2 Configure Switch 1.

# Create VLANs.
[Huawei] sysname Switch1
[Switch1] vlan 11
[Switch1-vlan11] quit
[Switch1] vlan 12
# Add Ethernet1/0/1 to VLAN 11 and Ethernet1/0/2 to VLAN 12.

[Switch1] interface ethernet 1/0/1
[Switch1-Ethernet1/0/1] port link-type access
[Switch1-Ethernet1/0/1] port default vlan 11
[Switch1-Ethernet1/0/1] quit
# Configure Ethernet 1/0/3 to allow the packets from VLAN 11 and VLAN 12 to pass
through.
[Switch1-Ethernet1/0/3] port link-type trunk
[Switch1-Ethernet1/0/3] port trunk allow-pass vlan 11 to 12
Step 3 Configure Router B.

[RouterB] bridge 2
# Add Ethernet1/0/0 and Ethernet2/0/0 to bridge group 2, and enable VLAN ID transparent
transmission on the two interfaces.

[RouterB-Ethernet1/0/0] bridge vlan-transmit enable

[RouterB-Ethernet2/0/0] bridge vlan-transmit enable
Step 4 Configure Switch 2.

# Create VLANs.
[Huawei] sysname Switch2
[Switch2] vlan 11
[Switch2] vlan 12
# Add Ethernet1/0/1 to VLAN 11 and Ethernet1/0/2 to VLAN 12.

# Configure Ethernet1/0/3 to allow the packets from VLAN 11 and VLAN 12 to pass through.
[Switch2-Ethernet1/0/3] port link-type trunk
[Switch2-Ethernet1/0/3] port trunk allow-pass vlan 11 to 12

# After the preceding configurations are complete, User 1 and User 3 can ping each other;
User 2 and User 4 can ping each other.
----End
Configuration Files
l Configuration file of Router A
#
sysname RouterA
#
vlan batch 11 to 12
#
bridge 1
#
bridge 1
#
bridge 1
#
return
l Configuration file of Router B

#
sysname RouterB
#

vlan batch 11 to 12
#
bridge 2
#
bridge 2
#
bridge 2
#
return
l Configuration file of Switch 1
#
sysname Switch1
#
vlan batch 11 to 12
#
#
#
#
return
l Configuration file of Switch 2
#
sysname Switch2
#
vlan batch 11 to 12
#
#
#
#
#
return
15.13 FAQ About Transparent Bridging

This section lists FAQs related to the transparent bridging configuration.
15.13.1 Are Packets in a Bridge Group Forwarded at Layer 2 or

Layer 3?
Packets in a bridge group are forwarded at Layer 2. Only interfaces supporting Layer 3
functions can be added to a bridge. Data in a bridge, however, is forwarded at Layer 2.

15.13.2 Do Network Bridges on AR Series Routers Transparently

Transmit BPDUs?
No. Network bridges on all models of AR series routers do not transparently transmit BPDUs.
15.13.3 Can the MAC Address of the BVI Interface in a Network

Bridge Be Changed?
Yes, you can change the media access control (MAC) address of a Bridged Virtual Interface
(BVI).
15.13.4 Do Network Bridges Transparently Transmit Packets with

VLAN Tags?
Yes, network bridges transparently transmit packets with virtual local area network (VLAN)
tags. VLANIF interfaces, however, do not transparently transmit packets with VLAN tags.
Using sub-interfaces to transparently transmit packets with VLAN tags is not recommended.
15.13.5 What Are the Differences Between Network Bridge MAC

Addresses and Common MAC Addresses?
The two types of MAC addresses have the same functions. Packets bridged by network
bridges are complete Ethernet Layer 2 packets.
15.13.6 Which Layer 2 Links Do Network Bridges Support?

Network bridges support the following Layer 2 links: Ethernet, Multilink PPP (MP), Point-to-
Point Protocol (PPP), frame relay (FR), Asynchronous Transfer Mode (ATM), Point-to-Point
Protocol over Ethernet (PPPoE), Point-to-Point Protocol over FR (PPPoFR), Point-to-Point
Protocol over Ethernet over ATM (PPPoEoA), and High-Level Data Link Control (HDLC)
links.
15.13.7 Can an Optical Interface on the AR Router Join a Bridge

Group?
An optical interface on the AR router can join a bridge group.

Huawei AR Series Access Routers CLI Base

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Huawei AR Series Access Routers CLI Base

Uploaded by

Copyright:

Available Formats

Huawei AR Series Access Routers

CLI-based Configuration Guide -

HUAWEI TECHNOLOGIES CO., LTD.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. i

About This Document

Indicates an imminently hazardous situation

Indicates a potentially hazardous situation

Indicates a potentially hazardous situation

Indicates a potentially hazardous situation

Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. ii

NOTE Calls attention to important information,

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[] Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... } Optional items are grouped in braces and separated by

[ x | y | ... ] Optional items are grouped in brackets and separated by

{ x | y | ... }* Optional items are grouped in braces and separated by

[ x | y | ... ]* Optional items are grouped in brackets and separated by

&<1-n> The parameter before the & sign can be repeated 1 to n

# A line starting with the # sign is comments.

Interface Numbering Conventions

Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. iii

– When configuring a password, the cipher text is recommended. To ensure device

Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. iv

Mappings Between Product Software Versions and NMS

AR Product eSight iManager U2000

V200R009C00 V300R008C00 V200R017C60

Changes in Issue 06 (2019-04-30)

Changes in Issue 05 (2018-11-30)

Changes in Issue 04 (2018-07-06)

Changes in Issue 03 (2018-01-05)

Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. v

l 6.5 Licensing Requirements and Limitations for VLAN Termination

Changes in Issue 02 (2017-10-13)

Changes in Issue 01 (2017-08-04)

Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. vi

About This Document.....................................................................................................................ii

Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. vii

1.13.2 Why Are Source MAC Addresses Not Learned?.................................................................................................... 29

2 Link Aggregation Configuration..............................................................................................31

Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. viii

2.11.2 Example for Configuring Link Aggregation in LACP Mode..................................................................................65

Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. ix

4 VLAN Aggregation Configuration........................................................................................ 136

5 MUX VLAN Configuration..................................................................................................... 152

Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. x

5.5.1 Example for Configuring the MUX VLAN Function............................................................................................. 158

6 VLAN Termination Configuration........................................................................................ 165

7 Voice VLAN Configuration.....................................................................................................223

Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. xi

7.6 Configuring an Automatic Voice VLAN....................................................................................................................228

Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. xii

8.8.3 Configuring L3VPN................................................................................................................................................ 260

9 VLAN Mapping Configuration.............................................................................................. 293

10 GVRP Configuration.............................................................................................................. 310

11 STP/RSTP Configuration....................................................................................................... 328

Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. xiii

Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. xiv

11.12.1 Clearing STP/RSTP Statistics..............................................................................................................................377

Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. xv

12.9.1 Configuring BPDU Protection on a Switching Device......................................................................................... 424

Issue 06 (2019-04-30) Copyright © Huawei Technologies Co., Ltd. xvi